Cisco University Research Programme

Polyander: Language Based Policy Specification, Analysis and Deployment for Large-scale Systems

  26 September 2001

Investigators:       Morris Sloman, Wayne Luk, Emil Lupu, Naranker Dulay

Imperial College, Department of Computing, 180 Queen's Gate, London SW7 2BZ

m.sloman, e.c.lupu, n.dulay, w.luk @doc.ic.ac.uk

Abstract

The project aims to further the development of policy-based network and systems management by combining the language based approach formulated at Imperial College with the CISCO Information Model (CIM-CX) based on the Common Information Model (CIM), a DMTF Standard. Moreover, the project aims to achieve significant advances in user definition of policy given the CIM-CX model, refinement of high level policies into lower-level, device-specific ones, validation of policy against device capabilities, and conflict analysis for a set of policies.  The project will also facilitate the interaction between policy-aware applications and policy-based networks. Numerous efforts over the last years within both academia and industry have focused on the development of policy-based networks as a means of implementing adaptive Quality of Service management and rapid deployment of customised services. For this approach to be effective, policy needs to be clearly specified in a language easily understandable by human administrators and policy-makers but also implementable on the network elements. The language must be applicable to a uniform representation of the network elements and their properties, operations and relationships expressed in a device independent information model. To be implementable, the policy specification must be free of conflicts and must match the device capabilities. This project builds upon the research done at Imperial College over the last 10 years and strives to deliver an integrated solution to these problems. 

Duration: 36 months. 

Funding allocated: $60K initially- possibly renewable

Cisco Champions:

Anson Chen, VP/GM, Network Management, achen@cisco.com

Paul Gleichauf, Business Development Manager, phg@cisco.com

Andrea Westerinen, Manager and Architect, Information Modeling, ndreaw@cisco.com

Cisco Account Manager:  Tim Liney

1        Motivation

There is considerable interest in the Internet community in policy-based networks as a means of implementing adaptive QoS (Quality of Service) management, caching, persistence and security to support modern multimedia applications, mobility and ubiquitous computing. Adaptive networks must support rapid deployment of customised services tailored for potentially mobile, corporate and individual users. However, most of the current work on policy (within such organisations as DMTF [6], IETF [10], [15] and in industry) concentrates on specifying information models for policy based on CIM, LDAP Schema or XML, or on very low-level protocols such as COPS for setting policy in network elements [2], [8]. There has also been some separate work on specifying security policies within roles [9], [11], [17]. Imperial College has been the main focus for defining policy specification languages such as Ponder – a declarative, object-oriented language for specifying both management and security policy [4], [5], [14], [16], [18]. The other approaches do not have the structuring and reusability concepts required to cater for very large-scale inter-organisational environments where policy will be specified by many different administrators.

Policies are rules governing the choices in behaviour of a system. Authorisation policies are used to define what services or resources a subject (management agent, user or role) can access. Obligation policies are event-triggered condition-action rules which can be used to define the conditions for reserving network resources, changing queuing strategy, or loading code onto a router. A policy-enabled application may interpret policies to adapt to the requirements of specific users, such as what information to filter when bandwidth or device capabilities are limited. However, some of the application-specific policies may have to be enforced within the network. Thus policy-enabled applications need to be able to transfer policies to policy-based programmable networks. Similarly, the network may need to pass policies to be interpreted by the application for more efficient adaptation, for instance related to caching or monitoring of application-specific components. Note that a network supporting ubiquitous computing is not just routers and switches but includes processing, storage and caching services. The policy supporting an application must be decomposed and deployed on all these components, which may have very different capabilities for executing the policy. One of the objectives of this project will be to investigate the policy interaction between different administrative domains, which could correspond to an application, service provider or organisation.

Multiple policies will apply to the network elements in order to support the requirements of different applications, different users and cooperating but distinct administrative domains. Furthermore, the shared resource that the network represents is itself composed of different elements with varying capabilities and interfaces. It is thus a prime concern to ensure: i) that policies applying to the same network elements are consistent and ii) that the network elements have the capability to implement the policy. Tools are needed to consistently define and analyse policies in order to detect conflicts and validate the specification with respect to the device capabilities. Simple conflicts may arise when both positive and negative authorisation policies are permitted, but some conflicts are context specific, such as two policies which try to assign different priorities to a particular data stream, or which result in a conflict for limited shared resources [13]. Very little work has been done on the specification of these conditions. We have been investigating the use of OCL (Object Constraint Language, an OMG Standard) to specify constraints relating to a set of policies (which we call metapolicies). Further work is needed in order to refine these specifications and elaborate their use in real-life examples.

The results of this project will benefit not only CISCO, a major promoter of policy-based networking, but the network management community at large. Applying Ponder policies to CIM (and therefore CIM-CX) represented network elements and services will benefit all those in industry and academia adopting the CIM standard. Furthermore, the results on policy analysis and validation as well as the approach elaborated for inter-domain policy interactions will constitute valuable theoretical and practical results for any policy-driven framework. All the investigators in this project have an established track record of publishing their research results in journals, conferences and international fora. Furthermore, all reports and developed code will be made freely available to the community at large. 

2        The Ponder Policy Framework

Ponder is an object-oriented, declarative language developed at Imperial College for specifying management and security policies [4]. For example, the following authorisation policy with the name bwalloc permits the Agroup to perform the action of setting up a videoconference with a bandwidth of 4 Mb/s and a priority of 3 to the BGroup in New York or the DGroup in Boston between 16.00 and 18.00 daily.

inst auth+ bwalloc {
    subject Agroup;  target BGroupNY + DGroupBoston;
    action videoconf (bw=4, priority=3);
    when time.between (1600, 1800); }

The following obligation policy type, named videoSetUp, takes two parameters: a subject which evaluates the policy and a target on which the action to reserve bandwidth is performed. The policy is triggered when a videoRequest event is received, carrying the requested bandwidth bw as a parameter. A constraint defines that the reservation will only take place if the already allocated bandwidth plus the request is less than a maximum allowed bandwidth. It is assumed that the allocated and maximum bandwidth are variables held within the subject. (The subject would either be a single object in the CIM Schema, or information found by traversing the information model starting from the subject s.) Two instances of the policy are then created for different gateway subjects and router targets.

type oblig videoSetUp (subject s; target t;) {
    on videoRequest (bw);
    do t.bwreserve (bw);
    when ((s.allocatedbw + bw) < s.maxbw); }

inst USvideoSetUP = videoSetUp (gateways/USgateway, routers/USedgeRouter);
     UKvideoSetUP = videoSetUp (gateways/UKgateway, routers/UKedgeRouter);
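To make the event-triggered semantics of the obligation policy type above concrete, the following is an added example in Python (not Ponder code and not part of the Ponder project's own interpreter). It models the two videoSetUp instances with plain objects: the subject holds the assumed allocatedbw and maxbw variables, the target exposes bwreserve, and a dispatch step delivers an event to every policy instance. The only behaviour not stated on the page is that the subject's allocatedbw counter is incremented after a successful reservation, so that later requests are checked against the updated allocation; that is an assumption of this example.

```python
"""Added example: a minimal interpreter for the Ponder obligation policy type
   type oblig videoSetUp(subject s; target t) { on videoRequest(bw); do t.bwreserve(bw);
                                                when ((s.allocatedbw + bw) < s.maxbw); }
The class and function names here are the example's own, not the Ponder toolkit's."""
from dataclasses import dataclass, field


@dataclass
class Subject:
    """The policy subject; allocatedbw and maxbw are assumed to be held here, as the text says."""
    name: str
    allocatedbw: int
    maxbw: int


@dataclass
class Target:
    """The policy target; bwreserve is the action invoked by the 'do' clause."""
    name: str
    reservations: list = field(default_factory=list)

    def bwreserve(self, bw: int) -> None:
        self.reservations.append(bw)


@dataclass
class VideoSetUp:
    """One instance of the videoSetUp policy type, bound to a subject s and a target t."""
    name: str
    s: Subject
    t: Target

    def on_event(self, event: str, bw: int) -> bool:
        # 'on videoRequest(bw)': only this event triggers the policy.
        if event != "videoRequest":
            return False
        # 'when ((s.allocatedbw + bw) < s.maxbw)': the constraint guards the action.
        if not (self.s.allocatedbw + bw < self.s.maxbw):
            return False
        # 'do t.bwreserve(bw)': perform the action on the target.
        self.t.bwreserve(bw)
        # Assumption of this example: the subject's allocation counter is updated so
        # that subsequent requests are evaluated against the new total.
        self.s.allocatedbw += bw
        return True


def dispatch(policies, event: str, bw: int):
    """Deliver one event to every policy instance; return the names of those that fired."""
    return [p.name for p in policies if p.on_event(event, bw)]


def demo():
    """Constructed scenario: the US gateway is nearly full, the UK gateway has headroom."""
    us_gw = Subject("gateways/USgateway", allocatedbw=6, maxbw=10)
    uk_gw = Subject("gateways/UKgateway", allocatedbw=2, maxbw=10)
    us_rt = Target("routers/USedgeRouter")
    uk_rt = Target("routers/UKedgeRouter")
    policies = [VideoSetUp("USvideoSetUP", us_gw, us_rt),
                VideoSetUp("UKvideoSetUP", uk_gw, uk_rt)]
    first = dispatch(policies, "videoRequest", 4)    # US: 6+4 < 10 is false; UK: 2+4 < 10 is true
    second = dispatch(policies, "videoRequest", 4)   # UK is now at 6, so 6+4 < 10 is false
    ignored = dispatch(policies, "audioRequest", 1)  # wrong event type, no policy fires
    return first, second, ignored, us_rt.reservations, uk_rt.reservations


if __name__ == "__main__":
    print(demo())
```

The point the code makes that the prose does not is that the 'when' constraint is evaluated per instance against that instance's own subject state, so the same event can fire one instance of a policy type and not another.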

Ponder also supports grouping of policies into roles related to positions in organisations or to the set of policies applying to a particular network component [18]. Management structures can be defined as configurations of roles, with policies applying to relationships between roles for organisational units such as departments or buildings. Inheritance permits specialisation of existing policy specifications for different environments. Ponder also allows complex actions to be implemented by dynamically loaded scripts within the subject's policy interpreter. Details of the Ponder language are described in [4], [5].

It should be noted that Ponder realises the basic constructs of the IETF's and DMTF's Policy Core Information Model (PCIM) in its approach to obligation policies [19].

3        Research objectives and research issues

The overall objective of the project is to evaluate policy specification languages as a means of specifying and implementing both security and management policies for adaptive networks. The specific objectives of this proposal are:

i.   To evaluate and refine the Ponder Policy Language for specifying policy for a CIM environment where the CIM (and therefore CIM-CX) information model defines the objects to which policy applies. (Use of the model to provide the backing semantics for policy rules facilitates an improved and consistent environment for policy definition.)

ii.  To develop techniques and interfaces for interaction between policy-based applications and policy-enabled networks in order to support dynamic adaptation and to deploy policies in a heterogeneous environment;

iii. To develop tools for rule refinement, conflict and consistency analysis of policies to permit merging of policies from multiple administrative domains and across multiple devices with varying capabilities;

iv.  To validate the above approach in various scenarios applying policies as a constrained form of programming to drive adaptation and management in networked environments.

The research issues to be addressed by this project include:

· How should policies be communicated between different administrative domains? This includes the representation of policies and transformation between the semantics understood by the various components involved.

· Can we use policies to manage the deployment of policies and hence support adaptive policies which change according to network conditions?

· How to specify constraints in order to prevent conflicts within a set of policies for a particular network component, across a set of cooperating components, or when merging policies from different organisations?

· How to validate a set of policies against the capabilities of the devices to which they are meant to be applied?

4        Work Packages

4.1                WP1: Policy in a CIM environment

CIM provides a suitable information model for specifying the users, devices or components to which policy applies. Although there has been work within the IETF/DMTF on defining an information model for representing policies in CIM, we are not aware of anyone actually defining policies for CIM objects. We will evaluate the use of Ponder for specifying both management and security policies, and then refine the language to cater for any shortcomings identified in the evaluation.

Deliverables:

Month 6:      Case studies of the use of Ponder in a CIM environment.

Month 12:    Demonstrator of Ponder policies applied to CIM described managed objects

4.2                WP2: Policy Analysis Tools

It is necessary to analyse a set of policies in order to decompose it into specific actionable components, identify any inconsistencies and verify that the device capabilities are sufficient to implement the policy [1], [13]. The emphasis will be put on context-specific conflicts, although the other aspects of the problem must be addressed in order to perform adequate conflict analysis. To identify these conflicts it is necessary to specify the conditions which result in a conflict, thus placing constraints on the set of policies which can be applied to a managed entity. Although some of these constraints may be device independent, e.g., two policies which assign different priorities to the same data stream, other constraints will pertain to the type of device or service being managed. Although we have started investigating the use of the Object Constraint Language (OCL) [16] for some device-independent constraints, further work is needed in order to evaluate the use of OCL for this purpose. In particular, device- or service-specific constraints may need to refer to the CIM model of the managed entity. Moreover, there is a need to investigate where these constraints should be stored, e.g., attached to the CIM description, associated with a policy group or with a domain of managed objects, and when they need to be evaluated, e.g., when adding a policy, when changing the device capabilities or at run-time. Although static analysis is desirable wherever possible, run-time analysis may prove necessary in specific cases.
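The three kinds of check this work package names (modality conflicts between positive and negative authorisations, the context-specific conflict of two policies assigning different priorities to one data stream, and validation of a policy against device capabilities) can be illustrated with a small static analyser. The following Python is an added example, not a tool from the Ponder project: the policy records, the capability table and the policy names other than bwalloc are constructed for the illustration, and the checks are simple set intersections rather than OCL metapolicies.

```python
"""Added example: static conflict and capability checks over a constructed policy set.
Not the project's analysis tools; representations and sample data are assumptions."""
from dataclasses import dataclass
from itertools import combinations


@dataclass(frozen=True)
class Auth:
    """A Ponder-style authorisation policy: auth+ when positive is True, auth- otherwise."""
    name: str
    positive: bool
    subjects: frozenset
    targets: frozenset
    actions: frozenset


@dataclass(frozen=True)
class PriorityAssignment:
    """An obligation whose action assigns a priority to a data stream (constructed form)."""
    name: str
    stream: str
    priority: int


def modality_conflicts(auths):
    """An auth+ and an auth- overlap on subject, target and action: the simple conflict case."""
    found = []
    for a, b in combinations(auths, 2):
        if a.positive == b.positive:
            continue
        if (a.subjects & b.subjects) and (a.targets & b.targets) and (a.actions & b.actions):
            found.append((a.name, b.name))
    return found


def priority_conflicts(assignments):
    """Context-specific conflict: two policies assign different priorities to the same stream."""
    return [(a.name, b.name) for a, b in combinations(assignments, 2)
            if a.stream == b.stream and a.priority != b.priority]


def capability_gaps(auths, capabilities):
    """Actions a policy needs on a target that the target device cannot perform."""
    gaps = []
    for p in auths:
        for t in sorted(p.targets):
            missing = p.actions - capabilities.get(t, frozenset())
            if missing:
                gaps.append((p.name, t, sorted(missing)))
    return gaps


def demo():
    """Constructed policy set: bwalloc from the page plus two illustrative policies."""
    auths = [
        Auth("bwalloc", True, frozenset({"Agroup"}),
             frozenset({"BGroupNY", "DGroupBoston"}), frozenset({"videoconf"})),
        Auth("noVideoNY", False, frozenset({"Agroup"}),
             frozenset({"BGroupNY"}), frozenset({"videoconf"})),
        Auth("audioOnly", True, frozenset({"Cgroup"}),
             frozenset({"BGroupNY"}), frozenset({"audioconf"})),
    ]
    assignments = [
        PriorityAssignment("goldVideo", "stream/42", 3),
        PriorityAssignment("bulkData", "stream/42", 1),
        PriorityAssignment("voice", "stream/7", 5),
    ]
    # Constructed capability table: what each target can actually do.
    capabilities = {
        "BGroupNY": frozenset({"videoconf", "audioconf"}),
        "DGroupBoston": frozenset({"audioconf"}),
    }
    return (modality_conflicts(auths),
            priority_conflicts(assignments),
            capability_gaps(auths, capabilities))


if __name__ == "__main__":
    for report in demo():
        print(report)
```

The capability check is the one to run before deployment: a policy that names an action its target cannot execute is not merely unenforceable but leaves the administrator believing a control is in place when it is not. The priority check is deliberately independent of the device model, matching the page's example of a device-independent constraint.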

Deliverables:

Month 12:    Evaluation of OCL as a means of specifying constraints.

Month 24:    Initial conflict analysis tools

Month 36:   Final conflict analysis toolkit integrated into Ponder development environment

4.3                WP3: Inter-domain policy interactions and policy deployment

The two main issues here are how to represent policies, and how to map the policies which are meaningful to the application onto those appropriate for network components and then deploy them. We will investigate XML as the means of representing policies to be transferred between administrative domains. It is possible that a form of simplified service level agreement (SLA), whereby an application requests a particular class of service, may be a suitable interface for some applications related to QoS. However, this may not be adequate for other applications, such as mobile computing, where it is necessary to set up adapters within the network to perform compression, filtering or information transformations. We need to define suitable interfaces and protocols to permit interaction between the various administrative domains which may need to exchange policy and agree on a common policy. An important aspect of this work will be to extend the prototype deployment architecture [7] to make it policy driven and adaptable, so that policies can be specified for the deployment of policies.
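As an added illustration of the XML interchange idea, not a representation the project has defined, the following Python serialises an authorisation policy into a candidate XML form and shows the checks a receiving domain would apply before admitting a policy from another organisation. The element names, the import function and the rule that only actions and targets in the receiver's own vocabulary are accepted are all assumptions of this example.

```python
"""Added example: a candidate XML form for a Ponder authorisation policy and a
guarded import on the receiving side. Element names and checks are assumptions."""
import xml.etree.ElementTree as ET


def policy_to_xml(name, positive, subjects, targets, actions, when=None):
    """Serialise an auth+/auth- policy; 'when' carries the constraint text verbatim."""
    root = ET.Element("policy", {"name": name, "type": "auth+" if positive else "auth-"})
    for tag, values in (("subject", subjects), ("target", targets), ("action", actions)):
        for v in values:
            ET.SubElement(root, tag).text = v
    if when:
        ET.SubElement(root, "when").text = when
    return ET.tostring(root, encoding="unicode")


def import_policy(xml_text, accepted_actions, accepted_targets):
    """Parse a policy received from another domain and refuse anything the local
    domain does not recognise, so foreign policy cannot name actions or targets
    outside what this domain has agreed to enforce."""
    root = ET.fromstring(xml_text)
    if root.tag != "policy" or root.get("type") not in ("auth+", "auth-"):
        raise ValueError("not an authorisation policy")
    policy = {
        "name": root.get("name"),
        "positive": root.get("type") == "auth+",
        "subjects": [e.text for e in root.findall("subject")],
        "targets": [e.text for e in root.findall("target")],
        "actions": [e.text for e in root.findall("action")],
        "when": root.findtext("when") or None,
    }
    bad_actions = set(policy["actions"]) - set(accepted_actions)
    bad_targets = set(policy["targets"]) - set(accepted_targets)
    if bad_actions or bad_targets:
        raise ValueError(f"unknown actions {sorted(bad_actions)} / targets {sorted(bad_targets)}")
    return policy


def rejects(xml_text, accepted_actions, accepted_targets) -> bool:
    """True if import_policy refuses the document (used to show the failure path)."""
    try:
        import_policy(xml_text, accepted_actions, accepted_targets)
    except ValueError:
        return True
    return False


# Constructed local vocabulary for the receiving domain.
LOCAL_ACTIONS = {"videoconf", "audioconf"}
LOCAL_TARGETS = {"BGroupNY", "DGroupBoston"}

if __name__ == "__main__":
    doc = policy_to_xml("bwalloc", True, ["Agroup"], ["BGroupNY", "DGroupBoston"],
                        ["videoconf"], "time.between(1600, 1800)")
    print(doc)
    print(import_policy(doc, LOCAL_ACTIONS, LOCAL_TARGETS))
```

Two practical notes on the design: the constraint is carried as opaque text because the receiving domain must interpret it under its own semantics, which is exactly the transformation problem the text raises; and a deployment that parses XML from another organisation should use a hardened parser (for instance the defusedxml package) rather than the standard library parser shown here.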

Deliverables:

Month 12:    Representation for transferring policy between organisations

Month 24:    Initial inter-domain policy interaction interface and protocol specification

Month 36:    Demonstrator integrating inter-domain interactions and policy deployment  

5        References

[1]     Chen, F. and R.S. Sandhu. Constraints for Role-Based Access Control. In Proceedings of First ACM/NIST Role Based Access Control Workshop. 1995. Gaithersburg, Maryland, USA, ACM Press.

[2]     Cisco Assure QoS Policy Manager http://www.cisco.com/warp/public/cc/cisco/mkt/enm/cap/index.shtml  

[3]     Corradi, A., R. Montanari, C. Stefanelli,  E. Lupu and M. Sloman. Flexible Access Control for Java Mobile Code, 16th Annual Computer Security Applications Conference (ACSAC2000), Dec 2000, New Orleans USA.

[4]     Damianou, N., N. Dulay, E. Lupu and M. Sloman. Ponder: A Language for Specifying Security and Management Policies for Distributed Systems. The Language Specification - Version 2.2. Research Report DoC 2000/1, Imperial College of Science Technology and Medicine, Department of Computing, London, 3 April, 2000.

[5]     Damianou, N., N. Dulay, E. Lupu and M. Sloman. The Ponder Policy Specification Language. Workshop on Policies for Distributed Systems and Networks (Policy2001), HP Labs Bristol, 29-31 Jan 2001.

[6]     Distributed Management Task Force, Inc. (DMTF), Common Information Model (CIM) Specification, version 2.2, available from http://www.dmtf.org/spec/cims.html, June 14, 1999.

[7]     N. Dulay, E. Lupu, M. Sloman, N. Damianou, A Policy Deployment Model for the Ponder Language, Proc. IEEE/IFIP International Symposium on Integrated Network Management (IM’2001), Seattle, May 2001, IEEE Press, pp. 529-543.

[8]     HP PolicyXpert http://www.openview.hp.com:80/products/policy/

[9]     IBM. Access Control Meets Public Key Infrastructure, or: Assigning Roles to Strangers.  IEEE Symposium on Security and Privacy. 2000. http://www.hrl.il.ibm.com/TrustEstablishment/paper.asp.

[10]  Internet Engineering Task Force. Policy Working Group http://www.ietf.org/html.charters/policy-charter.html

[11]  Jajodia, S., P. Samarati and V.S. Subrahmanian. A Logical Language for Expressing Authorisations. In Proceedings of IEEE Symposium on Security and Privacy. 1997, pp. 31-42.

[12]  Lobo, J., R. Bhatia and S. Naqvi. A Policy Description Language. In Proc. of AAAI, July 1999. Orlando, Florida, USA.

[13]  Lupu, E.C. and M. Sloman. Conflicts in Policy-Based Distributed Systems Management. IEEE Trans. on Software Engineering, 25(6): 852-869 Nov.1999.

[14]  Lupu, E.C. and M.S. Sloman. Towards a Role Based Framework for Distributed Systems Management. Journal of Network and Systems Management, 1997. 5(1):5-30.

[15]  Moore, B., J. Strassner and E. Ellesson. Policy Core Information Model V1. IETF draft, from http://www.ietf.org, May 2000.

[16]  Rational Software Corporation. Object Constraint Language Specification, Version 1.1, Available at http://www.rational.com/uml/, September 1997.

[17]  Sandhu, R.S., E.J. Coyne, H.L. Feinstein and C.E. Youman. Role-Based Access Control Models. IEEE Computer, 1996. 29(2): 38-47.

[18]  Sloman, M. and E. Lupu. Policy Specification for Programmable Networks. Proc. of First International Working Conference on Active Networks (IWAN'99), Berlin, June 1999, ed. S. Covaci, LNCS, Springer Verlag, Berlin, June 1999, pp. 73-84.

[19]  Internet Engineering Task Force. Policy Core Information Model -- Version 1 Specification. RFC 3060, February 2001.