Abstract
The project aims to further
the development of policy-based network and systems management by combining
the language based approach formulated at Imperial College with the CISCO
Information Model (CIM-CX) based on the Common Information Model (CIM), a
DMTF Standard. Moreover, the project aims to achieve significant advances in
user definition of policy given the CIM-CX model, refinement of high level
policies into lower-level, device-specific ones, validation of policy
against device capabilities, and conflict analysis for a set of policies.
The project will also facilitate the interaction between policy-aware
applications and policy-based networks. Numerous efforts over the last years
within both academia and industry have focused on the development of
policy-based networks as a means of implementing adaptive Quality of Service
management and rapid deployment of customised services. For this approach to
be effective, policy needs to be clearly specified in a language easily
understandable by human administrators and policy-makers but also
implementable on the network elements. The language must be applicable to a
uniform representation of the network elements and their properties,
operations and relationships expressed in a device independent information
model. To be implementable, the policy specification must be free of
conflicts and must match the device capabilities. This project builds upon
the research done at Imperial College over the last 10 years and strives to
deliver an integrated solution to these problems.
Investigators:
Morris Sloman, Wayne Luk, Emil Lupu, Naranker Dulay
Imperial College, Department of Computing, 180 Queen’s Gate, London SW7 2 BZ
m.sloman, e.c.lupu, n.dulay, w.luk @doc.ic.ac.uk
Cisco Champions:
Anson Chen VP/GM, Network Management (achen@cisco.com)
Paul Gleichauf, Business Development Manager (phg@cisco.com)
Andrea Westerinen, Manager and Architect, Information Modeling
(andreaw@cisco.com)
Cicso Account Manager:
Tim Liney
Funding allocated: $46K
1 Motivation
There is considerable
interest in the Internet community in policy-based networks as a means of
implementing adaptive QoS (Quality of Service) management, caching,
persistence and security to support modern multimedia applications, mobility
and ubiquitous computing. Adaptive networks must support rapid deployment of
customised services tailored for potentially mobile, corporate and
individual users. However most of the current work on policy (within such
organisations as DMTF [6], IETF [10], [15] and in industry) concentrates on
specifying information models for policy based on CIM, LDAP Schema or XML,
or on very low-level protocols such as COPS for setting policy in network
elements [2],[8]. There has also been some separate work on specifying
security policies within roles [9],[11],[17]. Imperial College has been the
main focus for defining policy specification languages such as Ponder
- a
declarative, object oriented language for specifying both management and
security policy [4], [5] [14], [16] [18]. The other approaches do not have
the structuring and reusability concepts required to cater for very
large-scale inter-organisational environments where policy will be specified
by many different administrators.
Policies are rules
governing the choices in behaviour of a system. Authorisation policies are
used to define what services or resources a subject (management agent, user
or role) can access. Obligation policies are event triggered
condition-action rules which can be used to define the conditions for
reserving network resources, changing queuing strategy, or loading code onto
a router. A policy-enabled application may interpret policies to adapt to
requirements of specific users, such as what information to filter when
bandwidth or device capabilities are limited. However some of the
application specific policies may have to be enforced within the network.
Thus policy-enabled applications need to be able to transfer policies to
policy-based programmable networks. Similarly, the network may need to pass
policies to be interpreted by the application for more efficient adaptation,
for instance related to caching or monitoring of application specific
components. Note that a network supporting ubiquitous computing is not just
routers and switches but includes processing, storage and caching services.
The policy supporting an application must be decomposed and deployed on all
these components, which may have very different capabilities for executing
the policy. One of the objectives of this project will be to investigate the
policy interaction between different administrative domains which could
correspond to an application, service provider or organisation.
Multiple policies will
apply to the network elements in order to support the requirements of
different applications, different users and cooperating but distinct
administrative domains. Furthermore, the shared resource that the network
represents is itself composed of different elements with varying
capabilities and interfaces. It thus a prime concern to ensure: i) that
policies applying to the same network elements are consistent and ii) that
the network elements have the capability to implement the policy. Tools are
needed to consistently define and analyse policies in order to detect
conflicts and validate the specification with respect to the device
capabilities. Simple conflicts may arise when positive and negative
authorisation are permitted but some conflicts are context specific such as
two policies which try to assign different priorities to a particular data
stream, or which result in a conflict for limited shared resources [13].
Very little work has been done on the specification of these conditions. We
have been investigating the use of OCL (Object Constraint Language, an OMG
Standard) to specify constraints relating to a set of policies (which we
call metapolicies). Further work is needed in order to refine these
specifications and elaborate their use in real-life examples.
The results of this project
will benefit not only CISCO, a major promoter of policy-based networking,
but the network management community at large. Applying Ponder policies to
CIM (and therefore CIM-CX) represented network elements and services will
benefit all those in industry and academia adopting the CIM standard.
Furthermore, the results on policy analysis and validation as well as the
approach elaborated for inter-domain policy interactions will constitute
valuable theoretical and practical results for any policy-driven framework.
All the investigators in this project have an established track record of
publishing their research results in journals, conferences and international
fora. Furthermore, all reports and developed code will be made freely
available to the community at large.
2 The Ponder Policy
Framework
Ponder is an
object-oriented, declarative language developed at Imperial College for
specifying management and security policies [4]. For example, the following
authorisation policy with the name bwalloc permits the Agroup to perform the
action of setting up a videoconference with bandwidth of 4 Mb/s and priority
of 3 to the BGroup in New York or the Dgroup in Boston between 16.00 and
18.00 daily.
inst auth+ bwalloc {
subject Agroup;
target
BGroupNY + DGroupBoston;
action videoconf (bw=4,
priority=3);
when time.between (1600,1800); }
The following obligation
policy type named videoSetUp, takes two parameters – a subject which
evaluates the policy and a target on which the action to reserve bandwidth
is performed, when an event is received for a videoRequest with the
requested bandwidth bw as a parameter. A constraint defines that the
reservation will only take place if the allocated bandwidth plus the request
is less than a maximum allowed bandwidth. It is assumed that the allocated
and maximum bandwidth are variables held within the subject. (The subject
would either be a single object in the CIM Schema, or information found by
traversing the information model starting from the subject s). Two instances
of the policy are then created for different gateway subjects and router
targets.
type oblig videoSetUp
(subject s; target t;)
on videoRequest (bw);
do t.bwreserve (bw);
when ((s.allocatedbw + bw)
< s.maxbw); }
inst USvideoSetUP =
videoSetUp (gateways/USgateway, routers/USedgeRouter);
inst
UKvideoSetUP = videoSetUp
(gateways/UKgateway, routers/UKedgeRouter);
Ponder also supports
grouping of policies into roles related to positions in organisations or the
set of policies applying to a particular network component [18]. Management
structures can be defined as configurations of roles with policies applying
to relationships between roles for organisational units such as departments
or buildings. Inheritance permits specialisation of existing policy
specifications for different environments. Ponder also allows complex
actions to be implemented by dynamically loaded scripts within the subject
policy interpreter. Details of the Ponder language are described in [4] [5].
It should be noted that
Ponder realizes the basic constructs of the IETF's
and DMTF's Policy Core
Information Model (PCIM) in its approach to obligation policies.
3 Research objectives and
research issues
How should policies be
communicated between different administrative domains? This includes the
representation of policies and transformation between the semantics
understood by the various components involved.
Can we use policies to
manage the deployment of policies and hence support adaptive policies
which change according to network conditions?
How to specify
constraints in order to prevent conflicts within a set of policies for a
particular network component, across a set of cooperating components or
when merging policies from different organisations?
How to validate a set of
policies against the capabilities of the devices to which they are meant
to be applied?
How to support
policy-driven self-managed cells in an ubiquitous computing environment.
4 Work Packages
Deliverables:
Month 6: Case studies
of the use Ponder in a CIM
environment.
Within the Polyander
project we will focus on validation of refined policies with respect to the
capabilities and state of the network elements which actually implement the
policy. Initial work has started on this validation with respect to a
DiffServ environment. We have identified the need to validate policies with
respect to target device capabilities to create DiffServ functional
elements; whether static variable such as maximum queue lengths are violated
by polices whether dynamic variables such as requested bandwidth for a
class of service is less than available bandwidth. Some of the dynamic
checking can be done within the policies themselves by means of constraints
but other validation requires metapolicies i.e. constraints (policies) about
permitted policies. The Ponder compiler needs extensions to support
metapolicies as the current implementation does not support them. In
addition we will investigate the extensions to the CIM model to allow
representation of the information required for policy validation. Further
extension of the validation will be with respect to end-to-end application
flows across multiple routers i.e. is it possible to perform the validation
with respect to a service level request rather than policies for a specific
router.
The two main issues here are how do we represent
policies, and how do we map the policies which are meaningful to the
application onto those appropriate for network components and then deploy
them. We already have an implementation of the use of policies for
installing other policies and adapting to failures or new requests in a
DiffServ environment [21],
as an extension to the manual deployment architecture [7].
We have started looking at ubiquitous computing environments with
policy-driven self-managed cells (SMCs), which may correspond to body
area networks for medical monitoring, a network with sensors in the home,
office or an outdoor sensor network. These SMCs interact with other peer
cells or may be composed to form complex application specific networks.
This type of approach raises many research issues with respect to validating
policies that apply to multiple cells, how to transfer policy information
between cells etc. We will be implementing at least one scenario related to
ubiquitous computing for healthcare applications.
Deliverables:
Month 6: Update current
DiffServ management implementation to include validation and use of CIM
objects.
5
Summary of work achieved WP1: Policy in a CIM environment
We have found that Ponder
is well suited for specifying policies for CIM described managed objects. We
have started using the CIM network sub-model for representing the DiffServ
functional elements that a router supports and specifying policy in terms of
configuration of the CIM attributes. Furthermore, since there is no a
specific CIM sub-model for providing traffic statistics related to DiffServ,
e.g. number of implemented traffic classes, bandwidth allocated to each
class of traffic, etc., we are currently deploying a DiffServ metrics CIM
sub-model that provides this information. This model will be used in WP2 in
order to perform validation tasks for a DiffServ network environment.
WP2: Policy
Validation Tools
Important progress has been
made towards this goal. We have adopted a two pronged approach by
investigating policy validation with respect to device capabilities and
traffic state on one hand (where device capabilities and traffic state are
provided by CIM) and adopting a formal approach towards analysis and
refinement by translating Ponder policies into event calculus on the other
[22] . More information about our approach on policy validation can be found
in [23].
[1] Chen, F. and R.S.
Sandhu. Constraints for Role-Based Access Control. In Proceedings of First
ACM/NIST Role Based Access Control Workshop. 1995. Gaithersburg, Maryland,
USA, ACM Press. [2] Cisco Assure QoS Policy
Manager http://www.cisco.com/warp/public/cc/cisco/mkt/enm/cap/index.shtml
[3] Corradi, A., R.
Montanari, C. Stefanelli, E. Lupu and M. Sloman. Flexible Access Control for
Java Mobile Code, 16th Annual Computer Security Applications Conference
(ACSAC2000), Dec 2000, New Orleans USA. [4] Damianou, N., N. Dulay,
E. Lupu and M. Sloman. Ponder: A Language for Specifying Security and
Management Policies for Distributed Systems. The Language Specification -
Version 2.2. Research Report DoC 2000/1, Imperial College of Science
Technology and Medicine, Department of Computing, London, 3 April, 2000.
[5] Damianou, N., N. Dulay,
E. Lupu and M. Sloman. The Ponder Policy Specification Language. Workshop on
Policies for Distributed Systems and Networks (Policy2001), HP Labs Bristol,
29-31 Jan 2001. [6] Distributed Management
Task Force, Inc. (DMTF), Common Information Model (CIM) Specification,
version 2.2, available from http://www.dmtf.org/spec/cims.html, June 14,
1999. [7] N. Dulay, E. Lupu, M.
Sloman, N. Damianou, A Policy Deployment Model for the Ponder Language,
Proc. IEEE/IFIP International Symposium on Integrated Network Management
(IM’2001), Seattle, May 2001, IEEE Press, pp. 529-543. [8] HP PolicyXpert
http://www.openview.hp.com:80/products/policy/ [9] IBM. Access Control
Meets Public Key Infrastructure, or: Assigning Roles to Strangers. IEEE
Symposium on Security and Privacy. 2000. http://www.hrl.il.ibm.com/TrustEstablishment/paper.asp.
[10] Internet Engineering
Task Force. Policy Working Group http://www.ietf.org/html.charters/policy-charter.html
[11] Jajodia, S., P.
Samarati and V.S. Subrahmanian. A Logical Language for Expressing
Authorisations. In Proceedings of IEEE Symposium on Security and Privacy.
1997, pp. 31-42. [12] Lobo, J., R. Bhatia
and S. Naqvi. A Policy Description Language. In Proc. of AAAI, July 1999.
Orlando, Florida, USA. [13] Lupu, E.C. and M.
Sloman. Conflicts in Policy-Based Distributed Systems Management. IEEE
Trans. on Software Engineering, 25(6): 852-869 Nov.1999. [14] Lupu, E.C. and M.S.
Sloman. Towards a Role Based Framework for Distributed Systems Management.
Journal of Network and Systems Management, 1997b. 5(1):5-30. [15] Moore, B., J.
Strassner and E. Ellesson. Policy Core Information Model VI. IETF draft,
from http://www.ietf.org, May 2000. [16] Rational Software
Corporation. Object Constraint Language Specification, Version 1.1,
Available at http://www.rational.com/uml/, September 1997. [17] Sandhu, R.S., E.J.
Coyne, H.L. Feinstein and C.E. Youman. Role-Based Access Control Models.
IEEE Computer, 1996. 29(2): 38-47. [18] Sloman, M. and E. Lupu.
Policy Specification for Programmable Networks. Proc. of First International
Working Conference on Active Networks (IWAN’99), Berlin, June 1999, ed. S.
Covaci, LNCS, Springer Verlag, Berlin, June 1999, pp. 73-84. [19] Martinez, M. et al.
Using the Script MIB for Policy-based Configuration Management. Proc. NOMS
2002: 8th Network Operations and Management Symposium, Florence, Italy,
15-19 Apr. 2002. [20] Leonidas A.
Lymberopoulos. An Adaptive Policy Based Management Framework for Network
Services Management. PhD Transfer Report, Imperial College London, 29 May
2002. Available from http://www.doc.ic.ac.uk/~llymber [21] Lymberopoulos, L.,
Lupu, E. & Sloman, M. An Adaptive Policy Based Management Framework for
Network Services Management. To appear in Special Issue on Policy Based
Management of Networks and Services, Journal of Networks and Systems
Management [22] Bandara A, Lupu E,
Rosso A. Using Event Calculus to Formalise Policy Specification and
Analysis, IEEE Workshop on Policies for Distributed Systems and Networks
(Policy2003), Como, Italy June 2003. [23]
Leonidas Lymberopoulos, Emil
Lupu and Morris Sloman.
Using CIM to Realize Policy Validation within the
Ponder Framework. Presented
at DMTF's 2003 Global Management
Conference, San Jose, CA, USA, 16-19 Jun. 2003 (Best
Academic Paper Award)per Award) [24] WBEM Services Project,
http://wbemservices.sourceforge.net/
The overall objective of the project is to evaluate
policy specification languages as a means of specifying and implementing
both security and management policies for adaptive networks.
The specific
objectives of this project are:
(1): To
evaluate and refine the Ponder Policy Language
for specifying policy for a CIM environment where the CIM (and therefore
CIM-CX) information model defines the objects to which policy applies. (Use
of the model to provide the underlying semantics for policy rules
facilitates an improved and consistent environment for policy definition.)
We have found that Ponder is well suited for specifying
policies for CIM described managed objects. We have started using the CIM
network sub-mode for representing the DiffServ elements that a router
supports and specifying policy in terms of configuration of the CIM
attributes. However, the overall objective has not been achieved yet and
further implementation is needed to integrate the Ponder environment with a
CIM based implementation for the configuration of network elements and case
studies must be developed.
(2):
To develop techniques and interfaces for interaction between policy-based
applications and policy-enabled networks in order to support dynamic
adaptation and to deploy policies in a heterogeneous environment
This has been mostly
achieved. We have made
substantial progress towards the implementation of an adaptive policy based
management framework for networks providing Differentiated Services [JNSM].
This framework automatically changes the underlying network policy as a
respond to changes in application QoS requirements and network events
indicating problems delivering DiffServ network services at the desired QoS
levels.
Furthermore,
we have a deployment system for Ponder policies which has been made
available in the public domain and have an XML format and compiler back end
for Ponder to enable easy exchange of policies. See http://www-dse.doc.ic.ac.uk/Research/policies/ponder.shtml
(3):To
develop tools for rule refinement, conflict and consistency analysis of
policies to permit merging of policies from multiple administrative domains
and across multiple devices with varying capabilities
Important progress has been
made towards this goal. We have adopted a two pronged approach by
investigating policy validation [23] with respect to device capabilities and
traffic state on one hand and adopting a formal approach towards analysis
and refinement by translating Ponder policies into event calculus on the
other [22].
Both tasks require further work.
(4):To
validate the above approach in various scenarios applying policies as a
constrained form of programming to drive adaptation and management in
networked environments.
We have implemented an
adaptive policy based management environment for network service management
which maps onto DiffServ implementation for QoS management [21]. It
currently controls a simulated DiffServ network, but further work is
required, to show how it could work with CIM objects model and to implement
the policy validation.
The research issues to be addressed by this project
include:
WP1:
Policy in a CIM environment
CIM provides a suitable information model for
specifying users, devices or components to which policy applies. Although
there has been work within the IETF/DMTF on defining an information model
for representing policies in CIM, we are not aware of anyone actually
defining policies for CIM objects. We will evaluate the use of Ponder
for specifying both management and security policies, and then refine the
language to cater for any shortcomings identified in the evaluation. The
DiffServ part of the CIM network sub-model and the DiffServ metrics
sub-model will be implemented within the CIM Object Manager (CIMOM) that
the WBEM Services project provides [24].
Our implementation will involve two steps:
Month 12: Demonstrator
of Ponder policies applied to
CIM described managed objects
WP2:
Policy Validation Tools
WP3: Demonstration
Scenarios
Month 12: Policy
Driven, self managed cell architecture and policy interaction specification.
Further implementation is
needed to integrate the Ponder environment with a CIM-based implementation
for the configuration of network elements and case studies must be
developed. We have started working on the configuration
of CIM-enabled DiffServ Linux routers
using the DiffServ classes of the CIM network sub-model.
We have also deployed a
prototype implementation of an adaptive policy based management system for
network service management which maps onto DiffServ implementation for QoS
management. More information about this implementation can be found in [21].
This implementation currently controls a simulated DiffServ network, but
further work is required, to show how it could work with routers that are
represented with the CIM objects model and to perform policy validation
tasks with the scope of WP2.
This approach is currently
being implemented [23]. This implementation
will extend the Ponder compiler to
support meta-policies and uses the CIM Object Manager (CIMOM) from the WBEM
Services Project [24] to provide the policy management system the necessary
device and network information from CIM.
Site maintained by Leonidas Lymberopoulos (llymber@doc.ic.ac.uk)
Project Publications
Ponder Policy Implementation and Validation in a CIM and Differentiated
Services Framework
|