[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: Distributing site-wide RFC 3484 policy

Subject: Re: Distributing site-wide RFC 3484 policy
From: Perry Lorier <perry@coders.net>
Date: Sat, 28 Jul 2007 13:35:18 +1200
Cc: v6ops@ops.ietf.org
In-reply-to: <46AA4A0D.6040109@gmail.com>
References: <46A4F9DD.50403@gmail.com> <56C08B78-D7FF-42A7-8422-5A9E9A6AADD9@inetcore.com> <46A609C5.1050109@gmail.com> <20070727.142827.31527302.yoshfuji@linux-ipv6.org> <46AA4A0D.6040109@gmail.com>
User-agent: Thunderbird 1.5.0.12 (X11/20070604)


This is a standard issue in any policy distribution mechanism -
if there are two sources for policy (e.g. local and central),
which one wins? That needs to be defined in the mechanism.
Sometimes, the site-wide policy will win, because the IT Management
has authority.

Non-local policy belongs to an Interface. The "Home network interface"policy discusses what you can do via that interface, the "Corporate VPN"policy describes what you can use the Corporate VPN for.

Local policy is how you merge these policies. eg say I have threeinterfaces on my laptop at the moment:


* Wireless to my home network.

The policy for this says "prefer me preferentially for the local networkstuffs" "I provide a native v6 internet connection (ie, globally scopedaddresses can be sent this way", etc


* VPN to my corporate workplace

The policy for this says "You can connect to local corporate servicespreferentially" "Provide non-preferential access to some services suchas an Internet connection"


* IP over the cellular network (GPRS, CDMA, EVDO whatever)
This policy for this says "I can provide an internet connection"

Local policy says "treat wireless + vpn as equal, then below that prefercellular connection". Thus the policies all get merged together to endup with:


If it's for the local home network use the wireless      High Priority
If it's for the company addresses, use the VPN            High Priority

If it's for a normal (globally scoped) address, use the wirelessMedium Priority


If it's for a globally scoped address, use the VPN         Low Priority

If it's for a globally scoped address, use the expensive, slowcellphone Low Priority

Thus a networks responsibility is to present what features it has andhow that network wants to be used (what source addresses it recommendsfor what, what connections it's willing to provide). Local policy is howto choose between different networks on it's various interfaces. Localpolicy could in theory override one given to it by the network, but ofcourse if it tries to do something the network doesn't providereachability towards it won't work.

References:
- Distributing site-wide RFC 3484 policy
  - From: Brian E Carpenter <brian.e.carpenter@gmail.com>
- Re: Distributing site-wide RFC 3484 policy
  - From: Ruri Hiromi <hiromi@inetcore.com>
- Re: Distributing site-wide RFC 3484 policy
  - From: Brian E Carpenter <brian.e.carpenter@gmail.com>
- Re: Distributing site-wide RFC 3484 policy
  - From: YOSHIFUJI Hideaki / 吉藤英明 <yoshfuji@linux-ipv6.org>
- Re: Distributing site-wide RFC 3484 policy
  - From: Brian E Carpenter <brian.e.carpenter@gmail.com>

Prev by Date: Re: Distributing site-wide RFC 3484 policy
Next by Date: Re: CPE equipments and stateful filters
Previous by thread: Re: Distributing site-wide RFC 3484 policy
Next by thread: Re: Distributing site-wide RFC 3484 policy
Index(es):
- Date
- Thread