
Re: Distributing site-wide RFC 3484 policy



Hi,

Brian E Carpenter wrote:
On 2007-08-03 12:34, YOSHIFUJI Hideaki / 吉藤英明 wrote:
...

2. Applicability of distribution of "exact" policy table is too restricted.
   An implementation may want to have their own policy, or more attributes
   (probably, in addition to ifindex), e.g. traffic class or whatever.
   The ifindex should be assumed one of extensions to the "standard"
   policy table, and the details should be left to implementations.
   The policy announced from network cannot be set directly.

   I know that conflicts are common, but, I would say, the distribution
   should not (or cannot) be an exact one, but a "hint", "suggestion" or
   "recommendation".  I do think it is much better to have information as
   "relative" representation, but at least, we should make the interpretation
   clear.

   Of course, an implementation may assume such information an order from
   network, but the network policy can only be enforced by the network.

   If the interpretation of the "policy" is relaxed, we will have more
   chances to use such framework.

I agree that the IETF specification should not say that the central
policy takes priority over the host policy. IMHO we should provide
a mechanism (such as assigning a weight to each policy element),
so that it is a configuration issue whether the central policy or the
host policy wins.

   Brian


About zone-index, we don't hesitate to remove it from our specification
if there is no single case that utilizes zone index or we cannot make
use of it because of its characteristics.

About Brian's comment,
I agree that we should provide such a mechanism for changing
policy acceptance behavior at hosts. Although these issues should be
"implementation dependent", IMHO it is better to describe several
possible and valid implementation approaches in the specification draft.

Whether the distributed values should be "relative" or "absolute"
depends on such a mechanism. If the mechanism allows a host's policy
to be fully overwritten, the distributed values can be used as absolute
values. They have to be taken as relative values if a user chooses
a "merge mechanism", which can lead to policy collision in some cases though.

--
Arifumi Matsumoto
   IP Technology Expert Team
   Secure Communication Project
   NTT Information Sharing Platform Laboratories
   E-mail: arifumi@nttv6.net
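The "absolute" versus "relative" (merge) handling discussed above, as an added illustration that is not part of this thread or of any draft: the host table is the RFC 3484 default policy table, the distributed table is constructed, and the weight parameter, the precedence blending and the collision reporting are assumptions about one possible mechanism, not anything specified.

```python
import ipaddress

# RFC 3484 section 2.1 default policy table: (prefix, precedence, label)
DEFAULT_TABLE = [
    ("::1/128", 50, 0),
    ("::/0", 40, 1),
    ("2002::/16", 30, 2),
    ("::/96", 20, 3),
    ("::ffff:0:0/96", 10, 4),
]

# Constructed example of a table announced from the network (not from any draft)
DISTRIBUTED_TABLE = [
    ("2001:db8::/32", 45, 5),  # new prefix the host does not know about
    ("2002::/16", 10, 2),      # same prefix and label, lower precedence
    ("::/0", 40, 7),           # same prefix, but a different label: a collision
]

def merge_policy(host, distributed, mode, weight=0.5):
    """Combine a host table with a distributed one.
    mode "absolute": the distributed table fully overwrites the host table.
    mode "relative": distributed entries are hints; for a prefix present in
    both tables the precedence is blended by weight (0 = host wins, 1 =
    network wins) and the host label is kept. Returns (table, collisions),
    where collisions lists prefixes whose labels disagree."""
    if mode == "absolute":
        return list(distributed), []
    if mode != "relative":
        raise ValueError("mode must be 'absolute' or 'relative'")
    result = {ipaddress.ip_network(p): (prec, lbl) for p, prec, lbl in host}
    collisions = []
    for p, prec, lbl in distributed:
        net = ipaddress.ip_network(p)
        if net in result:
            hprec, hlbl = result[net]
            if hlbl != lbl:
                collisions.append(p)  # labels cannot be blended; keep host's
            result[net] = (round(hprec * (1 - weight) + prec * weight), hlbl)
        else:
            result[net] = (prec, lbl)
    table = [(str(n), pr, lb) for n, (pr, lb) in result.items()]
    return sorted(table, key=lambda e: -e[1]), collisions

def lookup(table, addr):
    """Longest-prefix match of addr, returning (precedence, label) or None."""
    a = ipaddress.ip_address(addr)
    best = None
    for p, prec, lbl in table:
        net = ipaddress.ip_network(p)
        if a in net and (best is None or net.prefixlen > best[0]):
            best = (net.prefixlen, prec, lbl)
    return None if best is None else (best[1], best[2])
```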