The PDP evaluates the policy request or the event and determines the policy decisions to be sent to the PEP clients. This exchange is protected with a TLS-based transport. The PDP integrates different XML-based, client-type-specific modules according to the kinds of policies supported (e.g., IPsec, QoS, routing, etc.). Each of these PDP modules has an XML schema defining its high-level policy representation.
Policy Enforcement Point (PEP)
PEP clients enforce the policy decisions taken by the PDP on the policy-managed network nodes. When a new PEP becomes active in the network, or some event occurs at the PEP, the PEP needs to obtain or update its internal configuration. At that moment the PEP sends a policy request to the default PDP server it has configured. PEP clients also integrate different XML-based, client-type-specific modules according to the types of policies supported. Additionally, a PEP may need to transform the low-level representation into an internal configuration that is specific to the vendor, operating system and software release, and vice versa. The PEP uses a Policy Configuration Transformer module for this; it is based on XSLT (XSL Transformations).
2.2 XML-Seamless Policy Representation
The policy representation is defined at two levels. The first one represents high-level
policies generated by the administrator in a Policy Management Tool (PMT) and
stored in the XML Policy Database. The second level of representation defines low-
level policies to be exchanged between the Policy Decision Points (PDPs) and the
Policy Enforcement Points (PEPs) existing in the management architecture. Both pol-
icy representations have the following features in common:
Based on the IETF Policy Core Information Model (PCIM) [6]
Defined from an XML Schema
Encoded in XML
For the low-level policy, we have defined an XML schema from the PIB (Policy Information Base) definition that permits the XML encoding of such a structure (XML PIB). The IETF defines PIB modules in ASN.1 notation, so we use XER (XML Encoding Rules) [7], a mechanism for converting between ASN.1-encoded data structures and XML-encoded data structures, to derive an XML schema from the PIB definition in ASN.1. When XER is applied to the ASN.1 definitions, each data structure is encoded as a character string in the form tag, value, end-tag, whereas BER encodes data structures as octets in the form tag, length, value. Figure 1 shows how XER-encoded PIBs fit in the proposed management architecture.
[Figure 1: the PMT produces the High-Level XML Policy, which is stored in the Policy Database and read by the PDP; the PDP sends the Low-Level XER-encoded PIB to the PEP]
Fig. 1. XML-seamless policy representation
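As an added, runnable illustration of the contrast drawn above between XER's tag, value, end-tag form and BER's tag, length, value form (this is editorial example code, not from the paper or its XML PIB implementation): the ASN.1 type PolicyEntry with fields prid and action is a constructed hypothetical type, not an IETF PIB module; the BER encoder follows X.690 for INTEGER, OCTET STRING and SEQUENCE, and the XER form uses the basic XER representation with OCTET STRING values written as upper-case hexadecimal. The BER reader checks every declared length against the buffer before slicing, which is the check any PEP that parses policy data received from the network must make.

```python
"""Editorial example: the same PIB-style record in BER (tag, length, value)
and XER (tag, value, end-tag).  Hypothetical ASN.1 type, not an IETF PIB:

    PolicyEntry ::= SEQUENCE {
        prid    INTEGER,        -- policy rule identifier
        action  OCTET STRING }  -- opaque action payload
"""
import xml.etree.ElementTree as ET

# ---- BER (ITU-T X.690): every element is tag, length, value ---------------

def ber_length(n: int) -> bytes:
    """Definite-form length: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def ber_integer(value: int) -> bytes:
    """INTEGER (tag 0x02) as the shortest two's-complement octet string."""
    n = 1
    while not -(1 << (8 * n - 1)) <= value < (1 << (8 * n - 1)):
        n += 1
    body = value.to_bytes(n, "big", signed=True)
    return b"\x02" + ber_length(len(body)) + body

def ber_octet_string(value: bytes) -> bytes:
    """OCTET STRING (tag 0x04): the bytes themselves are the value."""
    return b"\x04" + ber_length(len(value)) + value

def ber_sequence(*elements: bytes) -> bytes:
    """SEQUENCE (tag 0x30, constructed): concatenated child TLVs."""
    body = b"".join(elements)
    return b"\x30" + ber_length(len(body)) + body

def ber_read_tlv(data: bytes, pos: int = 0):
    """Read one TLV starting at pos; returns (tag, value, next_pos).

    The declared length is checked against the buffer before slicing:
    a decoder that trusts the length field is a classic parser bug.
    """
    if pos + 2 > len(data):
        raise ValueError("truncated TLV header")
    tag, first = data[pos], data[pos + 1]
    pos += 2
    if first < 0x80:
        length = first
    else:
        n = first & 0x7F
        if n == 0 or pos + n > len(data):
            raise ValueError("bad long-form length")
        length = int.from_bytes(data[pos:pos + n], "big")
        pos += n
    if pos + length > len(data):
        raise ValueError("BER length exceeds buffer")
    return tag, data[pos:pos + length], pos + length

# ---- XER (ITU-T X.693): every element is tag, value, end-tag --------------

def xer_element(name: str, content: str) -> str:
    """Character-string encoding: no length field, the end-tag delimits."""
    return f"<{name}>{content}</{name}>"

# ---- PolicyEntry in both encodings ----------------------------------------

def encode_policy_entry_ber(prid: int, action: bytes) -> bytes:
    return ber_sequence(ber_integer(prid), ber_octet_string(action))

def decode_policy_entry_ber(data: bytes):
    tag, body, end = ber_read_tlv(data)
    if tag != 0x30 or end != len(data):
        raise ValueError("expected a single SEQUENCE")
    t1, prid_bytes, pos = ber_read_tlv(body)
    t2, action, pos = ber_read_tlv(body, pos)
    if t1 != 0x02 or t2 != 0x04 or pos != len(body):
        raise ValueError("unexpected SEQUENCE contents")
    return int.from_bytes(prid_bytes, "big", signed=True), bytes(action)

def encode_policy_entry_xer(prid: int, action: bytes) -> str:
    # Basic XER writes OCTET STRING values as upper-case hexadecimal.
    return xer_element("PolicyEntry",
                       xer_element("prid", str(prid))
                       + xer_element("action", action.hex().upper()))

def decode_policy_entry_xer(text: str):
    root = ET.fromstring(text)
    if root.tag != "PolicyEntry":
        raise ValueError("expected PolicyEntry")
    return int(root.findtext("prid")), bytes.fromhex(root.findtext("action"))

if __name__ == "__main__":
    ber = encode_policy_entry_ber(300, b"permit")
    xer = encode_policy_entry_xer(300, b"permit")
    print(ber.hex())   # 300c0202012c04067065726d6974
    print(xer)         # <PolicyEntry><prid>300</prid><action>7065726D6974</action></PolicyEntry>
    print(decode_policy_entry_ber(ber), decode_policy_entry_xer(xer))
```

Reading the two outputs side by side shows the point of the paragraph: the BER octets carry an explicit length before each value (30 0c, 02 02, 04 06), while the XER string carries none and relies on the closing tag. The same asymmetry is why a BER parser must validate lengths against the buffer, whereas an XER consumer inherits the well-formedness checks of its XML parser.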