Towards federated policy management

Abstract
In both data networks and telecommunication networks we are seeing substantial growth in the number of policy engines and policy-enabled services and applications. We argue that end-users and network operators will need to have a unified, conceptually centralized "view" of the policies that they have specified and a unified understanding of how the policies will play out in the underlying infrastructure. We address the issue of "federated policy management", which allows users to specify preferences and policies at a high level and uses automated tools to map those preferences and policies into appropriate rule sets running on appropriate policy engines. As a key step in this direction, we develop a framework to support federated policy management in a restricted setting. Unlike previous work on distributed rule processing, the focus here is on multiple policy decisions within a single process flow. Specifically, in the terminology of IETF and Parlay/OSA, we study the case of a service or application that has multiple policy enforcement points (PEPs). We assume a policy language that supports production-system-style rules with chaining but no recursion (based on previous work on policy requirements for the telecommunications context). We present algorithms whereby users can specify a single coherent ruleset expressing their preferences, and this ruleset is mapped to multiple rulesets, one for each PEP in the application.
