Using the Script MIB for Policy-based Configuration Management

T. Klie, S. Mertens, M. Brunner, P. Martinez, J. Schönwälder, F. Strauß, J. Quittek

  • Computer Science Department, Technical University Braunschweig, Mühlenpfordtstr. 23, 38106 Braunschweig, Germany, {schoenw,strauss}@ibr.cs.tu-bs.de
  • Network Laboratories, NEC Europe Ltd., Adenauerplatz 6, 69115 Heidelberg, Germany, {brunner,quittek}@ccrle.nec.de
  • jasmin-team@ibr.cs.tu-bs.de

  • F. Strauß, TU Braunschweig

NOMS’2002 Florence, 17-Apr-2002


Outline

  • 1. IETF Management-by-Delegation Architecture
    – The Script MIB
    – Jasmin: A Script MIB Implementation
  • 2. IETF Policy Framework
  • 3. Script MIB-based Policy Management
    – Policies as Programs
    – Policies as Objects
  • 4. Conclusion

The Traditional Manager/Agent Architecture

[Figure: a Manager and a Management Agent (Managed Objects), connected by a link labelled Configuration & Monitoring (SNMP, ...).]


The IETF Management by Delegation (MbD) Architecture (I)

[Figure: Higher-Level Manager, Distributed Manager (Executing Scripts) and Management Agent (Managed Objects), connected by links labelled Monitoring & Control and Configuration & Monitoring, with protocol labels (SNMP, ...) and (SNMP).]


The IETF Management by Delegation (MbD) Architecture (II)

[Figure: Higher-Level Manager, Distributed Manager (Executing Scripts) and Management Agent (Managed Objects), connected by links labelled Monitoring & Control and Configuration & Monitoring, with protocol labels (SNMP, ...) and (SNMP). A Script Repository is added, with links labelled Script Upload and Script Download (SNMP, FTP, HTTP, ...).]


What the IETF Script MIB Specifies

[Figure: Higher-Level Manager, Distributed Manager (Executing Scripts), Management Agent (Managed Objects) and Script Repository, with links labelled Script Upload, Monitoring & Control, Configuration & Monitoring and Script Download (SNMP, FTP, HTTP, ...), and protocol labels (SNMP, ...) and (SNMP).]


The IETF DISMAN Script MIB

  • Designed and standardized by the IETF Distributed Management (DISMAN) Working Group
  • First Proposed Standard: RFC 2592, May 1999
  • Updated Proposed Standard: RFC 3165, August 2001
  • Supported functions:
    – Information on supported script languages and extensions
    – Transfer of scripts to a distributed manager
    – Control execution of management scripts
    – Retrieve results from management scripts
  • Security based on:
    – SNMPv3 security (USM and VACM)
    – Script runtime engine security models (sandbox)


The Jasmin Project

  • Joint project (1998 – 2001):
    – Technical University of Braunschweig
    – Network Laboratories, NEC Europe Ltd.
  • Goals of the project:
    – Evaluate and enhance the Script MIB Standard
    – Provide a prototype implementation
    – Study use-cases and develop supporting tools
  • Primary outcome of the project:
    – a flexible open source Script MIB agent implementation
    – supporting various runtime engines (currently Java, Tcl, Perl) via the Script MIB Extensibility Protocol (SMX), RFC 3179
  • In 2000 demand for policy-based configuration management increased
    → How could the Script MIB support this?


Policy-based Configuration Management

  • Motivation:
    – Traditional management of individual device-specific configurations is
      ∗ complex and error-prone (different vendors means different ways)
      ∗ too static (state configuration, no behavior configuration)
    – The general policies behind those configurations are often simple
  • Consequence:
    – Let the administrator configure just those policies
    – PBMS supports automated enforcement of the policies


General Concept of Policies

  • A Policy is represented by a number of Rules
  • Each rule consists of a Condition and an Action
  • The evaluation of a rule is triggered by an Event

on <event(s)> if <condition> do <action(s)>

Approaches to express policies:

  • Specific policy definition language, e.g. PONDER
  • Traditional programming language & language extension for policies
  • Policy Core Information Model (PCIM)

An infrastructure is required:

  • Policies must be distributed over the network
  • Policies must be interpreted
  • Managed devices must be configurable
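
The rule form on this slide (on <event(s)> if <condition> do <action(s)>) written out as a minimal evaluator. This is an added illustration, not code from the slides or from the Jasmin project; every name in it (RecordingDriver, Rule, Policy, the sample rules and event names) is hypothetical, and the driver only records settings instead of configuring a device.

```python
from dataclasses import dataclass, field
from typing import Callable, Dict, List


class RecordingDriver:
    """Hypothetical stand-in for a device-specific driver: records settings only."""

    def __init__(self) -> None:
        self.applied: List[Dict[str, str]] = []

    def configure(self, **settings: str) -> None:
        self.applied.append(settings)


@dataclass
class Rule:
    name: str
    events: List[str]                    # events that trigger evaluation of this rule
    condition: Callable[[dict], bool]    # evaluated against the event context
    action: Callable[[RecordingDriver, dict], None]


@dataclass
class Policy:
    name: str
    rules: List[Rule] = field(default_factory=list)

    def dispatch(self, event: str, ctx: dict, driver: RecordingDriver) -> List[str]:
        """Evaluate each rule subscribed to `event`; return the names of rules that fired."""
        fired = []
        for rule in self.rules:
            if event in rule.events and rule.condition(ctx):
                rule.action(driver, ctx)
                fired.append(rule.name)
        return fired


def build_sample_policy() -> Policy:
    # Constructed sample: prioritise voice traffic during office hours only.
    office = Rule("voice-office-hours", ["timer"],
                  lambda c: 8 <= c["hour"] < 18,
                  lambda d, c: d.configure(traffic="voice", queue="expedited"))
    night = Rule("voice-off-hours", ["timer"],
                 lambda c: not 8 <= c["hour"] < 18,
                 lambda d, c: d.configure(traffic="voice", queue="best-effort"))
    return Policy("voice-priority", [office, night])


def run_sample() -> List[Dict[str, str]]:
    policy, driver = build_sample_policy(), RecordingDriver()
    policy.dispatch("timer", {"hour": 9}, driver)    # office-hours rule fires
    policy.dispatch("link-up", {"hour": 9}, driver)  # no rule subscribed to this event
    policy.dispatch("timer", {"hour": 22}, driver)   # off-hours rule fires
    return driver.applied
```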
The IETF Policy-based Management Framework

[Figure: Policy Management Application, Policy Decision Point (PDP), Policy Enforcement Point (PEP) and Policy Repository, with links labelled Monitoring & Control, Configuration & Monitoring (HTTP, CLI, COPS-PR, SNMP, ...), Policy Upload and Policy Download.]


The IETF Policy-based Management Framework

[Figure: Policy Management Application, Policy Decision Point (PDP), Policy Enforcement Point (PEP) and Policy Repository, with links labelled Monitoring & Control, Configuration & Monitoring (HTTP, CLI, COPS-PR, SNMP, ...), Policy Upload and Policy Download.]

Déjà vu?


Management-by-Delegation vs. Policy-based Management

[Figure: the two architectures shown together. Management by Delegation: Higher-Level Manager, Distributed Manager (Executing Scripts), Management Agent (Managed Objects) and Script Repository, with links labelled Script Upload, Monitoring & Control, Configuration & Monitoring and Script Download (SNMP, FTP, HTTP, ...), and protocol labels (SNMP, ...) and (SNMP). Policy-based Management: Policy Management Application, Policy Decision Point (PDP), Policy Enforcement Point (PEP) and Policy Repository, with links labelled Monitoring & Control, Configuration & Monitoring (HTTP, CLI, COPS-PR, SNMP, ...), Policy Upload and Policy Download.]


Architecture of the Jasmin Policy-based Management System

[Figure: three tiers. Policy Manager / Higher-Level Manager: Policy Management Application, Script MIB Access Library (for agent communication), Policy Class Library (to construct policies), Web Server, Policy / Script Repository, Policy DB. Policy Decision Point / Distributed Manager: Script MIB Agent, Script MIB Runtime Engine, Script. Policy Enforcement Points / Agents: MIB etc., Network Elements. Link labels: SNMP; HTTP or FTP; SNMP, COPS-PR, SSH+CLI.]


Architecture of the Jasmin Policy-based Management System

[Figure: three tiers, with a "?" marked on the diagram. Policy Manager / Higher-Level Manager: Policy Management Application, Script MIB Access Library (for agent communication), Policy Class Library (to construct policies), Web Server, Policy / Script Repository, Policy DB. Policy Decision Point / Distributed Manager: Script MIB Agent, Script MIB Runtime Engine, Script. Policy Enforcement Points / Agents: MIB etc., Network Elements. Link labels: SNMP; HTTP or FTP; SNMP, COPS-PR, SSH+CLI.]


Different Levels of PDP Distribution

[Figure: three arrangements of a Policy Manager, PDPs and PEPs: (a) centralized, (b) weakly distributed, (c) strongly distributed.]


Two Approaches

Policies as Programs

    – Each policy is implemented as a Java program
    – Programs run independently and concurrently

Policies as Objects

    – Each policy is implemented by a set of PCIM objects
    – All policy objects are evaluated by the same process

[Figure: one layered stack per approach. Labels: policy program, policy 'scripts', policy objects, evaluation process, application domain specific configuration interface, network element configuration, language runtime engine, policy runtime engine.]


Policies as Programs

[Figure: layers inside the Script MIB language runtime engine. Labels: Usual script code within the runtime engine: Policy scripts (scripts using classes). Script MIB language extensions: Policy specific extension; Application domain specific extension; Application and config-mechanism specific network element drivers.]


Policies as Programs: Prototype Implementation

  • policyMgmt Java class package
    – Classes: Policy, Rule, Timer, ...
    – Interfaces: Condition, Action, EventGenerator, Driver
  • diffServ Java class package
    – Classes: Classifier, Queue, Scheduler, RandomDropper, ...
    – Driver Implementations: JtcDriver
  • jtc Java class package for the Linux DiffServ implementation
    – Classes: DSMarkQDisc, DSMarkClass, TCIndexFilter, ...
  • Simple examples

See the paper for details and the example


Policies as Objects

[Figure: layers inside the Script MIB policy runtime engine. Labels: Policy objects; Evaluation Process; Policy objects being instances of classes; class library; PCIM; Applic. domain policy classes; Application domain objects; Application and config-mechanism specific drivers; configuration.]


Policies as Objects: Prototype Implementation

  • Policy runtime engine
    – PolicyEvaluator class
    – Replaced class loader for serialized objects

  • Java classes implementing PCIM objects
  • Java classes implementing QPIM objects
  • DiffServ class package
  • Interface to the Linux DiffServ implementation from Uni Bern and NEC
  • Simple examples

See the paper for details and an example


Conclusions

  • Though originally designed for Distributed Management, the Script MIB is well-suited as a Policy-based Configuration Management infrastructure
  • No need to re-invent
    – a PDP internal architecture
    – a PDP-PEP protocol
    – a policy transfer protocol
    – a security model
    – a PDP control protocol
  • Depending on the chosen approach, it can be
    – cheap, using the existing Script MIB and runtime infrastructure, while policy scripts become more complex
    – standards based, applying the PCIM and using a special policy runtime engine
    – user friendly, using a policy definition language (not implemented by us)


Thank You! Q & A
