
Policy-Based Management


Note: Many topics at this site are reduced versions of the text in "The Encyclopedia of Networking and Telecommunications." Search results will not be as extensive as a search of the book's CD-ROM.

Policy-based management provides a way to allocate network resources, primarily network bandwidth, QoS, and security (firewalls), according to defined business policies. As the requirement for QoS increases with the use of Voice over IP (VoIP) and other real-time applications, the requirement for bandwidth allocation based on policy increases. Policy definitions are a response to questions such as these:

  • Who and what can access which resources on the network?

  • What is the highest priority traffic, what is the lowest priority traffic, and what levels of traffic are in between?

  • What traffic must have guaranteed delivery?

  • How is bandwidth allocated to ensure guaranteed delivery?

  • What traffic is eligible for discard when the network becomes busy and congested?

A policy-based management system allows administrators to define rules based on these types of questions and manage them in the policy system. These rules take the form "If condition, then action." A condition may be a user or group, the time of day, the application type, or the network address. Policy rules are then distributed to network resources. Policy-based management systems are best for large networks, where large numbers of devices are easier to manage from a central location. Public networks also use a form of policy management to allocate resources, but there resource allocation is based on SLAs (service level agreements) established with customers.

Resources include devices that manage network bandwidth, security, IP addresses, storage, processors, and agents, as well as systems that manage services such as billing, accounting, and service mapping (i.e., mapping an RSVP request to an ATM SVC). Locator services are also required to help resource managers find one another. See "SLP (Service Location Protocol)" and "Service Advertising and Discovery."

In the last few years, network elements such as layer 3 switches and multilayer switches have gained the intelligence and processing speed to provide QoS and policy-based decision making. These devices have the ability to monitor and evaluate traffic without delay and make QoS and policy-related decisions. See "Multilayer Switching."

The IETF Policy Framework (POLICY) Working Group has developed a policy management architecture that is considered the best approach for policy management on the Internet. It includes the following components, as pictured in Figure P-4:

  • Policy management service    A graphical user interface for specifying, editing, and administering policy.

  • Dedicated policy repository    A place to store and retrieve policy information, such as an LDAP server or a DEN (Directory Enabled Network) device.

  • PDP (policy decision point)    A resource manager or policy server that is responsible for handling events and making decisions based on those events (i.e., at time x do y), and updating the PEP configuration appropriately.

  • PEP (policy enforcement point)    PEP exists in network nodes such as routers, firewalls, and hosts. It enforces the policies based on the "if condition then action" rule sets it has received from the PDP.

  • LPDP (local policy decision point)    This is a scaled-down PDP that exists within a network node and is used in cases when a policy server is not available. Basic policy decisions can be programmed into this component.

A variety of protocols may be used to communicate policy information between the PDP and the PEP. COPS (Common Open Policy Service) is the usual protocol, although DIAMETER or even SNMP may be used. COPS is a client/server protocol that provides transport services for moving policy information among IP network nodes. It also provides the transport for policy queries and responses. By moving policy information to different subnets, users can log on at other locations and receive the same service they receive from their home network.

COPS was developed by the IETF RSVP Admission Policy (RAP) Working Group, which is developing a scalable policy control model for RSVP. The group is working with the IETF POLICY Working Group to ensure that COPS supports policy information exchange between PDPs and PEPs. A complete set of related drafts and RFCs is located at the RAP site listed on the related entries page.

Directories have become a crucial part of policy-based management. They are used to store and retrieve policy information. The IETF is working with the DMTF (Desktop Management Task Force) to define how policies are implemented in its DEN (Directory Enabled Network) specification. DEN defines a standard directory services architecture and schema that can be used to store network policy and configuration information. It also defines a distributed database that can be replicated to other locations; a consistent data model (structure of the data, that is, how real-world objects are defined in the directory); and LDAP (Lightweight Directory Access Protocol), a protocol that applications use to access the directory. With DEN, network administrators can integrate network information and policies in a single database that is consistent across the enterprise.

A typical policy transaction starts with a resource request to some device by a user or another network device. For example, a user may request access to a router interface that leads to the Internet. The router forwards the request to the PDP in the policy server using the COPS protocol. The policy server then queries one or more directory servers (via LDAP) to determine the user's authorization. The information is then used to build a "policy lease" that is sent back to the router. The router then implements and enforces the policy via its policy enforcement point.
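The "if condition, then action" rules described earlier and the transaction just outlined (PEP asks PDP, PDP consults the directory, a policy lease comes back, and the LPDP takes over when no policy server is reachable) can be modelled in a few dozen lines. This is an added example, not code from the page or from any policy product; the directory contents, rule set, group names and addresses are all constructed, and a Python dict stands in for both the COPS exchange and the LDAP lookup.

```python
from ipaddress import ip_address, ip_network

class Rule:
    """One 'if condition then action' rule; a condition left as None matches anything."""
    def __init__(self, action, groups=None, apps=None, network=None, hours=None):
        self.action, self.groups, self.apps = action, groups, apps
        self.network = ip_network(network) if network else None
        self.hours = hours                                # (start_hour, end_hour), end exclusive

    def matches(self, req, user_groups):
        return bool((self.groups is None or user_groups & self.groups)
                    and (self.apps is None or req["app"] in self.apps)
                    and (self.network is None or ip_address(req["src_ip"]) in self.network)
                    and (self.hours is None or self.hours[0] <= req["hour"] < self.hours[1]))

def first_match(rules, req, user_groups, default="deny"):
    # First matching rule wins; with no match the decision is the default (deny).
    for rule in rules:
        if rule.matches(req, user_groups):
            return rule.action
    return default

class PDP:
    """Policy server: resolves the user in the directory, decides, and returns a policy lease."""
    def __init__(self, directory, rules, lease_seconds=300):
        self.directory, self.rules, self.lease_seconds = directory, rules, lease_seconds

    def decide(self, req):
        groups = self.directory.get(req["user"], set())  # stands in for the LDAP query
        return {"action": first_match(self.rules, req, groups), "ttl": self.lease_seconds}

class PEP:
    """Router-side enforcement point: asks the PDP; if no server is reachable, uses its LPDP rules."""
    def __init__(self, pdp, lpdp_rules):
        self.pdp, self.lpdp_rules = pdp, lpdp_rules

    def enforce(self, req):
        if self.pdp is None:                              # policy server unavailable
            return first_match(self.lpdp_rules, req, set())  # LPDP has no directory access
        return self.pdp.decide(req)["action"]

# Constructed sample data (not from the page): directory entries and a three-rule policy.
DIRECTORY = {"alice": {"finance"}, "bob": {"engineering"}}
RULES = [
    Rule("priority-high", apps={"voip"}),                 # real-time traffic gets priority
    Rule("permit", groups={"finance"}, network="10.1.0.0/16", hours=(8, 18)),
    Rule("permit", groups={"engineering"}),
]
LPDP_RULES = [Rule("priority-high", apps={"voip"})]      # basic rule programmed into the node
```

Note that the fallback path can only apply rules that need no directory data, so anything that depends on group membership is denied until the policy server is reachable again.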

Cisco QoS Policy Manager (QPM) enables end-to-end quality of service for enterprise networks. Network administrators use QPM as a complete system for application- and user-based centralized policy control, and automated reliable policy deployment. The QPM Web site is listed on the related entries page.

SOCKS v5 is an IETF standard that can support policy management and border control (firewalls) for IP networks. SOCKS is interoperable with new security models such as IPSec.

The following Internet RFCs provide more information on policy management.

  • RFC 2216 (Network Element Service Specification Template, September 1997)

  • RFC 2748 (The COPS (Common Open Policy Service) Protocol, January 2000)

  • RFC 2749 (COPS Usage for RSVP, January 2000)

  • RFC 2750 (RSVP Extensions for Policy Control, January 2000)

  • RFC 2751 (Signaled Preemption Priority Policy Element, January 2000)

  • RFC 2752 (Identity Representation for RSVP, January 2000)

  • RFC 2753 (A Framework for Policy-Based Admission Control, January 2000)

  • RFC 2768 (A Report of a Workshop on Middleware, February 2000)

  • RFC 2990 (Next Steps for the IP QoS Architecture, November 2000)

  • RFC 3052 (Service Management Architectures Issues and Review, January 2001)

  • RFC 3060 (Policy Core Information Model -- Version 1 Specification, February 2001)

  • RFC 3084 (COPS Usage for Policy Provisioning or COPS-PR, March 2001)

Copyright (c) 2001 Tom Sheldon and Big Sur Multimedia.
All rights reserved under Pan American and International copyright conventions.