Hi Zongpeng,

Thanks for your review.

In most cases, the number of PEPs is very limited, say 2 or maybe 3.

So the normal procedure is that the AAP discovers the PEP and remembers it during the 
discovery procedure. (Maybe a parameter such as "role" can be added to the 
IPAddressToAccessControlGroups Objective to distinguish their roles. It is 
missing currently.)

Whenever the AAP has updates (new/deleted/updated), it sends a unicast-based 
unsolicited synchronization to the PEP. If there are two PEPs, it sends two 
unicasts, one to each.

Whether a PEP will install the received mapping information is the PEP's 
choice.

I would like to highlight one thing which was asked about in the last meeting as well. 
The objective defined here is for distributing the mapping information, not the 
policy itself. The group-based policies should be provisioned upfront at the PEPs, 
so a PEP knows which groups have related policies at its spot.
It can selectively install the related mapping information. There could be some 
waste when the AAP sends mapping information to a PEP that has no coupled group 
policy to enforce at that spot, but that is not a big concern in most cases.

Thanks,
Yizhou



From: [email protected] [mailto:[email protected]]
Sent: Tuesday, October 26, 2021 10:05 PM
To: Liyizhou <[email protected]>; [email protected]
Cc: Xun Xiao <[email protected]>
Subject: Re: [Anima] unsolicited synchronization in 
draft-yizhou-anima-ip-to-access-control-groups-01.txt

Hi, Yizhou

    I have read the draft, and I think it is good to have a convenient way to 
update the policies in the network.


    Also, I want to share some personal understandings here. If any 
misunderstandings, please correct me. Thanks.


    The AAPs need to inform the PEPs of the policies of the users by using 
GRASP. It can happen when the user logs in, logs out, or triggers some policy 
changes.


    Maybe the first step is that the PEPs subscribe to the policy-changing events 
that they are interested in. Do they send some GRASP messages to the AAPs here?


    And then, if the user logs in, logs out, or triggers some policy changes, 
the AAP informs the PEPs that have subscribed. GRASP is used here. Is it a 
multicast?



Best Regards
Zongpeng Du

________________________________
[email protected] & [email protected]

From: Liyizhou <[email protected]>
Date: 2021-10-25 17:04
To: [email protected]
CC: Xun Xiao <[email protected]>
Subject: [Anima] unsolicited synchronization in 
draft-yizhou-anima-ip-to-access-control-groups-01.txt
Hi all,

The Unsolicited Synchronization message (as defined in section 5.1 of 
draft-ietf-anima-grasp-distribution) is greatly leveraged in this document to 
allow the access authentication point to pass IP-to-group mapping info to the 
policy enforcement point.

That would make the information retrieval more efficient compared to the request 
and reply (sync) mode.

I guess a missing part is a flag to be added to objective-flag, i.e.

      objective-flag = &(
        F_DISC: 0    ; valid for discovery
        F_NEG: 1     ; valid for negotiation
        F_SYNCH: 2   ; valid for synchronization
        F_NEG_DRY: 3 ; negotiation is a dry run
        F_UNSLC_SYNCH: 4 ; this is a missing line to indicate valid for 
unsolicited synchronization
      )

Looks like future GRASP objectives would need to consider whether they are 
valid for unsolicited synchronization or not.


Rgds,
Yizhou

_______________________________________________
Anima mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/anima
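The exchange described in this thread, as an added toy model that is not code from draft-yizhou-anima-ip-to-access-control-groups, draft-ietf-anima-grasp-distribution or any GRASP implementation: the AAP sends one unicast unsolicited synchronization per discovered PEP, and each PEP installs only the mappings whose groups it has a provisioned policy for, as described in the first message above. It also shows the objective-flags bitmap from the original post with the proposed bit 4. Assumptions, labelled in the code: the bit positions 0..3 are those of RFC 8990 and bit 4 (F_UNSLC_SYNCH) is the thread's proposal, not a registered flag; the objective value layout `[[ip, [groups...]], ...]` is invented for the model; an update whose groups no longer overlap a PEP's provisioned groups is treated as a withdrawal of that address; and all addresses and group names are constructed sample data.

```python
"""Toy model of the AAP -> PEP unsolicited-synchronization flow.

Added example, not code from the draft or any GRASP implementation.
Assumptions: RFC 8990 objective-flag bit positions 0..3 plus the proposed
bit 4; objective value laid out as [[ip, [groups...]], ...]; an entry whose
groups no longer overlap the PEP's provisioned groups withdraws that address.
"""
from dataclasses import dataclass, field
from ipaddress import ip_address

# Bit positions from RFC 8990 (objective-flag); bit 4 is the thread's proposal.
F_DISC, F_NEG, F_SYNCH, F_NEG_DRY, F_UNSLC_SYNCH = 0, 1, 2, 3, 4

OBJECTIVE_NAME = "IPAddressToAccessControlGroups"


def encode_flags(*bits):
    """Build the objective-flags bitmap (uint .bits objective-flag) from bit positions."""
    return sum(1 << b for b in set(bits))


def has_flag(flags, bit):
    return bool((flags >> bit) & 1)


@dataclass
class Objective:
    name: str
    flags: int
    value: list  # assumed layout: [[ip, [groups...]], ...]


@dataclass
class PEP:
    """Policy enforcement point whose group-based policies were provisioned upfront."""
    name: str
    provisioned_groups: set
    installed: dict = field(default_factory=dict)  # normalised ip -> frozenset(groups)

    def on_unsolicited_synch(self, obj):
        """Apply one unsolicited-synchronization objective.

        Returns the number of mappings installed or withdrawn. Raises ValueError
        on a malformed value so the caller can drop the whole message instead of
        applying half of it (validation happens before any state changes).
        """
        if obj.name != OBJECTIVE_NAME or not has_flag(obj.flags, F_UNSLC_SYNCH):
            return 0  # not our objective, or not flagged valid for unsolicited sync
        changes = []
        for entry in obj.value:
            if not (isinstance(entry, list) and len(entry) == 2):
                raise ValueError(f"malformed mapping entry: {entry!r}")
            ip = str(ip_address(entry[0]))  # validates and normalises (2001:DB8:: -> 2001:db8::)
            changes.append((ip, frozenset(str(g) for g in entry[1])))
        applied = 0
        for ip, groups in changes:
            if groups & self.provisioned_groups:  # some policy here needs this mapping
                if self.installed.get(ip) != groups:
                    self.installed[ip] = groups
                    applied += 1
            elif ip in self.installed:  # no longer relevant at this spot: withdraw
                del self.installed[ip]
                applied += 1
        return applied


@dataclass
class AAP:
    """Access authentication point that discovered its PEPs (typically 2 or 3)."""
    peps: list

    def push(self, mappings):
        """One unicast unsolicited synchronization per discovered PEP."""
        obj = Objective(OBJECTIVE_NAME, encode_flags(F_SYNCH, F_UNSLC_SYNCH), mappings)
        return {pep.name: pep.on_unsolicited_synch(obj) for pep in self.peps}


def demo():
    finance_pep = PEP("pep-a", {"finance"})
    guest_pep = PEP("pep-b", {"guest", "iot"})
    aap = AAP([finance_pep, guest_pep])
    # Constructed sample data (documentation address ranges), not from the draft.
    login = [["192.0.2.10", ["finance", "vpn"]], ["2001:DB8::5", ["guest"]]]
    first = aap.push(login)
    # 192.0.2.10 moves to the guest group: pep-a withdraws it, pep-b installs it.
    second = aap.push([["192.0.2.10", ["guest"]]])
    return first, second, finance_pep.installed, guest_pep.installed


if __name__ == "__main__":
    print(demo())
```

The two-pass shape in `on_unsolicited_synch` (validate every entry, then apply) is the check a PEP wants: a single malformed address in a pushed objective should not leave the table half-updated, and an objective that is not flagged valid for unsolicited synchronization is ignored rather than installed.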