On 1/23/13 7:08 PM, Alia Atlas wrote: > > > On Wed, Jan 23, 2013 at 6:37 PM, Joe Marcus Clarke <jcla...@cisco.com > <mailto:jcla...@cisco.com>> wrote: > > On 1/23/13 5:04 PM, Alia Atlas wrote: > > I'd be interested in hearing others perspective on the use-cases > requiring > > multi-headed control and what you see this requirement as meaning. > This > > is a rather > > different requirement, in terms of embedding the > policy-enforcement into > > the > > routing system, from what is currently done for CLI/NetConf/SNMP. In > > those cases, > > the latest writing wins and installs its state. For i2rs, an idea > > proposed (in > > http://tools.ietf.org/html/draft-atlas-irs-policy-framework) is that > > different i2rs clients > > are decided between based upon precedence. > > > > Frequently, different services are "known" to not collide, based upon > > human-assigned > > policy - such as different prefixes for different traffic types, etc. > > > > To get things started with a use-case, consider that there are two > > different services > > that are using i2rs. > > a) Special Traffic Flow Routing: a service that installs > > policy-based routing filters to > > route specific traffic on predetermined paths. > > b) DDoS Detection: a service that detects traffic of interest and > > installs policy-based > > routing filters to route the suspicious traffic to an > analysis box. > > In this case, the second service could have a higher precedence to > > override the first service's > > installed filters when necessary. > > > > Any opinions? > > More like a thought. In the use case you describe, couldn't both > coexist? Meaning you could simply have two PBR "actions," one that > routes the traffic and the other that copies the interesting traffic to > the DDoS sniffer. So the precedence may be the same and both can > coexist. Now, if the DDoS service finds a problem in the copied > traffic, it can install an overlapping policy that would preempt the > original. > > > Exactly - both could exist unless the DDoS service finds a problem with > a flow being routed by the first service.
That coexist wasn't clear (at least to me) in the draft or your description here. But maybe this wouldn't be considered overlap in the precedence sense? > > > As to the flow in the draft, if the new, higher-precedence service is > transient and the store-if-not-best bit is set, then the previous state > will be restored (if it has the next best precedence). Shouldn't the > commissioner be notified again that its state is active again? > > > Absolutely - I'll double-check to be sure that's in there when we revise > the draft. Thanks. Joe -- Joe Marcus Clarke, CCIE #5384, | | SCJP, SCSA, SCNA, SCSECA, VCP ||||| ||||| Distinguished Services Engineer ..:|||||||||::|||||||||:.. Phone: +1 (919) 392-2867 c i s c o S y s t e m s Email: jcla...@cisco.com ---------------------------------------------------------------------------- _______________________________________________ i2rs mailing list i2rs@ietf.org https://www.ietf.org/mailman/listinfo/i2rs
