Re: [Ibnemo] Clearing up some misconceptions, part 1: Technical Questions
"Susan Hares" <shares@ndzh.com> Fri, 19 June 2015 19:59 UTC
Return-Path: <shares@ndzh.com>
X-Original-To: ibnemo@ietfa.amsl.com
Delivered-To: ibnemo@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 1E1581AD4A1 for <ibnemo@ietfa.amsl.com>; Fri, 19 Jun 2015 12:59:47 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -101.889
X-Spam-Level:
X-Spam-Status: No, score=-101.889 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, T_DOS_OUTLOOK_TO_MX_IMAGE=0.01, USER_IN_WHITELIST=-100] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id fV8XOyz10aBI for <ibnemo@ietfa.amsl.com>; Fri, 19 Jun 2015 12:59:35 -0700 (PDT)
Received: from hickoryhill-consulting.com (hhc-web3.hickoryhill-consulting.com [64.9.205.143]) by ietfa.amsl.com (Postfix) with ESMTP id 182581AD47E for <ibnemo@ietf.org>; Fri, 19 Jun 2015 12:59:35 -0700 (PDT)
X-Default-Received-SPF: pass (skip=loggedin (res=PASS)) x-ip-name=174.124.166.245;
From: Susan Hares <shares@ndzh.com>
To: 'John Strassner' <John.sc.Strassner@huawei.com>, ibnemo@ietf.org
References: <B818037A70EDCC4A86113DA25EC02098200E5215@SJCEML701-CHM.china.huawei.com>
In-Reply-To: <B818037A70EDCC4A86113DA25EC02098200E5215@SJCEML701-CHM.china.huawei.com>
Date: Fri, 19 Jun 2015 15:59:23 -0400
Message-ID: <027701d0aaca$70878630$51969290$@ndzh.com>
MIME-Version: 1.0
Content-Type: multipart/related; boundary="----=_NextPart_000_0278_01D0AAA8.E97D8750"
X-Mailer: Microsoft Outlook 14.0
Thread-Index: AQEMgFfNqd3oJ2/0C6+de/8/FYTzFp88dopw
Content-Language: en-us
X-Authenticated-User: skh@ndzh.com
Archived-At: <http://mailarchive.ietf.org/arch/msg/ibnemo/ehrV2Ubxe0YUcaz5WC4k4x3Vf_I>
Subject: Re: [Ibnemo] Clearing up some misconceptions, part 1: Technical Questions
X-BeenThere: ibnemo@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "Discussion of Nemo, an intent-based North Bound \(NB\) interface consisting of an application protocol running over HTTP \(RESTful interfaces\) to exchange intent-based primitives between applications and meta-controllers controlling virtual network resources \(networks, storage, CPU\)." <ibnemo.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ibnemo>, <mailto:ibnemo-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/ibnemo/>
List-Help: <mailto:ibnemo-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ibnemo>, <mailto:ibnemo-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 19 Jun 2015 19:59:47 -0000
John: A few questions: 1. On roles: In the discussion, Diego suggested that there were three types of roles: security, infrastructure, and customer intent. These roles are objects that are responsibilities. The question under discussion was is there any hierarchy in object these roles suggest? Why is the hierarchy of these roles practically important? The operators are hoping that the objects bound within the role of a customer will give input to the business logic systems that guide the creation infrastructure. The operational needs suggest that roles regarding infrastructure and security also guide this business logic. 2. Intent linked to roles You consider that it is very hard to have Intent being expressed by different Roles (Actors) . You suggest that the policy for a router and a firewall are different because you do not know which verb to utilize (forward/drop or accept/reject). The key role to start with is the customers role. The customer role is constrained by the business logic that influences by the objects contained in the infrastructure role and the security role. Therefore, does the dialog language provide a grammar that can clearly state these constraints? You state: The policy continuum defines the contexts for different roles in the system. If you don't want to use roles, the policy continuum defines context for all policies, whether they are intent-based or not. If this is true, please try to provide the policy continuums context for three simple use cases: a) The Virtual network case (London and Beijing office, wants a flow at X) b) The DC case (describing data center processing), c) the home network case (home network with parental controls). 3. On context versus Intent: <https://datatracker.ietf.org/doc/draft-xia-ibnemo-icim/> draft-xia-ibnemo-icim-00 is trying to separate the concepts of user, intent, and context. You state Context can influence intent, but only if the system allows it. This is beauty of the Nemo language. It states network intent (node, connection, flow) and context in the model and the policy. John- you are right that that userà intentà role à context if examined as a linear logical train is not sensible. However, it is important to understand how: users exists with role, intent, and context. Your example of: Role: customer My intent: access by code server Business rule: only allow code access through intranet connection Context: Authenticated in L3VPN My result: denied Includes: a user with a role, intent, context, and a business rule. What is your business rule? Is it constraint? If so, how is it an input to intent? Let us rename your business rule to an organizational rule because all organizations have rules regarding what roles can do. T 4. Intent relationship of object, result or object, operation We do not have a precise definition of intent linguistically in the draft-xia-ibnemo-icm-00.txt. If your datalog syntax provide a purely declarative and mathematically formal language, can it provide an example of how to signal intent for: d) The Virtual network case (London and Beijing office, wants a flow at X) e) The DC case (describing data center processing), f) the home network case (home network with parental controls). I would appreciate you sending your NOMS 2006 proposal. 5. I agree that growing formalism would help this work. Sue Hares From: Ibnemo [mailto:ibnemo-bounces@ietf.org] On Behalf Of John Strassner Sent: Thursday, June 18, 2015 8:23 PM To: ibnemo@ietf.org Subject: [Ibnemo] Clearing up some misconceptions, part 1: Technical Questions Hi all, I was asked to look at this thread. So I spent the last three days reading every message in the archive between 22/01/2015 and 16/06/2015 (197 messages). Rather than issue 100 or so replies, I thought I would condense my feedback into a series of emails that had specific groups of topics. This is email #1. There are a number of serious misconceptions that, when fixed, will hopefully allow faster progress to be made. The short summary of these is as follows: 1. Roles. Roles have been formally designed since at least 1997 (Dirk Bäumer, Dirk Riehle, Wolf Siberski, and Martina Wulf, "The Role Object Pattern", PLoP). Roles are succinctly defined as objects that represent one or more responsibilities of another entity. Period. They do not "select" things, grant special powers, or cook lunch. They simply represent the responsibilities of one or more actors or objects. (As an aside, this is why the NIST RBAC standard defines users, roles, permissions, operations, and objects as five different types of entities). Still don't believe me? From INCITS 359, the NIST RBAC standard: "Role - A role is a job function within the context of an organization with some associated semantics regarding the authority and responsibility conferred on the user assigned to the role." This list talks of the roles played by an actor, such as a Customer vs. a NetworkAdmin. The "role" did not grant the NetworkAdmin the power to reconfigure a router interface. The role simply identified this as a responsibility of a person or group playing this role; it is up to that entity and the management system to implement and enforce the reconfiguration. There are a number of software design patterns that use roles for great value. The policy servers that I have built in the last 15 years have all used the role-object pattern; in fact, I have invented some new role-based patterns. The advantage of roles are many, but a role has nothing to do with intent (see 4 below). Some people have said that "one role will not call other roles". This is incorrect. The literature (and especially NIST) talks about hierarchical roles (that is level 2 of the NIST RBAC spec, by the way). Of course roles can interact with other roles - that is why they are full-fledged objects. Finally, some people have talked about layers of roles. I agree with Bert, intent should be at the "top layer". Roles do not have a relationship with a layer. 2. Context. Context is a set of information and data that MAY affect the outcome of an event, but more importantly, is a definition of the environment in which something is happening, has happened, or will happen. Context is used to understand what is, has, or will happen. Therefore, context can NOT be intent. Context can influence intent, but only if the system allows it. For example, my intent is to cross the road. The context is that cars are driving at 60 miles per hours on the road. Context is NOT a parameter to my intent in this example; if I am foolish enough to play Frogger with real cars, I deserve what I get. However, the context COULD influence me to wait for a better chance to cross the road, or take a taxi, or do any number of things. My intent has not changed because of context; however, my intent could be influenced by context if I choose to let it. This applies at lower levels as well. My intent is to have Gold service. My context is that I am directly connected through a switch with one hardware queue. In this case, Gold == Silver == Bronze, because with one hardware queue, it doesn't matter what I **want**, I am only going to get what the hardware is capable of delivering. I would encourage you all to read some of the DEN-ng papers on context-aware policies (also available in TMF ZOOM). In this approach: context selects a working-set of policy rules the working set of policy rules collectively define the behavior of the system being managed feedback from system state and monitored data may change the context, which then changes the working-set of policy rules, so the system adapts in a closed-loop manner 3. "Equations". Something of the form A -> B is NOT an equation. Formally, an equation is a statement that the values of two mathematical expressions are equal. I have no idea how to interpret '->'; I have seen some people use this to mean implies (material implication), but typically in logic, one would use the unicode U+21D2 to represent this. Please use "formula" instead of "equation", and please define the symbology that you are using. 4. Intent "Equations" The following is wrong: User -> intent -> context Context is NEVER determined by intent; that is in fact exactly backwards! A more correct version is: A user, playing a particular Role in a given context, expresses intent. The intent is independent of the role and context. However, both may affect how the management system implements this. By the way, the equation user -> intent-> role -> context is WORSE! What does a role have to do with context? My Customer Role doesn't care if it is WiFi or Intranet or cellular, or what time of the day it is. However, context can affect what can be accomplished: My intent: access my code server Business rule: only allow code access through an intranet connection Context: authenticated in an L3VPN My result: DENIED Why? Because my particular context violated a business rule. My intent did NOT change. My role did NOT change. The same result would have happened for different roles and contexts. 5. Intent and Role Some people have said that intent should be classified by a user's role or set or roles. This doesn't make sense to me. Roles do not "classify" anything. Roles separate one object with multiple responsibilities into a set of objects, where each Role object defines a particular responsibility. This provides system adaptability. For example, a customer that withdraws and deposits money should be separated into two roles (e.g., what if the customer is a bank employee? :-) ). The customer DID NOT CHANGE in this example. If you don't use roles and still want to obey separation of duty, then artificially splitting the same customer into two objects creates a long list of problems (e.g., separate objects imply separate identities) and still didn't solve the original problem. Some people have talked about "role-based intent". This doesn't make sense to me. In the previous paragraphs, I already argued that role and intent MUST be orthogonal. In particular, the following drawing does not make sense to me: http://www.ietf.org/mail-archive/web/ibnemo/current/jpgeskUTBKFLr.jpg First, if the roles actually did map to these functions in this way, you would have a very difficult role-engineering problem. Second, the collection of roles in a particular layer serves no purpose other than to categorize those roles. I would hope that intent doesn't care about categorization. The only case that I can think of where this MAY make some sense is talking about a specific set of Roles (e.g., EndUser vs. NetworkAdmin) and how the intent of the former is conveyed to the latter, so that the latter can act on it. But this is conflating roles (which are about responsibility) with intent (which is about being determines to do something, and focusing on doing that something). 6. Intent and Constraints. Some people have said that the components of an intent are objects, results, and constraints. I disagree. Constraints are inputs to an intent. The actor issuing the intent can choose to ignore the constraints (my Frogger or code server download examples) at their own risk - the ultimate mediator is the management system. Object is too broad a term - it could be an input and/or an output. I also don't understand why a result is part of an intent. An intent is expressing a focused desire to do something independent of whether that results in anything. Perhaps this is just linguistic confusion, but if you want to build a quality language and a quality information model, then formalisms are your friend. 7. Intent: pure, impure, and other variations. This just cannot work; that's what we concluded when writing the ONF NBI white paper. If you go down this path, then everything is intent (pure + impure = 1), and that is not useful. People like to use IP addresses and port numbers and router IDs and ... get over it! Please! These are all elements of prescription. Look at Dave Lenrow's slides (similar slides also appeared at OpenStack in Vancouver last month). There is absolutely no difference between specifying a port number or IP Address for a flow as there is in specifying "Ibuprofen" to solve a headache (when perhaps the headache was caused by something very different than Ibuprofen won't fix). Constraints are an important part of policy-based management. Constraints do not have to be included, but most real-world examples are filled with constraints, so the ability to represent them is critical. Intent should always have the ability to have constraints and context added to it. While both are independent of intent, both MAY restrict the results obtained from the intent request. 8. Intent and Declarative Interfaces. Intent (or goal-driven) policy interfaces are NOT NEW. Jeff Kephart and I gave a tutorial at NOMS 2006 on policy management, and covered goal-based policies (and how they are different from other types of policies). This built on about a decade of previous work. This is one of the reasons why OpenStack Congress uses Datalog (well technically, we've extended the Datalog syntax a bit), because it is purely declarative, and mathematically formal. This latter gives very nice properties (order of Datalog statements do NOT matter, I can guarantee that ANY query is computable if it follows some simple rules, ...). 9. Policy Continuum. I do not understand how people can say that the Policy Continuum has anything to do with layers. If you don't believe Bob, then please listen to me as the inventor of the concept: a) the paper cited (there are many more) does NOT EVEN MENTION the word Layer b) if it was a layered system, I would have called it LAYERED Policies or Policy LAYERS. c) the definition of a continuum is a **continuous sequence** in which adjacent elements are not noticeably different from each other, but the extremes of the continuum are very different from each other. It has NOTHING to do with layers. The Policy Continuum was invented because policy has many different actors that want to use it. Defining SLAs is defining policy. Defining when the drop probability of a packet in a particular queue should be increased or decreased is policy. Many things between these extrema are policy. More importantly, different actors need to work together to implement E2E policy. However, each actor speaks their own language, and has their own set of concepts and terminologies. Trying to get this to change is a waste of time. Hence, the policy continuum embraced this diversity, and said (as Bob did) that the real problem is the nature and number of translations that are required. The policy continuum defines the contexts for different roles in the system. If you don't want to use roles, the policy continuum defines context for all policies, whether they are intent-based or not. The key point of the policy continuum is that it defines different actors for different policies, and mandates a translation between these continuum levels. This is the exact problem that provides difficulty for people dealing with intent - they don't know how to translate a high-level, technology-independent description of intent into anything specific. 10. REST. REST is NOT a protocol, please stop calling it a protocol. 11. Intent being expressed by different Roles (Actors). This gets VERY hard. I've graduated three Ph.D. students who did work on policy management (all used the policy continuum, all used an information model, 2 used DSLs). Unless you have a very RICH information model, this is impossible to do. You likely also need an ontology to formally define the semantics and meaning of different information model objects. Example: A Router says "forward" and "drop", a firewall says "accept" and "reject". How does the machine know which verb to use when traffic goes through both? This is a trivial problem compared to different actors that can use the same language with different data objects. I would strongly suggest that you first focus on one Role. Note that this is compounded by your very lightweight model. For example, a node can be anything from a sub-network to a port on a device. I don't see how that is helpful, especially in constructing a DSL. But that is a longer discussion. 12. Formalisms. This project confuses me - there seems to be a tendency to avoid the use of formalisms, even though two very specific formalisms (info model and DSL) are being proposed. I think that part of the confusion over the 100+ email discussions on intent derives from this lack of formalism. For example, you need to define what intent is, and what it isn't, precisely. Having "impure" intent, or intent with this set of conditions vs. that set of conditions, or intent on a Sunday, is the path to madness. Impure intent is, by definition, not formally expressible (unless you count intensional definitions as a type of formalism). regards, John John Strassner, Ph.D. CTO, Software Laboratory, CRD logo.gif Futurewei Technologies US R&D Center 2330 Central Expressway Building A, office A2-2143 Santa Clara, California 95050 Office: +1.408.330.4923 Email: john.sc.strassner@huawei.com
- [Ibnemo] Clearing up some misconceptions, part 1:… John Strassner
- Re: [Ibnemo] Clearing up some misconceptions, par… Bert Wijnen (IETF)
- Re: [Ibnemo] Clearing up some misconceptions, par… Zhoutianran
- Re: [Ibnemo] Clearing up some misconceptions, par… Susan Hares