IETF Logo Mail Archive

Re: [ogpx] Protocol for permitting policy decisions

Magnus Zeisig <magnus.zeisig@iis.se> Thu, 08 October 2009 08:47 UTC

Return-Path: <magnus.zeisig@iis.se>
X-Original-To: ogpx@core3.amsl.com
Delivered-To: ogpx@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id B0FDC3A69A1 for <ogpx@core3.amsl.com>; Thu, 8 Oct 2009 01:47:06 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.842
X-Spam-Level:
X-Spam-Status: No, score=-4.842 tagged_above=-999 required=5 tests=[AWL=-0.597, BAYES_00=-2.599, HELO_EQ_SE=0.35, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_MED=-4, TRACKER_ID=2.003]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 3rglcOIEDvld for <ogpx@core3.amsl.com>; Thu, 8 Oct 2009 01:47:05 -0700 (PDT)
Received: from cleaner.prod.iis.se (cleaner.prod.iis.se [212.247.7.212]) by core3.amsl.com (Postfix) with ESMTP id 5D17A3A6885 for <ogpx@ietf.org>; Thu, 8 Oct 2009 01:47:03 -0700 (PDT)
Received: from localhost (localhost [127.0.0.1]) by cleaner.prod.iis.se (Postfix) with ESMTP id AF050A802F; Thu, 8 Oct 2009 08:48:43 +0000 (UTC)
Received: from cleaner.prod.iis.se ([127.0.0.1]) by localhost (cleaner.prod.iis.se [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 04886-04; Thu, 8 Oct 2009 08:48:35 +0000 (UTC)
Received: from pgpkeys.office.nic.se (pgpkeys.office.nic.se [212.247.204.14]) (using TLSv1 with cipher AES128-SHA (128/128 bits)) (No client certificate requested) by cleaner.prod.iis.se (Postfix) with ESMTP id 7BCDFA8003; Thu, 8 Oct 2009 08:48:35 +0000 (UTC)
Received: from EXCH2K7HUB-RV.office.nic.se ([212.247.204.21]) by pgpkeys.office.nic.se (PGP Universal service); Thu, 08 Oct 2009 10:48:35 +0200
X-PGP-Universal: processed; by pgpkeys.office.nic.se on Thu, 08 Oct 2009 10:48:35 +0200
Received: from Exchange2k7.office.nic.se ([169.254.1.222]) by EXCH2K7HUB-RV.office.nic.se ([212.247.204.21]) with mapi; Thu, 8 Oct 2009 10:48:34 +0200
From: Magnus Zeisig <magnus.zeisig@iis.se>
To: Carlo Wood <carlo@alinoe.com>, Infinity Linden <infinity@lindenlab.com>
Date: Thu, 8 Oct 2009 10:48:33 +0200
Thread-Topic: [ogpx] Protocol for permitting policy decisions
Thread-Index: AcpHjZ/dn/0M4yr0TcCYhjtDQY9t6gAZSWyg
Message-ID: <983F17705339E24699AA251B458249B50CC48CB683@EXCHANGE2K7.office.nic.se>
References: <983F17705339E24699AA251B458249B50CC48CAEBF@EXCHANGE2K7.office.nic.se> <3a880e2c0910051239t3dcae895x4f6d5f4bf5d64cd@mail.gmail.com> <20091007203535.GA13882@alinoe.com>
In-Reply-To: <20091007203535.GA13882@alinoe.com>
Accept-Language: sv-SE
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-pgp-encoding-version: 2.0.2
x-pgp-mapi-encoding-version: 2.5.0
x-pgp-encoding-format: Partitioned
x-pgp-universal-saved-content-codepage: utf-8
acceptlanguage: sv-SE
MIME-Version: 1.0
Content-Language: sv-SE
Content-Type: multipart/alternative; boundary="_000_983F17705339E24699AA251B458249B50CC48CB683EXCHANGE2K7of_"
X-Virus-Scanned: Debian amavisd-new at cleaner.prod.iis.se
Cc: "ogpx@ietf.org" <ogpx@ietf.org>
Subject: Re: [ogpx] Protocol for permitting policy decisions
X-BeenThere: ogpx@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: Virtual Worlds and the Open Grid Protocol <ogpx.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/ogpx>, <mailto:ogpx-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/ogpx>
List-Post: <mailto:ogpx@ietf.org>
List-Help: <mailto:ogpx-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ogpx>, <mailto:ogpx-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 08 Oct 2009 08:47:06 -0000

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

I am strongly in favour of leaving policy descisions to the RD, but since there seems to be a need for at least some AD managers to be able to make policy decisions as well, I guess the protocol handshake need even more flexibility than the versions scetched on by Meadhbh, Carlo and me so far. I will adapt the diagram style of Meadhbh and Carlo (http://www.ietf.org/mail-archive/web/ogpx/current/msg00520.html), since it's more readable than my text-flow variant. Also, I will leave out parameter examples since there seem to be a risk people get hooked on if a certain parameter should be included or not, rather than the possibility of handling any parameter.

I may be paranoid, but I still prefer agent domains to be allowed, but not forced by protocol, to reduce the dissemination of information about their clients as far as possible, and there Carlo's AND version in the response is a good step forward (http://www.ietf.org/mail-archive/web/ogpx/current/msg00520.html). We might even wind up with negotiations where one domain requests the actual values while the other domain only wants to disseminate a reply to if it fits a range for one or more of the requested parameters.

AD -------------------------(name, <RDkey1?, RDkey2?>)------------------------> RD
AD <--(name, <RDvalue1, RDvalue2, ADkey1?, ADkey2?, agentkey1?, agentkey2?>)--- RD
AD --(name, <RDvalues OK, ADvalue1, ADvalue2, agentvalue1, agentkey2 range?>)-> RD
AD <----------(name, <ADvalues OK, agentvalue1 OK, agentkey2 range>)----------- RD
AD ----------------------------(name, agentkey2 OK)---------------------------> RD
AD <-----------------------------(name, rez cap)------------------------------- RD

In this example, RD might have refused giving the required range for agentvalue2, either because it technically doesn't support that kind of negotiation or because of policy, in either case of which the rez cap would have failed. It might on the other hand instead already from the beginning have supplied the required ranges instead of asking for the actual value. I think it would be good if the protocol would enable either of these cases for maximum flexibility.

It may also be an idea to permit caching of at least AD- and RD-parameters or evaluations of them, especially if we're talking extensive sets with perhaps hundreds of parameters. Since the ADs and RDs should be free to update their own parameters at any time, the handshake in that case must of course contain a check if cached parameters have been updated. Also, if an AD or RD supports several sets of parameters depending on which domain or service it deals with, means to distinguish between them are required, perhaps using policy URI's the way Meadhbh suggested (http://www.ietf.org/mail-archive/web/ogpx/current/msg00523.html). A policy could then basically be broken down into a set of own parameter values and required parameter ranges for the domain or service connecting.

I also think, like Meadhbh (http://www.ietf.org/mail-archive/web/ogpx/current/msg00523.html), that we will need to suggest, but not require, a number of parameter name and formats to facilitate communication, so that not e.g. US and UK domains can't connect, because one asks about "color" and the other one only can respond about "colour".

Best regards,

Magnus


- -----Ursprungligt meddelande-----
Från: Carlo Wood [mailto:carlo@alinoe.com]
Skickat: den 7 oktober 2009 22:36
Till: Infinity Linden
Kopia: Magnus Zeisig; ogpx@ietf.org
Ämne: Re: [ogpx] Protocol for permitting policy decisions

On Mon, Oct 05, 2009 at 12:39:32PM -0700, Infinity Linden wrote:
> option 3: multi-message handshake
>
> AD --------------- (name) -------------> RD
> AD <-------- (X, age > X? cap) --------- RD
>
> AD ------------------------------------> RD (age > X? cap)
> AD <------------ (rez cap) ------------- RD

Note, again, the need for a flexible protocol negotiation:
we can't know, already, what all will be needed.

Nevertheless, the more flexibility the better imho.
I'd prefer to see this:

AD ------(name, <list with keywords>) -----------> RD
AD <-----(name, <list with keywords + ranges>) --- RD
AD ------(name, yes/no)--------------------------> RD
AD <-----(rez cap) ------------------------------- RD

Where VWRAP will not define what keywords are possible.

However, implementers might, for example, choose to use 'AGE' as keyword
with an integer range, leading to a msg exchange like

AD ------(name, (AGE)) -----------> RD
AD <-----(name, (AGE, 21)) -------- RD
AD ------(name, yes)--------------> RD
AD <-----(rez cap) ---------------- RD

or some might implement

AD ------(name, (AGE, LIKES_BUNNIES)) -----------> RD
AD <-----(name, (AGE, 13), YES) ------------------ RD
AD ------(name, yes, yes)------------------------> RD
AD <-----(rez cap) ------------------------------- RD

For privacy reasons, I think it would suffice to
just send the AND of all 'yes's, thus:

AD ------(name, (AGE, LIKES_BUNNIES)) -----------> RD
AD <-----(name, (AGE, 13), YES) ------------------ RD
AD ------(name, yes)-----------------------------> RD
AD <-----(rez cap) ------------------------------- RD

or,

AD ------(name, (AGE, LIKES_BUNNIES)) -----------> RD
AD <-----(name, (AGE, 13), DONTCARE) ------------- RD
AD ------(name, yes)-----------------------------> RD
AD <-----(rez cap) ------------------------------- RD

Again, neither 'AGE' nor 'LIKES_BUNNIES', would be defined by us,
but we would define how to handle integer ranges, booleans,
don't cares, string literals, and perhaps regular expressions.

- --
Carlo Wood <carlo@alinoe.com>

-----BEGIN PGP SIGNATURE-----
Version: 9.8.3 (Build 4028)
Charset: utf-8

wsBVAwUBSs2nYe5MlU9XyaiSAQiJLAf/fye7HX0vp2JkZF/wu+7FSVzZ2al3nKcL
JiB+Z1mxP3ICiGZrvdIojSCHL5+T8k23cj9Q9ggz7yQv12EhRynq4rmlSfgs7Ta/
cKrKh7vvQHsZsnsaiHaw29DA30rejSJWabkZ5c29zUd18ll86EZr0qIqP9ByIbMJ
RrppGN98IaYd3rOclzK0/e3LdRKAgLhg1GotudPKJ4vU7qI3XV6sKwuaUOzWzsWm
tDpcHxcCHhF9O4uDstGFAxbPVvZNnrmzQXRzlQ6pajmpzT0iU25k78Y7bldq/Bnd
60Ij9GcofockvBuWVUiIDZsxqZG982jnDGz3DQEorg38XtAbKieN8w==
=2NSu
-----END PGP SIGNATURE-----

v2.8.7 | Report a Bug | By Email