This page will capture issues to be addressed in the overall architecture of OPNFV components.
The following terms are widely used in this analysis, as basic concepts.
Term | Meaning |
---|---|
State | Information that can be used to convey or imply the state of something, e.g. an application, resource, entity, etc. This can include data held inside OPNFV components, "events" that have occurred (e.g. "policy violation"), etc. |
Event | An item of significance to the policy engine, for which the engine has become aware through some method of discovery e.g. polling or notification. |
The following terms are borrowed from the XACML standard. While defined by XACML largely for Role-Based Access Control purposes, these terms are used here for analogous ways for broader policy purposes.
Term | Meaning as used here |
---|---|
Policy Administration Point (PAP) | An entity that defines/distributes/manages policies. |
Policy Information Point (PIP) | An entity that acts as a source of policy-related events and state or additional contextual information necessary for policy decisions. |
Policy Decision Point (PDP) | An entity that determines what response if any is needed to an event. |
Policy Execution Point (PEP) | An entity that takes actions as determined by a PDP. |
Policy Retrieval Point (PRP) | An entity that hosts policies. In general, this analysis assumes the PDP acts as PDP. |
The following example diagram illustrates a "relationship diagram" type view of an NFVI platform, in which the roles of components focused on policy management, services, and infrastructure are shown. This view illustrates that a large-scale deployment of NFVI may leverage multiple components of the same "type" (e.g. SDN Controller), which fulfill specific purposes for which they are optimized. For example, a global SDN controller and cloud orchestrator can act as directed by a service orchestrator in the provisioning of VNFs per intent, while various components at a local and global level handle policy-related events directly and/or feed them back through a closed-loop policy design that responds as needed, directly or through the service orchestrator.
As defined above, here is an overview of the policy-related roles of the entities in the diagram above.
Issues to be investigated as part of establishing an overall cohesive/adaptive policy architecture:
General requirements for a policy architecture are below. These will be analyzed further in subsequent sections of this analysis.
Requirement | Description |
---|---|
Intent expression. | Specification of what a VNF designer, service, user, etc require per the deployment and lifecycle event handling for a VNF or VNF-enabled service. |
Polled monitoring. | Exposure of state via request-response APIs. |
Notifications. | Exposure of state via pub-sub APIs. |
Realtime/near-realtime notifications. | Notifications that occur in actual or near realtime. |
Delegated policy. | CRUD operations on policies that are distributed to specific components for local handling, including one/more of monitoring, violation reporting, and enforcement. |
Violation reporting. | Reporting of conditions that represent a policy violation. |
Reactive enforcement. | Enforcement actions taken in response to policy violation events. |
Proactive enforcement. | Enforcement actions taken in advance of policy violation events, e.g. blocking actions that could result in a policy violation. |
Compliance auditing. | Periodic auditing of state against policies. |
Requirement | Description |
---|---|
Compute Affinity/Anti-affinity | Place VMs based upon compute resources. |
Storage Affinity/Anti-affinity | Place VMs based upon storage resources. |
Network Affinity/Anti-affinity | Place VMs based upon network resources. |
SDN Controller engineering rules | Apply engineering rule based policies via SDNCs. |
SDN Controller security policies | Apply security policies via SDNCs. |
High Availability | Distribute VMs across diverse resources. |
Geo-Diversity | Distribute VMs across geographically diverse resources. |
Group-Based Policy | Constrain configuration actions based upon association of specific state data to groups, e.g. ownership, group membership, etc. |
Role-Based Access Control | Constrain configuration actions based upon role of the configuration change requester, e.g. owner, group membership, etc. |
The analysis below is based upon these basic architectural goals:
Goal | Description |
---|---|
Localized enforcement. | Policies are expressed in terms native to an infrastructure manager and enforced locally where possible and desired. |
Closed-loop enforcement. | Where necessary/desired, policy is enforced through closed-loop methods in which the policy-related event originator (PIP) publishes events per subscriptions or administered defaults for event reporting. |
Minimum policy translations. | Policies have be translated the least number of times possible before they are administered at a PRP/PDP. |
The following sections are placeholders for analysis.