Towards Federated Policy Management: Distributing a Ruleset Across Multiple Policy Enforcement Points

04 June 2003


In both data networks and telecommunication networks we are seeing a substantial growth in the number of policy engines and policy-enabled services and applications. We argue that end-users and network operators will need a unified, conceptually centralized "view" of the policies they have specified and a unified understanding of how those policies will play out in the underlying infrastructure. This paper addresses the issue of "federated policy management", which allows users to specify preferences and policies at a high level and uses automated tools to map those preferences and policies into appropriate rule sets running on appropriate policy engines. As a key step in this direction, the paper develops a framework to support federated policy management in a restricted setting. Unlike previous work on distributed rule processing, the focus here is on multiple policy decisions within a single process flow. Specifically (in the terminology of IETF and Parlay/OSA), we study the case of a service or application that has multiple policy enforcement points (PEPs). We assume a policy language that supports production-system-style rules with chaining but no recursion (based on previous work on policy requirements for the telecommunications context). We present algorithms whereby users can specify a single coherent ruleset expressing their preferences, and this ruleset is mapped to multiple rulesets, one for each PEP in the application.
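The mapping problem described in the abstract, as an added illustration that is not the paper's algorithm (the abstract does not give it) nor code from the authors. It assumes a linear order of PEPs in the process flow, a constructed table of which PEP first observes each raw fact and which PEP can enforce each action, and a small constructed ruleset in which chaining (a derived fact feeding later rules) has no cycles. The partition places each rule at a PEP, records which derived facts must be carried forward between PEPs, and rejects two things the paper's restrictions exclude or that cannot be mapped at all: recursive chaining, and a rule whose action must be enforced at a PEP earlier than the one where one of its inputs first becomes known.

```python
"""Added illustration: partition one chained, non-recursive ruleset across
ordered policy enforcement points (PEPs). Constructed sketch, not the paper's
algorithm."""
from graphlib import TopologicalSorter, CycleError  # stdlib, Python 3.9+


class Rule:
    """A production rule: when every fact in `needs` is known, either assert a
    derived fact (`derives`, used for chaining) or enforce an `action`."""
    def __init__(self, name, needs, derives=None, action=None):
        self.name = name
        self.needs = frozenset(needs)
        self.derives = derives
        self.action = action


# Assumed process flow: the PEPs a call passes through, in order.
PEPS = ["setup", "routing", "billing"]
# Constructed: the PEP at which each raw fact first becomes observable.
OBSERVED = {"caller_premium": "setup", "callee_international": "setup",
            "caller_barred": "setup", "route_cost_high": "routing",
            "call_duration": "billing"}
# Constructed: the PEP that can enforce each action.
ACTIONS_AT = {"reject": "setup", "prefer_cheap_route": "routing",
              "apply_discount": "billing"}

# Constructed user-level ruleset, written as one coherent whole.
RULES = [
    Rule("r1", ["caller_premium", "callee_international"], derives="premium_intl"),
    Rule("r2", ["premium_intl", "route_cost_high"], action="prefer_cheap_route"),
    Rule("r3", ["premium_intl", "call_duration"], action="apply_discount"),
    Rule("r4", ["callee_international"], derives="intl_call"),
    Rule("r5", ["intl_call", "caller_barred"], action="reject"),
]


def partition(rules, peps=PEPS, observed=OBSERVED, actions_at=ACTIONS_AT):
    """Return ({pep: [rule names]}, {fact: [peps it must be forwarded to]}).

    Raises ValueError if the ruleset is recursive, references an unknown fact,
    or needs a fact that only becomes known after its action's PEP."""
    idx = {p: i for i, p in enumerate(peps)}
    producer = {r.derives: r for r in rules if r.derives}
    # Chaining graph: a derived fact depends on the facts its rule needs.
    try:
        order = list(TopologicalSorter(
            {f: r.needs for f, r in producer.items()}).static_order())
    except CycleError as e:
        raise ValueError(f"recursive chaining not supported: {e.args[1]}")

    known_at = {f: idx[p] for f, p in observed.items()}  # fact -> PEP index
    placement = {}                                      # rule name -> PEP index

    def earliest(rule):
        missing = sorted(rule.needs - set(known_at))
        if missing:
            raise ValueError(f"{rule.name} needs unknown facts {missing}")
        return max(known_at[n] for n in rule.needs)

    # A derived fact becomes known at the first PEP where all its inputs are
    # known; the deriving rule runs there.
    for fact in order:
        if fact in producer:
            r = producer[fact]
            known_at[fact] = placement[r.name] = earliest(r)

    # An action rule must run at the PEP that enforces the action; that is
    # impossible if one of its inputs is only known at a later PEP.
    for r in rules:
        if r.action:
            target, needed = idx[actions_at[r.action]], earliest(r)
            if needed > target:
                raise ValueError(
                    f"{r.name}: needs facts first known at {peps[needed]} "
                    f"but {r.action} is enforced at {peps[target]}")
            placement[r.name] = target

    per_pep = {p: [] for p in peps}
    forward = {}
    for r in rules:
        k = placement[r.name]
        per_pep[peps[k]].append(r.name)
        for n in r.needs:
            if known_at[n] < k:  # fact originates upstream: carry it along the flow
                forward.setdefault(n, [])
                if peps[k] not in forward[n]:
                    forward[n].append(peps[k])
    return per_pep, forward


if __name__ == "__main__":
    per_pep, forward = partition(RULES)
    for pep in PEPS:
        print(f"{pep}: {per_pep[pep]}")
    print("forwarded facts:", forward)
```

With the constructed ruleset, `r1`, `r4` and `r5` land on the setup PEP, `r2` on routing and `r3` on billing, and the derived fact `premium_intl` has to be forwarded from setup to both later PEPs; that forwarding requirement is the part of the problem that a per-PEP rule author would otherwise have to get right by hand.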