Upload
hugo-goncalves
View
214
Download
0
Embed Size (px)
Citation preview
8/2/2019 10.1.1.21.9911 (2)
1/15
1
Policy Evaluation for Network ManagementRandeep Bhatia Jorge Lobo Madhur Kohli
Network Computing Research
Bell Labs600 Mountain Ave
Murray Hill, NJ 07974
Abstract
Policies are increasingly being used to manage com-
plex communication networks. In this paper we
present our work on a policy server which is being
used to provide centralized administration of packet
voice gateways and soft switches in next generation
circuit and packet telephony networks. The policies
running in the policy server are specified using a do-
main independent policy description language (P D L
).
This paper is motivated by the problem of evalu-
ating policies specified in P D L . We present an algo-
rithm for evaluating policies and study both its theo-
retical and empirical behavior. We show that the prob-
lem of evaluating policies is quite intractable. How-
ever we note that the hard instances of the policy eval-
uation problem are quite rare in real world networks.
Under some very realistic assumptions we are able to
show that our policy evaluation algorithm is quite ef-
ficient and is well suited for enforcing policies in com-
plex networks. These results constitute the first at-tempt to develop a formal framework to study the in-
formal concepts of policy based network management.
I. INTRODUCTION
A network policy defines the behavior of the net-
work under various circumstances. Many of these
policies can be formulated as sets of low-level rules
that describe how to (re)configure a device or how to
manipulate the different network elements under dif-
ferent network conditions [4]. These conditions mayinclude a network element going down or too many
calls arriving at a router etc. The condition or state
of the network is conveyed by primitive events which
originate at network elements. For example when
a device is powered up it may generate a PowerUp
event. In general a primitive event is a conveyor of
the state of the network element which originated
it, at the time when the event was generated. State
data in an event may contain information such as the
name of the originating device and the time when
the event was generated etc. A policy defines the set
of actions which must be taken, to control the be-
havior of the network elements, when certain primi-tive events occur. For example when a router fails a
policy may require that all switches route their calls
through a different router.
Consider a simplified example of setting some of
the parameters of a modem pool for an Internet Ser-
vices Provider (ISP). The ISP has two customers,
A
andB
, and gives a different telephone number
to each customer:5 5 9 9 9 9 1
toA
and5 5 9 9 9 9 2
to
B
. Both telephone numbers share the same pool
of2 0
modems. There can be many simultaneous
connections from the same customer to the modempool, however the server can be configured to limit
the maximum number of connections allowed per
customer. A policy can describe how these lim-
its change according to the time of the day. For
example, during office hours a customer may ac-
cess1 5
of the modems, but only1 0
after hours.
Let us say we have a clock generating a primitive
event, sayC o a r s e T i m e E v e n t
. Instances of this
event occur four times a day, with an attribute named
T i m e
with a value from the setf
morning, noon,
evening, midnightg
. The policy rules for the
8/2/2019 10.1.1.21.9911 (2)
2/15
2
morning changes are:
1 ) C o a r s e T i m e E v e n t
causesM o d e m P o o l A s s i g m e n t ( 5 5 5 9 9 9 1 ; 1 5 )
if ( C o a r s e T i m e E v e n t : T i m e = \ m o r n i n g " ) :
2 ) C o a r s e T i m e E v e n t
causes M o d e m P o o l A s s i g m e n t ( 5 5 5 9 9 9 2 ; 5 )
if( C o a r s e T i m e E v e n t : T i m e = \ m o r n i n g " ) :
The actionM o d e m P o o l A s s i g m e n t
changes the
maximum number of connections that a telephone
number (and hence a customer) can make to the mo-
dem pool. There will be similar rules for the evening
actions.
We have developed a policy based management
system that is being used to do Operations, Admin-
istration, Maintenance and Provisioning (OAM&P)
in carrier-grade communication networks. Thisnext generation circuit and packet telephony net-
work comprises of packet voice gateways, soft
switches, and device servers among other net-
work entities. An event occurring at a device (due
to some conditions being met in the device opera-
tions) is received by its device server and streamed
out to the policy server as a java object of a pre de-
fined java class. The java object carries with it the
state information about the device when the event
occurred. In the policy server, policies are written
using the names, attributes and methods of the javaclasses for the events. We have developed a domain-
independent policy description language (P D L
) for
specifying policies.P D L
provides a succinct repre-
sentation of complex policies in a very general way.
The policy server registers the events that define
the behavior of the policies, with the device servers,
thus informing the device servers to stream only
those events that may be required by some policy.
Policies are enforced by the policy server by stream-
ing action objects to the device servers which results
in device specific commands being sent to the un-derlying devices. At the heart of all this is the policy
evaluator that evaluates the policies to determine the
set of actions to enforce the policies, given the be-
havior of the network, as reported by the events. A
description of the first version of the system can be
found in [1].
Policies are becoming central to network manage-
ment to the point that industry has already started
standardization efforts related to policy description
and manipulation [2], [8]. However these efforts
have been quite ad-hoc and do not address the prob-
lem of evaluating policies per se. In this paper
we mainly focus on the problem of evaluating poli-
cies specified usingP D L
. The results constitute to
our knowledge the first attempt to develop a formal
framework to study the informal concepts of policy
based network management. We provide a complete
characterization of the underlying complexities of
evaluating these policies. We show that the evalu-
ation of policies is quite hard, by showing that even
restricted instances of this problem are NP-complete.
However, we note that the hard instances of the prob-
lem are quite rare in real world networks. Motivatedby our observations we present an algorithm for eval-
uating policies which works very well in practice as
supported by our empirical results. We also analyze
the complexity of the algorithm fixing various policy
and network parameters.
The rest of the paper is organized as follows. In
Section II we give a brief description ofP D L
. Sec-
tion III presents an efficient algorithm for evaluat-
ing policies specified usingP D L
. In Section IV we
study the complexity of evaluating policies, specified
using P D L . In Section V, we present simulation re-sults on the performance of the algorithm.
II. POLICY DESCRIPTION LANGUAGE
A policy description is a succinct representation of
a policy. We have developed a domain-independent
policy description language that we callP D L
. A
detailed description ofP D L
can be found in [6]. In
P D L
, a policyP
is represented as a collection of ex-
pressions of two types: (1) policy rule propositions
which are expressions of the form
e v e n t
causesa c t i o n
ifc o n d i t i o n
(1)
and (2) policy defined event propositions which are
expressions of the form
e v e n t triggers p d e ( m1
= t
1
; : : : ; m
k
= t
k
)
8/2/2019 10.1.1.21.9911 (2)
3/15
3
ifc o n d i t i o n
(2)
A policy rule reads: If thee v e n t
occurs under the
c o n d i t o n
thea c t i o n
is executed. A policy defined
event proposition reads: If thee v e n t
occurs under
the c o n d i t i o n the policy defined event p d e is trig-gered.
Thee v e n t
may be primitive or complex. A prim-
itive event may have attributes which may be of
type integer, float, string, etc, or simple data struc-
tures such as stacks, or queues, etc. There are stan-
dard attributes in every primitive event class such
as time and location (URL) of the generation of
the event. There are two types of primitive events,
system defined primitive events and policy defined
events. System defined events are generated by the
environment while policy defined primitive eventsare only generated by the policy according to the pol-
icy defined event propositions. In the policy defined
event proposition above, them
i
s are the attributes of
the policy defined eventp d e
and their values are the
t
i
s. Thet
i
s can be attributes from other primitive
events that appear ine v e n t
, they could be constants
or the result of operations applied to the attributes
of the other primitive events in the proposition. The
conditions are boolean functions over the event at-
tributes and the actions may take event attributes as
arguments and yield commands for controlling de-vices.
The representation of more interesting policies re-
quires descriptions of more elaborate events. In
P D L
, primitive events can be composed into com-
plex events using notions from regular expressions.
A. Complex events
Policy decisions are made based on the stream
of primitive event instances observed by the policy
server running the policy. We will call the streamsof event instances event histories. There may be sev-
eral instances of one or more primitive events occur-
ring at the same time (for example several calls may
start simultaneously). Each set of primitive event
instances occurring simultaneously in a stream is
called an epoch. An event literal is a primitive event
symbole
or a primitive event symbol preceded by!
.
The event literal! e
occurs in an epoch if there are no
instances of the evente
in the epoch. We will use
the standard dot . notation to refer to the attributes
of an event. Primitive events can be composed into
basic events. A basic event is either an expression of
the forme
1
& : : : & e
n
representing the occurrence of
instances ofe
1
throughe
n
in the current epoch (i.e.
the simultaneous occurrence of then
events) where
eache
i
is an event literal, ore
1
j : : : j e
n
representing
the occurrence of an instance of one of thee
i
s in the
current epoch. Basic events only refer to instances
of events that occur in a single epoch. However,
we could have composite events that refer to several
epochs simultaneously. For example, the sequence
l o g i n F a i l ; l o g i n F a i l ; l o g i n F a i l
may represent the
event: three consecutive attempts to login that resultin failure. We can describe many other situations if
we borrow the notion of a sequence of zero or more
events from regular expressions. In general, a (com-
plex) event is either a basic event, or an expression
that can be formed by a finite number of applications
of the following rules:
1. IfE
1
throughE
n
are events thenE
1
; : : : ; E
n
is
a (complex) event representing the sequence: event
E
1
, immediately followed by eventE
2
,: : :
, imme-
diately followed by eventE
n
.
2. IfE
is an event then E
is a (complex) event rep-
resenting the sequence of zero or more occurrences
of the eventE
.
3. IfE
is an event then( E )
is a (complex) event.
We can interpret the semantics of a complex event
by associating a non deterministic finite automaton
(NDFA) with a complex event expression. Arcs of
the automaton are labeled with the basic events ap-
pearing in the expression and transitions are made
based on the sequences and the caret operators. For
example, the complex evente
1 e
2
;
e
2
; e
3
& e
4 is as-sociated with the automaton:
e
3
& e
4
e
2
e
2
e
1
8/2/2019 10.1.1.21.9911 (2)
4/15
4
B. Traces of events
LetH = E
1
; : : : ; E
m
be a sequence of con-
tiguous epochs. A trace of an eventE
is
a sequences
j ? 1
; E
0
j
; s
j
; E
0
j + 1
; : : : ; s
m ? 1
; E
0
m
; s
m
,
where sj ? 1
; s
j
s
j + 1
: : : s
m
is an accepting path fromthe initial state
s
j ? 1
to a final states
m
in the NDFA
forE
, withs
m
being the only final state, andE
0
i
is
a minimal subset of events fromE
i
that triggers the
transition from the states
i ? 1
to the states
i
of the
automaton. Note that two different instances of a
primitive event in an epoch are considered to be dis-
tinct events for set membership. In a given stream of
epochsH
there is an instance of the complex event
E
for each distinct trace ofE
inH
. When a trace
ofE
reaches the final states
m
of the NDFA forE
,
thec o n d i t i o n
of the proposition is evaluated. If thec o n d i t i o n
is true and the proposition is a policy rule
thea c t i o n
in the proposition is invoked and the trace
is terminated. If the proposition is a policy defined
event rule, an instance of the policy defined event is
generated and is appended to the incoming epoch.
C. Conditions
Ac o n d i t i o n
is a sequence of predicates of the
formt t
0 , wheret
andt
0 can be attributes from
primitive events that appear in e v e n t , or they couldbe constants or the result of operations applied to
the attributes of the primitive events that appear in
e v e n t
.
is a comparison operator such as
,
etc. There is a special class of operators that can be
used to form terms, called aggregators. For a given
generic aggregatorA g g
, the syntax of the operator
will beA g g ( e : x )
orA g g ( e )
. Heree
is a primitive
or policy defined event that appears in thee v e n t
part
of the proposition,e : x
is an attribute ofe
. As the
name suggests the aggregator operators are used to
aggregate values over multiple epochs. For examplea count aggregator
C o u n t ( e )
can be used to count
the number of occurrences of evente
over multiple
epochs. An aggregator could also add the values of
the attributee : x
or get the largest value, etc. These
aggregation terms are applied to primitive events that
appear under the scope of a caret operator. The
rule
e
1
; e
2
causesa
ifC o u n t ( e
2
) = 2 0
(3)
will executea
if 20 instances ofe
2
follow an instance
ofe
1 .
D. Notation and Assumptions
In the rest of the paper we will denote the event
historyH
at timet
to beH = E
1
; : : : ; E
t
. We will
callE
j
the epoch at timej
. Note that epochs are
not associated with time, they appear when events
arrive at the policy server. Once an epoch is started,
it terminates according to a global parameter of the
system: length which is application dependent. For
example, we can consider all events occurring in thesame day as members of the same epoch, or change
the scale (length) to minutes or seconds.
III . POLICY EVALUATION ALGORITHM
In this section we present an algorithm for evalu-
ating policies specified usingP D L
. The algorithm
is implemented as the Policy Engine of a Policy
Server embedded in the softswitch, a next gen-
eration switch for circuit and packet telephony net-
works. and has been used to implement policies for
detecting alarm conditions, fail-overs, device config-
uration and provisioning, service class configuration,
congestion control etc.
The algorithm to evaluate a policy works in real-
time: The algorithm only gets to see the current
epoch. Based on the set of events that happen in the
current epoch and the past history the algorithm eval-
uates all the actions that must happen in the current
epoch, as specified by the policy.
We present the algorithm for a single rule of the
policy. The only interaction between the rules of apolicy happens as a result of policy defined events
which may be shared between rules. The policy de-
fined events that get triggered in an epoch get added
to the next epoch. The evaluation of a rule at any
epocht
is therefore independent of the policy defined
events triggered by other rules in the epocht
. Thus
8/2/2019 10.1.1.21.9911 (2)
5/15
5
we can treat the evaluation of the rules independent
of each other.
High level idea: Let the policy rule be
E causes A if B or E triggers T if B :
The algorithm maintains the setR ( t )
of all possi-
ble distinct partial traces for eventE
at epocht
(recall that the history at epocht
isE
1
; E
2
: : : E
t
).
A partial traceP
of eventE
at epocht
is de-
fined to be a proper prefix of a trace of event
E
at some future epocht + k
(k > 0
). In
other wordsP = s
0
; E
0
j
; s
j
; E
0
j + 1
; s
j + 1
: : : E
0
t
; s
t
,
and there exist epochsE
t + 1
; : : : E
t + k
and states
s
t + 1
; : : : s
t + k
of the NDFA forE
, withs
t + k
be-
ing a final state, such thatP
when appended with
E
t + 1
; s
t + 1
: : : E
t + k
; s
t + k
is a trace ofE
at epoch
t + k
. We refer to these distinct partial traces as
active threads of event E . The set R ( t ? 1 ) and
the epochE
t
is used to compute the setR ( t )
. This
computation also yields all the distinct traces of the
eventE
at epocht
. The algorithm evaluates the pol-
icy rule in each such trace at epocht
, thus computing
all the actions that are to be done, and all the policy
defined events that are to be triggered at epocht
. In
order to facilitate the computation of the policy rule
in a trace, some additional information is maintained
for every (partial) trace. This information includes
the value of the attributes of the events, and the ag-
gregate operators that can be computed for the cur-
rent history, for the (partial) trace. As a result the
algorithm has complete information to compute the
policy rule in a given trace.
Intuitively an active thread (partial trace) repre-
sents a partial evaluation of the policy rule in the
current epoch that holds a potential of leading to a
complete evaluation of the rule in some future epoch,
thus becoming a trace of the event. Given an active
threadA
at epocht ? 1
and the epochE
t
, the algo-
rithm computes all possible ways of extendingA
to
an active thread or a trace for epocht
. All such ac-
tive threads are added to the setR ( t )
. In addition set
R ( t )
gets an active thread which represents a partial
evaluation of the policy rule that starts at epocht
.
In the following we will denote an active thread
A = s
0
; E
0
j
; s
j
: : : E
0
t
; s
t
by the tuple( A
1
; A
2
)
,
whereA
1
= f s
0
; s
j
: : : s
t ? 1
; s
t
g
andA
2
=
( E
0
j
; E
0
j + 1
: : : E
0
t
)
.
The policy evaluation algorithm PE has two
phases: the initialization phase and the real-timeevaluation phase. The former involves compiling the
policy description to evaluate all the static informa-
tion. The latter phase lasts from the time the algo-
rithm is started to forever. In the real-time phase, the
algorithm PE, at epocht
, evaluates the policy rule in
the current historyH
, to determine the actions to be
taken, or the policy defined events to be triggered at
epocht
.
We will use a running example of a policy rule toillustrate the algorithm PE:
e
1
; e
1
; e
2
; e
2
causesA ( c o u n t ( e
1
1 ] ) ; e
2
2 ] : x )
if B ( e1
2 ] : y )
Note that instance the complex eventE =
e
1
; e
1
; e
2
; e
2
consists of at least onee
1
followed by
at least onee
2
. The conditionB
tests for they
at-
tribute of the laste
1
in the instance ofE
. If the con-
ditionB
evaluates to true then it causes actionA
with
two arguments which are dependent on the number
ofe
1
and the value of thex
attribute of the laste
2
in
the instance ofE
.
A. Initialization phase
This phase involves, among other things, the
construction of a non-deterministic finite automata
(NDFA)N
for the complex eventE
in the rule.
Example: For our example the NDFA is shown in
Fig. 1. It has three states1 ; 2 ; 3
. State1
is the initial
state and state3
is the final state.
1 2 3
e
1
e
1
e
2
e
2
Fig. 1. NDFA for the example.
8/2/2019 10.1.1.21.9911 (2)
6/15
6
B. Real-time evaluation phase
We describe this phase for a particular epocht
. As
described earlier the algorithm maintains a set of ac-
tive threadsR ( t )
for eventE
at epocht
. In addition
for every active thread A = ( A 1 ; A 2 ) in R ( t ) the al-gorithm maintains the partial information (attribute
values, aggregated values etc), that can be obtained
fromA
and which is required to evaluate the if con-
ditionB
, the actionA
or to construct policy defined
eventsT
.
Example: Lett = 1
andE
1
= f e
1
g
. One of the
active threads ofE
at epoch1
hasA
1
= f 1 ; 2 g
and
A
2
= ( f e
1
g )
, corresponding to the only primitive
event in the history att = 1
. Another active thread
ofE
at epoch1
hasA
1
= f 1 ; 1 g
andA
2
= ( f e
1
g )
.
Note that for the first active thread c o u n t ( e1
1 ] ) = 0
ande
1
2 ]
is instantiated to the primitive evente
1
in
E
1
. Similarly for the second active thread we know
thatc o u n t ( e
1
1 ] ) > = 1
, and we do not have any
information aboute
1
2 ]
.
The general structure of the algorithm PE is as
follows. Let epocht
be the next epoch. By our as-
sumption the algorithm has the set of active threads
R ( t ? 1 )
. LetA ( t ? 1 ) 2 R ( t ? 1 )
be an active
thread. Lets
be the last state of the NDFAN
ofE
,
in the pathA
1
forA ( t ? 1 )
. We will say that the
active threadR ( t ? 1 )
is in states
of the NDFAN
.
Let( s ; s
0
)
be a transition inN
which is labeled with
a basic eventE
( s ; s
0
)
. ThenE
( s ; s
0
)
is of the forme
or
! e
ore
1
& e
2
& : : :
ore
1
j e
2
j : : :
, where eache ; e
i
is a
primitive event. LetI
be the set of minimal subsets
ofE
t
in which eventE
( s ; s
0
)
occurs. For each seti
2 I
a new active thread is generated, for which
A
1
=
append( A
1
ofA ( t ? 1 ) ; ( s
0
) ) ;
A
2
=
append( A
2
ofA ( t ? 1 ) ; ( i ) )
In addition the algorithm computes the additionalinformation obtained for evaluating the policy rule
from the epochi
. At this point it is checked if this
new active thread is in a final state of the NDFAN
,
and if it has all the information required to evaluate
the policy rule. If it is then the policy rule is eval-
uated in this active thread, and the active thread is
terminated. Otherwise the active thread is added to
the setR ( t )
. This procedure is carried out for every
active thread inR ( t ? 1 )
. In addition a new active
thread! ( 0 )
is added toR ( t )
withA
1
=
the initial
state of the NDFA and an emptyA
2
.
Example: In the previous example there are three
active threads at epoch1
in this history. Two were
described earlier and the third one is! ( 0 )
.
Example: Let the history at time t = 2 be E1
=
f e
1
g ; E
2
= f e
3
g
. In this history all three active
threads inR ( 1 )
are discarded at epoch2
. Therefore
R ( 2 ) = f ! ( 0 ) g
.
The evaluation of a policy rule at an epoch may
cause some actions or trigger some policy defined
events. The algorithm PE ensures that the same ac-
tion is not done twice or the same policy defined
event is not triggered twice in an epoch. Two ac-
tions are the same if they cause the invocation of
the same function with the same values for the ar-
guments. Two policy defined events are the same if
they are an instance of the same event object with the
same values for their attributes.
8/2/2019 10.1.1.21.9911 (2)
7/15
7
C. Pseudocode for the algorithm PE
// Initialization phase
P = the Policy
for each rule r in P
NDFA(r
) = the NDFA for eventE
of ruler
R ( 0 ; r ) = f the active thread ! ( 0 ) g
t = 1
i
1
= E
1
// Online phase
while(true)
// pde is the set of triggered events
pde= ;
actions = ;
for each ruler
inP
// Compute active threads for epoch t
R ( t ; r )
= Update( R ( t ? 1 ; r ) ; i
t
) R ( 0 ; r )
// Compute actions for epoch t
actions = actions Actions( R ( t ? 1 ; r ) ; i t )
// Compute triggers for epoch t
pde = pde
Trigger( R ( t ? 1 ; r ) ; i
t
)
// FIRE fires the actions
FIRE(actions)
i
t + 1
= pde Et + 1
t = t + 1
Example: Let the history H at epoch 2 be E1
=
f e
1
g ; E
2
= f e
1
; e
1
; e
2
; e
2
g
. The two instances of
e
1
in the second epoch have they
attributes set to4
and5
respectively. The two instances ofe
2
in thesecond epoch have the
x
attributes set to2
and7
re-
spectively. Thee
1
in the first epoch hase
1
: y = 9
.
As described earlier there are three active threads in
R ( 1 )
. For each of these active threads we present
below the new active threadsR ( 2 )
that are created at
epoch2
.
1. For the active thread! ( 0 ) 2 R ( 1 )
two new
active threads may be added toR ( 2 )
, each with
A
1
= f 1 ; 1 g
andA
2
= ( f e
1
g )
, one for eache
1
inE
2
. Note that for both these active threads we
have the same information to evaluate the policyrule:
c o u n t ( e
1
1 ] ) 1
. Hence both these active
threads are indistinguishable, in terms of the evalua-
tion of the policy rule. Hence only one of these active
threads is added toR ( 2 )
. In addition for the active
thread! ( 0 ) 2 R ( 1 )
two new active thread are added
toR ( 2 )
, each withA
1
= f 1 ; 2 g
andA
2
= ( f e
1
g )
,
one for eache
1
inE
2
. Note that these two active
threads are distinct since even though for both of
them we havec o u n t ( e
1
1 ] ) = 0
, one of them has
e
1
2 ] : y = 4
and the othere
1
2 ] : y = 5
.
2. For the active thread corresponding to the tuple
( f 1 ; 1 g ; ( f e
1
g ) ) in R ( 1 ) the two new active threads
that are added toR ( 2 )
are determined as for the ac-
tive thread! ( 0 ) 2 R ( 1 )
.
3. For the active thread corresponding to the tu-
ple( f 1 ; 2 g ; ( f e
1
g ) )
inR ( 1 )
one active thread cor-
responding to the tuple( f 1 ; 2 ; 2 g ; ( f e
1
g ; f e
2
g ) )
is
added toR ( 2 )
. Here the firste
1
refers to thee
1
in
the first epoch and the seconde
2
may refer to any
of the twoe
2
s in the second epoch. In this active
threadc o u n t ( e
1
1 ] ) = 0 ; e
1
2 ] : y = 9
. In addi-
tion for the active thread( f 1 ; 2 g ; ( f e
1
g ) ) 2 R ( 1 )
two traces of event E at epoch 2 are obtained, bothcorresponding to the tuple
( f 1 ; 2 ; 3 g ; ( f e
1
g ; f e
2
g ) )
,
where the firste
1
refers to thee
1
in the first epoch
and the seconde
2
refers to one of the twoe
2
s in
the second epoch. For each of these active threads
c o u n t ( e
1
1 ] ) = 0 ; e
1
2 ] : y = 9
, and for one of them
e
2
2 ] : x = 2
and for the othere
2
2 ] : x = 7
. Note that
both these traces have enough information to eval-
uate thec o n d i t i o n
. If thec o n d i t i o n
evaluates to
true for both these traces, then the actionA
is per-
formed twice at epoch2
, once asA ( 0 ; 2 )
and once
asA ( 0 ; 7 )
.
IV. THE COMPLEXITY OF POLICY EVALUATION
In this section we show that even restricted in-
stances of the policy evaluation problem are quite
hard. However we observe that the hard instances of
the policy evaluation problem are quite rare in real
world networks. Under some very realistic assump-
tions we are able to show that our policy evaluation
algorithm (Section III) has a good worst case per-
formance.
A. Hardness of evaluating policies
We establish the hardness of the easier decision
version of the problem: Given a policyP
of de-
scription sizep
and an actionA
and historyH
of
8/2/2019 10.1.1.21.9911 (2)
8/15
8
h
epochs, isA
caused byP
in any of the epochs of
H
? We show that the decision version of the policy
evaluation problem is NP-Hard for many restricted
class of policies.
We first show that the decision version of the pol-icy evaluation problem is NP-complete if there is no
bound onp
, the policy description size. Our first
two results show this for some very simple class of
policies. One might makep
a small bounded con-
stant. Unfortunately we are able to show that the
problem is hard even ifp
is a small bounded con-
stant. We present three more hardness results each
bringing out a different aspect of the intractability of
the problem. These are hardness results for policies
with policy defined events, policies with double
non-determinism , and policies that use aggregate
operators for un-grouped events in the scope of a
operator in the specification of policy eventE
. From
these three results we conclude that the intractibil-
ities are due to: simple policies for which an expo-
nential number of policy defined events may get trig-
gered (exponential inh
), double non-determinism
potentially leading to an exponential number of ac-
tive threadsA = ( A
1
; A
2
)
, which differ in the path
A
1
traversed in the NDFA, and for the third kind
(un-grouped) of policies for which there may be an
exponential number of active threadsA = ( A
1
; A
2
)
,
that differ only in the A 2 values. We are able to showthat these are the only necessary and sufficient condi-
tion for the intractability of the problem. That is we
show later that the class of policies, in which none of
the above mentioned intractibilities are present, can
be evaluated in polynomial time. And the algorithm
presented in Section III does so.
First of all note that the decision version of the
policy evaluation problem is in the class NP, under
the assumption that all functions in the policy rule
are computable in polynomial time. This is because
given a trace T for the event E , of the policy rule,
at an epocht
, it can be verified, in polynomial time,
ifT
is a valid trace and if actionA
happens when
the policy rule is evaluated inT
. Below we present
reductions from 3-SAT to this problem, thus estab-
nested s?
lishing its NP completeness.
Theorem 1: The policy evaluation problem is NP-
complete for policies in which the policy specifica-
tion does not use the operator, For this result we
requirep
to be a polynomial inh
, thus allowing un-bounded size policies.
Proof: We reduce 3-SAT to the decision ver-
sion of the policy evaluation problem. Let the given
instance of 3-SAT haven
variablesx
1
; x
2
; : : : x
n
.
LetC = f c
1
; c
2
: : : c
m
g
be the set of clauses in the
given 3-SAT instance. Thus eachc
i
is a disjunction
of literals overx
1
; x
2
; : : : x
n
. We construct a policy
P
withn
primitive events:e
1
; e
2
: : : e
n
, such thate
i
has a boolean attributex
i
. The policyP
has one rule:
e
1
; e
2
; e
3
: : : ; e
n
causesA
ifB :
HereB
is a conjunction of boolean expressions con-
structed as follows. For every clausec
i
which is
a disjunction of the three literals corresponding to
the variablesx
a
; x
b
; x
c
, we define a boolean function
f
i
with three argumentse
a
: x
a
; e
b
: x
b
; e
c
: x
c
that com-
putes the disjunction of its arguments corresponding
to the clausec
i
. For example if the clausec
i
is equal
tox
1
j x
2
j x
3
thenf
i
( x ; y ; z ) = x j y j z :
For clausec
i
we have a boolean expressionb
i
which is true if and
only if the functionf
i
( e
a
: x
a
; e
b
: x
b
; e
c
: x
c
)
evaluates
to 1 . The condition B is a conjunction of the boolean
expressionsb
1
; b
2
: : : b
m
.
Let there ben
epochs in the history, withE
j
=
f e
j
; e
j
g ; ( 1 j n )
, such thate
j
1
: x
j
= 1
and
e
j
2
: x
j
= 0 :
In other words at thej
-th epoch two
instances of primitive evente
j
occur, one of which
has attributee
j
: x
j
set to1
and the other one has the
attributee
j
: x
j
set to0
.
Note that there are2
n traces (instances) of the
complex eventE = e
1
; e
2
; e
3
; : : : e
n
in the input his-
toryH
at epochn
, each corresponding to the2
n
dif-ferent choices of picking one of the two primitive
events in each epoch. Note that depending on which
e
i
we pick from the epochi
, either the value ofe
i
: x
i
is0
or it is1
. In other words each of the trace of
the eventE
corresponds to a distinct setting of the
attributese
i
: x
i
; ( 1 i n )
. Hence there is a one
8/2/2019 10.1.1.21.9911 (2)
9/15
9
to one correspondence between an assignment to the
variablesx
1
; x
2
: : : x
n
and an trace of the eventE
,
such that the value ofx
i
is equal to the value of the
attributee
i
: x
i
in the trace. But then if the policyP
on historyH
causes the actionA
to happen at epoch
n , then there must be an trace of the event E for
which the conditionB
evaluates to true, which by
construction implies a satisfying assignment for the
given 3-SAT instance. On the other hand if there is
a satisfying assignment for the given 3-SAT instance
then in the corresponding trace of the eventE
the
conditionB
evaluates to true, and hence the policy
P
on historyH
must cause the actionA
to happen at
epochn
.
Remark 2: This result seems to suggest that the
policy evaluation problem may be hard due to there
being two primitive events per epoch which leads
to doubling of the active threads at every epoch,
even though all these active threads traverse the same
path in the NDFA forE
(they agree onA
1
). Next
we show that this is not the only reason for the in-
tractability of the policy evaluation problem.
Theorem 3: Even if there is only one primitive
event, which may happen only once in each epoch,
the decision version of the policy evaluation problem
is NP-complete. For this result we requirep
to be a
polynomial inh
.
Proof: We again reduce 3-SAT to the de-
cision version of the policy evaluation problem.
Let the given instance of 3-SAT haven
variables
x
1
; x
2
: : : x
n
. LetC = f c
1
; c
2
: : : c
m
g
be the set of
clauses in the given 3-SAT instance. We construct a
policyP
with one primitive event, and one rule:
e ; e ; : : : e
causesA
ifB :
The history we consider hasn
epochs (h = n
) with
E
j
= f e g ; ( 1 j n ) :
The proof is similar to
the proof of Theorem 1. As before we have to es-tablish a correspondence between an assignment to
then
variablesx
1
; x
2
: : : x
n
and a trace of the event
E = e ; e ; : : : e
in the inputH
. Note that there are
at least2
n traces ofE
in the historyH
, each corre-
sponding to a different set of values of the functions
c o u n t ( e i ] ) ; ( 1 i n )
. Given an trace ofE
in the
historyH
we map it to an assignment of then
vari-
ablesx
1
; x
2
: : : x
n
as follows. We correspondx
i
to
c o u n t ( e i ] )
:c o u n t ( e i ] ) > 0
corresponds tox
i
= 1
andc o u n t ( e i ] ) = 0
corresponds tox
i
= 0
. Now
the proof is exactly the same as the proof of Theo-
rem 1 where we replace ei
: x
i
by c o u n t ( e i ] ) in the
conditionB
.
So far we have seen that simple class of policies
are hard to evaluate. In real life most policies are
small and have bounded description size. For such
policies the previous results do not hold. In the fol-
lowing we will study such class of bounded size poli-
cies.
Theorem 4: Even if only two primitive events
may happen in each epoch,p
is a constant and poli-
cies are defined using policy defined events, the deci-sion version of the policy evaluation problem is NP-
complete.
Proof: We reduce 3-SAT to this decision ver-
sion of the policy evaluation problem. Let the given
instance of 3-SAT be as in proof of Theorem 1, have
n
variablesx
1
; x
2
; : : : x
n
. LetC = f c
1
; c
2
: : : c
m
g
be the set of clauses in the given 3-SAT instance. We
construct a constant size policyP
with3
primitive
events:e
1
; e
2
; e
3
, such thate
1
has a boolean attribute
x
ande
2
has two attributesy
andz
. The attributesy
and z of e 2 are used to encode a clause c 2 C . Thepolicy
P
has five rules:
e
1
& ! t triggers t ( a = e1
: x ; b = 0 ; c = 1 ) :
e
1
& t
triggers t ( a = 2 t b + 1 e1
: x + t : a ; b = t : b + 1 ; c = 1 ) :
e
2
& t triggers t ( a = t : a ; b = t : b ; c = 1 )
iff ( t : a ; t : c ; e
2
: y ; e
2
: z ) :
e
2
& t
triggerst ( a = t : a ; b = t : b ; c = 0 )
if! f ( t : a ; t : c ; e
2
: y ; e
2
: z ) :
e
3
& t
causesA
ift : c = 1 :
Heret
is a policy defined event with three attributes:
a ; b ; c
. We consider a historyH
ofn + m + 1
epochs,
E
j
= f e
1
; e
1
g ; ( 1 j n ) ; E
j
= f e
2
g ; ( n + 1
j n + m ) ;
andE
n + m + 1
= f e
3
g :
Note that the his-
tory as described above does not include the policy
defined events that get added to the epochs, it only
8/2/2019 10.1.1.21.9911 (2)
10/15
10
represents the system defined primitive events.
The two events in each of the firstn
epochs sat-
isfye
1
1
: x = 1 ; e
1
2
: x = 0 :
Thus the events in the
firstn
epochs, as in the proof of Theorem 1, encode
the2
n
assignments for then
variablesx
1
; x
2
: : : x
n
.The events in the next
m
epochs correspond to the
m
clauses, such that the evente
2
in the epochn + i
encodes using its attributesy
andz
, thei
-th clause.
This is done as follows. Let thei
-th clause involve
the three variablesx
1
; x
2
andx
3
. Let
1
;
2
;
3
be each0
or1
depending on if the corresponding lit-
eralx
1
; x
2
; x
3
is positive or negative in thei
-th
clause. The evente
2
in epochn + i
encodes thei
-th
clause by setting the attributey
to the boolean vec-
tor(
1
;
2
;
3
)
and by setting the attributez
to the
vector(
1
;
2
;
3
)
. The event in the last epoch ise
3
which serves as a flag to terminate the evaluation of
the policy.
Note that the first rule applies only in the first
epoch, and that at the end of then
epochs there are
exactly2
n policy defined eventst
, each correspond-
ing to one of the2
n possible satisfying assignments,
which is encoded in the attributea
oft
(as a decimal
number corresponding to the binary vector). Each
of these events at epochn
hast : c = 1
. We now
show that if for some policy defined eventt
, the at-
tributet : c
is equal to one at epochm + n + 1
then
the assignment encoded int : a
is a satisfying assign-
ment. Note that in them
epochs,n + 1 : : : n + m
,
only rules three and four are evaluated. In the epoch
n + i
, these rules ensure that if the encoded assign-
mentt : a
satisfies thei
-th clause, for a policy defined
eventt
with attributec = 1
, then a new instance of
policy defined eventt
with attributec = 1
is added
to the next epoch, otherwise an instance of policy de-
fined eventt
with attributec = 0
is added to the next
epoch. These rules also ensure that for a policy de-
fined eventt
with attributet : c = 0
, the instance of
the policy defined event t that gets added to the next
epoch also has attributec = 0
. Hence ift : c = 1
for a
policy defined eventt
at epochm + n + 1
then the as-
signment encoded int : a
is a satisfying assignment.
Therefore actionA
occurs at epochm + n + 1
iff the
given instance of 3-SAT has a satisfying assignment.
Note that the functionf
can be implemented in
constant space, since it only checks the value of its
second argument, and it only checks if the clause en-
coded in its last two arguments is satisfied by the as-
signment encoded in its first argument.
Remark 5: We note that the reason triggers make
the problem hard, is that policies may trigger an ex-
ponential number of policy defined events (exponen-
tial inh
) in historiesH
of lengthh
.
Theorem 6: Even if only two primitive events
may happen in each epoch,p
is a constant, policy
rules do not use policy defined events, however we
allow double non-determinism in the event defi-
nition, the decision version of the policy evaluation
problem is NP-complete.
Remark 7: An example of an event with dou-
ble non-determinism is the complex eventE =
( e
1
; e
2
)
. Such an event may have an exponential
number of active threads (exponential inh
) in an
epoch historyH
of lengthh
.
Proof: The proof is similar to the proof of The-
orem 4. We reduce 3-SAT to this decision version
of the policy evaluation problem. Let the given in-
stance of 3-SAT haven
variablesx
1
; x
2
; : : : x
n
. Let
C = f c
1
; c
2
: : : c
m
g
be the set of clauses in the given
3-SAT instance. We construct a constant size policy
P
with4
primitive events:e
1
; e
0
1
; e
2
; e
3
, such thate
1
has an attributex
,e
2
ande
3
are the same event as in
the proof of Theorem 4. The policyP
has one rule:
( e
1
; e
0
1
) ; e
2
; e
3
causesA
iff
1
( f
2
( e
1
: x ) ; e
2
: y ; e
2
: z )
The historyH
withh = n + m + 1
is given by:
E
j
= f e
1
; e
0
1
g ; ( 1 j n ) ; E
j
= f e
2
g ; ( n + 1
j n + m ) ;
andE
n + m + 1
= f e
3
g :
Here the eventse
1
s in the firstn
epochs of the
history are used to encode the2
n
assignments forthe
n
variablesx
1
; x
2
: : : x
n
. This is done by setting
e
1
: x = 2
j ? 1 for the evente
1
inE
j
; ( 1 j n )
.
The events in the nextm
epochs, as in the proof of
Theorem 4, encode them
clauses. The evente
3
as
before serves as a flag to terminate the evaluation of
the policy.
8/2/2019 10.1.1.21.9911 (2)
11/15
11
The functionf
2
is an aggregator operator that
sums up thee
1
: x
values. Note that at the end of
the firstn
epochs there are2
n active threads for
( e
1
; e
0
1
)
in the history, for each of which the func-
tionf
2
( e
1
: x )
encodes a potential satisfying assign-
ment, as its decimal value.
The functionf
1
is an aggregator operator that
checks, as in the proof of Theorem 4, if the assign-
ment encoded inf
2
( e
1
: x )
satisfies the clause en-
coded in its last two arguments. The value of this
function is one at the end ofn + m + 1
epochs if and
only if all them
clauses are satisfied by the encoded
assignment. Note that both the functionsf
1
andf
2
can be implemented in constant space.
Remark 8: The above shows that a complex event
with double non-determinismE =
(
e
1
;
e
2
)
, mayhave an exponential number of active threads in an
epoch historyH
of lengthh
. Note that these active
threadsA = ( A
1
; A
2
)
differ inA
1
, the path that they
take in the NDFA forE
, and for a complex event
with non-determinism there can be an exponential
number ofA
1
s.
We now show that even if we do not allow dou-
ble non-determinism, andp
is a constant, the policy
evaluation problem is still hard.
Theorem 9: Even if only two primitive events
may happen in each time instance,p
is a constant,
policy rules do not use policy defined events, and
there is no non-determinism in the event definition,
the decision version of the policy evaluation problem
is NP-complete.
Remark 10: The following proof establishes that
there may be an exponential number of active threads
A = ( A
1
; A
2
)
in an epoch historyH
of lengthh
, all
of which have the sameA
1
, the path in the NDFA,
however they may differ in theA
2
s.
Proof: The proof is similar to the proof of The-orem 6. We reduce 3-SAT to this decision version
of the policy evaluation problem. Let the given in-
stance of 3-SAT haven
variablesx
1
; x
2
; : : : x
n
. Let
C = f c
1
; c
2
: : : c
m
g
be the set of clauses in the given
3-SAT instance. We construct a constant size policy
P
with3
primitive events:e
1
; e
2
; e
3
, such thate
1
has
a attributex
,e
2
ande
3
are the same event as in the
proof of Theorem 4. The policyP
has one rule:
e
1
; e
2
; e
3
causes A
iff
1
( f
2
( e
1
: x ) ; e
2
: y ; e
2
: z )
The historyH
withh = n + m + 1
is given by:
E
j
= f e
1
; e
1
g ; ( 1 j n ) ; E
j
= f e
2
g ; ( n + 1
j n + m ) ;
andE
n + m + 1
= f e
3
g :
The pair of eventse
1
s in the firstn
epochs dif-
fer in their attributex
value, one has it set to0
and
the other has it set to1
. These events as in earlier
proofs are used to encode the2
n assignments for the
n
variablesx
1
; x
2
: : : x
n
, since an active thread has
to choose one of these events in each such epoch.
The events in the next m epochs, as in the proof ofTheorem 4, encode the
m
clauses. The evente
3
as
before serves as a flag to terminate the evaluation of
the policy.
The functionf
2
is an aggregator operator that en-
codes thee
1
: x
values (as a decimal representation of
the binary vector). Note that at the end of the first
n
epochs there are2
n distinct active threads ofE
,
each corresponding to a potential distinct satisfying
assignment of the 3-SAT instance.
The functionf
1
is an aggregator operator thatchecks, as in the proof of Theorem 6, if the assign-
ment encoded inf
2
( e
1
: x )
satisfies the clause en-
coded in its last two arguments. The value of this
function is one at the end ofn + m + 1
epochs if and
only if all them
clauses are satisfied by the encoded
assignment. Note that both the functionsf
1
andf
2
can be implemented in constant space.
Remark 11: In theP D L
a group operator is
provided to deal with this kind of intractability. For
an event defined asg r o u p ( e )
for some basic evente
,
there is at most one instance in any given epoch, nomatter how many distinct instances of
e
are present
in the epoch. As the name suggests the group op-
erator groups all these instances into one instance.
We will show later that policies where all the basic
events within the scope of a operator are of the
formg r o u p ( e )
, in its specification can be efficiently
8/2/2019 10.1.1.21.9911 (2)
12/15
12
evaluated given some other restrictions.
B. Complexity of the Policy Evaluation Algorithm
We have seen that even very restricted instancesof the policy evaluation problem are hard to solve.
However the hard cases seem to arise only for con-
trived instances of the problem. In real life we can
assume that the following may hold:
All active threads have small length, i.e. there are
only a small number of epochs in its underlying par-
tial trace.
The functions used in the policy rules can be effi-
ciently computed.
The policy rules have bounded size descriptions.
There are only a small number of distinct instancesof a primitive (system defined or policy defined)
event in any epoch of the history.
Policies can be written without using double non-
determinism to construct complex events.
Policies can be written such that the basic events in
the scope of a operator are also within the scope
of theP D L
group operator in the eventE
.
These assumptions are justified by the fact that
real networks have finite memory: the events that
must lead to an action, happen not too far back in
the past. Also network policies can be generally
expressed as simple rules which do not require too
much computation to implement.
Under these assumptions the policy evaluation al-
gorithm PE is quite efficient.
Theorem 12: Given a policy ruleR
of sizep
, de-
fined using complex eventE
that does not use dou-
ble non-determinism, and uses the group operator
for basic events in the scope of a , and a history
H
in which there are at mostk
distinct instances of
any primitive event (including policy defined) in anyepoch, such that all the active threads of
E
have a
length bounded byl
inH
, and all ofR
s functions
can be computed efficiently then the algorithm PE,
to evaluate ruleR
, runs in timeO ( ( k l )
p
)
per epoch.
Note that ifp
is a constant then the algorithm runs in
time a polynomial ink
andl
.
Proof: Note that the complexity of the algo-
rithm for any given epoch is directly proportional to
the number of active threads in that epoch. In the fol-
lowing we will bound the number of active threads
per epoch. It follows from our assumptions about
event E that it can be written as E = C1
; C
2
: : : C
m
,
for eventsC
i
which have the following property: ei-
therC
i
= D
i
for some eventD
i
which does not
contain any and all its basic events are within the
P D L g r o u p
operator, orC
i
= F
i
, whereF
i
does
not contain any operator. Note that bothD
i
and
F
i
are of the forme
1
; e
2
: : : e
j
, where eache
i
is a
basic event possibly within ag r o u p
operator. Note
that from this it follows that that the NDFAN
can
also be partitioned as shown in Fig. 2, which we will
write asN = N
1
; N
2
: : : N
m
.
N
m
N
2
N
1
transition
Fig. 2. Partition of the NDFA of the complex event
Let us first compute how many distinct active
threadsA = ( A
1
; A
2
)
can have the same pathA
1
in the NDFAN
. Two such active threads are dis-
tinct if they have a different value of some attributeor some aggregate operator. Note that in any such
active thread, an attributee s ] : x
can have at mostk
distinct values, one for each instance of the primitive
evente
in the epoch where this attribute is instan-
tiated. This is because for any attributee s ] : x
the
epoch in which it gets instantiated is the same for all
the active threads since they all agree on their paths
A
1
in the NDFAN
. Also note that all the aggre-
gate operators have the same value for all these ac-
tive threads, since aggregate operators involve events
and their attributes which are within the scope of the
operator and all such events by our assumption
are also within the scope of ag r o u p
operator. All
this implies that there can be at mostO ( k
p
)
active
threads that have the sameA
1
value.
Now we compute the number of distinct values for
A
1
that the active threads in any epoch may have.
8/2/2019 10.1.1.21.9911 (2)
13/15
13
Note that the pathA
1
can be partitioned intom
paths, with thei
-th path completely contained inN
i
.
Let the length of the chain (and hence the number of
states) ofN
i
ben
i
. Note thatP
m
i = 1
n
i
= O ( p )
, and
thereforem
as well asn
i
s are each at mostO ( p )
.
Since the active thread A1
has length a l , we must
have:m
X
i = 1
c
i
n
i
l :
for some non negative integersc
i
s. Note thatA
1
can be completely specified by specifying thec
i
val-
ues. A very crude estimate is0 c
i
l
for all
i
. Hence the number of distinct values for all the
c
i
and hence the number of distinctA
1
are at most
O ( l
m
) = O ( l
p
)
.
Combining the two results we get that the numberof active threads in any epoch are
O ( ( k l )
p
)
.
V. SIMULATION RESULTS
In this section we present our empirical results on
the performance of the policy evaluation algorithm
PE, based on simulations. Our experimental setup is
as follows. For a given policyP
and a historyH
of
h
epochs we measure the timem ( t )
(in milli-secs)
that it takes to evaluate the policy P at the epocht
onH
. We plott
on the X-axis andm ( t )
on the
y
axis. In Fig. 3 we show the performance of the
algorithm for4
simple policies, each with rules of
the forme causes A ( e : x ) : policies with one such
rule, two such rules, four such rules and eight such
rules. The rules in a policy use different primitive
events. For this experiment, the epochs in the his-
toryH
grow linearly withh
. That is thej
-th epoch
containsj
distinct instances (with different value for
attributex
) of each of the eight primitive events that
may occur in any of the policy rule. As expectedthe time to evaluate a policy increases linearly with
the number of epochs and the number of rules (for
clarity we do not present the results for policy with
9 ; 1 0 : : :
rules) The results in Fig. 3 serve as a base-
line to measure the performance of the algorithm for
more complicated policies.
s.8s.4s.2s.1
200180160140120100806040200
18001600140012001000
800600400200
0
Fig. 3. Simple Policies
The next policy that we used for our experiments
is for admission control, it enforces two levels of
admission control: at a global level it allows at
most maxConn, and at a class level it allows atmost a class dependent number of simultaneous con-
nections. The policy involves two external events
TryConn and DisConn representing a request for
a connection or for a disconnect respectively. In ad-
dition it involves two policy defined events Class-
Conn and GlobalConn, for enforcing the policy
by keeping track of the number of connections at the
class and global level respectively.
Startup triggers GlobalConn(conncts = 0);
StartClass triggers Class-Conn(class = Startup.class,
conncts = 0);
TryConn & ClassConn & GlobalConn
causes Conn("Connection", TryConn.user)
if GlobalConn.conncts < maxCon,
TryConn.class = ClassConn.class,
ClassConn.conncts < maxConn(TryConn.class);
Disconn
causes Disc("Disconnection", Disconn.user);
TryConn & ClassConn & GlobalConn
triggers ClassConn(class = ClassConn.class,
conncts = ClassConn.conncts + 1)
if GlobalConn.conncts < maxCon,
TryConn.class = ClassConn.class,
ClassConn.conncts < maxConn(TryConn.class);
TryConn & ClassConn & GlobalConn
triggers GlobalConn(conncts = Global-
Conn.conncts + 1)
if GlobalConn.conncts < maxCon,
TryConn.class = ClassConn.class,
8/2/2019 10.1.1.21.9911 (2)
14/15
14
ClassConn.conncts < maxConn(TryConn.class);
Disconn & ClassConn
triggers ClassConn(class = ClassConn.class,
conncts = ClassConn.conncts - 1)
if Disconn.class = ClassConn.class;
Disconn & GlobalConn
triggers GlobalConn(conncts = Global-
Conn.conncts - 1);
Disconn & ClassConn
triggers ClassConn(class = ClassConn.class,
conncts = ClassConn.conncts )
if Disconn.class != ClassConn.class;
TryConn & ClassConn
triggers ClassConn(class = ClassConn.class,
conncts = ClassConn.conncts )
if TryConn.class != ClassConn.class;
StartClass & GlobalConn
triggers Global-
Conn(conncts = GlobalConn.conncts);
This policy monitors and controls the number of
simultaneous connections from different classes of
users into a network. There is an overall limit of
connections given by the constant maxCon. In a
given moment the number of simultaneous connec-
tions is limited to a maximum of maxCon. There
is a second tier of control based on classes. Users
have associated classes and each class has limited
its maximum number of connection by the value of
the function maxConn(class). The policy worksas follows. There is an event triggered at the time
the policy is brought up (i.e. it is triggered by the
event Startup). The event triggered, Global-
Conn, has one attribute that keeps track of the total
number of current connections in the system. It is
initialized in 0. This is done by the first rule in the
policy. Each time a new user class is introduced the
event StartClass is generated by the registration
process. This event has one attribute, the event class
name. This event triggers an internal event, Class-
Conn, with two attributes, one with the class nameand the other a counter, also initialized in 0, that will
keep track of the number of simultaneous connec-
tions for the class. This is encoded in the second
rule. The next two rules process the connections
and disconnection. The connection policy rule ex-
ecutes the action (i.e. establishes the connection) if
the limits are not exceeded. The fifth and six rules in-
crement the appropriate class counter and the global
counter if the connections will be established. The
next two rules decrement the counters after discon-
nect occurs. The last three rules handle the cases
when event occurs but counters do not change. Note
that there is a StartClass event for each class and
these events are re-triggered each time an external
event (TryCOnn and Disconn) not affecting the
class occurs. For this policy the epochs are defined
as follows. A new epoch is initiated whenever a re-
quest for a connection or disconnection or any of the
start events happen. We assume for this policy that
every epoch contains exactly one external (system
defined) event.
We ran the experiments for randomly generated
admission/dis-connection requests for the admiss-
sion control policy, The running time of the algo-
rithm stayed around1 0 0
ms per epoch.
V I . RELATED WORK
Policy based network management has been a
topic of research for several years. There has been
work in formal models and methodologies to express
policies (see, for example, [9] and the references
therein) but no attention is directed to complexity is-
sues. In many cases is not clear that the models al-ways describe computable policies. General purpose
event programming languages have been around for
a while. Good examples are the READY system [3]
and its predecessor YEAST [5]. Event languages
have also been studied in the context of network
monitoring (see, for example, [4], [10]). There is
also a tremendous amount of effort from the net-
working industry to understand and standardize the
concept of policy. The interest is reflected in the
work of the Policy Working group in the Internet
Engineering Task Force (IETF) [7], [8]. Our pri-mary interest has been to develop a policy server,
with a complete understanding of the complexity of
the problem being addressed. For the latter goal we
needed more than an implemented event language
system. We needed a formal specification of what
a policy could do. We developedP D L
with this in
8/2/2019 10.1.1.21.9911 (2)
15/15
15
mind. Although we cannot do formal comparisons
betweenP D L
and the standards being proposed at
IETF y our complexity results show thatP D L
is a
very expressive language, and we believe sufficient
for the policies required in real network applications.
Details of the language and several examples can be
found in [6].
REFERENCES
[1] R. Bhatia, M. Kohli, J. Lobo, and A. Virmani. A policy-
based network management system. In Proc. of the In-
ternational Conference on Parallel and Distributed Tech-
niques and Applications/International Conference on Ar-
tificial Intelligence, June 1999.
[2] J. Boyle, R. Cohen, D. Durham, S. Herzog, R. Rajan, and
A. Sastry. The COPS (Common Policy Service) protocol.
Technical Report draft-ietf-rap-cops-06.txt, Internet Engi-
neering Task Force, February 1999.[3] R. E. Gruber, B. Krishnamurthy, and E. Panagos. High-
level constructs in the READY event notification system.
In 8th ACM SIGOPS European Workshop, Sintra, Portu-
gal, September 1998.
[4] M. Z. Hasan. An active temporal model for network man-
agement databases. In IFIP/IEEE 4th International Sym-
posium on Integrated Network Management, pages 524
535, Santa Barbara, California, May 1995.
[5] B. Krishnamurthy and D. Rosenblum. YEAST: A general
purpose event-action system. IEEE Transactions on Soft-
ware Engineering, 21(10):845857, Octuber 1995.
[6] J. Lobo, R. Bhatia, and S. Naqvi. A policy description
language. In Proc. of AAAI, Orlando, FL, July 1999.
[7] J. Strassner and E. Elleson. Terminology for describ-ing network policy and services. Technical Report draft-
strassner-policy-terms-01.txt, Internet Engineering Task
Force, February 1999.
[8] J. Strassner and S. Schleimer. Policy framework definition
language. Technical Report draft-ietf-policy-framework-
pfdl-00.txt, Internet Engineering Task Force, November
1998.
[9] R. Wies. Policies in network and system management -
formal definition and architecture. Journal of Network and
System Management, 2(1):6383, 1994.
[10] O. Wolfson, S. Sengupta, and Y. Yemini. Managing
communication networks by monitoring databases. IEEE
Transactions on Software Engineering, 17(9):944953,
September 1991.
y The models are work in progress and are still imprecise and
incomplete.