Figure 2: Two other possible configurations of policy control architecture components. The configuration on the left shows a local decision point at a network node and the configuration on the right shows PEP and PDP co-located at the same node.
If it is available, the PEP will first use the LPDP to reach a local decision. This partial decision and the original policy request are next sent to the PDP which renders a final decision (possibly, overriding the LPDP). It must be noted that the PDP acts as the final authority for the decision returned to the PEP and the PEP must enforce the decision rendered by the PDP. Finally, if a shared state has been established for the request and response between the PEP and PDP, it is the responsibility of the PEP to notify the PDP that the original request is no longer in use.
Unless otherwise specified, we will assume the configuration shown on the left in Figure 2 in the rest of this document.
Under this policy control model, the PEP module at a network node must use the following steps to reach a policy decision:
1. When a local event or message invokes PEP for a policy decision, the PEP creates a request that includes information from the message (or local state) that describes the admission control request. In addition, the request includes appropriate policy elements as described below.
2. The PEP may consult a local configuration database to identify a set of policy elements (called set A) that are to be evaluated locally. The local configuration specifies the types of policy elements that are evaluated locally. The PEP passes the request
with the set A to the Local Decision point (LPDP) and collects the result of the LPDP (called "partial result" and referred to as D(A) ).
3. The PEP then passes the request with ALL the policy elements and
精品推荐