PBMAN aims to design and implement a management infrastructure for Ambient Networks. The technique adopted in PBMAN is Policy-based Management (PBM), and the main underlying enabling technology is Peer-to-Peer (P2P). In fact, PBMAN itself is an instantiation of a more abstract framework, called P4MI (Peer-to-Peer Policy Management Infrastructure). A primary design principle adopted in PBMAN is to keep the architecture general and simple. As experience is gained with designing and implementing the framework, new features and functionalities will be added.
The general PBMAN architecture is focused on the role and implementation of the access control space (ACS). Figure 1 shows three types of ACS implementation: PDN ACS, User ACS and PEP ACS. Both the User ACS and the PEP ACS may be part of a combined Agent ACS.
Policy Decision Network and Agents
The Policy Decision Network (PDN) is the heart of PBMAN and implements most of its functionality, mainly Policy-based Management and p2p interworking: storing and retrieving policies and taking decisions upon receiving requests. The PDN is comprised of two main entities, Decision Points and Repositories. A Decision Point, also called PDN Node or P-Node, is a policy server that accepts some part of the whole PDN workload. There is a significant difference between a PDP in the IETF PBM client/server model and a PBMAN P-Node. The former is designed to interact with a set of PEPs and is not intrinsically aware of the existence of other PDPs, e.g., for load balancing and fault tolerance purposes. The latter is able to interwork with other P-Nodes by design, via a distributed p2p network based on Distributed Hash Tables (DHT), which is called the PDN-ring. The PDN-ring provides PBMAN with the inherent features of p2p systems, such as load balancing, fault tolerance and scalability.
Each P-Node implements a part of the ACS. Three new FEs have been added for PBMAN: the Policy FE, the P2P FE and the Data Management (DM) FE. The Policy FE embraces all PBM concepts, including the PDN and policy agent functionality for dealing with policies in the ACS. The P2P FE comprises all p2p-related functions, such as DHT-based policy location, routing, search and retrieval. The P2P FE also manages PDN rings and enables the interactions between all components of the ACS: PDN/PDN, Agent/PDN and Agent/Agent. The DM FE implements a layer that extends the data storage capabilities of the DHT network (P2P FE). A known limitation of DHT-based systems is that they only support exact-match lookups, i.e., a lookup requires the user to provide the exact key that was hashed to produce the index under which the information was stored; a query such as "all policies that apply to a given target" cannot be answered by the DHT alone. To overcome this limitation, additional data management features have been added to PBMAN so that it can handle more complex data structures, such as lists and tables, on top of the DHT.
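The following toy model illustrates the two mechanisms described above, the PDN-ring of P-Nodes and the DM layer on top of an exact-match DHT. It is an added example and is not code from the PBMAN or P4MI projects. Everything beyond the text is an assumption: SHA-1 as the hash, a consistent-hashing ring in which a key is owned by the first P-Node clockwise from its hash, keys re-homed when a node joins or leaves, and lists encoded as a length counter plus one DHT entry per element. The `PolicyTable` shows how a "policies by target" query, which the DHT cannot answer directly, becomes a walk of exact-match lookups over a DM-maintained list.

```python
"""Toy PDN-ring (consistent hashing over P-Nodes) plus a DM layer.

Added illustration, not PBMAN/P4MI code. Assumed: SHA-1 hashing, successor
ownership, and list/table encodings made of exact-match DHT entries.
"""
import bisect
import hashlib


def key_id(key: str) -> int:
    """Map a key to a position on the ring (assumed hash: SHA-1)."""
    return int(hashlib.sha1(key.encode()).hexdigest(), 16)


class PdnRing:
    """P-Nodes on a consistent-hashing ring; each key lives on the first
    node clockwise from key_id(key). Only exact-match put/get is offered."""

    def __init__(self):
        self._ids = []      # sorted node positions
        self._nodes = {}    # node position -> node name
        self._store = {}    # node name -> {key: value}

    def owner(self, key):
        i = bisect.bisect_right(self._ids, key_id(key))
        return self._nodes[self._ids[i % len(self._ids)]]

    def join(self, name):
        nid = key_id("node:" + name)
        bisect.insort(self._ids, nid)
        self._nodes[nid] = name
        self._store[name] = {}
        # load balancing on join: take over the keys the new node now owns
        for other, kv in self._store.items():
            if other != name:
                for k in [k for k in kv if self.owner(k) == name]:
                    self._store[name][k] = kv.pop(k)

    def leave(self, name):
        self._ids.remove(key_id("node:" + name))
        self._nodes.pop(key_id("node:" + name))
        # fault tolerance on leave: re-home the departing node's keys
        for k, v in self._store.pop(name).items():
            self._store[self.owner(k)][k] = v

    def put(self, key, value):
        self._store[self.owner(key)][key] = value

    def get(self, key):
        # exact match only: a different spelling of the key finds nothing
        return self._store[self.owner(key)].get(key)

    def load(self):
        return {n: len(kv) for n, kv in self._store.items()}


class ListStore:
    """DM-layer list: 'list:<name>:len' holds the count, 'list:<name>:<i>'
    holds element i, so a list is a chain of exact-match lookups."""

    def __init__(self, ring):
        self.ring = ring

    def append(self, name, value):
        n = self.ring.get(f"list:{name}:len") or 0
        self.ring.put(f"list:{name}:{n}", value)
        self.ring.put(f"list:{name}:len", n + 1)

    def items(self, name):
        n = self.ring.get(f"list:{name}:len") or 0
        return [self.ring.get(f"list:{name}:{i}") for i in range(n)]


class PolicyTable:
    """DM-layer table: rows under 'policy:<id>', plus a per-target list as
    a secondary index so 'policies for target T' needs no DHT search."""

    def __init__(self, ring):
        self.ring, self.lists = ring, ListStore(ring)

    def insert(self, pid, row):
        self.ring.put(f"policy:{pid}", row)
        self.lists.append(f"by-target:{row['target']}", pid)

    def by_target(self, target):
        return [self.ring.get(f"policy:{p}")
                for p in self.lists.items(f"by-target:{target}")]


def demo():
    """Constructed sample data: three P-Nodes and three policies."""
    ring = PdnRing()
    for n in ("p-node-a", "p-node-b", "p-node-c"):
        ring.join(n)
    table = PolicyTable(ring)
    table.insert("pol-1", {"target": "firewall", "rule": "deny tcp/23"})
    table.insert("pol-2", {"target": "router", "rule": "mark voice ef"})
    table.insert("pol-3", {"target": "firewall", "rule": "permit tcp/443"})
    fw = table.by_target("firewall")
    before = sum(ring.load().values())
    ring.leave("p-node-b")          # node failure: keys must survive
    return {"firewall": fw, "keys_before": before,
            "keys_after": sum(ring.load().values()),
            "survives": table.by_target("firewall") == fw}


if __name__ == "__main__":
    print(demo())
```

The DM layer never asks the DHT for anything but a key it built itself, which is exactly the constraint the text describes; the price is that every list or index entry is a separate `put`, so the policy FE must keep the index consistent with the rows it writes.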
The PDN also has two information repositories, the Policy Repository (PR) and the Management Information Repository (MIR). The PR must store policies in a way that meets certain requirements, such as making it easy to search for and retrieve policies. PBMAN does not mandate a particular storage technology, such as LDAP or a DBMS, as long as different implementations are able to interoperate. In addition to policies, information about the entities that are to be managed with policies must be kept; this is stored in the MIR. Typical MIR contents are profile information for policy agents and targets, policy-to-device mappings, and configuration, control and management information about the PDN itself.
Policy Agents are hosts, equipment or devices used by users or by the network to provide services and enforce policies. Agents interact with the PDN through the same hierarchical, DHT-based p2p approach. An agent may consist of two parts, which may or may not be present simultaneously: a PEP and a User. PEPs are agents that enforce policies, such as routers, firewalls and remote access servers. PEP agents also include the software and hardware that provide services and must therefore enforce policies on right of use, security, accounting, etc.; gaming and printing servers are examples of this type of PEP. Users represent the devices, or networks of connected devices, that a given real user employs to access AN services.