
CHAPTER 18. POLICY TRANSGRESSIONS, PROMISES NOT KEPT, AND FAULT MODELLING

Figure 18.7: Model 4. As in Model 3, except the hosts can choose to disregard or replace aspects of policy at their option. Question marks indicate a freedom of hosts to choose.

Thus the communications and enforcement challenges faced by Model 4 are the same (in terms of scaling properties) as for Model 3: i.e. $I_{\rm fail}$ is the same as that in Model 3. Hence this model can in principle work to arbitrarily large $N$. Model 4 is the model used by cfengine ([Bur95, Bur04]). The largest current clusters sharing a common policy are known to be of order $10^4$ hosts, but this could soon be of order $10^6$, with the proliferation of mobile and embedded devices.

Model 5: Mesh, with partial autonomy and hierarchical coalition

An embellishment of Model 4 is to allow local groups of hosts to form policy coalitions that serve to their own advantage. Such groups of hosts might belong to one department of an organization, or to a project team, or even to a group of friends in a mobile network. Once groups form, it is natural to allow sub-groups and thence a generalized hierarchy of policy refinement through specialized social groups.

If policies are public then the scaling argument of Model 3 still applies since any host could cache any policy; but now a complete policy must be assembled from several sources. One can thus imagine using this model to distribute policy so as to avoid contention in bottlenecks, since load is automatically spread over multiple servers. In effect, by delegating local policy (and keeping a minimal central policy) the central source is protected from maximal loading. Specifically, if there are $S$ sub-controllers (and a single-layer hierarchy), then the effective update capacity is multiplied by $S$. Hence the threshold $N_{\rm thresh}$ is multiplied (with respect to that for Model 3) by the same factor.

Figure 18.8: Model 5. Communication over a mesh topology, with policy choice made hierarchically. Sub-controllers (dark nodes) edit policy as received from the central controller, and pass the result to members of the local group (as indicated by dashed boxes). Question marks indicate the freedom of the controllers to edit policy from above.

Model 6: Mesh, with partial autonomy and inter-peer policy exchange

The final step in increasing autonomy is the free exchange of information between arbitrary hosts (peer to peer). Hosts can now offer one another information, policy or source materials in accordance with an appropriate trust model. In doing so, impromptu coalitions and collaborations wax and wane, driven by both human interests and possibly machine learning. A peer-to-peer policy mechanism of this type invites trepidation amongst those versed in traditional control mechanisms, but it is really no more than a distributed genetic algorithm. With appropriate constraints it could equally be made to lead to sensible convergent behaviour, or to catastrophically unstable behaviour.
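The sketch below is an added illustration, not code from the book or from cfengine. It models the Model 5 flow with Model 4 host autonomy: each layer may replace or disregard items handed down from above, every item keeps a record of which layer last set it, and fetches are counted per source. All names and policy values are constructed for the example.

```python
from collections import Counter

def refine(upstream, name, edits):
    """Apply one layer's edits to the policy received from above.

    Each item becomes (value, source). A value of None means the layer
    disregards that item; the entry is kept so the choice stays auditable.
    """
    return {**upstream, **{k: (v, name) for k, v in edits.items()}}

def distribute(central, groups, host_choices):
    """Single-layer hierarchy: central -> sub-controllers -> hosts.

    groups:       {sub_controller: (edits, [hosts])}
    host_choices: {host: edits}  (the "question marks" of Model 4)
    Returns (effective policy per host, fetches served by each source).
    """
    fetches = Counter()
    effective = {}
    base = refine({}, "central", central)
    for sub, (edits, hosts) in groups.items():
        fetches["central"] += 1   # only the sub-controller pulls from the centre
        group_policy = refine(base, sub, edits)
        for host in hosts:
            fetches[sub] += 1     # hosts pull from their local sub-controller
            effective[host] = refine(group_policy, host, host_choices.get(host, {}))
    return effective, fetches

def deviations(effective, central):
    """Items of central policy that some lower layer replaced or disregarded."""
    report = []
    for host in sorted(effective):
        for key in central:
            value, source = effective[host][key]
            if source != "central":
                report.append((host, key, value, source))
    return report

# Constructed sample data (assumed setting names, not from any real policy).
CENTRAL = {"ssh_root_login": "no", "ntp_server": "ntp.example.org", "log_level": "info"}
GROUPS = {
    "dept-a": ({"log_level": "debug"}, ["a1", "a2", "a3"]),
    "dept-b": ({"ntp_server": "ntp.b.example.org"}, ["b1", "b2", "b3"]),
}
HOST_CHOICES = {"a2": {"ssh_root_login": None}}  # host a2 disregards one item

if __name__ == "__main__":
    eff, load = distribute(CENTRAL, GROUPS, HOST_CHOICES)
    print(dict(load))
    for row in deviations(eff, CENTRAL):
        print(row)
```

With six hosts behind two sub-controllers the central source serves two fetches instead of six, and the deviation report shows which layer is responsible for every departure from central policy.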
