A Cautionary Note About Policy Conflict Resolution

Policy-based network management promises to deliver a high degree of automation for military network management. A policy-based network management system provides the capability to express networking requirements in the form of policies and have them automatically realized in the network, without requiring further manual updates. However, as with every technology, these benefits come at the expense of certain obvious risks. The biggest risk associated with policy-based management is that the policies themselves can interact in undesirable ways, by causing conflicting actions to be taken by the management system. Thus it is essential that policies be analyzed for conflicts, and that mechanisms be put in place for determining how to resolve these conflicts. A number of policy conflict resolution techniques have been described in the literature; however, they often concentrate on the abstract problem of formal policy analysis and have very little to do with practical policy conflict resolution in live management systems. This paper provides an overview of the state of the art in policy conflict detection and resolution, followed by a critical look at what is really needed to resolve practical policy conflicts in network management systems. The premise of this paper is that application-specific policy conflict detection and resolution can mostly be addressed by careful policy writing (or re-writing), rather than via cumbersome and unrealistically complex policy conflict resolution solutions