Internet-Draft enterprise network policies March 2024
Liu, et al. Expires 5 September 2024 [Page]
Network Working Group
Intended Status:
B. Liu
Huawei Technologies
Q. Gao
Huawei Technologies
Y. Liu
China Unicom

Scenarios and Potential Future Work of Enterprise Network Policies


This document describes several typical scenarios of utilizing network policies against enterprise networks, and discusses some existing work and the limitations. Lastly, this document proposes several aspects of potential future work that might led to a formation of policy plane for enterprise networks.

Status of This Memo

This Internet-Draft is submitted in full conformance with the provisions of BCP 78 and BCP 79.

Internet-Drafts are working documents of the Internet Engineering Task Force (IETF). Note that other groups may also distribute working documents as Internet-Drafts. The list of current Internet-Drafts is at

Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress."

This Internet-Draft will expire on 5 September 2024.

Table of Contents

1. Introduction

A network policy is a set of rules that govern how network resources are accessed, utilized, and secured within an organization's infrastructure. These policies outline acceptable and unacceptable behavior regarding network usage, data transmission and access control. etc. In modern digital infrastructures, network policies play a crucial role in ensuring the performance, security and reliability.

For network policies used for enterprise networks, the organization's specific needs and circumstances need to be considered during the development process. For example, there are some businesses that may require high network QoS guarantees; others may require very strict access control, and so on. In addition, enterprise network policies need to be customized according to the size and complexity of the organization. For example, SMBs (Small-Medium-Businesses) usually lack a well-developed IT team and capabilities, and rely more on network policies, and even hope that the network system can be integrated with all the digital infrastructure control functions; whereas, large enterprises usually have a strong IT team, and may hope that the network policy can be easily integrated into the IT process.

In this document, we focus on two common types of network policy scenarios for enterprise networks, e.g. access control and service QoE assurance, and some initial analyze of the current state of the art technologies, including GBP, IAM for access control, etc., is made. Finally, this document proposes potential future work, which mainly refers to the formation of a comprehensive "policy plane" for enterprise networks including aspects of policy management, corresponding information distribution and policy enforcement mechanisms in data plane.

2. Requirements Language

The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in BCP 14 [RFC2119] [RFC8174] when, and only when, they appear in all capitals, as shown here.

3. Common Scenarios of Enterprise Network Policies

3.1. Access Control

Access control policies for enterprise networks are mainly used to manage and control users/devices access to applications and enterprise network resources, and include the following major application scenarios:

  • Authentication and Authorization: Enterprise networks need to ensure that only authenticated users and devices can access corresponding data and resources. Common authentication methods include usernames and passwords, two-factor authentication, biometrics, and so on. Authorization, on the other hand, identifies the resources and permission levels that each user or device can access.

  • Network security domain segmentation: According to the organizational structure and security requirements of an enterprise, the network can be segmented into different zones or virtual networks, with different access control policies for each zone. For example, segregate the internal network from the external network, or separate the networks of different departments.

  • Security Measurement and Auditing: Enterprises should log the network activities of all users and devices, and conduct regular audits to detect anomalous behaviors and security vulnerabilities to help them track and respond to security incidents. For example, when enabling remote users to access the corporate network using a VPN, organizations might need to monitor remote user activity based on user identity, device health status, and other factors.

In current practice, Role-Based Access Control (RBAC) approach is commonly used in enterprises for access control, which could significantly simplify the complexity of administrators' management of user privileges. Based on RBAC, Attributes-Based Access Control (ABAC) approach is also emerging, which allows finer granularity of privilege management by also considering users' attributes (e.g., users' location, device hardware/software environment, the time of access etc.) along with the role and identity.

3.2. Service QoE Assurance

QoE (Quality of Experience) assurance policies are to ensure the performance, stability and reliability of network services to improve user satisfaction and experience. There are some popular scenarios with more pronounced demands for QoE within the enterprise today:

  • General traffic classification and optimization: there are different types and sources of traffic in an enterprise, including data transmission, web browsing, video streaming etc. Traffic needs to be classified according to its priority to maximize the use of limited network resources.

  • Video conference: In the post-pandemic era, video conference is becoming more and more indispensable in daily work. In order to guarantee the smooth video conference experience, it is necessary to ensure that network bandwidth, latency and jitter are controlled within reasonable range to avoid problems such as video screen lag and voice delay etc.

  • Remote access: Working from home or during the business trip is also becoming more and more indispensable. The ultimate goal for remote access is that it works just like within the enterprise, which also requires a reasonable network bandwidth/latency etc.

  • Cloud applications: With the popularity of cloud-based applications, organizations are demanding higher availability and performance. Enterprise networks need to reserve sufficient bandwidth and resources for more and more frequent and intense traffic caused by cloud applications.

4. Analysis of Existing Work

4.1. Group Based Policy (GBP)

GBP is firstly defined by OpenStack [GroupBasedPolicy] , it allows administrators to manage network traffic and policies based on applications, services, or user groups, rather than the traditional IP address or port-based approach. With GBP, administrators can have more flexibility in managing the network, improving security and performance.

In theory, GBP is a concept containing broad semantics, which could cover both access control and QoE assurance aspects of the scenarios described in Section 3 , but the most prominent use case of it is access control, as described below.

In enterprise networks, employees are usually categorized into various security groups. By employing GBP, enterprise networks could stop threats by ensuring that security group policies are consistently applied across the network, regardless of where endpoints or users are located. Specifically, there is VxLAN-based GBP work had been adopted by multiple vendors and applied many organizations, which utilizes a reserved field in the VxLAN header as the Scalable Group Tag (SGT). Using SGTs as match criteria in switch/firewall filtering rules is more robust than using ports or MAC addresses to achieve a similar effect. SGTs can be statically assigned or be configured on the RADIUS server and sent to the switches via 802.1X when the user is authenticated. There is an IETF draft [I-D.smith-vxlan-group-policy] tacking this issue and trying to standardize the approach.

4.2. Identity and Access Management (IAM)

IAM is a system of managing user access to systems, applications and network resources. It includes authentication, authorization, privilege management, and auditing functions designed to ensure that only authorized users can access the resources they need.

IAM system is usually deployed on the application/cloud/data center side of the network, and it is becoming the de-facto approach of access control for modern enterprise mostly because of to the trend of cloudification. However, there are obvious limitations of IAM for access control:

Therefore, network-based access control is still very necessary in the context of the widespread use of IAM. Especially for the large amount of SMEs, to integrate the access control capability into the network infrastructure can greatly simplify the IT operation and maintenance burden.

4.3. QoE for Enterprise Networks

To enforce the QoE policies, apart from the policy making (as described in above Section 3.1 ), data plane mechanisms also need to be employed. In current practice, data plane QoE mechanism mostly refers to scheduling within network devices. There are different hardware queues in a hardware interface, packets sent over the interface are put into different queues. Some queues could have higher priority for scheduling so that packets in those queues could be sent out quicker.

However, such mechanism is a very general method that could not fit various requirements of modern enterprise application. The enterprise would need more sophisticated and finer granularity mechanisms to assure the bandwidth, latency, jitter etc. to be with a reasonable range.

5. Potential Future Work

5.1. Policy Management

It mainly includes following aspects:

5.2. Information Distribution

When enforcing policies in enterprise networks, various kinds of information need to be exchanged between network elements. The information could be simply categorized into two:

  1. The policies themselves: it is obvious that the one policy itself is a piece of information needs to be distributed to the policy enforcement point (e.g. switches and firewalls etc.). Traditionally, routing protocols or north-south protocols (e.g. Netconf, PCEP etc.) are utilized for flooding or configuration of such policies.

  2. Policy related meta data: since the user/device status and the administration intents are highly dynamic (for example, in the use case ABAC as described in Section 3.1 ), the relative meta data regarding to network policies need to be updated. Considering such information update would ubiquitous and very frequent due to the mobility and complexity of the enterprise services, high efficiency of the meta data distribution should be addressed. In this sense, traditional flooding and configuration pattern might not be sufficient, new pattern such as Pub-Sub needs to be considered.

5.3. Data Plane Enforcement

It mainly includes following aspects:

6. Security Considerations


7. IANA Considerations

This document does not need IANA considerations.

8. References

8.1. Normative References

Bradner, S., "Key words for use in RFCs to Indicate Requirement Levels", BCP 14, RFC 2119, DOI 10.17487/RFC2119, , <>.
Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC 2119 Key Words", BCP 14, RFC 8174, DOI 10.17487/RFC8174, , <>.

8.2. Informative References

"Group based policy", , , <>.
Smith, M. and L. Kreeger, "VXLAN Group Policy Option", Work in Progress, Internet-Draft, draft-smith-vxlan-group-policy-05, , <>.

Authors' Addresses

Bing Liu
Huawei Technologies
Q11, Huawei Campus
No.156 Beiqing Road
Hai-Dian District, Beijing
P.R. China
Qiangzhou Gao
Huawei Technologies
Q11, Huawei Campus
No.156 Beiqing Road
Hai-Dian District, Beijing
P.R. China
Ying Liu
China Unicom