ietf-openproxy

Re: Draft Agenda for IETF 56

2003-03-12 11:15:28

On Wed, 12 Mar 2003, Markus Hofmann wrote:

> Alex Rousskov wrote:
>
> > You are right that this is pretty much unrelated to the callout
> > protocol: calls should not go out if OPES is being bypassed. The only
> > related aspect is that the callout protocol may have to pass user
> > bypass instructions/preferences _if_ we want to support selective
> > bypass (e.g., "bypass only this OPES/service"). I am not sure we need
> > that kind of selectivity at this point.
>
> Isn't this kind of selectivity provided by the OPES rules? If a user
> wants to use OPES services, in general, but wants to bypass specific
> services, this should be reflected in the user's rules rather than
> "in-band" in application messages...
>
> With respect to the callout protocol possibly having to pass user
> bypass instructions/preferences... I assume the OPES processor
> includes explicit instructions on which services to execute in the
> callout protocol messages. As such, not including a specific service
> implies that it won't be executed, implicitly implementing a "bypass".

What I am worried about is the ability of a callout server to delegate
processing to other servers (I think processing delegation is allowed
in the architecture draft). Depending on how selective our rules are,
it is possible that the bypass rules did not match on the original
OPES dispatcher but would have matched on some remote callout server
two OPES hops away. Will that server have enough information to
activate bypass mode?

Another way to look at this is the services granularity. Here is an
example:

        User (or rules) say: bypass any opes:filtering/porn service
        for responses

        OPES dispatcher is configured to forward all responses
        to an opes:filtering/cisco-defaults service. The names
        do not match, so the response is forwarded to the callout
        server.

        The opes:filtering/cisco-defaults service forwards the
        response to opes:filtering/virus and opes:filtering/porn
        callout servers/services.

        Will the opes:filtering/porn service know to bypass?

Can the answer be derived from current drafts?  If not, future OPES
identification/addressing work should answer this question.

Alex.
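
The delegation scenario from the message above, as an added example that is not part of the original post or of any OPES draft: a toy model comparing bypass checked only at the original dispatcher with bypass preferences carried in every callout message. The `DELEGATES` table, the `run` and `violations` functions and the `propagate` flag are assumptions made for illustration.

```python
# Toy model of the bypass question raised in the message. This is not OPES
# draft behaviour: the delegation table and the idea of carrying the bypass
# set in each callout message are assumptions for illustration only.

# Constructed delegation graph: service -> services it forwards responses to.
DELEGATES = {
    "opes:filtering/cisco-defaults": ["opes:filtering/virus",
                                      "opes:filtering/porn"],
    "opes:filtering/virus": [],
    "opes:filtering/porn": [],
}


def run(service, bypass, propagate, _first_hop=True):
    """Return the services that actually process the response, in order.

    bypass    -- set of exact service names the user asked to bypass
    propagate -- True: the bypass set travels with every callout message;
                 False: only the original OPES dispatcher ever sees it
    """
    # A hop can only honour bypass preferences it has been told about.
    visible = bypass if (_first_hop or propagate) else set()
    if service in visible:
        return []                       # bypassed at this hop, no callout
    executed = [service]
    for child in DELEGATES.get(service, []):
        executed += run(child, bypass, propagate, _first_hop=False)
    return executed


def violations(executed, bypass):
    """Services that ran even though the user asked to bypass them."""
    return [s for s in executed if s in bypass]


if __name__ == "__main__":
    user_bypass = {"opes:filtering/porn"}
    for propagate in (False, True):
        ran = run("opes:filtering/cisco-defaults", user_bypass, propagate)
        print("propagate=%s ran=%s violations=%s"
              % (propagate, ran, violations(ran, user_bypass)))
```
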
