| Edited: 7/18/2007 2:51 PM by Pietras John | |
|
| | SMWG - Issues for the Production of the SLE-SM Red-2 book This message serves as the base of a thread of messages regarding outstanding issues with the forthcoming Red-2 version of the SLE-SM Service Specification. Under this top-level messages will be header messages for each of the sections of the SLE-SM Red Book. Specific issues should be posted as "replies" to those section-header messages, and further discussions of each issue should be posted as replies to that issue. | |
| |
| Edited: 7/18/2007 3:06 PM by Pietras John | |
|
| |
SMWG - Service Package Service (Section 4) Issues for the Production of the SLE-SM Red-2 book
This message is the base message of the thread of messages discussion issues regarding section 4 of the SLE-SM Service Specification.
| |
| |
| Posted: 7/18/2007 3:10 PM by Pietras John | |
|
| |
Service Package state transition to cancelled when deferred transfer services or event sequences are not instantiated with RSP
CSPC-24 (table 4-2) states that if an in-progress CSP is unable to be validated and performed prior to expiration of minServiceDefinitionLeadTime, CM may terminate the operation and issue a CSP-FR. We have also said that deferred transfer service instances and event sequences of SPs should be instantiated (via RSP) prior to expiration of minServiceDefinitionLeadTime. If the Service Package is not completed by then, *must* or *may* CM cancel the SP? If CM *must* cancel an incomplete SP, then it can be explicitly called out as a guard condition in the Service Package state diagram. But if CM is free to ignore the incompleteness, then it cannot be a true guard condition for cancelling the SP. Perhaps the formal guard condition should instead be the Service Package Start Time. Alternatively, perhaps the guard condition should be simply [Service Package cancelled], and leave the discussion of what may have caused the cancellation to the Concept Green Book.
| |
| |
| Edited: 7/25/2007 2:55 PM by Pietras John | |
|
| | Configuration Profile Service (Section 5) Issues for the Production of the SLE-SM Red-2 book
This message is the base message of the thread of messages discussion issues regarding section 5 of the SLE-SM Service Specification.
| |
| |
| Edited: 7/25/2007 3:04 PM by Pietras John | |
|
| |
From: Pietras John
Posted: Wednesday, July 25, 2007 11:55 AM
Subject: Add Space Link Session Profile State Diagram
The following points summarize the discussion of the 25 July 2007 SMWG telecon regarding the draft Add Space Link Session Profile (ASLSP) state diagram that Anthony had distributed earlier that day. If I have missed any points, or have misreperesented any of the issues and/or the discussion related to them, please register the corrections as replies to this message.
As I tried to summarize the discussion, I performed some post-telecon analysis in my head, which I’ve also documented below. I have tried to make clear the separation between what was discussed during the telecon and my thoughts afterwards.
1. Sil suggested separate states exist before and after the ASLSP-AR is sent. The subsequent discussion brought up the point made in the June meeting that prior to the issuance of the AR, the message set is undergoing message set validation. Until the message set is validated, CM doesn’t even “know” about the SLSP being requested to be added, so the SLSP doesn’t yet have a state.
2. What looked like an apparent disparity in the approach outlined in (1) above was noted for the comment attached to the DSLSP-FR loop, which states that the DSLSP fails if the SleSmCreatorName does not match that of the referenced SpaceLinkSessionProfile. Why is checking the SleSmCreatorName a “pre-state” activity for the initial addition of the SLSP, but something that is checked when that SLSP is to be deleted? We left the telcon without resolving this issue.
After the telecon, I (John) had a chance to think about it more and to check the SLE-SM service spec. There is a difference between the two that justifies the apparently-different behavior. In the message set validation that happens prior to the acknowledgement of the ASLSP-I, the SleSmCreatorName is checked to see if it can be authenticated with respect to the source, and if it is valid in the context of the referenced Service Agreement. Faliure at this level results in Exception Response being returned to UM. The same checks are performed as part of message set validation DSLSP-I (and QSLSP-I, for that matter), and this level of validation is similarly absent from the ASLSP state diagram. The SleSmCreatorName-related validation that is called out in the comment box is part of service management validation, which is above the level of message set validation.
3. As the telecon was nearing its end, I raised a question about the QSLSP loops out of the Unreferenced and Referenced states - why do they only succeed, and what happens when a QSLSP fails? Erik rightfully pointed out that the only way for a QSLSP-I to fail (other than a timeout, which should never happen) is for the spaceLinkSessionProfileId to be unknown (in the context of the Service Agreement), in which case the QSLSP-I certainly can’t pertain to the SLSP, so it is invisible from the state of the SLSP.
As I thought more about it after the telecon, I became concerned that here was a failure condition that wasn’t message set validation but rather service management validation, yet it was still “invisible” from the perspective of a given SLSP. I then realized (or, more correctly, remembered) that service management validation itself has two steps. The first step deals with what I will call (for the lack of a better, more terse name) binding of the invocation to an information entity. For the ASLSP, the binding is successful when a new, currently-unused-by-another-SLSP spaceLinkSessionProfileId is provided in the ASLSP-I. For the DSLSP (and QSLSP), the binding is successful when the spaceLinkSessionProfileRef in the DSLSP-I (or QSLSP-I) names a currently-used spaceLinkSessionProfileId.
In the second step - once the invocation is bound to an information entity - the rest of service managment validation can be performed (such as conformance with the ranges on parameter values in the Service Agreement). Failure to bind the invocation to an information entity and failure to meet any of the other service management validation criteria all result in the issuance of an FR, but if the binding fails, no SLSP’s state is affected and therefore these attempted operations are invisible to the state of a SLSP.
We don’t make the distinction between these two steps in service management validation, and in general I don’t think that we need to. But it has made me realize that in the case of the CSP operation, it could lead to unwanted (or at least unexpected) outcomes with respect to how we have currently defied that operation. Here’s the scenario:
UM invokes CSP using a servicePackageId that is already being used; otherwise the CSP-I is fine. The CSP-I is acknowledged (since the validation of the uniqueness of the servicePackageId is service management validation). Before the expected disposition time of the CSP operation, UM invokes the DSP to delete what it thinks is only that enqueued CSP. The DSP-I not only causes the enqueued CSP to fail, it also causes the existing SP with that servicePackageId to be deleted.
Now I think the practical response to this scenario is that if any UM is messed up enough to be redundantly using servicePackageIds, accidentially deleting an existing SP is one of their lesser worries. But I thought I’d point it out. If we wanted to “fix” this problem, we would have to perform the information entity binding validation into the validation that is performed before the AR is issued, which would ential going through all of the UM, CM, and Data Set Composition and Relationship requirements to separate them out. If anyone thinks that we should worry about this more now, please raise the concern. Otherwise, I suggest that we move on.
4. Sil raised the issue of whether we wanted to be able to delete an ASLSP-I any time after it has been acknowledged, in the same way as we have adopted for the CSP and RSP. We recollected discussing this possibility at the June meeting and the decision made then that being able to delete a CSP or RSP is a special case because it involves the allocation and deallocation of scarce resources (e.g., antennas). Sil responded that if an analyst needs to review the new profile before accepting it, that could justify the pre-emptive deletion. However, in the end we agreed that for Red-2 we would not include it, but that Sil will post a possible RID for Red-2 on the CWE discussion page.
5. During the telecon, I noted that two ways of representing decisions are used in the diagram: the first is the separate decision icon (“acceptable”), the second is two guard conditions emanating from the same state (“DSLSP-I [valid]” and “DSLSP-I [not valid]”). I think that one or the other should be used, and there was a general consensus that the two guards approach was preferrable. Regarding the wording of the guard, “acceptable” is not quite right as the guard condition. It is more than acceptable, the operation has in fact been performed. I suggest that the guard conditions be “[profile added]” for the SR branch and “[profile not added]” for the FR branch.
| |
| |
| Posted: 7/26/2007 10:25 AM by Crowson Anthony | |
|
| | Taking up John's point 2, this is exactly right. To be explicit, there may be many SleSmCreatorNames authorised for this SA, and that check is part of the Doc Exch Protocol. The validation called out here is that only the creator of any specific SLSP may delete it (whereas for example, there is no specific restriction on who can query it.). This is the only validation step that is specific to this SLSP. In some ways I do wonder whether we should distinguish more clearly between the different stages of validation - I feel it may help understanding. Maybe a little discussion in the concept document, not necessarily part of the formal spec?
[Now, I do recall discussion somewhere else as to whether this "creator" limitation was too restrictive, but for now at least that's what the book says.] | |
| |
| Edited: 7/27/2007 6:55 AM by Crowson Anthony | |
|
| |
SMWG - Document Exchange (Section 3) Issues for the Production of the SLE-SM Red-2 book
This message is the base message of the thread of messages discussion issues regarding section 3 of the SLE-SM Service Specification. | |
| |
| Posted: 7/27/2007 7:07 AM by Crowson Anthony | |
|
| | Role of AR in 3-Phase Operation
While we have an informal expectation that an AR will be sent “quickly”, while SR/FR may be “slow” (the entire rationale for the 3-phase operation), this is not actually stated anywhere (as far as I can see!). There is only one disposition timer for the Invoker. It is only when that timer has expired, and no SR/FR has been seen, that he “shall contact the Performer to determine the disposition of the operation”. So while the arrival of an AR may give a nice warm feeling, non-arrival apparently has no significance. Would it not be reasonable to initiate some action rather earlier, if no AR has been received? Should there be a separate "acknowledgment timer"?
Scenario: CM has a weekly planning cycle, disposition timer is (say) 8 days. Under the current rules, it is only after the next planning cycle has been missed, that UM would contact CM to find out why a CSP was never accepted. | |
| |
| Posted: 7/27/2007 9:11 AM by Crowson Anthony | |
|
| | I agree that termination seems unnecessary. Your suggestion sounds good - and the presence of such a note may be all we need for now. If Red-2 reviewers are all happy with that approach, who am I to insist that it be formalised?
| |
| |
| Posted: 7/27/2007 9:11 AM by Pietras John | |
|
| |
Good point. We actually started with an acknowledgement timer also (or it may have been instead of), but decided that it was too harsh to terminate the operation if an ack is not received by a certain time.
How about (at least for Red-2) I put in a Note stating that UM and CM may bilaterally establish an expected acknowledgement time, and if the Invoker doesn't get an acknowledgement by that time, the Invoker may contact the performer to ascertain the intermediate status of the operation? Additionally, if you'd still like to consider making it a formal part of the 3-Phase pattern, you could post the issue as a possible RID against Red-2 on that Discussion thread. | |
| |
|