Post on 30-Dec-2015
PART II: BoD server prototype
Implementation & technical details
MB-NG workshop @ UCL, 20/21 Feb 2003
Bas van Oudenaarde
Advanced Internet Research Group
University of Amsterdam
oudenaar@science.uva.nl
What to expect from this presentation
• Not a code walk, but a highlight of the concepts and model behind our first-phase prototype of a BoD server (based on Generic AAA)
• Giving an overview for DEMO
• Learn the details of the building blocks of the BoD server
Generic AAA:
o AAA Server: may be involved in Authorization, Authentication, Accounting
o AAA request <-> Driving Policy
o Behavior of the generic part is determined by the combination of Driving policies, ASMs and AAA requests
[Diagram: client entity, authZ, AAA server with service handler, ASM, policy, Serv*]
“AAA protocol” > BoD request msg
BoD request msg, using XML, SOAP
<AAARequest version="0.1" type="BoD" >
  <Authorization>
    <credential>
      <credential_type>simple</credential_type>
      <credential_ID>JanJansen</credential_ID>
      <credential_secret>#f034d</credential_secret>
    </credential>
  </Authorization>
  <BodData>
    <Source>192.168.1.2</Source>
    <Destination>192.168.1.5</Destination>
    <Bandwidth>1000</Bandwidth>
    <StartTime>now</StartTime>
    <Duration>20</Duration>
  </BodData>
</AAARequest>
Servlet in TOMCAT:
Using JAXM API
public class AAAServlet extends JAXMServlet implements ReqRespListener {
    private RBE theRBE;
    …
    public SOAPMessage onMessage( SOAPMessage message ) {
        …
        try {
            theRBE.parse( request, out );   // message check (DTD) + policy fetch
        } catch( Exception ex ) {
            return error( ex.getMessage( ) );
        }
        return createResponse( bout );
        …
    }
}
• Servlet Context: used to initiate the RBE, ASMs
• Java Reflection: list methods of Object (ASMs)
Some details:
Driving Policy:
if( ASM::Authorization.authorize(        << C++ like namespace
        Request::Authorization.credential.credential_type,
        Request::Authorization.credential.credential_ID,
        Request::Authorization.credential.credential_secret ))
Then                                     * could work with simple data types
    if ( ASM::RM.CheckConnection( Request::BodData.Source, Request::BodData.Destination )
• IF - THEN - ELSE structure
• Input for the Policy Objects, JavaCC to serialize / used in Policy fetch
ASM overview:
For the BoD service we implemented:
• Resource Manager (RM) ASM: (hardcoded) network topology, state of network elements
• Switch ASM: SNMP interface dealing with 802.1Q
• Authorization ASM: authorization mechanism
RM ASM, BoD method:
public int BoD( String IPsrc, String IPdst, int size, String t, int dur ){
• Full control model
• Network element modeled as vertex with edges. State is updated in vertex. (link usage )
• using backtracking algorithm to find path ( recursive )
• collecting provisioning information, like VLAN id, ports etc
}
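The backtracking search over the vertex/edge model described above, as an added Java example that is not the prototype's code. The class `RmSketch`, its `link` and `reserve` methods, and the switch names, ports and capacities are all assumptions, and `reserve` returns the egress ports to provision rather than the `int` of the original `BoD` signature.

```java
import java.util.*;
// Added illustration, not the prototype's code: all names and values are assumptions.
public class RmSketch {
    // One directed link: egress port on the owning vertex, capacity and current usage.
    static final class Edge {
        final String to; final int port; final int cap; int used;
        Edge(String to, int port, int cap) { this.to = to; this.port = port; this.cap = cap; }
    }
    // Vertex name -> outgoing edges; link usage is the state kept per vertex.
    private final Map<String, List<Edge>> topology = new HashMap<>();

    void link(String a, int portA, String b, int portB, int cap) {
        topology.computeIfAbsent(a, k -> new ArrayList<>()).add(new Edge(b, portA, cap));
        topology.computeIfAbsent(b, k -> new ArrayList<>()).add(new Edge(a, portB, cap));
    }

    // Recursive backtracking: extend the path edge by edge, undo the step on a dead end.
    private boolean search(String at, String dst, int size, Set<String> seen, Deque<Edge> path) {
        if (at.equals(dst)) return true;
        seen.add(at);
        for (Edge e : topology.getOrDefault(at, List.of())) {
            if (seen.contains(e.to) || e.cap - e.used < size) continue;  // loop or link too full
            path.addLast(e);
            if (search(e.to, dst, size, seen, path)) return true;
            path.removeLast();                                           // backtrack
        }
        return false;
    }

    // Returns the egress ports to provision, or an empty list when no path fits.
    // Link usage is committed only after a complete path has been found.
    List<Integer> reserve(String src, String dst, int size) {
        Deque<Edge> path = new ArrayDeque<>();
        List<Integer> ports = new ArrayList<>();
        if (size <= 0 || !search(src, dst, size, new HashSet<>(), path)) return ports;
        for (Edge e : path) { e.used += size; ports.add(e.port); }
        return ports;
    }

    public static void main(String[] args) {
        RmSketch rm = new RmSketch();            // constructed three-switch topology
        rm.link("s1", 1, "s2", 1, 1000);
        rm.link("s2", 2, "s3", 1, 500);
        rm.link("s1", 2, "s3", 2, 1000);
        System.out.println(rm.reserve("s1", "s3", 800));  // s2-s3 is too small, direct link used
        System.out.println(rm.reserve("s1", "s3", 800));  // direct link now full, no path left
    }
}
```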
Switch ASM, provisioning:
/* (Single domain) Add port (+ Trunk) in VLAN.
 *
 * Cabletron ss6000 switch uses SNMP table:
 *   ctVlanPortConfigTable
 *   OID = "1.3.6.1.4.1.52.4.1.2.16.3.1.1"
 *   OID.c.I1.I2 ( c = column, I1 index 1, I2 index 2 )
 */
public void setupPath( int port, int vid ) throws IOException,
        SnmpDecodeException, SnmpResponseException {
    // Setup connection
    SnmpPeer peer = new SnmpPeer("localhost", InetAddress.getByName( host ),
                                 SMI.PUBLIC );
    SnmpConnection connection = new SnmpConnection(peer);
    // OID….
Authorized path discovery
• QoS path through multiple administrative domains
• AAA servers > Mechanism for advertising the connections they can establish
• Start with simplest QoS path > Full Control model
• Logical network link instead of physical network link
• Decision tree for authorization of QoS elements
Authorization interactions:
[Diagram: AAA servers AAA0, AAA1, AAA2; network elements N0, N1, N2, Nn; domains D0, D1]
• Porting J2EE environment
• robust & scalable Runtime environment
• Focusing on AAA concepts
• developing generic RBE <-> ASM interface
• Still in progress…. :(
Future of AAA:
• Collaboration in developing a generic ASM interface, policy definitions, etc
Ideas: AAA in J2EE:
[Diagram: BoDreq, web, J2EE EJB Container, ASMs api, ASM*, JCA Resource Adapters, switch1, switch2]
Conclusions
• Our focus is on authorization in multi administrative domains
• The ASMs need to interface with services; we need to provide a generic API
• Collaborations