Generic AAA* based Bandwidth on Demand MB-NG workshop UCL London 20/02/2003 Leon Gommans Advanced...
-
Upload
lilian-veronica-daniels -
Category
Documents
-
view
215 -
download
0
Transcript of Generic AAA* based Bandwidth on Demand MB-NG workshop UCL London 20/02/2003 Leon Gommans Advanced...
Generic AAA* basedBandwidth on Demand
MB-NG workshop UCL London 20/02/2003 Leon Gommans
Advanced Internet Research GroupUniversity of Amsterdam
* Authentication Authorization & Accounting
Research funded by
Content- Goals and basic list of requirements.
- Lightpath and Lightpath control concepts
- Generic AAA concepts
- High level design and operation of proof of concept.
- Example of a simple request message and policy.
- Technical Design & Implementation: Bas.
Goal of BoD work at UvA.• Allow application demand to provision a L1/L2 network channel that does by-pass the regular internet connection. Regular Internet connection becomes control channel, L1/L2 network the transport channel.
- Rationale is that above a certain level of:
parallel required bandwidth / number of different destinations
a Layer-3 QoS network will become too expensive.- I.e. the requested bandwidth is in the order of the traffic generated by a nations NRN and only a few destinations need such connectivity. Examples can be found in HEP, radio-astronomy etc.However AAA concepts can also be used for L3 Diffserv connections
Other considerations
-TCP stack & transport channel needs tailored behavior to make optimal use of a high speed ( GB ), high delay (>100ms) channel
- Modifications tend to generate Internet “unfriendly” TCP traffic, that does not mix well unless routers are aware of the high bandwidth topology. Topology needs to be management somehow.
-Single Packet drop in standard TCP causes severe performance hits
- Limited memory buffer sizes in routers/switches do cause packet drops when the road “gets smaller” on long fat pipes. Equipment designed for MAN operation can not be in the chain.
- Firewalls do not support extreme high bandwidth connections.
- Possible option: Create dedicated channels that are intended to get utilized 100% for the required time. Cost model will determine if and when on-demand usage is required v.s. dedicated usage.
Rough requirements list.- Allow L 1, 2, 3 lightpath usage in a “demand driven” fashion.- Allow “hard” or “soft” pre-allocation.- Must support allocation and usage across multiple domains.- Must be integrated into middleware e.g. by allowing provisioned by-pass model to be supported by applications such as GridFTP.- Allow authorized VO’s or individual users to discover available lightpath destination (e.g. Via OGSA/WS).- Allow authorized users (with a certain role within the VO) to pre-allocate and use bypass for a limited amount of time and with limits on the allocated bandwidth.- Must integrate with existing authentication & user (role based) authorization system: Looking into EDG VOMS.- Incorporation of topology awareness is of later concern.
Rough requirements list.- Must hide complexity from user. Conceptually the
user must perform the process in 3 basic steps after login:1) Pre-allocate thru a discovery and scheduling
system -> BoD system issues authorization.2) Allow own or delegated job to allocate the network
resource whereby it uses the issued authorization.3) Once the job is finished, the authorization is
handed back/invalidated so resources can be freed.
- User (or scheduling system) must be allowed to change the reservation if the process flow so dictates.
- Allocating user may be different from ultimate user.- Allocating user may subdivide capacity amongst
users.- Must ultimately support Grid Economic Services
Architecture features to allow ad hoc creation.- Must ultimately provide Grid Accounting records for
billing or clearing and settlement.
Design considerations. - Group in Amsterdam does focus on deploying Generic
AAA (RFC2903/RFC2904) concepts to handle authorization of mainly L1/L2 lightpath. Group members were authors.
- Best suited to handle policy based authorization in a dynamic fashion either to build AuthZ tokens or process requests which contain AuthZ tokens.
- Authorizations between administrative domains must be done at a fairly high-level.
- Don’t want to address low level networking problems (path finding/setup) as vendors and researchers are already active in this area.
- Could work in parallel to GARA BB efforts to add policies to handling authorized provisioning of QoS tunnels.
Lightpath
Def*: Any uni-directional point to point connection with effective guaranteed bandwidth
Examples of LightPaths:* L1: Analog wavelength on a CWDM or DWDM system* L1: Gigabit Ethernet over dedicated fiber strand* L2: STS channel on a SONET or SDH circuit* L2: ATM CBR circuit* L2: MPLS VLAN* L3: Diff serv “gold” service on a packet based network
* Definition by Bill St. Arnoud of Canarie
Control models
In multidomain scenario’s you must have some awareness of the underlying high-level concept of the connection.
Must understand what piece of the conceptual connection the AAA entity is controlling:
• Collector switch at the ingress and its connected networks or equipment• The link• Distributor switch at the egress and its connected networks or equipment
Full Control modelSelectorSwitch
DistributorSwitch
SelectorSwitch
DistributorSwitch
Domain X
Domain Y
Domain XDomainY
Hybrid models
Domain B Domain C
Domain A
Domain D
Domain X Domain X
Domain X
DomainY
Full control modelSelectorSwitch
DistributorSwitchDomain X
Domain Y
AAA
Domain AAA engine must controlboth selector and distributor switch andInterconnecting network
Partial control modelSelectorSwitch
DistributorSwitchDomain A Domain B
AAA
Domain AAA engine must control the selectoror distributor switch and one of the AAA Serversmust control intermediate network
AAA
Generic AAAo 5 years ago a AAA server was known as a server supporting dail-in boxes thru the RADIUS protocol (at IETF).o IETF42 (in same hotel as GGF6) held first AAA BOF as it wasrecognized AAA could be used in other type of applications.o Amsterdam group has been participating on defining concepts for Generic AAA since march 1999 when AAA WG was formed at IETF-44o Work became IRTF subject end of 1999 (AAA ARCH RG).o ID’s that became RFC’s 2903 – 2906 were submitted after the Adelaide IETF march 2000. RFC’s describe framework, architecture, example applications and requirements.o Optical Networking within grid environment is a research application for Generic AAA.
RFC 2904 Generic AAA Framework basic principles
3 fundamentally different user initiated authorization sequences. Note: RFC2904 does not show step 5 – service access.
Service
AAA
User
Service
AAA
User
Service
AAA
User
Pull sequence
NAS (remote access)RSVP (network QoS)
Agent sequence
Agents, Brokers,Proxy’s.
Push sequence.
Tokens, Tickets,AC’s etc.
1
11
2 2
2
33 3
4
4
4
Generic AAA Framework
Separating the User Awareness from the Serviceyield Roaming Models: Example roaming pull model.
Service
AAA
User1 2 5
6
AAA
3 4
User HomeOrganization
ServiceProvider
Generic AAA Framework
Distributed Services Models allow many typesand combination of authorization sequences ..
Service
AAA
User
AAAUser HomeOrganization
ServiceProvider A
Service
AAA
ServiceProvider B
AAAClient
Generic AAA Architecture – RFC2903
PolicyDecision
Point
PolicyEnforcement
Point
Fundamental idea’s inspired bywork of the IETF RAP WG thatin RFC 2753 describes a framework for Policy-basedAdmission Control.
Foundation for COPS
The point where policy
decisions are made.
The point where the policy
decisions are actually enforced.
RequestDecision
PolicyRepository
Basic Goal Generic AAA: Allow policy decisions to be made by multiple PDP’s belonging to different administrative domains.
Generic AAA Architecture – RFC2903
ApplicationSpecificModule
PolicyEnforcement
Point
Achieve goal by by separatingthe logical decision process fromthe application specific partswithin the PDP.
RequestDecision
RuleBasedEngine
PolicyRepository
PDP
Example of Generic AAA Architecture – RFC2903
ApplicationSpecificModule
BandwidthBroker
RuleBasedEngine
PolicyRepository
ApplicationSpecificModule
RuleBasedEngine
PolicyRepository
Users
ApplicationSpecificModule
RuleBasedEngine
PolicyRepository
ContractsBudgets
Registration Dept.Purchase Dept.
Bandwidth Provider
AAAServer
AAAServer
AAAServer
(Virtual) User Organization
QoS EnabledNetwork
Use
r
Service
Service Organization
802.1QVLANSwitch
EnterasysMatrix E5
A
B
C
D
802.1QVLANSwitch
EnterasysMatrix E5
1 GB SX
AAA
192.168.1.5
iGrid2002
Policy DBAAARequest
192.168.1.6
192.168.2.3
192.168.2.4
Generic AAA (RFC2903) based Bandwidth on Demand
Example XML Lightpath request<AAARequest version="0.1" type="BoD" > <Authorization> <credential> <credential_type>simple</credential_type> <credential_ID>JanJansen</credential_ID> <credential_secret>#f034d</credential_secret> </credential> </Authorization> <BodData> <Source>192.168.1.5</Source> <Destination>192.168.1.6</Destination> <Bandwidth>1000</Bandwidth> <StartTime>now</StartTime> <Duration>20</Duration> </BodData></AAARequest>
Policy (significant part) executed by AAA Rule Based Engineif( ( ASM::RM.CheckConnection( Request::BodData.Source, Request::BodData.Destination ) &&
( Request::BodData.Bandwidth <= 1000 ) ))then( ASM::RM.RequestConnection( Request::BodData.Source, Request::BodData.Destination, Request::BodData.Bandwidth, Request::BodData.StartTime, Request::BodData.Duration ) ; Reply::Answer.Message = "Request successful")else( Reply::Error.Message = "Request failed")
L2/L3 Setup using GARA based network provisioning
802.1QVLANSwitch
EnterasysSS6000
A
B
C
D
802.1QVLANSwitch
EnterasysSS6000
GARA (multidomain)QoS network
AAA BoDServ
IP A
IP B
IP C
IP DGARABandwBroker
VOMS
WS + Service Discovery
VOMS
GARAAgent
BB
USER
Role Request +Reply Pseudo Cert
GridAuthentication
AuthDB
Advance Reservationrequest / reply
QoS Pathrequest / reply
SlotTable
BGP Topology advertisements +Reservation indications
Path Provisionindications
QoSNetworks
AAA
PolicyDB
AAA Core
RunTimeEnv
User/OrganizationIntegration
ServiceControl +
IntegrationAccounting
SecurityIntegration
ManagementAnd
Monitoring
J2EE, Apache –AxisWeb Services – OGSAAAA protocol
PKI,KERBEROS,VOMS
Layer N networkingSchedulingAdvance ReservationService Discoveryand Ontology
CA, CA policyAuthenticationDevices,Protocol Security
Billing, Clearing & Settlement
Policy Language
StandardsBody Liaison+ Architect.
Managemnt&
Document.
WP 2 manpwr
WP 4 manpwr
Design considerationso Full control model was chosen for first implementation.o Single AAA engine controls both ingress and egress switch by creating 802.1Q VLAN’s using the dot1Q Bridge MIB extentions via SNMP.o 1 GB channel between switches carry 802.1Q tagged ethernet frames. An 802.1Q trunk can carry up to 4096 VLAN’s.o End stations will register with AAA engine and subsequently send request to reach other stations (pointed to via its public IP address).o By-pass communication channel uses a private IP address space. Destinations are identified by main IP address.
Related work:
1) Separate ASM and RBE and allow ASM’s to be loaded/unloaded dynamically using J2EE.
2) Implement pre-allocation mechanisms (based on GARA slot table)
3) Create ASM for Bandwidth Broker 4) Create ASM to find out high level domain topology
(will be using hard coded info at first).5) Allow RBE’s to talk to each other (define
messages).6) Integrate BoD AAA client into middleware eg by
allowing integration with GridFTP and integration with VOMS authentication and user authorization system.
7) Build WS interface abstraction for pre-allocation and subsequent usage.