Multi-domain provisioning of Lower Layer Network Transports based on Generic AAA TERENA

Multi-domain provisioning of Lower Layer Network Transports

based on Generic AAA

TERENATF-AACE Workshop 21/11/03

Leon GommansUniversity of Amsterdam

http://www.uva.nl/

Low Layer Network Transport (LLNT) Rationale to provide LLNT’s Generic Authentication Authorization Accounting

(AAA) overview and usage in LLNT’s Current experiments: DataTAG - SC2003 Future Research projects: GRANDE / Nextgrid.

21 Nov 2003 TERENA TF-AACE Leon Gommans

Overview

Connection oriented network paradigm using some form of switch technology that transports:

Ethernet frames (MPLS VPN, 802.1 Q VLAN,..) Sonet/SDH frames (ADM) Light (OXC)

Goes by specific names such as: L2 VPN

lightpath lambda


Lower Layer Network Transport (LLNT)

Next to general Internet usage, user will start to ask for high bandwidth connections at low cost.

High demand is now found in scientific Grid applications (HEP, Radio Astronomy, Bio Science, etc.)

Demand is typically between specific locations. Forwarding large volumes of highly directional

traffic is expensive when using routers. A patch panel cheap in terms of cost per Gbp/s. NRN’s need flexible and automated ways to

provision cheap bandwidth based on application demand by authorizing access to transport infrastructure.


Rationale to provide LLNT’s as NRN.


Ergo: Automate operator function

NRN’s have a number of different ways of transporting traffic using connection-oriented and connection-less forwarding paradigms (Routers, L2 switches, Sonet/SDH links, optical links)

Low per stream volume - many destinations - always on service: routing on top of LLNT infra.

Medium to high volume - fewer destinations - defined contract periods: (G)MPLS with LLNT infra, use of AAA possible.

High volume - specific/static destinations - reserved time slots: Application driven provisioning of “cheap” LLNT’s based on authorizations. Need AAA.

Use various network technologies which need flexible automatic control/provisioning solutions.

NRN perspective


Concepts were researched within the IRTF AAA Architecture Research Group which resulted in RFC’s 2903 (Generic AAA Architecture) and RFC 2904 (Authorization Sequence Framework).

Advanced Internet Research (AIR) group at UvA helped to form this IRTF research group.

Empirical research into Generic AAA concepts is also done within AIR group.

Research funded as part of participation in EU IST DataTAG project and by SURFnet

External collaboration with EVL at UIC, Starlight/NWU, Alcatel and FZJ Julich.

Work is active input into standards bodies such as GGF and OASIS.

Generic AAA.


RFC 2904 Authorization sequences that allow users to access a service based on a policy decision taken by a AAA component.

Service

AAA

User

Service

AAA

User

Service

AAA

User

Pull sequence

NAS (remote access)RSVP (network QoS)

Agent sequence

Agents, Brokers,Proxy’s.

Push sequence.

Tokens, Tickets,AC’s etc.

1

11

2 2

2

33 3

4

4

4


AuthZ sequence combinations:Roaming using agent & pull sequence

Service

AAA

User

1

2

56

AAA

3

4

User HomeOrganization

ServiceProviders


Example AuthZ sequence in LLNT’s withIntelligent switches

Switch

AAAApplic.

AAA User HomeOrganization

Switch

AAA

Switch

AAA

Netw.I/F

Resource

Netw.I/F

User Domain A Domain B Domain C Resource


Example AuthZ sequences in LLNT’s with dumb switches

Switch

AAAApplic.

AAA User HomeDomain

Switch

AAA

Switch

AAA

Netw.I/F

Resource

Netw.I/F

User Network Domain A Network Domain B Network Domain C Resource


Example AuthZ sequences in LLNT’s withbroker

Switch

AAA

Applic.AAA

Switch

AAA

Switch

AAA

Netw.I/F

Resource

Netw.I/F

User Network Domain A Network Domain B Network Domain C Resource

Broker

Base of Generic AAA Architecture - RAP

PolicyDecision

Point

PolicyEnforcement

Point

Fundamental idea’s inspired bywork of the IETF RAP WG thatin RFC 2753 describes a framework for Policy-basedAdmission Control.

Foundation for COPS

The point where policydecisions are made.

The point where the policy

decisions are actually enforced.

RequestDecision

PolicyRepository

Basic Goal Generic AAA: Allow policy decisions to be made by multiple PDP’s belonging to different administrative domains.

9 Oct 2003 Update meeting EVL Leon Gommans

Generic AAA Architecture - RFC2903

ApplicationSpecificModule

PolicyEnforcement

Point

Archieve goal by by separatingthe logical decision process fromthe application specific partswithin the PDP.

Request Decision

RuleBasedEngine Policy

Repository

PDP

Generic AAAEngine

A Driving PolicyOrchestrates theUsage of ASM’s

Generic AAA Architecture


PolicyEnforcement

Point

AAA RequestDecision

RuleBasedEngine

PolicyRepository

PDP


RuleBasedEngine Policy

Repository

PDP

UserRights

ServiceService Request


<AAARequest version="0.1" type="BoD" > <Authorization> <credential> <credential_type>simple</credential_type> <credential_ID>JanJansen</credential_ID> <credential_secret>#f034d</credential_secret> </credential> </Authorization> <BodData> <Source>192.168.1.5</Source> <Destination>192.168.1.6</Destination> <Bandwidth>1000</Bandwidth> <StartTime>now</StartTime> <Duration>20</Duration> </BodData></AAARequest>

Example XML request message


WHY

WHAT

if( ( ASM::RM.CheckConnection( Request::BodData.Source, Request::BodData.Destination ) &&

( Request::BodData.Bandwidth <= 1000 ) ))then( ASM::RM.RequestConnection( Request::BodData.Source, Request::BodData.Destination, Request::BodData.Bandwidth, Request::BodData.StartTime, Request::BodData.Duration ) ; Reply::Answer.Message = "Request successful")else( Reply::Error.Message = "Request failed"

Example part of a Driving Policy


802.1QVLANSwitch

PC

PC PC

PC

RBE

802.1QVLANSwitch

Single - domain 802.1Q VLAN setupDemo iGrid 2002

SNMPDot 1Q Bridge MIB


AAA Request Message(XML/SOAP) ASM ASM

PolicyDatabase


PC

PC PC

PC

RBE

Single - Domain Calient OXC setup

CalientDaimondWave

Photonic Switch

TL-1

AAA Request Message(XML/SOAP) ASM Policy

Database


802.1QVLANSwitch

PC

PC PC

PC

RBE

RBE

802.1QVLANSwitch

Multi - domain setup

CalientDaimondWave

Photonic Switch

AAA Request Message(XML/SOAP)

TL-1SNMPDot 1Q Bridge MIB


ASM

ASM PolicyDatabase


ASM ASM

PolicyDatabase

802.1QVLANSwitch

PC

PC PC

PC

RBE

802.1QVLANSwitch

Multi - domain setup using Alcatel 1355 BonD

AAA Request Message(XML/SOAP)



ASM

Alcatel1670ADM

1355 BOND + 1354

1353 EM

Alcatel1670ADM


ASM

PolicyDatabase

ASM

PC

PC

RBE

Collaborative Multi-domain experiment at SC2003

CalientPXC

PIN

PC

CalientPXC

PIN

PC

PDCPolicy

Database

ASMASMASMAuthZ

Resource Mgr


PHOTONIC INTERDOMAINNEGOTIATOR

PHOTONIC DOMAINCONTROLLER

PIN AND PDC ARE DEVELOPMENTS FROM EVL

PHOTONIC POLICYBASED ACCESS CONTROLLER

PIN DOES ROUTE DETERMINATION BASED ON SOURCE ROUTING

PC

PC

RBE

AAA based Multi-domain experiment at SC2003

Calient

PC

CalientPC

PolicyDatabase

ASM

OGSIWS I/F

ASM

OGSIClient I/F

PolicyDatabase

ASM

ASMASMAuthZ

Resource Mgr

RBE


PolicyDatabase

ASMRBE

RBE and ASM run within a J2EE EJB container Send RBE XML based request messages. Send RBE requests or control devices via Java

Connector Architecture (JCA) as part of an ASM via CLI, TL-1, SNMP, Radius, SOAP/XML etc.

J2EE environment gives Web Services features. Integrated Grid OGSA based interface into RBE Toolkit will give user RBE, ASM skeletons and a

policy language editor / compiler. Uses MySQL to store compiled policies using a

very simple nested if - then - else grammar. Supports all 3 authorization sequence types. Library of ASM’s that includes support for GARA,

VOMS, Enterasys, Calient, Alcatel NMS.

Generic AAA server toolkit of UvAMain features


Research ways to integrate networks into the Grid by using the principles of Generic AAA to authorize on demand usage.

Research ways to use the principles of Generic AAA in future generation grids.

Identify requirements and develop Generic AAA toolkit functions that can be used in both intra- and inter-domain service management scenario’s.

Propose standards and standard ways of operation.

Future Research.


“Cheap” network components can be used to create on demand high-bandwidth network transports between selected locations.

By turning networks transports into objects using ASM’s they become software controllable entities that can be orchestrated using driving policies that run within an RBE.

The AAA toolkit can be used to create flexible provisioning scenario’s with many types and abstractions of network equipment.

Conclusions

Thank you !

Research funded by EU IST DataTAG project and SURFnet

Leon Gommans

[email protected]

http://www.uva.nl/

Multi-domain provisioning of Lower Layer Network Transports based on Generic AAA TERENA

Documents

Transcript of Multi-domain provisioning of Lower Layer Network Transports based on Generic AAA TERENA