PART II BoD server prototype Implementation & technical details MB-NG workshop @ UCL

PART II BoD server prototype: Implementation & technical details. MB-NG workshop @ UCL, 20/21 Feb 2003. Bas van Oudenaarde, Advanced Internet Research Group, University of Amsterdam.


Page 1: PART II BoD server prototype  Implementation & technical details MB-NG workshop @ UCL

PART II
BoD server prototype

Implementation & technical details

MB-NG workshop @ UCL
20/21 Feb 2003

Bas van Oudenaarde
Advanced Internet Research Group
University of Amsterdam

Page 2

What to expect from this presentation

• Not a code walk, but a highlight of the concepts and the model behind our first-phase prototype of a BoD server (based on Generic AAA)

• Giving an overview for the DEMO

• Learn the details of the building blocks of the BoD server

Page 3

Generic AAA:

o AAA Server: may be involved in Authorization, Authentication, Accounting

o AAA request <-> Driving Policy

o Behavior of the generic part is determined by the combination of Driving policies, ASMs and AAA requests

Page 4

[Diagram; labels: authZ client entity, AAA, Service handler, serv, ASM, Serv*, policy]

“AAA protocol” > BoD request msg

Page 5

BoD request msg, using XML, SOAP

<AAARequest version="0.1" type="BoD">
  <Authorization>
    <credential>
      <credential_type>simple</credential_type>
      <credential_ID>JanJansen</credential_ID>
      <credential_secret>#f034d</credential_secret>
    </credential>
  </Authorization>
  <BodData>
    <Source>192.168.1.2</Source>
    <Destination>192.168.1.5</Destination>
    <Bandwidth>1000</Bandwidth>
    <StartTime>now</StartTime>
    <Duration>20</Duration>
  </BodData>
</AAARequest>

Page 6

Servlet in TOMCAT:

Using JAXM API

public class AAAServlet extends JAXMServlet implements ReqRespListener {
    private RBE theRBE;
    …
    public SOAPMessage onMessage( SOAPMessage message ) {
        …
        try {
            // message check (DTD) + Policy fetch
            theRBE.parse( request, out );
        } catch( Exception ex ) {
            return error( ex.getMessage( ) );
        }
        return createResponse( bout );
        …
    }

Page 7

Some details:

• Servlet Context: used to initiate the RBE, ASMs

• Java Reflection: list methods of Object (ASMs)

Page 8

Driving Policy:

if ( ASM::Authorization.authorize(        << C++ like namespace
        Request::Authorization.credential.credential_type,
        Request::Authorization.credential.credential_ID,
        Request::Authorization.credential.credential_secret ) )
Then (        * could work with simple data types
    if ( ASM::RM.CheckConnection( Request::BodData.Source, Request::BodData.Destination )

• IF-THEN-ELSE structure

• Input for the Policy Objects, JavaCC to serialize / used in Policy fetch
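The dispatch that the last two slides describe (ASM methods listed by reflection, then called from the Driving Policy) can be sketched as follows. This is an added Java example, not the prototype's code: the classes AuthorizationAsm and RmAsm, the helpers call and evaluate, and the constructed credential and address checks are assumptions. It needs Java 9 or later for Map.of.

```java
import java.lang.reflect.*;
import java.util.*;

public class PolicyDispatchExample {
    // Hypothetical ASMs; only the method names come from the Driving Policy slide.
    public static class AuthorizationAsm {
        public boolean authorize(String type, String id, String secret) {
            // Constructed check that accepts the credential of the sample request.
            return "simple".equals(type) && "JanJansen".equals(id) && "#f034d".equals(secret);
        }
    }
    public static class RmAsm {
        public boolean CheckConnection(String src, String dst) {
            return src.startsWith("192.168.1.") && dst.startsWith("192.168.1.");
        }
    }
    private final Map<String, Object> asms = new HashMap<>();

    // Resolve ASM::<name>.<method> by reflection. An unknown ASM or method, a wrong
    // signature, or an exception inside the ASM all mean "deny".
    public boolean call(String name, String method, String... args) {
        Object asm = asms.get(name);
        if (asm == null) return false;
        for (Method m : asm.getClass().getDeclaredMethods()) { // skips inherited Object methods
            if (!m.getName().equals(method) || !Modifier.isPublic(m.getModifiers())) continue;
            if (m.getReturnType() != boolean.class || m.getParameterCount() != args.length) continue;
            if (!Arrays.stream(m.getParameterTypes()).allMatch(p -> p == String.class)) continue;
            try { return (Boolean) m.invoke(asm, (Object[]) args); }
            catch (ReflectiveOperationException e) { return false; } // fail closed
        }
        return false;
    }
    // The nested IF of the slide: the RM is consulted only after authorization succeeds.
    public boolean evaluate(Map<String, String> r) {
        return call("Authorization", "authorize", r.get("credential_type"),
                    r.get("credential_ID"), r.get("credential_secret"))
            && call("RM", "CheckConnection", r.get("Source"), r.get("Destination"));
    }

    public static void main(String[] argv) {
        PolicyDispatchExample rbe = new PolicyDispatchExample();
        rbe.asms.put("Authorization", new AuthorizationAsm());
        rbe.asms.put("RM", new RmAsm());
        Map<String, String> ok = Map.of("credential_type", "simple", "credential_ID", "JanJansen",
            "credential_secret", "#f034d", "Source", "192.168.1.2", "Destination", "192.168.1.5");
        System.out.println("sample request allowed: " + rbe.evaluate(ok));
        System.out.println("Object method reachable: " + rbe.call("RM", "getClass"));
    }
}
```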

Page 9

ASM overview:

For the BoD service we implemented:

• Resource Manager (RM) ASM: (hardcoded) network topology, state of network elements

• Switch ASM: SNMP interface dealing with 802.1Q

• Authorization ASM: Authorization mechanism

Page 10

RM ASM, BoD method:

public int BoD( String IPsrc, String IPdst, int size, String t, int dur ){

• Full control model

• Network element modeled as a vertex with edges. State (link usage) is updated in the vertex.

• using a backtracking algorithm to find the path (recursive)

• collecting provisioning information, like VLAN id, ports, etc.

}
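The model listed above (vertices with edges, link usage kept as state, a recursive backtracking search, provisioning data collected along the path) is shown here as an added Java example, not the prototype's RM ASM. The class and method names, the switch names used instead of IP addresses, the directed links and the omission of start time and duration are assumptions.

```java
import java.util.*;

public class BodPathExample {
    // One link out of a switch: egress port, neighbour, capacity and current usage.
    static final class Edge {
        final String to; final int port, capacity; int used;
        Edge(String to, int port, int capacity) { this.to = to; this.port = port; this.capacity = capacity; }
    }
    private final Map<String, List<Edge>> vertices = new HashMap<>();

    void link(String from, int port, String to, int capacity) {
        vertices.computeIfAbsent(from, k -> new ArrayList<>()).add(new Edge(to, port, capacity));
        vertices.computeIfAbsent(to, k -> new ArrayList<>());
    }

    // Recursive search: extend the path over links with enough free capacity, undo dead ends.
    private boolean search(String at, String dst, int size, Set<String> seen, Deque<Edge> path) {
        if (at.equals(dst)) return true;
        seen.add(at);
        for (Edge e : vertices.get(at)) {
            if (seen.contains(e.to) || e.capacity - e.used < size) continue;
            path.addLast(e);
            if (search(e.to, dst, size, seen, path)) return true;
            path.removeLast(); // dead end: backtrack
        }
        return false;
    }

    // Returns one "switch:port:vlan" entry per hop, or an empty list with no state changed.
    List<String> bod(String src, String dst, int size, int vid) {
        Deque<Edge> path = new ArrayDeque<>();
        if (size <= 0 || !vertices.containsKey(src) || !vertices.containsKey(dst)
                || !search(src, dst, size, new HashSet<>(), path)) return Collections.emptyList();
        List<String> provisioning = new ArrayList<>();
        String hop = src;
        for (Edge e : path) {
            e.used += size; // reserve only after a complete path exists
            provisioning.add(hop + ":port" + e.port + ":vlan" + vid);
            hop = e.to;
        }
        return provisioning;
    }

    public static void main(String[] argv) {
        BodPathExample rm = new BodPathExample(); // constructed three-switch topology
        rm.link("s1", 1, "s2", 1000); rm.link("s1", 2, "s3", 1000); rm.link("s3", 1, "s2", 1000);
        for (int i = 0; i < 3; i++) System.out.println(rm.bod("s1", "s2", 800, 100 + i));
    }
}
```

The three identical requests in main exercise the state update: the first takes the direct link, the second is routed around it, and the third finds no link with enough free capacity.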

Page 11

Switch ASM, provisioning:

/* (Single domain) Add port (+ Trunk) in VLAN.
 *
 * Cabletron ss6000 switch uses SNMP table:
 *   ctVlanPortConfigTable
 *   OID = "1.3.6.1.4.1.52.4.1.2.16.3.1.1"
 *   OID.c.I1.I2 ( c = column, I1 index 1, I2 index 2 )
 */
public void setupPath( int port, int vid ) throws IOException,
        SnmpDecodeException, SnmpResponseException {
    // Setup connection
    SnmpPeer peer = new SnmpPeer("localhost", InetAddress.getByName( host ), SMI.PUBLIC );
    SnmpConnection connection = new SnmpConnection(peer);
    // OID….

Page 12

Authorized path discovery

• QoS path through multiple administrative domains

• AAA servers > Mechanism for advertising the connections they can establish

• Start with simplest QoS path > Full Control model

• Logical network link instead of physical network link

• Decision tree for authorization of QoS elements

Page 13

Authorization interactions:

[Diagram; labels: AAA servers AAA0, AAA1, AAA2; network elements N0, N1, N2; domains D0, D1]

Page 14

Future of AAA:

• Porting J2EE environment

  • robust & scalable runtime environment
  • focusing on AAA concepts
  • developing generic RBE <-> ASM interface

• Still in progress…. :(

• Collaboration in developing a generic ASM interface, policy definitions, etc.

Page 15

Ideas: AAA in J2EE:

[Diagram; labels: J2EE, web, EJB Container, JCA Resource Adapters, ASMs api, ASM*, switch1, switch2, BoD req]

Page 16

Conclusions

• Our focus is on authorization in multi administrative domains

• The ASMs need to interface with services; we need to provide a generic API

• Collaborations