Policy based co-allocation of connection oriented network resources using the principles of Generic AAA
ON*VECTOR 3rd Annual Photonics Workshop, San Diego, 1 March 2004
Leon Gommans, University of Amsterdam
Overview
- Connection Oriented Networks
- Rationale
- Generic Authentication, Authorization, Accounting (AAA): short overview
- Experiments: DataTAG, SC2003
- Future Research
1 Mar 2004 ON*VECTOR Workshop Leon Gommans
Connection Oriented Networks (CON)
Compared to router-based connectionless networks, a connection-oriented network uses some form of switching technology to forward Ethernet frames, SONET/SDH frames or light.
Switches along the path are configured (statically or dynamically) with a particular path definition for the duration of a connection. Forms include MPLS, Virtual Private Networks, lightpaths (UCLP) and lambdas.
Rationale and assumptions
Next to general Internet usage, Grid users in particular will start to ask for high-bandwidth connections at low cost.
This kind of demand is now found in scientific applications within HEP, radio astronomy, bio science, etc.
Forwarding large volumes of highly directional traffic is expensive when using routers.
Providers need to provision cheap bandwidth by authorizing applications to access the transport infrastructure in a flexible way, with or without pre-established relations at business level.
Many of the functions needed are already found in telephony networks.
Ergo: automate the operator function for data.
Provider perspective
Providers have a number of different ways to transport data, using both connection-oriented and connectionless methods over routers, switches, and electron- and photon-based links:
- Low per-stream volume, many destinations, always-on service: connectionless routing.
- Medium to high volume, fewer destinations, defined contract periods: (G)MPLS; use of AAA possible.
- High volume, specific/static destinations, reserved time slots: application-driven provisioning of "cheap" bandwidth based on authorization. Needs AAA.
The various network technologies involved need flexible, automatic control/provisioning solutions.
AAAarch IRTF RG and UvA
The concepts were researched within the IRTF AAA Architecture Research Group, which resulted in RFC 2903 (Generic AAA Architecture) and RFC 2904 (AAA Authorization Framework, which defines the authorization sequences).
Staff members at the University of Amsterdam helped to form this IRTF research group.
The research is funded as part of participation in the EU IST DataTAG project and by SURFnet.
Collaboration with EVL at UIC, StarLight/NWU, Alcatel, CA*net, FZJ Jülich and the Fraunhofer Institute.
The work is also input to the AuthZ WG in the GGF. A Generic AAA toolkit is developed at UoA.
RFC 2904 authorization sequences
RFC 2904 describes authorization sequences that allow users to access a service based on a policy decision taken by an AAA component. The slide shows three, each as four numbered steps between User, AAA and Service:
- Pull sequence: the user contacts the service directly; the service pulls the policy decision from the AAA component before granting access. Examples: NAS (remote access), RSVP (network QoS).
- Agent sequence: the user contacts the AAA component, which acts as an agent and arranges the service on the user's behalf. Examples: agents, brokers, proxies.
- Push sequence: the user first obtains the decision from the AAA component and then pushes the proof to the service. Examples: tokens, tickets, attribute certificates (ACs).
Example AuthZ sequences in CON
Four diagrams with the same layout: a User, Network Domains A, B and C (each with a Switch, its Network I/F and its own AAA server) and the Resource at the far end. In each, the per-domain AAA servers take the policy decisions and configure their own switches:
- Pull sequence: the application's request is handled via the AAA server of the user's home organization/domain and pulled along the chain of per-domain AAA servers.
- Agent/pull sequence: the same, with a Broker in front of the domains acting as agent for the application.
- Push/pull sequence: the same, with the Application shown as a separate component that pushes its authorization into the first domain.
- Agent sequence: the same, with the application addressing one AAA server that acts as agent towards the other domains.
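To make the multi-domain pull sequence concrete, here is an added example (Python; not code from the presentation or from the UvA Generic AAA toolkit) of co-allocation across a chain of domains. The user's credential is checked by the home-organization AAA server, then every network domain's AAA server (PDP) takes its own policy decision and reserves capacity; if any domain denies, the reservations already made upstream are released so no half-built path is left. The domain names A/B/C, their capacities and trust lists, the credential table and the reserve/release two-phase scheme are assumptions made for this example.

```python
"""Multi-domain co-allocation modelled on the RFC 2904 pull sequence from the
slides: each network domain's AAA server (PDP) decides under its own policy
before its switch (PEP) is configured.  Domains, capacities, trusted home
organizations and credentials below are constructed for this example."""
import hmac
from dataclasses import dataclass, field


@dataclass
class Request:
    user: str
    bandwidth: int   # Mbit/s
    start: int       # minutes from now
    duration: int    # minutes

    @property
    def end(self):
        return self.start + self.duration


class HomeAAA:
    """The user's home-organization AAA server: validates the presented credential."""
    def __init__(self, name, users):
        self.name = name
        self.users = users          # constructed {user: secret} table

    def authenticate(self, user, secret):
        stored = self.users.get(user)
        return stored is not None and hmac.compare_digest(stored.encode(), secret.encode())


@dataclass
class DomainAAA:
    """One administrative domain: a PDP with a local policy that also tracks
    the time-windowed reservations on its switch."""
    name: str
    max_per_request: int
    capacity: int
    trusted_homes: set
    reservations: list = field(default_factory=list)   # (start, end, bw)
    log: list = field(default_factory=list)

    def reserved_at(self, start, end):
        """Bandwidth already committed in any window overlapping [start, end)."""
        return sum(bw for s, e, bw in self.reservations if s < end and e > start)

    def decide(self, req, home_domain):
        if home_domain not in self.trusted_homes:
            return False, f"{self.name}: home domain {home_domain} not trusted"
        if req.bandwidth > self.max_per_request:
            return False, f"{self.name}: {req.bandwidth} Mbit/s exceeds per-request limit"
        if self.reserved_at(req.start, req.end) + req.bandwidth > self.capacity:
            return False, f"{self.name}: insufficient capacity in requested window"
        return True, f"{self.name}: permit"

    def reserve(self, req):
        self.reservations.append((req.start, req.end, req.bandwidth))
        self.log.append(("reserve", req.user, req.bandwidth))

    def release(self, req):
        self.reservations.remove((req.start, req.end, req.bandwidth))
        self.log.append(("release", req.user, req.bandwidth))


def co_allocate(path, home, secret, req):
    """Pull the decision through every domain on the path.  Reservations are
    made as each domain permits; a denial anywhere rolls back the earlier ones,
    so the connection is either allocated end to end or not at all."""
    if not home.authenticate(req.user, secret):
        return False, [f"{home.name}: authentication failed"]
    reasons, granted = [], []
    for domain in path:
        ok, why = domain.decide(req, home.name)
        reasons.append(why)
        if not ok:
            for d in reversed(granted):
                d.release(req)
            return False, reasons
        domain.reserve(req)
        granted.append(domain)
    return True, reasons


def build_testbed():
    """Constructed testbed: one home organization and three transit domains."""
    home = HomeAAA("UvA", {"JanJansen": "#f034d"})
    path = [
        DomainAAA("A", max_per_request=1000, capacity=2000, trusted_homes={"UvA"}),
        DomainAAA("B", max_per_request=2500, capacity=2500, trusted_homes={"UvA", "EVL"}),
        DomainAAA("C", max_per_request=1000, capacity=1000, trusted_homes={"UvA"}),
    ]
    return home, path


if __name__ == "__main__":
    home, path = build_testbed()
    print(co_allocate(path, home, "#f034d", Request("JanJansen", 1000, 0, 20)))
```

The rollback matters because each domain is a separate administrative authority: domain C's denial is not visible to A and B unless the requesting side undoes what it already reserved there, otherwise capacity leaks until the reservation expires.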
Positioned in the TMN example reference model
Diagram: the Generic AAA components placed against the TMN layers (Network Management / Element Management Layer, Service Management Layer, Business Management Layer), with the application on top; the Business Management Layer position is marked with a question mark.
Base of Generic AAA Architecture: RAP
The fundamental ideas were inspired by the work of the IETF RAP WG, which in RFC 2753 describes a framework for policy-based admission control:
- Policy Decision Point (PDP): the point where policy decisions are made.
- Policy Enforcement Point (PEP): the point where the policy decisions are actually enforced.
The PEP sends a Request to the PDP and receives a Decision; the PDP consults a Policy Repository.
Basic goal of Generic AAA: allow policy decisions to be made by multiple PDPs belonging to different administrative domains.
Generic AAA Architecture (RFC 2903)
The goal is achieved by separating the logical decision process from the application-specific parts within the PDP. The PDP consists of a Generic AAA Engine, a Rule Based Engine (RBE) that evaluates policies from the Policy Repository, and Application Specific Modules (ASMs); a Driving Policy orchestrates the usage of the ASMs. The PEP sends a Request to the PDP and receives a Decision.
Generic AAA Architecture: chained PDPs
Diagrams: two PDPs, each with its own Application Specific Module, Rule Based Engine and Policy Repository, are chained. The first PDP handles User Rights, the second the Service. In the first diagram an RSVP service request reaches the PEP, which exchanges an AAA Request and Decision with the PDP. In the second, the AAA request arrives as XML, the PDP provisions the service, and service access is granted.
Single-domain 802.1Q VLAN setup, demo iGrid 2002
Diagram: an AAA Request Message (XML/SOAP) arrives at the RBE, which consults a Policy Database and drives two ASMs. Each ASM configures an Enterasys 802.1Q VLAN switch over SNMP using the Dot1Q Bridge MIB, connecting the PCs attached to the two switches; the switch acknowledges (Ack).
Example XML request message
The slide labels the Authorization part WHY (the credential on which the decision is based) and the BodData part WHAT (the bandwidth-on-demand connection being asked for).

  <AAARequest version="0.1" type="BoD">
    <Authorization>
      <credential>
        <credential_type>simple</credential_type>
        <credential_ID>JanJansen</credential_ID>
        <credential_secret>#f034d</credential_secret>
      </credential>
    </Authorization>
    <BodData>
      <Source>192.168.1.5</Source>
      <Destination>192.168.1.6</Destination>
      <Bandwidth>1000</Bandwidth>
      <StartTime>now</StartTime>
      <Duration>20</Duration>
    </BodData>
  </AAARequest>
Example part of a Driving Policy

  if ( ASM::RM.CheckConnection( Request::BodData.Source, Request::BodData.Destination ) &&
       ( Request::BodData.Bandwidth <= 1000 ) )
  then (
      ASM::RM.RequestConnection( Request::BodData.Source, Request::BodData.Destination,
                                 Request::BodData.Bandwidth, Request::BodData.StartTime,
                                 Request::BodData.Duration );
      Reply::Answer.Message = "Request successful"
  )
  else (
      Reply::Error.Message = "Request failed"
  )
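The request message and driving policy above, carried through as a small rule-based engine in Python. This is an added example, not code from the presentation or the UvA Generic AAA toolkit: the XML message and the policy condition (endpoints must be connectable, bandwidth at most 1000) are the slide's, while the credential table, the host-to-port table inside the resource-manager ASM and the function names (parse_request, authorize, driving_policy, rbe_handle) are assumptions. It also shows the two failure paths the slide's fragment leaves implicit: a malformed request and a credential that does not verify.

```python
"""Minimal Rule Based Engine evaluating the slide's AAA request against the
slide's driving policy.  Credential table and host/port table are constructed."""
import hmac
import xml.etree.ElementTree as ET

# The example message from the slide (constructed copy).
SAMPLE_REQUEST = """<AAARequest version="0.1" type="BoD">
 <Authorization><credential>
  <credential_type>simple</credential_type>
  <credential_ID>JanJansen</credential_ID>
  <credential_secret>#f034d</credential_secret>
 </credential></Authorization>
 <BodData>
  <Source>192.168.1.5</Source><Destination>192.168.1.6</Destination>
  <Bandwidth>1000</Bandwidth><StartTime>now</StartTime><Duration>20</Duration>
 </BodData>
</AAARequest>"""

# Policy database of known credentials (constructed).  The "simple" credential
# is a shared secret carried in the message itself, so the SOAP transport has
# to protect it; compare it in constant time to avoid leaking it by timing.
CREDENTIALS = {("simple", "JanJansen"): "#f034d"}


class ResourceManagerASM:
    """ASM for the switch: knows which host sits on which port (constructed)
    and records the connections it has been asked to set up."""
    def __init__(self, host_ports):
        self.host_ports = host_ports
        self.connections = []

    def check_connection(self, src, dst):
        return src in self.host_ports and dst in self.host_ports and src != dst

    def request_connection(self, src, dst, bandwidth, start, duration):
        self.connections.append((self.host_ports[src], self.host_ports[dst],
                                 bandwidth, start, duration))


def parse_request(xml_text):
    """Return (credential, boddata) dicts; raise ValueError on a malformed request."""
    root = ET.fromstring(xml_text)
    if root.tag != "AAARequest" or root.get("type") != "BoD":
        raise ValueError("not a BoD AAARequest")
    cred = root.find("Authorization/credential")
    bod = root.find("BodData")
    if cred is None or bod is None:
        raise ValueError("missing Authorization or BodData")
    c = {child.tag: (child.text or "") for child in cred}
    b = {child.tag: (child.text or "") for child in bod}
    for key in ("Source", "Destination", "Bandwidth", "StartTime", "Duration"):
        if key not in b:
            raise ValueError(f"missing BodData/{key}")
    b["Bandwidth"] = int(b["Bandwidth"])
    b["Duration"] = int(b["Duration"])
    return c, b


def authorize(cred):
    """WHY: does the presented credential match the policy database?"""
    stored = CREDENTIALS.get((cred.get("credential_type"), cred.get("credential_ID")))
    presented = cred.get("credential_secret", "")
    return stored is not None and hmac.compare_digest(stored.encode(), presented.encode())


def driving_policy(rm, bod):
    """WHAT: the slide's driving policy, with the ASM doing the resource checks."""
    if rm.check_connection(bod["Source"], bod["Destination"]) and bod["Bandwidth"] <= 1000:
        rm.request_connection(bod["Source"], bod["Destination"], bod["Bandwidth"],
                              bod["StartTime"], bod["Duration"])
        return {"Answer": "Request successful"}
    return {"Error": "Request failed"}


def rbe_handle(xml_text, rm):
    """Full PDP pass: parse, authorize, then run the driving policy."""
    try:
        cred, bod = parse_request(xml_text)
    except (ET.ParseError, ValueError) as exc:
        return {"Error": f"malformed request: {exc}"}
    if not authorize(cred):
        return {"Error": "authorization failed"}
    return driving_policy(rm, bod)


def demo():
    rm = ResourceManagerASM({"192.168.1.5": 3, "192.168.1.6": 7})
    return rbe_handle(SAMPLE_REQUEST, rm), rm


if __name__ == "__main__":
    print(demo()[0])
```

Note the order: the credential is verified before any ASM is touched, so an unauthenticated request can never cause a CheckConnection call against the switch.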
Single-domain 802.1Q VLAN setup, demo iGrid 2002 (continued)
Same diagram, annotated with the action the ASM performs on the switch over SNMP (Dot1Q Bridge MIB): create the RED VLAN, define it on the trunk port, and include port X.
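The annotated step, expressed as the SNMP SET an ASM would issue using the standard Q-BRIDGE-MIB dot1qVlanStaticTable (RFC 2674), as an added example and not code from the UvA toolkit. The presentation gives no VLAN id or port numbers, so VLAN id 100, a 24-port switch, trunk port 24, port X = 3 and SNMPv2c are assumptions of this example; the PortList encoding (first octet covers ports 1 to 8, most significant bit is the lowest port) and the column numbers are the MIB's.

```python
"""SNMP varbinds for 'create RED VLAN, define it on the trunk port, include
port X' against the Q-BRIDGE-MIB dot1qVlanStaticTable.  VLAN id, port numbers
and switch size are constructed for this example."""

# dot1qVlanStaticEntry = 1.3.6.1.2.1.17.7.1.4.3.1, indexed by dot1qVlanIndex
DOT1Q_VLAN_STATIC_ENTRY = "1.3.6.1.2.1.17.7.1.4.3.1"
COL_NAME, COL_EGRESS, COL_FORBIDDEN, COL_UNTAGGED, COL_ROWSTATUS = 1, 2, 3, 4, 5
ROWSTATUS_CREATE_AND_GO, ROWSTATUS_DESTROY = 4, 6


def portlist(ports, num_ports):
    """Encode a Q-BRIDGE-MIB PortList: octet k covers ports 8k+1..8k+8 and the
    most significant bit of each octet is its lowest numbered port."""
    if any(p < 1 or p > num_ports for p in ports):
        raise ValueError("port out of range")
    buf = bytearray((num_ports + 7) // 8)
    for p in ports:
        buf[(p - 1) // 8] |= 0x80 >> ((p - 1) % 8)
    return bytes(buf)


def portlist_decode(octets):
    """Inverse of portlist(): the set of port numbers whose bit is set."""
    return {8 * i + b + 1 for i, byte in enumerate(octets)
            for b in range(8) if byte & (0x80 >> b)}


def vlan_create_varbinds(vlan_id, name, trunk_port, access_ports, num_ports):
    """One createAndGo SET: the VLAN is tagged on the trunk and untagged on the
    access ports, which places the access ports in the VLAN without tagging."""
    if not 1 <= vlan_id <= 4094:
        raise ValueError("VLAN id must be 1..4094")
    members = [trunk_port, *access_ports]
    return [
        (f"{DOT1Q_VLAN_STATIC_ENTRY}.{COL_NAME}.{vlan_id}", "s", name),
        (f"{DOT1Q_VLAN_STATIC_ENTRY}.{COL_EGRESS}.{vlan_id}", "x",
         portlist(members, num_ports).hex()),
        (f"{DOT1Q_VLAN_STATIC_ENTRY}.{COL_UNTAGGED}.{vlan_id}", "x",
         portlist(access_ports, num_ports).hex()),
        (f"{DOT1Q_VLAN_STATIC_ENTRY}.{COL_ROWSTATUS}.{vlan_id}", "i",
         ROWSTATUS_CREATE_AND_GO),
    ]


def vlan_destroy_varbinds(vlan_id):
    """Tear-down SET for when the reservation's Duration has elapsed."""
    return [(f"{DOT1Q_VLAN_STATIC_ENTRY}.{COL_ROWSTATUS}.{vlan_id}", "i", ROWSTATUS_DESTROY)]


def snmpset_command(host, community, varbinds):
    """Render the varbinds as a net-snmp snmpset invocation.  SNMPv2c is assumed
    here; with it the community string is the only thing protecting the VLAN
    table, so SNMPv3 with authentication and privacy is preferable where the
    switch supports it."""
    parts = [f"{oid} {t} {v}" for oid, t, v in varbinds]
    return f"snmpset -v2c -c {community} {host} " + " ".join(parts)


if __name__ == "__main__":
    vb = vlan_create_varbinds(100, "RED", trunk_port=24, access_ports=[3], num_ports=24)
    print(snmpset_command("switch-a.example", "private", vb))
```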
Single-domain Calient PXC setup
Diagram: the same RBE, Policy Database and AAA Request Message (XML/SOAP), now with an ASM that configures a Calient PXC (photonic cross-connect) switch over TL-1 to connect the PCs.
Multi-domain setup
Diagram: two domains, each with its own RBE, Policy Database and ASMs. The AAA Request Message (XML/SOAP) enters the first domain, whose RBE forwards a request to the RBE of the second. One domain controls a Calient PXC switch over TL-1, the other controls Enterasys 802.1Q VLAN switches over SNMP (Dot1Q Bridge MIB); PCs attach at either end.
Multi-domain setup using a TMN domain
Diagram: the AAA Request Message (XML/SOAP) reaches an RBE with a Policy Database and ASMs. One ASM configures an 802.1Q VLAN switch over SNMP (Dot1Q Bridge MIB); another ASM addresses an ISO TMN domain (Alcatel 1355 BOND + 1354, 1353 EM) that manages two Alcatel 1670 ADMs. PCs attach at both ends.
Collaborative Multi-domain experiment at SC2003
Diagram: the UvA RBE, with its Policy Database and ASMs, is coupled to EVL's Photonic Interdomain Negotiator (PIN) and Photonic Domain Controller (PDC); the PDC holds a policy database and a Photonic Policy-Based Access Controller (AuthZ) with a Resource Manager. Two Calient PXC domains each have a PIN and a PC; an Enterasys 802.1Q VLAN switch connects PCs on the UvA side.
Note: PIN and PDC are developed by EVL at UIC, headed by Oliver Yu. PIN does route determination based on source routing.
Collaborative Multi-domain experiment at SC2003 (continued)
Diagram: the same setup with the interfaces shown. Each RBE has its Policy Database and ASMs; the domains are coupled through an OGSI client interface on one side and an OGSI Web Service interface (OGSI WS I/F) on the other, and the Calient PXC domains again carry the AuthZ and Resource Manager components.
Future Research
- Research ways to integrate networks into the Grid by using the principles of Generic AAA to authorize on-demand usage via mechanisms such as GridFTP.
- Inclusion of state awareness in the driving policy, e.g. using WSRF notifications.
- Include concurrency in driving policy execution.
- Identify further Grid requirements towards advance reservation and VO integration.
- Integrate a (WS-based) electronic payment system to allow operation without pre-established business relationships.
Thank you !
Research funded by EU IST DataTAG project and SURFnet
Leon Gommans