Policy based co-allocation of connection oriented network resources using the principles of Generic...

Policy based co-allocation of connection oriented network resources using the principles of

Generic AAA

ON*VECTOR 3rd Annual Photonics Workshop San Diego - 03/01/04

Leon GommansUniversity of Amsterdam

http://www.uva.nl/

Connection Oriented Networks Rationale Generic Authentication Authorization Accounting

(AAA) short overview. Experiments: DataTAG - SC2003 Future Research

1 Mar 2004 ON*VECTOR Workshop Leon Gommans

Overview

Compared to router based Connectionless Networks, Connection Oriented Network use some form of switch technology to forward: Ethernet frames Sonet/SDH frames Light

Switches along the path are configured (statically or dynamically) with a particular path definition for the duration of a connection.Forms such as: MPLS Virtual Private Network Lightpath - UCLP Lambda

Connection Oriented Networks (CON)


Next to general Internet usage, in particular Grid users will start to ask for high bandwidth connections at low cost.

This kind of demand is now found in Scientific applications within HEP, Radio Astronomy, Bio Science, etc.

Forwarding large volumes of highly directional traffic is expensive when user routers.

Providers need to provision cheap bandwidth by authorizing applications to access the transport infrastructure in a flexible way with or without pre-established relations at business level.

Many functions already found in telephony networks.

Rationale and assumptions.


Ergo: Automate operator function for data


Providers have a number of different ways to transport data using both connection-oriented and connection-less methods using routers, switches, electron and photon based links.

Low per stream volume - many destinations - always on service: connectionless routing.

Medium to high volume - fewer destinations - defined contract periods: (G)MPLS, use of AAA possible.

High volume - specific/static destinations - reserved time slots: Application driven provisioning of “cheap” bandwidth based on authorization. Need AAA.

Use various network technologies which need flexible automatic control/provisioning solutions.

Provider perspective


Concepts are researched within the IRTF AAA Architecture Research Group which resulted in RFC’s 2903 (Generic AAA Architecture) and RFC 2904 (Authorization Sequence Framework).

Staff members at University of Amsterdam helped to form this IRTF research group.

Research funded as part of participation in EU IST DataTAG project and by SURFnet

Collaboration with EVL at UIC, Starlight/NWU, Alcatel, CA*Net, FZJ Jülich and Fraunhofer Institute.

Work is also input to AuthZ WG in GGF. Generic AAA toolkit is developed at UoA.

AAAarch IRTF RG and UvA .


RFC 2904 Authorization sequences that allow users to access a service based on a policy decision taken by a AAA component.

Service

AAA

User

Service

AAA

User

Service

AAA

User

Pull sequence

NAS (remote access)RSVP (network QoS)

Agent sequence

Agents, Brokers,Proxy’s.

Push sequence.

Tokens, Tickets,AC’s etc.

1

11

2 2

2

33 3

4

4

4


Example AuthZ pull sequence in CON.

Switch

AAAApplic.

AAA User HomeOrganization

Switch

AAA

Switch

AAA

Netw.I/F

Resource

Netw.I/F

User Domain A Domain B Domain C Resource


Switch

AAAApplic.

AAA User HomeDomain

Switch

AAA

Switch

AAA

Netw.I/F

Resource

Netw.I/F

User Network Domain A Network Domain B Network Domain C Resource


Example AuthZ agent / pull sequence in CON.

Switch

AAAApplic.

AAA

Switch

AAA

Switch

AAA

Netw.I/F

Resource

Netw.I/F


Broker


Example AuthZ push / pull sequence in CON.

Switch

AAA

AAA

Switch

AAA

Switch

AAA

Netw.I/F

Resource

Netw.I/F


Application


Example AuthZ agent sequence in CON.

Applic.

Switch

AAA

AAA

Switch

AAA

Switch

AAA

Netw.I/F

Resource

Netw.I/F



Positioned in TMN example reference model.

Network Management /Element ManagementLayer

ServiceManagementLayer

BusinessManagementLayer ?

Applic.

Base of Generic AAA Architecture - RAP

PolicyDecision

Point

PolicyEnforcement

Point

Fundamental idea’s inspired bywork of the IETF RAP WG thatin RFC 2753 describes a framework for Policy-basedAdmission Control.

The point where policydecisions are made.

The point where the policy

decisions are actually enforced.

RequestDecision

PolicyRepository

Basic Goal Generic AAA: Allow policy decisions to be made by multiple PDP’s belonging to different administrative domains.


Generic AAA Architecture - RFC2903

ApplicationSpecificModule

PolicyEnforcement

Point

Archieve goal by by separatingthe logical decision process fromthe application specific partswithin the PDP.

Request Decision

RuleBasedEngine Policy

Repository

PDP

Generic AAAEngine

A Driving PolicyOrchestrates theUsage of ASM’s


Generic AAA Architecture


PolicyEnforcement

Point

AAA RequestDecision

RuleBasedEngine

PolicyRepository

PDP



Repository

PDP

UserRights

Service

RSVPService Request


Generic AAA Architecture


PolicyEnforcement

Point

XMLAAA Request

Provision

RuleBasedEngine

PolicyRepository

PDP



Repository

PDP

UserRights

ServiceService Access


Ack

Enterasys802.1QVLANSwitch

PC

PC PC

PC

RBE


Single - domain 802.1Q VLAN setupDemo iGrid 2002

SNMPDot 1Q Bridge MIB


AAA Request Message(XML/SOAP) ASM ASM

PolicyDatabase


<AAARequest version="0.1" type="BoD" > <Authorization> <credential> <credential_type>simple</credential_type> <credential_ID>JanJansen</credential_ID> <credential_secret>#f034d</credential_secret> </credential> </Authorization> <BodData> <Source>192.168.1.5</Source> <Destination>192.168.1.6</Destination> <Bandwidth>1000</Bandwidth> <StartTime>now</StartTime> <Duration>20</Duration> </BodData></AAARequest>

Example XML request message

WHY

WHAT


if( ( ASM::RM.CheckConnection( Request::BodData.Source, Request::BodData.Destination ) &&

( Request::BodData.Bandwidth <= 1000 ) ))then( ASM::RM.RequestConnection( Request::BodData.Source, Request::BodData.Destination, Request::BodData.Bandwidth, Request::BodData.StartTime, Request::BodData.Duration ) ; Reply::Answer.Message = "Request successful")else( Reply::Error.Message = "Request failed"

Example part of a Driving Policy



PC

PC PC

PC

RBE

Single - domain 802.1Q VLAN setupDemo iGrid 2002



AAA Request Message(XML/SOAP) ASM ASM

PolicyDatabase


Create RED VLAN andDefine it on trunk port,Include Port X.


PC

PC PC

PC

RBE

Single - Domain Calient PXC setup

CalientPXC

Switch

TL-1

AAA Request Message(XML/SOAP) ASM Policy

Database


PC

PC PC

PC

RBE

RBE

Multi - domain setup

CalientPXC

Switch

AAA Request Message(XML/SOAP)

TL-1SNMPDot 1Q Bridge MIB


ASM

ASM PolicyDatabase

ASM ASM

PolicyDatabase




802.1QVLANSwitch

PC

PC PC

PC

RBE

Multi - domain setup using a TMN domain

AAA Request Message(XML/SOAP)



ASM

Alcatel1670ADM

1355 BOND + 1354

1353 EM

Alcatel1670ADM

ASM

PolicyDatabase

ASM


ISO TMNDOMAIN


PC

PC

RBE

Collaborative Multi-domain experiment at SC2003

CalientPXC

PIN

PC

CalientPXC

PIN

PC

PDCPolicy

Database

ASMASMASMAuthZ

Resource Mgr

PHOTONIC INTERDOMAINNEGOTIATOR

PHOTONIC DOMAINCONTROLLER

Note: PIN and PDC are

developed by EVL at UIC

headed by Oliver Yu

PHOTONIC POLICYBASED ACCESS CONTROLLER

PIN DOES ROUTE DETERMINATION BASED ON SOURCE ROUTING


PC

PC

RBE

Collaborative Multi-domain experiment at SC2003

CalientPXC

PC

CalientPXC

PC

PolicyDatabase

ASM

OGSIWS I/F

ASM

OGSIClient I/F

PolicyDatabase

ASM

ASMASMAuthZ

Resource Mgr

RBEPolicy

DatabaseASM

RBE


Research ways to integrate networks into the Grid by using the principles of Generic AAA to authorize on demand usage via mechanisms such as GridFTP.

Inclusion of state awareness in driving policy e.g. using WSRF notifications

Include concurrency in driving policy execution. Identify further Grid requirements towards

advance reservation and VO integration. Integrate (WS based) electronic payment system

to allow operation without pre-established business relationships.

Future Research.


Thank you !

Research funded by EU IST DataTAG project and SURFnet

Leon Gommans

[email protected]

http://www.uva.nl/

Policy based co-allocation of connection oriented network resources using the principles of Generic...

Documents

Transcript of Policy based co-allocation of connection oriented network resources using the principles of Generic...