Authorization of a QoS path based on Generic AAA
SC2002 Baltimore NOV 16-22
Bas van Oudenaarde, Advanced Internet Research Group
University of [email protected]
EU IST-2001-32459
Content
● Introduction
● Concepts of Generic Authorization, Authentication & Accounting (AAA)
● Authorization / Control models
● Authorized path discovery
● AAA server authorization interaction
● Test bed / Bandwidth on Demand Server
● Conclusions
Introduction
● Users require guaranteed high bandwidth connections
● Project: middleware solution for authorization of a Quality of Service (QoS) path
● As network resources need to be managed with different security systems and policies, this project identifies the major problems and tries to find inter-Grid level mechanisms capable of interoperating with the administrative domain specific authentication, authorization and management rules and procedures
● Prototype: Bandwidth on Demand server based on Generic AAA
Generic AAA
● AAA Server: may be involved in Authorization, Authentication, Accounting
● AAA request <-> Driving Policy
● Behavior of the generic part is determined by the combination of Driving policies, ASMs and AAA requests
Generic AAA (continued)
● The group has been participating in defining concepts for Generic AAA since March 1999, when the AAA WG was formed at IETF-44.
● The work later became an IRTF subject (AAAARCH RG).
● RFCs 2903-2906 describe the framework, architecture, example applications and requirements.
● Optical networking within a Grid environment is a research application for Generic AAA.
Generic AAA Architecture – RFC2903
[Figure: Policy Decision Point (PDP) and Policy Enforcement Point (PEP) with a Policy Repository; the PEP sends a Request to the PDP and receives a Decision.]
Fundamental ideas inspired by the work of the IETF RAP WG, which in RFC 2753 describes a framework for Policy-based Admission Control; this is the foundation for COPS.
● Policy Decision Point: the point where policy decisions are made.
● Policy Enforcement Point: the point where the policy decisions are actually enforced.
Basic goal of Generic AAA: allow policy decisions to be made by multiple PDPs belonging to different administrative domains.
Generic AAA Architecture – RFC2903
[Figure: the PDP now contains a Rule Based Engine (RBE), an Application Specific Module (ASM) and a Policy Repository; the PEP exchanges Request/Decision with the PDP.]
Achieve the goal by separating the logical decision process from the application-specific parts within the PDP.
Generic AAA Architecture – RFC2903
[Figure: several AAA servers, each with its own Rule Based Engine, Application Specific Module and Policy Repository, within an Institute / Enterprise (Users, Budgets, HR Dept., Finance Dept.) and at a Service Provider; User A's request enters through the PEP and is passed between the AAA servers as Request/Decision.]
- Allow RBEs to talk to each other and exchange messages that can only have "boolean answers".
- Policies are hidden from the original requestor.
Generic AAA Framework – RFC2904
3 fundamentally different user initiated authorization sequences:
● Pull sequence (NAS, RSVP)
● Agent sequence (brokers, agents)
● Push sequence (token based access, Kerberos tickets)
[Figure: three message-sequence diagrams between User, AAA and Service, each with numbered steps 1-4. In the pull sequence the user contacts the Service, which asks the AAA server for a decision; in the agent sequence the user contacts the AAA server, which configures the Service; in the push sequence the user first obtains a token from the AAA server and then presents it to the Service.]
Generic AAA Framework – RFC2904
Separating the User Awareness from the Service yields Roaming Models: example roaming pull model.
[Figure: roaming pull model with six numbered steps. The user sends the request to the Service (1); the Service consults the Service Provider's AAA server (2), which forwards the request to the AAA server of the User Home Organization (3) and receives its decision (4); the Service Provider's AAA server returns the decision to the Service (5), which answers the user (6).]
Authorization / Control models
● Network nodes & network links, where the relevant parameters are under the control of an AAA Server
● Parameters are governed by a set of policies
● Consider a simple unidirectional QoS path between two nodes, N0 and N1: Individual Control model, Partial Control model, Full Control model
[Figure: Individual Control model: N0, the link and N1 are under three separate AAA servers. Partial Control model: N0 and N1 are each under their own AAA server (two AAA servers). Full Control model: a single AAA server controls both N0 and N1 and the link between them.]
Authorized path discovery
[Figure: a QoS path from N0 to Nn across several domains; AAA0 controls N0; the logical network link between nodes is denoted ĩ.]
• QoS path through multiple administrative domains
• AAA servers > mechanism for advertising the connections they can establish
• Start with the simplest QoS path > Full Control model
• Logical network link ĩ instead of physical network link
• Decision tree for authorization of QoS elements
Example of AAA server authorization interactions
[Figure: domains D0 (AAA0, node N0), D1 (AAA1, node N1) and a further domain (AAA2, node N2), with the shared AAA1,2 responsible for the logical link ĩ between N1 and N2; the path continues to Nnl, with logical links labelled 0,1 and 2,nl.]
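As an added example (not from the slides), a small Python model of the interaction above: each domain's RBE applies its own hidden policy to its logical link and only a boolean crosses the domain boundary, so AAA0 learns whether the whole path N0 -> N1 -> N2 -> Nn is authorized but never why a downstream domain refused. Domain names, user lists and capacities are constructed.

```python
class DomainAAA:
    """One administrative domain's AAA server (Full Control model: it controls
    both ends of its own logical link). next_hop is the peer AAA server that
    controls the next logical link on the path."""

    def __init__(self, name, link_capacity, allowed_users, next_hop=None):
        self.name = name
        self.link_capacity = link_capacity    # constructed free bandwidth on the link
        self.allowed_users = allowed_users    # constructed local policy, never exported
        self.next_hop = next_hop
        self.log = []                         # local record of decisions taken

    def authorize_link(self, bandwidth, user):
        """Local RBE decision on this domain's own logical link."""
        ok = user in self.allowed_users and bandwidth <= self.link_capacity
        self.log.append((user, bandwidth, ok))
        return ok

    def authorize_path(self, hops_remaining, bandwidth, user):
        """Decision tree over the path: my link AND the rest, asked hop by hop.
        Only the boolean answer travels back; the local reason stays in self.log."""
        if not self.authorize_link(bandwidth, user):
            return False
        if hops_remaining == 1:               # this was the last logical link
            return True
        if self.next_hop is None:             # path longer than anything advertised
            return False
        return self.next_hop.authorize_path(hops_remaining - 1, bandwidth, user)


def build_chain():
    """Constructed chain AAA0 -> AAA1 -> AAA2, one logical link per domain."""
    aaa2 = DomainAAA("AAA2", 5000, {"person1"})
    aaa1 = DomainAAA("AAA1", 3000, {"person1", "person2"}, next_hop=aaa2)
    aaa0 = DomainAAA("AAA0", 10000, {"person1", "person2"}, next_hop=aaa1)
    return aaa0, aaa1, aaa2
```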
Test bed / Bandwidth on Demand
• Focus on optical networks; layer 1, 2 technologies
• 802.1Q VLAN switches
• Construct a private network
[Figure: Grid Domain A and Grid Domain B, each with a Cabletron SS 6000 802.1Q VLAN switch, an AAA client, an SNMP control port and FE network ports, connected through an Optical N/W Provider by a 1GB lightpath.]
Generic AAA BoD: Agent sequence; Full Control model authorizing QoS path access via VLANs
[Figure: Globus AAA clients in Grid Domain A and Grid Domain B talk over the "Internet" via XML/SOAP to the AAA server at the Optical N/W Provider proxy, which configures the switches via CLI or XML; GB network ports on both sides.]
Replace fiber with GMPLS or DWDM technology
[Figure: the same setup with GMPLS in the provider network: Globus AAA clients in both Grid domains, the AAA server, and Optimized TCP/IP over the "Internet".]
Example BoD request
    <AAARequest version="0.1" type="BoD">
      <AuthorizationData>
        <Credential type="simple">
          <ID>person1</ID>
          <Key>1#fdjkj9#esn34k</Key>
        </Credential>
      </AuthorizationData>
      <BodData>
        <Source>100.10.20.30</Source>
        <Destination>110.1.2.3</Destination>
        <Bandwidth>2500</Bandwidth>
        <StartTime>now</StartTime>
        <Duration>3600</Duration>
      </BodData>
    </AAARequest>
Example of BoD driving Policy
    if (
        ASM::Authorizer.authorize(
            Request::AuthorizationData.Credential.ID,
            Request::AuthorizationData.Credential.Key ) )
    then (
        ASM::RM.BoD(
            Request::ServiceData.SwitchData.Source,
            Request::ServiceData.SwitchData.Destination,
            Request::ServiceData.SwitchData.Bandwidth,
            Request::ServiceData.SwitchData.StartTime,
            Request::ServiceData.SwitchData.Duration ) ;
        Reply::Answer.Message = "Request successful" )
    else (
        Reply::Error.Message = "Request failed" )
Summary / Conclusions
● AAA server behavior > ASMs, policies, AAA msg
● RBE only takes logical decisions (multi domain)
● Implement ASMs for difficult tasks to support the RBE
● Multi domain challenge > policies, AAA msg
● ASM template supporting services, switching technologies
● Building a complex decision network <> scalability, stability and performance
Thank you !