Generic AAA based provisioning of Network Elements: Status update
EVL, 9/10/03, Leon Gommans, University of Amsterdam
Update
- Generic AAA quick overview
- Generic AAA server status & features
- Testbed options
- Example policy and request message
- Discussion on request message format
Main functions of the AAA server
- "AAA server" may not be a good name, as what it does is:
- Receive a request message that may contain authorization information and other attributes
- Fetch a driving policy, evaluate the information contained in the request, and take an authorization decision
- Take one or more policy actions based on the outcome of the policy decision
- Evaluation of a policy may involve other AAA servers
Authorization sequences (source: RFC 2904). Figure: pull sequence, agent sequence and push sequence between user, AAA servers (AAA 1, AAA 2) and service; examples: NAS (remote access), RSVP (network QoS), agents, brokers, proxies, tokens, tickets, ACs, etc.
Example of AAA server combinations: roaming using the agent and pull sequences. Figure: user, home organization (AAA 1), service provider (AAA 2) and service.
Generic AAA Architecture (RFC 2903). The fundamental ideas are inspired by the work of the IETF RAP WG, which in RFC 2753 describes a framework for Policy-based Admission Control, the foundation for COPS. Policy Decision Point (PDP): the point where policy decisions are made. Policy Enforcement Point (PEP): the point where the policy decisions are actually enforced. Figure: PDP with policy repository; request/decision exchange with the PEP. Basic goal of Generic AAA: allow policy decisions to be made by multiple PDPs belonging to different administrative domains.
Generic AAA Architecture. The goal is achieved by separating the logical decision process from the application specific parts within the PDP. Figure: PDP containing Rule Based Engine, Policy Repository and Application Specific Module; request/decision exchange with the Policy Enforcement Point.
Generic AAA Architecture: Rule Based Engine. Figure: an AAA request enters the PDP (Rule Based Engine, Policy Repository, Application Specific Module); the decision goes to the Policy Enforcement Point, which handles the service request towards the service; a second PDP with its own Policy Repository and Application Specific Module holds the user rights.
Generic AAA server implementation at UvA
- First implementation of the RBE and ASMs was built as a servlet in an Apache / Axis web server environment. Demoed at iGrid 2002.
- Converted the RBE and ASMs to run within a J2EE EJB container (J2EE V1.4 beta 2 reference edition).
- Needed the Java Connector Architecture (JCA), which became available in 1.4, to communicate with the outside world over CLI/TL-1 or SNMP.
- Using JCA was a major effort (no or bad documentation, non-running example code, etc.).
- J2EE gives us WS features.
- Integrated a simple OGSA service as a test.
Example XML request message (the <credential> opening element is restored; the slide only showed its closing tag):

    <AAARequest version="0.1" type="BoD">
      <Authorization>
        <credential>
          <credential_type>simple</credential_type>
          <credential_ID>JanJansen</credential_ID>
          <credential_secret>#f034d</credential_secret>
        </credential>
      </Authorization>
      <BodData>
        <Source>192.168.1.5</Source>
        <Destination>192.168.1.6</Destination>
        <Bandwidth>1000</Bandwidth>
        <StartTime>now</StartTime>
        <Duration>20</Duration>
      </BodData>
    </AAARequest>
Example part of a Driving Policy (the closing parenthesis of the else branch is restored):

    if ( ( ASM::RM.CheckConnection( Request::BodData.Source, Request::BodData.Destination ) &&
           ( Request::BodData.Bandwidth <= 1000 ) ) )
    then (
        ASM::RM.RequestConnection( Request::BodData.Source, Request::BodData.Destination,
                                   Request::BodData.Bandwidth, Request::BodData.StartTime,
                                   Request::BodData.Duration ) ;
        Reply::AnswerMessage = "Request successful"
    )
    else (
        Reply::ErrorMessage = "Request failed"
    )
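The request message and driving policy above, worked through as an added Python example (not code from the UvA AAA toolkit): the request is parsed into the Request::BodData slots, a stub Application Specific Module stands in for ASM::RM, and the policy's condition/action structure is evaluated. The credential store, the link topology and the constant-time secret check are assumptions added for illustration.

```python
import hmac
import xml.etree.ElementTree as ET

# Constructed request modelled on the slide's AAARequest (BoD = bandwidth on demand);
# the <credential> wrapper is assumed from the stray </credential> in the slide.
SAMPLE_REQUEST = """<AAARequest version="0.1" type="BoD">
  <Authorization><credential>
    <credential_type>simple</credential_type>
    <credential_ID>JanJansen</credential_ID>
    <credential_secret>#f034d</credential_secret>
  </credential></Authorization>
  <BodData><Source>192.168.1.5</Source><Destination>192.168.1.6</Destination>
    <Bandwidth>1000</Bandwidth><StartTime>now</StartTime><Duration>20</Duration></BodData>
</AAARequest>"""

# Constructed credential store; stands in for the backend of the "simple" credential type.
CREDENTIALS = {"JanJansen": "#f034d"}

class ResourceManagerASM:
    """Hypothetical ASM standing in for the slide's ASM::RM (the real one talks to a switch)."""

    def __init__(self, links):
        self.links = set(links)        # constructed topology: (src, dst) pairs that can be connected
        self.connections = []          # policy actions taken; this is what a PEP would enforce

    def check_connection(self, src, dst):
        return (src, dst) in self.links

    def request_connection(self, src, dst, bw, start, duration):
        self.connections.append((src, dst, bw, start, duration))

def parse_request(xml_text):
    """Flatten the XML into the Request::Authorization / Request::BodData slots the policy reads."""
    root = ET.fromstring(xml_text)
    cred, bod = root.find("Authorization/credential"), root.find("BodData")
    return {"ID": cred.findtext("credential_ID") or "", "Secret": cred.findtext("credential_secret") or "",
            "Source": bod.findtext("Source"), "Destination": bod.findtext("Destination"),
            "Bandwidth": int(bod.findtext("Bandwidth")), "StartTime": bod.findtext("StartTime"),
            "Duration": int(bod.findtext("Duration"))}

def evaluate_policy(req, rm, max_bw=1000):
    """RBE step: authenticate the credential, then apply the slide's driving policy (condition -> actions)."""
    expected = CREDENTIALS.get(req["ID"], "")
    authenticated = hmac.compare_digest(expected, req["Secret"])  # constant-time compare of the secret
    if authenticated and rm.check_connection(req["Source"], req["Destination"]) and req["Bandwidth"] <= max_bw:
        rm.request_connection(req["Source"], req["Destination"], req["Bandwidth"],
                              req["StartTime"], req["Duration"])
        return {"AnswerMessage": "Request successful"}
    return {"ErrorMessage": "Request failed"}
```

A request that exceeds the 1000 bandwidth limit, names a source/destination pair the resource manager cannot connect, or carries a wrong secret is refused without any policy action being taken.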
J2EE implementation, AAA Toolkit port. Figure: XML requests enter the RBE (beans, slot table); JCA 1.5 resource adapters connect through a logical ASM to the EIS back-ends (Calient resource adapter, GARA, VOMS); policy repository. (EIS = Enterprise Information System)
Calient DiamondWave API. Figure: PXC, AAA RBE, ASM and TL1 manager (Java).
- Layer 1 optical cross connect
- Calient TL1 interface; developed a TL1 manager API
- Persistence data: [ port, cross_port ]
- TL1 manager API: cross(), break(), portState() and connection methods to the Calient
Single-domain 802.1Q VLAN setup (demoed at iGrid 2002). Figure: AAA request message (XML/SOAP) to the AAA server; SNMP with the Dot1Q Bridge MIB to the 802.1Q VLAN switches; 1000 SX links.
Single-domain Calient setup (available). Figure: AAA request message (XML/SOAP) to the AAA server; TL-1 to the Calient PXC; 1000 LX links.
Multi-domain setup (awaiting hardware). Figure: AAA request message (XML/SOAP) to the AAA server; SNMP with the Dot1Q Bridge MIB to the 802.1Q VLAN switches and TL-1 to the Calient PXC; 1000 LX links.
Multi-domain Calient setup, SC 2003 option 1. Figure: AAA request message (XML/SOAP) to the AAA server; request message format towards PIN still open (?); TL-1 to the Calient PXC; 15454 and Calient PXC in the US domain; 1000 LX links.
Multi-domain Calient setup, SC 2003 option 2. Figure: AAA request message (XML/SOAP) to the AAA server; request message format towards PIN still open (?); a second AAA server speaks TL-1 to the Calient PXC; 15454 and Calient PXC in the US domain; 1000 LX links.
Multi-domain setup, future option. Figure: AAA request message (XML/SOAP); AAA servers and PIN; 802.1Q VLAN switch and Calient PXC at Netherlight; 15454 and Calient PXC in the US domain; 1000 LX links.
Thank you! Research funded by the EU DataTAG project and SURFnet. Leon Gommans, lgommans@science.uva.nl