Authorization of a QoS path based on Generic AAA
SC2002 Baltimore NOV 16-22
Bas van Oudenaarde
Advanced Internet Research Group
University of Amsterdam, [email protected]
EU IST-2001-32459
Content
● Introduction
● Concepts of Generic Authorization, Authentication & Accounting (AAA)
● Authorization / Control models
● Authorized path discovery
● AAA server authorization interaction
● Test bed / Bandwidth on Demand Server
● Conclusions
Introduction:
● Users require guaranteed high bandwidth connections
● Project: middleware solution for authorization of a Quality of Service (QoS) path
● As network resources need to be managed with different security systems and policies, this project identifies the major problems and tries to find inter-Grid level mechanisms capable of interoperating with the administrative domain specific authentication, authorization and management rules and procedures
● Prototype: Bandwidth on Demand server based on Generic AAA
Generic AAA:
● AAA Server: may be involved in Authorization, Authentication, Accounting
● AAA request < > Driving Policy
● Behavior of the generic part is determined by the combination of driving policies, ASMs and AAA requests
...Continued, Generic AAA
● The group has been participating in defining concepts for Generic AAA since March 1999, when the AAA WG was formed at IETF-44.
● The work later became an IRTF subject (AAAARCH RG).
● RFCs 2903 – 2906 describe the framework, architecture, example applications and requirements.
● Optical networking within a Grid environment is a research application for Generic AAA.
Generic AAA Architecture – RFC2903
[Figure: a Policy Decision Point (PDP) with an attached Policy Repository, and a Policy Enforcement Point (PEP) that sends a Request to the PDP and receives a Decision.]
● Policy Decision Point: the point where policy decisions are made.
● Policy Enforcement Point: the point where the policy decisions are actually enforced.
● Fundamental ideas inspired by the work of the IETF RAP WG, which in RFC 2753 describes a framework for Policy-based Admission Control; foundation for COPS.
Basic goal of Generic AAA: allow policy decisions to be made by multiple PDPs belonging to different administrative domains.
Generic AAA Architecture – RFC2903
[Figure: the PDP decomposed into a Rule Based Engine, an Application Specific Module and a Policy Repository; the Policy Enforcement Point exchanges Request / Decision messages with the PDP.]
● Achieve the goal by separating the logical decision process from the application specific parts within the PDP.
Generic AAA Architecture – RFC2903
[Figure: three AAA servers, each built from a Rule Based Engine, an Application Specific Module and a Policy Repository: one at a Service Provider and two at the HR Dept. and Finance Dept. of an Institute / Enterprise, backed by data labelled Users and Budgets. User A sends a Request, the servers exchange messages among themselves, and a Policy Enforcement Point at the Service Provider enforces the Decision.]
● Allow RBEs to talk to each other and exchange messages that can only have "boolean answers".
● Policies are hidden from the original requestor.
Generic AAA Framework – RFC2904
3 fundamentally different user initiated authorization sequences (each figure shows User, AAA server and Service with numbered message steps 1-4):
● Pull sequence: NAS, RSVP
● Agent sequence: brokers, agents
● Push sequence: token based access, Kerberos tickets
Generic AAA Framework – RFC2904
Separating the user awareness from the service yields roaming models. Example: roaming pull model.
[Figure: the User, the Service and an AAA server at the Service Provider, and a second AAA server at the User Home Organization; messages are numbered 1-6, with steps 3 and 4 exchanged between the two AAA servers.]
Authorization / Control models
● Network nodes & network links, where the relevant parameters are under the control of an AAA server
● Parameters are governed by a set of policies
● Consider a simple unidirectional QoS path between two nodes:
Individual Control model
Partial Control model
Full Control model
Individual Control model
[Figure: nodes N0 and N1 joined by a link; three AAA servers are shown, one per element.]
Partial Control model
[Figure: nodes N0 and N1 joined by a link; two AAA servers are shown.]
Full Control model
[Figure: nodes N0 and N1 joined by a link; a single AAA server is shown.]
Authorized path discovery
[Figure: nodes N0 through Nn, each with its own AAA server (AAA0, ...), connected by logical links ĩ.]
• QoS path through multiple administrative domains
• AAA servers > mechanism for advertising the connections they can establish
• Start with the simplest QoS path > Full Control model
• Logical network link ĩ instead of physical network link
• Decision tree for authorization of QoS elements
Example of AAA server authorization interactions
[Figure: domains D0 and D1 containing nodes N0, N1, N2 and Nnl, their AAA servers AAA0, AAA1 and AAA2 plus a combined AAA1,2, and logical links ĩ0,1 and ĩ2,nl.]
Test bed / Bandwidth on Demand
• Focus on optical networks; layer 1, 2 technologies
• 802.1Q VLAN switches
• Construct a private network
[Figure: test bed. Grid Domain A and Grid Domain B each hold Globus hosts with AAA clients; an Optical N/W Provider runs the AAA server, which controls two Cabletron SS 6000 802.1Q VLAN switches (FE network ports, SNMP control port) joined by a 1GB lightpath, with the "Internet" as the alternative path between the domains. AAA clients and the AAA server communicate over XML/SOAP.]
Generic AAA BoD: Agent sequence; Full Control model authorizing QoS path access via VLANs
[Figure: the same test bed with the fiber replaced by GMPLS / DWDM technology. Grid Domain A and Grid Domain B hold Globus hosts with AAA clients; the Optical N/W Provider runs the AAA server and a proxy, driven by CLI or XML, in front of the GMPLS network (GB network ports); the domains exchange Optimized TCP/IP traffic, with the "Internet" as the alternative path.]
Replace the fiber with GMPLS or DWDM technology
Example BoD request

```xml
<AAARequest version="0.1" type="BoD">
  <AuthorizationData>
    <Credential type="simple">
      <ID>person1</ID>
      <Key>1#fdjkj9#esn34k</Key>
    </Credential>
  </AuthorizationData>
  <BodData>
    <Source>100.10.20.30</Source>
    <Destination>110.1.2.3</Destination>
    <Bandwidth>2500</Bandwidth>
    <StartTime>now</StartTime>
    <Duration>3600</Duration>
  </BodData>
</AAARequest>
```
Example of BoD driving Policy

```
if ( ASM::Authorizer.authorize( Request::AuthorizationData.Credential.ID,
                                Request::AuthorizationData.Credential.Key ) )
then (
    ASM::RM.BoD( Request::ServiceData.SwitchData.Source,
                 Request::ServiceData.SwitchData.Destination,
                 Request::ServiceData.SwitchData.Bandwidth,
                 Request::ServiceData.SwitchData.StartTime,
                 Request::ServiceData.SwitchData.Duration );
    Reply::Answer.Message = "Request successful"
)
else (
    Reply::Error.Message = "Request failed"
)
```
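As an added example (not the project's code), a small Python rule-based engine that parses the example BoD request from the previous slide and evaluates the driving policy above. ASM::Authorizer and ASM::RM are the slides' names; their implementations, the credential store, the bandwidth capacity check and the reading of the request's BodData element (the slide policy names ServiceData.SwitchData) are assumptions, and unlike the slide policy the example also refuses the request when the RM cannot book the bandwidth.

```python
# Added example, not from the slides: a minimal RBE step that evaluates the BoD
# driving policy. ASM internals, credential store and capacity check are assumed.
import hmac
import xml.etree.ElementTree as ET

# Constructed copy of the example BoD request from the slides.
BOD_REQUEST = """<AAARequest version="0.1" type="BoD">
  <AuthorizationData>
    <Credential type="simple"><ID>person1</ID><Key>1#fdjkj9#esn34k</Key></Credential>
  </AuthorizationData>
  <BodData>
    <Source>100.10.20.30</Source><Destination>110.1.2.3</Destination>
    <Bandwidth>2500</Bandwidth><StartTime>now</StartTime><Duration>3600</Duration>
  </BodData>
</AAARequest>"""

class AuthorizerASM:
    """ASM::Authorizer - validates the simple ID/Key credential (assumed store)."""
    def __init__(self, credentials):
        self._credentials = credentials
    def authorize(self, cred_id, key):
        expected = self._credentials.get(cred_id)
        # constant-time compare so the ASM does not leak the key through timing
        return expected is not None and hmac.compare_digest(expected.encode(), key.encode())

class ResourceManagerASM:
    """ASM::RM - stands in for the VLAN switch driver; it only books bandwidth."""
    def __init__(self, capacity):
        self.free = capacity
        self.reservations = []
    def bod(self, src, dst, bandwidth, start, duration):
        if bandwidth <= 0 or bandwidth > self.free:   # nothing left on the lightpath
            return False
        self.free -= bandwidth
        self.reservations.append((src, dst, bandwidth, start, duration))
        return True

def evaluate_bod_policy(request_xml, authorizer, rm):
    """The driving policy: authorize the credential first, then provision the path."""
    req = ET.fromstring(request_xml)
    cred = req.find("AuthorizationData/Credential")
    bod = req.find("BodData")  # the slide policy reads ServiceData.SwitchData; assumed alias
    if cred is None or bod is None:
        return {"Error": "Request failed"}
    # 'and' short-circuits: the RM is never touched for an unauthorized request
    if authorizer.authorize(cred.findtext("ID", ""), cred.findtext("Key", "")) and rm.bod(
            bod.findtext("Source"), bod.findtext("Destination"), int(bod.findtext("Bandwidth")),
            bod.findtext("StartTime"), int(bod.findtext("Duration"))):
        return {"Answer": "Request successful"}
    return {"Error": "Request failed"}
```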
Summary / Conclusions
● AAA server behavior > ASMs, policies, AAA messages
● RBE only takes logical decisions (multi domain)
● Implement ASMs for difficult tasks to support the RBE
● Multi domain challenge > policies, AAA messages
● ASM template supporting services, switching technologies
● Building a complex decision network <> scalability, stability and performance
Thank you !