policy-based automatic configuration of network elements in separate segments
DESCRIPTION
Policy-based Automatic Configuration of Network Elements in Separate Segments. Tomomi Yoshioka, Tomohiro Igakura, and Toshio Tonouchi NEC Corporation Networking Research Laboratories 4-1-1 Miyazaki , Miyamae -ku, K awasaki -city , K anagawa 21 6 -8 555 , Japan - PowerPoint PPT PresentationTRANSCRIPT
Policy-based Automatic Configuration of Network Elements in Separate Segments
Tomomi Yoshioka, Tomohiro Igakura, and Toshio Tonouchi
NEC Corporation
Networking Research Laboratories4-1-1 Miyazaki, Miyamae-ku, Kawasaki-city,
Kanagawa 216-8555, JapanE-mail: {t-yoshioka@ab, t-igakura@bx, tonouchi@cw}.jp.nec.com
(2)
Introduction – Corporate Network• Large networks always suffer from
heterogeneity.• Networks divided by division firewalls bring
inconsistency. • Evolving corporate network requires frequent
management system update.
ServerFirewall
Client Firewall Client Firewall
ServerFirewall
Client Firewall
Client FirewallServerFirewall
Client Firewall
NMS
Policy based management
system
ServerFirewall
(3)
Issues
• COPS Policy Server [RFC 2748] – Distributes the same policy set
to all network elements
– Supports homogeneous environment only
• General Purpose Policy Control Language such as [Sloman94]– Focuses on the control of a
network element.– Lacks the ability to describe
relationship among managed network elements.
Policy Server
policypolicypolicy
Policy deployment
policy enforcement points
Policy ServerPolicy deployment
policy enforcement points
(4)
Proposal; Policy-based Automatic Configuration System
• Policy Server;– accepts policies that determine messages sent to network elements,– receives the control command messages, and forwards the message to hosts that have to receive it.
• Therefore;– this policy-based automatic network control system is able to handle heterogeneity because the Policy
Server can receive and send messages to any kinds of network elements,– since the message forwarding is managed with the policy on the server, each network element receives
messages that do relate the element.
Bob
Policy Server
PrinterPrinter
ManagerPagerServer
2
1
From: BobMessage Acceptance Policy: (policy data)
From: BobMessage Acceptance Policy: (policy data)
3
To: (features of NE)To do: (control data)
To: (features of NE)To do: (control data)
Bob registers his policy in the Policy Server.
The printer sends a control command message.
The Policy Server forwards the message to a host whose policy indicates that it offers that particular service.
Receiver Content
Administrator Console
All errors
Printer Manager Printer Error
Bob Paper Jam
Pager Server Any severe trouble
(5)
Policy-based System Architecture ~Automatic management consistent over separated segments~• Network structure : Three segments
– Personnel Department– Research Department– System Administration Department
• For a Client in the Research Department to use a service offered by the Personnel Department…
FirewallFirewall
Firewall
Client AP Service Server
Policy ServerAuthentication Server
Research Department Personnel Department
System Administration Department
VPN
1. Authentication of a Client
2. Reconfiguration of all relevant firewalls
3. Access to the AP Service Server
VPN : Virtual Private Network
(6)
Policy-based System Architecture~Configuration Sequence~
• A Client logs onto the network control system.
Research Department
Personnel Department
System Administration Department
VPN
FirewallFirewall
Firewall
AP Service Server
Policy Server
Authentication Server
Client
1
2
3
67
89
message: sendmessageid: 003receivers: /net/fw/(syncopation)
HeadsName “ClientNatAndFw”;pName “thruClient”;rID 8;BodysT,”192.168.0.50”;sT,”10.56.33.54”End
message: sendmessageid: 003receivers: /net/fw/(syncopation)
HeadsName “ClientNatAndFw”;pName “thruClient”;rID 8;BodysT,”192.168.0.50”;sT,”10.56.33.54”End
FW of the ResearchDepartment receivers=/net/fw/research/xxx01
:FW ID
FW of the Personnel
Department
receivers=/net/fw/personnel/xxx01
:FW ID
AP Service Server 1 sv=vvv01 :Service name
pt=9000 :Port number
Command message
4. A request to conduct a further reconfiguration of the firewalls
Policy
5. Forward messages requesting reconfiguration
(7)
Policy-based System Architecture~Control Command Message and Policy~
message: sendmessageid: 003receivers: /net/fw/(syncopation)
HeadsName “ClientNatAndFw”;pName “thruClient”;rID 8;BodysT,”192.168.0.50”;sT,”10.56.33.54”;End
message: sendmessageid: 003receivers: /net/fw/(syncopation)
HeadsName “ClientNatAndFw”;pName “thruClient”;rID 8;BodysT,”192.168.0.50”;sT,”10.56.33.54”;End
Command name to be executed
Parameter value, which is the string data indicating the IP address of the Research firewall.
FW of the ResearchDepartment receivers=/net/fw/research/xxx01
:FW ID
FW of the Personnel Department
receivers=/net/fw/personnel/xxx01
:FW ID
AP Service Server 1 sv=vvv01 :Service name
pt=9000 :Port number
Policy
Control command message
Header, which thePolicy Server compares to registered policies.
Payload, which contains the control command to reconfigure firewalls. The control command is written in “cDR”.
Attribute “receivers” indicates destination(s) of messages to be forwarded.
Parameter name of Command
Parameter value of the IP address of the Client.
(8)
Feature 1~Plug and Play of a New AP Service Server~
FirewallFirewall
Firewall
Research DepartmentPersonnel Department
System Administration Department
VPNAP Service
Server
Policy Server
DHCP Server
• The server registers itself to Policy Server.
• The Policy Server reconfigures the related firewalls.
2. AP Service Server registers its policy into the Policy Server.
3. The AP service server reconfigures firewalls.
4. The AP service server requests the reconfiguration of the Research Department firewall.
5. The Policy server also reconfigures the client side firewall.
1. A DHCP request is sent to the DHCP server. DHCP server assigns an IP address to the new AP Service Server and replies it a DHCP reply.
DHCP : Dynamic Host Configuration Protocol
(9)
Feature 2 ~Automatic Failure Recovery (1)~
• Failed AP Service Server deregistration process
FirewallFirewall
Firewall
Research Department Personnel Department
System Administration Department
VPN
AP Service Server 1
Policy ServerFault Management Server
ClientAP Service Server 2FailureExecution request
message to the failed AP Service Server 1
1. Error response
2. Error report
3. Error report forward
4. A request message to deregister AP Service Server 1 policy
(10)
Feature 2 ~Automatic Failure Recovery (2)~
• AP Service Server 2 take-over process
FirewallFirewall
Firewall
Research Department
Personnel Department
System Administration Department
VPN
AP Service Server 1
Policy ServerFault Management Server
Client
AP Service Server 2Failure
5. Take-over request message
6. Forward of the take-over request message
7. Result for the request
8. Result forward
9. Result return
10. Result notification
(11)
Feature 3 ~Reconfiguration of Network Segments~
Department
FirewallFirewall
Firewall
Research DepartmentDepartment
System Administration Department
VPNAP Service Server
Firewall
Policy Server
Authentication Server
Client
AP Service Server
Even if a new network segment is added, existing policies is required no modifications.
2. Registration of AP Service Server
1. Registration of firewall at Department
5. Forward of message requesting reconfiguration
3
4
5
5
(12)
Conclusion & Future Work• Conclusion
– We proposed a network control system utilizing our Policy Server and made a proof-of-concept implementation.
– Important features of this network control system are:• Enabling to apply policy control even in heterogeneous network
environment• Adapting policy controls respecting the relationship among network
elements– The example applications of our system are:
• Plug and play of a new AP Service Server• Automatic failure recovery• Reconfiguration of network segments
• Future Work• A translator which makes stubs changing protocols from WSDL• An application tool which helps administrators to write policy• Quantitative evaluation• A study of next-generation autonomous system