
Page 1: RSVP Policy Control using XACML Pontifícia Universidade Católica do Paraná PUC-PR, Brazil Presented by: Emir Toktar toktar@ppgia.pucpr.br Emir Toktar Edgard

RSVP Policy Control using XACML

Pontifícia Universidade Católica do Paraná PUC-PR, Brazil

Presented by: Emir Toktar toktar@ppgia.pucpr.br

Emir Toktar, Edgard Jamhour, Carlos Maziero

Page 2: Summary

Emir Toktar - Policy 2004 2

Motivation
Proposal
RSVP Policy Control
XACML Framework
XACML Extensions
Example
Conclusions
Future Works

Page 3: Motivation

Many IETF publications on QoS management are based on PCIM extensions. PCIM is an information model, and PCIM deployment can be complex.

XACML offers an alternative for defining policies in XML: a model suited to business-level policies that is easy to understand and deploy.

IETF: Internet Engineering Task Force; OASIS: Organization for the Advancement of Structured Information Standards; PCIM: Policy Core Information Model; XACML: eXtensible Access Control Markup Language.

Page 4: Motivation

RSVP Policy Control is an "access control" problem, well suited to XACML.

However, to address the RSVP problem properly, additional RSVP information must be returned together with the access control decision (e.g. the Tspec). This requires XACML extensions.

Policy Control is not Admission Control.

Page 5: Proposal

Define XACML extensions for addressing the RSVP Policy Control issue.

Compare the XACML-based framework with the IETF PCIM-based framework with respect to policy definition and framework implementation.

Page 6: RSVP Policy Control

RSVP Policy Control [RFC 2753] manages the use of network resources and services based on policies derived from criteria such as the identity of users and applications, traffic/bandwidth requirements, security considerations and time-of-day/week.

These are business-level policies, i.e. they can be addressed by XACML.

Page 7: RSVP Admission Control

Admission control only takes into account the requester's resource reservation request and the available capacity.

The available capacity is stateful information held in the routers, and it is not addressed in our proposal.

Page 8: Policy Language Model

[Figure: XACML Policy Language Model (UML class diagram). A PolicySet has one Policy Combining Algorithm, one Target and 0..1 Obligations, and contains 1..* Policy elements (or nested PolicySets). A Policy has one Rule Combining Algorithm, one Target, 0..1 Obligations and 1..* Rule elements. A Target is made of Subject, Resource and Action elements (1..* each). A Rule has one Effect and 0..1 Condition.]

Page 9: XACML Example

[Figure: the Policy Language Model of Page 8 (Policy, Target with Subject/Resource/Action, Rule Combining Algorithm, Rule with Effect and Condition), instantiated with the values below.]

Policy = Multimedia
Rule Combining Algorithm = Deny-Overrides
Target: Subject = [email protected] (UsersRegs); Resource = VideoServer; Action = login
Rule: Effect = Permit; Condition = >08h00 and <17h00

"the user [email protected] can login on a Video Server in the period between 08:00AM and 05:00PM"

Page 10: XACML Framework adapted to RSVP

The PEP element is a component of the server application and is responsible for all integration with the RSVP daemon, so the application is relieved of any QoS negotiation task. This approach can be implemented in any system that supports RSVP APIs. XACML does not define any policy transaction protocol between PDP and PEP.

[Figure: the RSVP client (Receiver) sends "Request connection" to the Multimedia Server (Sender), whose PEP builds an XACML Request context and sends it to the Policy Server (PDP). The PDP evaluates Policy.xml, which refers to Resources.xml and Subjects.xml through uri-ref#xpointer( ) links, and returns an XACML Response context. The PEP then drives the RSVP daemon: PATH (RSVP path) flows from Sender to Receiver and RESV (RSVP reservation) back, through the Routers.]

Page 11: XACML Problems

Resource and user information is supposed to be defined in the policy document.

Reusing resource and user information requires creating references to external information.

Addressing external information was not well developed in XACML 1.1.

Page 12: Proposal

Use XPointer language to create policies with reusable User and Resource Information.

[Figure: the RSVP Policy Set (XACML) refers, through uri-ref#xpointer( ) links, to a Resource Repository (XML) holding information about network services with RSVP support, including the required Tspec, and to a User Repository (XML) holding information about users and their attributes.]

Page 13: Proposal

<?xml version="1.0" encoding="UTF-8" ?>
<PolicySet PolicySetId="RSVP_Aware_server_Application">
  <Target> <!-- Defines the Services (RESOURCES) to which the policy applies --> </Target>
  <Policy PolicyId="Service Level 1"> <!-- Policy 1 - e.g. SERVICE GOLD -->
    <Rule>
      <Target> <!-- Subjects to which the policy applies --> </Target>
      <Condition> <!-- Time and client's IP address restrictions --> </Condition>
    </Rule>
    <Obligations> <!-- Tspec specifications for Service Level 1 --> </Obligations>
  </Policy>
  <Policy PolicyId="Service Level 2"> <!-- Policy 2 - e.g. SERVICE SILVER --> </Policy>
  <Policy PolicyId="Service Level 3"> <!-- Policy 3 - e.g. SERVICE BRONZE --> </Policy>
  <Policy PolicyId="Default Policy"> <!-- Policy 4 - usually Deny All --> </Policy>
</PolicySet>

The strategy adopted for describing an RSVP policy.

Page 14: Proposal

QoS information is returned by the Obligations.

A single service can offer different service levels.

An XML schema describes the RSVP parameters used to build the PATH message: the Tspec {r, b, p, m, M}, the type of service (GS = Guaranteed / CL = Controlled-Load) and the reservation style, as described in RFC 2210 and RFC 2215.
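The PEP has to turn the Tspec {r, b, p, m, M} it receives from the PDP into the SENDER_TSPEC object of the RSVP PATH message. The following Python is an added example, not code from the presentation or from the authors' framework. It packs the Gold-level values of the Resources.xml slide (Page 31) into the Int-serv SENDER_TSPEC layout of RFC 2210 section 3.1 (RSVP object header of RFC 2205 with Class-Num 12 and C-Type 2, the general-parameters service header, and the token-bucket parameter 127 of RFC 2215), parses the object back, and refuses parameter sets that no policy should ever hand to the RSVP daemon (p < r, M < m, non-positive values). GOLD_RESPONSE is constructed here from the attribute names of the Response slide (Page 25); note that the Response slide shows m and M of 13875 for Gold while Resources.xml gives 340, and this example uses the Resources.xml values.

```python
"""Build and check the RSVP SENDER_TSPEC object a PEP puts into the PATH message
from the Tspec the PDP returned (added example, not the authors' code)."""
import struct

SENDER_TSPEC_CLASS, INTSERV_CTYPE = 12, 2   # RFC 2205 Class-Num, RFC 2210 C-Type
GENERAL_PARAMETERS_SERVICE = 1               # RFC 2215: service header "default/general parameters"
TOKEN_BUCKET_TSPEC = 127                     # RFC 2215: parameter ID of the token bucket Tspec


def tspec_problems(r, b, p, m, M):
    """Return the reasons a PEP must refuse to signal this Tspec (empty list if it is sane)."""
    problems = []
    if min(r, b, p) <= 0 or m <= 0 or M <= 0:
        problems.append("all Tspec values must be positive")
    if p < r:
        problems.append("peak rate p must be >= token bucket rate r")
    if M < m:
        problems.append("maximum packet size M must be >= minimum policed unit m")
    return problems


def build_sender_tspec(r, b, p, m, M):
    """Pack the 36-byte Int-serv SENDER_TSPEC object (RFC 2210 section 3.1)."""
    problems = tspec_problems(r, b, p, m, M)
    if problems:
        raise ValueError("; ".join(problems))
    body = (struct.pack(">HH", 0, 7)                                  # version 0; 7 words follow
            + struct.pack(">BBH", GENERAL_PARAMETERS_SERVICE, 0, 6)   # service 1; 6 words follow
            + struct.pack(">BBH", TOKEN_BUCKET_TSPEC, 0, 5)           # parameter 127, no flags; 5 words
            + struct.pack(">fffII", r, b, p, m, M))                   # r, b, p float32; m, M uint32
    header = struct.pack(">HBB", 4 + len(body), SENDER_TSPEC_CLASS, INTSERV_CTYPE)
    return header + body


def parse_sender_tspec(obj):
    """Inverse of build_sender_tspec; checks every header field before trusting the values."""
    if len(obj) < 36:
        raise ValueError("SENDER_TSPEC object too short")
    length, cls, ctype = struct.unpack(">HBB", obj[:4])
    if (length, cls, ctype) != (len(obj), SENDER_TSPEC_CLASS, INTSERV_CTYPE):
        raise ValueError("not an Int-serv SENDER_TSPEC object")
    _version, words = struct.unpack(">HH", obj[4:8])
    service, _flags, slen = struct.unpack(">BBH", obj[8:12])
    param, _pflags, plen = struct.unpack(">BBH", obj[12:16])
    if (words, service, slen, param, plen) != (7, GENERAL_PARAMETERS_SERVICE, 6, TOKEN_BUCKET_TSPEC, 5):
        raise ValueError("unexpected Int-serv layout in SENDER_TSPEC")
    r, b, p, m, M = struct.unpack(">fffII", obj[16:36])
    return {"r": r, "b": b, "p": p, "m": m, "M": M}


def sender_tspec_from_response(assignments, slot=1):
    """Take service level '#slot' out of the Response's AttributeAssignments and pack it."""
    def value(name):
        return assignments[f"{name}#{slot}"]
    return build_sender_tspec(float(value("TokenBucketRate_r")), float(value("TokenBucketSize_b")),
                              float(value("PeakRate_p")), int(value("MinimumPoliceUnit_m")),
                              int(value("MaximumPacketSize_M")))


# Constructed from the Response slide's attribute names, with the Gold Tspec of Resources.xml.
GOLD_RESPONSE = {"RsvpClass#1": "G711", "TokenBucketRate_r#1": "9250.0", "TokenBucketSize_b#1": "680.0",
                 "PeakRate_p#1": "13875.0", "MinimumPoliceUnit_m#1": "340", "MaximumPacketSize_M#1": "340",
                 "RsvpService#1": "Guaranteed", "ServiceQoS#1": "FF"}

if __name__ == "__main__":
    obj = sender_tspec_from_response(GOLD_RESPONSE)
    print(obj.hex(), parse_sender_tspec(obj))
```

The sanity check is deliberately on the PEP side: the PDP returns whatever the resource document says, and a typo in Resources.xml (or a compromised policy server) must not become a reservation request the RSVP daemon signals on the user's behalf.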

Page 15: Example

a) Registered students have permission to access any server in the campus offering a "TutorialVideoStreaming" service, without time restrictions.

If a student connects to a server from a client host inside the campus, the student receives the "GOLD" or "SILVER" service level; otherwise, the student receives the "BRONZE" service level.

Page 16: Example

b) Unregistered students can access the "TutorialVideoStreaming" service only from the internal network and only outside business hours.

They can receive only the "BRONZE" service level.

Page 17: Scenario example: XACML Request context

[Figure: the Receiver (RSVP client, user etoktar at 192.168.0.1) requests a connection to the Multimedia Server (Sender, 192.168.200.10, resource TutorialVideo). The server's PEP sends the XACML Request context below to the Policy Server (PDP) with the action getResourceQoS; PATH and RESV then flow through the Router.]

<Request>
  <Subject>
    <Attribute AttributeId="...:subject-id"><AttributeValue>etoktar</AttributeValue></Attribute>
    <Attribute AttributeId="...:ip-address:receiver"><AttributeValue>192.168.0.1</AttributeValue></Attribute>
  </Subject>
  <Resource>
    <Attribute AttributeId="...:resource-id"><AttributeValue>TutorialVideo</AttributeValue></Attribute>
    <Attribute AttributeId="...:ip-address:sender"><AttributeValue>192.168.200.10</AttributeValue></Attribute>
  </Resource>
  <Action>
    <Attribute AttributeId="...:action-id:ServerAction"><AttributeValue>getResourceQoS</AttributeValue></Attribute>
  </Action>
</Request>

Receiver: etoktar, 192.168.0.1. Sender: 192.168.200.10, TutorialVideo. Action: getResourceQoS.

Page 18: Example of Service Document (Resources.xml)

<?xml version="1.0" encoding="UTF-8"?>
<service serviceId="TutorialVideoStreaming">
  <description>tutorial videos in the university campus</description>
  <sap> <!-- collapsed here; expanded on Page 30 --> </sap>
  <serviceLevel serviceId="Gold">
    <ResourceRsvp AttributeId="qosG711" RsvpClass="G711"> <!-- collapsed here; expanded on Page 31 --> </ResourceRsvp>
  </serviceLevel>
  <serviceLevel serviceId="Silver">
    <ResourceRsvp AttributeId="qosH261Q" RsvpClass="H261QCIF"> <!-- collapsed --> </ResourceRsvp>
  </serviceLevel>
  <serviceLevel serviceId="Bronze">
    <ResourceRsvp AttributeId="qosH263C" RsvpClass="H263CIF"> <!-- collapsed --> </ResourceRsvp>
  </serviceLevel>
</service>

Page 19: Example of User Document (Subjects.xml)

<?xml version="1.0" encoding="UTF-8"?>
<subjects>
  <user>
    <cn>Emir Toktar</cn><sn>Toktar</sn><uid>etoktar</uid>
    <mail>[email protected]</mail>
    <businessCategory>RegisteredStudent</businessCategory>
  </user>
  <user>
    <cn>Luiz Cesar</cn><sn>Cezar</sn><uid>lcezar</uid>
    <mail>[email protected]</mail>
    <businessCategory>RegisteredStudent</businessCategory>
  </user>
  <user> <!-- collapsed --> </user>
  <user>
    <cn>Guest</cn><uid>guest</uid>
    <businessCategory>UnregisteredStudent</businessCategory>
  </user>
  <user> <!-- collapsed --> </user>
  <user> <!-- collapsed --> </user>
  <user> <!-- collapsed --> </user>
</subjects>

Page 20: Example of Policy Document (Policy.xml)

<?xml version="1.0" encoding="UTF-8" ?>
<PolicySet PolicySetId="TutorialVideo" xmlns="..." xmlns:xsi="..." xsi:schemaLocation="..."
           PolicyCombiningAlgId="...:policy-combining-algorithm:first-applicable">
  <Target> <!-- collapsed here; expanded on Page 21 --> </Target>
  <!-- Policy 1 -->
  <Policy PolicyId="...:policy:TutorialRegStudentsInternal"
          RuleCombiningAlgId="...:rule-combining-algorithm:first-applicable"> <!-- expanded on Pages 22 and 23 --> </Policy>
  <!-- Policy 02 -->
  <Policy PolicyId="...:policy:TutorialRegStudentsExternal"
          RuleCombiningAlgId="...:rule-combining-algorithm:first-applicable"> <!-- collapsed --> </Policy>
  <!-- Policy 03 -->
  <Policy PolicyId="...:policy:TutorialRegStudentsGuest"
          RuleCombiningAlgId="...:rule-combining-algorithm:first-applicable"> <!-- collapsed --> </Policy>
  <!-- Policy 04 - Deny for All -->
  <Policy PolicyId="...:policy:TutorialDenyForOthers"
          RuleCombiningAlgId="...:rule-combining-algorithm:first-applicable"> <!-- expanded on Page 24 --> </Policy>
</PolicySet>

Page 21: Example of Policy: PolicySet Target

<Target>
  <Subjects> <!-- collapsed --> </Subjects>
  <Resources>
    <Resource>
      <ResourceMatch MatchId="...:function:string-equal">
        <AttributeValue>TutorialVideo</AttributeValue>
        <ResourceAttributeDesignator AttributeId="...:resource-id"/>
      </ResourceMatch>
      <ResourceMatch MatchId="...:function:xpath-node-match">
        <AttributeValue>http://pdp/resources.xml#xpointer(//service[@serviceId="TutorialVideoStreaming"]/sap/inetaddress/text())</AttributeValue>
        <ResourceAttributeDesignator AttributeId="...:ip-address:sender"/>
      </ResourceMatch>
    </Resource>
  </Resources>
  <Actions> <!-- collapsed --> </Actions>
</Target>

In the slide, the resource-id and ip-address:sender values are taken from the Request context (Page 17), and the xpath-node-match value is a uri-ref#xpointer( ) link from Policy.xml into Resources.xml.

Page 22: Example of Policy # 1

<Policy PolicyId="...:TutorialRegStudentsInternal" RuleCombiningAlgId="...">
  <Target> <!-- collapsed --> </Target>
  <Rule RuleId="...:Reg_Studens_Internal_Get_Gold_Silver" Effect="Permit">
    <Target> <!-- other elements suppressed -->
      <SubjectMatch MatchId="...:function:xpath-node-match">
        <AttributeValue>http://pdp/subjects.xml#xpointer(//subjects/user[businessCategory='RegisteredStudent']/uid/text())</AttributeValue>
        <SubjectAttributeDesignator AttributeId="...:subject-id"/>
      </SubjectMatch>
      <ActionMatch MatchId="...:function:string-equal">
        <AttributeValue>getResourceQoS</AttributeValue>
        <ActionAttributeDesignator AttributeId="...:action-id:ServerAction"/>
      </ActionMatch>
    </Target>
    <!-- the Rule continues on Page 23 -->

The subject-id and action-id values are taken from the Request context; the xpath-node-match value links Policy.xml to Subjects.xml.

Page 23: Example of Policy Document # 1 (continued)

    <!-- continuation of the Rule from Page 22 -->
    <Condition FunctionId="...:function:or"> <!-- IP intranet range -->
      <Apply FunctionId="...:function:any-of">
        <Function FunctionId="...:function:regexp-string-match"/>
        <AttributeValue>192.168.0.*</AttributeValue>
        <SubjectAttributeDesignator AttributeId="...:ip-address:receiver"/>
      </Apply>
    </Condition>
  </Rule>
  <Obligations>
    <Obligation ObligationId="...:GoldSilverStudentsInternal" FulfillOn="Permit">
      <AttributeAssignment AttributeId="...:qosG711" DataType="...">http://pdp/resources.xml#xpointer(//service/serviceLevel[@serviceId='Gold']/ResourceRsvp/*)</AttributeAssignment>
      <AttributeAssignment AttributeId="...:qosH261Q" DataType="...">http://pdp/resources.xml#xpointer(//service/serviceLevel[@serviceId='Silver']/ResourceRsvp/*)</AttributeAssignment>
    </Obligation>
  </Obligations>
</Policy>

The ip-address:receiver value is taken from the Request context.

Page 24: Example of Policy Document # 4

<!-- Policy 04 - Deny for All -->
<Policy PolicyId="...:TutorialDenyForOthers" RuleCombiningAlgId="...">
  <Target>
    <Subjects>
      <AnySubject/>
    </Subjects>
    <Resources>
      <AnyResource/>
    </Resources>
    <Actions>
      <AnyAction/>
    </Actions>
  </Target>
  <Rule RuleId="...:Tutorial_Deny_Rule_For_Others" Effect="Deny"/>
</Policy>

Page 25: Example of Response

<?xml version="1.0" encoding="UTF-8"?>
<Response xmlns="...:context" xmlns:xsi="..." xsi:schemaLocation="... cs-xacml-schema-context-01.xsd">
  <Result>
    <Decision>Permit</Decision>
    <Status> <!-- collapsed --> </Status>
    <Obligations xmlns="...:policy">
      <Obligation ObligationId="...:qos:GoldSilverStudentsInternal" FulfillOn="Permit">
        <!-- service level #1 (Gold) -->
        <AttributeAssignment AttributeId="RsvpClass#1" DataType="...#string">G711</AttributeAssignment>
        <AttributeAssignment AttributeId="TokenBucketRate_r#1" DataType="...#double">9250.0</AttributeAssignment>
        <AttributeAssignment AttributeId="TokenBucketSize_b#1" DataType="...#double">680.0</AttributeAssignment>
        <AttributeAssignment AttributeId="PeakRate_p#1" DataType="...#double">13875.0</AttributeAssignment>
        <AttributeAssignment AttributeId="MinimumPoliceUnit_m#1" DataType="...#integer">13875</AttributeAssignment>
        <AttributeAssignment AttributeId="MaximumPacketSize_M#1" DataType="...#integer">13875</AttributeAssignment>
        <AttributeAssignment AttributeId="RsvpService#1" DataType="...#string">Guaranteed</AttributeAssignment>
        <AttributeAssignment AttributeId="ServiceQoS#1" DataType="...#string">FF</AttributeAssignment>
        <!-- service level #2 (Silver) -->
        <AttributeAssignment AttributeId="RsvpClass#2" DataType="...#string">H261QCIF</AttributeAssignment>
        <AttributeAssignment AttributeId="TokenBucketRate_r#2" DataType="...#double">12000.0</AttributeAssignment>
        <AttributeAssignment AttributeId="TokenBucketSize_b#2" DataType="...#double">6000.0</AttributeAssignment>
        <AttributeAssignment AttributeId="PeakRate_p#2" DataType="...#double">12000.0</AttributeAssignment>
        <AttributeAssignment AttributeId="MinimumPoliceUnit_m#2" DataType="...#integer">80</AttributeAssignment>
        <AttributeAssignment AttributeId="MaximumPacketSize_M#2" DataType="...#integer">2500</AttributeAssignment>
        <AttributeAssignment AttributeId="RsvpService#2" DataType="...#string">Controlled-load</AttributeAssignment>
        <AttributeAssignment AttributeId="ServiceQoS#2" DataType="...#string">SE</AttributeAssignment>
      </Obligation>
    </Obligations>
  </Result>
</Response>
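The PolicySet of Pages 20 to 24 and the Response of Page 25 can be exercised end to end with the following Python PDP. It is an added example, not the authors' framework or Sun's package: it emulates first-applicable policy combining over the four policies, the xpath-node-match function of Pages 12 and 27 that resolves uri-ref#xpointer( ) links against Subjects.xml and Resources.xml, and Obligations that return the Tspec of the granted service levels. Assumptions: the two XML documents are constructed from the slides (the Bronze Tspec values are not shown on the slides and are invented here); the http://pdp/ URIs are resolved from an in-memory allow-list rather than fetched, so a policy cannot make the PDP dereference an arbitrary URI; the intranet test uses the network 192.168.0.0/24 instead of the slide's regexp 192.168.0.*, which is unanchored and has unescaped dots and therefore also matches addresses such as 192.168.01.5; business hours are taken as 08:00 to 17:00 from the login example on Page 9; the XPath subset is what Python's xml.etree supports, so /text() is handled by the resolver.

```python
"""Toy XACML-style PDP for the TutorialVideo PolicySet (added example, not the authors' code)."""
import ipaddress
import re
import xml.etree.ElementTree as ET

# Constructed from the Subjects.xml and Resources.xml slides. The Bronze Tspec
# values are not shown on the slides and are assumed here.
SUBJECTS_XML = """<subjects>
  <user><uid>etoktar</uid><businessCategory>RegisteredStudent</businessCategory></user>
  <user><uid>lcezar</uid><businessCategory>RegisteredStudent</businessCategory></user>
  <user><uid>guest</uid><businessCategory>UnregisteredStudent</businessCategory></user>
</subjects>"""
RESOURCES_XML = """<service serviceId="TutorialVideoStreaming">
  <sap><inetaddress>192.168.200.10</inetaddress><inetaddress>192.168.200.25</inetaddress>
       <inetaddress>192.168.5.3</inetaddress><protocol>TCP</protocol><port>8976</port></sap>
  <serviceLevel serviceId="Gold"><ResourceRsvp AttributeId="qosG711" RsvpClass="G711">
    <TspecBucketRate_r>9250</TspecBucketRate_r><TspecBucketSize_b>680</TspecBucketSize_b>
    <TspecPeakRate_p>13875</TspecPeakRate_p><TspecMinPoliceUnit_m>340</TspecMinPoliceUnit_m>
    <TspecMaxPacketSize_M>340</TspecMaxPacketSize_M><RsvpService>Guaranteed</RsvpService>
    <RsvpStyle>FF</RsvpStyle></ResourceRsvp></serviceLevel>
  <serviceLevel serviceId="Silver"><ResourceRsvp AttributeId="qosH261Q" RsvpClass="H261QCIF">
    <TspecBucketRate_r>12000</TspecBucketRate_r><TspecBucketSize_b>6000</TspecBucketSize_b>
    <TspecPeakRate_p>12000</TspecPeakRate_p><TspecMinPoliceUnit_m>80</TspecMinPoliceUnit_m>
    <TspecMaxPacketSize_M>2500</TspecMaxPacketSize_M><RsvpService>Controlled-load</RsvpService>
    <RsvpStyle>SE</RsvpStyle></ResourceRsvp></serviceLevel>
  <serviceLevel serviceId="Bronze"><ResourceRsvp AttributeId="qosH263C" RsvpClass="H263CIF">
    <TspecBucketRate_r>4000</TspecBucketRate_r><TspecBucketSize_b>2000</TspecBucketSize_b>
    <TspecPeakRate_p>4000</TspecPeakRate_p><TspecMinPoliceUnit_m>80</TspecMinPoliceUnit_m>
    <TspecMaxPacketSize_M>1500</TspecMaxPacketSize_M><RsvpService>Controlled-load</RsvpService>
    <RsvpStyle>SE</RsvpStyle></ResourceRsvp></serviceLevel>
</service>"""


def _as_document(xml_text):
    """Wrap the root element so ElementTree's './/' can select it, as XPath '//' does."""
    doc = ET.Element("document")
    doc.append(ET.fromstring(xml_text))
    return doc


# Allow-list of dereferenceable documents: a policy must not be able to make the PDP fetch any URI.
DOCS = {"http://pdp/subjects.xml": _as_document(SUBJECTS_XML),
        "http://pdp/resources.xml": _as_document(RESOURCES_XML)}
XPOINTER = re.compile(r"^(?P<uri>[^#]+)#xpointer\((?P<expr>.+)\)$")


def xpath_nodes(ref):
    """Resolve 'uri-ref#xpointer(expr)'; a trailing /text() yields the selected nodes' text."""
    m = XPOINTER.match(ref)
    if not m or m["uri"] not in DOCS:
        raise ValueError("unresolvable reference: " + ref)
    expr = m["expr"]
    if expr.endswith("/text()"):
        return [n.text for n in DOCS[m["uri"]].findall("." + expr[:-len("/text()")])]
    return DOCS[m["uri"]].findall("." + expr)   # ElementTree needs the leading '.'


def xpath_node_match(ref, value):
    """The xpath-node-match function of the slides: true if value equals a selected node's text."""
    return value in xpath_nodes(ref)


def tspec_obligation(level):
    """AttributeAssignments for one service level: RsvpClass plus the Tspec children."""
    (rsvp,) = xpath_nodes("http://pdp/resources.xml#xpointer(//service/serviceLevel"
                          f"[@serviceId='{level}']/ResourceRsvp)")
    return {"RsvpClass": rsvp.get("RsvpClass"), **{c.tag: c.text for c in rsvp}}


INTRANET = ipaddress.ip_network("192.168.0.0/24")   # the slides' "192.168.0.*" as a real prefix test
BUSINESS_HOURS = range(8, 17)                        # assumed 08:00-17:00, as in the Page 9 login example
REGISTERED = "http://pdp/subjects.xml#xpointer(//subjects/user[businessCategory='RegisteredStudent']/uid/text())"
UNREGISTERED = "http://pdp/subjects.xml#xpointer(//subjects/user[businessCategory='UnregisteredStudent']/uid/text())"
SAP_ADDRESSES = "http://pdp/resources.xml#xpointer(//service[@serviceId='TutorialVideoStreaming']/sap/inetaddress/text())"


def evaluate(req):
    """PDP for the TutorialVideo PolicySet; policy combining is first-applicable, in slide order."""
    # PolicySet Target (Page 21): resource-id and a sender address registered for the service.
    if req["resource-id"] != "TutorialVideo" or not xpath_node_match(SAP_ADDRESSES, req["sender"]):
        return {"Decision": "NotApplicable", "Obligations": []}
    registered = xpath_node_match(REGISTERED, req["subject-id"])
    unregistered = xpath_node_match(UNREGISTERED, req["subject-id"])
    internal = ipaddress.ip_address(req["receiver"]) in INTRANET
    get_qos = req["action-id"] == "getResourceQoS"
    if registered and get_qos and internal:            # TutorialRegStudentsInternal
        return {"Decision": "Permit", "Obligations": [tspec_obligation("Gold"), tspec_obligation("Silver")]}
    if registered and get_qos:                         # TutorialRegStudentsExternal
        return {"Decision": "Permit", "Obligations": [tspec_obligation("Bronze")]}
    if unregistered and get_qos and internal and req["hour"] not in BUSINESS_HOURS:  # ...Guest
        return {"Decision": "Permit", "Obligations": [tspec_obligation("Bronze")]}
    return {"Decision": "Deny", "Obligations": []}     # TutorialDenyForOthers: AnySubject/AnyResource/AnyAction


if __name__ == "__main__":
    print(evaluate({"subject-id": "etoktar", "receiver": "192.168.0.1", "resource-id": "TutorialVideo",
                    "sender": "192.168.200.10", "action-id": "getResourceQoS", "hour": 10}))
```

Two design points carry over to a real deployment. First, because the policy-combining algorithm is first-applicable, the order of the four policies is part of the access-control logic: moving the Deny-for-all policy above the others would deny everyone, and leaving it out would turn every unmatched request into NotApplicable rather than Deny. Second, every external reference a policy resolves is a trust decision made by the PDP; restricting resolution to an allow-list of local, integrity-protected documents is what keeps a writable Subjects.xml or Resources.xml from becoming a way to grant Gold service to arbitrary users.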

Page 26: Framework Implementation

Sun's XACML package (sunxacml): http://sourceforge.net/projects/sunxacml/

SUN ONE Studio 4 update 1

Java 2 SDK, Standard Edition 1.4.2

The XACML XPath functions are optional, and the package does not implement them.

Page 27: Framework Modifications for supporting the Proposal

Used Jaxen to support XPath statements: a stand-alone XPath implementation that works with DOM, JDOM and ElectricXML.

RSVP XML schema definition: RSVP parameters (Tspec) to support the definition of Resources (XMLSpy v.5.0, release 4).

Function xpath-node-match developed. Syntax: "full XPointers" of the form uri-reference#scheme(expression)scheme(expression)…, with scheme name xpointer(xptr-expr).

Page 28: Conclusions

XACML is suited to business-level policies; the available framework is easy to use and extend.

PCIM has not addressed the business-level issue; it is focused on device configuration.

XACML requires additional specification for creating policies that refer to external documents.

The obligation structure must be extended to support a more flexible strategy for returning parameters.

XACML is an open standard that enables the creation of new tools for controlling and managing policies.

Page 29: Thank you!

Questions? Address them to toktar@ppgia.pucpr.br

Page 30: Example of Service Document - SAP

<?xml version="1.0" encoding="UTF-8"?>
<service serviceId="TutorialVideoStreaming">
  <description>tutorial videos in the university campus</description>
  <sap>
    <inetaddress>192.168.200.10</inetaddress>
    <inetaddress>192.168.200.25</inetaddress>
    <inetaddress>192.168.5.3</inetaddress>
    <protocol>TCP</protocol>
    <port>8976</port>
  </sap>
  <serviceLevel serviceId="Gold">
    <ResourceRsvp AttributeId="qosG711" RsvpClass="G711"> <!-- collapsed here; expanded on Page 31 --> </ResourceRsvp>
  </serviceLevel>
  <serviceLevel serviceId="Silver">
    <ResourceRsvp AttributeId="qosH261Q" RsvpClass="H261QCIF"> <!-- collapsed --> </ResourceRsvp>
  </serviceLevel>
  <serviceLevel serviceId="Bronze">
    <ResourceRsvp AttributeId="qosH263C" RsvpClass="H263CIF"> <!-- collapsed --> </ResourceRsvp>
  </serviceLevel>
</service>

Page 31: Example of Service Document - RSVP

<?xml version="1.0" encoding="UTF-8"?>
<service serviceId="TutorialVideoStreaming">
  <description>tutorial videos in the university campus</description>
  <sap> <!-- collapsed here; expanded on Page 30 --> </sap>
  <serviceLevel serviceId="Gold">
    <ResourceRsvp AttributeId="qosG711" RsvpClass="G711">
      <TspecBucketRate_r>9250</TspecBucketRate_r>
      <TspecBucketSize_b>680</TspecBucketSize_b>
      <TspecPeakRate_p>13875</TspecPeakRate_p>
      <TspecMinPoliceUnit_m>340</TspecMinPoliceUnit_m>
      <TspecMaxPacketSize_M>340</TspecMaxPacketSize_M>
      <RsvpService>Guaranteed</RsvpService>
      <RsvpStyle>FF</RsvpStyle>
    </ResourceRsvp>
  </serviceLevel>
  <serviceLevel serviceId="Silver">
    <ResourceRsvp AttributeId="qosH261Q" RsvpClass="H261QCIF"> <!-- collapsed --> </ResourceRsvp>
  </serviceLevel>
  <serviceLevel serviceId="Bronze">
    <ResourceRsvp AttributeId="qosH263C" RsvpClass="H263CIF"> <!-- collapsed --> </ResourceRsvp>
  </serviceLevel>
</service>