Multi-domain provisioning of Lower Layer Network Transports based on Generic AAA
TERENA TF-AACE Workshop 21/11/03
Leon Gommans, University of Amsterdam
Overview
- Low Layer Network Transport (LLNT)
- Rationale to provide LLNT's
- Generic Authentication, Authorization, Accounting (AAA): overview and usage in LLNT's
- Current experiments: DataTAG - SC2003
- Future research projects: GRANDE / Nextgrid
21 Nov 2003 TERENA TF-AACE Leon Gommans
Lower Layer Network Transport (LLNT)
Connection-oriented network paradigm using some form of switch technology that transports:
- Ethernet frames (MPLS VPN, 802.1Q VLAN, ...)
- SONET/SDH frames (ADM)
- Light (OXC)
Goes by specific names such as: L2 VPN, lightpath, lambda.
Rationale to provide LLNT's as NRN
- Next to general Internet usage, users will start to ask for high-bandwidth connections at low cost.
- High demand is now found in scientific Grid applications (HEP, radio astronomy, bio science, etc.).
- Demand is typically between specific locations. Forwarding large volumes of highly directional traffic is expensive when using routers; a patch panel is cheap in terms of cost per Gb/s.
- NRN's need flexible and automated ways to provision cheap bandwidth based on application demand, by authorizing access to the transport infrastructure.
NRN perspective
- NRN's have a number of different ways of transporting traffic, using connection-oriented and connection-less forwarding paradigms (routers, L2 switches, SONET/SDH links, optical links):
  - Low per-stream volume, many destinations, always-on service: routing on top of the LLNT infrastructure.
  - Medium to high volume, fewer destinations, defined contract periods: (G)MPLS with the LLNT infrastructure; use of AAA possible.
  - High volume, specific/static destinations, reserved time slots: application-driven provisioning of "cheap" LLNT's based on authorizations. Needs AAA.
- Various network technologies are in use, and they need flexible automatic control/provisioning solutions.
- Ergo: automate the operator function.
Generic AAA
- Concepts were researched within the IRTF AAA Architecture Research Group, which resulted in RFC 2903 (Generic AAA Architecture) and RFC 2904 (Authorization Sequence Framework).
- The Advanced Internet Research (AIR) group at UvA helped to form this IRTF research group.
- Empirical research into Generic AAA concepts is also done within the AIR group.
- Research funded as part of participation in the EU IST DataTAG project and by SURFnet.
- External collaboration with EVL at UIC, Starlight/NWU, Alcatel and FZJ Julich.
- Work is active input into standards bodies such as GGF and OASIS.
RFC 2904 authorization sequences allow users to access a service based on a policy decision taken by a AAA component.
[Figure: three message-flow diagrams, each between User, AAA and Service, showing the numbered steps 1-4 of the exchange]
- Pull sequence: NAS (remote access), RSVP (network QoS)
- Agent sequence: agents, brokers, proxies
- Push sequence: tokens, tickets, AC's etc.
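The three RFC 2904 sequences as runnable models, added here as an illustration (not code from the slides or from the UvA toolkit). AAAServer, Service, the shared MAC key and the user names are constructed for the example; the point shown is that in the pull and agent sequences the AAA server is consulted per request, while in the push sequence the service verifies the user-carried token locally.

```python
import hashlib
import hmac


class AAAServer:
    """Constructed model of the AAA server (PDP) of the user's home organisation."""
    def __init__(self, key, allowed_users):
        self.key = key
        self.allowed = set(allowed_users)
        self.decisions = []            # users this server was asked to decide on

    def decide(self, user):
        self.decisions.append(user)
        return user in self.allowed

    def issue_token(self, user, service_name):
        # Push sequence: the decision leaves the AAA server as a MAC-protected token
        # bound to (user, service) that the user carries to the service.
        if not self.decide(user):
            return None
        body = f"{user}:{service_name}".encode()
        return body + b"." + hmac.new(self.key, body, hashlib.sha256).hexdigest().encode()


class Service:
    """Constructed model of the service equipment (PEP) that grants or refuses access."""
    def __init__(self, name, aaa, key):
        self.name, self.aaa, self.key = name, aaa, key

    def pull(self, user):
        # Pull sequence: the user asks the service, the service asks the AAA server.
        return self.aaa.decide(user)

    def configure_for(self, user):
        # Agent sequence: the AAA server has already decided and configures the service.
        return True

    def redeem(self, token):
        # Push sequence: the service checks the token locally, with no AAA round trip.
        body, _, mac = token.rpartition(b".")
        expected = hmac.new(self.key, body, hashlib.sha256).hexdigest().encode()
        user, _, service_name = body.decode().partition(":")
        return hmac.compare_digest(mac, expected) and service_name == self.name


def pull_sequence(user, service):
    return service.pull(user)


def agent_sequence(user, aaa, service):
    return aaa.decide(user) and service.configure_for(user)


def push_sequence(user, aaa, service):
    token = aaa.issue_token(user, service.name)          # user obtains a token from AAA
    return token is not None and service.redeem(token)  # user presents it to the service
```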
AuthZ sequence combinations: roaming using agent & pull sequence
[Figure: User, the AAA server of the user's home organization, the service provider's AAA server and the Service, with the six numbered steps of the combined exchange]
Example AuthZ sequence in LLNT's with intelligent switches
[Figure: User and the AAA server of the user's home organization; Domain A, Domain B and Domain C each with a Switch and an AAA server, Domain A also hosting the Application AAA; network interfaces between the domains; Resource at the far end]
Example AuthZ sequences in LLNT's with dumb switches
[Figure: User and the AAA server of the user's home domain; Network Domain A, Network Domain B and Network Domain C each with a Switch and an AAA server, Domain A also hosting the Application AAA; network interfaces between the domains; Resource at the far end]
Example AuthZ sequences in LLNT's with broker
[Figure: User and Application AAA; Network Domain A, Network Domain B and Network Domain C each with a Switch and an AAA server; a Broker above the domains; network interfaces between the domains; Resource at the far end]
Base of Generic AAA Architecture - RAP
Fundamental ideas inspired by work of the IETF RAP WG, which in RFC 2753 describes a framework for Policy-based Admission Control. Foundation for COPS.
[Figure: the Policy Enforcement Point sends a Request to the Policy Decision Point and receives a Decision; the PDP consults a Policy Repository]
- Policy Decision Point: the point where policy decisions are made.
- Policy Enforcement Point: the point where the policy decisions are actually enforced.
Basic goal of Generic AAA: allow policy decisions to be made by multiple PDP's belonging to different administrative domains.
9 Oct 2003 Update meeting EVL Leon Gommans
Generic AAA Architecture - RFC 2903
Achieve the goal by separating the logical decision process from the application-specific parts within the PDP.
[Figure: the PDP contains a Rule Based Engine (the Generic AAA Engine) and Application Specific Modules and consults a Policy Repository; the Policy Enforcement Point exchanges Request/Decision with the PDP]
A driving policy orchestrates the usage of ASM's.
Generic AAA Architecture
[Figure: two PDP's, each a Rule Based Engine with Application Specific Modules and a Policy Repository, exchanging AAA Request/Decision messages; further labels: Policy Enforcement Point, User Rights, Service, Service Request]
Example XML request message

<AAARequest version="0.1" type="BoD">
  <Authorization>
    <credential>
      <credential_type>simple</credential_type>
      <credential_ID>JanJansen</credential_ID>
      <credential_secret>#f034d</credential_secret>
    </credential>
  </Authorization>
  <BodData>
    <Source>192.168.1.5</Source>
    <Destination>192.168.1.6</Destination>
    <Bandwidth>1000</Bandwidth>
    <StartTime>now</StartTime>
    <Duration>20</Duration>
  </BodData>
</AAARequest>
Example part of a Driving Policy
(Slide callouts: WHY, WHAT)

if ( ( ASM::RM.CheckConnection( Request::BodData.Source, Request::BodData.Destination ) &&
       ( Request::BodData.Bandwidth <= 1000 ) ) )
then ( ASM::RM.RequestConnection( Request::BodData.Source, Request::BodData.Destination,
                                  Request::BodData.Bandwidth, Request::BodData.StartTime,
                                  Request::BodData.Duration ) ;
       Reply::Answer.Message = "Request successful" )
else ( Reply::Error.Message = "Request failed" )
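As an added illustration (not code from the slides or from the UvA toolkit), this Python sketch parses a request shaped like the XML message above and evaluates the slide's driving policy against ResourceManagerASM, a hypothetical stand-in for ASM::RM; the sample request, the table of reachable source/destination pairs and the bandwidth limit of 1000 are constructed for the example.

```python
import xml.etree.ElementTree as ET

# Constructed request, shaped like the AAARequest message on the slide.
SAMPLE_REQUEST = """<AAARequest version="0.1" type="BoD">
  <Authorization><credential><credential_type>simple</credential_type>
    <credential_ID>JanJansen</credential_ID><credential_secret>#f034d</credential_secret>
  </credential></Authorization>
  <BodData><Source>192.168.1.5</Source><Destination>192.168.1.6</Destination>
    <Bandwidth>1000</Bandwidth><StartTime>now</StartTime><Duration>20</Duration></BodData>
</AAARequest>"""


class ResourceManagerASM:
    """Hypothetical stand-in for the ASM::RM module the driving policy calls."""
    def __init__(self, reachable_pairs):
        self.reachable = set(reachable_pairs)   # (source, destination) the switch can join
        self.connections = []                    # what RequestConnection provisioned

    def check_connection(self, src, dst):
        return (src, dst) in self.reachable

    def request_connection(self, src, dst, bandwidth, start, duration):
        self.connections.append((src, dst, bandwidth, start, duration))
        return True


def parse_bod_request(xml_text):
    """Pull the fields the policy refers to as Request::BodData.* out of the XML."""
    root = ET.fromstring(xml_text)
    bod = root.find("BodData")
    return {
        "credential_id": root.findtext("Authorization/credential/credential_ID"),
        "source": bod.findtext("Source"),
        "destination": bod.findtext("Destination"),
        "bandwidth": int(bod.findtext("Bandwidth")),
        "start": bod.findtext("StartTime"),
        "duration": int(bod.findtext("Duration")),
    }


def evaluate_driving_policy(req, rm, max_bandwidth=1000):
    """The slide's if-then-else: ASM::RM.CheckConnection must hold and Bandwidth <= 1000."""
    # The excerpt on the slide does not verify the credential the request carries; a
    # complete driving policy would do that (e.g. via an authentication ASM) before this step.
    if rm.check_connection(req["source"], req["destination"]) and req["bandwidth"] <= max_bandwidth:
        rm.request_connection(req["source"], req["destination"], req["bandwidth"],
                              req["start"], req["duration"])
        return {"Answer": "Request successful"}
    return {"Error": "Request failed"}
```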
Single-domain 802.1Q VLAN setup, demo iGrid 2002
[Figure: an AAA Request Message (XML/SOAP) reaches the RBE, which consults a Policy Database; two ASM's configure two 802.1Q VLAN switches over SNMP using the Dot1Q Bridge MIB; PC's are attached to each switch]
Single-domain Calient OXC setup
[Figure: an AAA Request Message (XML/SOAP) reaches the RBE, which consults a Policy Database; one ASM controls a Calient DiamondWave photonic switch over TL-1; PC's are attached to the switch]
Multi-domain setup
[Figure: an AAA Request Message (XML/SOAP) enters the first domain; each domain has its own RBE, ASM's and Policy Database; the ASM's control two 802.1Q VLAN switches over SNMP (Dot1Q Bridge MIB) and a Calient DiamondWave photonic switch over TL-1; PC's at the edges]
Multi-domain setup using Alcatel 1355 BonD
[Figure: two RBE's, each with ASM's and a Policy Database, fed by an AAA Request Message (XML/SOAP); the 802.1Q VLAN switches are controlled over SNMP (Dot1Q Bridge MIB); two Alcatel 1670 ADM's are controlled through the 1355 BonD + 1354 / 1353 EM management systems; PC's at the edges]
Collaborative multi-domain experiment at SC2003
[Figure: an RBE with ASM's and a Policy Database on one side; an AuthZ Resource Manager with its own ASM's, a PDC and a Policy Database on the other; two Calient PXC's, each fronted by a PIN; PC's at the edges]
PIN: Photonic Interdomain Negotiator
PDC: Photonic Domain Controller
Photonic Policy-based Access Controller
PIN and PDC are developments from EVL.
PIN does route determination based on source routing.
AAA-based multi-domain experiment at SC2003
[Figure: two domains, each with an RBE, ASM's and a Policy Database, joined through an OGSI Web Service interface on one side and an OGSI client interface on the other; an AuthZ Resource Manager with ASM's; Calient switches with PC's attached]
Generic AAA server toolkit of UvA: main features
- RBE and ASM run within a J2EE EJB container.
- Send the RBE XML-based request messages.
- Send RBE requests or control devices via the Java Connector Architecture (JCA) as part of an ASM, via CLI, TL-1, SNMP, RADIUS, SOAP/XML etc.
- The J2EE environment gives Web Services features. Integrated Grid OGSA-based interface into the RBE.
- The toolkit will give the user RBE and ASM skeletons and a policy language editor/compiler.
- Uses MySQL to store compiled policies, using a very simple nested if-then-else grammar.
- Supports all 3 authorization sequence types.
- Library of ASM's that includes support for GARA, VOMS, Enterasys, Calient, Alcatel NMS.
Future research
- Research ways to integrate networks into the Grid by using the principles of Generic AAA to authorize on-demand usage.
- Research ways to use the principles of Generic AAA in future generation grids.
- Identify requirements and develop Generic AAA toolkit functions that can be used in both intra- and inter-domain service management scenarios.
- Propose standards and standard ways of operation.
Conclusions
- "Cheap" network components can be used to create on-demand high-bandwidth network transports between selected locations.
- By turning network transports into objects using ASM's, they become software-controllable entities that can be orchestrated using driving policies that run within an RBE.
- The AAA toolkit can be used to create flexible provisioning scenarios with many types and abstractions of network equipment.
Thank you !
Research funded by EU IST DataTAG project and SURFnet
Leon Gommans