We think you have liked this presentation. If you wish to download it, please recommend it to your friends in any social system. Share buttons are a little bit lower. Thank you!
Presentation is loading. Please wait.
Published byAngelo Alls
Modified over 2 years ago
Cisco Confidential © 2011 Cisco and/or its affiliates. All rights reserved. 1 XMPP-Grid for SACM Information Transport XMPP Protocol Extensions for Use in SACM Information Transport Syam Appala, Nancy Cam Winget 22 July 2014
© 2011 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 2 XMPP-Grid Use-Case Design Considerations What is XMPP-Grid XMPP as XMPP-Grid Transport XMPP-Grid Controller & Control, Data Flow Segregations Client Authentication & Authorization XMPP-Grid Protocol Topics & Subtopics with message filters IF-MAP with XMPP-Grid
© 2011 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 3 I have NBAR info! I need identity… I have firewall logs! I need identity… SIO I have sec events! I need reputation… I have NetFlow! I need entitlement… I have reputation info! I need threat data… I have MDM info! I need location… I have app inventory info! I need posture… I have identity & device-type! I need app inventory & vulnerability… I have application info! I need location & auth-group… I have threat data! I need reputation… I have location! I need identity…
© 2011 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 4 Visibility into “who is connecting”, “who is accessing what” Centralized, policy-based authorization – “who can do what” Secure, bidirectional connectivity Mutual certs-based authentication Flexible consumption APIs – real-time, on-demand, bulk transfer Client contextual needs support through semantic, syntactic filtering Ability for peers to negotiate out-of-band, secure p2p connection Standardize schemas & information models through XML Scalable to thousands of nodes Platform agnostic
© 2011 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 5 Policy-based Authorization Centralized control for authorization and client management Facilitates secure communication between authorized clients Scalable Architecture scales to thousands of clients/nodes Provide resilient, high availability support Agile Enable many different uses across the communication fabric i.e. context, policies … Should be platform agnostic (C/C++, Python, Java …) Negotiation for type of data plane communication & APIs Lightweight Client Enable adoption through small footprint & intuitive APIs Standards Enable adoption through standardization of schemas & information models Controller Transport XMPP-Grid Server
© 2011 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 6 Scalable Architecture scales to 100K – 1M of nodes/clients Provide resilient, high availability support Reliable Provide message delivery guarantee Flexible Support semantic & syntactic filtering to serve contextual needs Support information time sensitivity needs Standards Enable adoption through standardization of schemas & information models
© 2011 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 7 Open – standards-based, decentralized (no single point of failure) and federated architecture Real-time eventing – using publish, subscribe notifications Security – Domain segregations; federation support; strong security via SASL and TLS Flexibility – Custom functionality can be built on top of XMPP; Easily extensible Bi-directional - avoids firewall tunneling Scalable – supports cluster mode deployment and message routing Peer-to-peer – directed queries and OOB file transfer support + Presence, service and device capability discovery …
© 2011 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 8 Plugs-in as external component to the XMPP server Responsible for – Account approvals of XMPP-Grid clients Authorization of client actions – subscribe, publish, query, bulk download Topic (information channel with publishers and subscribers sharing a well defined publisher data model) setup with subscription list Maintains directory of topics & topic subscriptions Communicates with other XMPP-Grid controller in cluster for HA Offers interfaces & statistics for management of clients & topics
© 2011 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 9 Publisher XMPP- Grid Client XMPP-Grid Controller XMPP Server XMPP- Grid Client Subscriber Authorize Publisher to topic sequence Authorize Subscriber to topic sequence Add Publisher to topic Add Subscriber to topic Authenticate & allow XMPP-Grid Controller Communication Publisher Auth Status & Account Authenticate & allow XMPP-Grid Controller Communication Subscriber Auth Status & Account Publish Message to topic Publish Success Published Message to subscriber Subscribe Success CONTROLCONTROL Topic & Publisher Discovery Request Topic & Publisher JID Response Out-of-Band Bulk Download Query Request Out-of-band Bulk data byte stream INFRAINFRA Out-of-Band Bulk Download Query Authorization
© 2011 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 10 Each XMPP-Grid client will go through the phases of authentication, registration and authorized access Certs-based mutual authentication between client and server using X.509 certificates Mutual authentication and tunnel establishment through XMPP “SASL External” If client certificate passes validation client registration requests are relayed only to XMPP-Grid controller for account approval If client certificate does not pass validation, the connection is terminated with XMPP standards-based error messages
© 2011 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 11 Auto registration Clients with the right cert will have their accounts auto created after authentication Clients can specify authorization group of interest Manual registration Administrator has to approve/decline client accounts after their authentication Administrator can assign authorization group to the client resulting in client logoff and logging back in for the group change to take effect 3 layer security model – Mutual-cert based authentication + account approval + authorization group assignment with policy control
© 2011 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 12 Client XMPP-Grid Controller XMPP Server TLS Connect(username, cert) Track(User name, cert) Register(username, cert) Register(username) Approve & Authorize Account Create User Account (username) Registration Successful Login() Pub/Sub/Query Logout()
© 2011 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 13 Authorization policies can be based on attributes such as Authorization group, Topic name, client name, device type, operation … Controller authorizes clients to publish or subscribe to a topic at “subscribe” time Publisher, when it receives a directed (peer-to-peer) or bulk download query from a subscriber, asks the controller for authorization using XMPP- Grid client identity
© 2011 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 14 Publisher/Subsc riber XMPP-Grid Controller XMPP Server Publish or Subscribe is authorized? (identity, publish/ subscribe) Publish or Subscribe extract identity
© 2011 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 15 Subscriber Publisher query request query response is authorized? (identity, cert chain, service) extract Identity, certificate chain XMPP-Grid
© 2011 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 16 Infrastructure protocol that enables client application to be agnostic to data plane protocol, XMPP Makes use of the XMPP transport and introduces an application layer protocol leveraging XML and XMPP extensions to define the protocol Provides interfaces for Register, login, logout Query to discover topics, capability provider discovery, directed peer-to-peer Register as a publisher or subscriber to topic (information channel with publishers and subscribers sharing a well defined publisher data model) XMPP-Grid clients connect to the XMPP-Grid using the XMPP-Grid Protocol Capability providers extend the XMPP-Grid Protocol infrastructure model and define capability specific models, allowing a cleaner separation of infrastructure and capabilities that can run on XMPP-Grid
© 2011 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 17 / / Capability Provider Discovery Request com.domain.ise.session.SessionQuery / / Capability Provider Discovery Response
© 2011 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 18 Capability provider publishes information with a defined schema on XMPP topic(s) Capability provider defines XML schema, topic version, available queries and notifications for each topic Capability provider publishes the messages to one or more XMPP topics depending on – Mutually exclusive schemas – create one topic per schema Same schema, but subscribers desire only a subset of attributes and values – XMPP- Grid creates subtopics and uses message filters to deliver filtered information Topics are discoverable on XMPP-Grid through XMPP-Grid protocol query
© 2011 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 19 Capability provider specifies semantic filters such as location, domain etc it supports for a given topic at subscribe time to the controller Subscribers discover the topics & supported message filters, and specify filters of interest to them to the controller Controller groups subscribers based on the expressed message filters, creates subtopics under the main topic and notifies the Publisher about the created subtopic Publisher publishes a message on the main topic and on the subtopics, after applying the message filter
© 2011 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 20 Controller cleans up the subtopics if subscription list is 0, to avoid proliferation of subtopics Pub/Sub, directed and bulk query can be supported for subtopics also – it all depends on the capability provider Message filters can be applied on XMPP-Grid server side instead –instead of publishing on subtopic, capability provider publishes on main topic and XMPP-Grid Pub/Sub component can apply filter messages Server-side message filters and specific message filter mechanisms such as XPATH are beyond the scope of this specification
© 2011 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 21 XMPP-Grid to substitute the SOAP-based IF-MAP standard interface between the MAP server and other elements in the network IF-MAP data models for use-cases such as network security can be overlaid on XMPP-Grid transport to achieve model consistency for both IF-MAP enabled and XMPP-Grid enabled deployment scenarios MAP Server will be the participant in both the IF-MAP enabled network and the XMPP-Grid enabled network serving as aggregator and publisher of information MAP server can play the role of subscribers and/or publishers depending on the MAP graphs and the contextual metadata to be aggregated and/or published
© 2011 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 22 PDPPEP MAP Server Flow Controllers Sensors Others IF-MAP PDPPEP Flow Controllers Sensors Others XMPP- Grid Server Cluster XMPP-Grid IF-MAP Enabled Devices XMPP-Grid Enabled Devices
© 2011 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 23 MAP Server XMPP- Grid Server XMPP-Grid Flow Controller s Sensors XMPP-Grid PDP PEP XMPP-Grid MAP Server XMPP- Grid Server XMPP-Grid Flow Controller s Sensors XMPP-Grid PDP PEP XMPP-Grid Region 1Region 2 XMPP
© 2011 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 24 MAP Server could publish the MAP graph attribute changes to interested subscribers Message filter criteria supported for subtopics could be based on metadata types metadata-identifier linkage attributes metadata class existing IF-MAP search criteria
Cisco Confidential © 2011 Cisco and/or its affiliates. All rights reserved. 25 Backup 25
© 2011 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 26 Client XMPP-Grid Controller XMPP Server Subscribe with filter Translate & validate filter Check if sub-topic for filter exists Create subtopic if it does not exist Subscribe Success Add Publisher & Subscriber to subtopic Capability Provider Notify Publisher
© 2011 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 27 Client XMPP-Grid Controller XMPP Server Register as Publisher Add Publisher to main topic & all subtopics Publish message to main topic Return registration success & list of subtopics with filtering criteria Publish message to main topic Check filtering criteria & identity subtopics to publish Capability Provider Publish message to subtopic that matched the filter Notify
IEEE MEDIA INDEPENDENT HANDOVER DCN: Title: XML framework for component communication Date Submitted: July.
1 A Cloud Reference Framework … for discussion only … Please send comments and suggestions to Bhumip Khasnabish Friday,
Peer-to-peer and agent-based computing JXTA. peer-to-peer and agent-based computing 2 Project JXTA Conceived by Bill Joy (SUN Microsystems) –Also the.
Copyright © 2005 SOA Software, Inc. All Rights Reserved. Specifications Subject to Change Without Notice. Overcoming the SOA Network Fallacy Roberto Medrano.
Winter 2001 VoN Developers Conference -- January 24, 2001 SIP Proxies Jonathan Rosenberg Chief Scientist.
Grid Monitoring Futures with Globus Jennifer M. Schopf Argonne National Lab April 2003.
© 2011 Infoblox Inc. All Rights Reserved. IF-MAP and GENI Richard Kagan – Infoblox.
1 Note content copyright © 2004 Ian Sommerville. NU-specific content copyright © 2004 M. E. Kabay. All rights reserved. Distributed Systems Architectures.
September, 2005What IHE Delivers 1 ITI Security Profiles – ATNA, CT, EUA, PWP, DSIG IHE Vendors Workshop 2006 IHE IT Infrastructure Education Robert Horn,
1 © 2007 Avaya Inc. All rights reserved. Understanding SIPs Role in Intelligent Communications Tom Doria Director – Avaya P2P Technical Business Development.
The Architecture of Transaction Processing Systems Chapter 26.
©Silberschatz, Korth and Sudarshan8.1Database System Concepts, 5 th Ed, slide version 5.0, August Chapter 8: Application Design and Development.
1 Copyright © 2013, Oracle and/or its affiliates. All rights reserved.
RMS and Scheduling for Future Generation Grids Ramin Yahyapour University Dortmund Leader CoreGRID Institute on Resource Management and Scheduling CoreGRID.
Presented to: SOA Brown Bag #12 By: Paul Caron, SWIM T&E Lead Date: December 13, 2011 Federal Aviation Administration System Wide Information Management.
Version 4.1 CCNA Discovery 2– Chapter 7. Contents 7.1: ISP Services : TCP / IP Protocols 7.2: 7.3: DNS 7.3: 7.4: Application Layer Protocols 7.4.
L ON W ORKS Network Design Overview. Welcome! 1-2.
RESTful (Web) Applications In Practice Nupul Kukreja CS 577b 6 th February
Microsoft ® Lync™ 2010 Instant Messaging and Presence Experience Module 07 Microsoft Corporation.
2010 FutureGrid User Advisory Meeting Architecture Roadmap Long term vision 10:00-10:45, Monday, August 2, 2010 Pittsburgh, PA Gregor von Laszewski Representing.
Agility Craig Thompson, Steve Ford, Tom Bannon, Paul Pazandak, David Wells Object Services and Consulting, Inc. (OBJS) Main Idea - agents for the masses.
Distributed Monitoring and Information Services for the Grid Jennifer M. Schopf UK National eScience Centre Argonne National Lab April 27, 2005.
18 Copyright © 2005, Oracle. All rights reserved. Distributing Modular Applications: Introduction to Web Services.
1 Capability Set - Detail. 2 Bb Academic Suite Capability Set by : System.
OGSI Evolution: WS-Resource Framework and WS-Notification Carl Kesselman Globus USC/ISI
©Ian Sommerville 2000 Software Engineering, 6th edition. Chapter 10Slide 1 Chapter 10 Architectural Design.
Practical ebXML Registry uses for interoperable eBusiness Open Forum 2003 on Metadata Registries 8:40am to 10am January 22, 2003.
1 Copyright © 2011 The Printer Working Group. All rights reserved. 1 MFD CWMP BOF October 4, 2011 Cupertino, CA PWG F2F Meeting.
Lecture 14 Pervasive Computing Applications Wireless Networks and Mobile Systems.
© 2007 – 2010, Cisco Systems, Inc. All rights reserved. Cisco Public ROUTE v6 Chapter 5 1 Chapter 5: Implement Path Control CCNP ROUTE: Implementing IP.
© 2016 SlidePlayer.com Inc. All rights reserved.