Presentation is loading. Please wait.

Presentation is loading. Please wait.

Policy based co-allocation of connection oriented network resources using the principles of Generic AAA ON*VECTOR 3rd Annual Photonics Workshop San Diego.

Published byOlivia Bond Modified over 8 years ago

Similar presentations

Presentation on theme: "Policy based co-allocation of connection oriented network resources using the principles of Generic AAA ON*VECTOR 3rd Annual Photonics Workshop San Diego."— Presentation transcript:

1 Policy based co-allocation of connection oriented network resources using the principles of Generic AAA ON*VECTOR 3rd Annual Photonics Workshop San Diego - 03/01/04 Leon Gommans University of Amsterdam

2  Connection Oriented Networks  Rationale  Generic Authentication Authorization Accounting (AAA) short overview.  Experiments: DataTAG - SC2003  Future Research 1 Mar 2004 ON*VECTOR Workshop Leon Gommans Overview

3 Compared to router based Connectionless Networks, Connection Oriented Network use some form of switch technology to forward:  Ethernet frames  Sonet/SDH frames  Light Switches along the path are configured (statically or dynamically) with a particular path definition for the duration of a connection. Forms such as:  MPLS Virtual Private Network  Lightpath - UCLP  Lambda Connection Oriented Networks (CON) 1 Mar 2004 ON*VECTOR Workshop Leon Gommans

4  Next to general Internet usage, in particular Grid users will start to ask for high bandwidth connections at low cost.  This kind of demand is now found in Scientific applications within HEP, Radio Astronomy, Bio Science, etc.  Forwarding large volumes of highly directional traffic is expensive when user routers.  Providers need to provision cheap bandwidth by authorizing applications to access the transport infrastructure in a flexible way with or without pre-established relations at business level.  Many functions already found in telephony networks. Rationale and assumptions. 1 Mar 2004 ON*VECTOR Workshop Leon Gommans

5 Ergo: Automate operator function for data 1 Mar 2004 ON*VECTOR Workshop Leon Gommans

6  Providers have a number of different ways to transport data using both connection-oriented and connection-less methods using routers, switches, electron and photon based links.  Low per stream volume - many destinations - always on service: connectionless routing.  Medium to high volume - fewer destinations - defined contract periods: (G)MPLS, use of AAA possible.  High volume - specific/static destinations - reserved time slots: Application driven provisioning of “cheap” bandwidth based on authorization. Need AAA.  Use various network technologies which need flexible automatic control/provisioning solutions. Provider perspective 1 Mar 2004 ON*VECTOR Workshop Leon Gommans

7  Concepts are researched within the IRTF AAA Architecture Research Group which resulted in RFC’s 2903 (Generic AAA Architecture) and RFC 2904 (Authorization Sequence Framework).  Staff members at University of Amsterdam helped to form this IRTF research group.  Research funded as part of participation in EU IST DataTAG project and by SURFnet  Collaboration with EVL at UIC, Starlight/NWU, Alcatel, CA*Net, FZJ Jülich and Fraunhofer Institute.  Work is also input to AuthZ WG in GGF.  Generic AAA toolkit is developed at UoA. AAAarch IRTF RG and UvA. 1 Mar 2004 ON*VECTOR Workshop Leon Gommans

8 RFC 2904 Authorization sequences that allow users to access a service based on a policy decision taken by a AAA component. Service AAA User Service AAA User Service AAA User Pull sequence NAS (remote access) RSVP (network QoS) Agent sequence Agents, Brokers, Proxy’s. Push sequence. Tokens, Tickets, AC’s etc. 1 1 1 22 2 3 33 4 4 4 1 Mar 2004 ON*VECTOR Workshop Leon Gommans

9 Example AuthZ pull sequence in CON. Switch AAA Applic. AAA User Home Organization Switch AAA Switch AAA Netw. I/F Resource Netw. I/F UserDomain ADomain BDomain CResource 1 Mar 2004 ON*VECTOR Workshop Leon Gommans

10 Switch AAA Applic. AAA User Home Domain Switch AAA Switch AAA Netw. I/F Resource Netw. I/F UserNetwork Domain ANetwork Domain BNetwork Domain CResource 1 Mar 2004 ON*VECTOR Workshop Leon Gommans Example AuthZ agent / pull sequence in CON.

11 Switch AAA Applic. AAA Switch AAA Switch AAA Netw. I/F Resource Netw. I/F UserNetwork Domain ANetwork Domain BNetwork Domain CResource Broker 1 Mar 2004 ON*VECTOR Workshop Leon Gommans Example AuthZ push / pull sequence in CON.

12 Switch AAA Switch AAA Switch AAA Netw. I/F Resource Netw. I/F UserNetwork Domain ANetwork Domain BNetwork Domain CResource Application 1 Mar 2004 ON*VECTOR Workshop Leon Gommans Example AuthZ agent sequence in CON. Applic.

13 Switch AAA Switch AAA Switch AAA Netw. I/F Resource Netw. I/F UserNetwork Domain ANetwork Domain BNetwork Domain CResource 1 Mar 2004 ON*VECTOR Workshop Leon Gommans Positioned in TMN example reference model. Network Management / Element Management Layer Service Management Layer Business Management Layer ? Applic.

14 Base of Generic AAA Architecture - RAP Policy Decision Point Policy Enforcement Point Fundamental idea’s inspired by work of the IETF RAP WG that in RFC 2753 describes a framework for Policy-based Admission Control. The point where policy decisions are made. The point where the policy decisions are actually enforced. Request Decision Policy Repository Basic Goal Generic AAA: Allow policy decisions to be made by multiple PDP’s belonging to different administrative domains. 1 Mar 2004 ON*VECTOR Workshop Leon Gommans

15 Generic AAA Architecture - RFC2903 Application Specific Module Policy Enforcement Point Archieve goal by by separating the logical decision process from the application specific parts within the PDP. Request Decision Rule Based Engine Policy Repository PDP Generic AAA Engine A Driving Policy Orchestrates the Usage of ASM’s 1 Mar 2004 ON*VECTOR Workshop Leon Gommans

16 Generic AAA Architecture Application Specific Module Policy Enforcement Point AAA Request Decision Rule Based Engine Policy Repository PDP Application Specific Module Rule Based Engine Policy Repository PDP User Rights Service RSVP Service Request 1 Mar 2004 ON*VECTOR Workshop Leon Gommans

17 Generic AAA Architecture Application Specific Module Policy Enforcement Point XML AAA Request Provision Rule Based Engine Policy Repository PDP Application Specific Module Rule Based Engine Policy Repository PDP User Rights Service Service Access 1 Mar 2004 ON*VECTOR Workshop Leon Gommans Ack

18 Enterasys 802.1Q VLAN Switch PC RBE Enterasys 802.1Q VLAN Switch Single - domain 802.1Q VLAN setup Demo iGrid 2002 SNMP Dot 1Q Bridge MIB SNMP Dot 1Q Bridge MIB AAA Request Message (XML/SOAP) ASM Policy Database 1 Mar 2004 ON*VECTOR Workshop Leon Gommans

19  simple JanJansen #f034d 192.168.1.5 192.168.1.6 1000 now 20 Example XML request message WHY WHAT 1 Mar 2004 ON*VECTOR Workshop Leon Gommans

20 if ( ASM::RM.CheckConnection( Request::BodData.Source, Request::BodData.Destination ) && ( Request::BodData.Bandwidth <= 1000 ) ) then ( ASM::RM.RequestConnection( Request::BodData.Source, Request::BodData.Destination, Request::BodData.Bandwidth, Request::BodData.StartTime, Request::BodData.Duration ) ; Reply::Answer.Message = "Request successful" ) else ( Reply::Error.Message = "Request failed" Example part of a Driving Policy 1 Mar 2004 ON*VECTOR Workshop Leon Gommans

21 Enterasys 802.1Q VLAN Switch PC RBE Single - domain 802.1Q VLAN setup Demo iGrid 2002 SNMP Dot 1Q Bridge MIB SNMP Dot 1Q Bridge MIB AAA Request Message (XML/SOAP) ASM Policy Database 1 Mar 2004 ON*VECTOR Workshop Leon Gommans Create RED VLAN and Define it on trunk port, Include Port X. Enterasys 802.1Q VLAN Switch

22 PC RBE Single - Domain Calient PXC setup Calient PXC Switch TL-1 AAA Request Message (XML/SOAP) ASM Policy Database 1 Mar 2004 ON*VECTOR Workshop Leon Gommans

23 PC RBE Multi - domain setup Calient PXC Switch AAA Request Message (XML/SOAP) TL-1 SNMP Dot 1Q Bridge MIB SNMP Dot 1Q Bridge MIB ASM Policy Database ASM Policy Database 1 Mar 2004 ON*VECTOR Workshop Leon Gommans Enterasys 802.1Q VLAN Switch Enterasys 802.1Q VLAN Switch

24 802.1Q VLAN Switch PC RBE Multi - domain setup using a TMN domain AAA Request Message (XML/SOAP) SNMP Dot 1Q Bridge MIB SNMP Dot 1Q Bridge MIB ASM Alcatel 1670 ADM 1355 BOND + 1354 1353 EM Alcatel 1670 ADM ASM Policy Database ASM 1 Mar 2004 ON*VECTOR Workshop Leon Gommans ISO TMN DOMAIN Enterasys 802.1Q VLAN Switch

25 PC RBE Collaborative Multi-domain experiment at SC2003 Calient PXC PIN PC Calient PXC PIN PC PDC Policy Database ASM AuthZ Resource Mgr PHOTONIC INTERDOMAIN NEGOTIATOR PHOTONIC DOMAIN CONTROLLER Note: PIN and PDC are developed by EVL at UIC headed by Oliver Yu PHOTONIC POLICY BASED ACCESS CONTROLLER PIN DOES ROUTE DETERMINATION BASED ON SOURCE ROUTING 1 Mar 2004 ON*VECTOR Workshop Leon Gommans

26 PC RBE Collaborative Multi-domain experiment at SC2003 Calient PXC PC Calient PXC PC Policy Database ASM OGSI WS I/F ASM OGSI Client I/F Policy Database ASM AuthZ Resource Mgr RBE Policy Database ASM RBE 1 Mar 2004 ON*VECTOR Workshop Leon Gommans

27  Research ways to integrate networks into the Grid by using the principles of Generic AAA to authorize on demand usage via mechanisms such as GridFTP.  Inclusion of state awareness in driving policy e.g. using WSRF notifications  Include concurrency in driving policy execution.  Identify further Grid requirements towards advance reservation and VO integration.  Integrate (WS based) electronic payment system to allow operation without pre-established business relationships. Future Research. 1 Mar 2004 ON*VECTOR Workshop Leon Gommans

28 Thank you ! Research funded by EU IST DataTAG project and SURFnet Leon Gommans lgommans@science.uva.nl

Download ppt "Policy based co-allocation of connection oriented network resources using the principles of Generic AAA ON*VECTOR 3rd Annual Photonics Workshop San Diego."

Similar presentations

Authentication Authorization Accounting and Auditing

Authentication Authorization Accounting and Auditing
Electronic Visualization Laboratory University of Illinois at Chicago EVL Optical Networking Research Oliver Yu Electronic Visualization Laboratory University.

Electronic Visualization Laboratory University of Illinois at Chicago EVL Optical Networking Research Oliver Yu Electronic Visualization Laboratory University.
Photonic TeraStream and ODIN By Jeremy Weinberger The iCAIR iGRID2002 Demonstration Shows How Global Applications Can Use Intelligent Signaling to Provision.

Photonic TeraStream and ODIN By Jeremy Weinberger The iCAIR iGRID2002 Demonstration Shows How Global Applications Can Use Intelligent Signaling to Provision.
Generic AAA* based Bandwidth on Demand EVL at UIC meeting Leon Gommans

Generic AAA* based Bandwidth on Demand EVL at UIC meeting Leon Gommans
GT 4 Security Goals & Plans Sam Meder

GT 4 Security Goals & Plans Sam Meder
All rights reserved © 2005, Alcatel Grid services over IP Multimedia Subsystem  Antoine Pichot, Olivier Audouin, Alcatel  GridNets ’06.

All rights reserved © 2005, Alcatel Grid services over IP Multimedia Subsystem  Antoine Pichot, Olivier Audouin, Alcatel  GridNets ’06.
Application-Based Network Operations (ABNO) IETF 88 – SDN RG

Application-Based Network Operations (ABNO) IETF 88 – SDN RG
Electronic Visualization Laboratory University of Illinois at Chicago Photonic Interdomain Negotiator (PIN): Interoperate Heterogeneous Control & Management.

Electronic Visualization Laboratory University of Illinois at Chicago Photonic Interdomain Negotiator (PIN): Interoperate Heterogeneous Control & Management.
8/10/2001GGF - 3 / Leon Gommans - UvA1 Observations on the CAS architecture made from the Generic AAA perspective. 3rd Global Gridforum Oct. 7-10th 2001.

8/10/2001GGF - 3 / Leon Gommans - UvA1 Observations on the CAS architecture made from the Generic AAA perspective. 3rd Global Gridforum Oct. 7-10th 2001.
Multi-Domain Lightpath Authorization Architecture using Tokens By: Leon Gommans, Paola Grosso, Fred Wan, Cees de Laat, Marten Hoekstra, Yuri Demchenko,

Multi-Domain Lightpath Authorization Architecture using Tokens By: Leon Gommans, Paola Grosso, Fred Wan, Cees de Laat, Marten Hoekstra, Yuri Demchenko,
Token Based Authorization of GMPLS Networks By: Leon Gommans, Paola Grosso, Fred Wan, Cees de Laat, Marten Hoekstra, Li Xu University of Amsterdam By:

Token Based Authorization of GMPLS Networks By: Leon Gommans, Paola Grosso, Fred Wan, Cees de Laat, Marten Hoekstra, Li Xu University of Amsterdam By:
Authorization of a QoS path based on Generic AAA SC2002 Baltimore NOV 16-22 Bas van Oudenaarde Advanced Internet Research Group University of Amsterdam.

Authorization of a QoS path based on Generic AAA SC2002 Baltimore NOV Bas van Oudenaarde Advanced Internet Research Group University of Amsterdam.
Tiziana FerrariWP2.3 Advance Reservation Demonstration: Description and set-up 1 WP2.3 Advance Reservation Demonstration: Description and set-up DRAFT,

Tiziana FerrariWP2.3 Advance Reservation Demonstration: Description and set-up 1 WP2.3 Advance Reservation Demonstration: Description and set-up DRAFT,
Policy-based Accounting Tanja Zseby, Georg Carle, Sebastian Zander GMD FOKUS - German National Research Institute for Information Technology Competence.

Policy-based Accounting Tanja Zseby, Georg Carle, Sebastian Zander GMD FOKUS - German National Research Institute for Information Technology Competence.
Generic AAA model in Grids IRTF - AAAARCH meeting IETF 52 – Dec 14 th Salt Lake City Leon Gommans Advanced Internet Research Group.

Generic AAA model in Grids IRTF - AAAARCH meeting IETF 52 – Dec 14 th Salt Lake City Leon Gommans Advanced Internet Research Group.
Tiziana FerrariWP2.3 Advance Reservation Demonstration: Description and set-up 1 WP2.3 Advance Reservation Demonstration: Description and set-up DRAFT,

Tiziana FerrariWP2.3 Advance Reservation Demonstration: Description and set-up 1 WP2.3 Advance Reservation Demonstration: Description and set-up DRAFT,
Optical networking research in Amsterdam Paola Grosso UvA - AIR group.

Optical networking research in Amsterdam Paola Grosso UvA - AIR group.
DWDM-RAM: DARPA-Sponsored Research for Data Intensive Service-on-Demand Advanced Optical Networks DWDM RAM DWDM RAM BUSINESS WITHOUT BOUNDARIES.

DWDM-RAM: DARPA-Sponsored Research for Data Intensive Service-on-Demand Advanced Optical Networks DWDM RAM DWDM RAM BUSINESS WITHOUT BOUNDARIES.
Generic AAA based provisioning Of Network Elements Status update EVL 9/10/03 Leon Gommans University of Amsterdam.

Generic AAA based provisioning Of Network Elements Status update EVL 9/10/03 Leon Gommans University of Amsterdam.
Policy-based Accounting Draft Sebastian Zander, Tanja Zseby GMD FOKUS - German National Research Institute for Information Technology Competence Center.

Policy-based Accounting Draft Sebastian Zander, Tanja Zseby GMD FOKUS - German National Research Institute for Information Technology Competence Center.

Similar presentations

Ads by Google