PART II: BoD server prototype, implementation and technical details
MB-NG, UCL, 20/21 February
Bas van Oudenaarde
Advanced Internet Research Group, University of Amsterdam
What to expect from this presentation
o Not a code walk-through, but the concepts used and the model behind them
o Our first-phase prototype of a BoD (Bandwidth on Demand) server, based on Generic AAA
o An overview for the DEMO
o Details of the building blocks of the BoD server
Generic AAA
o AAA server: may be involved in authorization, authentication and accounting
o An AAA request drives a policy (the Driving Policy)
o The behaviour of the generic part is determined by the combination of Driving Policies, ASMs (Application Specific Modules) and AAA requests
[Figure: service architecture. A client entity sends a BoD request message over the "AAA protocol" to the AAA server; the service handler evaluates the policy and calls the service ASM (Serv*), which interfaces to the service (serv). authZ marks the authorization step.]
[Figure: example BoD request message, sent as XML over SOAP. Values shown: simple, JanJansen, #f034d, now, 20, i.e. credential type, credential ID, credential secret, start time and a duration/size value, matching the Request:: fields used in the driving policy and the arguments of the RM BoD method below.]
Servlet in Tomcat, using the JAXM API:

    import javax.xml.messaging.JAXMServlet;
    import javax.xml.messaging.ReqRespListener;
    import javax.xml.soap.SOAPMessage;

    public class AAAServlet extends JAXMServlet implements ReqRespListener {
        private RBE theRBE;    // rule-based engine, created from the servlet context
        …
        public SOAPMessage onMessage( SOAPMessage message ) {
            …
            try {
                // message check (DTD) + policy fetch
                theRBE.parse( request, out );
            } catch( Exception ex ) {
                // any failure becomes an error response to the client
                return error( ex.getMessage() );
            }
            return createResponse( bout );
            …
        }
    }

Note: the message check validates client-supplied XML against a DTD, so the parser processes DOCTYPE declarations. External entity references and entity expansion in incoming messages must be disabled, or messages carrying a DOCTYPE rejected, before validation; otherwise a client controls what the AAA server reads and how much memory it spends.
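As an added example (not the prototype's code, which is Java on JAXM), the message check sketched above in Python: the XML body of a BoD request is parsed into the nested structure that the driving policy addresses as Request::a.b.c, and any DOCTYPE, oversize body or ambiguous duplicate element is refused before the parser can act on it. The element names follow the Request:: paths on the policy slide; the root element name, the StartTime/Duration names, the sample messages and the addresses are assumptions.

```python
# Added example, not the UvA prototype's code: parse a BoD request body into
# nested dicts (Request::a.b.c paths) and refuse anything a DTD-processing
# parser could be tricked by.  Sample messages below are constructed.
import xml.parsers.expat as expat


class UnsafeMessage(ValueError):
    """Raised for messages rejected before any DTD or entity processing."""


def parse_bod_request(data, max_bytes=4096):
    """Return the request as nested dicts; leaf elements become strings.

    Rejects oversize bodies, any DOCTYPE (so neither entity expansion nor an
    external entity fetch can be triggered by the client) and duplicate
    sibling elements (which would make Request:: paths ambiguous).
    """
    if isinstance(data, str):
        data = data.encode("utf-8")
    if len(data) > max_bytes:
        raise UnsafeMessage(f"message larger than {max_bytes} bytes")

    stack = [({}, [])]            # (children, text buffer) per open element

    def start_doctype(name, sysid, pubid, has_internal_subset):
        raise UnsafeMessage("DOCTYPE declarations are not accepted")

    def start_element(name, attrs):
        stack.append(({}, []))

    def character_data(text):
        stack[-1][1].append(text)

    def end_element(name):
        children, buf = stack.pop()
        parent = stack[-1][0]
        if name in parent:
            raise UnsafeMessage(f"duplicate element <{name}>")
        parent[name] = children if children else "".join(buf).strip()

    parser = expat.ParserCreate()
    parser.buffer_text = True
    parser.StartDoctypeDeclHandler = start_doctype   # exception aborts Parse()
    parser.StartElementHandler = start_element
    parser.EndElementHandler = end_element
    parser.CharacterDataHandler = character_data
    parser.Parse(data, True)
    return stack[0][0]


def request_value(request, ref):
    """Resolve a Request::a.b.c reference as written in the driving policy."""
    prefix = "Request::"
    if not ref.startswith(prefix):
        raise ValueError(f"not a request reference: {ref!r}")
    node = request
    for part in ref[len(prefix):].split("."):
        node = node[part]
    return node


# Constructed sample request (root and time/duration element names assumed).
SAMPLE = """<BoDRequest>
  <Authorization><credential>
    <credential_type>simple</credential_type>
    <credential_ID>JanJansen</credential_ID>
    <credential_secret>#f034d</credential_secret>
  </credential></Authorization>
  <BodData>
    <Source>192.0.2.10</Source><Destination>198.51.100.20</Destination>
    <StartTime>now</StartTime><Duration>20</Duration>
  </BodData>
</BoDRequest>"""

# Constructed hostile request: an external entity a DTD-processing parser
# would resolve on the server.
XXE = """<!DOCTYPE BoDRequest [<!ENTITY ext SYSTEM "file:///etc/passwd">]>
<BoDRequest><BodData><Source>&ext;</Source></BodData></BoDRequest>"""


def demo():
    req = parse_bod_request(SAMPLE)["BoDRequest"]
    return request_value(req, "Request::Authorization.credential.credential_ID")


if __name__ == "__main__":
    print(demo())
```

The DOCTYPE rejection happens in the expat handler, i.e. before any entity is declared, so it covers both entity-expansion blow-up and external entity fetches; the size cap bounds what a DTD validator would otherwise have to hold.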
Some details:
o The Servlet Context is used to initialise the RBE and the ASMs
o Java Reflection is used to list the methods of an Object (the ASMs)
Driving Policy (example):

    if ( ASM::Authorization.authorize(                    // C++-like namespaces: ASM:: and Request::
             Request::Authorization.credential.credential_type,
             Request::Authorization.credential.credential_ID,
             Request::Authorization.credential.credential_secret ) )
    then
        if ( ASM::RM.CheckConnection( Request::BodData.Source,
                                      Request::BodData.Destination ) )

o IF-THEN-ELSE structure
o The ASM calls could work with simple data types
o The policy is the input for the Policy Objects; a JavaCC-generated parser serialises it, used in the policy fetch
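As an added example (not the prototype's code), the two slides above in working Python: a small rule-based engine parses a driving policy written in the IF-THEN-ELSE form shown, then evaluates it by calling ASM methods through reflection (getattr here, where the prototype lists methods with Java Reflection) with arguments taken out of the request. The ASMs, the user table, the addresses and the hand-written parser standing in for the JavaCC one are assumptions; the allow-list of methods a policy may reach is the check added here, since reflection would otherwise let a policy call anything on an ASM object.

```python
# Added example, not the UvA prototype's code: parse a driving policy and
# evaluate it by reflective ASM calls.  ASMs, users, addresses are constructed.
import hmac
import re

def parse_policy(text):
    """stmt := 'if' '(' call ')' 'then' stmt ['else' stmt] | 'accept' | 'reject'
    call := ASM::Module.method '(' [ref {',' ref}] ')'      ref := Request::a.b.c"""
    toks = re.findall(r"[(),]|[A-Za-z_][\w:.]*|\S", text) + [None]   # None = end
    pos = 0
    def take(expected=None):
        nonlocal pos
        tok = toks[pos]
        if tok is None or (expected is not None and tok != expected):
            raise SyntaxError(f"expected {expected or 'a token'}, got {tok!r}")
        pos += 1
        return tok
    def call():
        name, args = take(), []
        take("(")
        while toks[pos] != ")":
            if args:
                take(",")
            args.append(take())
        take(")")
        return (name, args)
    def stmt():
        if toks[pos] in ("accept", "reject"):
            return take()
        take("if")
        take("(")
        cond = call()
        take(")")
        take("then")
        then_branch = stmt()
        else_branch = "reject"                      # a missing else branch rejects
        if toks[pos] == "else":
            take("else")
            else_branch = stmt()
        return ("if", cond, then_branch, else_branch)
    tree = stmt()
    if toks[pos] is not None:
        raise SyntaxError(f"trailing token {toks[pos]!r}")
    return tree

class RBE:
    """Generic part: the ASMs plus an allow-list of the methods a policy may call."""
    def __init__(self, asms, allowed):
        self.asms, self.allowed = asms, allowed
    def resolve(self, request, ref):
        if not ref.startswith("Request::"):
            raise ValueError(f"arguments must be Request:: paths, got {ref!r}")
        node = request
        for part in ref[len("Request::"):].split("."):
            node = node[part]
        return node
    def invoke(self, request, call):
        name, args = call
        module, _, method = name.removeprefix("ASM::").partition(".")
        if not name.startswith("ASM::") or method not in self.allowed.get(module, ()):
            raise PermissionError(f"policy may not call {name}")
        target = getattr(self.asms[module], method)      # reflection, allow-listed
        return bool(target(*(self.resolve(request, a) for a in args)))
    def evaluate(self, policy, request):
        node = policy
        while node not in ("accept", "reject"):
            _, cond, then_branch, else_branch = node
            node = then_branch if self.invoke(request, cond) else else_branch
        return node == "accept"

class AuthorizationASM:
    users = {"JanJansen": "#f034d"}                       # constructed user table
    def authorize(self, credential_type, credential_ID, credential_secret):
        expected = self.users.get(credential_ID, "").encode()
        return credential_type == "simple" and hmac.compare_digest(expected, credential_secret.encode())

class RMASM:
    reachable = {("192.0.2.10", "198.51.100.20")}         # constructed reachability
    def CheckConnection(self, src, dst):
        return (src, dst) in self.reachable or (dst, src) in self.reachable

POLICY = """
if ( ASM::Authorization.authorize( Request::Authorization.credential.credential_type,
        Request::Authorization.credential.credential_ID, Request::Authorization.credential.credential_secret ) )
then if ( ASM::RM.CheckConnection( Request::BodData.Source, Request::BodData.Destination ) )
     then accept else reject
else reject
"""
RBE_DEMO = RBE({"Authorization": AuthorizationASM(), "RM": RMASM()},
               {"Authorization": {"authorize"}, "RM": {"CheckConnection"}})

def example_request(secret="#f034d", destination="198.51.100.20"):
    cred = {"credential_type": "simple", "credential_ID": "JanJansen", "credential_secret": secret}
    return {"Authorization": {"credential": cred},
            "BodData": {"Source": "192.0.2.10", "Destination": destination}}

def decide(policy_text, request, rbe=RBE_DEMO):
    return rbe.evaluate(parse_policy(policy_text), request)
```

Usage: `decide(POLICY, example_request())` accepts, while a wrong secret or an unreachable destination falls through the else branches to reject. A policy that names a method outside the allow-list raises PermissionError at evaluation time rather than reaching the object, and the parser refuses truncated or trailing text instead of guessing.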
ASM overview. For the BoD service we implemented:
o Resource Manager (RM) ASM: hard-coded network topology and state of the network elements
o Switch ASM: SNMP interface, dealing with 802.1Q VLANs
o Authorization ASM: the authorization mechanism
RM ASM, BoD method (body elided on the slide):

    public int BoD( String IPsrc, String IPdst, int size, String t, int dur ) {
        // Full control model: every network element is modelled as a vertex
        // with edges; state (link usage) is updated in the vertex.
        // A recursive backtracking algorithm finds the path and collects the
        // provisioning information (VLAN id, ports, etc.).
    }
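As an added example (not the prototype's code) of the full-control model just described, in Python rather than the prototype's Java: switches are vertices, links carry the usage state, a recursive depth-first search backtracks out of dead ends and saturated links, and the result is the provisioning list (switch, port, VLAN id, access/trunk role) the Switch ASM would need. Capacity is only committed once a complete path exists, so a failed search leaves no half-reserved links. The topology, host attachment table, VLAN pool and addresses are constructed.

```python
# Added example, not the UvA prototype's code: backtracking path search over a
# vertex/edge model with link-usage state.  Topology and addresses constructed.
from dataclasses import dataclass


@dataclass
class Link:
    """Edge between two switches; `used` is the state updated on reservation."""
    a: str
    port_a: int
    b: str
    port_b: int
    capacity: int
    used: int = 0

    def free(self):
        return self.capacity - self.used

    def other(self, switch):
        return self.b if switch == self.a else self.a


class ResourceManager:
    def __init__(self, attach, vlan_pool):
        self.attach = attach                # host IP -> (edge switch, access port)
        self.vlan_pool = list(vlan_pool)    # VLAN ids still free for new paths
        self.adj = {}                       # switch -> [Link]

    def add_link(self, a, port_a, b, port_b, capacity):
        link = Link(a, port_a, b, port_b, capacity)
        self.adj.setdefault(a, []).append(link)
        self.adj.setdefault(b, []).append(link)
        return link

    def free_between(self, a, b):
        return sum(link.free() for link in self.adj.get(a, []) if link.other(a) == b)

    def _search(self, here, dst, size, visited, path):
        """Depth-first search for a simple path with >= size free on every link;
        returns the list of links, or None after backtracking out of every branch."""
        if here == dst:
            return list(path)
        visited.add(here)
        for link in self.adj.get(here, []):
            nxt = link.other(here)
            if nxt in visited or link.free() < size:
                continue
            path.append(link)
            found = self._search(nxt, dst, size, visited, path)
            if found is not None:
                return found
            path.pop()                      # dead end: undo and try the next edge
        visited.discard(here)
        return None

    def BoD(self, IPsrc, IPdst, size):
        """Reserve `size` units between two hosts.  Returns (vlan id, provisioning
        list of (switch, port, vlan, role)) or None if no path or VLAN is free."""
        sw_src, port_src = self.attach[IPsrc]
        sw_dst, port_dst = self.attach[IPdst]
        path = self._search(sw_src, sw_dst, size, set(), [])
        if path is None or not self.vlan_pool:
            return None
        vid = self.vlan_pool.pop(0)
        for link in path:                   # commit only once a full path exists
            link.used += size
        prov = [(sw_src, port_src, vid, "access")]
        for link in path:
            prov.append((link.a, link.port_a, vid, "trunk"))
            prov.append((link.b, link.port_b, vid, "trunk"))
        prov.append((sw_dst, port_dst, vid, "access"))
        return vid, prov


HOST_A, HOST_B = "192.0.2.10", "198.51.100.20"      # constructed host addresses


def build_demo():
    """Constructed 5-switch topology: a 100-unit path via S2 (with a dead-end
    spur to S5 that forces a backtrack) and a 50-unit detour via S4."""
    rm = ResourceManager({HOST_A: ("S1", 1), HOST_B: ("S3", 5)}, range(100, 104))
    rm.add_link("S1", 24, "S2", 1, 100)
    rm.add_link("S2", 2, "S5", 1, 100)
    rm.add_link("S2", 24, "S3", 1, 100)
    rm.add_link("S1", 23, "S4", 1, 50)
    rm.add_link("S4", 24, "S3", 2, 50)
    return rm


def switches_on(prov):
    return [entry[0] for entry in prov]
```

Running three requests of 60, 50 and 10 units against build_demo() shows the state in action: the first takes the S2 path, the second finds S1-S2 down to 40 free and backtracks onto the S4 detour, the third fits on the S2 path again, and a fourth 50-unit request fails with nothing reserved.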
Switch ASM, provisioning:

    /* (Single domain) Add a port (+ trunk) to a VLAN.
     *
     * The Cabletron SS6000 switch uses the SNMP table ctVlanPortConfigTable,
     * OID = " "
     * Row instances are addressed as OID.c.I1.I2 (c = column, I1 = index 1, I2 = index 2).
     */
    public void setupPath( int port, int vid )
            throws IOException, SnmpDecodeException, SnmpResponseException {
        // Set up the SNMP connection to the switch
        // (SnmpPeer/SnmpConnection are the SNMP library classes used by the prototype)
        SnmpPeer peer = new SnmpPeer( "localhost", InetAddress.getByName( host ), SMI.PUBLIC );
        SnmpConnection connection = new SnmpConnection( peer );
        // OID …
    }

Note: SMI.PUBLIC selects the default "public" community. SNMPv1/v2c community strings travel in cleartext and are the only access control on the SET that adds the port to the VLAN, so outside a lab the switch needs a dedicated write community (or SNMPv3 with authentication) on a management network that clients of the BoD service cannot reach.
Authorized path discovery
o QoS path through multiple administrative domains
o AAA servers need a mechanism for advertising the connections they can establish
o Start with the simplest QoS path: the Full Control model
o Logical network link instead of physical network link
o Decision tree for the authorization of QoS elements
[Figure: authorization interactions between AAA servers. Domains D0, D1, ..., each with an AAA server (AAA 0, AAA 1, AAA 2) and network elements N0, N1, N2, ..., Nn; inter-domain links labelled l0,1 and l2,n.]
Porting to a J2EE environment
o Robust and scalable runtime environment
o Lets us focus on the AAA concepts: developing the generic RBE and the ASM interface
o Still in progress... :(
Future of AAA: collaboration in developing a generic ASM interface, policy definitions, etc.
[Figure: ideas for AAA in J2EE. Elements shown: J2EE with an EJB container and a web tier; a BoD request entering from the web side; ASMs behind an ASM API (ASM*); JCA resource adapters towards switch1 and switch2.]
Conclusions
o Our focus is on authorization across multiple administrative domains
o The ASMs need to interface to services; we need to provide a generic API
o Collaborations