Policy based co-allocation of connection oriented network resources using the principles of Generic AAA ON*VECTOR 3rd Annual Photonics Workshop San Diego.

Presentation transcript:

Policy based co-allocation of connection oriented network resources using the principles of Generic AAA ON*VECTOR 3rd Annual Photonics Workshop San Diego - 03/01/04 Leon Gommans University of Amsterdam

Overview
- Connection Oriented Networks
- Rationale
- Generic Authentication Authorization Accounting (AAA) short overview
- Experiments: DataTAG - SC2003
- Future Research
1 Mar 2004 ON*VECTOR Workshop Leon Gommans

Connection Oriented Networks (CON)
Compared to router based connectionless networks, connection oriented networks use some form of switch technology to forward:
- Ethernet frames
- Sonet/SDH frames
- Light
Switches along the path are configured (statically or dynamically) with a particular path definition for the duration of a connection. Forms such as:
- MPLS Virtual Private Network
- Lightpath - UCLP
- Lambda

Rationale and assumptions
- Next to general Internet usage, in particular Grid users will start to ask for high bandwidth connections at low cost.
- This kind of demand is now found in scientific applications within HEP, Radio Astronomy, Bio Science, etc.
- Forwarding large volumes of highly directional traffic is expensive when using routers.
- Providers need to provision cheap bandwidth by authorizing applications to access the transport infrastructure in a flexible way, with or without pre-established relations at business level.
- Many functions already found in telephony networks.

Ergo: Automate operator function for data.

Provider perspective
- Providers have a number of different ways to transport data, using both connection-oriented and connection-less methods over routers, switches, electron and photon based links.
- Low per-stream volume, many destinations, always-on service: connectionless routing.
- Medium to high volume, fewer destinations, defined contract periods: (G)MPLS; use of AAA possible.
- High volume, specific/static destinations, reserved time slots: application driven provisioning of "cheap" bandwidth based on authorization. Need AAA.
- Use of various network technologies which need flexible automatic control/provisioning solutions.

AAAarch IRTF RG and UvA
- Concepts are researched within the IRTF AAA Architecture Research Group, which resulted in RFC 2903 (Generic AAA Architecture) and RFC 2904 (Authorization Sequence Framework).
- Staff members at University of Amsterdam helped to form this IRTF research group.
- Research funded as part of participation in the EU IST DataTAG project and by SURFnet.
- Collaboration with EVL at UIC, Starlight/NWU, Alcatel, CA*Net, FZJ Jülich and Fraunhofer Institute.
- Work is also input to the AuthZ WG in GGF.
- Generic AAA toolkit is developed at UoA.

RFC 2904
Authorization sequences that allow users to access a service based on a policy decision taken by a AAA component. (Figure: three diagrams, each showing User, AAA and Service.)
- Pull sequence: NAS (remote access), RSVP (network QoS)
- Agent sequence: Agents, Brokers, Proxies
- Push sequence: Tokens, Tickets, ACs etc.

Example AuthZ pull sequence in CON.
(Figure labels: User and Applic. AAA in the Home Organization; Switch AAA and Netw. I/F in Domain A, Domain B and Domain C; Resource.)

Example AuthZ agent / pull sequence in CON.
(Figure labels: User and Applic. AAA in the Home Domain; Switch AAA and Netw. I/F in Network Domain A, Network Domain B and Network Domain C; Resource.)

Example AuthZ push / pull sequence in CON.
(Figure labels: User, Applic. AAA and Broker; Switch AAA and Netw. I/F in Network Domain A, Network Domain B and Network Domain C; Resource.)

Example AuthZ agent sequence in CON.
(Figure labels: User and Application (Applic.); Switch AAA and Netw. I/F in Network Domain A, Network Domain B and Network Domain C; Resource.)

Positioned in TMN example reference model.
(Figure labels: Switch AAA and Netw. I/F in Network Domain A, Network Domain B and Network Domain C; Resource; TMN layers: Network Management / Element Management Layer, Service Management Layer, Business Management Layer; position of Applic. marked with "?".)
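The three RFC 2904 sequences shown above (pull, agent, push), as an added Python simulation that is not part of the original slides or of the UvA Generic AAA toolkit. The user name JanJansen is taken from the example request later in the talk; the HMAC-signed capability is an assumed token format standing in for the slide's "tokens, tickets, ACs", and the policy table is constructed.

```python
"""RFC 2904 pull / agent / push authorization sequences as a small simulation."""
import hashlib
import hmac
import secrets

# Secret shared between the AAA server (PDP) and the service (PEP); constructed here.
SECRET = secrets.token_bytes(32)


class AAAServer:
    """Policy Decision Point: decides whether a user may use a service."""

    def __init__(self, policy):
        self.policy = policy  # {user: maximum bandwidth in Mbit/s} (constructed)

    def decide(self, user, bandwidth):
        return bandwidth <= self.policy.get(user, 0)

    def issue_token(self, user, bandwidth):
        # Push sequence: the AAA server hands the user a signed capability.
        if not self.decide(user, bandwidth):
            return None
        msg = f"{user}:{bandwidth}".encode()
        tag = hmac.new(SECRET, msg, hashlib.sha256).hexdigest().encode()
        return msg + b"|" + tag


class Service:
    """Policy Enforcement Point: the switch / network interface setting up connections."""

    def __init__(self, aaa):
        self.aaa = aaa
        self.connections = []

    def pull(self, user, bandwidth):
        # Pull sequence: the user asks the service, the service consults its AAA server.
        if self.aaa.decide(user, bandwidth):
            self.connections.append((user, bandwidth))
            return True
        return False

    def push(self, token):
        # Push sequence: the user presents the token, the service verifies it locally.
        try:
            msg, tag = token.split(b"|", 1)
        except (ValueError, AttributeError):
            return False
        expected = hmac.new(SECRET, msg, hashlib.sha256).hexdigest().encode()
        if not hmac.compare_digest(tag, expected):
            return False
        user, bw = msg.decode().split(":")
        self.connections.append((user, int(bw)))
        return True

    def provision(self, user, bandwidth):
        # Agent sequence: the AAA server has already decided and configures the service.
        self.connections.append((user, bandwidth))
        return True


def agent(aaa, service, user, bandwidth):
    """Agent sequence: the user talks to the AAA server, which drives the service."""
    if not aaa.decide(user, bandwidth):
        return False
    return service.provision(user, bandwidth)
```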

Base of Generic AAA Architecture - RAP
Fundamental ideas inspired by work of the IETF RAP WG, which in RFC 2753 describes a framework for Policy-based Admission Control.
- Policy Decision Point (PDP): the point where policy decisions are made.
- Policy Enforcement Point (PEP): the point where the policy decisions are actually enforced.
(Figure: Request -> PEP -> PDP; the PDP consults the Policy Repository and returns a Decision.)
Basic goal of Generic AAA: allow policy decisions to be made by multiple PDPs belonging to different administrative domains.

Generic AAA Architecture - RFC2903
Achieve the goal by separating the logical decision process from the application specific parts within the PDP.
(Figure: Request -> PEP -> PDP; inside the PDP a Rule Based Engine (the Generic AAA Engine) consults the Policy Repository and Application Specific Modules and returns a Decision.)
A Driving Policy orchestrates the usage of ASMs.

Generic AAA Architecture
(Figure labels: AAA Request, Policy Enforcement Point, Decision; two PDPs, each with Rule Based Engine, Policy Repository and Application Specific Module; User Rights Service; RSVP Service; Service Request.)

Generic AAA Architecture
(Figure labels: XML AAA Request, Policy Enforcement Point, Provision, Ack; two PDPs, each with Rule Based Engine, Policy Repository and Application Specific Module; User Rights Service; Service Access.)

Demo iGrid 2002: single-domain 802.1Q VLAN setup
(Figure: PC sends an AAA Request Message (XML/SOAP) to the RBE; the RBE consults its Policy Database and an ASM; the ASM configures two Enterasys 802.1Q VLAN switches via SNMP using the Dot1Q Bridge MIB.)

Example XML request message (annotated WHY / WHAT)
Values visible in the transcript: simple, JanJansen, #f034d, now, 20.

Example part of a Driving Policy

    if ( ASM::RM.CheckConnection( Request::BodData.Source, Request::BodData.Destination )
         && ( Request::BodData.Bandwidth <= 1000 ) )
    then (
        ASM::RM.RequestConnection( Request::BodData.Source, Request::BodData.Destination,
                                   Request::BodData.Bandwidth, Request::BodData.StartTime,
                                   Request::BodData.Duration ) ;
        Reply::Answer.Message = "Request successful"
    )
    else (
        Reply::Error.Message = "Request failed"
    )
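The driving policy above, as an added Python model that is not part of the original slides or of the Generic AAA toolkit. A constructed resource manager stands in for ASM::RM, and its RequestConnection goes beyond the slide by checking that reservations overlapping in time on one link never exceed the link's capacity, which is the co-allocation check the talk's title refers to; link names and capacities are constructed.

```python
"""Driving-policy evaluation with an advance-reservation resource manager (constructed)."""
from dataclasses import dataclass, field


@dataclass
class BodRequest:          # plays the role of Request::BodData
    source: str
    destination: str
    bandwidth: int         # Mbit/s
    start_time: int        # epoch seconds
    duration: int          # seconds


@dataclass
class ResourceManager:     # plays the role of ASM::RM (constructed, not the UvA ASM)
    links: dict            # (src, dst) -> capacity in Mbit/s
    reservations: list = field(default_factory=list)

    def check_connection(self, src, dst):
        # A connection is possible when a link exists in either direction.
        return (src, dst) in self.links or (dst, src) in self.links

    def capacity(self, src, dst):
        return self.links.get((src, dst), self.links.get((dst, src), 0))

    def request_connection(self, src, dst, bw, start, duration):
        # Co-allocation: bandwidth already reserved on this link for any
        # reservation overlapping [start, end) must leave room for bw.
        end = start + duration
        used = sum(r["bw"] for r in self.reservations
                   if {r["src"], r["dst"]} == {src, dst}
                   and r["start"] < end and start < r["end"])
        if used + bw > self.capacity(src, dst):
            return False
        self.reservations.append(dict(src=src, dst=dst, bw=bw, start=start, end=end))
        return True


def driving_policy(rm, req):
    """Mirrors the slide: the path must exist and bandwidth must be <= 1000 Mbit/s."""
    if rm.check_connection(req.source, req.destination) and req.bandwidth <= 1000:
        if rm.request_connection(req.source, req.destination, req.bandwidth,
                                 req.start_time, req.duration):
            return {"Answer": {"Message": "Request successful"}}
        return {"Error": {"Message": "Request failed: no capacity in time slot"}}
    return {"Error": {"Message": "Request failed"}}
```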

Demo iGrid 2002: single-domain 802.1Q VLAN setup
(Figure: as before; the ASM action shown is "Create RED VLAN and define it on trunk port, include Port X".)

Single-domain Calient PXC setup
(Figure: PC sends an AAA Request Message (XML/SOAP) to the RBE; the RBE consults its Policy Database and an ASM; the ASM controls a Calient PXC switch via TL-1.)

Multi-domain setup
(Figure: PC sends an AAA Request Message (XML/SOAP) to the RBE; two ASMs, each with its own Policy Database, control a Calient PXC switch via TL-1 and two Enterasys 802.1Q VLAN switches via SNMP Dot1Q Bridge MIB.)

Multi-domain setup using a TMN domain
(Figure: as above, with one ASM driving an Alcatel 1355 BOND Element Manager inside an ISO TMN domain that configures two Alcatel 1670 ADMs, and another ASM configuring Enterasys 802.1Q VLAN switches via SNMP Dot1Q Bridge MIB.)

Collaborative multi-domain experiment at SC2003
(Figure: PC with RBE, Policy Database and ASM (AuthZ, Resource Mgr) acting as Photonic Policy Based Access Controller; PCs running PIN (Photonic Interdomain Negotiator) and PDC (Photonic Domain Controller) driving two Calient PXC switches.)
Note: PIN and PDC are developed by EVL at UIC, headed by Oliver Yu. PIN does route determination based on source routing.

Collaborative multi-domain experiment at SC2003
(Figure: the same setup with the domains linked through an OGSI WS interface and an OGSI client interface; each domain has its own RBE, Policy Database and ASM with AuthZ and Resource Mgr, driving the Calient PXC switches.)

Future Research
- Research ways to integrate networks into the Grid by using the principles of Generic AAA to authorize on-demand usage via mechanisms such as GridFTP.
- Inclusion of state awareness in the driving policy, e.g. using WSRF notifications.
- Include concurrency in driving policy execution.
- Identify further Grid requirements towards advance reservation and VO integration.
- Integrate a (WS based) electronic payment system to allow operation without pre-established business relationships.

Thank you! Research funded by the EU IST DataTAG project and SURFnet. Leon Gommans