1. Multi-Domain Lightpath Authorization Architecture using Tokens By: Leon Gommans, Paola Grosso, Fred Wan, Cees de Laat, Marten Hoekstra, Yuri Demchenko, Li Xu, Ralph Koning, University of Amsterdam By: Leon Gommans, Paola Grosso, Fred Wan, Cees de Laat, Marten Hoekstra, Yuri Demchenko, Li Xu, Ralph Koning, University of Amsterdam

2. 1 To enable fast passage at a checkpoint 2 To allow checking at any place in the service network 3 To separate authorized use from unauthorized use 4 To authorize in advance 5 To separate authorization complexity from usage 6 That can be linked to advance reservations 7 To support both pay-before (pre-pay) or pay-later (billing) T T T T T T T T T T T T T T T T Tokens are a proven concept:.

3. Main rationale: Time consuming service authorization process can be separate from fast service access. Service HRM Network Service Network Service Provider A Service Provider A User Home Org User Home Org Finance Work Group Work Group Service Provider B Service Provider B Network Service Network Service T T T T T

4. Testbed shows data- & control plane and involved domains.

5. Application sends reservation request to IDC Inter Domain Controller Inter Domain Controller Reservation Application Reservation Application Domain A DRAGON Inter Domain Controller Inter Domain Controller DomainB DRAGON Policy Enforcement Point Policy Enforcement Point Inter Domain Controller Inter Domain Controller DomainC DRAGON Token Validation Service Policy Enforcement Point Policy Enforcement Point Token Validation Service

6. A Global Resource Identifier (GRI) is created as reference Inter Domain Controller Inter Domain Controller Reservation Application Reservation Application Domain A DRAGON Inter Domain Controller Inter Domain Controller DomainB DRAGON Policy Enforcement Point Policy Enforcement Point Inter Domain Controller Inter Domain Controller DomainC DRAGON Token Validation Service Policy Enforcement Point Policy Enforcement Point Token Validation Service GRI

7. GRI is passed as part of IDC protocol to last domain Inter Domain Controller Inter Domain Controller Reservation Application Reservation Application Domain A DRAGON Inter Domain Controller Inter Domain Controller DomainB DRAGON Policy Enforcement Point Policy Enforcement Point Inter Domain Controller Inter Domain Controller DomainC DRAGON Token Validation Service Policy Enforcement Point Policy Enforcement Point Token Validation Service

8. GRI is handed to the Token Validation Service Inter Domain Controller Inter Domain Controller Reservation Application Reservation Application Domain A DRAGON Inter Domain Controller Inter Domain Controller DomainB DRAGON Policy Enforcement Point Policy Enforcement Point Inter Domain Controller Inter Domain Controller DomainC DRAGON Token Validation Service Policy Enforcement Point Policy Enforcement Point Token Validation Service GRI

9. Token Key Token Key The GRI is “stamped” using an HMAC algorithm into a token. Token = GRI + few bytes of secure hash result HMAC-SHA1 based algoritm HMAC-SHA1 based algoritm GRI T

10. Token is send to PEP and IDC and stored along with GRI Inter Domain Controller Inter Domain Controller Reservation Application Reservation Application Domain A DRAGON Inter Domain Controller Inter Domain Controller DomainB DRAGON Policy Enforcement Point Policy Enforcement Point Inter Domain Controller Inter Domain Controller DomainC DRAGON Token Validation Service Policy Enforcement Point Policy Enforcement Point Token Validation Service T T

11. Token is returned to upstream domain and kept for future enforcement Inter Domain Controller Inter Domain Controller Reservation Application Reservation Application Domain A DRAGON Inter Domain Controller Inter Domain Controller DomainB DRAGON Policy Enforcement Point Policy Enforcement Point Inter Domain Controller Inter Domain Controller DomainC DRAGON Token Validation Service Policy Enforcement Point Policy Enforcement Point Token Validation Service TT

12. Token is handed to reservation application via IDC reply Inter Domain Controller Inter Domain Controller Reservation Application Reservation Application Domain A DRAGON Inter Domain Controller Inter Domain Controller DomainB DRAGON Policy Enforcement Point Policy Enforcement Point Inter Domain Controller Inter Domain Controller DomainC DRAGON Token Validation Service Policy Enforcement Point Policy Enforcement Point Token Validation Service T

13. Token is copied onto USB memory stick Inter Domain Controller Inter Domain Controller Reservation Application Reservation Application Domain A DRAGON Inter Domain Controller Inter Domain Controller DomainB DRAGON Policy Enforcement Point Policy Enforcement Point Inter Domain Controller Inter Domain Controller DomainC DRAGON Token Validation Service Policy Enforcement Point Policy Enforcement Point Token Validation Service T T

14. Take USB memory stick with token to HD display station Inter Domain Controller Inter Domain Controller Reservation Application Reservation Application Domain A DRAGON Inter Domain Controller Inter Domain Controller DomainB DRAGON Policy Enforcement Point Policy Enforcement Point Inter Domain Controller Inter Domain Controller DomainC DRAGON Token Validation Service Policy Enforcement Point Policy Enforcement Point Token Validation Service

15. HD display station requests to open connection to IDC including the token in the request message. Inter Domain Controller Inter Domain Controller Reservation Application Reservation Application Domain A DRAGON Inter Domain Controller Inter Domain Controller DomainB DRAGON Policy Enforcement Point Policy Enforcement Point Inter Domain Controller Inter Domain Controller DomainC DRAGON Token Validation Service Policy Enforcement Point Policy Enforcement Point Token Validation Service T

16. The IDC may decide not check the validity of the token and provisions the path in its domain. Inter Domain Controller Inter Domain Controller Reservation Application Reservation Application Domain A DRAGON Inter Domain Controller Inter Domain Controller DomainB DRAGON Policy Enforcement Point Policy Enforcement Point Inter Domain Controller Inter Domain Controller DomainC DRAGON Token Validation Service Policy Enforcement Point Policy Enforcement Point Token Validation Service

17. The token is passed to the next IDC. The TVS checks the validity of the token - or alternatively.. Inter Domain Controller Inter Domain Controller Reservation Application Reservation Application Domain A DRAGON Inter Domain Controller Inter Domain Controller DomainB DRAGON Policy Enforcement Point Policy Enforcement Point Inter Domain Controller Inter Domain Controller DomainC DRAGON Token Validation Service Policy Enforcement Point Policy Enforcement Point Token Validation Service T

18. .. the token is passed to the GMPLS signaling layer via a gateway such that the token becomes part of RSVP-TE Inter Domain Controller Inter Domain Controller Reservation Application Reservation Application Domain A DRAGON Inter Domain Controller Inter Domain Controller DomainB DRAGON Policy Enforcement Point Policy Enforcement Point Inter Domain Controller Inter Domain Controller DomainC DRAGON Token Validation Service Policy Enforcement Point Policy Enforcement Point Token Validation Service T RSVP Gateway

19. The last domain checks the token and provisions its circuit Inter Domain Controller Inter Domain Controller Reservation Application Reservation Application Domain A DRAGON Inter Domain Controller Inter Domain Controller DomainB DRAGON Policy Enforcement Point Policy Enforcement Point Inter Domain Controller Inter Domain Controller DomainC DRAGON Token Validation Service Policy Enforcement Point Policy Enforcement Point Token Validation Service T

20. 1 Tokens are a simple, fast and flexible way to authorize lightpaths 2 Tokens can be recognized by multiple domains 3 Tokens are authentic symbols where an identifier points to a meaning. 4 Tokens symbolize a commit of advance reservations by each domain 5 Tokens can be used at different layers in the network 6 Domains may or may not choose to enforce tokens (be transparent) 7 The Token Validation Service supporting different Control Plane types T T T T T T T T T T T T T T T T The demo shows:.

21. Yuri Demchenko: Token Validation Service - Phosphorus Project Fred Wan: Signaling model interfaces - Tree v.s. Chain - NextGrid Project Marten Hoekstra: Signaling and IDC deployment - GigaPort Project Li Xu: Token Enforcement at GMPLS layer - StarPlane project Ralph Koning: HD video content - CineGrid Project Leon Gommans: Authorization Architecture - GigaPort Project. Cees de Laat: Scientific group leader T T T T T T T T T T T T T T T T Talk to us to understand our research:.

22. Internet2 ESNET SURFnet NL GigaPort RoN project EU Phosphorus Project EU NextGrid Project Electronic Visualisation Lab CineGrid project GLIF Acknowledgement..

23. Thank you for watching