Presentation is loading. Please wait.

Presentation is loading. Please wait.

Generic AAA* based Bandwidth on Demand MB-NG workshop UCL London 20/02/2003 Leon Gommans Advanced Internet Research Group University of Amsterdam

Published byLilian Veronica Daniels Modified over 8 years ago

Similar presentations

Presentation on theme: "Generic AAA* based Bandwidth on Demand MB-NG workshop UCL London 20/02/2003 Leon Gommans Advanced Internet Research Group University of Amsterdam"— Presentation transcript:

1 Generic AAA* based Bandwidth on Demand MB-NG workshop UCL London 20/02/2003 Leon Gommans Advanced Internet Research Group University of Amsterdam lgommans@science.uva.nl * Authentication Authorization & Accounting Research funded by

2 Content - Goals and basic list of requirements. - Lightpath and Lightpath control concepts - Generic AAA concepts - High level design and operation of proof of concept. - Example of a simple request message and policy. - Technical Design & Implementation: Bas.

3 Goal of BoD work at UvA. Allow application demand to provision a L1/L2 network channel that does by-pass the regular internet connection. Regular Internet connection becomes control channel, L1/L2 network the transport channel. - Rationale is that above a certain level of: parallel required bandwidth / number of different destinations a Layer-3 QoS network will become too expensive. - I.e. the requested bandwidth is in the order of the traffic generated by a nations NRN and only a few destinations need such connectivity. Examples can be found in HEP, radio-astronomy etc. However AAA concepts can also be used for L3 Diffserv connections

4 Other considerations -TCP stack & transport channel needs tailored behavior to make optimal use of a high speed ( GB ), high delay (>100ms) channel - Modifications tend to generate Internet “unfriendly” TCP traffic, that does not mix well unless routers are aware of the high bandwidth topology. Topology needs to be management somehow. -Single Packet drop in standard TCP causes severe performance hits - Limited memory buffer sizes in routers/switches do cause packet drops when the road “gets smaller” on long fat pipes. Equipment designed for MAN operation can not be in the chain. - Firewalls do not support extreme high bandwidth connections. - Possible option: Create dedicated channels that are intended to get utilized 100% for the required time. Cost model will determine if and when on-demand usage is required v.s. dedicated usage.

5 Rough requirements list. - Allow L 1, 2, 3 lightpath usage in a “demand driven” fashion. - Allow “hard” or “soft” pre-allocation. - Must support allocation and usage across multiple domains. - Must be integrated into middleware e.g. by allowing provisioned by-pass model to be supported by applications such as GridFTP. - Allow authorized VO’s or individual users to discover available lightpath destination (e.g. Via OGSA/WS). - Allow authorized users (with a certain role within the VO) to pre-allocate and use bypass for a limited amount of time and with limits on the allocated bandwidth. - Must integrate with existing authentication & user (role based) authorization system: Looking into EDG VOMS. - Incorporation of topology awareness is of later concern.

6 Rough requirements list. -Must hide complexity from user. Conceptually the user must perform the process in 3 basic steps after login: 1)Pre-allocate thru a discovery and scheduling system -> BoD system issues authorization. 2)Allow own or delegated job to allocate the network resource whereby it uses the issued authorization. 3)Once the job is finished, the authorization is handed back/invalidated so resources can be freed. -User (or scheduling system) must be allowed to change the reservation if the process flow so dictates. -Allocating user may be different from ultimate user. -Allocating user may subdivide capacity amongst users. -Must ultimately support Grid Economic Services Architecture features to allow ad hoc creation. -Must ultimately provide Grid Accounting records for billing or clearing and settlement.

7 Design considerations. -Group in Amsterdam does focus on deploying Generic AAA (RFC2903/RFC2904) concepts to handle authorization of mainly L1/L2 lightpath. Group members were authors. -Best suited to handle policy based authorization in a dynamic fashion either to build AuthZ tokens or process requests which contain AuthZ tokens. -Authorizations between administrative domains must be done at a fairly high-level. -Don’t want to address low level networking problems (path finding/setup) as vendors and researchers are already active in this area. -Could work in parallel to GARA BB efforts to add policies to handling authorized provisioning of QoS tunnels.

8 Lightpath Def*: Any uni-directional point to point connection with effective guaranteed bandwidth Examples of LightPaths: * L1: Analog wavelength on a CWDM or DWDM system * L1: Gigabit Ethernet over dedicated fiber strand * L2: STS channel on a SONET or SDH circuit * L2: ATM CBR circuit * L2: MPLS VLAN * L3: Diff serv “gold” service on a packet based network * Definition by Bill St. Arnoud of Canarie

9 Control models In multidomain scenario’s you must have some awareness of the underlying high-level concept of the connection. Must understand what piece of the conceptual connection the AAA entity is controlling: Collector switch at the ingress and its connected networks or equipment The link Distributor switch at the egress and its connected networks or equipment

10 Full Control model Selector Switch Distributor Switch Selector Switch Distributor Switch Domain X Domain Y Domain X DomainY

11 Partial control model Domain BDomain C Domain A Domain D

12 Hybrid models Domain BDomain C Domain A Domain D Domain X DomainY

13 Full control model Selector Switch Distributor Switch Domain X Domain Y AAA Domain AAA engine must control both selector and distributor switch and Interconnecting network

14 Partial control model Selector Switch Distributor Switch Domain ADomain B AAA Domain AAA engine must control the selector or distributor switch and one of the AAA Servers must control intermediate network AAA

15 Generic AAA o 5 years ago a AAA server was known as a server supporting dail-in boxes thru the RADIUS protocol (at IETF). o IETF42 (in same hotel as GGF6) held first AAA BOF as it was recognized AAA could be used in other type of applications. o Amsterdam group has been participating on defining concepts for Generic AAA since march 1999 when AAA WG was formed at IETF-44 o Work became IRTF subject end of 1999 (AAA ARCH RG). o ID’s that became RFC’s 2903 – 2906 were submitted after the Adelaide IETF march 2000. RFC’s describe framework, architecture, example applications and requirements. o Optical Networking within grid environment is a research application for Generic AAA.

16 RFC 2904 Generic AAA Framework basic principles 3 fundamentally different user initiated authorization sequences. Note: RFC2904 does not show step 5 – service access. Service AAA User Service AAA User Service AAA User Pull sequence NAS (remote access) RSVP (network QoS) Agent sequence Agents, Brokers, Proxy’s. Push sequence. Tokens, Tickets, AC’s etc. 1 1 1 22 2 3 33 4 4 4

17 Generic AAA Framework Separating the User Awareness from the Service yield Roaming Models: Example roaming pull model. Service AAA User 1 2 5 6 AAA 3 4 User Home Organization Service Provider

18 Generic AAA Framework Distributed Services Models allow many types and combination of authorization sequences.. Service AAA User AAA User Home Organization Service Provider A Service AAA Service Provider B AAA Client

19 Generic AAA Architecture – RFC2903 Policy Decision Point Policy Enforcement Point Fundamental idea’s inspired by work of the IETF RAP WG that in RFC 2753 describes a framework for Policy-based Admission Control. Foundation for COPS The point where policy decisions are made. The point where the policy decisions are actually enforced. Request Decision Policy Repository Basic Goal Generic AAA: Allow policy decisions to be made by multiple PDP’s belonging to different administrative domains.

20 Generic AAA Architecture – RFC2903 Application Specific Module Policy Enforcement Point Achieve goal by by separating the logical decision process from the application specific parts within the PDP. Request Decision Rule Based Engine Policy Repository PDP

21 Example of Generic AAA Architecture – RFC2903 Application Specific Module Bandwidth Broker Rule Based Engine Policy Repository Application Specific Module Rule Based Engine Policy Repository Users Application Specific Module Rule Based Engine Policy Repository Contracts Budgets Registration Dept.Purchase Dept. Bandwidth Provider AAA Server AAA Server AAA Server (Virtual) User Organization QoS Enabled Network User Service Service Organization

22 802.1Q VLAN Switch Enterasys Matrix E5 A B C D 802.1Q VLAN Switch Enterasys Matrix E5 1 GB SX AA A 192.168. 1.5 iGrid2002 Policy DB AAA Request 192.168. 1.6 192.168. 2.3 192.168. 2.4 Generic AAA (RFC2903) based Bandwidth on Demand

23 Example XML Lightpath request simple JanJansen #f034d 192.168.1.5 192.168.1.6 1000 now 20

24 Policy (significant part) executed by AAA Rule Based Engine if ( ASM::RM.CheckConnection( Request::BodData.Source, Request::BodData.Destination ) && ( Request::BodData.Bandwidth <= 1000 ) ) then ( ASM::RM.RequestConnection( Request::BodData.Source, Request::BodData.Destination, Request::BodData.Bandwidth, Request::BodData.StartTime, Request::BodData.Duration ) ; Reply::Answer.Message = "Request successful" ) else ( Reply::Error.Message = "Request failed" )

25 L2/L3 Setup using GARA based network provisioning 802.1Q VLAN Switch Enterasys SS6000 A B C D 802.1Q VLAN Switch Enterasys SS6000 GARA (multidomain) QoS network AA A Bo DSe rv IP A IP B IP C IP D GAR A Band w Brok er VO MS

26 WS + Service Discovery VOMS GARA Agent BB USER Role Request + Reply Pseudo Cert Grid Authentication Auth DB Advance Reservation request / reply QoS Path request / reply Slot Table BGP Topology advertisements + Reservation indications Path Provision indications QoS Networks AAAAAA Policy DB

27 AAA Core Run Time Env User/ Organization Integration Service Control + Integration Accounting Security Integration Management And Monitoring J2EE, Apache –Axis Web Services – OGSA AAA protocol PKI, KERBEROS, VOMS Layer N networking Scheduling Advance Reservation Service Discovery and Ontology CA, CA policy Authentication Devices, Protocol Security Billing, Clearing & Settlement Policy Language Standards Body Liaison + Architect. Managemnt & Document. WP 2 manpwr WP 4 manpwr

28 Design considerations o Full control model was chosen for first implementation. o Single AAA engine controls both ingress and egress switch by creating 802.1Q VLAN’s using the dot1Q Bridge MIB extentions via SNMP. o 1 GB channel between switches carry 802.1Q tagged ethernet frames. An 802.1Q trunk can carry up to 4096 VLAN’s. o End stations will register with AAA engine and subsequently send request to reach other stations (pointed to via its public IP address). o By-pass communication channel uses a private IP address space. Destinations are identified by main IP address.

29 Related work: 1)Separate ASM and RBE and allow ASM’s to be loaded/unloaded dynamically using J2EE. 2)Implement pre-allocation mechanisms (based on GARA slot table) 3)Create ASM for Bandwidth Broker 4)Create ASM to find out high level domain topology (will be using hard coded info at first). 5)Allow RBE’s to talk to each other (define messages). 6)Integrate BoD AAA client into middleware eg by allowing integration with GridFTP and integration with VOMS authentication and user authorization system. 7)Build WS interface abstraction for pre-allocation and subsequent usage.

30 Technical Design and Implementation overview Bas van Oudenaarde

31 Thank you ! lgommans@science.uva.nl

Download ppt "Generic AAA* based Bandwidth on Demand MB-NG workshop UCL London 20/02/2003 Leon Gommans Advanced Internet Research Group University of Amsterdam"

Similar presentations

Authentication Authorization Accounting and Auditing

Authentication Authorization Accounting and Auditing
Photonic TeraStream and ODIN By Jeremy Weinberger The iCAIR iGRID2002 Demonstration Shows How Global Applications Can Use Intelligent Signaling to Provision.

Photonic TeraStream and ODIN By Jeremy Weinberger The iCAIR iGRID2002 Demonstration Shows How Global Applications Can Use Intelligent Signaling to Provision.
Generic AAA* based Bandwidth on Demand EVL at UIC meeting Leon Gommans

Generic AAA* based Bandwidth on Demand EVL at UIC meeting Leon Gommans
GT 4 Security Goals & Plans Sam Meder

GT 4 Security Goals & Plans Sam Meder
All rights reserved © 2005, Alcatel Grid services over IP Multimedia Subsystem  Antoine Pichot, Olivier Audouin, Alcatel  GridNets ’06.

All rights reserved © 2005, Alcatel Grid services over IP Multimedia Subsystem  Antoine Pichot, Olivier Audouin, Alcatel  GridNets ’06.
IP over ATM Integrated Network Services Almerindo Graziano.

IP over ATM Integrated Network Services Almerindo Graziano.
Token Based Authorization of GMPLS Networks By: Leon Gommans, Paola Grosso, Fred Wan, Cees de Laat, Marten Hoekstra, Li Xu University of Amsterdam By:

Token Based Authorization of GMPLS Networks By: Leon Gommans, Paola Grosso, Fred Wan, Cees de Laat, Marten Hoekstra, Li Xu University of Amsterdam By:
Authorization of a QoS path based on Generic AAA SC2002 Baltimore NOV 16-22 Bas van Oudenaarde Advanced Internet Research Group University of Amsterdam.

Authorization of a QoS path based on Generic AAA SC2002 Baltimore NOV Bas van Oudenaarde Advanced Internet Research Group University of Amsterdam.
Tiziana FerrariWP2.3 Advance Reservation Demonstration: Description and set-up 1 WP2.3 Advance Reservation Demonstration: Description and set-up DRAFT,

Tiziana FerrariWP2.3 Advance Reservation Demonstration: Description and set-up 1 WP2.3 Advance Reservation Demonstration: Description and set-up DRAFT,
Generic AAA model in Grids IRTF - AAAARCH meeting IETF 52 – Dec 14 th Salt Lake City Leon Gommans Advanced Internet Research Group.

Generic AAA model in Grids IRTF - AAAARCH meeting IETF 52 – Dec 14 th Salt Lake City Leon Gommans Advanced Internet Research Group.
Tiziana FerrariWP2.3 Advance Reservation Demonstration: Description and set-up 1 WP2.3 Advance Reservation Demonstration: Description and set-up DRAFT,

Tiziana FerrariWP2.3 Advance Reservation Demonstration: Description and set-up 1 WP2.3 Advance Reservation Demonstration: Description and set-up DRAFT,
Generic AAA based provisioning Of Network Elements Status update EVL 9/10/03 Leon Gommans University of Amsterdam.

Generic AAA based provisioning Of Network Elements Status update EVL 9/10/03 Leon Gommans University of Amsterdam.
Resource Management – a Solution for Providing QoS over IP Tudor Dumitraş, Frances Jen-Fung Ning and Humayun Latif.

Resource Management – a Solution for Providing QoS over IP Tudor Dumitraş, Frances Jen-Fung Ning and Humayun Latif.
AAA-ARCH IRTF-RG Authentication Authorisation and Accounting ARCHitecture Research Group chairs: C. de Laat J. Vollbrecht Content of this talk has contributions.

AAA-ARCH IRTF-RG Authentication Authorisation and Accounting ARCHitecture Research Group chairs: C. de Laat J. Vollbrecht Content of this talk has contributions.
A Study of Mobile IP Kunal Ganguly Wichita State University CS843 – Distributed Computing.

A Study of Mobile IP Kunal Ganguly Wichita State University CS843 – Distributed Computing.
1 CHEETAH software OCS/AAA module Routing decision module Signaling module VLSR module Include TL1 proxy for Cisco 15454 MSPP Router disconnect module.

1 CHEETAH software OCS/AAA module Routing decision module Signaling module VLSR module Include TL1 proxy for Cisco MSPP Router disconnect module.
(part 3).  Switches, also known as switching hubs, have become an increasingly important part of our networking today, because when working with hubs,

(part 3).  Switches, also known as switching hubs, have become an increasingly important part of our networking today, because when working with hubs,
ESnet On-demand Secure Circuits and Advance Reservation System (OSCARS) Chin Guok Network Engineering Group Thomas Ndousse Visit February 6 2008 Energy.

ESnet On-demand Secure Circuits and Advance Reservation System (OSCARS) Chin Guok Network Engineering Group Thomas Ndousse Visit February Energy.
Abstraction and Control of Transport Networks (ACTN) BoF

Abstraction and Control of Transport Networks (ACTN) BoF
Lecture slides prepared for “Business Data Communications”, 7/e, by William Stallings and Tom Case, Chapter 8 “TCP/IP”.

Lecture slides prepared for “Business Data Communications”, 7/e, by William Stallings and Tom Case, Chapter 8 “TCP/IP”.

Similar presentations

Ads by Google