Datastructure schematics - PowerPoint PPT Presentation

June 28, 2001

1
Datastructure schematics
  • Walter Weiss
  • John Vollbrecht
  • Dave Spence
  • Amol Kulkarni
  • Ravi Sahita
  • Leon Gommans
  • Cees de Laat
  • Freek Dijkstra

2
Device names
[Sequence diagram over time between USER, PEP and PDP:
Access request (USER to PEP), Access notification (PEP to PDP),
Access decision (PDP to PEP), Access decision (PEP to USER)]
  • USER: requester of the services
  • PEP: Policy Enforcement Point (a NAD, Network
    Access Device, in AAA terminology)
  • PDP: Policy Decision Point (an AAA server)

3
Connection steps
[Sequence diagram over time between USER, PEP and PDP;
the step labels are not reproduced in the transcript.]
4
Connection names
5
Allowable combination of messages
  • Combine provisioning and session approval

Is it possible to (optionally) combine provisioning
requests and access decision messages? It might
sometimes be useful to avoid waiting for the
provisioning response (an acknowledgement) and send the
Go approval (access decision) right away. This
may save one round-trip time.
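The two exchanges this slide compares, as an added example in Python (not part of the slides, not the authors' code): a PEP and a PDP pass the message types named on slides 2 and 5 through a toy event loop in which each one-way message costs one tick, once with the provisioning request and the access decision sent separately and once combined in a single message. The event loop, the tick cost, the policy content, the session and user names, and the PEP's rule of installing provisioning before enforcing a Go are assumptions of the example, not something the slides state.

```python
"""Added example (not from the slides): PEP/PDP exchange with the provisioning
request sent separately from, or combined with, the access decision. Message
names follow slides 2 and 5; the event loop, costs and policy content are
assumptions."""
from dataclasses import dataclass, field


@dataclass
class Message:
    kind: str            # AccessRequest, ProvisionRequest, ProvisionResponse,
                         # AccessDecision, or ProvisionRequest+AccessDecision
    session_id: int
    payload: dict = field(default_factory=dict)


class PEP:
    def __init__(self):
        self.installed_policy = {}   # session_id -> provisioned policy
        self.session_status = {}     # session_id -> "accept" / "reject"

    def _apply_decision(self, sid, decision):
        # Assumed rule: a Go is never enforced for a session that has not been
        # provisioned, so the session is never open without its policy.
        if decision == "accept" and sid not in self.installed_policy:
            raise RuntimeError(f"session {sid}: accept before provisioning")
        self.session_status[sid] = decision

    def handle(self, msg):
        sid = msg.session_id
        if msg.kind == "ProvisionRequest":
            self.installed_policy[sid] = msg.payload["policy"]
            return [Message("ProvisionResponse", sid)]
        if msg.kind == "AccessDecision":
            self._apply_decision(sid, msg.payload["decision"])
            return []
        if msg.kind == "ProvisionRequest+AccessDecision":
            self.installed_policy[sid] = msg.payload["policy"]   # install first ...
            self._apply_decision(sid, msg.payload["decision"])   # ... then enforce
            return [Message("ProvisionResponse", sid)]
        raise ValueError(msg.kind)


class PDP:
    def __init__(self, combine):
        self.combine = combine
        self.pending = {}            # session_id -> decision waiting for the ack

    def handle(self, msg):
        sid = msg.session_id
        if msg.kind == "AccessRequest":
            policy = {"filter": f"permit {msg.payload['user']}"}  # hypothetical content
            if self.combine:
                return [Message("ProvisionRequest+AccessDecision", sid,
                                {"policy": policy, "decision": "accept"})]
            self.pending[sid] = "accept"
            return [Message("ProvisionRequest", sid, {"policy": policy})]
        if msg.kind == "ProvisionResponse":
            decision = self.pending.pop(sid, None)
            if decision is None:
                return []            # combined form: the decision already went out
            return [Message("AccessDecision", sid, {"decision": decision})]
        raise ValueError(msg.kind)


def run_exchange(combine):
    """Drive one session (id 1, user "alice", constructed) through PEP and PDP.
    Each one-way message costs one tick; returns the number of wire messages,
    the tick at which the PEP learnt the decision, and the resulting status."""
    pep, pdp = PEP(), PDP(combine)
    outbox = [("pep", Message("AccessRequest", 1, {"user": "alice"}))]
    clock, messages, decision_tick = 0, 0, None
    while outbox:
        sender, msg = outbox.pop(0)
        clock += 1
        messages += 1
        if sender == "pep":
            outbox += [("pdp", m) for m in pdp.handle(msg)]
        else:
            outbox += [("pep", m) for m in pep.handle(msg)]
            if decision_tick is None and 1 in pep.session_status:
                decision_tick = clock
    return {"messages": messages, "decision_tick": decision_tick,
            "status": pep.session_status[1]}


if __name__ == "__main__":
    print("separate:", run_exchange(False))   # 4 messages, decision at tick 4
    print("combined:", run_exchange(True))    # 3 messages, decision at tick 2
```

The combined form delivers the decision to the PEP two ticks (one round trip) earlier and uses one message fewer on the wire. The caveat the combination brings is ordering: the PEP in this example installs the provisioned data before it acts on the Go carried in the same message, and refuses a bare Go for a session nothing has been provisioned for.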
6
Generic AAA models
Observations: a-f are generic request messages,
separated from b-c, which is the authentication part,
and d-e, which is the provisioning part. (The letters
refer to the model diagram on this slide, which is not
reproduced in the transcript.)
7
SessionTable Datastructure

Session
  InstanceId
  TableType
  SessionStatus
  Binding-to-other-sessions

An instance of this class is created by the PEP
and sent to the PDP. The PDP will fill in the
SessionStatus field and send the instance back
when sending a decision.

AuthExtensions
  InstanceId
  ReferenceId of Session
  Other attributes

This is a transient class. Its instances are
temporary and are deleted by the PEP after a
certain time/event. Thus it MUST NOT be referred
to by the server. Also, since instances are
deleted, InstanceIds may be reused.
8
SessionTable Datastructure

Session
  InstanceId
  TableType
  SessionStatus
  Binding-to-other-sessions

  • InstanceId is the PRID.
  • TableType defines the extended class (e.g. EAP,
    PAP, CHAP, etc.).
  • SessionStatus tells whether the session has been
    accepted or rejected by the PDP (the result of
    the AccessDecision).
  • Binding-to-other-sessions is the PRID of an
    upstream session. It is used to support
    single sign-on.
  • PRID to interface (not in table?) is a reference
    to the InterfaceTable.
  • The AuthExtensions differ per protocol used
    between the PEP and the User workstation.

AuthExtensions
  InstanceId
  ReferenceId of Session
  Other attributes
9
InterfaceTable Datastructure

InterfaceTable
  InstanceId
  SessionId
  Type -> PRID to i/f
  Type -> PRID to i/f
  Type -> PRID to i/f
  ...

SessionId is a PRID to the SessionTable. Next is
a table of PRIDs to application-specific
interface datastructures (e.g. dialup
information for a typical NAD, or an IP address
and URL if a user wants to buy a book from a
webserver and needs to be identified).
10
Example InterfaceTable Datastructure

Session
  InstanceId
  TableType
  SessionStatus
  Binding to other sessions
  PRID to interface

InterfaceTable
  InstanceId
  SessionId
  Type -> PRID to i/f
  Type -> PRID to i/f
  Type -> PRID to i/f
  ...

Example interface datastructures referenced from the table:
  Layer3    -> IP port ...
  Layer2    -> MAC addr. ...
  Call data -> dialup number ...
  Bookname  -> URL ...
11
Accessor Datastructure

AccessorTable
  InstanceId
  TriggerAuthentication
  Attributes defining other semantics

Accessor Association
  InstanceId
  ReferenceId of Accessor
  PRID of associated element

The Accessor Table is used to provision a PEP so
that it knows which event should trigger an
authentication request from the PEP to the PDP,
and which InterfaceTables need to be sent to the
PDP.
TriggerAuthentication is a boolean value,
indicating whether or not to do authentication.
The accessor table needs to define the semantics,
and also what else needs to accompany the auth
request. The last part is done by the Accessor
Association table.
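How a PEP would use these two tables once provisioned, as an added example in Python (not the authors' code): the Accessor Association rows tie an AccessorTable entry to the InterfaceTables that must accompany the authentication request, and the PEP consults them when an event fires. The event names, PRID values, request payload shape and the check that attached tables belong to the session being authenticated are assumptions of the example.

```python
"""Added example (not the authors' code): a PEP provisioned with an Accessor
table and its Accessor Association rows, deciding on an event whether to send
an authentication request to the PDP and which InterfaceTables to attach.
Event names, PRID values and the request payload shape are assumptions."""
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class InterfaceTable:
    instance_id: int                   # PRID of this table
    session_id: int                    # PRID back into the SessionTable
    interfaces: dict = field(default_factory=dict)  # Type -> PRID of i/f data


@dataclass
class AccessorTable:
    instance_id: int
    trigger_authentication: bool       # does this event trigger an auth request?
    semantics: dict = field(default_factory=dict)   # "attributes defining other semantics"


@dataclass
class AccessorAssociation:
    instance_id: int
    reference_id_of_accessor: int      # -> AccessorTable.instance_id
    prid_of_associated_element: int    # -> InterfaceTable.instance_id


class PEP:
    def __init__(self) -> None:
        self.interface_tables: dict = {}   # PRID -> InterfaceTable
        self.accessors: dict = {}          # event name -> AccessorTable (assumed keying)
        self.associations: list = []       # AccessorAssociation rows

    def on_event(self, event: str, session_prid: int) -> Optional[dict]:
        """Return the auth request to send for this event, or None if none is due."""
        acc = self.accessors.get(event)
        if acc is None or not acc.trigger_authentication:
            return None
        tables = [self.interface_tables[a.prid_of_associated_element]
                  for a in self.associations
                  if a.reference_id_of_accessor == acc.instance_id]
        # Assumed check: never ship another session's interface data to the PDP
        for t in tables:
            if t.session_id != session_prid:
                raise ValueError(f"InterfaceTable {t.instance_id} belongs to "
                                 f"session {t.session_id}, not {session_prid}")
        return {"event": event, "session": session_prid,
                "interface_tables": tables, **acc.semantics}


def build_example() -> PEP:
    """Constructed provisioning: link-up triggers authentication, keepalive does not."""
    pep = PEP()
    pep.interface_tables[100] = InterfaceTable(100, 5, {"Layer3": 300, "Layer2": 200})
    pep.interface_tables[101] = InterfaceTable(101, 9, {"Call data": 400})
    pep.accessors["link-up"] = AccessorTable(900, True, {"reason": "new connection"})
    pep.accessors["keepalive"] = AccessorTable(901, False)
    pep.associations.append(AccessorAssociation(1, 900, 100))
    pep.associations.append(AccessorAssociation(2, 901, 101))
    return pep
```

With this provisioning a link-up on session 5 produces a request carrying InterfaceTable 100 and the accessor's extra semantics, a keepalive produces nothing, and a link-up reported against a session whose associated table belongs to someone else is refused rather than forwarded.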
12
Policy Datastructure

Policy Association
  InstanceId
  ReferenceId of Session
  PRID of Policy

Associates a session with policies. The second
and third attributes form a unique pair. A
ReferenceId has been used here because that
attribute will always point to the session table.

Policy
  InstanceId
  Other attributes
13
Alternative Datastructure
[Class diagram split between the PEP side and the PDP side]

Session Request
  InstanceId
  Session Status
  PRID to Interface Table
  PRID to Authorization Table
  Binding to other Sessions

Session Response
  InstanceId
  Session Status
  PRID to Service Table
  PRID to User Profile

User Profile
  InstanceId
  User ID
  Authentication method
  Time of authentication

Authorization
  InstanceId
  Type
  PRID to PDP session

Interface
  InstanceId
  Type

Service
  InstanceId
  PRID to Service Session
14
Example Session Hierarchy

Session
  InstanceId: 5
  TableType
  SessionStatus
  Binding-to-other-sessions: 0

Session
  InstanceId: 7
  TableType
  SessionStatus
  Binding-to-other-sessions: 5
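The SessionTable, AuthExtensions and Policy Association classes of slides 7, 8 and 12, loaded with the hierarchy above, as an added example in Python (not the authors' code). It follows the Binding-to-other-sessions chain from session 7 up to session 5 for single sign-on, shows why a server must not hold a reference to an AuthExtensions instance (the PEP hands freed InstanceIds out again), and enforces the unique (session, policy) pair of the Policy Association. PRIDs are plain ints; the store and method names, the policy content and the rule that single sign-on reuses the nearest accepted upstream session are assumptions.

```python
"""Added example (not the authors' code): a toy model of the SessionTable,
AuthExtensions and Policy Association classes of slides 7, 8 and 12, loaded
with the session hierarchy of slide 14. PRIDs are plain ints; the store and
method names and the single sign-on lookup rule are assumptions."""
from __future__ import annotations
from dataclasses import dataclass
from typing import Optional

PRID = int  # stands in for a COPS-PR Policy Rule Instance ID

@dataclass
class Session:
    instance_id: PRID                 # the session's own PRID
    table_type: str                   # extended class: "EAP", "PAP", "CHAP", ...
    binding_to_other_sessions: PRID   # PRID of the upstream session, 0 if none
    prid_to_interface: Optional[PRID] = None  # reference into the InterfaceTable
    session_status: Optional[str] = None      # filled in by the PDP

@dataclass
class AuthExtensions:  # transient and PEP-only; InstanceIds get reused
    instance_id: int
    reference_id_of_session: PRID
    attributes: dict

@dataclass
class PolicyAssociation:
    instance_id: int
    reference_id_of_session: PRID
    prid_of_policy: PRID

class PEPStore:
    def __init__(self) -> None:
        self.sessions: dict[PRID, Session] = {}
        self.auth_extensions: dict[int, AuthExtensions] = {}
        self._free_ext_ids: list[int] = []
        self._next_ext_id = 1

    def new_auth_extension(self, session: PRID, attributes: dict) -> int:
        # Freed InstanceIds are handed out again, which is why the PDP MUST NOT
        # hold a reference to an AuthExtensions instance.
        if self._free_ext_ids:
            ext_id = self._free_ext_ids.pop(0)
        else:
            ext_id, self._next_ext_id = self._next_ext_id, self._next_ext_id + 1
        self.auth_extensions[ext_id] = AuthExtensions(ext_id, session, attributes)
        return ext_id

    def expire_auth_extension(self, ext_id: int) -> None:
        del self.auth_extensions[ext_id]
        self._free_ext_ids.append(ext_id)

class PDPStore:
    def __init__(self) -> None:
        self.policies: dict[PRID, dict] = {}
        self.associations: list[PolicyAssociation] = []

    def decide(self, session: Session, accept: bool) -> Session:
        # Fill in SessionStatus on the instance the PEP sent; it goes back with the decision
        session.session_status = "accepted" if accept else "rejected"
        return session

    def associate(self, session: PRID, policy: PRID) -> PolicyAssociation:
        if policy not in self.policies:
            raise KeyError(f"unknown policy PRID {policy}")
        # (ReferenceId of Session, PRID of Policy) must be a unique pair
        if any((a.reference_id_of_session, a.prid_of_policy) == (session, policy)
               for a in self.associations):
            raise ValueError(f"session {session} already bound to policy {policy}")
        assoc = PolicyAssociation(len(self.associations) + 1, session, policy)
        self.associations.append(assoc)
        return assoc

def upstream_chain(pep: PEPStore, prid: PRID) -> list[PRID]:
    """Follow Binding-to-other-sessions to the root; 0 terminates, a loop is an error."""
    chain, seen = [], set()
    while prid != 0:
        if prid in seen:
            raise ValueError(f"binding loop at session {prid}")
        seen.add(prid)
        chain.append(prid)
        prid = pep.sessions[prid].binding_to_other_sessions
    return chain

def sso_root(pep: PEPStore, prid: PRID) -> Optional[PRID]:
    """Single sign-on (assumed rule): the nearest upstream session already accepted."""
    for upstream in upstream_chain(pep, prid)[1:]:
        if pep.sessions[upstream].session_status == "accepted":
            return upstream
    return None

def build_example() -> tuple[PEPStore, PDPStore]:
    """Slide 14: session 7 is bound to session 5, which has no upstream session."""
    pep, pdp = PEPStore(), PDPStore()
    pep.sessions[5] = Session(5, "EAP", binding_to_other_sessions=0, prid_to_interface=100)
    pep.sessions[7] = Session(7, "PAP", binding_to_other_sessions=5)
    pdp.policies[42] = {"name": "allow-web"}  # hypothetical policy content
    pdp.decide(pep.sessions[5], accept=True)
    pdp.associate(5, 42)
    return pep, pdp
```

Two of the checks matter in practice: `upstream_chain` refuses a binding loop instead of spinning, and the reuse of AuthExtensions InstanceIds is made visible, since a PDP that had stored the id of session 5's extension would, after that extension expired, be pointing at whatever the PEP allocated next.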
15
Authentication semantical model
16
Single sign on
[Diagram: User, PEP1, PEP2, PDP1, PDP2 and Service]
17
Single sign on Case 1
[Diagram: User, PEP1, PEP2, PDP1 and PDP2]
18
Single sign on Case 2
[Diagram: User, PEP1, PEP2, PDP1 and PDP2]