Generic AAA based provisioning - PowerPoint PPT Presentation

Slides: 21
Provided by: leongo
Transcript and Presenter's Notes

1
Generic AAA based provisioning of Network Elements
Status update EVL 9/10/03
Leon Gommans, University of Amsterdam
2
Update
  • Generic AAA quick overview
  • Generic AAA server status and features
  • Testbed options
  • Example policy and request message
  • Discussion on request message format.

9 Oct 2003 Update meeting EVL
Leon Gommans
3
Main functions AAA server
  • "AAA server" may not be a good name, as it does the following:
  • Receive a request message that may contain authorization information and other attributes
  • Fetch a driving policy, evaluate the information contained within the request and take an authorization decision
  • Take one or more policy actions based on the outcome of the policy decision.
  • Evaluation of policy may involve other AAA servers.

4
AuthZ sequences
[Figure: three sequence diagrams, each with a User, an AAA server and a Service, message steps numbered 1 to 4]
  • Pull sequence: NAS (remote access), RSVP (network QoS)
  • Agent sequence: Agents, Brokers, Proxies.
  • Push sequence: Tokens, Tickets, ACs etc.
Source: RFC 2904
5
Example of AAA server combinations: Roaming using agent pull sequence
[Figure labels: User; User Home Organization (AAA); Service Providers (AAA, Service); message steps numbered 1 to 6]
6
Generic AAA Architecture RFC2903

Fundamental ideas inspired by work of the IETF RAP WG that in RFC 2753 describes a framework for Policy-based Admission Control. Foundation for COPS.
  • Policy Decision Point: The point where policy decisions are made.
  • Policy Enforcement Point: The point where the policy decisions are actually enforced.
[Figure labels: Policy Decision Point; Policy Repository; Request; Decision; Policy Enforcement Point]
Basic Goal Generic AAA: Allow policy decisions to be made by multiple PDPs belonging to different administrative domains.
7
Generic AAA Architecture
Achieve goal by separating the logical decision process from the application specific parts within the PDP.
[Figure labels: PDP (Rule Based Engine, Application Specific Module); Policy Repository; Request; Decision; Policy Enforcement Point]
8
Generic AAA Architecture
[Figure labels: two PDPs, each with Rule Based Engine, Policy Repository and Application Specific Module; User Rights; AAA Request; Decision; Policy Enforcement Point; Service; Service Request]
9
Generic AAA server Implementation at UvA
  • First implementation of RBE and ASMs was built as a servlet on an Apache / Axis webserver environment. Demo'd at iGrid2002.
  • Converted RBE and ASM to run within a J2EE EJB container (J2EE V1.4 beta2 reference edition)
  • Needed Java Connector Architecture, which became available in 1.4, to communicate to the outside world to talk CLI/TL-1 or SNMP.
  • Using JCA was a major effort (no/bad documentation, non-running example code etc.)
  • J2EE gives us WS features.
  • Integrated simple OGSA service as test.

10
Example XML request message

    <AAARequest version="0.1" type="BoD">
      <Authorization>
        <credential>
          <credential_type>simple</credential_type>
          <credential_ID>JanJansen</credential_ID>
          <credential_secret>f034d</credential_secret>
        </credential>
      </Authorization>
      <BodData>
        <Source>192.168.1.5</Source>
        <Destination>192.168.1.6</Destination>
        <Bandwidth>1000</Bandwidth>
        <StartTime>now</StartTime>
        <Duration>20</Duration>
      </BodData>
    </AAARequest>

11
Example part of a Driving Policy

    if ( ( ASMRM.CheckConnection(
               RequestBodData.Source,
               RequestBodData.Destination )
           &&
           ( RequestBodData.Bandwidth < 1000 )
       ) )
    then (
        ASMRM.RequestConnection(
            RequestBodData.Source,
            RequestBodData.Destination,
            RequestBodData.Bandwidth,
            RequestBodData.StartTime,
            RequestBodData.Duration ) ;
        ReplyAnswer.Message = "Request successful"
    )
    else (
        ReplyError.Message = "Request failed"
    )
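
The request from slide 10 evaluated against the policy fragment from slide 11, as an added Python example that is not code from the presentation or from the UvA toolkit. StubResourceManagerASM, evaluate() and the link table are hypothetical; the credential is not checked because the policy excerpt does not check it, and any parse or type error results in a deny so malformed input never reaches the ASM.

```python
import xml.etree.ElementTree as ET

# Constructed sample: the slide-10 request message.
SAMPLE_REQUEST = """<AAARequest version="0.1" type="BoD">
  <Authorization><credential>
    <credential_type>simple</credential_type>
    <credential_ID>JanJansen</credential_ID>
    <credential_secret>f034d</credential_secret>
  </credential></Authorization>
  <BodData>
    <Source>192.168.1.5</Source>
    <Destination>192.168.1.6</Destination>
    <Bandwidth>1000</Bandwidth>
    <StartTime>now</StartTime>
    <Duration>20</Duration>
  </BodData>
</AAARequest>"""

class StubResourceManagerASM:
    """Hypothetical stand-in for the ASM the policy calls (ASMRM on the slide)."""
    def __init__(self, links):
        self.links, self.provisioned = set(links), []
    def check_connection(self, src, dst):
        return (src, dst) in self.links
    def request_connection(self, src, dst, bw, start, duration):
        self.provisioned.append((src, dst, bw, start, duration))

def evaluate(request_xml, asm):
    """PDP step: parse the request, apply the slide-11 rule, deny on any error."""
    try:
        if "<!DOCTYPE" in request_xml:       # refuse DTDs, so no entity expansion
            raise ValueError("DTD not allowed")
        root = ET.fromstring(request_xml)
        if root.tag != "AAARequest" or root.get("type") != "BoD":
            raise ValueError("unsupported request")
        bod = {c.tag: (c.text or "").strip() for c in root.find("BodData")}
        src, dst, start = bod["Source"], bod["Destination"], bod["StartTime"]
        bandwidth, duration = int(bod["Bandwidth"]), int(bod["Duration"])
    except (ET.ParseError, ValueError, KeyError, TypeError):
        return {"Error": "Request failed"}   # malformed input never reaches the ASM
    if asm.check_connection(src, dst) and bandwidth < 1000:
        asm.request_connection(src, dst, bandwidth, start, duration)
        return {"Answer": "Request successful"}
    return {"Error": "Request failed"}
```

With the slide's own values the request is denied, because its Bandwidth is 1000 and the rule requires a value below 1000.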
12
J2EE implementation, AAA Toolkit
[Figure labels: EIS; Calient; portBeans; JCA1.5; Calient Resrc Adp; Slot_table Beans; GARA; XML; GARA Resrc Adp; RBE; VOMS; Logical ASM; Policy repository]
  • (EIS = Enterprise Information System)
13
Calient DiamondWave API
[Figure labels: PXC; AAA; TL1; RBE; ASM]
  • layer1 optical cross connect
  • Calient TL1 interface: developed TL1 mngr API
  • persistence data: port, cross_port
  • TL1mngr API: cross(), break(), portState() and connection methods to the Calient
14
Single-domain 802.1Q VLAN setup: Demo iGrid 2002
[Figure labels: AAA; AAA Request Message (XML/SOAP); SNMP Dot 1Q Bridge MIB (x2); 802.1Q VLAN Switch (x2); 1000SX]
15
Single-domain Calient setup: Available
[Figure labels: AAA; AAA Request Message (XML/SOAP); TL-1; Calient PXC; 1000LX (x4)]
16
Multi-domain setup: Awaiting hardware
[Figure labels: AAA (x2); AAA Request Message (XML/SOAP); SNMP Dot 1Q Bridge MIB (x2); TL-1; 802.1Q VLAN Switch (x2); Calient PXC; 1000LX (x4)]
17
Multi-domain Calient setup: SC2003 opt 1
[Figure labels: AAA; PIN; AAA Request Message (XML/SOAP); Request message ?; TL-1; Calient PXC (x2); 15454; 1000LX (x2); US Domain]
18
Multi-domain Calient setup: SC2003 opt 2
[Figure labels: AAA (x2); PIN; AAA Request Message (XML/SOAP); Request message ?; TL-1 (x2); Calient PXC (x2); 15454; 1000LX (x2); US Domain]
19
Multi-domain setup: future option
[Figure labels: AAA (x2); PIN; AAA Request Message (XML/SOAP); 802.1Q VLAN Switch (x2); Calient PXC (x2); 15454; 1000LX (x2); Netherlight; US Domain]
20
Thank you!
Research funded by EU DataTAG project and SURFnet
Leon Gommans, lgommans_at_science.uva.nl