Multi-domain provisioning of Lower Layer Network Transports based on Generic AAA TERENA TF-AACE Workshop 21/11/03 Leon Gommans University of Amsterdam
Low Layer Network Transport (LLNT) Rationale to provide LLNT’s Generic Authentication Authorization Accounting (AAA) overview and usage in LLNT’s Current experiments: DataTAG - SC2003 Future Research projects: GRANDE / Nextgrid. 21 Nov 2003TERENA TF-AACE Leon Gommans Overview
Connection oriented network paradigm using some form of switch technology that transports: Ethernet frames (MPLS VPN, Q VLAN,..) Sonet/SDH frames (ADM) Light (OXC) Goes by specific names such as: L2 VPN lightpath lambda 21 Nov 2003TERENA TF-AACE Leon Gommans Lower Layer Network Transport (LLNT)
Next to general Internet usage, user will start to ask for high bandwidth connections at low cost. High demand is now found in scientific Grid applications (HEP, Radio Astronomy, Bio Science, etc.) Demand is typically between specific locations. Forwarding large volumes of highly directional traffic is expensive when using routers. A patch panel cheap in terms of cost per Gbp/s. NRN’s need flexible and automated ways to provision cheap bandwidth based on application demand by authorizing access to transport infrastructure. 21 Nov 2003TERENA TF-AACE Leon Gommans Rationale to provide LLNT’s as NRN.
21 Nov 2003TERENA TF-AACE Leon Gommans Ergo: Automate operator function
NRN’s have a number of different ways of transporting traffic using connection-oriented and connection-less forwarding paradigms (Routers, L2 switches, Sonet/SDH links, optical links) Low per stream volume - many destinations - always on service: routing on top of LLNT infra. Medium to high volume - fewer destinations - defined contract periods: (G)MPLS with LLNT infra, use of AAA possible. High volume - specific/static destinations - reserved time slots: Application driven provisioning of “cheap” LLNT’s based on authorizations. Need AAA. Use various network technologies which need flexible automatic control/provisioning solutions. NRN perspective 21 Nov 2003TERENA TF-AACE Leon Gommans
Concepts were researched within the IRTF AAA Architecture Research Group which resulted in RFC’s 2903 (Generic AAA Architecture) and RFC 2904 (Authorization Sequence Framework). Advanced Internet Research (AIR) group at UvA helped to form this IRTF research group. Empirical research into Generic AAA concepts is also done within AIR group. Research funded as part of participation in EU IST DataTAG project and by SURFnet External collaboration with EVL at UIC, Starlight/NWU, Alcatel and FZJ Julich. Work is active input into standards bodies such as GGF and OASIS. Generic AAA. 21 Nov 2003TERENA TF-AACE Leon Gommans
RFC 2904 Authorization sequences that allow users to access a service based on a policy decision taken by a AAA component. Service AAA User Service AAA User Service AAA User Pull sequence NAS (remote access) RSVP (network QoS) Agent sequence Agents, Brokers, Proxy’s. Push sequence. Tokens, Tickets, AC’s etc Nov 2003TERENA TF-AACE Leon Gommans
AuthZ sequence combinations: Roaming using agent & pull sequence Service AAA User AAA 3 4 User Home Organization Service Providers 21 Nov 2003TERENA TF-AACE Leon Gommans
Example AuthZ sequence in LLNT’s with Intelligent switches Switch AAA Applic. AAA User Home Organization Switch AAA Switch AAA Netw. I/F Resource Netw. I/F UserDomain ADomain BDomain CResource 21 Nov 2003TERENA TF-AACE Leon Gommans
Example AuthZ sequences in LLNT’s with dumb switches Switch AAA Applic. AAA User Home Domain Switch AAA Switch AAA Netw. I/F Resource Netw. I/F UserNetwork Domain ANetwork Domain BNetwork Domain CResource 21 Nov 2003TERENA TF-AACE Leon Gommans
Example AuthZ sequences in LLNT’s with broker Switch AAA Applic. AAA Switch AAA Switch AAA Netw. I/F Resource Netw. I/F UserNetwork Domain ANetwork Domain BNetwork Domain CResource Broker
Base of Generic AAA Architecture - RAP Policy Decision Point Policy Enforcement Point Fundamental idea’s inspired by work of the IETF RAP WG that in RFC 2753 describes a framework for Policy-based Admission Control. Foundation for COPS The point where policy decisions are made. The point where the policy decisions are actually enforced. Request Decision Policy Repository Basic Goal Generic AAA: Allow policy decisions to be made by multiple PDP’s belonging to different administrative domains.
9 Oct 2003Update meeting EVL Leon Gommans Generic AAA Architecture - RFC2903 Application Specific Module Policy Enforcement Point Archieve goal by by separating the logical decision process from the application specific parts within the PDP. Request Decision Rule Based Engine Policy Repository PDP Generic AAA Engine A Driving Policy Orchestrates the Usage of ASM’s
Generic AAA Architecture Application Specific Module Policy Enforcement Point AAA Request Decision Rule Based Engine Policy Repository PDP Application Specific Module Rule Based Engine Policy Repository PDP User Rights Service Service Request 21 Nov 2003TERENA TF-AACE Leon Gommans
simple JanJansen #f034d now 20 Example XML request message 21 Nov 2003TERENA TF-AACE Leon Gommans WHY WHAT
if ( ASM::RM.CheckConnection( Request::BodData.Source, Request::BodData.Destination ) && ( Request::BodData.Bandwidth <= 1000 ) ) then ( ASM::RM.RequestConnection( Request::BodData.Source, Request::BodData.Destination, Request::BodData.Bandwidth, Request::BodData.StartTime, Request::BodData.Duration ) ; Reply::Answer.Message = "Request successful" ) else ( Reply::Error.Message = "Request failed" Example part of a Driving Policy 21 Nov 2003TERENA TF-AACE Leon Gommans
802.1Q VLAN Switch PC RBE 802.1Q VLAN Switch Single - domain 802.1Q VLAN setup Demo iGrid 2002 SNMP Dot 1Q Bridge MIB SNMP Dot 1Q Bridge MIB AAA Request Message (XML/SOAP) ASM Policy Database 21 Nov 2003TERENA TF-AACE Leon Gommans
PC RBE Single - Domain Calient OXC setup Calient DaimondWave Photonic Switch TL-1 AAA Request Message (XML/SOAP) ASM Policy Database 21 Nov 2003TERENA TF-AACE Leon Gommans
802.1Q VLAN Switch PC RBE 802.1Q VLAN Switch Multi - domain setup Calient DaimondWave Photonic Switch AAA Request Message (XML/SOAP) TL-1 SNMP Dot 1Q Bridge MIB SNMP Dot 1Q Bridge MIB ASM Policy Database 21 Nov 2003TERENA TF-AACE Leon Gommans ASM Policy Database
802.1Q VLAN Switch PC RBE 802.1Q VLAN Switch Multi - domain setup using Alcatel 1355 BonD AAA Request Message (XML/SOAP) SNMP Dot 1Q Bridge MIB SNMP Dot 1Q Bridge MIB ASM Alcatel 1670 ADM 1355 BOND EM Alcatel 1670 ADM 21 Nov 2003TERENA TF-AACE Leon Gommans ASM Policy Database ASM
PC RBE Collaborative Multi-domain experiment at SC2003 Calient PXC PIN PC Calient PXC PIN PC PDC Policy Database ASM AuthZ Resource Mgr 21 Nov 2003TERENA TF-AACE Leon Gommans PHOTONIC INTERDOMAIN NEGOTIATOR PHOTONIC DOMAIN CONTROLLER PIN AND PDC ARE DEVELOPMENTS FROM EVL PHOTONIC POLICY BASED ACCESS CONTROLLER PIN DOES ROUTE DETERMINATION BASED ON SOURCE ROUTING
PC RBE AAA based Multi-domain experiment at SC2003 Calient PC Calient PC Policy Database ASM OGSI WS I/F ASM OGSI Client I/F Policy Database ASM AuthZ Resource Mgr RBE 21 Nov 2003TERENA TF-AACE Leon Gommans Policy Database ASM RBE
RBE and ASM run within a J2EE EJB container Send RBE XML based request messages. Send RBE requests or control devices via Java Connector Architecture (JCA) as part of an ASM via CLI, TL-1, SNMP, Radius, SOAP/XML etc. J2EE environment gives Web Services features. Integrated Grid OGSA based interface into RBE Toolkit will give user RBE, ASM skeletons and a policy language editor / compiler. Uses MySQL to store compiled policies using a very simple nested if - then - else grammar. Supports all 3 authorization sequence types. Library of ASM’s that includes support for GARA, VOMS, Enterasys, Calient, Alcatel NMS. Generic AAA server toolkit of UvA Main features 21 Nov 2003TERENA TF-AACE Leon Gommans
Research ways to integrate networks into the Grid by using the principles of Generic AAA to authorize on demand usage. Research ways to use the principles of Generic AAA in future generation grids. Identify requirements and develop Generic AAA toolkit functions that can be used in both intra- and inter-domain service management scenario’s. Propose standards and standard ways of operation. Future Research. 21 Nov 2003TERENA TF-AACE Leon Gommans
“Cheap” network components can be used to create on demand high-bandwidth network transports between selected locations. By turning networks transports into objects using ASM’s they become software controllable entities that can be orchestrated using driving policies that run within an RBE. The AAA toolkit can be used to create flexible provisioning scenario’s with many types and abstractions of network equipment. Conclusions
Thank you ! Research funded by EU IST DataTAG project and SURFnet Leon Gommans