Multi-Domain Lightpath Authorization Architecture using Tokens By: Leon Gommans, Paola Grosso, Fred Wan, Cees de Laat, Marten Hoekstra, Yuri Demchenko,

Presentation transcript:

Multi-Domain Lightpath Authorization Architecture using Tokens. By: Leon Gommans, Paola Grosso, Fred Wan, Cees de Laat, Marten Hoekstra, Yuri Demchenko, Li Xu, Ralph Koning, University of Amsterdam

Tokens are a proven concept:
1. To enable fast passage at a checkpoint
2. To allow checking at any place in the service network
3. To separate authorized use from unauthorized use
4. To authorize in advance
5. To separate authorization complexity from usage
6. That can be linked to advance reservations
7. To support both pay-before (pre-pay) or pay-later (billing)

Main rationale: the time-consuming service authorization process can be separated from fast service access.

[Diagram: a User Home Org (Work Group, Finance, HRM) and two Service Providers, A and B, each offering a Network Service; tokens (T) are passed between them.]

Testbed shows data and control plane and the involved domains.

Application sends reservation request to IDC.

[Diagram, shown on this and the following slides: a Reservation Application; Domain A, Domain B and Domain C, each running a DRAGON Inter Domain Controller (IDC); Policy Enforcement Points (PEP) and Token Validation Services (TVS) in the downstream domains.]

A Global Resource Identifier (GRI) is created as reference.

GRI is passed as part of the IDC protocol to the last domain.

GRI is handed to the Token Validation Service.

The GRI is "stamped" using an HMAC algorithm into a token. Token = GRI + a few bytes of the secure hash result (HMAC-SHA1 based algorithm). [Diagram: the Token Key and the GRI go into the HMAC; the token (T) comes out.]

Token is sent to PEP and IDC and stored along with the GRI.

Token is returned to the upstream domain and kept for future enforcement.

Token is handed to the reservation application via the IDC reply.

Token is copied onto a USB memory stick.

Take the USB memory stick with the token to the HD display station.

HD display station requests to open a connection to the IDC, including the token in the request message.

The IDC may decide not to check the validity of the token and provisions the path in its domain.

The token is passed to the next IDC. The TVS checks the validity of the token - or alternatively..

.. the token is passed to the GMPLS signaling layer via a gateway such that the token becomes part of RSVP-TE. [Diagram additionally shows an RSVP Gateway.]

The last domain checks the token and provisions its circuit.
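As an added example (not the demo's own code), the stamping slide and the reservation/enforcement sequence above modelled in Python: the last domain's TVS stamps the GRI with a truncated HMAC-SHA1, upstream PEPs keep the returned token, and at usage time each domain is transparent, compares with its kept copy, or has its TVS recompute the tag. The tag length, the key, the GRI values and the token's textual layout (GRI, colon, hex tag) are assumptions made for this example.

```python
import hashlib
import hmac

# Truncated tag length: the slides say "a few bytes" of the HMAC-SHA1 result;
# 8 bytes is a constructed choice for this example, not a value from the demo.
TAG_LEN = 8


class TokenValidationService:
    def __init__(self, key: bytes):
        self._key = key  # the Token Key used for stamping and checking
        self.issued = {}  # GRI -> token, stored along with the reservation

    def stamp(self, gri: str) -> bytes:
        """Token = GRI + truncated HMAC-SHA1 over the GRI under the token key."""
        tag = hmac.new(self._key, gri.encode(), hashlib.sha1).digest()[:TAG_LEN]
        self.issued[gri] = gri.encode() + b":" + tag.hex().encode()
        return self.issued[gri]

    def check(self, token: bytes) -> bool:
        """Recompute the tag for the presented GRI; compare in constant time."""
        gri, _, tag_hex = token.rpartition(b":")
        try:
            presented = bytes.fromhex(tag_hex.decode())
        except ValueError:
            return False  # malformed or missing tag
        expected = hmac.new(self._key, gri, hashlib.sha1).digest()[:TAG_LEN]
        return hmac.compare_digest(presented, expected) and gri.decode(errors="replace") in self.issued


def reserve(chain, gri: str) -> bytes:
    """Last domain's TVS stamps the GRI; the token returns upstream and each PEP keeps a copy."""
    token = chain[-1]["tvs"].stamp(gri)
    for domain in chain[:-1]:
        domain["kept"].add(token)
    return token


def enforce(chain, token: bytes):
    """Each domain waives (transparent), compares with its kept copy, or recomputes the HMAC."""
    decisions = []
    for domain in chain:
        if not domain["enforce"]:
            ok = True  # "The IDC may decide not to check the validity of the token"
        elif domain["tvs"] is not None:
            ok = domain["tvs"].check(token)
        else:
            ok = any(hmac.compare_digest(token, t) for t in domain["kept"])
        decisions.append((domain["name"], ok))
        if not ok:
            break  # provisioning stops at the first domain that refuses the token
    return decisions
```

Truncating the HMAC keeps the token short, but every byte dropped also shrinks the margin against a guessed tag, so the tag length is a deliberate trade-off rather than a detail.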

The demo shows:
1. Tokens are a simple, fast and flexible way to authorize lightpaths
2. Tokens can be recognized by multiple domains
3. Tokens are authentic symbols where an identifier points to a meaning
4. Tokens symbolize a commit of advance reservations by each domain
5. Tokens can be used at different layers in the network
6. Domains may or may not choose to enforce tokens (be transparent)
7. The Token Validation Service supports different Control Plane types

Talk to us to understand our research:
- Yuri Demchenko: Token Validation Service - Phosphorus Project
- Fred Wan: Signaling model interfaces - Tree vs. Chain - NextGrid Project
- Marten Hoekstra: Signaling and IDC deployment - GigaPort Project
- Li Xu: Token Enforcement at GMPLS layer - StarPlane project
- Ralph Koning: HD video content - CineGrid Project
- Leon Gommans: Authorization Architecture - GigaPort Project
- Cees de Laat: Scientific group leader

Acknowledgements: Internet2, ESnet, SURFnet, NL GigaPort RoN project, EU Phosphorus Project, EU NextGrid Project, Electronic Visualisation Lab, CineGrid project, GLIF.

Thank you for watching