Presentation is loading. Please wait.

Presentation is loading. Please wait.

Multi-domain provisioning of Lower Layer Network Transports based on Generic AAA TERENA TF-AACE Workshop 21/11/03 Leon Gommans University of Amsterdam.

Published byMillicent Lyons Modified over 8 years ago

Similar presentations

Presentation on theme: "Multi-domain provisioning of Lower Layer Network Transports based on Generic AAA TERENA TF-AACE Workshop 21/11/03 Leon Gommans University of Amsterdam."— Presentation transcript:

1 Multi-domain provisioning of Lower Layer Network Transports based on Generic AAA TERENA TF-AACE Workshop 21/11/03 Leon Gommans University of Amsterdam

2  Low Layer Network Transport (LLNT)  Rationale to provide LLNT’s  Generic Authentication Authorization Accounting (AAA) overview and usage in LLNT’s  Current experiments: DataTAG - SC2003  Future Research projects: GRANDE / Nextgrid. 21 Nov 2003TERENA TF-AACE Leon Gommans Overview

3 Connection oriented network paradigm using some form of switch technology that transports:  Ethernet frames (MPLS VPN, 802.1 Q VLAN,..)  Sonet/SDH frames (ADM)  Light (OXC) Goes by specific names such as: L2 VPN lightpath lambda 21 Nov 2003TERENA TF-AACE Leon Gommans Lower Layer Network Transport (LLNT)

4  Next to general Internet usage, user will start to ask for high bandwidth connections at low cost.  High demand is now found in scientific Grid applications (HEP, Radio Astronomy, Bio Science, etc.)  Demand is typically between specific locations.  Forwarding large volumes of highly directional traffic is expensive when using routers.  A patch panel cheap in terms of cost per Gbp/s.  NRN’s need flexible and automated ways to provision cheap bandwidth based on application demand by authorizing access to transport infrastructure. 21 Nov 2003TERENA TF-AACE Leon Gommans Rationale to provide LLNT’s as NRN.

5 21 Nov 2003TERENA TF-AACE Leon Gommans Ergo: Automate operator function

6  NRN’s have a number of different ways of transporting traffic using connection-oriented and connection-less forwarding paradigms (Routers, L2 switches, Sonet/SDH links, optical links)  Low per stream volume - many destinations - always on service: routing on top of LLNT infra.  Medium to high volume - fewer destinations - defined contract periods: (G)MPLS with LLNT infra, use of AAA possible.  High volume - specific/static destinations - reserved time slots: Application driven provisioning of “cheap” LLNT’s based on authorizations. Need AAA.  Use various network technologies which need flexible automatic control/provisioning solutions. NRN perspective 21 Nov 2003TERENA TF-AACE Leon Gommans

7  Concepts were researched within the IRTF AAA Architecture Research Group which resulted in RFC’s 2903 (Generic AAA Architecture) and RFC 2904 (Authorization Sequence Framework).  Advanced Internet Research (AIR) group at UvA helped to form this IRTF research group.  Empirical research into Generic AAA concepts is also done within AIR group.  Research funded as part of participation in EU IST DataTAG project and by SURFnet  External collaboration with EVL at UIC, Starlight/NWU, Alcatel and FZJ Julich.  Work is active input into standards bodies such as GGF and OASIS. Generic AAA. 21 Nov 2003TERENA TF-AACE Leon Gommans

8 RFC 2904 Authorization sequences that allow users to access a service based on a policy decision taken by a AAA component. Service AAA User Service AAA User Service AAA User Pull sequence NAS (remote access) RSVP (network QoS) Agent sequence Agents, Brokers, Proxy’s. Push sequence. Tokens, Tickets, AC’s etc. 1 1 1 22 2 3 33 4 4 4 21 Nov 2003TERENA TF-AACE Leon Gommans

9 AuthZ sequence combinations: Roaming using agent & pull sequence Service AAA User 1 2 5 6 AAA 3 4 User Home Organization Service Providers 21 Nov 2003TERENA TF-AACE Leon Gommans

10 Example AuthZ sequence in LLNT’s with Intelligent switches Switch AAA Applic. AAA User Home Organization Switch AAA Switch AAA Netw. I/F Resource Netw. I/F UserDomain ADomain BDomain CResource 21 Nov 2003TERENA TF-AACE Leon Gommans

11 Example AuthZ sequences in LLNT’s with dumb switches Switch AAA Applic. AAA User Home Domain Switch AAA Switch AAA Netw. I/F Resource Netw. I/F UserNetwork Domain ANetwork Domain BNetwork Domain CResource 21 Nov 2003TERENA TF-AACE Leon Gommans

12 Example AuthZ sequences in LLNT’s with broker Switch AAA Applic. AAA Switch AAA Switch AAA Netw. I/F Resource Netw. I/F UserNetwork Domain ANetwork Domain BNetwork Domain CResource Broker

13 Base of Generic AAA Architecture - RAP Policy Decision Point Policy Enforcement Point Fundamental idea’s inspired by work of the IETF RAP WG that in RFC 2753 describes a framework for Policy-based Admission Control. Foundation for COPS The point where policy decisions are made. The point where the policy decisions are actually enforced. Request Decision Policy Repository Basic Goal Generic AAA: Allow policy decisions to be made by multiple PDP’s belonging to different administrative domains.

14 9 Oct 2003Update meeting EVL Leon Gommans Generic AAA Architecture - RFC2903 Application Specific Module Policy Enforcement Point Archieve goal by by separating the logical decision process from the application specific parts within the PDP. Request Decision Rule Based Engine Policy Repository PDP Generic AAA Engine A Driving Policy Orchestrates the Usage of ASM’s

15 Generic AAA Architecture Application Specific Module Policy Enforcement Point AAA Request Decision Rule Based Engine Policy Repository PDP Application Specific Module Rule Based Engine Policy Repository PDP User Rights Service Service Request 21 Nov 2003TERENA TF-AACE Leon Gommans

16  simple JanJansen #f034d 192.168.1.5 192.168.1.6 1000 now 20 Example XML request message 21 Nov 2003TERENA TF-AACE Leon Gommans WHY WHAT

17 if ( ASM::RM.CheckConnection( Request::BodData.Source, Request::BodData.Destination ) && ( Request::BodData.Bandwidth <= 1000 ) ) then ( ASM::RM.RequestConnection( Request::BodData.Source, Request::BodData.Destination, Request::BodData.Bandwidth, Request::BodData.StartTime, Request::BodData.Duration ) ; Reply::Answer.Message = "Request successful" ) else ( Reply::Error.Message = "Request failed" Example part of a Driving Policy 21 Nov 2003TERENA TF-AACE Leon Gommans

18 802.1Q VLAN Switch PC RBE 802.1Q VLAN Switch Single - domain 802.1Q VLAN setup Demo iGrid 2002 SNMP Dot 1Q Bridge MIB SNMP Dot 1Q Bridge MIB AAA Request Message (XML/SOAP) ASM Policy Database 21 Nov 2003TERENA TF-AACE Leon Gommans

19 PC RBE Single - Domain Calient OXC setup Calient DaimondWave Photonic Switch TL-1 AAA Request Message (XML/SOAP) ASM Policy Database 21 Nov 2003TERENA TF-AACE Leon Gommans

20 802.1Q VLAN Switch PC RBE 802.1Q VLAN Switch Multi - domain setup Calient DaimondWave Photonic Switch AAA Request Message (XML/SOAP) TL-1 SNMP Dot 1Q Bridge MIB SNMP Dot 1Q Bridge MIB ASM Policy Database 21 Nov 2003TERENA TF-AACE Leon Gommans ASM Policy Database

21 802.1Q VLAN Switch PC RBE 802.1Q VLAN Switch Multi - domain setup using Alcatel 1355 BonD AAA Request Message (XML/SOAP) SNMP Dot 1Q Bridge MIB SNMP Dot 1Q Bridge MIB ASM Alcatel 1670 ADM 1355 BOND + 1354 1353 EM Alcatel 1670 ADM 21 Nov 2003TERENA TF-AACE Leon Gommans ASM Policy Database ASM

22 PC RBE Collaborative Multi-domain experiment at SC2003 Calient PXC PIN PC Calient PXC PIN PC PDC Policy Database ASM AuthZ Resource Mgr 21 Nov 2003TERENA TF-AACE Leon Gommans PHOTONIC INTERDOMAIN NEGOTIATOR PHOTONIC DOMAIN CONTROLLER PIN AND PDC ARE DEVELOPMENTS FROM EVL PHOTONIC POLICY BASED ACCESS CONTROLLER PIN DOES ROUTE DETERMINATION BASED ON SOURCE ROUTING

23 PC RBE AAA based Multi-domain experiment at SC2003 Calient PC Calient PC Policy Database ASM OGSI WS I/F ASM OGSI Client I/F Policy Database ASM AuthZ Resource Mgr RBE 21 Nov 2003TERENA TF-AACE Leon Gommans Policy Database ASM RBE

24  RBE and ASM run within a J2EE EJB container  Send RBE XML based request messages.  Send RBE requests or control devices via Java Connector Architecture (JCA) as part of an ASM via CLI, TL-1, SNMP, Radius, SOAP/XML etc.  J2EE environment gives Web Services features.  Integrated Grid OGSA based interface into RBE  Toolkit will give user RBE, ASM skeletons and a policy language editor / compiler.  Uses MySQL to store compiled policies using a very simple nested if - then - else grammar.  Supports all 3 authorization sequence types.  Library of ASM’s that includes support for GARA, VOMS, Enterasys, Calient, Alcatel NMS. Generic AAA server toolkit of UvA Main features 21 Nov 2003TERENA TF-AACE Leon Gommans

25  Research ways to integrate networks into the Grid by using the principles of Generic AAA to authorize on demand usage.  Research ways to use the principles of Generic AAA in future generation grids.  Identify requirements and develop Generic AAA toolkit functions that can be used in both intra- and inter-domain service management scenario’s.  Propose standards and standard ways of operation. Future Research. 21 Nov 2003TERENA TF-AACE Leon Gommans

26  “Cheap” network components can be used to create on demand high-bandwidth network transports between selected locations.  By turning networks transports into objects using ASM’s they become software controllable entities that can be orchestrated using driving policies that run within an RBE.  The AAA toolkit can be used to create flexible provisioning scenario’s with many types and abstractions of network equipment. Conclusions

27 Thank you ! Research funded by EU IST DataTAG project and SURFnet Leon Gommans lgommans@science.uva.nl

Download ppt "Multi-domain provisioning of Lower Layer Network Transports based on Generic AAA TERENA TF-AACE Workshop 21/11/03 Leon Gommans University of Amsterdam."

Similar presentations

Authentication Authorization Accounting and Auditing

Authentication Authorization Accounting and Auditing
Electronic Visualization Laboratory University of Illinois at Chicago EVL Optical Networking Research Oliver Yu Electronic Visualization Laboratory University.

Electronic Visualization Laboratory University of Illinois at Chicago EVL Optical Networking Research Oliver Yu Electronic Visualization Laboratory University.
Generic AAA* based Bandwidth on Demand EVL at UIC meeting Leon Gommans

Generic AAA* based Bandwidth on Demand EVL at UIC meeting Leon Gommans
All rights reserved © 2005, Alcatel Grid services over IP Multimedia Subsystem  Antoine Pichot, Olivier Audouin, Alcatel  GridNets ’06.

All rights reserved © 2005, Alcatel Grid services over IP Multimedia Subsystem  Antoine Pichot, Olivier Audouin, Alcatel  GridNets ’06.
Application-Based Network Operations (ABNO) IETF 88 – SDN RG

Application-Based Network Operations (ABNO) IETF 88 – SDN RG
Electronic Visualization Laboratory University of Illinois at Chicago Photonic Interdomain Negotiator (PIN): Interoperate Heterogeneous Control & Management.

Electronic Visualization Laboratory University of Illinois at Chicago Photonic Interdomain Negotiator (PIN): Interoperate Heterogeneous Control & Management.
Research on Networks Report on session on Grids & access Klaas Wierenga SURFnet Middleware Services Utrecht, 29 April 2004.

Research on Networks Report on session on Grids & access Klaas Wierenga SURFnet Middleware Services Utrecht, 29 April 2004.
8/10/2001GGF - 3 / Leon Gommans - UvA1 Observations on the CAS architecture made from the Generic AAA perspective. 3rd Global Gridforum Oct. 7-10th 2001.

8/10/2001GGF - 3 / Leon Gommans - UvA1 Observations on the CAS architecture made from the Generic AAA perspective. 3rd Global Gridforum Oct. 7-10th 2001.
Multi-Domain Lightpath Authorization Architecture using Tokens By: Leon Gommans, Paola Grosso, Fred Wan, Cees de Laat, Marten Hoekstra, Yuri Demchenko,

Multi-Domain Lightpath Authorization Architecture using Tokens By: Leon Gommans, Paola Grosso, Fred Wan, Cees de Laat, Marten Hoekstra, Yuri Demchenko,
Token Based Authorization of GMPLS Networks By: Leon Gommans, Paola Grosso, Fred Wan, Cees de Laat, Marten Hoekstra, Li Xu University of Amsterdam By:

Token Based Authorization of GMPLS Networks By: Leon Gommans, Paola Grosso, Fred Wan, Cees de Laat, Marten Hoekstra, Li Xu University of Amsterdam By:
Authorization of a QoS path based on Generic AAA SC2002 Baltimore NOV 16-22 Bas van Oudenaarde Advanced Internet Research Group University of Amsterdam.

Authorization of a QoS path based on Generic AAA SC2002 Baltimore NOV Bas van Oudenaarde Advanced Internet Research Group University of Amsterdam.
Tiziana FerrariWP2.3 Advance Reservation Demonstration: Description and set-up 1 WP2.3 Advance Reservation Demonstration: Description and set-up DRAFT,

Tiziana FerrariWP2.3 Advance Reservation Demonstration: Description and set-up 1 WP2.3 Advance Reservation Demonstration: Description and set-up DRAFT,
Generic AAA model in Grids IRTF - AAAARCH meeting IETF 52 – Dec 14 th Salt Lake City Leon Gommans Advanced Internet Research Group.

Generic AAA model in Grids IRTF - AAAARCH meeting IETF 52 – Dec 14 th Salt Lake City Leon Gommans Advanced Internet Research Group.
Tiziana FerrariWP2.3 Advance Reservation Demonstration: Description and set-up 1 WP2.3 Advance Reservation Demonstration: Description and set-up DRAFT,

Tiziana FerrariWP2.3 Advance Reservation Demonstration: Description and set-up 1 WP2.3 Advance Reservation Demonstration: Description and set-up DRAFT,
Optical networking research in Amsterdam Paola Grosso UvA - AIR group.

Optical networking research in Amsterdam Paola Grosso UvA - AIR group.
Generic AAA based provisioning Of Network Elements Status update EVL 9/10/03 Leon Gommans University of Amsterdam.

Generic AAA based provisioning Of Network Elements Status update EVL 9/10/03 Leon Gommans University of Amsterdam.
This work is supported by the National Science Foundation under Grant Number DUE-0302909. Any opinions, findings and conclusions or recommendations expressed.

This work is supported by the National Science Foundation under Grant Number DUE Any opinions, findings and conclusions or recommendations expressed.
Policy-based Accounting Draft Sebastian Zander, Tanja Zseby GMD FOKUS - German National Research Institute for Information Technology Competence Center.

Policy-based Accounting Draft Sebastian Zander, Tanja Zseby GMD FOKUS - German National Research Institute for Information Technology Competence Center.
AAA-ARCH IRTF-RG Authentication Authorisation and Accounting ARCHitecture Research Group chairs: C. de Laat J. Vollbrecht Content of this talk has contributions.

AAA-ARCH IRTF-RG Authentication Authorisation and Accounting ARCHitecture Research Group chairs: C. de Laat J. Vollbrecht Content of this talk has contributions.
May. 14 2006 - TERENA workshopStarPlane StarPlane: Application Specific Management of Photonic Networks Paola Grosso SNE group - UvA.

May TERENA workshopStarPlane StarPlane: Application Specific Management of Photonic Networks Paola Grosso SNE group - UvA.

Similar presentations

Ads by Google