Presentation is loading. Please wait.

Presentation is loading. Please wait.

© 2006 Open Grid Forum Network Services Interface Policy-based routing enforcement John MacAuley, ESnet 4 th February 2015.

Published byVincent Bryant Modified over 8 years ago

Similar presentations

Presentation on theme: "© 2006 Open Grid Forum Network Services Interface Policy-based routing enforcement John MacAuley, ESnet 4 th February 2015."— Presentation transcript:

1 © 2006 Open Grid Forum Network Services Interface Policy-based routing enforcement John MacAuley, ESnet 4 th February 2015

2 © 2006 Open Grid Forum About Over the last year concerns have been voiced over the inability of a uPA to enforce routing policies on NSI Connection Service requests in a similar fashion as is done today in the network with IP traffic. This slide package proposes a mechanism that utilizes the inherent control plane trust between NSA along with a formalized definition of connection (path) trace to achieve the goal of uPA enforcement of routing policy. 2

3 © 2006 Open Grid Forum Assumptions A solution using the existing NSI protocol and behaviors is most desirable (if possible) to reduce protocol churn and allow for solution inclusion in existing protocol framework. In TREE mode full inter-network path resolution can be performed at the root aggregator. In CHAIN mode both source or hop-by-hop routing can be performed. Although not required for the solution to work, network routing policy information should be made available to path finders for more effective route resolution. The control plane is trusted and we accept that NSA will behave correctly in the context of the NSI protocol. The act of holding resources associated with a reservation can be done without approval, but the committing of a reservation should not occur without all uPA path segments confirmed (as per NSI standard). 3

4 © 2006 Open Grid Forum TREE Solution: Source Routing (1) uRA creates the initial reserve message and sends it an aggregator NSA that will act as the root for this reservation. Root aggregator resolves full path for the reservation using available policy information. Reserve request messages are created for individual path segments with the fully resolved path stored in the NSI header along with the root aggregator’s NSA identifier (informational in this proposal). Root aggregator then routes these individual reservation messages to their next hop NSA on the control plane. Any aggregator NSA receiving a reservation segment sees that the full path is already present in the header, will perform no further path finding (unless it is a special NSA hiding networks behind it), and will pass equivalent reserve message to the next hop NSA down the TREE. 4

5 © 2006 Open Grid Forum TREE Solution: Source Routing (2) uPA receives reserve request and uses full path information from header to determine if request meets policy requirements. If the proposed path violates any policy a reserveFailed message is retuned with appropriate serviceException information. If the proposed path passes all policies, and the reservation criteria can be met, resources are held and a reserveConfirmed message is returned. The reserveConfirmed and/or reserveFailed message proceed up the tree to the root aggregator as per the existing protocol specification. If a policy was violated the root aggregator will inform the uRA of the reservation failure due to policy error, and the uRA can abort the reservation as per the standard. OR The root aggregator can take corrective action itself, aborting the existing path segments, and using the learned policy information to compute an alternative path. 5

6 © 2006 Open Grid Forum TREE Solution: Source Routing (3) 6 AG uPA AG uPA Reserve(full path) Validate policies Secure resources ReserveConfirmed as path approval

7 © 2006 Open Grid Forum CHAIN Solution hop-by-hop (1) The CHAIN solution functions similar to the TREE solution except source routing is not required if hop-by-hop is desired. As the reserve request propagates from source network to destination network Hop-by-hop routing (distance vectors, etc) is used to determine the outgoing SDP in each network. Resources associated with the reservation are held in the local network by the uPA (if available). The proposed local path segment is added to the NSI header and the reserve is propagated to the next peer NSA in the chain. Early fail can occur if the computed path up to this point violates any policies with a reserveFailed message returned to the adjacent peer. 7

8 © 2006 Open Grid Forum CHAIN Solution hop-by-hop (2) When the destination network is reached The uPA resolves the local path segment and hold associated resources (if available). Adds the local path segment to the existing path in header to complete the full path. Evaluates local policies against the full computed path, and if valid from its perspective, adds the full path to NSI header and returns a reserverConfirmed to the next peer in the return path. If the proposed path violates any policy a reserveFailed message is retuned with appropriate serviceException information. 8

9 © 2006 Open Grid Forum CHAIN Solution hop-by-hop (3) As the reserveConfirmed messages propagate back from destination to source each NSA performs policy evaluation against the full path within the NSI header before issuing a reserveConfirmed to the next peer. At any point if an NSA fails policy evaluation a reserveFailed is generated thereby failing the reservation as per standard protocol behaviors. Once the source NSA approves the full computed path the reserveConfirmed can be returned to the originating uRA. 9 Network A Network B Network D A1 A2B1 B2C1 C2 Network C D1 D2 Reserve Build path ReserveConfirmed Approve path

10 © 2006 Open Grid Forum Alternative TREE mechanism (1) We can relax the TREE requirement for source routing if we can live with the final path approval occurring during the reserveCommit phase. We use the reserveConfirmed to collect all the reserved path segments from the uPA uPA determine if resources are available and if their local path segment is valid, holding the resources if it is. uPA populate their path segment in the reserveConfirm response header, with aggregators aggregating these path segments into more complete lists as the response moves up the tree. The root aggregator will end up with a complete end-to-end path which it stores against the reservation. 10

11 © 2006 Open Grid Forum Alternative TREE mechanism (2) When the uRA issues the reserveCommit, the root aggregator will add the complete path into the NSI header which then gets propagated to each uPA. uPA then apply policy to the path If path violates any policy a reserveCommitFailed is issued with an appropriately populated serviceException. If the path does not violate any policy then the reservation is committed and a reserveCommitConfirmed is issued. If the path is approved we will end up with a committed reservation, otherwise we will have failed segments that will result in a terminate of the schedule by either the uRA or root aggregator. 11

12 © 2006 Open Grid Forum Alternative TREE mechanism (3) 12 AG uPA AG uPA Reserve build path Validate policies Commit reservation ReserveConfirmed secure resources and complete path ReserveCommit get approvals ReserveCommitConfirmed as path approvals

13 © 2006 Open Grid Forum Conclusions If the previous assumptions are indeed valid, all of the policy use cases can be enforced with this solution, while requiring no modifications to the existing NSI CS protocol. The tricky Exchange use case is also solved as both adjacent networks have to approve the path before the reserveCommit can be sent down from the uRA as per NSI CS protocol specification. In this solution we trust all NSA involved in the reservation request are trusted and well behaving within rules of the NSI CS protocol specification. 13

14 © 2006 Open Grid Forum THE END 14

Download ppt "© 2006 Open Grid Forum Network Services Interface Policy-based routing enforcement John MacAuley, ESnet 4 th February 2015."

Similar presentations

© 2006 Open Grid Forum Network Service Interface in a Nut Shell GEC 19, Atlanta, GA Presenter: Chin Guok (ESnet) Contributors: Tomohiro Kudoh (AIST), John.

© 2006 Open Grid Forum Network Service Interface in a Nut Shell GEC 19, Atlanta, GA Presenter: Chin Guok (ESnet) Contributors: Tomohiro Kudoh (AIST), John.
Resilience Issues in Information Centric Networks Ning Wang University of Surrey.

Resilience Issues in Information Centric Networks Ning Wang University of Surrey.
Chapter 4 Distributed Bellman-Ford Routing

Chapter 4 Distributed Bellman-Ford Routing
OSI Model OSI LAYER / MODEL.

OSI Model OSI LAYER / MODEL.
© 2006 Cisco Systems, Inc. All rights reserved. MPLS v2.2—2-1 Label Assignment and Distribution Introducing Typical Label Distribution in Frame-Mode MPLS.

© 2006 Cisco Systems, Inc. All rights reserved. MPLS v2.2—2-1 Label Assignment and Distribution Introducing Typical Label Distribution in Frame-Mode MPLS.
Mobile and Wireless Computing Institute for Computer Science, University of Freiburg Western Australian Interactive Virtual Environments Centre (IVEC)

Mobile and Wireless Computing Institute for Computer Science, University of Freiburg Western Australian Interactive Virtual Environments Centre (IVEC)
Internetworking Different networks –Different bit rates –Frame lengths –Protocols.

Internetworking Different networks –Different bit rates –Frame lengths –Protocols.
Mesh Networks A.k.a “ad-hoc”. Definition A local area network that employs either a full mesh topology or partial mesh topology Full mesh topology- each.

Mesh Networks A.k.a “ad-hoc”. Definition A local area network that employs either a full mesh topology or partial mesh topology Full mesh topology- each.
© 2003 By Default! A Free sample background from www.powerpointbackgrounds.com Slide 1 SAVE: Source Address Validity Enforcement Protocol Authors: Li,

© 2003 By Default! A Free sample background from Slide 1 SAVE: Source Address Validity Enforcement Protocol Authors: Li,
Slide Set 15: IP Multicast. In this set What is multicasting ? Issues related to IP Multicast Section 4.4.

Slide Set 15: IP Multicast. In this set What is multicasting ? Issues related to IP Multicast Section 4.4.
Slide -1- February, 2006 Interdomain Routing Gordon Wilfong Distinguished Member of Technical Staff Algorithms Research Department Mathematical and Algorithmic.

Slide -1- February, 2006 Interdomain Routing Gordon Wilfong Distinguished Member of Technical Staff Algorithms Research Department Mathematical and Algorithmic.
CS335 Networking & Network Administration Tuesday, May 11, 2010.

CS335 Networking & Network Administration Tuesday, May 11, 2010.
IPv6 Mobility David Bush. Correspondent Node Operation DEF: Correspondent node is any node that is trying to communicate with a mobile node. This node.

IPv6 Mobility David Bush. Correspondent Node Operation DEF: Correspondent node is any node that is trying to communicate with a mobile node. This node.
1 Web Proxies Dr. Rocky K. C. Chang 6 November 2005.

1 Web Proxies Dr. Rocky K. C. Chang 6 November 2005.
CS541 Advanced Networking 1 Mobile Ad Hoc Networks (MANETs) Neil Tang 02/02/2009.

CS541 Advanced Networking 1 Mobile Ad Hoc Networks (MANETs) Neil Tang 02/02/2009.
Routing Going from one network to the next. Where is routing handled? IP serves the functions of –routing –universal naming Identification is easiest.

Routing Going from one network to the next. Where is routing handled? IP serves the functions of –routing –universal naming Identification is easiest.
Mobile and Wireless Computing Institute for Computer Science, University of Freiburg Western Australian Interactive Virtual Environments Centre (IVEC)

Mobile and Wireless Computing Institute for Computer Science, University of Freiburg Western Australian Interactive Virtual Environments Centre (IVEC)
© 2009 Cisco Systems, Inc. All rights reserved. ROUTE v1.0—6-1 Connecting an Enterprise Network to an ISP Network Considering the Advantages of Using BGP.

© 2009 Cisco Systems, Inc. All rights reserved. ROUTE v1.0—6-1 Connecting an Enterprise Network to an ISP Network Considering the Advantages of Using BGP.
Chapter 2 TCP/ IP PROTOCOL STACK. TCP/IP Protocol Suite Describes a set of general design guidelines and implementations of specific networking protocols.

Chapter 2 TCP/ IP PROTOCOL STACK. TCP/IP Protocol Suite Describes a set of general design guidelines and implementations of specific networking protocols.
Othman Othman M.M., Koji Okamura Kyushu University Proceedings of the 33 nd Asia-Pacific Advanced Network Meeting Thailand, Chiang Mai, 2012/2/15 1.

Othman Othman M.M., Koji Okamura Kyushu University Proceedings of the 33 nd Asia-Pacific Advanced Network Meeting Thailand, Chiang Mai, 2012/2/15 1.

Similar presentations

Ads by Google