Presentation is loading. Please wait.

Presentation is loading. Please wait.

Framework for Binding Access Control to COPS Provisioning

Published bySofie van den Pol Modified over 6 years ago

Similar presentations

Presentation on theme: "Framework for Binding Access Control to COPS Provisioning"— Presentation transcript:

1 Framework for Binding Access Control to COPS Provisioning
Walter Weiss John Vollbrecht Dave Spence Dave Rago Amol Kulkarni Ravi Sahita Leon Gommans Cees de Laat Freek Dijkstra Kwok Ho Chan draft-ietf-rap-access-bind-00.txt January 16, 2019

2 PIB Requirements Minimize configuration overhead
Integrate with DiffServ informal model Make criteria for creating Access Requests (authorizations) extremely flexible Organize the data structures to minimize attribute misinterpretation and maximize reuse Provide means for static and dynamic policy bindings Provide means for configuring the set of information the PEP needs to supply to resolve the Access Requests January 16, 2019

3 Components of the model
time U S E R P E P D Access trigger Access Request Access Response Access decision USER = Requester of the services PEP = Policy Enforcement Point (a NAD, Network Access Device, in AAA-terminology) PDP = Policy Decision Point (a AAA-Server or proxy for a AAA-Server) January 16, 2019

4 DiffServ Informal Model
PEP Ingress Ports (Data Path Start) Queue MPLS Tunnel to Address Y Tunnel Encapsulation Scheduler Classifier Subnet A Premium Default Queue In Profile Out of Profile Meter Dropper Queue January 16, 2019

5 Possible Authorization Points
PEP Ingress Ports (Data Path Start) Queue MPLS Tunnel to Address Y Tunnel Encapsulation Scheduler Classifier Queue In Profile Out of Profile Meter Subnet A Premium Default Dropper Queue For all Tunneled Traffic For Out- of-Profile Traffic For all Traffic January 16, 2019

6 New Data Path Component: The Accessor
Classifier Scheduler Meter Queue PEP Accessor Access Mgr PDP Dropper Default data path Premium In Profile Out of Profile Session 1 (Bob’s phone call) Session 2 (Nick’s video call) January 16, 2019

7 Provisioning the Accessor
InstanceId ReferenceId to Accessor Element Default Datapath PRID of NextElement RequestAuthentication (Boolean) TagReference to AuthProtocol TagReference to ContextData Accessor Table creates and removes session table entries. Data structures associated with the Accessor include the Accessor Element (via ReferenceId), the list of allowed authentication protocols (AuthProtocols via TagReference), and the list of header and interface data that should be included with the PEP Access Request (ContextData via TagReference. The NextElement attribute points the the next datapath element for all non-matching traffic is sent (match criteria discussed more in session scope). January 16, 2019

8 Provisioning the Accessor
Accessor Auth Protocol InstanceId TagId (for list of Authentication protocols) Authentication mechanism (Enum: PAP, CHAP, EAP, etc.) Each entry of the Accessor Auth Protocol Table describes one protocol that may be used for user authentication. The list of allowable authentication mechanisms available to a given Accessor is determined by a shared TagId. January 16, 2019

9 Provisioning the Accessor
Context Data InstanceId TagId (for list of context data elements) RefId to session table PrcId of Interface or Header Data Table Encapsulation Layer (0=all, -1=innermost, 1=outermost) The Context Data class allows the PDP to specify what user-specific information to include with the PEP Access Request. Each instance of this class references a specific header or interface data table that must be included with the PEP Access Request. The list is identified by a unique TagId. For Header data it is possible for a single message to have multiple headers of the same type (tunneling). The Encapsulation Layer attribute allows the PDP to specify which instance of a header (inner or outer) should be returned. The RefId to the session table is only used in conjunction with Accessors and is not used when the TagID is used. January 16, 2019

10 Provisioning the Accessor
Accessor Element InstanceId TagReference to AccessorSessionScope table Interim forwarding behavior (Drop, Forward, Queue) PRID to default Session Data Path The Accessor Element class contains the configuration semantics for the Accessor. Since many configuration semantics are common, an instance of the Accessor Element can be reused (shared) by multiple instances of the Accessor. The Interim forwarding behavior indicates what should happen to session traffic between the time the session is established and the time the session is authorized (with a PDP Access Response message). If this attribute is assigned the value of Forward, all initial session traffic will be passed to the next data path element specified by the PRID to the default Session Data Path attribute. The TagReference to the AccessorSessionScope table points to a list of instances defining the criteria for creating new sessions. January 16, 2019

11 Provisioning the Accessor
AccessorSessionScope InstanceId TagId (List of Session Scope instances) PRID to FilterEntry (Framework PIB) Precedence AccessorSessionScope table determines the criteria for generating a new unique session. FilterEntries as defined in the framework PIB allow for the specification of header fields. The semantics of the FilterEntry when used by the AccessorSessionScope table is that each unique combination of field values specified in one or more FilterEntries with the same Precedence constitutes a unique session. For example, with SRC IP Address ( ) and SRC IP Mask (FF.FF.0.0), each unique IP address within the range and will receive a unique session entry. All traffic outside this range will be passed to the data path element specified in Accessor class’ NextElement attribute. January 16, 2019

12 Message Sequences after the Accessor is provisioned
time U S E R P E P D PEP notices user traffic/access request PEP Access Request to PDP Retrieve PEP knowledge about the session Authentication negotiation (optional) Provision PEP with policies PDP Access Response (Approval or Denial) Access Notification to user (optional) Usage of service January 16, 2019

13 Connection names P D E PEP Access Request Context Data Request
Context Data Response Opaque Decision (Authentication) Opaque Report (Authentication) Provision Decision Provision Report PDP Access Response P D E January 16, 2019

14 Session-related Data Structures
InstanceId SessionStatus Username Realm PRID of Policy (DS data path) ReferenceId (to previous data path session) ReferenceId of Accessor Table An instance of this class is created by the PEP and sent to the PDP. If the Accessor specifies authentication, the Username and Realm are learned from the authentication protocol and included in the Session class. The PRID of the next data path element is assigned from the AccessorElement’s default session datapath attribute. A reference to the Accessor generating the session is also included. The PDP completes the authorization by filling in the SessionStatus and PRID pointing to the data path processing that follows the session. The modified session instance is sent back in a PDP Access Response message. January 16, 2019

15 Session-related Data Structures
PEP QoS Accessor Access Mgr Scheduler Queue AF2 Tunnel Accessor Classifier DST Addr X Default Default Data Path Tunnel BE Session 4 Session 17 Prev (4) Session InstanceId SessionStatus Username Realm PRID of Policy (DS data path) ReferenceId (to previous data path session) ReferenceId of Accessor Table If an Accessor was placed in the data path after an existing Session, all new session instances generated by the Accessor will point to the most immediate upstream session instance. January 16, 2019

16 Session-related Data Structures
AuthExtensions InstanceId ReferenceId of Session AuthPAPExt (PEP PDP) authPapExtPwd AuthCHAPExt (PEP PDP) authChapExtId authChapExtChal authChapExtResp AuthEAPReq (PEP PDP) authEapReqExtSpecific AuthEAPResp (PEP PDP) authEapRespExtSpecific This is a ‘transient’ class. Its instances are temporary and are deleted by the PEP (PDP) after a certain time/event. Thus these class MUST NOT be referred to by the PDP (PEP). Also, since instances are deleted, InstanceIds may be reused. January 16, 2019

17 MD5 Authentication time U S E R P E P D Connect EAP_Req{ID}
EAP_Rsp{Identity} PEP Access Request containing EAP_Rsp{Identity} EAP_Req{Challenge} Opaque Decision containing EAP_Req{Challenge} EAP_Rsp{MD5(Response)} Opaque Report containing EAP_Rsp{MD5(Response)} EAP_Success PDP Access Response containing Provisioning Decisions for PEP Provisioning _Report January 16, 2019

18 Session-related Data Structures
ContextData InstanceId TagId (for list of context data elements) ReferenceId to session table PrcId of Interface Data Table Encapsulation Layer (0=all, -1=innermost, 1=outermost) The Context Data class can also be used by the PDP to get header or interface data information about a session after it receives a PEP Access Request. It is even possible to retrieve session information after the session is authorized. When used in this way, usage of the TagID is inappropriate. The ReferenceIf of the session for which the context data is being requested must be included in the ContextData class. January 16, 2019

19 Session-related Data Structures
Header Data 802.1 Header InstanceId Source MAC Address Destination MAC Address Protocol Priority VLAN Encapsulation Layer L3 Header InstanceId Source IP Address Destination IP Address Protocol Source Port Destination Port TOS/DS ECN Capable IP Options Encapsulation Layer Some example Header Data elements that can be bound to the Accessors or session-specific context data requests. January 16, 2019

20 Session-related Data Structures
Interface Data Dialup Interface InstanceId CalledStationId NASPort CallingStationId NASPortId ConnectInfo NASPortType Dialup Interface Login Service InstanceId IpHost Dialup Interface Login LAT Service Service Node Group Port Dialup Interface Framed Protocol InstanceId PortLimit Prot IpAddress MTU IpNetmask Compression Some example Interface Data elements that can be bound to the Accessors or session-specific context data requests. January 16, 2019

21 Allowable Combination of Messages
PEP Access Request containing Authentication and Context Data P E P D PDP Access Response containing Provisioning Decisions Decision Report January 16, 2019

22 Additional Applications
RSVP Bandwidth Brokers MidCom Provisioning access to network content January 16, 2019

Download ppt "Framework for Binding Access Control to COPS Provisioning"

Similar presentations

© 2007 Cisco Systems, Inc. All rights reserved.Cisco Public 1 Addressing the Network – IPv4 Network Fundamentals – Chapter 6.

© 2007 Cisco Systems, Inc. All rights reserved.Cisco Public 1 Addressing the Network – IPv4 Network Fundamentals – Chapter 6.
December 11, 20011 Framework for Binding Access Control to COPS Provisioning Walter Weiss John Vollbrecht Dave Spence Dave Rago Amol Kulkarni Ravi Sahita.

December 11, Framework for Binding Access Control to COPS Provisioning Walter Weiss John Vollbrecht Dave Spence Dave Rago Amol Kulkarni Ravi Sahita.
IRTF - AAAARCH - RG Authentication Authorisation Accounting ARCHitecture RG chairs: J. Vollbrecht and C. de Laat www.aaaarch.org RFC 2903, 2904, 2905,

IRTF - AAAARCH - RG Authentication Authorisation Accounting ARCHitecture RG chairs: J. Vollbrecht and C. de Laat RFC 2903, 2904, 2905,
1 Chapter 2: Networking Protocol Design Designs That Include TCP/IP Essential TCP/IP Design Concepts TCP/IP Data Protection TCP/IP Optimization.

1 Chapter 2: Networking Protocol Design Designs That Include TCP/IP Essential TCP/IP Design Concepts TCP/IP Data Protection TCP/IP Optimization.
Session-Independent Policies draft-ietf-sipping-session-indep-policy-01 Volker Hilt Gonzalo Camarillo

Session-Independent Policies draft-ietf-sipping-session-indep-policy-01 Volker Hilt Gonzalo Camarillo
ACN: IntServ and DiffServ1 Integrated Service (IntServ) versus Differentiated Service (Diffserv) Information taken from Kurose and Ross textbook “ Computer.

ACN: IntServ and DiffServ1 Integrated Service (IntServ) versus Differentiated Service (Diffserv) Information taken from Kurose and Ross textbook “ Computer.
Semester 4 - Chapter 4 – PPP WAN connections are controlled by protocols In a LAN environment, in order to move data between any two nodes or routers two.

Semester 4 - Chapter 4 – PPP WAN connections are controlled by protocols In a LAN environment, in order to move data between any two nodes or routers two.
Accessor Issues in the Access Bind PIB Freek Dijkstra Utrecht University, the Netherlands.

Accessor Issues in the Access Bind PIB Freek Dijkstra Utrecht University, the Netherlands.
PPP (Point to Point protocol).  On WAN connection, the protocol depends on the WAN technology and communicating equipment:  Examples:  HDLC –  The.

PPP (Point to Point protocol).  On WAN connection, the protocol depends on the WAN technology and communicating equipment:  Examples:  HDLC –  The.
An Architecture for Differentiated Services

An Architecture for Differentiated Services
Chapter 9 Classification And Forwarding. Outline.

Chapter 9 Classification And Forwarding. Outline.
1 Enabling Secure Internet Access with ISA Server.

1 Enabling Secure Internet Access with ISA Server.
Virtual LANs. VLAN introduction VLANs logically segment switched networks based on the functions, project teams, or applications of the organization regardless.

Virtual LANs. VLAN introduction VLANs logically segment switched networks based on the functions, project teams, or applications of the organization regardless.
© 2007 Cisco Systems, Inc. All rights reserved.Cisco Public 1 Addressing the Network – IPv4 Network Fundamentals – Chapter 6.

© 2007 Cisco Systems, Inc. All rights reserved.Cisco Public 1 Addressing the Network – IPv4 Network Fundamentals – Chapter 6.
CECS 5460 – Assignment 3 Stacey VanderHeiden Güney.

CECS 5460 – Assignment 3 Stacey VanderHeiden Güney.
Network Redundancy Multiple paths may exist between systems. Redundancy is not a requirement of a packet switching network. Redundancy was part of the.

Network Redundancy Multiple paths may exist between systems. Redundancy is not a requirement of a packet switching network. Redundancy was part of the.
Configuring Routing and Remote Access(RRAS) and Wireless Networking

Configuring Routing and Remote Access(RRAS) and Wireless Networking
1 COPS-RSVP and COPS-PR Interactions David Durham Intel.

1 COPS-RSVP and COPS-PR Interactions David Durham Intel.
Cisco – Chapter 11 Routers All You Ever Wanted To Know But Were Afraid to Ask.

Cisco – Chapter 11 Routers All You Ever Wanted To Know But Were Afraid to Ask.
Router and Routing Basics

Router and Routing Basics

Similar presentations

Ads by Google