Token Based Authorization of GMPLS Networks. By: Leon Gommans, Paola Grosso, Fred Wan, Cees de Laat, Marten Hoekstra, Li Xu, University of Amsterdam


1 Token Based Authorization of GMPLS Networks. By: Leon Gommans, Paola Grosso, Fred Wan, Cees de Laat, Marten Hoekstra, Li Xu, University of Amsterdam

2 Why are tokens a useful concept to implement with GMPLS networks?
- Enables fast link access at network ingress.
- Deals with complex authorization process separately and in advance.
- Can be linked to reservations.
- Allows multi-domain support: network egress generates token for next domain.
- Tokens support both billing and pre-paid models.

3 Main rationale: Time consuming service authorization process can be separate from fast service access.
[Diagram labels: Service, HRM, Network Service, Service Provider A, User Home Org, Finance, Work Group, Service Provider B, tokens (T)]

4 Functional overview
[Diagram components: Policy Manager, Generic AAA Server, SCU Elastic Scheduler, Policy Enforcement Point, Active Schedule, Planned Schedule, Policy Repository, Application Client, Host A, Host B, 802.1Q VLAN Switches, DRAGON VLSRs, VLSR Clients]

5 Application sends reservation request link
[Diagram: functional overview from slide 4]

6 Generic AAA server fetches and executes policy
[Diagram: functional overview from slide 4]

7 Generic AAA server calls Elastic Scheduler as part of policy
[Diagram: functional overview from slide 4]

8 Elastic Scheduler merges request in planned schedule
[Diagram: functional overview from slide 4]

9 Elastic Scheduler replies Request ID
[Diagram: functional overview from slide 4]

10 Generic AAA Server generates Token Key which is placed into planned schedule using the Request ID.
[Diagram: functional overview from slide 4]

11 Generic AAA Server sends Token Key with Request ID to Application Client.
[Diagram: functional overview from slide 4]

12 Generic AAA Server pushes Planned Schedule to Active Schedule via Policy Enforcement Point.
[Diagram: functional overview from slide 4]

13 The Application Client generates Token with Key and hands Token to the VLSR Client.
[Diagram: functional overview from slide 4]

14 Token generation at VLSR Client - detailed
[Diagram labels: Token Key, RSVP TE, Source Address, Destination Address, Request ID, HMAC-SHA1]

15 The VLSR client sends an RSVP-TE PATH request. VLSR sends part of PATH request to the Policy Enforcement Point.
[Diagram: functional overview from slide 4]

16 Token validation at Policy Enforcement Point - detailed
[Diagram labels: RSVP TE, Request ID, Source Address, Destination Address, Active Schedule Table, Token verify, Time slot verify, HMAC-SHA1]

17 Policy Enforcement Point signals go-ahead to VLSR.
[Diagram: functional overview from slide 4]
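
Token generation (slide 14) and the two checks at the Policy Enforcement Point (slide 16), written out in Python. This is an added example, not code from the presentation or from the DRAGON project; it assumes the token is HMAC-SHA1 keyed with the Token Key over the source address, destination address and Request ID, and the byte layout, the `ScheduleEntry` fields, the function names and all sample values are assumptions.

```python
import hashlib
import hmac
import ipaddress
import secrets
import struct
from dataclasses import dataclass


@dataclass(frozen=True)
class ScheduleEntry:
    """One Active Schedule Table row (field names are assumptions)."""
    token_key: bytes
    start: int  # time slot start, epoch seconds
    end: int    # time slot end, epoch seconds


def make_token(token_key: bytes, src: str, dst: str, request_id: int) -> bytes:
    """HMAC-SHA1 keyed with the Token Key over source, destination, Request ID."""
    # Assumed layout: fixed-width fields (packed IPv4, 32-bit ID), unambiguous.
    msg = ipaddress.IPv4Address(src).packed + ipaddress.IPv4Address(dst).packed
    msg += struct.pack("!I", request_id)
    return hmac.new(token_key, msg, hashlib.sha1).digest()


def pep_validate(schedule, src, dst, request_id, token, now):
    """Token verify, then time slot verify, for fields from a PATH request."""
    entry = schedule.get(request_id)
    if entry is None:
        return False, "unknown request id"
    expected = make_token(entry.token_key, src, dst, request_id)
    if not hmac.compare_digest(expected, token):  # constant-time comparison
        return False, "token mismatch"
    if not entry.start <= now < entry.end:
        return False, "outside time slot"
    return True, "go-ahead"


def demo():
    """Constructed values: documentation-range addresses, made-up slot and ID."""
    key = secrets.token_bytes(20)  # stands in for the AAA server's Token Key
    schedule = {42: ScheduleEntry(key, start=1000, end=2000)}
    a, b = "192.0.2.10", "198.51.100.20"
    token = make_token(key, a, b, 42)
    return [
        pep_validate(schedule, a, b, 42, token, now=1500),
        pep_validate(schedule, a, "198.51.100.99", 42, token, now=1500),
        pep_validate(schedule, a, b, 42, token, now=2500),
        pep_validate(schedule, a, b, 7, token, now=1500),
    ]
```

Because the token binds the addresses and the Request ID, a token replayed for a different destination or outside its reserved slot is rejected even though the HMAC itself was valid when issued.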

18 VLSR sends RSVP-TE PATH on to next VLSR
[Diagram: functional overview from slide 4]

19 VLSR sends PATH on to VLSR Client of Host B.
[Diagram: functional overview from slide 4]

20 VLSR Client B returns RESV to VLSR Client of Host A, provisioning the VLAN switches along the way.
[Diagram: functional overview from slide 4]

21 Host A and B can now communicate.
[Diagram: functional overview from slide 4]

22 Acknowledgement
- Santa Clara University, Elastic Scheduler: Sumit Naiksatam, Cameron Boehmer, Silvia Figueira
- Internet2, conceptual input regarding authorization models: John Vollbrecht
- DRAGON Project, GMPLS control plane: Chris Tracey
- SARA, Network Testbed: Ronald van der Pol

23 Thank you for watching
