Authorization of a QoS path based on Generic AAA
SC2002, Baltimore, Nov 16-22
Bas van Oudenaarde, Advanced Internet Research Group, University of Amsterdam, oudenaar@science.uva.nl
EU IST-2001-32459
Content
● Introduction
● Concepts of Generic Authorization, Authentication and Accounting (AAA)
● Authorization / Control models
● Authorized path discovery
● AAA server authorization interaction
● Test bed / Bandwidth on Demand server
● Conclusions
Introduction
● Users require guaranteed high-bandwidth connections.
● Project: a middleware solution for authorization of a Quality of Service (QoS) path.
● Because network resources are managed with different security systems and policies, the project identifies the major problems and looks for inter-Grid-level mechanisms that can interoperate with each administrative domain's own authentication, authorization and management rules and procedures.
● Prototype: a Bandwidth on Demand (BoD) server based on Generic AAA.
Generic AAA
● AAA server: may be involved in Authorization, Authentication and Accounting.
● Each AAA request is handled according to a driving policy.
● The behaviour of the generic part is determined by the combination of driving policies, Application Specific Modules (ASMs) and AAA requests.
...Continued, Generic AAA
● The group has been participating in defining the concepts for Generic AAA since March 1999, when the AAA WG was formed at IETF-44.
● The work later became an IRTF subject (AAAARCH RG).
● RFCs 2903 to 2906 describe the framework, architecture, example applications and requirements.
● Optical networking within a Grid environment is a research application for Generic AAA.
Generic AAA Architecture (RFC 2903)
The fundamental ideas are inspired by the work of the IETF RAP WG, which in RFC 2753 describes a framework for policy-based admission control, the foundation for COPS.
● Policy Decision Point (PDP): the point where policy decisions are made.
● Policy Enforcement Point (PEP): the point where the policy decisions are actually enforced.
Diagram: Request -> PDP (backed by a Policy Repository) -> Decision -> PEP.
Basic goal of Generic AAA: allow policy decisions to be made by multiple PDPs belonging to different administrative domains.
Generic AAA Architecture (RFC 2903)
Achieve this goal by separating the logical decision process from the application-specific parts within the PDP.
Diagram: Request -> PDP [Rule Based Engine (RBE) + Policy Repository + Application Specific Module (ASM)] -> Decision -> PEP.
Generic AAA Architecture (RFC 2903)
● Allow RBEs to talk to each other and exchange messages that can only have boolean answers.
● Policies are hidden from the original requestor.
Diagram: User A -> AAA server of the Service Provider (ASM, RBE, Policy Repository), which exchanges messages with two AAA servers of the Institute / Enterprise: the HR Dept. server (ASM, RBE, Policy Repository, Users) and the Finance Dept. server (ASM, RBE, Policy Repository, Budgets).
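As an added example (not code from the slides or the AAAARCH project), a toy of the interaction on this slide in Python: User A's request reaches the Service Provider's AAA server, whose RBE asks the Institute's HR and Finance AAA servers whether the user exists and whether the budget covers the cost, and gets back nothing but booleans. The server names, the employee and budget tables, the tariff and the question names are constructed for the example.

```python
"""Added example, not from the slides: three AAA servers whose rule-based
engines (RBEs) exchange only boolean answers, so the Service Provider never
sees the enterprise's user list or budget figures."""
from dataclasses import dataclass, field

# Constructed enterprise data; it never leaves the domain that owns it.
EMPLOYEES = {"alice": "research", "carol": "finance"}   # HR Dept. (Users)
BUDGETS = {"alice": 5000, "carol": 200}                 # Finance Dept. (Budgets)
PRICE_PER_UNIT = 2                                      # constructed tariff of the provider


@dataclass
class AAAServer:
    name: str
    policies: dict                                # question -> callable(args) -> bool
    peers: dict = field(default_factory=dict)     # peer name -> AAAServer
    log: list = field(default_factory=list)       # messages seen, for inspection only

    def answer(self, question: str, args: dict) -> bool:
        """Entry point for an AAA message: evaluate the local driving policy for
        `question`; unknown questions are denied. Only a bool leaves the domain."""
        policy = self.policies.get(question)
        result = bool(policy(args)) if policy else False
        self.log.append((question, result))
        return result

    def ask(self, peer: str, question: str, args: dict) -> bool:
        """Send an AAA message to another domain's RBE and receive its boolean."""
        result = self.peers[peer].answer(question, args)
        self.log.append((peer, question, result))
        return result


def build_domains():
    """Wire up the three AAA servers of the slide's diagram."""
    hr = AAAServer("HR Dept", {"is_employee": lambda a: a["user"] in EMPLOYEES})
    finance = AAAServer("Finance Dept",
                        {"budget_ok": lambda a: BUDGETS.get(a["user"], 0) >= a["cost"]})
    provider = AAAServer("Service Provider", {})
    provider.peers = {"HR Dept": hr, "Finance Dept": finance}
    # The provider's driving policy for a BoD request: both enterprise answers
    # must be true. `and` short-circuits, so Finance is not even asked about
    # someone HR does not know (minimal disclosure in both directions).
    provider.policies["bod"] = lambda a: (
        provider.ask("HR Dept", "is_employee", {"user": a["user"]})
        and provider.ask("Finance Dept", "budget_ok",
                         {"user": a["user"], "cost": a["bandwidth"] * PRICE_PER_UNIT}))
    return provider, hr, finance


def request_bod(provider: AAAServer, user: str, bandwidth: int) -> bool:
    """User A's request enters the provider's RBE; enterprise policies stay hidden."""
    return provider.answer("bod", {"user": user, "bandwidth": bandwidth})


if __name__ == "__main__":
    provider, hr, finance = build_domains()
    for user, bw in (("alice", 100), ("carol", 500), ("bob", 10)):
        print(user, bw, request_bod(provider, user, bw))
    print(provider.log)
```

Inspecting `provider.log` after the run shows that every value that crossed a domain boundary is a bare True or False: the provider learns neither who works where nor what the budgets are.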
Generic AAA Framework (RFC 2904)
Three fundamentally different user-initiated authorization sequences (the numbers are the message steps in the diagram):
● Pull sequence (e.g. NAS, RSVP): 1 User -> Service; 2 Service -> AAA; 3 AAA -> Service; 4 Service -> User.
● Agent sequence (brokers, agents): 1 User -> AAA; 2 AAA -> Service; 3 Service -> AAA; 4 AAA -> User.
● Push sequence (token-based access, Kerberos tickets): 1 User -> AAA; 2 AAA -> User; 3 User -> Service; 4 Service -> User.
Generic AAA Framework (RFC 2904)
Separating the user awareness from the service yields roaming models. Example, the roaming pull model: 1 User -> Service (at the Service Provider); 2 Service -> Service Provider AAA; 3 Service Provider AAA -> User Home Organization AAA; 4 Home Organization AAA -> Service Provider AAA; 5 Service Provider AAA -> Service; 6 Service -> User.
Authorization / Control models
● Network nodes and network links, where the relevant parameters are under the control of an AAA server.
● The parameters are governed by a set of policies.
● Consider a simple unidirectional QoS path between two nodes; three models:
Individual Control model (diagram: nodes N0 and N1 with an AAA server)
Partial Control model (diagram: nodes N0 and N1 with an AAA server)
Full Control model (diagram: nodes N0 and N1 with an AAA server)
Authorized path discovery
Diagram: node N0 (with AAA0) to node Nn over a logical link ĩ.
● QoS path through multiple administrative domains.
● AAA servers need a mechanism for advertising the connections they can establish.
● Start with the simplest QoS path: the Full Control model.
● Logical network link ĩ instead of a physical network link.
● Decision tree for authorization of QoS elements.
Example of AAA server authorization interactions
Diagram labels: AAA servers AAA0, AAA1, AAA2 and AAA1,2; nodes N0, N1, N2 and Nn; domains D0 and D1; links l0,1 and l2,n.
Test bed / Bandwidth on Demand
● Focus on optical networks: layer 1 and layer 2 technologies.
● 802.1Q VLAN switches.
● Construct a private network.
Test bed diagram: Grid Domain A and Grid Domain B each run a Globus AAA client; the clients talk XML/SOAP over the "Internet" to the AAA server, which in turn has an AAA client that configures the Optical N/W Provider's two Cabletron SS 6000 802.1Q VLAN switches via SNMP on their control ports. The switches are connected by a 1 Gb lightpath, and the grid domains attach to their FE (Fast Ethernet) network ports.
Generic AAA BoD: agent sequence; Full Control model authorizing QoS path access via VLANs.
Next step diagram: replace the fiber with GMPLS or DWDM technology; GB (gigabit) network ports; a GMPLS proxy driven over CLI or XML; optimized TCP/IP between the Globus AAA clients of Grid Domain A and Grid Domain B.
Example BoD request (the values as shown on the slide; the field names are reconstructed from the driving policy on the next slide, which reads the fields in this order):
AuthorizationData.Credential.ID: person1
AuthorizationData.Credential.Key: 1#fdjkj9#esn34k
ServiceData.SwitchData.Source: 100.10.20.30
ServiceData.SwitchData.Destination: 110.1.2.3
ServiceData.SwitchData.Bandwidth: 2500
ServiceData.SwitchData.StartTime: now
ServiceData.SwitchData.Duration: 3600
Example of BoD driving policy
    if ( ASM::Authorizer.authorize( Request::AuthorizationData.Credential.ID,
                                    Request::AuthorizationData.Credential.Key ) )
    then (
        ASM::RM.BoD( Request::ServiceData.SwitchData.Source,
                     Request::ServiceData.SwitchData.Destination,
                     Request::ServiceData.SwitchData.Bandwidth,
                     Request::ServiceData.SwitchData.StartTime,
                     Request::ServiceData.SwitchData.Duration ) ;
        Reply::Answer.Message = "Request successful"
    )
    else (
        Reply::Error.Message = "Request failed"
    )
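The driving policy above, evaluated end to end in Python as an added example (not the prototype's own code). The request follows the agent sequence of the test bed: it enters the AAA server, which calls ASM::Authorizer and then ASM::RM on the user's behalf. The credential store, the link capacity, the time-window admission check inside the resource manager and the clock value are assumptions made here; one deliberate tightening is that a refusal from ASM::RM also produces Reply::Error, which the slide's policy leaves to the ASM.

```python
"""Added example, not the prototype's own code: a minimal rule-based engine
evaluating the BoD driving policy from the slide against the example request.
The real prototype configured 802.1Q VLAN switches over SNMP and spoke
XML/SOAP with Globus AAA clients; neither is modelled here."""
import hmac
from dataclasses import dataclass

# Assumed credential store for ASM::Authorizer: credential ID -> shared key.
CREDENTIALS = {"person1": "1#fdjkj9#esn34k"}

# Assumed capacity of the authorised link, in the same (unstated) unit as the
# request's Bandwidth field.
LINK_CAPACITY = 5000

# The example BoD request from the previous slide as the nested structure the
# policy's Request::... paths address.
EXAMPLE_REQUEST = {
    "AuthorizationData": {"Credential": {"ID": "person1", "Key": "1#fdjkj9#esn34k"}},
    "ServiceData": {"SwitchData": {
        "Source": "100.10.20.30", "Destination": "110.1.2.3",
        "Bandwidth": "2500", "StartTime": "now", "Duration": "3600"}},
}


@dataclass
class Reservation:
    source: str
    destination: str
    bandwidth: int
    start: int        # seconds (constructed clock)
    duration: int     # seconds

    @property
    def end(self) -> int:
        return self.start + self.duration


class AuthorizerASM:
    """ASM::Authorizer: validates the credential carried in the request."""

    def __init__(self, credentials: dict):
        self._credentials = credentials

    def authorize(self, cred_id: str, key: str) -> bool:
        stored = self._credentials.get(cred_id)
        if stored is None:
            return False
        # Constant-time comparison; the RBE only ever learns True or False.
        return hmac.compare_digest(stored.encode(), key.encode())


class ResourceManagerASM:
    """ASM::RM: admission control for one link; never oversubscribes it."""

    def __init__(self, capacity: int):
        self.capacity = capacity
        self.reservations = []  # list of Reservation

    def committed(self, t: int) -> int:
        """Bandwidth already reserved at instant t."""
        return sum(r.bandwidth for r in self.reservations if r.start <= t < r.end)

    def bod(self, source, destination, bandwidth, start, duration) -> bool:
        if bandwidth <= 0 or duration <= 0 or bandwidth > self.capacity:
            return False
        new = Reservation(source, destination, bandwidth, start, duration)
        # Load is piecewise constant, so its peak over the new window occurs at
        # the window's start or at the start of a reservation inside the window.
        instants = {new.start} | {r.start for r in self.reservations
                                  if new.start < r.start < new.end}
        if any(self.committed(t) + bandwidth > self.capacity for t in instants):
            return False
        self.reservations.append(new)
        return True


def driving_policy(request: dict, authorizer: AuthorizerASM,
                   rm: ResourceManagerASM, now: int) -> dict:
    """The slide's driving policy as the RBE evaluates it; `now` resolves the
    literal StartTime "now" so the run is deterministic."""
    cred = request["AuthorizationData"]["Credential"]
    sw = request["ServiceData"]["SwitchData"]
    start = now if sw["StartTime"] == "now" else int(sw["StartTime"])
    # `and` short-circuits: a bad credential never reaches the resource manager.
    if authorizer.authorize(cred["ID"], cred["Key"]) and rm.bod(
            sw["Source"], sw["Destination"], int(sw["Bandwidth"]),
            start, int(sw["Duration"])):
        return {"Answer": {"Message": "Request successful"}}
    return {"Error": {"Message": "Request failed"}}


if __name__ == "__main__":
    auth, rm = AuthorizerASM(CREDENTIALS), ResourceManagerASM(LINK_CAPACITY)
    for _ in range(3):  # the third identical request would oversubscribe the link
        print(driving_policy(EXAMPLE_REQUEST, auth, rm, now=1_037_500_000))
```

Two identical requests fit in the assumed capacity of 5000 and a third is refused; the same request for a start time after the first two have expired is admitted again. A wrong key fails before the resource manager is consulted, so no reservation is created for an unauthenticated requestor.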
Summary / Conclusions
● AAA server behaviour is determined by ASMs, policies and AAA messages.
● The RBE only takes logical decisions (multi-domain).
● Implement ASMs for the difficult tasks, to support the RBE.
● The multi-domain challenge lies in policies and AAA messages.
● ASM template supporting services and switching technologies.
● Building a complex decision network versus scalability, stability and performance.
Thank you!