Presentation is loading. Please wait.

Presentation is loading. Please wait.

AAA-ARCH IRTF-RG Authentication Authorisation and Accounting ARCHitecture chairs: C. de Laat J. Vollbrecht 1 of 16.

Published by Modified over 9 years ago

Similar presentations

Presentation on theme: "AAA-ARCH IRTF-RG Authentication Authorisation and Accounting ARCHitecture chairs: C. de Laat J. Vollbrecht 1 of 16."— Presentation transcript:

1 AAA-ARCH IRTF-RG Authentication Authorisation and Accounting ARCHitecture chairs: C. de Laat J. Vollbrecht 1 of 16

2 Applications –Network Access –Bandwidth Broker –Authorization of resources living in many administrative domains –Budget system –Library system –Computer based education system –E-Commerce –Micro-payments –Car Rental –Daily life 2 of 16

3 Physics-UU to IPP-FZJ => 7 kingdoms –Physics dept –Campus network –SURFnet –TEN 155 –WINS/DFN –Juelich, Campus –Plasma Physics Multi Kingdom Problem 3 of 16 USA line 3 ms Jülich 17 ms 2.5 ms

4 The need for AAA End user RRRR Remote service management 4 of 16 Kingdom NKingdom N+1 BB AAA BB management ? ? AAA $$$

5 Starting point Applications –PPP Dialin with Roaming (Network Access) –Mobile-IP –Bandwidth Broker –Internet Printing –Electronic Commerce –Computer Based Education and Distance Learning Requirements –Take high level requirements from the different applications as notified in the AAA drafts –Separate common from application specific functionality –Authorization of resources living in many administrative domains 5 of 16

6 Generic AAA server Rule based engine Application Specific Module Auth rules Events API 2 11 3 AAA Server building block Types of communication: 1: “The” AAA protocol 2: interface (API) to app specific module (addressing!) 3: interface (API or connection) to repositories (e.g. LDAP) 6 of 17 Rule example: Auth_A = (B>9).or. C.and. D

7 Generic AAA server Rule based engine Application Specific Module Policy Events 2 11 3 Service 5 Types of communication: 5: Towards service (f.e. COPS, CLI, SNMPv3) Pushing the buttons 7 of 18

8 Generic AAA server Rule based engine Application specific Module Policy Events 2 11 3 4 Types of communication: 4: Legacy protocols (Radius, Diameter, …) 8 of 18 Legacy protocols

9 Generic AAA server Rule based engine Application specific Module Policy Events 2 11 3 4 GW 1 2 Gateway 9 of 18

10 AAA server Generic AAA Agent Model AAA server 10 of 18

11 MacsBug 6.5.4a6, Copyright Apple Computer, Inc. 1981-98 NMI (user entered MacsBug on purpose) 17-Jun-1999 11:51:26 PM (since boot = 28 minutes) Current application is “Microsoft PowerPoint” Machine = 312 (PowerBookG3Series), System $0860, sysu = $01008000 ROM version $077D, $41F6, $0002 (ROMBase $FFC00000) VM is on; paging is currently safe NIL^ = $FFC10000 Stack space used = -8018882 Address FFC0693A is in the ROM at _PutIcon+0378C 68020 Registers D0 = 00000000 A0 = FEE00000 USP = 0B25F3D8 D1 = 0000003C A1 = 0028B9A4 MSP = 00000000 D2 = 008D49B0 A2 = 00019570 ISP = 0BA055E4 D3 = 0B25FAF0 A3 = 00000000 VBR = 0016D494 D4 = 746FFF00 A4 = 0B25F754 CACR = 00000001 SFC = 0 D5 = 0000FFFE A5 = 0B9F3790 CAAR = 00000000 DFC = 0 D6 = 6C204301 A6 = 0B25F42C PC = FFC0693A D7 = 00010000 A7 = 0BA055E4 SR = SmxnzvC Int = 0 Calling chain using A6/R1 links Back chain ISA Caller 0B25F8FF PPC 002FD83C EmToNatEndMoveParams+00014 0B25F880 PPC 1B5C67F8 0B25F848 PPC 1B5C68A8 0B25F7D8 PPC 1B249B30 0B25F780 PPC 1B2905DC 0B25F710 PPC 1B28F3FC 0B25F6A0 PPC 1AE7BE98 AfxWaitNextEvent+00050 Just kidding Next section We will now examine the generic AAA problem from the perspective of a layered protocol model This contribution is mostly done by George Gross 11 of 19

12 User User Home Organization AAA Server Service Provider AAA Server Service Equipment Request 1 Approved 4 Commit Approval 2 Conditional Approval 3 5 use service 4 Example applications: Mobile IP, PPP dial-in to NAS 1 Roaming “Pull” Authorization Model 12 of 20

13 User User Home Organization AAA Server Service Provider AAA Server Service Equipment Request 1 Approved 4 5 use service 4 Conditional Approval with ticket 2 Request with ticket 3 Example application: Internet printing, where file and print servers are in different admin domains Roaming “Push” Authorization Model 13 of 20

14 User User Home Organization AAA Server Service Provider AAA Server Service Equipment Request 1 Approved 4 Commit Approval 3 Conditional Approval 2 5 use service 3 Example application: bandwidth brokerage at Enterprise/Service Provider boundary Roaming “Agent” Authorization Model 14 of 20

15 Reliable Secure Transport Service Layer AAA Transaction Session Management (AAA-TSM) Service Layer AAA-TSM service layer API Internet Protocol Service Layer Presentation Service Layer AAA Application Specific Service Layer AAA Server Protocol Stack 15 of 20

16 Generic AAA Server Components Authorization Policy Rules Evaluation Engine Authorization history event log Attribute Authority AAA-TSM service API AAA-TSM Protocol Handler Authorized Session Resource Manager Authorization policy rules database Presentation Service Layer Reliable Secure Transport User Authorization Request Services 16 of 20

17 Completed Approval List Member AAA-TSM Request AAA-TSM Request Payload Authorizer’s approval digital signature Authorization Stakeholder Routing List User’s Authorization Request User’s credentials, e.g.attribute certificate User’s identity AAA-TSM Common Header Authorization Completed Approvals List Application-specific response data Authorizer’s decision serial number Generic decision status code Authorizer’s Session Layer Address Timestamp of decision Payload Modification Audit Trail Authorization formula partial results stack 17 of 20

18 AAA Protocol Stack - end to end view User Service Provider Administrative Domain User Home Organization Admin. Domain AAA Gateway This scenario shows the User requesting an authorization transaction that requires getting approval from both of two AAA applications, X and Y Internet Protocol Reliable/Secure Transport Reliable/Secure Transport AAA Transaction Session Management Presentation Service “X” Application “X” Authorization Manager AAA Transact Session Mgmnt. “X” Service Equipment Presentation Service Application Specific Authorization Requestor User Reliable/Secure Transport Internet Protocol Reliable/Secure Transport AAA Transaction Session Management Presentation Service”X” Application “X” Authorization Manager Policy Database AAA Server Presentation Service “Y” Application “Y” Authorization Manager Policy Database Presentation Service “Y” Application “Y” Authorization Manager “Y” Service Equipment AAA-TSM service layer API 18 of 20

19 Architecture's Focus The architecture's focus is to support AAA services that: can inter-operate across organizational boundaries are extensible yet common across a wide variety of Internet services enables a concept of an AAA transaction spanning many stakeholders provides application independent session management mechanisms contains strong security mechanisms that be tuned to local policies is a scalable to the size of the global Internet 19a of 20

20 RG-Goals-1 Specific goals of the RG are: develop generic AAA model by specifically including Authentication and Accounting develop auditability framework specification that allows the AAA system functions to be checked in a multi- organization environment develop a model that supports management of a "mesh" of interconnected AAA Servers define distributed policy framework, coordinate with policy framework WG and others develop an accounting model that allows authorization to define the type of accounting processing required for each session 19b of 20

21 RG-Goals-2 Specific goals of the RG are: implement a simulation model that allows experimentation with the the proposed architectural models (also work on an emulation) describe interdomain issues using generic model work with AAA WG to align short term AAA protocol requirements with long term requirements as much as possible complete the work in Q3 - 2000 (ambitious) 19c of 20

22 RG-info Research Group Name: AAAARCH Chair(s) –John Vollbrecht -- jrv@merit.edu –Cees de Laat -- delaat@phys.uu.nl Mailing list(s) –aaaarch@fokus.gmd.de –For subscription to the mailing list, send e-mail to majordomo@fokus.gmd.de with content of message subscribe aaaarch end –will be archived, retrieval with frames »http://www.fokus.gmd.de/glone/research/aaaarch/ –in plain ascii: »http://www.fokus.gmd.de/glone/research/mail-archive/aaaarch-current »ftp://ftp.fokus.gmd.de/pub/glone/mail-archive/aaaarch-current Web page –Http://www.phys.uu.nl/~wwwfi/aaaarch 20 of 20

Download ppt "AAA-ARCH IRTF-RG Authentication Authorisation and Accounting ARCHitecture chairs: C. de Laat J. Vollbrecht 1 of 16."

Similar presentations

Authentication Authorization Accounting and Auditing

Authentication Authorization Accounting and Auditing
SIP and Instant Messaging. www.dynamicsoft.com SIP Summit 2001 5.01.01 SIP and Instant Messaging What Does Presence Have to Do With SIP? How to Deliver.

SIP and Instant Messaging. SIP Summit SIP and Instant Messaging What Does Presence Have to Do With SIP? How to Deliver.
www.dynamicsoft.com VON Europe 2000 -- 06/19/00 SIP and the Future of VON Protocols SIP and the Future of VON Protocols: Presence and IM Jonathan Rosenberg.

VON Europe /19/00 SIP and the Future of VON Protocols SIP and the Future of VON Protocols: Presence and IM Jonathan Rosenberg.
www.dynamicsoft.com Fall VoN 2000 SIP for IP Communications Jonathan Rosenberg Chief Scientist.

Fall VoN 2000 SIP for IP Communications Jonathan Rosenberg Chief Scientist.
AAA Architecture Use of a AAA Server Application Specification to Support Generic AAA Applications Across a Mesh of Interconnected AAA Servers With Policy.

AAA Architecture Use of a AAA Server Application Specification to Support Generic AAA Applications Across a Mesh of Interconnected AAA Servers With Policy.
Welcome to Middleware Joseph Amrithraj

Welcome to Middleware Joseph Amrithraj
Computer networks Fundamentals of Information Technology Session 6.

Computer networks Fundamentals of Information Technology Session 6.
TF-NGN AAA research Cees de Laat 1 of 10 Utrecht University.

TF-NGN AAA research Cees de Laat 1 of 10 Utrecht University.
IRTF - AAAARCH - RG Authentication Authorisation Accounting ARCHitecture RG chairs: J. Vollbrecht and C. de Laat www.aaaarch.org RFC 2903, 2904, 2905,

IRTF - AAAARCH - RG Authentication Authorisation Accounting ARCHitecture RG chairs: J. Vollbrecht and C. de Laat RFC 2903, 2904, 2905,
IRTF - AAAARCH - RG Authentication Authorisation Accounting ARCHitecture RG chairs: C. de Laat and J. Vollbrecht www.aaaarch.org RFC 2903, 2904, 2905,

IRTF - AAAARCH - RG Authentication Authorisation Accounting ARCHitecture RG chairs: C. de Laat and J. Vollbrecht RFC 2903, 2904, 2905,
IRTF - AAAARCH - RG Authentication Authorisation Accounting ARCHitecture RG chairs: J. Vollbrecht and C. de Laat www.aaaarch.org RFC 2903, 2904, 2905,

IRTF - AAAARCH - RG Authentication Authorisation Accounting ARCHitecture RG chairs: J. Vollbrecht and C. de Laat RFC 2903, 2904, 2905,
Module 5: Configuring Access for Remote Clients and Networks.

Module 5: Configuring Access for Remote Clients and Networks.
Authorization of a QoS path based on Generic AAA SC2002 Baltimore NOV 16-22 Bas van Oudenaarde Advanced Internet Research Group University of Amsterdam.

Authorization of a QoS path based on Generic AAA SC2002 Baltimore NOV Bas van Oudenaarde Advanced Internet Research Group University of Amsterdam.
Generic AAA Architecture draft-delaat-aaa-generic-00 C. de Laat Utrecht University G. Gross Lucent Technologies L. Gommans Cabletron Systems EMEA J. Vollbrecht.

Generic AAA Architecture draft-delaat-aaa-generic-00 C. de Laat Utrecht University G. Gross Lucent Technologies L. Gommans Cabletron Systems EMEA J. Vollbrecht.
SIP roaming solution amongst different WLAN-based service providers Julián F. Gutiérrez 1, Alessandro Ordine 1, Luca Veltri 2 1 DIE, University of Rome.

SIP roaming solution amongst different WLAN-based service providers Julián F. Gutiérrez 1, Alessandro Ordine 1, Luca Veltri 2 1 DIE, University of Rome.
An Architectural Framework for Providing WLAN Roaming D.Vassis G.Kormentzas Dept. of Information and Communication Systems Engineering University of the.

An Architectural Framework for Providing WLAN Roaming D.Vassis G.Kormentzas Dept. of Information and Communication Systems Engineering University of the.
History Since created in 1995, RADIUS has been used to provide authentication, authorization and generate accounting information for dial-in users. However,

History Since created in 1995, RADIUS has been used to provide authentication, authorization and generate accounting information for dial-in users. However,
Web Servers How do our requests for resources on the Internet get handled? Can they be located anywhere? Global?

Web Servers How do our requests for resources on the Internet get handled? Can they be located anywhere? Global?
Policy-based Accounting Draft Sebastian Zander, Tanja Zseby GMD FOKUS - German National Research Institute for Information Technology Competence Center.

Policy-based Accounting Draft Sebastian Zander, Tanja Zseby GMD FOKUS - German National Research Institute for Information Technology Competence Center.
AAA-ARCH IRTF-RG Authentication Authorisation and Accounting ARCHitecture Research Group chairs: C. de Laat J. Vollbrecht Content of this talk has contributions.

AAA-ARCH IRTF-RG Authentication Authorisation and Accounting ARCHitecture Research Group chairs: C. de Laat J. Vollbrecht Content of this talk has contributions.

Similar presentations

Ads by Google