1
RSVP Policy Control using XACML
Pontifícia Universidade Católica do Paraná (PUC-PR), Brazil
Presented by: Emir Toktar, toktar@ppgia.pucpr.br
Emir Toktar, Edgard Jamhour, Carlos Maziero
2
Emir Toktar - Policy 2004
Summary
Motivation
Proposal
RSVP Policy Control
XACML Framework
XACML Extensions
Example
Conclusions
Future Works
3
Motivation
Many IETF publications on QoS management are based on PCIM extensions.
  PCIM is an information model
  PCIM deployment can be complex
XACML offers an alternative for defining policies in XML.
  A model suited for business level policies
  Easy to understand and deploy
IETF: Internet Engineering Task Force
OASIS: Organization for the Advancement of Structured Information Standards
PCIM: Policy Core Information Model
XACML: eXtensible Access Control Markup Language
4
Motivation
RSVP Policy Control is an “Access Control” problem suited to be addressed by XACML.
However: for properly addressing the RSVP issue, additional RSVP information (e.g. the Tspec) must be returned together with the access control decision.
  This requires XACML extensions
Policy Control is not Admission Control
5
Proposal
Define XACML extensions for addressing the RSVP Policy Control issue.
Compare the XACML-based framework with the IETF PCIM-based framework with respect to policy definition and framework implementation.
6
RSVP Policy Control [RFC 2753]
Manage the use of network resources and services based on policies derived from criteria such as: the identity of users and applications, traffic/bandwidth requirements, security considerations and time-of-day/week.
Business Level Policies, i.e. they can be addressed by XACML
7
RSVP Admission Control
Only takes into account the requester’s resource reservation request and the available capacity.
The available capacity is stateful information held in the routers, and it is not addressed in our proposal.
8
XACML Policy Language Model (figure)
9
XACML Example
(figure: policy tree whose element values are ana@xacml.org, VideoServer, login, Permit, >08h00 and <17h00, UsersRegs, Deny-Overrides, Multimedia)
“the user ana@xacml.org can login on a Video Server in the period between 08:00AM and 05:00PM”
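The slide's policy, worked through as an added example that is not part of the presentation and not the authors' code: a Rule with a Target (subject ana@xacml.org, resource VideoServer, action login), an Effect of Permit and a time-of-day Condition, combined by a rule-combining algorithm. The Python model below is illustrative (the class and rule names are assumptions); the half-open window 08:00 to 17:00 is one reading of ">08h00 and <17h00". It also shows the point a policy author most often gets wrong: a rule whose Condition is false is NotApplicable, not Deny, and a catch-all Deny rule behaves very differently under first-applicable than under deny-overrides.

```python
"""Constructed model of XACML rule/policy evaluation (not the slides' code)."""
from dataclasses import dataclass, field
from datetime import time
from typing import Callable, Optional

PERMIT, DENY, NOT_APPLICABLE = "Permit", "Deny", "NotApplicable"


@dataclass
class Request:
    subject: str
    resource: str
    action: str
    current_time: time          # environment attribute (current-time)


@dataclass
class Rule:
    rule_id: str
    effect: str
    target: dict = field(default_factory=dict)   # attribute -> required value; empty = any
    condition: Optional[Callable[[Request], bool]] = None

    def evaluate(self, req: Request) -> str:
        # A Target mismatch or a false Condition makes the rule NotApplicable,
        # which is *not* the same decision as Deny.
        if any(getattr(req, attr) != value for attr, value in self.target.items()):
            return NOT_APPLICABLE
        if self.condition is not None and not self.condition(req):
            return NOT_APPLICABLE
        return self.effect


def deny_overrides(decisions):
    """Any Deny wins; otherwise any Permit; otherwise NotApplicable."""
    if DENY in decisions:
        return DENY
    return PERMIT if PERMIT in decisions else NOT_APPLICABLE


def first_applicable(decisions):
    """The first rule that is not NotApplicable decides."""
    return next((d for d in decisions if d != NOT_APPLICABLE), NOT_APPLICABLE)


@dataclass
class Policy:
    policy_id: str
    combining: Callable
    rules: list

    def evaluate(self, req: Request) -> str:
        return self.combining([rule.evaluate(req) for rule in self.rules])


def office_hours(req: Request) -> bool:
    # Assumed reading of ">08h00 and <17h00" from the slide.
    return time(8, 0) <= req.current_time < time(17, 0)


ANA_LOGIN = Rule("ana-login-videoserver", PERMIT,
                 {"subject": "ana@xacml.org", "resource": "VideoServer", "action": "login"},
                 office_hours)
DENY_ALL = Rule("deny-everything-else", DENY)      # catch-all rule, no Target, no Condition

USERS_REGS = Policy("UsersRegs", deny_overrides, [ANA_LOGIN])
# The same two rules under two combining algorithms: with first-applicable the catch-all
# only fires when the permit rule does not apply; with deny-overrides it always wins.
USERS_REGS_FA = Policy("UsersRegs-first-applicable", first_applicable, [ANA_LOGIN, DENY_ALL])
USERS_REGS_DO = Policy("UsersRegs-deny-overrides", deny_overrides, [ANA_LOGIN, DENY_ALL])


def ana_request(hour: int, subject: str = "ana@xacml.org") -> Request:
    """Helper building the slide's request at a given hour of the day."""
    return Request(subject, "VideoServer", "login", time(hour, 0))


def pep_allows(policy: Policy, req: Request) -> bool:
    """PEP rule: only an explicit Permit grants access; NotApplicable is refused."""
    return policy.evaluate(req) == PERMIT


if __name__ == "__main__":
    for hour in (10, 18):
        print(hour, USERS_REGS.evaluate(ana_request(hour)), pep_allows(USERS_REGS, ana_request(hour)))
```

The PEP-side check matters in practice: a PDP answering NotApplicable at 18:00 has not said "Deny", and an enforcement point that treats anything other than Permit as a refusal closes that gap.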
10
XACML Framework adapted to RSVP
The PEP element is a component of the Server Application
The PEP is responsible for all integration with the RSVP daemon
The Application is relieved of any task of QoS negotiation
This approach can be implemented in any system that supports RSVP APIs.
XACML doesn’t define any Policy Transaction Protocol between PDP and PEP.
11
XACML Problems
Resource and User Information is supposed to be defined in the policy document.
The reuse of resource and user information requires creating references to external information.
The issue of addressing external information was not well-developed in XACML 1.1.
12
Proposal
Use the XPointer language to create policies with reusable User and Resource Information.
13
Proposal
(figure) The strategy adopted for describing an RSVP policy
14
Proposal
QoS information is returned by the Obligations
A single service can offer different service levels
An XML schema for RSVP parameters for building the PATH msg:
  Tspec {r,b,p,m,M}
  type of service (GS / CL)
  reservation style
  described in RFC 2210 and RFC 2215
15
Example
a) Registered students have permission to access any server in the campus offering a “TutorialVideoStreaming” service without time restrictions. If a student connects to a server using a client host from inside the campus, he will receive a “GOLD” or “SILVER” service level. Otherwise, he will receive a “BRONZE” service level.
16
Example
b) Unregistered students can have access to the “TutorialVideoStreaming” service only from the internal network and not in business time. They can receive only the “BRONZE” service level.
17
Scenario example… XACML Request context
(figure) Request context values: etoktar, 192.168.0.1, TutorialVideo, 192.168.200.10, getResourceQoS (Receiver / Sender)
18
Example of Service Document
(figure: collapsed XML tree) tutorial videos in the university campus
19
Example of User Document
(figure: XML tree)
  Emir Toktar, Toktar, etoktar, toktar@ppgia.pucpr.br, RegisteredStudent
  Luiz Cesar, Cezar, lcezar, luiz.c@ppgia.pucpr.br, RegisteredStudent
  Guest, guest, UnregisteredStudent
20
Example of Policy Document
(figure: XML tree)
<Policy PolicyId="...:policy:TutorialRegStudentsInternal" RuleCombiningAlgId="...:rule-combining-algorithm:first-applicable">
<Policy PolicyId="...:policy:TutorialRegStudentsExternal" RuleCombiningAlgId="...:rule-combining-algorithm:first-applicable">
<Policy PolicyId="...:policy:TutorialRegStudentsGuest" RuleCombiningAlgId="...:rule-combining-algorithm:first-applicable">
<Policy PolicyId="...:policy:TutorialDenyForOthers" RuleCombiningAlgId="...:rule-combining-algorithm:first-applicable">
21
Example of Policy – PolicySet Target
(figure: XML tree) TutorialVideo
http://pdp/resources.xml#xpointer(//service[@serviceId="TutorialVideoStreaming"]/sap/inetaddress/text())
Request context
22
Example of Policy # 1
(figure: XML tree)
http://pdp/subjects.xml#xpointer(//subjects/user[businessCategory='RegisteredStudent']/uid/text())
getResourceQoS
Request context
23
Example of Policy Document # 1
(figure: XML tree) 192.168.0.*
http://pdp/resources.xml#xpointer(//service/serviceLevel[@serviceId='Gold']/ResourceRsvp/*)
http://pdp/resources.xml#xpointer(//service/serviceLevel[@serviceId='Silver']/ResourceRsvp/*)
Request context
24
Example of Policy Document # 4 (figure)
25
Example of Response
Permit
(figure: XML tree)
  G711 9250.0 680.0 13875.0 13875 Guaranteed FF
  H261QCIF 12000.0 6000.0 12000.0 80 2500 Controlled-load SE
26
Framework Implementation
Sun Package for XACML at (URL): http://sourceforge.net/projects/sunxacml/
SUN ONE Studio 4 update 1
Java™ 2 SDK, Standard Edition 1.4.2
XACML XPath functions are optional; they are not implemented
27
Framework Modifications for supporting the Proposal
Used JAXEN to support XPath statements
  Stand-alone XPath implementation
  Works with DOM, JDOM and ElectricXML
RSVP XML schema definition
  RSVP parameters (Tspec) to support definitions of Resources
  XMLSpy® v.5.0, release 4
Function xpath-node-match developed
  Syntax type of expressions: “full XPointers” uri-reference#scheme(expression) scheme(expression)…
  scheme name: xpointer(xptr-expr)
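The external-reference mechanism of slides 12-14, the policy documents of slides 20-24, the response of slide 25 and the xpath-node-match function of this slide, as one added example that is not part of the presentation and not the authors' Java code. It resolves "full XPointer" references of the form uri-reference#xpointer(expr) against constructed stand-ins for subjects.xml and resources.xml, matches request attributes against the selected node set, evaluates the four policies first-applicable, and returns the RSVP parameters of the granted service levels as obligations. The document layouts, the 192.168.0.0/24 reading of "192.168.0.*", the 08:00 to 17:00 business window, the Silver/Bronze Tspec values and the semantics assumed for xpath-node-match are assumptions of this example; the Gold values follow the numbers shown on slides 25 and 31.

```python
"""Constructed XACML-like PDP with XPointer references and RSVP obligations (not the slides' code)."""
import re
import xml.etree.ElementTree as ET
from datetime import time
from ipaddress import ip_address, ip_network

# Constructed stand-ins for subjects.xml and resources.xml (layout assumed).
SUBJECTS_XML = """<subjects>
  <user><uid>etoktar</uid><businessCategory>RegisteredStudent</businessCategory></user>
  <user><uid>lcezar</uid><businessCategory>RegisteredStudent</businessCategory></user>
  <user><uid>guest</uid><businessCategory>UnregisteredStudent</businessCategory></user>
</subjects>"""

RESOURCES_XML = """<resources>
  <service serviceId="TutorialVideoStreaming">
    <sap><inetaddress>192.168.200.10</inetaddress><inetaddress>192.168.200.25</inetaddress></sap>
    <serviceLevel serviceId="Gold"><ResourceRsvp><r>9250</r><b>680</b><p>13875</p><m>340</m><M>13875</M>
      <serviceType>Guaranteed</serviceType><style>FF</style></ResourceRsvp></serviceLevel>
    <serviceLevel serviceId="Silver"><ResourceRsvp><r>12000</r><b>6000</b><p>12000</p><m>80</m><M>2500</M>
      <serviceType>Controlled-load</serviceType><style>SE</style></ResourceRsvp></serviceLevel>
    <serviceLevel serviceId="Bronze"><ResourceRsvp><r>4000</r><b>2000</b><p>4000</p><m>80</m><M>1500</M>
      <serviceType>Controlled-load</serviceType><style>SE</style></ResourceRsvp></serviceLevel>
  </service>
</resources>"""


def load(xml_text):
    # Wrap the root in a synthetic document node so that "//subjects/..." expressions,
    # which address the root element, work with ElementTree's relative findall().
    doc = ET.Element("document")
    doc.append(ET.fromstring(xml_text))
    return doc


DOCUMENTS = {"http://pdp/subjects.xml": load(SUBJECTS_XML),
             "http://pdp/resources.xml": load(RESOURCES_XML)}   # in a real PDP: fetched and cached

XPOINTER_RE = re.compile(r"^(?P<uri>[^#]+)#xpointer\((?P<expr>.+)\)$", re.S)


def resolve_xpointer(ref):
    """Evaluate uri#xpointer(expr); returns strings if expr ends in /text(), else elements.
    Only the XPath subset that ElementTree understands is supported."""
    m = XPOINTER_RE.match(ref)
    if m is None:
        raise ValueError(f"not a full XPointer: {ref}")
    doc, expr = DOCUMENTS[m.group("uri")], m.group("expr")
    want_text = expr.endswith("/text()")
    if want_text:
        expr = expr[: -len("/text()")]
    if expr.startswith("//"):
        expr = "." + expr                      # ElementTree paths are relative to the node
    nodes = doc.findall(expr)
    return [n.text for n in nodes] if want_text else nodes


def xpath_node_match(value, ref):
    """Assumed semantics of xpath-node-match: the attribute value is in the selected node set."""
    return value in resolve_xpointer(ref)


SERVICE = "http://pdp/resources.xml#xpointer(//service[@serviceId='TutorialVideoStreaming']/sap/inetaddress/text())"
REGISTERED = "http://pdp/subjects.xml#xpointer(//subjects/user[businessCategory='RegisteredStudent']/uid/text())"
UNREGISTERED = "http://pdp/subjects.xml#xpointer(//subjects/user[businessCategory='UnregisteredStudent']/uid/text())"
CAMPUS = ip_network("192.168.0.0/24")          # assumed reading of "192.168.0.*"


def tspec_obligation(level):
    """Obligation carrying one service level's RSVP parameters (Tspec r,b,p,m,M, type, style)."""
    ref = f"http://pdp/resources.xml#xpointer(//service/serviceLevel[@serviceId='{level}']/ResourceRsvp/*)"
    return {"serviceLevel": level, **{n.tag: n.text for n in resolve_xpointer(ref)}}


def business_time(t):
    return time(8, 0) <= t < time(17, 0)        # assumed business hours


def make_request(subject, host, resource, hour, action="getResourceQoS"):
    return {"subject": subject, "subject_host": host, "resource": resource,
            "action": action, "time": time(hour, 0)}


def decide(req):
    """First-applicable evaluation of the four policies (Internal, External, Guest, DenyForOthers)."""
    if req["action"] != "getResourceQoS" or not xpath_node_match(req["resource"], SERVICE):
        return "NotApplicable", []              # PolicySet Target does not match
    internal = ip_address(req["subject_host"]) in CAMPUS
    if xpath_node_match(req["subject"], REGISTERED):        # policies 1 and 2
        levels = ["Gold", "Silver"] if internal else ["Bronze"]
        return "Permit", [tspec_obligation(lvl) for lvl in levels]
    if xpath_node_match(req["subject"], UNREGISTERED):      # policy 3
        if internal and not business_time(req["time"]):
            return "Permit", [tspec_obligation("Bronze")]
        return "Deny", []
    return "Deny", []                                       # policy 4: deny for others


if __name__ == "__main__":
    print(decide(make_request("etoktar", "192.168.0.1", "192.168.200.10", 10)))
```

Two design points carry over to a real deployment: the referenced documents are trusted policy input, so the PDP should fetch them from a controlled location and cache them rather than follow arbitrary URIs found in a request, and a failed reference (unknown URI, no matching nodes) should leave the subject unmatched so that the final deny policy applies.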
28
Conclusions
XACML is suited for business level policies
The available framework is easy to use and extend
PCIM has not addressed the business level issue; it is focused on device configuration.
XACML requires additional specification for creating policies that refer to external documents
The obligation structure must be extended to support a more flexible strategy for returning parameters.
XACML is an open standard that enables the development of new tools for controlling and managing policies.
29
Thank you! Questions? Address them to toktar@ppgia.pucpr.br
30
Example of Service Document - SAP
(figure: XML tree) tutorial videos in the university campus
  192.168.200.10 192.168.200.25 192.168.5.3 TCP 8976
31
Example of Service Document - RSVP
(figure: XML tree) tutorial videos in the university campus
  9250 680 13875 340 Guaranteed FF