270 likes | 286 Views
Multi-domain provisioning of Lower Layer Network Transports based on Generic AAA TERENA TF-AACE Workshop 21/11/03 Leon Gommans University of Amsterdam. Overview. Low Layer Network Transport (LLNT) Rationale to provide LLNT’s
E N D
Multi-domain provisioning of Lower Layer Network Transports based on Generic AAA TERENA TF-AACE Workshop 21/11/03 Leon Gommans University of Amsterdam
Overview • Low Layer Network Transport (LLNT) • Rationale to provide LLNT’s • Generic Authentication Authorization Accounting (AAA) overview and usage in LLNT’s • Current experiments: DataTAG - SC2003 • Future Research projects: GRANDE / Nextgrid. 21 Nov 2003 TERENA TF-AACE Leon Gommans
Lower Layer Network Transport (LLNT) • Connection oriented network paradigm using some form of switch technology that transports: • Ethernet frames (MPLS VPN, 802.1 Q VLAN,..) • Sonet/SDH frames (ADM) • Light (OXC) Goes by specific names such as: L2 VPN lightpath lambda 21 Nov 2003 TERENA TF-AACE Leon Gommans
Rationale to provide LLNT’s as NRN. • Next to general Internet usage, user will start to ask for high bandwidth connections at low cost. • High demand is now found in scientific Grid applications (HEP, Radio Astronomy, Bio Science, etc.) • Demand is typically between specific locations. • Forwarding large volumes of highly directional traffic is expensive when using routers. • A patch panel cheap in terms of cost per Gbp/s. • NRN’s need flexible and automated ways to provision cheap bandwidth based on application demand by authorizing access to transport infrastructure. 21 Nov 2003 TERENA TF-AACE Leon Gommans
Ergo: Automate operator function 21 Nov 2003 TERENA TF-AACE Leon Gommans
NRN perspective • NRN’s have a number of different ways of transporting traffic using connection-oriented and connection-less forwarding paradigms (Routers, L2 switches, Sonet/SDH links, optical links) • Low per stream volume - many destinations - always on service: routing on top of LLNT infra. • Medium to high volume - fewer destinations - defined contract periods: (G)MPLS with LLNT infra, use of AAA possible. • High volume - specific/static destinations - reserved time slots: Application driven provisioning of “cheap” LLNT’s based on authorizations. Need AAA. • Use various network technologies which need flexible automatic control/provisioning solutions. 21 Nov 2003 TERENA TF-AACE Leon Gommans
Generic AAA. • Concepts were researched within the IRTF AAA Architecture Research Group which resulted in RFC’s 2903 (Generic AAA Architecture) and RFC 2904 (Authorization Sequence Framework). • Advanced Internet Research (AIR) group at UvA helped to form this IRTF research group. • Empirical research into Generic AAA concepts is also done within AIR group. • Research funded as part of participation in EU IST DataTAG project and by SURFnet • External collaboration with EVL at UIC, Starlight/NWU, Alcatel and FZJ Julich. • Work is active input into standards bodies such as GGF and OASIS. 21 Nov 2003 TERENA TF-AACE Leon Gommans
RFC 2904 Authorization sequences that allow users to access a service based on a policy decision taken by a AAA component. AAA AAA AAA 1 1 User User 2 User 4 2 2 3 1 3 3 Service Service Service 4 4 Pull sequence NAS (remote access) RSVP (network QoS) Agent sequence Agents, Brokers, Proxy’s. Push sequence. Tokens, Tickets, AC’s etc. 21 Nov 2003 TERENA TF-AACE Leon Gommans
AuthZ sequence combinations: Roaming using agent & pull sequence AAA User Home Organization 2 3 AAA 1 User Service Providers 6 4 5 Service 21 Nov 2003 TERENA TF-AACE Leon Gommans
Example AuthZ sequence in LLNT’s with Intelligent switches AAA User Home Organization Applic. AAA AAA AAA Resource Netw. I/F Switch Netw. I/F Switch Switch User Domain A Domain B Domain C Resource 21 Nov 2003 TERENA TF-AACE Leon Gommans
Example AuthZ sequences in LLNT’s with dumb switches AAA User Home Domain Applic. AAA AAA AAA Resource Netw. I/F Switch Netw. I/F Switch Switch User Network Domain A Network Domain B Network Domain C Resource 21 Nov 2003 TERENA TF-AACE Leon Gommans
Example AuthZ sequences in LLNT’s with broker Broker AAA Applic. AAA AAA AAA Resource Netw. I/F Switch Netw. I/F Switch Switch User Network Domain A Network Domain B Network Domain C Resource
Base of Generic AAA Architecture - RAP Policy Decision Point Fundamental idea’s inspired by work of the IETF RAP WG that in RFC 2753 describes a framework for Policy-based Admission Control. Foundation for COPS The point where policy decisions are made. Policy Repository Request Decision Policy Enforcement Point The point where the policy decisions are actually enforced. Basic Goal Generic AAA: Allow policy decisions to be made by multiple PDP’s belonging to different administrative domains.
Generic AAA Architecture - RFC2903 PDP Rule Based Engine A Driving Policy Orchestrates the Usage of ASM’s Archieve goal by by separating the logical decision process from the application specific parts within the PDP. Policy Repository Application Specific Module Generic AAA Engine Request Decision Policy Enforcement Point 9 Oct 2003 Update meeting EVL Leon Gommans
Generic AAA Architecture PDP PDP Rule Based Engine Policy Repository Rule Based Engine Application Specific Module Policy Repository Application Specific Module User Rights AAA Request Decision Policy Enforcement Point Service Service Request 21 Nov 2003 TERENA TF-AACE Leon Gommans
Example XML request message • <AAARequest version="0.1" type="BoD"><Authorization><credential><credential_type>simple</credential_type><credential_ID>JanJansen</credential_ID><credential_secret>#f034d</credential_secret></credential></Authorization><BodData><Source>192.168.1.5</Source><Destination>192.168.1.6</Destination><Bandwidth>1000</Bandwidth><StartTime>now</StartTime><Duration>20</Duration></BodData></AAARequest> WHY WHAT 21 Nov 2003 TERENA TF-AACE Leon Gommans
Example part of a Driving Policy if ( ( ASM::RM.CheckConnection( Request::BodData.Source, Request::BodData.Destination ) && ( Request::BodData.Bandwidth <= 1000 ) ) ) then ( ASM::RM.RequestConnection( Request::BodData.Source, Request::BodData.Destination, Request::BodData.Bandwidth, Request::BodData.StartTime, Request::BodData.Duration ) ; Reply::Answer.Message = "Request successful" ) else ( Reply::Error.Message = "Request failed" 21 Nov 2003 TERENA TF-AACE Leon Gommans
Single - domain 802.1Q VLAN setup Demo iGrid 2002 Policy Database RBE AAA Request Message (XML/SOAP) ASM ASM SNMP Dot 1Q Bridge MIB SNMP Dot 1Q Bridge MIB 802.1Q VLAN Switch PC PC 802.1Q VLAN Switch PC PC 21 Nov 2003 TERENA TF-AACE Leon Gommans
Single - Domain Calient OXC setup RBE AAA Request Message (XML/SOAP) Policy Database ASM TL-1 Calient DaimondWave Photonic Switch PC PC PC PC 21 Nov 2003 TERENA TF-AACE Leon Gommans
Multi - domain setup Policy Database RBE AAA Request Message (XML/SOAP) ASM ASM ASM RBE Policy Database ASM SNMP Dot 1Q Bridge MIB SNMP Dot 1Q Bridge MIB TL-1 802.1Q VLAN Switch Calient DaimondWave Photonic Switch PC PC 802.1Q VLAN Switch PC PC 21 Nov 2003 TERENA TF-AACE Leon Gommans
Multi - domain setup using Alcatel 1355 BonD Policy Database RBE AAA Request Message (XML/SOAP) ASM ASM ASM 1355 BOND + 1354 SNMP Dot 1Q Bridge MIB SNMP Dot 1Q Bridge MIB 1353 EM 802.1Q VLAN Switch PC PC Alcatel 1670 ADM Alcatel 1670 ADM 802.1Q VLAN Switch PC PC 21 Nov 2003 TERENA TF-AACE Leon Gommans
Collaborative Multi-domain experiment at SC2003 PIN DOES ROUTE DETERMINATION BASED ON SOURCE ROUTING PIN PIN PHOTONIC INTERDOMAIN NEGOTIATOR AuthZ ASM RBE PDC Resource Mgr ASM ASM Policy Database PHOTONIC DOMAIN CONTROLLER PHOTONIC POLICY BASED ACCESS CONTROLLER PIN AND PDC ARE DEVELOPMENTS FROM EVL Calient PXC Calient PXC PC PC PC PC 21 Nov 2003 TERENA TF-AACE Leon Gommans
AAA based Multi-domain experiment at SC2003 OGSI WS I/F AuthZ ASM RBE ASM Resource Mgr ASM ASM Policy Database RBE RBE Policy Database Policy Database ASM ASM OGSI Client I/F PC Calient Calient PC PC PC 21 Nov 2003 TERENA TF-AACE Leon Gommans
Generic AAA server toolkit of UvA Main features • RBE and ASM run within a J2EE EJB container • Send RBE XML based request messages. • Send RBE requests or control devices via Java Connector Architecture (JCA) as part of an ASM via CLI, TL-1, SNMP, Radius, SOAP/XML etc. • J2EE environment gives Web Services features. • Integrated Grid OGSA based interface into RBE • Toolkit will give user RBE, ASM skeletons and a policy language editor / compiler. • Uses MySQL to store compiled policies using a very simple nested if - then - else grammar. • Supports all 3 authorization sequence types. • Library of ASM’s that includes support for GARA, VOMS, Enterasys, Calient, Alcatel NMS. 21 Nov 2003 TERENA TF-AACE Leon Gommans
Future Research. • Research ways to integrate networks into the Grid by using the principles of Generic AAA to authorize on demand usage. • Research ways to use the principles of Generic AAA in future generation grids. • Identify requirements and develop Generic AAA toolkit functions that can be used in both intra- and inter-domain service management scenario’s. • Propose standards and standard ways of operation. 21 Nov 2003 TERENA TF-AACE Leon Gommans
Conclusions • “Cheap” network components can be used to create on demand high-bandwidth network transports between selected locations. • By turning networks transports into objects using ASM’s they become software controllable entities that can be orchestrated using driving policies that run within an RBE. • The AAA toolkit can be used to create flexible provisioning scenario’s with many types and abstractions of network equipment.
Thank you ! Research funded by EU IST DataTAG project and SURFnet Leon Gommans lgommans@science.uva.nl