AAAARCH Research Group

This document provides a grammar for creating policies in a generic AAA environment. It covers object references, AAA message types, policy evaluation (local and remote policy references versus function calls), and driving policies, and uses short JavaScript and Perl snippets to illustrate the consequences of having no type checking. The document also discusses authentication, policy references, function calls, and exception handling.

  1. AAAARCH Research Group
     A grammar for Policies in a generic AAA Environment
     <draft-ietf-aaaarch-generic-policy-01.txt>
     A. Taal, G. Sliepen, A.E. Hemel, C.T.A.M. de Laat

  2. Changes
     • References: AVPs --> Objects
     • AAA Message Types
     • No type checking

  3. Object references
     Object tree: Request
       • Identity
         • PassW

     if ( Query = getPassword( userid = Request.Identity.UserID )
          && Request.Identity.PassW == Query.PassW )
     then( … )
     else( … )

  4. Object trees: Request, Service, Reply
     Reply
       • Answer
       • ServiceData

     // Action list
     A1 = getSwitchSettings( ) ;
     A2 = getConnectionList( ) ;
     A1.Connections = A2.Connections ;
     Reply.ServiceData.Settings = A1

  5. Object trees
     [Figure: tree diagrams with nodes A, B, C, D, E, K, L, M, P, Q, R, S showing how an assignment replaces a subtree]
     leaf: int | float | string
     A.B = P
     A.B = K.L.M

  6. AAA Message Types: Authentication
     Request
       • Identity
       • AuthenticationData
     Reply
       • Answer
     ! One-to-one mapping: Requests <---> Driving Policies

     PolicyRef (remote AAA server):
     Reply = Authentication@146.50.0.23( Identity = Request.Identity,
                                         AuthenticationData = Request.AuthenticationData )

  7. AAA Message Types: Policy Evaluation
     Request
       • PolicyReference
       • ……..
     Reply
       • Answer
       • ServiceData

     A1 = PolicyEvaluation@146.50.0.23( PolicyReference = "policy_23" )
     A2 = PolicyEvaluation@146.50.0.23( PolicyReference = "policy_117" )
     ! A1.ServiceData   A2.ServiceData

  8. Local policy reference: PolicyRef versus FunctionCall
     PolicyRef:
       policy_71@127.0.0.1( data1 = "Yes", data2 = 12 )
       policy_71@localhost( data1 = "Yes", data2 = 12 )
     FunctionCall:
       evaluate( ref = "policy_71", data1 = "Yes", data2 = 12 )

  9. No type checking
     ComputedBoolean:
       ( INT Request.Data.Bandwidth / INT Data.Fraction < 20 )

     JavaScript:
       var a, b, c;
       a = 3;
       b = "yeah";
       c = a / b;
       alert( "c=" + c );
       ==> c=NaN

     Perl:
       $a; $b; $c;
       $a = 3;
       $b = "yeah";
       $c = $a / $b;
       ==> Illegal division …

  10. Example Driving Policy
     KERBEROS Authentication:
     if (
        if( exists Request.AuthenticationData.Protocol.Name )
        then( )
        else( Reply.Answer.Type = MISSING_DATA ;
              Reply.Answer.Message = "Missing Protocol.Name" )
        &&
        if( Request.AuthenticationData.Protocol.Name == "Kerberos" )
        then( )
        else( Reply = Authentication@146.50.0.23( Identity = Request.Identity,
                                                  AuthenticationData = Request.AuthenticationData ) )
     )
     then ( // Next slide )

  11. Example Driving Policy
     then ( // Action
        if ( exists Request.Identity.UserName && … )
        then ( KRBReply = authenticate( username = Request.Identity.UserName,
                                        servername = … ) ;
               HE/SHE IS KNOWN!!!!
               Reply.Answer.AuthenticationData.SessionKey = KRBReply.SessionKey ;
               … )
        else ( Reply.Answer.Type = MISSING_DATA ;
               Reply.Answer.Message = "AuthenticationData incomplete" ) ;
        ...
     )
     else ( ... )
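As an added example that is not part of the draft or these slides, the two-slide Kerberos driving policy above is modelled as a small Python evaluator over nested-dict object trees. The remote Authentication@146.50.0.23 PolicyRef and the local authenticate() function are passed in as assumed callables, and the server name the slide elides is read from an assumed AuthenticationData.ServerName field:

```python
# Added example (not from the draft or the slides): Python model of the AAA object
# trees and of the Kerberos driving policy on slides 10 and 11. Assumed: trees are
# nested dicts; remote PolicyRef and authenticate() are callables; ServerName field.
MISSING_DATA = "MISSING_DATA"

def lookup(tree, path):
    """Return the leaf at a dotted object path, or None if any node is absent."""
    node = tree
    for key in path.split("."):
        if not isinstance(node, dict) or key not in node:
            return None
        node = node[key]
    return node

def exists(tree, path):
    """The grammar's 'exists' test: the referenced object must be present."""
    return lookup(tree, path) is not None

def kerberos_driving_policy(request, remote_authentication, authenticate):
    """Evaluate the driving policy for one Authentication request; return the Reply tree."""
    reply = {"Answer": {}}
    # Slide 10, first condition: refuse to continue without Protocol.Name.
    if not exists(request, "AuthenticationData.Protocol.Name"):
        reply["Answer"] = {"Type": MISSING_DATA, "Message": "Missing Protocol.Name"}
        return reply
    # Slide 10, second condition: non-Kerberos requests go to the remote AAA server.
    if lookup(request, "AuthenticationData.Protocol.Name") != "Kerberos":
        return remote_authentication(Identity=request.get("Identity", {}),
                                     AuthenticationData=request["AuthenticationData"])
    # Slide 11, action: local Kerberos authentication needs a complete identity.
    if not (exists(request, "Identity.UserName")
            and exists(request, "AuthenticationData.ServerName")):  # assumed field
        reply["Answer"] = {"Type": MISSING_DATA, "Message": "AuthenticationData incomplete"}
        return reply
    krb_reply = authenticate(username=lookup(request, "Identity.UserName"),
                             servername=lookup(request, "AuthenticationData.ServerName"))
    reply["Answer"]["AuthenticationData"] = {"SessionKey": krb_reply["SessionKey"]}
    return reply

def remote_authentication_stub(Identity, AuthenticationData):
    # Constructed stand-in for Authentication@<remote AAA server>: reports the delegation.
    return {"Answer": {"Type": "DELEGATED", "Protocol": AuthenticationData["Protocol"]["Name"]}}

def authenticate_stub(username, servername):
    # Constructed stand-in for the KDC call; a real one would return a Kerberos session key.
    return {"SessionKey": "constructed-key-for-%s@%s" % (username, servername)}
```

The missing-data branches answer before anything is forwarded, which is the point of the existence checks on slide 10: a request that cannot even name its protocol never reaches the remote server.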

  12. To do
     • AAA message types
     • Definition of top level objects
     • generic AAA functions
       • return trees
     • generic ASMs
       • return trees
     • pushed / pulled policy treatment

  13. To do or to do not
     • Exception handling
     • Parallelism ( Actions, remote references )