RSVP Policy Control using XACML - PowerPoint PPT Presentation
Transcript and Presenter's Notes
1
RSVP Policy Control using XACML
  • Pontifícia Universidade Católica do Paraná
    (PUC-PR), Brazil
  • Presented by Emir Toktar
  • toktar@ppgia.pucpr.br

Authors: Emir Toktar, Edgard Jamhour, Carlos Maziero
2
Summary
  • Motivation
  • Proposal
  • RSVP Policy Control
  • XACML Framework
  • XACML Extensions
  • Example
  • Conclusions
  • Future Works

3
Motivation
  • Many IETF publications on QoS management are
    based on PCIM extensions.
  • PCIM is an information model.
  • PCIM deployment can be complex.
  • XACML offers an alternative for defining policies
    in XML.
  • A model suited to business-level policies.
  • Easy to understand and deploy.

Acronyms:
  IETF: Internet Engineering Task Force
  OASIS: Organization for the Advancement of Structured Information Standards
  PCIM: Policy Core Information Model
  XACML: eXtensible Access Control Markup Language
4
Motivation
  • RSVP Policy Control is an access control
    problem and is therefore suited to XACML.
  • However:
  • to address the RSVP case properly, additional
    RSVP information (e.g. the Tspec) must be returned
    together with the access control decision.
  • This requires XACML extensions.

Policy Control is not Admission Control
5
Proposal
  • Define XACML extensions for addressing the RSVP
    Policy Control issue.
  • Compare the XACML-based framework with IETF
    PCIM-based framework with respect to
  • policy definition and
  • framework implementation.

6
RSVP Policy Control (RFC 2753)
  • manages the use of network resources and services
    based on policies derived from criteria such as
  • the identity of users and applications,
  • traffic/bandwidth requirements,
  • security considerations and
  • time-of-day/week.
  • Business-level policies,
  • i.e. policies that can be addressed by XACML.

7
RSVP Admission Control
  • Only takes into account
  • the requester's resource reservation request and
  • the available capacity.
  • The available capacity is stateful information
    held in the routers; it is not addressed by our
    proposal.

8
XACML Policy Language Model
[Diagram: the XACML policy language model (PolicySet, Policy, Rule, Target, Condition, Obligations)]
9
XACML Example
[Diagram: PolicySet "Multimedia", rule-combining algorithm Deny-Overrides;
 Rule with subject ana@xacml.org, resource VideoServer, action login,
 effect Permit; condition from UsersRegs: time > 08h00 and < 17h00]
The rule reads: the user ana@xacml.org can login on a Video
Server in the period between 08:00 AM and 05:00 PM.
10
XACML Framework adapted to RSVP
  • The PEP element is a component of the server
    application.
  • The PEP is responsible for all integration with the
    RSVP daemon.
  • The application is relieved of any QoS
    negotiation task.
  • This approach can be implemented in any system
    that supports RSVP APIs.
  • XACML does not define any policy transaction
    protocol between PDP and PEP.

11
XACML Problems
  • Resource and user information is supposed to be
    defined in the policy document itself.
  • Reusing resource and user information therefore
    requires references to external information.
  • Referencing external information was not
    well developed in XACML 1.1.

12
Proposal
  • Use the XPointer language to create policies with
    reusable user and resource information.

13
Proposal
  • The strategy adopted for describing an RSVP policy

<?xml version="1.0" encoding="UTF-8" ?>
<PolicySet PolicySetId="RSVP_Aware_server_Application">
  <Target> <!-- Defines the Services (RESOURCES) to which the policy applies --> </Target>
  <Policy PolicyId="Service Level 1">                    <!-- Policy 1 - e.g. SERVICE GOLD -->
    <Rule>
      <Target> <!-- Subjects to which the policy applies --> </Target>
      <Condition> <!-- Time and client IP address restrictions --> </Condition>
    </Rule>
    <Obligations> <!-- Tspec specification for Service Level 1 --> </Obligations>
  </Policy>
  <Policy PolicyId="Service Level 2"> ... </Policy>      <!-- Policy 2 - e.g. SERVICE SILVER -->
  <Policy PolicyId="Service Level 3"> ... </Policy>      <!-- Policy 3 - e.g. SERVICE BRONZE -->
  <Policy PolicyId="Default Policy"> ... </Policy>       <!-- Policy 4 - usually Deny All -->
</PolicySet>
14
Proposal
  • QoS information is returned through the Obligations.
  • A single service can offer different service levels.
  • An XML schema for the RSVP parameters
  • used for building the PATH message:
  • Tspec (r, b, p, m, M),
  • type of service (GS / CL),
  • reservation style,
  • as described in RFC 2210 and RFC 2215.

15
Example
  • a) Registered students have permission to access
    any server in the campus offering a
    TutorialVideoStreaming service, without time
    restrictions.
  • If a student connects to a server from a client
    host inside the campus, they receive the GOLD or
    SILVER service level.
  • Otherwise, they receive the BRONZE service
    level.

16
Example
  • b) Unregistered students can access the
    TutorialVideoStreaming service only from the
    internal network and only outside business hours.
  • They can receive only the BRONZE service level.

17
Scenario example → XACML Request context
[Diagram: Sender 192.168.200.10 (server offering TutorialVideo) → Receiver 192.168.0.1 (client host); action getResourceQoS]

<Subject>
  <Attribute AttributeId="...:subject-id"> etoktar </Attribute>
  <Attribute AttributeId="...:ip-address:receiver"> 192.168.0.1 </Attribute>
</Subject>
<Resource>
  <Attribute AttributeId="...:resource-id"> TutorialVideo </Attribute>
  <Attribute AttributeId="...:ip-address:sender"> 192.168.200.10 </Attribute>
</Resource>
<Action>
  <Attribute AttributeId="...:action-id:ServerAction"> getResourceQoS </Attribute>
</Action>
18
Example of Service Document (see the SAP and RSVP views on slides 30 and 31)
19
Example of User Document
<?xml version="1.0" encoding="UTF-8"?>
<subjects>
  <user>
    <cn>Emir Toktar</cn>
    <sn>Toktar</sn>
    <uid>etoktar</uid>
    <mail>toktar@ppgia.pucpr.br</mail>
    <businessCategory>RegisteredStudent</businessCategory>
  </user>
  <user>
    <cn>Luiz Cesar</cn>
    <sn>Cezar</sn>
    <uid>lcezar</uid>
    <mail>luiz.c@ppgia.pucpr.br</mail>
    <businessCategory>RegisteredStudent</businessCategory>
  </user>
  <user> ... </user>
  <user>
    <cn>Guest</cn>
    <uid>guest</uid>
    <businessCategory>UnregisteredStudent</businessCategory>
  </user>
  <user> ... </user>
</subjects>
20
Example of Policy Document
<?xml version="1.0" encoding="UTF-8" ?>
<PolicySet PolicySetId="TutorialVideo" xmlns="..." xmlns:xsi="..." xsi:schemaLocation="..."
           PolicyCombiningAlgId="...:policy-combining-algorithm:first-applicable">
  <Target> ... </Target>
  <!-- Policy 1 -->
  <Policy PolicyId="...:policy:TutorialRegStudentsInternal"
          RuleCombiningAlgId="...:rule-combining-algorithm:first-applicable"> ... </Policy>
  <!-- Policy 02 -->
  <Policy PolicyId="...:policy:TutorialRegStudentsExternal"
          RuleCombiningAlgId="...:rule-combining-algorithm:first-applicable"> ... </Policy>
  <!-- Policy 03 -->
  <Policy PolicyId="...:policy:TutorialRegStudentsGuest"
          RuleCombiningAlgId="...:rule-combining-algorithm:first-applicable"> ... </Policy>
  <!-- Policy 04 - Deny for All -->
  <Policy PolicyId="...:policy:TutorialDenyForOthers"
          RuleCombiningAlgId="...:rule-combining-algorithm:first-applicable"> ... </Policy>
</PolicySet>
21
Example of Policy: PolicySet Target
<Target>
  <Subjects> ... </Subjects>
  <Resources>
    <Resource>
      <ResourceMatch MatchId="...:function:string-equal">
        <AttributeValue>TutorialVideo</AttributeValue>
        <ResourceAttributeDesignator AttributeId="...:resource-id"/>
      </ResourceMatch>
      <ResourceMatch MatchId="...:function:xpath-node-match">
        <AttributeValue>http://pdp/resources.xml#xpointer(//service[@serviceId="TutorialVideoStreaming"]/sap/inetaddress/text())</AttributeValue>
        <ResourceAttributeDesignator AttributeId="...:ip-address:sender"/>
      </ResourceMatch>
    </Resource>
  </Resources>
  <Actions> ... </Actions>
</Target>
22
Example of Policy 1
<Policy PolicyId="...:TutorialRegStudentsInternal" RuleCombiningAlgId="...">
  <Target> ... </Target>
  <Rule RuleId="...:Reg_Students_Internal_Get_Gold_Silver" Effect="Permit">
    <Target>  <!-- other elements suppressed -->
      <SubjectMatch MatchId="...:function:xpath-node-match">
        <AttributeValue>http://pdp/subjects.xml#xpointer(//subjects/user[businessCategory='RegisteredStudent']/uid/text())</AttributeValue>
        <SubjectAttributeDesignator AttributeId="...:subject-id"/>
      </SubjectMatch>
      <ActionMatch MatchId="...:function:string-equal">
        <AttributeValue>getResourceQoS</AttributeValue>
        <ActionAttributeDesignator AttributeId="...:action-id:ServerAction"/>
      </ActionMatch>
    </Target>
23
Example of Policy 1 (continued)
    <!-- continuation of the Rule -->
    <Condition FunctionId="...:function:or">
      <!-- IP intranet range -->
      <Apply FunctionId="...:function:any-of">
        <Function FunctionId="...:function:regexp-string-match"/>
        <AttributeValue>192.168.0.</AttributeValue>
        <SubjectAttributeDesignator AttributeId="...:ip-address:receiver"/>
      </Apply>
    </Condition>
  </Rule>
  <Obligations>
    <Obligation ObligationId="...:GoldSilverStudentsInternal" FulfillOn="Permit">
      <AttributeAssignment AttributeId="...:qosG711">http://pdp/resources.xml#xpointer(//service/serviceLevel[@serviceId='Gold']/ResourceRsvp/)</AttributeAssignment>
      <AttributeAssignment AttributeId="...:qosH261Q">http://pdp/resources.xml#xpointer(//service/serviceLevel[@serviceId='Silver']/ResourceRsvp/)</AttributeAssignment>
    </Obligation>
  </Obligations>
</Policy>
24
Example of Policy Document 4
<!-- Policy 04 - Deny for All -->
<Policy PolicyId="...:TutorialDenyForOthers" RuleCombiningAlgId="...">
  <Target>
    <Subjects> <AnySubject/> </Subjects>
    <Resources> <AnyResource/> </Resources>
    <Actions> <AnyAction/> </Actions>
  </Target>
  <Rule RuleId="...:Tutorial_Deny_Rule_For_Others" Effect="Deny"/>
</Policy>
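The following is an added example, not code from the presentation or from the sunxacml framework it extends. It hand-codes the four policies above (first-applicable order) in a toy PDP and shows the two extensions the proposal depends on: a stand-in for the xpath-node-match function that resolves full XPointer references into the external subjects.xml and resources.xml documents, and Obligations that hand the granted service level's RSVP parameters back to the PEP. The two documents are constructed, abridged copies of slides 19 and 31 (Silver values taken from the response on slide 25; Bronze carries only its class because the slides show no Tspec for it), the XPointer resolver only understands the XPath subset that Python's ElementTree supports plus a trailing /text(), the 192.168.0. receiver pattern is the Policy 1 condition, and the 08:00 to 17:00 definition of business time is an assumption.

```python
"""Toy PDP for the RSVP policy control example (added illustration).

Not the presentation's sunxacml-based code: the four policies of slides
15, 16 and 20 are hand-coded (first-applicable) to show (1) xpath-node-match
resolving full XPointer references into external subject/resource documents
and (2) Obligations that carry the RSVP parameters of the granted service
level back to the PEP.  The XPointer resolver (an assumption of this example)
understands only the XPath subset ElementTree supports plus a trailing /text().
"""
import re
import xml.etree.ElementTree as ET
from datetime import time

# Constructed, abridged copies of the external documents on slides 19 and 31.
# Silver values come from the response on slide 25; Bronze carries only its
# class because the slides show no Tspec for it.
SUBJECTS_XML = """<subjects>
  <user><uid>etoktar</uid><businessCategory>RegisteredStudent</businessCategory></user>
  <user><uid>lcezar</uid><businessCategory>RegisteredStudent</businessCategory></user>
  <user><uid>guest</uid><businessCategory>UnregisteredStudent</businessCategory></user>
</subjects>"""
RESOURCES_XML = """<service serviceId="TutorialVideoStreaming">
  <sap><inetaddress>192.168.200.10</inetaddress><inetaddress>192.168.200.25</inetaddress>
       <inetaddress>192.168.5.3</inetaddress><protocol>TCP</protocol><port>8976</port></sap>
  <serviceLevel serviceId="Gold"><ResourceRsvp AttributeId="qosG711" RsvpClass="G711">
    <TspecBucketRate_r>9250</TspecBucketRate_r><TspecBucketSize_b>680</TspecBucketSize_b>
    <TspecPeakRate_p>13875</TspecPeakRate_p><TspecMinPoliceUnit_m>340</TspecMinPoliceUnit_m>
    <TspecMaxPacketSize_M>340</TspecMaxPacketSize_M><RsvpService>Guaranteed</RsvpService>
    <RsvpStyle>FF</RsvpStyle></ResourceRsvp></serviceLevel>
  <serviceLevel serviceId="Silver"><ResourceRsvp AttributeId="qosH261Q" RsvpClass="H261QCIF">
    <TspecBucketRate_r>12000</TspecBucketRate_r><TspecBucketSize_b>6000</TspecBucketSize_b>
    <TspecPeakRate_p>12000</TspecPeakRate_p><TspecMinPoliceUnit_m>80</TspecMinPoliceUnit_m>
    <TspecMaxPacketSize_M>2500</TspecMaxPacketSize_M><RsvpService>Controlled-load</RsvpService>
    <RsvpStyle>SE</RsvpStyle></ResourceRsvp></serviceLevel>
  <serviceLevel serviceId="Bronze"><ResourceRsvp AttributeId="qosH263C" RsvpClass="H263CIF"/></serviceLevel>
</service>"""
# Each document is wrapped in a dummy root so that paths such as '//subjects/...',
# which start at the document element, can be evaluated as './/subjects/...'.
DOCS = {"http://pdp/subjects.xml": ET.fromstring("<doc>" + SUBJECTS_XML + "</doc>"),
        "http://pdp/resources.xml": ET.fromstring("<doc>" + RESOURCES_XML + "</doc>")}
XPOINTER = re.compile(r"(?P<uri>[^#]+)#xpointer\((?P<expr>.+)\)")   # uri-reference#scheme(expr)


def xpath_node_match(ref):
    """Resolve 'uri-reference#xpointer(expr)' against the loaded documents.
    Returns element text when expr ends in /text(), otherwise the elements."""
    m = XPOINTER.fullmatch(ref)
    if m is None or m["uri"] not in DOCS:
        raise ValueError(f"unresolvable XPointer reference: {ref}")
    expr, want_text = m["expr"], m["expr"].endswith("/text()")
    if want_text:
        expr = expr[: -len("/text()")]
    nodes = DOCS[m["uri"]].findall("." + expr if expr.startswith("//") else expr)
    return [n.text for n in nodes] if want_text else nodes


def registered_uids():
    return set(xpath_node_match("http://pdp/subjects.xml#xpointer("
                                "//subjects/user[businessCategory='RegisteredStudent']/uid/text())"))


def service_addresses():
    return set(xpath_node_match("http://pdp/resources.xml#xpointer("
                                "//service[@serviceId='TutorialVideoStreaming']/sap/inetaddress/text())"))


def rsvp_obligation(level):
    """AttributeAssignments for one service level: the RsvpClass attribute plus
    every Tspec/RSVP child of <ResourceRsvp>, i.e. what the PEP hands to RSVP."""
    (node,) = xpath_node_match("http://pdp/resources.xml#xpointer("
                               f"//service/serviceLevel[@serviceId='{level}']/ResourceRsvp)")
    assigns = {"RsvpClass": node.get("RsvpClass")}
    assigns.update((child.tag, child.text) for child in node)
    return assigns


INTRANET = re.compile(r"192\.168\.0\.")        # receiver-address condition of Policy 1 (slide 23)
BUSINESS_HOURS = (time(8, 0), time(17, 0))     # assumed meaning of "business time" (slide 16)


def request(subject_id, receiver_ip, hour, sender_ip="192.168.200.10",
            resource_id="TutorialVideo", action="getResourceQoS"):
    """Build a request context: the attributes of slide 17 plus the current hour."""
    return {"subject_id": subject_id, "receiver_ip": receiver_ip, "now": time(hour, 0),
            "sender_ip": sender_ip, "resource_id": resource_id, "action": action}


def evaluate(req):
    """Return (Decision, Obligations) the way an XACML <Result> would carry them."""
    # PolicySet target (slide 21): the TutorialVideo service reached at one of its SAP addresses.
    if (req["resource_id"] != "TutorialVideo" or req["sender_ip"] not in service_addresses()
            or req["action"] != "getResourceQoS"):
        return "NotApplicable", []
    registered = req["subject_id"] in registered_uids()
    internal = INTRANET.match(req["receiver_ip"]) is not None
    in_business_time = BUSINESS_HOURS[0] <= req["now"] < BUSINESS_HOURS[1]
    # Policies in first-applicable order; Policy 4 denies everyone the others did not permit.
    if registered and internal:                   # Policy 1: Gold or Silver
        return "Permit", [rsvp_obligation("Gold"), rsvp_obligation("Silver")]
    if registered:                                # Policy 2: registered but external -> Bronze
        return "Permit", [rsvp_obligation("Bronze")]
    if internal and not in_business_time:         # Policy 3: unregistered, internal, off hours
        return "Permit", [rsvp_obligation("Bronze")]
    return "Deny", []                             # Policy 4: deny for all others
```

The point of the resolver is that policy authors never copy uids or addresses into the policy: `registered_uids()` and `service_addresses()` are recomputed from the external documents on every evaluation, so adding a user to subjects.xml or a server to the SAP list changes decisions without touching the PolicySet. The paper's real implementation used Jaxen for full XPath; the subset here is enough to show the matching semantics.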
25
Example of Response
<?xml version="1.0" encoding="UTF-8"?>
<Response xmlns="...:context" xmlns:xsi="..." xsi:schemaLocation="... cs-xacml-schema-context-01.xsd">
  <Result>
    <Decision>Permit</Decision>
    <Status> ... </Status>
    <Obligations xmlns="...:policy">
      <Obligation ObligationId="...:qosGoldSilverStudentsInternal" FulfillOn="Permit">
        <AttributeAssignment AttributeId="RsvpClass1" DataType="...string">G711</AttributeAssignment>
        <AttributeAssignment AttributeId="TokenBucketRate_r1" DataType="...double">9250.0</AttributeAssignment>
        <AttributeAssignment AttributeId="TokenBucketSize_b1" DataType="...double">680.0</AttributeAssignment>
        <AttributeAssignment AttributeId="PeakRate_p1" DataType="...double">13875.0</AttributeAssignment>
        <AttributeAssignment AttributeId="MinimumPoliceUnit_m1" DataType="...integer">13875</AttributeAssignment>
        <AttributeAssignment AttributeId="MaximumPacketSize_M1" DataType="...integer">13875</AttributeAssignment>
        <AttributeAssignment AttributeId="RsvpService1" DataType="...string">Guaranteed</AttributeAssignment>
        <AttributeAssignment AttributeId="ServiceQoS1" DataType="...string">FF</AttributeAssignment>
        <AttributeAssignment AttributeId="RsvpClass2" DataType="...string">H261QCIF</AttributeAssignment>
        <AttributeAssignment AttributeId="TokenBucketRate_r2" DataType="...double">12000.0</AttributeAssignment>
        <AttributeAssignment AttributeId="TokenBucketSize_b2" DataType="...double">6000.0</AttributeAssignment>
        <AttributeAssignment AttributeId="PeakRate_p2" DataType="...double">12000.0</AttributeAssignment>
        <AttributeAssignment AttributeId="MinimumPoliceUnit_m2" DataType="...integer">80</AttributeAssignment>
        <AttributeAssignment AttributeId="MaximumPacketSize_M2" DataType="...integer">2500</AttributeAssignment>
        <AttributeAssignment AttributeId="RsvpService2" DataType="...string">Controlled-load</AttributeAssignment>
        <AttributeAssignment AttributeId="ServiceQoS2" DataType="...string">SE</AttributeAssignment>
      </Obligation>
    </Obligations>
  </Result>
</Response>
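What the PEP does with such a response is not shown on the slides (slide 10 only says the PEP integrates with the RSVP daemon, and slide 14 that the returned parameters are used to build the PATH message). The following added example, not code from the presentation or sunxacml, parses a constructed copy of the response above, groups the AttributeAssignments by their numeric suffix (the "_r1" / "_r2" naming on this slide; treating that suffix as the service-level index is an assumption of the example), and encodes each Tspec as the Int-serv SENDER_TSPEC object of RFC 2210 section 3.1. A real PEP would normally hand r, b, p, m and M to the RSVP daemon's API rather than build the object itself; the wire encoding is shown here because it makes the meaning of the five Tspec fields concrete.

```python
"""PEP side: from the PDP's Obligation to an RSVP SENDER_TSPEC object.

Added illustration, not code from the presentation or from sunxacml.  It
parses the Response of slide 25, groups the AttributeAssignments by their
numeric suffix (the '..._r1' / '..._r2' convention on that slide; reading
that suffix as the service-level index is an assumption) and encodes each
Tspec as the Int-serv SENDER_TSPEC object of RFC 2210 section 3.1 that a
PEP would place in the PATH message.
"""
import struct
import xml.etree.ElementTree as ET

# Constructed, abridged copy of the Response on slide 25 (namespaces dropped).
RESPONSE_XML = """<Response><Result><Decision>Permit</Decision>
 <Obligations><Obligation ObligationId="qosGoldSilverStudentsInternal" FulfillOn="Permit">
  <AttributeAssignment AttributeId="RsvpClass1">G711</AttributeAssignment>
  <AttributeAssignment AttributeId="TokenBucketRate_r1">9250.0</AttributeAssignment>
  <AttributeAssignment AttributeId="TokenBucketSize_b1">680.0</AttributeAssignment>
  <AttributeAssignment AttributeId="PeakRate_p1">13875.0</AttributeAssignment>
  <AttributeAssignment AttributeId="MinimumPoliceUnit_m1">13875</AttributeAssignment>
  <AttributeAssignment AttributeId="MaximumPacketSize_M1">13875</AttributeAssignment>
  <AttributeAssignment AttributeId="RsvpService1">Guaranteed</AttributeAssignment>
  <AttributeAssignment AttributeId="ServiceQoS1">FF</AttributeAssignment>
  <AttributeAssignment AttributeId="RsvpClass2">H261QCIF</AttributeAssignment>
  <AttributeAssignment AttributeId="TokenBucketRate_r2">12000.0</AttributeAssignment>
  <AttributeAssignment AttributeId="TokenBucketSize_b2">6000.0</AttributeAssignment>
  <AttributeAssignment AttributeId="PeakRate_p2">12000.0</AttributeAssignment>
  <AttributeAssignment AttributeId="MinimumPoliceUnit_m2">80</AttributeAssignment>
  <AttributeAssignment AttributeId="MaximumPacketSize_M2">2500</AttributeAssignment>
  <AttributeAssignment AttributeId="RsvpService2">Controlled-load</AttributeAssignment>
  <AttributeAssignment AttributeId="ServiceQoS2">SE</AttributeAssignment>
 </Obligation></Obligations></Result></Response>"""

SENDER_TSPEC_CLASS, INTSERV_CTYPE = 12, 2      # RFC 2210 sec. 3.1: object class / C-Type
GENERAL_SERVICE, TOKEN_BUCKET_TSPEC = 1, 127   # per-service header number, parameter ID
# RSVP object header (length, class, C-Type) followed by the 8-word Int-serv body:
# word 1 version/length, word 2 service header, word 3 parameter header, r b p, m M.
TSPEC_FMT = ">HBB" "HH" "BBH" "BBH" "fff" "II"


def tspecs_from_response(xml_text):
    """One dict per offered service level, ordered by the numeric suffix.
    Obligations are acted on only when the decision matches their FulfillOn."""
    root = ET.fromstring(xml_text)
    levels = {}
    for obligation in root.iter("Obligation"):
        if obligation.get("FulfillOn") != root.findtext("./Result/Decision"):
            continue
        for a in obligation.iter("AttributeAssignment"):
            name = a.get("AttributeId")
            stem = name.rstrip("0123456789")        # 'TokenBucketRate_r1' -> 'TokenBucketRate_r'
            idx = int(name[len(stem):])             # -> 1
            levels.setdefault(idx, {})[stem.split("_")[0]] = a.text.strip()
    return [levels[i] for i in sorted(levels)]


def encode_sender_tspec(t):
    """Serialize r, p (bytes/s), b (bytes) and m, M (bytes) as a SENDER_TSPEC object."""
    r, b, p = (float(t[k]) for k in ("TokenBucketRate", "TokenBucketSize", "PeakRate"))
    m, M = int(t["MinimumPoliceUnit"]), int(t["MaximumPacketSize"])
    if not (0 < r <= p and 0 < m <= M):
        raise ValueError("inconsistent Tspec: require 0 < r <= p and 0 < m <= M")
    return struct.pack(TSPEC_FMT,
                       36, SENDER_TSPEC_CLASS, INTSERV_CTYPE,   # object length incl. header
                       0, 7,                                    # msg format version 0, 7 words follow
                       GENERAL_SERVICE, 0, 6,                   # service header: 6 words of data
                       TOKEN_BUCKET_TSPEC, 0, 5,                # parameter 127, flags 0, 5 words
                       r, b, p, m, M)


def decode_sender_tspec(obj):
    """Parse the object back, as a router's policy/admission code would."""
    fields = struct.unpack(TSPEC_FMT, obj)
    if fields[:3] != (36, SENDER_TSPEC_CLASS, INTSERV_CTYPE) or fields[8] != TOKEN_BUCKET_TSPEC:
        raise ValueError("not an Int-serv SENDER_TSPEC carrying a Token Bucket TSpec")
    return dict(zip("rbpmM", fields[11:]))
```

The decision-versus-FulfillOn check is the part worth keeping in mind: an obligation attached to a Permit must be ignored on a Deny, otherwise a PEP would reserve bandwidth for a request the PDP refused. The sanity check on r <= p and m <= M catches a resources.xml entry that would produce a Tspec routers reject outright.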
26
Framework Implementation
  • Sun's XACML package, available at
  • http://sourceforge.net/projects/sunxacml/
  • Sun ONE Studio 4 update 1
  • Java 2 SDK, Standard Edition 1.4.2
  • The XACML XPath functions are optional
  • and are not implemented in that package.

27
Framework Modifications for supporting the
Proposal
  • Used Jaxen to support XPath statements
  • Stand-alone XPath implementation
  • Works with DOM, JDOM and ElectricXML
  • RSVP XML schema definition
  • RSVP parameters (Tspec) to support the definition
    of Resources
  • XMLSpy v5.0, release 4
  • Function xpath-node-match developed
  • Expression syntax: full XPointers
  • uri-reference#scheme(expression)
    where scheme(expression) gives the scheme name
    and its expression, e.g. xpointer(xptr-expr)

28
Conclusions
  • XACML is suited to business-level policies.
  • The available framework is easy to use and extend.
  • PCIM has not addressed the business-level issue;
    it is focused on device configuration.
  • XACML requires additional specification for
    creating policies that refer to external
    documents.
  • The obligation structure must be extended to
    support a more flexible strategy for returning
    parameters.
  • XACML is an open standard that enables new tools
    for policy management to be built.

29
  • Thank you!
  • Questions?
  • Please address them to toktar@ppgia.pucpr.br

30
Example of Service Document - SAP
<?xml version="1.0" encoding="UTF-8"?>
<service serviceId="TutorialVideoStreaming">
  <description>tutorial videos in the university campus</description>
  <sap>
    <inetaddress>192.168.200.10</inetaddress>
    <inetaddress>192.168.200.25</inetaddress>
    <inetaddress>192.168.5.3</inetaddress>
    <protocol>TCP</protocol>
    <port>8976</port>
  </sap>
  <serviceLevel serviceId="Gold">
    <ResourceRsvp AttributeId="qosG711" RsvpClass="G711"> ... </ResourceRsvp>
  </serviceLevel>
  <serviceLevel serviceId="Silver">
    <ResourceRsvp AttributeId="qosH261Q" RsvpClass="H261QCIF"> ... </ResourceRsvp>
  </serviceLevel>
  <serviceLevel serviceId="Bronze">
    <ResourceRsvp AttributeId="qosH263C" RsvpClass="H263CIF"> ... </ResourceRsvp>
  </serviceLevel>
</service>
31
Example of Service Document - RSVP
<?xml version="1.0" encoding="UTF-8"?>
<service serviceId="TutorialVideoStreaming">
  <description>tutorial videos in the university campus</description>
  <sap> ... </sap>
  <serviceLevel serviceId="Gold">
    <ResourceRsvp AttributeId="qosG711" RsvpClass="G711">
      <TspecBucketRate_r>9250</TspecBucketRate_r>
      <TspecBucketSize_b>680</TspecBucketSize_b>
      <TspecPeakRate_p>13875</TspecPeakRate_p>
      <TspecMinPoliceUnit_m>340</TspecMinPoliceUnit_m>
      <TspecMaxPacketSize_M>340</TspecMaxPacketSize_M>
      <RsvpService>Guaranteed</RsvpService>
      <RsvpStyle>FF</RsvpStyle>
    </ResourceRsvp>
  </serviceLevel>
  <serviceLevel serviceId="Silver">
    <ResourceRsvp AttributeId="qosH261Q" RsvpClass="H261QCIF"> ... </ResourceRsvp>
  </serviceLevel>
  <serviceLevel serviceId="Bronze">
    <ResourceRsvp AttributeId="qosH263C" RsvpClass="H263CIF"> ... </ResourceRsvp>
  </serviceLevel>
</service>