Multi-domain provisioning of Lower Layer Network Transports based on Generic AAA (presentation transcript)

1
Multi-domain provisioning of Lower Layer Network Transports based on Generic AAA
TERENA TF-AACE Workshop, 21/11/03
Leon Gommans, University of Amsterdam
2
Overview
  • Lower Layer Network Transport (LLNT)
  • Rationale to provide LLNTs
  • Generic Authentication, Authorization, Accounting (AAA): overview and usage in LLNTs
  • Current experiments: DataTAG, SC2003
  • Future research projects: GRANDE / NextGrid

21 Nov 2003 TERENA TF-AACE
Leon Gommans
3
Lower Layer Network Transport (LLNT)
  • Connection-oriented network paradigm using some form of switch technology that transports:
    • Ethernet frames (MPLS VPN, 802.1Q VLAN, ...)
    • SONET/SDH frames (ADM)
    • Light (OXC)
  • Goes by specific names such as:
    • L2 VPN
    • lightpath
    • lambda

4
Rationale for an NRN to provide LLNTs
  • Next to general Internet usage, users will start to ask for high-bandwidth connections at low cost.
  • High demand is now found in scientific Grid applications (HEP, radio astronomy, bio science, etc.).
  • Demand is typically between specific locations.
  • Forwarding large volumes of highly directional traffic is expensive when using routers.
  • A patch panel is cheap in terms of cost per Gbit/s.
  • NRNs need flexible and automated ways to provision cheap bandwidth based on application demand, by authorizing access to the transport infrastructure.

5
Ergo: automate the operator function
6
NRN perspective
  • NRNs have a number of different ways of transporting traffic, using connection-oriented and connectionless forwarding paradigms (routers, L2 switches, SONET/SDH links, optical links).
  • Low per-stream volume, many destinations, always-on service: routing on top of the LLNT infrastructure.
  • Medium to high volume, fewer destinations, defined contract periods: (G)MPLS over the LLNT infrastructure; use of AAA possible.
  • High volume, specific/static destinations, reserved time slots: application-driven provisioning of cheap LLNTs based on authorizations. Needs AAA.
  • The various network technologies in use need flexible, automatic control/provisioning solutions.

7
Generic AAA
  • Concepts were researched within the IRTF AAA Architecture Research Group (AAAARCH), which resulted in RFC 2903 (Generic AAA Architecture) and RFC 2904 (AAA Authorization Framework, which defines the authorization sequences).
  • The Advanced Internet Research (AIR) group at UvA helped to form this IRTF research group.
  • Empirical research into Generic AAA concepts is also done within the AIR group.
  • Research funded as part of participation in the EU IST DataTAG project and by SURFnet.
  • External collaboration with EVL at UIC, StarLight/NWU, Alcatel and FZJ Jülich.
  • The work is active input into standards bodies such as GGF and OASIS.

8
RFC 2904 authorization sequences that allow users to access a service based on a policy decision taken by an AAA component.
[Diagram: three message flows, each between a User, an AAA server and a Service, with the steps numbered 1 to 4]
  • Pull sequence: the User contacts the Service, the Service asks its AAA server for a decision, and the decision flows back to the Service and then to the User. Examples: NAS (remote access), RSVP (network QoS).
  • Agent sequence: the User contacts the AAA server, which arranges the Service on the user's behalf and reports back to the User. Examples: agents, brokers, proxies.
  • Push sequence: the User first obtains an authorization from the AAA server and then presents it to the Service. Examples: tokens, tickets, attribute certificates (ACs), etc.

9
AuthZ sequence combinations: roaming using an agent plus pull sequence
[Diagram: the User (1) contacts the Service Provider's AAA server, which (2, 3) pulls an authorization from the AAA server of the User Home Organization, then (4, 5) sets up the Service and (6) answers the User]

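The three RFC 2904 sequences and the roaming combination above as executable message flows. This is an added example and not code from the deck or from the UvA toolkit; the entitlement tables, the HMAC-signed JSON token used for the push sequence and all names are assumptions made here. What it adds to the diagrams is the check each party has to make before provisioning: in the pull and agent flows the Service acts on an answer it receives from its own AAA server, while in the push flow the Service acts on a token handed over by the user, so that token has to be integrity-protected, expiring and bound to what was requested, and the provider in the roaming case still applies its own policy after the home organization has said yes.

```python
import hashlib
import hmac
import json
import time

# Constructed example data: what each AAA server allows (max bandwidth in Mbit/s; '*' is the
# ceiling a provider applies to any roaming user) and the key shared between the home AAA
# server and the Service to protect push-sequence tokens.
HOME_ENTITLEMENTS = {"JanJansen": 1000}
PROVIDER_ENTITLEMENTS = {"*": 2000}
TOKEN_KEY = b"example-aaa-token-key"

class AAAServer:
    """Policy decision point: decides, and for the push sequence mints a signed, expiring token."""
    def __init__(self, entitlements, key=None):
        self.entitlements, self.key = entitlements, key
    def decide(self, user, bandwidth):
        limit = self.entitlements.get(user, self.entitlements.get("*", 0))
        return bandwidth <= limit
    def issue_token(self, user, bandwidth, ttl=60):
        claims = {"sub": user, "bw": bandwidth, "exp": int(time.time()) + ttl}
        body = json.dumps(claims, sort_keys=True).encode()
        return body, hmac.new(self.key, body, hashlib.sha256).hexdigest()

class Service:
    """Policy enforcement point: provisions only after a decision it can trust."""
    def __init__(self, key=None):
        self.key, self.active = key, []
    def accept_token(self, body, mac, bandwidth):
        """Push sequence: check the MAC in constant time, then expiry, then the bound bandwidth."""
        expected = hmac.new(self.key, body, hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, mac):
            return False
        claims = json.loads(body)
        return claims["exp"] > time.time() and claims["bw"] == bandwidth
    def provision(self, user, bandwidth):
        self.active.append((user, bandwidth))

def pull_sequence(user, bw, aaa, service, trace):
    """1 User->Service, 2 Service->AAA, 3 AAA->Service, 4 Service->User (NAS/RADIUS, RSVP)."""
    trace += [("user", "service", f"request {bw}"), ("service", "aaa", f"authorize {user} {bw}?")]
    ok = aaa.decide(user, bw)
    trace.append(("aaa", "service", "permit" if ok else "deny"))
    if ok:
        service.provision(user, bw)
    trace.append(("service", "user", "granted" if ok else "refused"))
    return ok

def agent_sequence(user, bw, aaa, service, trace):
    """1 User->AAA, 2 AAA->Service, 3 Service->AAA, 4 AAA->User (agents, brokers, proxies)."""
    trace.append(("user", "aaa", f"request {bw}"))
    ok = aaa.decide(user, bw)
    if ok:
        service.provision(user, bw)
        trace += [("aaa", "service", "provision"), ("service", "aaa", "done")]
    trace.append(("aaa", "user", "granted" if ok else "refused"))
    return ok

def push_sequence(user, bw, aaa, service, trace):
    """1 User->AAA, 2 AAA->User (token), 3 User->Service (token), 4 Service->User."""
    trace.append(("user", "aaa", f"token for {bw}?"))
    if not aaa.decide(user, bw):
        trace.append(("aaa", "user", "deny"))
        return False
    body, mac = aaa.issue_token(user, bw)
    trace += [("aaa", "user", "token"), ("user", "service", "request + token")]
    ok = service.accept_token(body, mac, bw)
    if ok:
        service.provision(user, bw)
    trace.append(("service", "user", "granted" if ok else "refused"))
    return ok

def roaming_agent_pull(user, bw, home_aaa, provider_aaa, service, trace):
    """Slide 9: the provider's AAA is the agent (steps 1 and 6), pulls the home organization's
    decision (2, 3) and applies its own policy before provisioning (4, 5)."""
    trace += [("user", "provider-aaa", f"request {bw}"),
              ("provider-aaa", "home-aaa", f"authorize {user} {bw}?")]
    home_ok = home_aaa.decide(user, bw)
    trace.append(("home-aaa", "provider-aaa", "permit" if home_ok else "deny"))
    ok = home_ok and provider_aaa.decide(user, bw)
    if ok:
        service.provision(user, bw)
        trace += [("provider-aaa", "service", "provision"), ("service", "provider-aaa", "done")]
    trace.append(("provider-aaa", "user", "granted" if ok else "refused"))
    return ok

if __name__ == "__main__":
    home, provider = AAAServer(HOME_ENTITLEMENTS, TOKEN_KEY), AAAServer(PROVIDER_ENTITLEMENTS)
    svc, trace = Service(TOKEN_KEY), []
    print(push_sequence("JanJansen", 1000, home, svc, trace))
    for hop in trace:
        print(*hop)
```

The token is the part that differs in kind from the other two flows: tampering with the bandwidth claim or presenting a token issued for a smaller request is refused by the Service on its own, without a round trip to the AAA server, which is the property that makes the push sequence usable across domains.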
10
Example AuthZ sequence in LLNTs with intelligent switches
[Diagram: the User's request is authorized by the AAA server of the User Home Organization and by an application AAA server; each of the network Domains A, B and C has its own AAA server that controls its Switch through a network interface (Netw. I/F), so that a transport is set up between the Resource at each end]

11
Example AuthZ sequences in LLNTs with dumb switches
[Diagram: same layout as the previous slide, with the User Home Domain AAA, an application AAA and one AAA server per Network Domain A, B and C; here the switches have no intelligence of their own and each domain's AAA server configures its Switch directly through the network interface (Netw. I/F) to connect the Resource at each end]

12
Example AuthZ sequences in LLNTs with broker
[Diagram: a Broker takes the place of the home-domain AAA server in front of the application AAA; the AAA servers of Network Domains A, B and C each control their Switch through the network interface (Netw. I/F) to connect the Resource at each end for the User]
13
Base of Generic AAA Architecture - RAP
The fundamental ideas are inspired by the work of the IETF RAP WG, which in RFC 2753 describes a framework for policy-based admission control, the foundation for COPS.
[Diagram: a Request enters the Policy Decision Point, which consults the Policy Repository and returns a Decision to the Policy Enforcement Point]
  • Policy Decision Point (PDP): the point where policy decisions are made.
  • Policy Enforcement Point (PEP): the point where the policy decisions are actually enforced.
Basic goal of Generic AAA: allow policy decisions to be made by multiple PDPs belonging to different administrative domains.
14
Generic AAA Architecture - RFC 2903
[Diagram: inside the PDP, the Generic AAA Engine (a Rule Based Engine) reads from the Policy Repository and calls Application Specific Modules; a Request comes in and a Decision goes out to the Policy Enforcement Point]
  • A Driving Policy orchestrates the usage of ASMs.
  • The goal is achieved by separating the logical decision process from the application-specific parts within the PDP.
9 Oct 2003 Update meeting EVL
Leon Gommans
15
Generic AAA Architecture
[Diagram: two PDPs, each with its own Rule Based Engine, Policy Repository and Application Specific Module; a Service Request against the User Rights becomes an AAA Request to the first PDP, which can involve the second PDP; the resulting Decision goes to the Policy Enforcement Point in front of the Service]

16
Example XML request message
  <AAARequest version="0.1" type="BoD">
    <!-- WHY: who is asking -->
    <Authorization>
      <credential>
        <credential_type>simple</credential_type>
        <credential_ID>JanJansen</credential_ID>
        <credential_secret>f034d</credential_secret>
      </credential>
    </Authorization>
    <!-- WHAT: the bandwidth-on-demand service requested -->
    <BodData>
      <Source>192.168.1.5</Source>
      <Destination>192.168.1.6</Destination>
      <Bandwidth>1000</Bandwidth>
      <StartTime>now</StartTime>
      <Duration>20</Duration>
    </BodData>
  </AAARequest>

17
Example part of a Driving Policy
  if ( ( ASMRM.CheckConnection( RequestBodData.Source,
                                RequestBodData.Destination )
         && ( RequestBodData.Bandwidth < 1000 ) ) )
  then ( ASMRM.RequestConnection( RequestBodData.Source,
                                  RequestBodData.Destination,
                                  RequestBodData.Bandwidth,
                                  RequestBodData.StartTime,
                                  RequestBodData.Duration );
         ReplyAnswer.Message = "Request successful" )
  else ( ReplyError.Message = "Request failed" )
(The comparison, conjunction and assignment operators were lost in the transcript and are restored here.)

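A runnable miniature of the RBE / ASM split of slides 14 and 15, fed with the slide 16 request and running the slide 17 policy, and extended with a hop to a second domain's RBE as in the multi-domain diagrams of slides 10 to 12. This is an added example, not the UvA toolkit's code: the salted credential store, the link capacities, the "domain" credential type used between RBEs, the peer secret and the rollback on a downstream refusal are all assumptions made here. Two things the slides do not show: the "simple" credential carries a cleartext secret, so the SOAP/XML channel to the RBE needs transport protection, and the deck's request asks for exactly 1000 while the policy requires Bandwidth < 1000, so that request is refused as written; the example exercises both outcomes.

```python
import hashlib
import hmac
import xml.etree.ElementTree as ET

# Constructed copy of the deck's slide-16 request.
REQUEST_XML = """<AAARequest version="0.1" type="BoD">
  <Authorization><credential>
    <credential_type>simple</credential_type>
    <credential_ID>JanJansen</credential_ID>
    <credential_secret>f034d</credential_secret>
  </credential></Authorization>
  <BodData><Source>192.168.1.5</Source><Destination>192.168.1.6</Destination>
    <Bandwidth>1000</Bandwidth><StartTime>now</StartTime><Duration>20</Duration></BodData>
</AAARequest>"""
BOD_FIELDS = ("Source", "Destination", "Bandwidth", "StartTime", "Duration")

def parse_request(xml_text):
    root = ET.fromstring(xml_text)
    if root.tag != "AAARequest" or root.get("type") != "BoD":
        raise ValueError("not a BoD AAARequest")
    cred = {c.tag: (c.text or "") for c in root.find("Authorization/credential")}
    bod = {f: root.findtext(f"BodData/{f}") for f in BOD_FIELDS}
    bod["Bandwidth"], bod["Duration"] = int(bod["Bandwidth"]), int(bod["Duration"])
    return {"credential": cred, "bod": bod}

def make_request(cred_type, cred_id, secret, bod):
    """Build an AAARequest; an RBE uses it to forward the request to the next domain."""
    root = ET.Element("AAARequest", version="0.1", type="BoD")
    cred = ET.SubElement(ET.SubElement(root, "Authorization"), "credential")
    for tag, val in (("credential_type", cred_type), ("credential_ID", cred_id),
                     ("credential_secret", secret)):
        ET.SubElement(cred, tag).text = val
    data = ET.SubElement(root, "BodData")
    for f in BOD_FIELDS:
        ET.SubElement(data, f).text = str(bod[f])
    return ET.tostring(root, encoding="unicode")

def hash_secret(salt, secret):
    return hashlib.sha256(salt + secret.encode()).hexdigest()

class CredentialASM:
    """ASM that checks credentials against salted hashes, so the repository never holds cleartext
    secrets. 'simple' is the user credential type from the deck; 'domain' is assumed for RBE peers."""
    def __init__(self, entries):  # credential_ID -> (credential_type, salt, digest)
        self.entries = entries
    def check(self, cred):
        rec = self.entries.get(cred.get("credential_ID"))
        if rec is None or rec[0] != cred.get("credential_type"):
            return False
        return hmac.compare_digest(hash_secret(rec[1], cred.get("credential_secret", "")), rec[2])

class ResourceManagerASM:
    """ASM wrapping the domain's transport resources: links and their free capacity (Mbit/s)."""
    def __init__(self, links):
        self.free = dict(links)
    def check_connection(self, src, dst):
        return (src, dst) in self.free
    def request_connection(self, src, dst, bw, start, duration):
        if self.free[(src, dst)] < bw:
            return False
        self.free[(src, dst)] -= bw
        return True
    def release(self, src, dst, bw):
        self.free[(src, dst)] += bw

def driving_policy(req, asm_rm, limit):
    """The slide-17 rule: CheckConnection && Bandwidth < limit, then RequestConnection."""
    b = req["bod"]
    if asm_rm.check_connection(b["Source"], b["Destination"]) and b["Bandwidth"] < limit:
        if asm_rm.request_connection(*(b[f] for f in BOD_FIELDS)):
            return {"ReplyAnswer": "Request successful"}
    return {"ReplyError": "Request failed"}

class RBE:
    """Rule Based Engine: authenticate, decide locally, then act as agent towards the peer domain."""
    def __init__(self, name, cred_asm, rm_asm, limit, peer=None, peer_secret=None):
        self.name, self.cred_asm, self.rm_asm, self.limit = name, cred_asm, rm_asm, limit
        self.peer, self.peer_secret = peer, peer_secret
    def handle(self, xml_text):
        req = parse_request(xml_text)
        if not self.cred_asm.check(req["credential"]):
            return {"ReplyError": "Authentication failed"}
        reply = driving_policy(req, self.rm_asm, self.limit)
        if "ReplyAnswer" in reply and self.peer is not None:
            b = req["bod"]
            downstream = self.peer.handle(make_request("domain", self.name, self.peer_secret, b))
            if "ReplyError" in downstream:  # the peer refused: roll back the local reservation
                self.rm_asm.release(b["Source"], b["Destination"], b["Bandwidth"])
                return {"ReplyError": f"Request failed in {self.peer.name}"}
        return reply

def build_domains():
    """Two chained domains (constructed): A authenticates the user, B trusts only A's credential."""
    link = ("192.168.1.5", "192.168.1.6")
    b = RBE("domainB", CredentialASM({"domainA": ("domain", b"sB", hash_secret(b"sB", "a-to-b"))}),
            ResourceManagerASM({link: 600}), limit=1000)
    a = RBE("domainA", CredentialASM({"JanJansen": ("simple", b"sA", hash_secret(b"sA", "f034d"))}),
            ResourceManagerASM({link: 2000}), limit=1000, peer=b, peer_secret="a-to-b")
    return a, b
```

Domain B never sees the user's secret and never has to know the user: it authenticates domain A, which is the agent-sequence hop of the multi-domain diagrams. When requests arrive from parties you do not control, parse them with defusedxml.ElementTree instead of xml.etree, which does not defend against entity-expansion attacks.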
18
Single-domain 802.1Q VLAN setup, demo at iGrid 2002
[Diagram: an AAA Request Message (XML/SOAP) enters the RBE, which consults the Policy Database and drives two ASMs; each ASM configures one 802.1Q VLAN Switch over SNMP using the dot1q (Q-BRIDGE) MIB; two PCs hang off each switch]

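What the VLAN ASM in this setup has to produce towards the switch, as an added example that is not the toolkit's ASM: the Q-BRIDGE-MIB PortList encoding, the varbinds of the SNMP SET that creates a static VLAN row, and the read-back check that the enforcement matches the decision. The OIDs and the PortList bit order are as defined in RFC 2674 (dot1qVlanStaticTable and dot1qPvid); the VLAN id, VLAN name and port numbers are constructed. The block builds the varbinds but does not speak SNMP itself, so it runs offline.

```python
# Q-BRIDGE-MIB (RFC 2674) objects the ASM writes; OIDs as registered in the MIB.
DOT1Q_VLAN_STATIC_ENTRY = "1.3.6.1.2.1.17.7.1.4.3.1"  # dot1qVlanStaticTable row, index = VLAN id
COL_NAME, COL_EGRESS, COL_FORBIDDEN, COL_UNTAGGED, COL_ROW_STATUS = 1, 2, 3, 4, 5
DOT1Q_PVID = "1.3.6.1.2.1.17.7.1.4.5.1.1"  # dot1qPvid, index = bridge port number
ROW_STATUS_CREATE_AND_GO, ROW_STATUS_DESTROY = 4, 6

def encode_portlist(ports, num_ports):
    """PortList: octet n covers ports 8n+1..8n+8 and the most significant bit of each octet
    is its lowest-numbered port, so port 1 is 0x80 of the first octet."""
    octets = bytearray((num_ports + 7) // 8)
    for p in ports:
        if not 1 <= p <= num_ports:
            raise ValueError(f"port {p} outside 1..{num_ports}")
        octets[(p - 1) // 8] |= 0x80 >> ((p - 1) % 8)
    return bytes(octets)

def decode_portlist(octets):
    """Inverse of encode_portlist: the sorted list of port numbers whose bit is set."""
    return [8 * i + j + 1 for i, o in enumerate(octets) for j in range(8) if o & (0x80 >> j)]

def vlan_create_varbinds(vlan_id, name, tagged, untagged, num_ports):
    """(OID, value) pairs for one SNMP SET that creates VLAN vlan_id with createAndGo. Untagged
    ports are egress members too and get their PVID set, so their untagged ingress frames are
    classified into the VLAN; tagged ports only get egress membership."""
    if not 1 <= vlan_id <= 4094:
        raise ValueError("VLAN id must be 1..4094")
    if set(tagged) & set(untagged):
        raise ValueError("a port cannot be both tagged and untagged in the same VLAN")
    egress = encode_portlist(set(tagged) | set(untagged), num_ports)
    def row(col):
        return f"{DOT1Q_VLAN_STATIC_ENTRY}.{col}.{vlan_id}"
    varbinds = [
        (row(COL_NAME), name),
        (row(COL_EGRESS), egress),
        (row(COL_FORBIDDEN), bytes(len(egress))),  # no port is forbidden
        (row(COL_UNTAGGED), encode_portlist(untagged, num_ports)),
        (row(COL_ROW_STATUS), ROW_STATUS_CREATE_AND_GO),
    ]
    varbinds += [(f"{DOT1Q_PVID}.{p}", vlan_id) for p in sorted(untagged)]
    return varbinds

def vlan_destroy_varbinds(vlan_id):
    """Tear-down at the end of the reserved period: destroy the static row."""
    return [(f"{DOT1Q_VLAN_STATIC_ENTRY}.{COL_ROW_STATUS}.{vlan_id}", ROW_STATUS_DESTROY)]

def membership_matches(egress_octets, untagged_octets, tagged, untagged):
    """Read-back check after the SET: the PortLists the switch reports must equal the decision
    that was made, and every untagged port must also be an egress member."""
    egress, untag = set(decode_portlist(egress_octets)), set(decode_portlist(untagged_octets))
    return egress == set(tagged) | set(untagged) and untag == set(untagged) and untag <= egress

if __name__ == "__main__":
    for oid, value in vlan_create_varbinds(100, "bod-demo", tagged=[24], untagged=[1, 2], num_ports=24):
        print(oid, value)
```

Send the varbinds in a single SET (with any SNMP library, for instance pysnmp) so the row is created atomically with createAndGo, then GET dot1qVlanStaticEgressPorts and dot1qVlanStaticUntaggedPorts and run membership_matches before the RBE reports "Request successful" upstream. If the ASM talks SNMPv1 or v2c, the community string is a cleartext password: anyone who can reach the switch's management interface with it can move ports between VLANs without ever passing the PDP, so the ASM-to-switch path needs SNMPv3 authPriv or a management network the users cannot reach.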
19
Single-domain Calient OXC setup
[Diagram: an AAA Request Message (XML/SOAP) enters the RBE, which consults the Policy Database and drives one ASM; the ASM controls a Calient DiamondWave photonic switch over TL-1, with four PCs attached]

20
Multi-domain setup
[Diagram: two RBEs, each with its own Policy Database; an AAA Request Message (XML/SOAP) enters the first RBE, whose ASMs configure an 802.1Q VLAN Switch over SNMP (dot1q Bridge MIB) and hand the request on to the second RBE; the second RBE's ASMs control the Calient DiamondWave photonic switch (TL-1) and a second 802.1Q VLAN Switch (SNMP); two PCs hang off each VLAN switch]

21
Multi-domain setup using Alcatel 1355 BonD
[Diagram: the RBE, with its Policy Database, drives three ASMs: two configure the 802.1Q VLAN Switches over SNMP (dot1q Bridge MIB), and one talks to the Alcatel 1355 BonD and 1354 management systems, which through the 1353 EM element manager provision the circuit between two Alcatel 1670 ADMs; two PCs hang off each VLAN switch]

22
Collaborative multi-domain experiment at SC2003
[Diagram: two Photonic Interdomain Negotiators (PIN) talk to each other; the PIN does route determination based on source routing and hands requests to the Photonic Domain Controller (PDC). The PDC's Photonic Policy Based Access Controller is a Generic AAA server (RBE, Policy Database, AuthZ ASM, Resource Manager ASM and a device ASM) that drives two Calient PXCs with four PCs attached. PIN and PDC are developments from EVL.]

23
AAA based multi-domain experiment at SC2003
[Diagram: an OGSI client interface talks to the OGSI web-service interface of the first RBE (Policy Database, AuthZ ASM, Resource Manager ASM and device ASMs); that RBE chains to two further RBEs, each with its own Policy Database and ASMs, which control the two Calient switches; four PCs attached]

24
Generic AAA server toolkit of UvA: main features
  • RBE and ASMs run within a J2EE EJB container.
  • The RBE accepts XML-based request messages.
  • An ASM can send requests to another RBE or control devices through the Java Connector Architecture (JCA), via CLI, TL-1, SNMP, RADIUS, SOAP/XML etc.
  • The J2EE environment provides Web Services features.
  • Integrated Grid OGSA based interface into the RBE.
  • The toolkit gives the user RBE and ASM skeletons and a policy language editor/compiler.
  • Uses MySQL to store compiled policies written in a very simple nested if-then-else grammar.
  • Supports all three authorization sequence types (pull, agent, push).
  • Library of ASMs that includes support for GARA, VOMS, Enterasys, Calient and the Alcatel NMS.

25
Future Research.
  • Research ways to integrate networks into the Grid
    by using the principles of Generic AAA to
    authorize on demand usage.
  • Research ways to use the principles of Generic
    AAA in future generation grids.
  • Identify requirements and develop Generic AAA
    toolkit functions that can be used in both intra-
    and inter-domain service management scenarios.
  • Propose standards and standard ways of operation.

26
Conclusions
  • Cheap network components can be used to create on-demand high-bandwidth network transports between selected locations.
  • By turning network transports into objects using ASMs, they become software-controllable entities that can be orchestrated using driving policies that run within an RBE.
  • The AAA toolkit can be used to create flexible provisioning scenarios with many types and abstractions of network equipment.

27
Thank you! Research funded by the EU IST DataTAG project and SURFnet.
Leon Gommans, lgommans@science.uva.nl