TF-NGN AAA research Cees de Laat 1 of 10 Utrecht University


Page 1: TF-NGN AAA research

Cees de Laat

Utrecht University

Page 2: Contents of this talk

• This space is intentionally left blank

Page 3: Multi Kingdom Problems

Physics-UU to IPP-FZJ => 7 kingdoms

– Netherlands
» Physics dept
» Campus net
» SURFnet

– Europe
» TEN 155

– Germany
» WINS/DFN
» Juelich, Campus
» Plasma Physics dept

[Figure: map with labels "USA line" (twice) and "Jülich", and delays of 3 ms, 17 ms and 2.5 ms]

Page 4: The need for AAA

[Figure: diagram with labels: End user, R (four times), Remote service, Kingdom N, Kingdom N+1, management, BB, AAA, "?", "$$$"]

See IRTF AAA-ARCH Research group

Page 5: Policy based networking example

[Figure: diagram with labels: Experiment, Camera, PC, Macintosh, AAA, and "Policy based networking switch with > layer 4 AAA functionality"]

Page 6: ASP

[Figure: diagram with labels: Internet User, Layer 3/4 Switch, Content Server (three times), Bandwidth Broker, User-Home Organisation, Financial Organisation, Service Profiles, ASP, ISP's; each element carries an AAA box]

Page 7: Roles

[Figure: diagram with labels: SURFnet, Portals, Brokers, Content, Customers, University, NOB, Library, Hogeschool]

Page 8: Roles

[Figure: hierarchy with labels: GEANT/DANTE; SURFnet, DFN, SWITCH, REDIRIS; UNI; USER]

Page 9: AAA Server building block

[Figure: Generic AAA server (rule based engine) with Application Specific Module, Auth rules and Events; connections numbered 1, 2 (API) and 3]

Types of communication:

1: “The” AAA protocol

2: interface (API) to app specific module (addressing!)

3: interface (API or connection) to repositories (e.g. LDAP)

Rule example: Auth_A = (B>9) .or. C .and. D
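The rule example above, worked through as an added illustration (not code from the talk or from the AAA-ARCH research group): a minimal rule-based engine that evaluates expressions of the form `Auth_A = (B>9) .or. C .and. D` against attributes gathered for a request. It assumes Fortran-style precedence (`.and.` binds tighter than `.or.`), which the slide does not state; the names `authorize`, `RuleError`, `TOKEN`, `CMP` and `PREC`, and the policy of denying on a malformed rule or a missing attribute, are choices made for this example.

```python
import operator
import re

# Fortran-style logical operators, comparisons, parentheses, names, integers.
TOKEN = re.compile(r"\s*(\.or\.|\.and\.|==|>|<|\(|\)|[A-Za-z_]\w*|\d+)")
CMP = {">": operator.gt, "<": operator.lt, "==": operator.eq}
PREC = {".or.": 1, ".and.": 2}  # assumption: .and. binds tighter than .or.

class RuleError(Exception):
    """Malformed rule, or an attribute the rule references was not supplied."""

def authorize(rule, attrs):
    """Evaluate 'NAME = expression' against attrs; any problem means deny."""
    expr = rule.partition("=")[2]
    found = TOKEN.findall(expr)
    if "".join(found) != "".join(expr.split()):
        return False  # characters the grammar does not know
    toks = [None] + found[::-1]  # stack: pop() yields tokens in order, None ends

    def logic(min_prec=1):
        val = term()
        while PREC.get(toks[-1], 0) >= min_prec:
            op = toks.pop()
            rhs = logic(PREC[op] + 1)  # always evaluated: no attribute is skipped
            val = (val or rhs) if op == ".or." else (val and rhs)
        return val

    def term():
        left = atom()
        if toks[-1] in CMP:
            return CMP[toks.pop()](left, atom())
        return bool(left)

    def atom():
        tok = toks.pop()
        if tok == "(":
            val = logic()
            if toks.pop() != ")":
                raise RuleError("missing ')'")
            return val
        if str(tok).isdigit():
            return int(tok)
        if tok not in attrs:
            raise RuleError(f"cannot resolve {tok!r}")
        return attrs[tok]
    try:
        return logic() and toks == [None]  # trailing tokens also deny
    except (RuleError, TypeError):
        return False
```
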

Page 10: Pushing the buttons

[Figure: Generic AAA server (rule based engine) with Application Specific Module, Policy, Events and Service; connections numbered 1, 2, 3 and 5]

Types of communication:

5: Towards service (e.g. COPS, CLI, SNMPv3)

Page 11: AAA Server with Accounting as Part of the Service

[Figure: Generic AAA server (rule based engine) with Application Specific Module, Policy, Events, Accounting/Metering Service and Acct Data; connections numbered 1, 2, 3 and 5]

Page 12: AAA Server with Accounting as Separate Service

[Figure: Generic AAA server (rule based engine) with Application Specific Module, Policy, Events, Accounting Module, Service, Metering and Acct Data; connections numbered 1, 2, 3, 5 and 6]

Page 13: Questions

• Resource discovery <-> AAA discovery

• Is AAA high or low in middleware?

• All A's together or not?

• Should AAA be visible in the app or only stay in middleware and this way solve its user interface problem?

[Figure: layer diagram with labels: Transport TCP/UDP/IP, Middleware (AAA, R1, R2, CORBA, LDAP, BB, ...), Applications, GUI]

Page 14: Stretching the OSI model

[Figure: diagram with labels: Network, Services, bandwidth, complexity, Applications, Middleware]

Page 15: RG-Goals-1

Specific goals of the RG are:

• develop generic AAA model by specifically including Authentication and Accounting

• develop auditability framework specification that allows the AAA system functions to be checked in a multi-organization environment

• develop a model that supports management of a "mesh" of interconnected AAA Servers

• define distributed policy framework, coordinate with policy framework WG and others

• develop an accounting model that allows authorization to define the type of accounting processing required for each session

Page 16: RG-Goals-2

Specific goals of the RG are:

• implement a simulation model that allows experimentation with the proposed architectural models (also work on an emulation)

• describe interdomain issues using generic model

• work with AAA WG to align short term AAA protocol requirements with long term requirements as much as possible

• complete the work in Q4 - 2000 (ambitious)

• RFC 2903 - 2907 !!!!

Page 17: Research Group - info

• Research Group Name: AAAARCH - RG

• Chair(s)
– John Vollbrecht -- [email protected]
– Cees de Laat -- [email protected]

• Web page
– www.irtf.org
– www.phys.uu.nl/~wwwfi/aaaarch

• Mailing list(s)
– [email protected]
– For subscription to the mailing list, send e-mail to [email protected] with content of message

subscribe aaaarch
end

– will be archived, retrieval with frames and in plain ascii:
» http://www.fokus.gmd.de/glone/research/aaaarch/
» http://www.fokus.gmd.de/glone/research/mail-archive/aaaarch-current
» ftp://ftp.fokus.gmd.de/pub/glone/mail-archive/aaaarch-current

Page 18: Research TF-NGN

• Use European research net as testbed for AAA

• VLL type of service

• Top-down
– Application
– Middleware - AAA
– BB
– Policy push
– Diffserv

• Focus on techniques and products

• Concentrate on

• Authentication, aggregation

• Authorisation

• SLA - policy - metering - verification

• Simulation/emulation