TF-TANT Policy Control. Leon Gommans, University of Utrecht/Cabletron EMEA. www.phys.uu.nl/~lgommans, email: l.h.m.gommans@phys.uu.nl
Policy Control Workgroup
• Participants: BE, CH, FR, ES, IT, NL
• Currently in Research Phase (Q1/Q2 1999).
• Objectives:
  • Identify position and scope of work
  • Increase knowledge of the working area
  • Relationship with other areas
  • Identify goals and requirements for tests

Positioning of work
• Establish & refine Service Access model
  • Assume a high level model and verify/detail it.
• Position related standards (and standards efforts) and principles
  • COPS, DIAMETER, PFDL, Policy Schemas, DEN
  • Policy definition, management, distribution, association, relationship to AAA, security aspects etc.
• Identify research work already done/in progress
  • Internet2/Qbone, Merit BB and AAA server
  • Globus Distributed Compute Clusters

Policy Control Scope
• Establish scope for Policy Control (PC) tests
• Main drive: relation of PC with QoS networking (diffserv)
• PC perceived useful with services such as VPN, E-commerce, Content Services, Roaming, NAS, etc.
• Authorization part of IETF-AAA work has a strong relationship.
• PC involves policy aggregation and management.
• Should we look at QoS (Bandwidth Brokerage) only, or ?
Generic Service Access Model (diagram: Usage Entity with Identity and Environment Attributes; Authentication Point with Challenge; Authorization with Authorization Attributes; Service Entity; Management; Trust Authorities; Policy Engine with Admission and Logging; SLA => Rules => Actions; Integrity knowledge; Configuration, Statistics, Accounting, Audit; Request, Trust relationship and Service Interaction arrows). High level model - 4th iteration, Leon Gommans / Betty de Bruijn, 1999-03-02
Multi-domain Model (diagram: the Service Access Model replicated across two domains, each with its own Management, Trust Authorities, Authentication Point, Authorization and Service Entity; one Usage Entity with Identity and Environment issues the Request)
IETF Policy Framework (diagram: Policy Management with PDP and LDAP Directory; Device Management with PEP, Policy Engine, Admission, Logging, Rules => Actions; COPS, SNMP and Telnet/CLI between PDP and PEP; Request; Configuration, Statistics, Accounting, Audit). Definition of PolicyRules and actions: PFDL

DEN Relationship (diagram: same Policy Framework picture with PEP, PDP, Policy Engine, Admission, Logging, Configuration). Schema is based on DMTF CIM work and would allow links to a DEN LDAP directory.

Policy Conditions and Actions (class diagram)
• PolicyGroup
• PolicyRule
• PolicyCondition
• PolicyTimePeriodCondition
• PolicyAction
PolicyRule Example
  IF SecurityPolicyRule is satisfied THEN
    IF DHCPLeasePolicy is satisfied THEN
      Execute QoSPolicies
      Execute AuditingPolicies
    ENDIF
  ENDIF
PolicyConditions and PolicyActions may call functions such as Authentication functions and Service type functions such as a Bandwidth Broker or Auditing. PolicyRules have a notion of order.
Example in Access Model (diagram: the Generic Service Access Model with the Policy Engine rule "if secure then if DHCP then BB; Audit; endif; endif;" in place of SLA => Rules => Actions). High level model - 4th iteration, Leon Gommans / Betty de Bruijn, 1999-03-27
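A minimal evaluator for the nested PolicyRule shown above, written in Python as an added example rather than the workgroup's own code: the class and rule names follow the Policy Framework vocabulary on these slides, while the condition bodies, the office-hours time window, the action stand-ins and the request attributes are constructed assumptions.

```python
# Added example, not from the TF-TANT deck; the bodies below are constructed stand-ins.
from dataclasses import dataclass
from datetime import datetime, time
from typing import Callable, List

@dataclass
class PolicyTimePeriodCondition:
    """Holds only while the request time lies inside a daily window (constructed)."""
    start: time
    end: time
    def __call__(self, request: dict) -> bool:
        return self.start <= request["time"].time() < self.end

@dataclass
class PolicyRule:
    """IF all PolicyConditions hold THEN run the PolicyActions in order.
    An action may itself be a PolicyRule, which gives the slide's nested IF/ENDIF."""
    name: str
    conditions: List[Callable[[dict], bool]]
    actions: List[Callable[[dict, list], None]]
    def satisfied(self, request: dict) -> bool:
        return all(cond(request) for cond in self.conditions)
    def __call__(self, request: dict, log: list) -> None:
        if self.satisfied(request):
            for action in self.actions:
                action(request, log)

def evaluate(policy_group: List[PolicyRule], request: dict) -> List[str]:
    """PolicyGroup: rules have a notion of order, so run them in sequence and
    return the ordered trail of actions taken (the Logging/Audit record)."""
    log: List[str] = []
    for rule in policy_group:
        rule(request, log)
    return log

# Constructed stand-ins for the Bandwidth Broker and Auditing service functions.
def qos_policies(req, log): log.append(f"BB:{req['user']}")
def auditing_policies(req, log): log.append(f"Audit:{req['user']}")

# The slide's rule: IF Security THEN IF DHCPLease THEN QoS; Auditing ENDIF ENDIF
dhcp_lease_policy = PolicyRule("DHCPLeasePolicy",
    [lambda r: r["dhcp_lease_valid"]], [qos_policies, auditing_policies])
security_policy_rule = PolicyRule("SecurityPolicyRule",
    [lambda r: r["authenticated"], PolicyTimePeriodCondition(time(8), time(18))],
    [dhcp_lease_policy])
POLICY_GROUP = [security_policy_rule]

def request(user: str, authenticated: bool, dhcp_ok: bool, hour: int) -> dict:
    # Constructed Usage Entity request; the date is fixed so only the hour matters.
    return {"user": user, "authenticated": authenticated,
            "dhcp_lease_valid": dhcp_ok, "time": datetime(1999, 3, 27, hour)}
```

Only a request that passes the outer SecurityPolicyRule and the inner DHCPLeasePolicy produces the BB and Audit actions, in that order; a failed outer condition skips the whole nested block, which is the ordering the slide describes.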
Workitems at U of U
• Refine the PC model and elaborate it in various application areas.
• Establish PC/Authorization requirements for various types of applications. (Current workitem of the IETF AAA workgroup)
• Establish a Discrete Event Simulation Model where sets of PolicyRules control a simulated resource world (e.g. a Diffserv network) and investigate operational behavior.

Short term Workitems at U of U
• Establish LDAP infrastructure
• Look at Directory Enabled switches and routers (IBM/Cabletron) and their (policy) management.
• Experiment with router ACL policies (permit/deny users or user-groups) and allow conflict resolution and scheduling of policies.
  • "User" may be SIA, Source Port etc. "Group" is a list of SIAs, ports etc.
• Start Chip-card project for user authentication.

Long Term
• Consider a network as an 'E-commerce resource', e.g. 'pay' for economic network resources based on complex policies.
• Will it solve the U of U '7 kingdom' problem for remote collaboration (DYNACORE project)?
• Does a PC system allow a Policy Round Trip time which is application driven (anywhere from seconds to months)?

Workgroup Request
• Think about requirements for PC/Authorization in terms of:
  • 'policy round trip time' (seconds .. months)
  • Who should determine level of service: receiver, source, both?
  • Should there be (re-)negotiation?
  • Should anyone pay (be accounted for)?
  • Is authentication necessary?
  • Example: www.phys.uu.nl/~delaat/usercases.html
• Suggestions for work areas

Acknowledgements
• This work is supported by
  • SURFnet bv
  • Cabletron Systems EMEA
  • European Commission, DG XIII, Telematics Applications Programme, Telematics for Research
    • RE 1008 REMOT
    • RE 4005 Dynacore
The following persons made significant contributions to this project: Betty de Bruijn, Phil Chimento, Victor Reijs, Sue Hares, John Vollbrecht, Kurt Dobbins and the Computational Physics group at the UU