AAA-ARCH (1 of 14)

IRTF-RG
Authentication Authorisation and Accounting ARCHitecture Research Group
chairs: C. de Laat, J. Vollbrecht

Content of this talk has contributions from many persons including:
B. de Bruijn, C&K Dobbins, S. Farrell, G. Gross, L. Gommans, D. Spence, E. Verharen, T. Verschuren, T. Zseby
Applications (2 of 14)

• Applications
  –Network Access
  –Bandwidth Broker
  –Authorization of resources living in
   many administrative domains
  –Budget system
  –Library system
  –Computer based education system
  –E-Commerce
  –Micro-payments
  –Car Rental
  –Daily life
Multi Kingdom Problem (3 of 14)

Physics-UU to IPP-FZJ => 7 kingdoms
–Netherlands
  »Physics dept
  »Campus net
  »SURFnet
–Europe
  »TEN 155
–Germany
  »WINS/DFN
  »Juelich, Campus
  »Plasma Physics dept

[Figure: network path from the Physics dept in Utrecht to Jülich; link labels "USA line", 3 ms, 2.5 ms and 17 ms]
The need for AAA (4 of 14)

[Figure: an End user in Kingdom N reaches a Remote service in Kingdom N+1; each kingdom has routers (R), a Bandwidth Broker (BB) with its own management, and an AAA function; the relations between the two AAA functions and between the two BBs are marked "?", and AAA is linked to $$$]
Roaming “Agent” Authorization Model (5 of 14)

[Figure: User, User Home Organization (AAA Server), Service Provider (AAA Server, Service Equipment). Numbered steps: 1 Request from the User to the home AAA Server; 2 from the home AAA Server towards the Service Provider AAA Server; 3 between the Service Provider AAA Server and the Service Equipment; 4 Approved back to the User; 5 use service at the Service Equipment. Arrows labelled Conditional Approval and Commit Approval]
Example application: bandwidth brokerage at Enterprise/Service Provider boundary
Roaming “Pull” Authorization Model (6 of 14)

[Figure: User, User Home Organization (AAA Server), Service Provider (AAA Server, Service Equipment). Numbered steps: 1 Request from the User to the Service Equipment, passed on to the Service Provider AAA Server; 2 from the Service Provider AAA Server; 3 between the Service Provider AAA Server and the home AAA Server; 4 Approved back via the Service Equipment to the User; 5 use service. Arrows labelled Conditional Approval and Commit Approval]
Example applications: Mobile IP, PPP dial-in to NAS
Roaming “Push” Authorization Model (7 of 14)

[Figure: User, User Home Organization (AAA Server), Service Provider (AAA Server, Service Equipment). Numbered steps: 1 Request from the User to the home AAA Server; 2 Conditional Approval with ticket back to the User; 3 Request with ticket from the User to the Service Provider AAA Server; 4 Approved, via the Service Equipment, to the User; 5 use service]
Example application: Internet printing, where file and print servers are in different admin domains
AAA Server building block (8 of 14)

Rule example: Auth_A = (B>9) .or. C .and. D

[Figure: Generic AAA server with a Rule based engine, connected through an API to an Application Specific Module and to repositories holding Auth rules and Events; communication paths numbered 1 (into and out of the Generic AAA server), 2 and 3]

Types of communication:
1: “The” AAA protocol
2: interface (API) to app specific module (addressing!)
3: interface (API or connection) to repositories (e.g. LDAP)
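As an added example (not code from the slides or from the research group), a fail-closed evaluator for authorization rules in the notation shown above. It assumes Fortran-style precedence (.and. binds tighter than .or.), integer literals and the comparisons < > <= >= ==, and that attribute values are handed in by the application specific module as a dict; the attribute names are the slide's B, C and D.

```python
import operator
import re
# Added example, not code from the AAA-ARCH slides. Assumed grammar for rules written
# like "Auth_A = (B>9) .or. C .and. D": .and. binds tighter than .or. (Fortran style),
# integer literals, comparisons < > <= >= ==; unknown attributes or bad syntax deny.
TOKEN = re.compile(r"\.or\.|\.and\.|[()]|[<>]=?|==|\w+", re.IGNORECASE)
COMPARE = {"<": operator.lt, ">": operator.gt, "<=": operator.le, ">=": operator.ge, "==": operator.eq}

def tokenize(expr: str) -> list:
    toks = [t.lower() for t in TOKEN.findall(expr)]
    if "".join(toks) != "".join(expr.split()).lower():  # any unmatched character is an error
        raise ValueError(f"bad token in {expr!r}")
    return toks

class Parser:
    def __init__(self, tokens, attrs):
        self.t, self.i, self.attrs = tokens, 0, attrs
    def peek(self): return self.t[self.i] if self.i < len(self.t) else None
    def take(self): self.i += 1; return self.t[self.i - 1]
    def chain(self, op, sub, combine):
        v = sub()
        while self.peek() == op:  # both sides are parsed: a bad right operand denies
            self.take(); r = sub(); v = combine(v, r)
        return v
    def expr(self): return self.chain(".or.", self.and_expr, lambda a, b: a or b)
    def and_expr(self): return self.chain(".and.", self.primary, lambda a, b: a and b)
    def primary(self):
        if self.peek() == "(":
            self.take(); v = self.expr()
            if self.take() != ")": raise ValueError("missing ')'")
            return v
        left = self.operand()
        if self.peek() in COMPARE:
            return COMPARE[self.take()](left, self.operand())
        return bool(left)
    def operand(self):
        tok = self.take()
        return int(tok) if tok.isdigit() else self.attrs[tok]  # KeyError: unknown attribute

def evaluate(rule: str, attrs: dict) -> tuple:
    """Evaluate 'Name = expr' against attribute values (e.g. from the app specific module)."""
    name, _, expr = (s.strip() for s in rule.partition("="))
    try:
        p = Parser(tokenize(expr), {k.lower(): v for k, v in attrs.items()})
        result = p.expr()
        if p.peek() is not None: raise ValueError("trailing tokens")
    except (KeyError, ValueError, IndexError, TypeError):
        result = False  # fail closed
    return name, bool(result)
```

With B=10 the rule grants even though C and D are false, while B=5, C true and D false denies, which is only correct if .and. binds tighter than .or.; a missing attribute denies rather than granting.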
Pushing the buttons (9 of 14)

[Figure: the same Generic AAA server / Rule based engine with Policy and Events repositories (paths 1, 2, 3) and the Application Specific Module; an added path 5 goes from the Application Specific Module to the Service]

Types of communication:
5: Towards service (e.g. COPS, CLI, SNMPv3)
Legacy protocols (10 of 14)

[Figure: the same Generic AAA server / Rule based engine with Policy and Events repositories (paths 1, 2, 3) and the Application specific Module; an added path 4 enters the Application specific Module from outside]

Types of communication:
4: Legacy protocols (Radius, Diameter, …)
Gateway (11 of 14)

[Figure: the same Generic AAA server / Rule based engine with Policy and Events repositories (paths 1, 2, 3) and the Application specific Module; a gateway (GW) receives legacy protocol traffic on path 4 and connects to the Generic AAA server over path 1 and to the Application specific Module over path 2]
AAA Server with Accounting as Separate Service (12 of 15)

[Figure: Generic AAA server / Rule based engine (path 1) with Policy and Events repositories (path 3), connected over path 2 to both an Application Specific Module and a separate Accounting Module; the Application Specific Module drives the Service (path 5), the Accounting Module drives Metering (path 6) and stores Acct Data (path 3)]
AAA Server with Accounting as Part of the Service (13 of 16)

[Figure: Generic AAA server / Rule based engine (path 1) with Policy and Events repositories (path 3), connected over path 2 to the Application specific Module; the module drives both the Service and a combined Accounting/Metering function (path 5), which stores Acct Data (path 3)]
Example: Interaction with Authorization (14 of 16)

[Figure: User, Visited ISP (AAA Server, Service Equipment with Meters and Collectors) and Home ISP (AAA Server, Charging & Billing with Charging Policies). Numbered steps: 1 from the User to the Visited ISP AAA Server; 2 AAA Server to Service Equipment (configuration); 3 ARs; 4 Service parameters including Accounting Policy from the Home ISP AAA Server; 5; 6 at the Service Equipment; 7 Accounting Records (ARs) from the Collectors; 8 ARs to Charging & Billing; Bill to the User (optional online charging)]
Generic AAA Agent Model (15a of 16)

[Figure: several interconnected AAA servers; picture not recoverable]
Future AAA Application (ASP) (15b of 16)

[Figure: on the ISP's side, a User-Home Organ., a Bandwidth Broker and a Financial Organ., each with AAA, a User with AAA, the Internet, and a Layer 3/4 Switch with AAA and Service Profiles; on the ASP side, Content Servers, each with AAA]
RG-Goals-1 (15c of 16)

Specific goals of the RG are:
• develop generic AAA model by specifically including
  Authentication and Accounting
• develop auditability framework specification that allows
  the AAA system functions to be checked in a multi-
  organization environment
• develop a model that supports management of a "mesh"
  of interconnected AAA Servers
• define distributed policy framework, coordinate with
  policy framework WG and others
• develop an accounting model that allows authorization to
  define the type of accounting processing required for
  each session
RG-Goals-2 (15d of 16)

Specific goals of the RG are:
• implement a simulation model that allows
  experimentation with the proposed architectural
  models (also work on an emulation)
• describe interdomain issues using generic model
• work with AAA WG to align short term AAA protocol
  requirements with long term requirements as much
  as possible
• complete the work in Q4 - 2000 (ambitious)


Research Group - info (16 of 16)
• Research Group Name: AAAARCH - RG
• Chair(s)
  – John Vollbrecht    --     jrv@merit.edu
  – Cees de Laat       --     delaat@phys.uu.nl
• Web page
  – www.irtf.org
  – www.phys.uu.nl/~wwwfi/aaaarch
• Mailing list(s)
  – aaaarch@fokus.gmd.de
  – For subscription to the mailing list, send e-mail to
     majordomo@fokus.gmd.de with content of message
     subscribe aaaarch
     end
  – will be archived, retrieval with frames and in plain ascii:
     » http://www.fokus.gmd.de/glone/research/aaaarch/
     » http://www.fokus.gmd.de/glone/research/mail-archive/aaaarch-current
     » ftp://ftp.fokus.gmd.de/pub/glone/mail-archive/aaaarch-current