TF-TANT Policy Control PowerPoint PPT Presentation



Presentation Transcript



TF-TANT Policy Control

Leon Gommans

University of Utrecht/Cabletron EMEA

www.phys.uu.nl/~lgommans

email: [email protected]



Policy Control Workgroup

  • Participants: BE, CH, FR, ES, IT, NL

  • Currently in Research Phase (Q1/Q2 1999).

  • Objectives:

    • Identify position and scope of work

    • Increase knowledge of the working area

    • Relationship with other areas

  • Identify goals and requirements for tests



Positioning of work

  • Establish & Refine Service Access model

    • Assume a high level model and verify/detail it.

    • Position related standards, standardisation efforts and principles

      • COPS, DIAMETER, PFDL, Policy Schemas, DEN

      • Policy definition, management, distribution, association, relationship to AAA, security aspects etc.

    • Identify research work already done/in progress

      • Internet2/Qbone, Merit BB and AAA server

      • Globus Distributed Compute Clusters



Policy Control Scope

  • Establish scope for Policy Control (PC) tests

    • Main driver: the relation of PC to QoS networking (diffserv)

    • PC is perceived useful with services such as VPN, E-commerce, Content Services, Roaming, NAS, etc.

    • The authorization part of the IETF AAA work is strongly related.

    • PC involves policy aggregation and management.

    • Should we look at QoS (Bandwidth Brokerage) only, or?



Generic Service Access Model

[Diagram: Generic Service Access Model, "High level model - 4th iteration", Leon Gommans / Betty de Bruijn, 1999-03-02. Labels on the slide: Management (Configuration, Statistics, Accounting, Audit); Usage Entity; Authentication Point; Authorization; Service Entity; Trust Authorities; Identity; Challenge; Policy Engine (Admission, Logging); Environment Attributes; Integrity knowledge; Authorization Attributes; SLA => Rules => Actions; Request; Trust relationship; Service Interaction.]


Multi-domain Model

[Diagram: Multi-domain Model. The access model components (Management, Trust Authorities, Authentication Point, Authorization, Service Entity) are repeated once per domain; further labels: Usage Entity, Identity, Environment, Request.]



IETF Policy Framework

[Diagram: IETF Policy Framework. Labels on the slide: Device Management; Policy Management; PEP; PDP; Policy Engine (Admission, Logging); Rules => Actions; Request; COPS, SNMP, Telnet/CLI; Configuration, Statistics, Accounting, Audit; Policy Framework LDAP Directory; definition of PolicyRules and actions: PFDL.]



DEN Relationship

[Diagram: DEN Relationship, same layout as the IETF Policy Framework slide (Device Management; Policy Management; PEP; PDP; Policy Engine with Admission and Logging; Rules => Actions; Request; COPS, SNMP, Telnet/CLI; Configuration, Statistics, Accounting, Audit). Note on the slide: the Policy Framework Schema is based on DMTF CIM work and would allow links to a DEN LDAP directory.]



Policy Conditions and Actions

[Class diagram: PolicyGroup, PolicyRule, PolicyCondition, PolicyTimePeriodCondition, PolicyAction.]



PolicyRule Example

Example:

    IF SecurityPolicyRule is satisfied THEN
        IF DHCPLeasePolicy is satisfied THEN
            Execute QoSPolicies
            Execute AuditingPolicies
        ENDIF
    ENDIF

PolicyConditions and PolicyActions may call functions such as Authentication functions and Service type functions such as a Bandwidth Broker or Auditing. PolicyRules have a notion of order.
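The nested rule above, run through a small policy engine: an added example written for this page (not code from the TF-TANT work or from any policy product), using the slide's class names PolicyRule, PolicyCondition, PolicyTimePeriodCondition and PolicyAction; the request attributes (authenticated, integrity_ok, dhcp_lease, hour) and the office-hours time period are constructed. The same rule reappears in the Access Model slide as "if secure then if DHCP then BB; Audit", with the Bandwidth Broker standing for the QoS action.

```python
# Added illustration (not from the TF-TANT slides): the deck's PolicyRule
# example evaluated by a toy engine using the slide's class names. Request
# attribute names and the office-hours time period are constructed here.
from typing import Callable, Dict, List

class PolicyCondition:
    def __init__(self, name: str, test: Callable[[Dict], bool]):
        self.name, self.test = name, test

class PolicyTimePeriodCondition(PolicyCondition):
    """True when start_hour <= request hour < end_hour; no hour attribute fails closed."""
    def __init__(self, name: str, start_hour: int, end_hour: int):
        super().__init__(name, lambda r: start_hour <= r.get("hour", -1) < end_hour)

class PolicyAction:
    def __init__(self, name: str):
        self.name = name

class PolicyRule:
    def __init__(self, name, conditions, actions, priority=0):
        self.name, self.conditions, self.actions = name, conditions, actions
        self.priority = priority  # PolicyRules have a notion of order

    def satisfied(self, req: Dict) -> bool:
        return all(c.test(req) for c in self.conditions)  # all conditions must hold

    def as_condition(self) -> PolicyCondition:
        # Nest this rule inside another: IF <rule> is satisfied THEN ...
        return PolicyCondition(f"{self.name} is satisfied", self.satisfied)

def evaluate(group: List[PolicyRule], req: Dict) -> List[str]:
    """Run a PolicyGroup in priority order; return names of executed actions."""
    executed: List[str] = []
    for rule in sorted(group, key=lambda r: r.priority):
        if rule.satisfied(req):
            executed.extend(a.name for a in rule.actions)
    return executed

# The deck's example. Missing request attributes default to False (deny).
security_rule = PolicyRule("SecurityPolicyRule", [
    PolicyCondition("authenticated", lambda r: r.get("authenticated", False)),
    PolicyCondition("integrity ok", lambda r: r.get("integrity_ok", False))], [])
dhcp_rule = PolicyRule("DHCPLeasePolicy", [
    security_rule.as_condition(),
    PolicyCondition("has DHCP lease", lambda r: r.get("dhcp_lease", False)),
    PolicyTimePeriodCondition("office hours", 8, 18)],
    [PolicyAction("Execute QoSPolicies"), PolicyAction("Execute AuditingPolicies")],
    priority=1)
POLICY_GROUP = [security_rule, dhcp_rule]

def decide(**attrs) -> List[str]:
    """Evaluate the group for one request, e.g. decide(authenticated=True, hour=10)."""
    return evaluate(POLICY_GROUP, attrs)
```

Because the outer security rule is wrapped as a condition of the inner rule, a failed authentication or integrity check means no QoS or auditing action runs at all, and a request lacking an attribute is denied rather than assumed valid.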



Example in Access Model

[Diagram: the Generic Service Access Model ("High level model - 4th iteration", Leon Gommans / Betty de Bruijn, 1999-03-27) with the PolicyRule example inserted:

    if secure then
      if DHCP then
        BB; Audit;
    endif; endif;

Other labels as on the Generic Service Access Model slide: Management (Configuration, Statistics, Accounting, Audit); Usage Entity; Authentication Point; Authorization; Service Entity; Trust Authorities; Identity; Challenge; Policy Engine (Admission, Logging); Environment Attributes; Integrity knowledge; Authorization Attributes; Request; Trust relationship; Service Interaction.]



Workitems at U of U

  • Refine the PC model and elaborate it in various application areas.

  • Establish PC/Authorization requirements for various types of applications (current work item of the IETF AAA working group).

  • Establish a Discrete Event Simulation Model in which sets of PolicyRules control a simulated resource world (e.g. a Diffserv network) and investigate its operational behavior.



Short term Workitems at U of U

  • Establish LDAP infrastructure

  • Look at Directory Enabled switches and routers (IBM/Cabletron) and their (policy) management.

  • Experiment with router ACL policies (permit/deny users or user groups) and allow conflict resolution and scheduling of policies.

  • A “User” may be an SIA, Source Port, etc.; a “Group” is a list of SIAs, ports, etc.

  • Start Chip-card project for user authentication.



Long Term

  • Consider a network as an ‘E-commerce resource’, e.g. ‘pay’ for economic network resources based on complex policies.

  • Will it solve the U of U ‘7 kingdom’ problem for remote collaboration (DYNACORE project)?

  • Does a PC system allow a policy round-trip time that is application driven (anywhere from seconds to months)?



Workgroup Request

  • Think about requirements for PC/Authorization in terms of:

    • ‘policy round-trip time’ (seconds .. months)

    • Who should determine the level of service: receiver, source, or both?

    • Should there be (re-)negotiation?

    • Should anyone pay (be accounted for)?

    • Is authentication necessary?

    • Example: www.phys.uu.nl/~delaat/usercases.html

  • Suggestions for work areas



Acknowledgements

  • This work is supported by

    • SURFnet bv

    • Cabletron Systems EMEA

    • European Commission, DG XIII

      • Telematics Applications Programme Telematics for Research

        • RE 1008 REMOT

        • RE 4005 Dynacore

The following persons made significant contributions to this project:

Betty de Bruijn, Phil Chimento, Victor Reijs, Sue Hares, John Vollbrecht, Kurt Dobbins and the Computational Physics group at the UU

