AAAARCH

IRTF - AAAARCH - RG
Authentication Authorisation Accounting ARCHitecture RG

chairs: C. de Laat and J. Vollbrecht
www.phys.uu.nl/~wwwfi/aaaarch
RFC 2903, 2904, 2905, 2906



Basic AAA

  • Service perspective:

    • Who is it who wants to use my resource?

      • Establish a security context (authentication)

    • Do I allow them to access my resource?

      • Create a capability / ticket / authorization

    • Can I track the usage of the resource?

      • Track usage according to the policy that applies to the type of request (accounting)

  • User perspective

    • Where do I find this or that service?

    • What am I allowed to do?

    • What do I need to do to get authorization?

    • What does it cost?

  • Intermediaries perspective

    • Service creation

    • Brokerage / portals

  • Organizational perspective

    • What do I allow my people to do?

    • Contractual relationships (SLAs)


Roles

(Figure: users (USER) at universities (UNI); the national research networks SURFnet, DFN, REDIRIS and SWITCH; and GEANT/DANTE.)


Authorization Models

(Figure: three message sequences, AGENT, PULL and PUSH, each with numbered steps between the User, the User Home Organization (UHO) AAA server, the Provider AAA server and the Service.)
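The three sequences, simulated end to end, as an added example that is not code from the AAAARCH RG or the slides. It follows the agent, pull and push sequences as RFC 2904 describes them: in the agent model the user talks only to the AAA server, which configures the service equipment; in the pull model the user asks the service, which asks the AAA server; in the push model the AAA server hands the user a capability that the service verifies on its own. The AAA server, service equipment, policy table, user names and the ticket format (JSON body plus HMAC-SHA256 under a key shared between AAA server and service) are constructions of this example, not something the slides prescribe; an in-process call stands in for each network message.

```python
"""The agent, pull and push authorization sequences simulated end to end.

Added example for this slide; not code from the AAAARCH RG. The AAA server,
the service equipment, the policy table and the users below are constructed
for illustration, and the ticket format (JSON body + HMAC-SHA256) is this
example's own choice.
"""
import hashlib
import hmac
import json
import time

# Constructed policy: per user, the maximum amount of each service allowed.
POLICY = {
    "alice": {"bandwidth": 10},
    "bob": {"bandwidth": 2},
}


class AAAServer:
    """Evaluates policy; in the push model it also mints signed capabilities."""

    def __init__(self, key: bytes):
        self.key = key          # shared with the service equipment (push model)
        self.events = []        # event/accounting log, one entry per decision

    def authorize(self, user: str, service: str, amount: int) -> bool:
        limit = POLICY.get(user, {}).get(service)
        granted = limit is not None and amount <= limit
        self.events.append(("authorization", user, service, amount, granted))
        return granted

    def issue_ticket(self, user: str, service: str, amount: int, ttl: int = 60):
        """Push model: return a capability the user carries to the service."""
        if not self.authorize(user, service, amount):
            return None
        body = {"user": user, "service": service, "amount": amount,
                "exp": int(time.time()) + ttl}
        raw = json.dumps(body, sort_keys=True)
        mac = hmac.new(self.key, raw.encode(), hashlib.sha256).hexdigest()
        return raw + "." + mac


class ServiceEquipment:
    """Provisions sessions; asks the AAA server (pull) or checks tickets (push)."""

    def __init__(self, aaa: AAAServer, key: bytes):
        self.aaa = aaa
        self.key = key
        self.sessions = []

    def provision(self, user: str, service: str, amount: int) -> bool:
        self.sessions.append((user, service, amount))
        return True

    def pull_request(self, user: str, service: str, amount: int) -> bool:
        """Pull model: user asks the service, the service asks the AAA server."""
        return self.aaa.authorize(user, service, amount) and \
            self.provision(user, service, amount)

    def push_request(self, ticket: str, service: str, amount: int) -> bool:
        """Push model: verify the capability locally, no AAA round trip."""
        raw, _, mac = ticket.rpartition(".")    # the hex MAC contains no '.'
        expected = hmac.new(self.key, raw.encode(), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(mac, expected):
            return False                        # forged or tampered ticket
        body = json.loads(raw)
        if body["exp"] < time.time():
            return False                        # expired capability
        if body["service"] != service or amount > body["amount"]:
            return False                        # ticket does not cover this request
        return self.provision(body["user"], service, amount)


def agent_model(aaa: AAAServer, eq: ServiceEquipment,
                user: str, service: str, amount: int) -> bool:
    """Agent model: the user talks only to the AAA server, which configures
    the service equipment on the user's behalf."""
    return aaa.authorize(user, service, amount) and eq.provision(user, service, amount)


if __name__ == "__main__":
    key = b"constructed-shared-secret"
    aaa = AAAServer(key)
    eq = ServiceEquipment(aaa, key)
    print("agent :", agent_model(aaa, eq, "alice", "bandwidth", 5))
    print("pull  :", eq.pull_request("bob", "bandwidth", 5))
    ticket = aaa.issue_ticket("alice", "bandwidth", 8)
    print("push  :", eq.push_request(ticket, "bandwidth", 8))
```

The push case is where the security context leaves the AAA server: the service must check the MAC, the expiry, and that the request stays within what the ticket grants, because nothing else stops a user from editing the body. The pull and agent cases keep the decision on the AAA server and need no ticket, at the cost of a round trip (pull) or of the AAA server having to reach the service equipment (agent).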


Starting point

(Figure: a Generic AAA server built from a Rule based engine with its Policy API and PDP, Policy and Data stores, and an Application Specific Module; it connects to the Service, which holds the Accounting/Metering function, the PEP and the Acct Data. Numbered arrows 1 to 5 and 4' mark the message flow between them.)


Multi domain case



Basic principles

Principles of Generic AAA

Three building blocks:

RBE (Rule Based Engine)

ASM (Application Specific Module)

Service Equipment

There is a global address space between the RBE and the ASM.

The RBE contains only generic logic; all application-specific logic lives in the ASMs.

The relationship between AAA servers is symmetric.

Different servers may have different capabilities.
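The RBE/ASM split in working code, as an added example that is not code from the AAAARCH RG or the slides. The Rule Based Engine holds policy as data and only knows how to resolve names in a shared address space and compare values; everything about the service (here a constructed bandwidth ASM that stands in for the service equipment interface) lives in the ASM, and every decision leaves an accounting record. The rule syntax (a small subset of Python expressions over Request.*, Policy.* and <asm>.* names), the BandwidthASM and the requests are this example's own constructions.

```python
"""A generic AAA server in miniature: Rule Based Engine (RBE), an Application
Specific Module (ASM) and accounting, with policy kept as data.

Added example for this slide; not code from the AAAARCH RG. The rule syntax,
the BandwidthASM and the requests are this example's constructions.
"""
import ast
import operator

_OPS = {ast.Lt: operator.lt, ast.LtE: operator.le, ast.Gt: operator.gt,
        ast.GtE: operator.ge, ast.Eq: operator.eq, ast.NotEq: operator.ne}
_ALLOWED = (ast.Expression, ast.BoolOp, ast.And, ast.Or, ast.Compare,
            ast.Attribute, ast.Name, ast.Constant, ast.Call, ast.Load) + tuple(_OPS)


def _check(tree: ast.AST) -> None:
    """Reject anything outside the rule subset, so a policy file cannot turn
    into arbitrary code (no builtins, no dunder access, no bare function calls)."""
    for node in ast.walk(tree):
        if not isinstance(node, _ALLOWED):
            raise ValueError(f"construct not allowed in rules: {type(node).__name__}")
        if isinstance(node, ast.Attribute) and node.attr.startswith("_"):
            raise ValueError(f"private attribute not allowed: {node.attr}")
        if isinstance(node, ast.Call) and not isinstance(node.func, ast.Attribute):
            raise ValueError("only ASM method calls are allowed")


def _resolve(node, ns):
    """Evaluate a rule node against the global address space `ns`."""
    if isinstance(node, ast.Constant):
        return node.value
    if isinstance(node, ast.Name):
        return ns[node.id]
    if isinstance(node, ast.Attribute):
        base = _resolve(node.value, ns)
        return base[node.attr] if isinstance(base, dict) else getattr(base, node.attr)
    if isinstance(node, ast.Call):
        return _resolve(node.func, ns)(*[_resolve(a, ns) for a in node.args])
    if isinstance(node, ast.Compare):
        left = _resolve(node.left, ns)
        for op, comparator in zip(node.ops, node.comparators):
            right = _resolve(comparator, ns)
            if not _OPS[type(op)](left, right):
                return False
            left = right
        return True
    if isinstance(node, ast.BoolOp):
        values = [_resolve(v, ns) for v in node.values]
        return all(values) if isinstance(node.op, ast.And) else any(values)
    raise ValueError(type(node).__name__)


class BandwidthASM:
    """Application specific: stands in for the service equipment interface."""

    def __init__(self, capacity: int):
        self.capacity = capacity
        self.allocated = 0

    def available(self) -> int:
        return self.capacity - self.allocated

    def reserve(self, amount: int) -> bool:
        if amount > self.available():
            return False
        self.allocated += amount
        return True


class RuleBasedEngine:
    """Generic: holds rules as text, resolves names through the ASM registry."""

    def __init__(self):
        self.asms = {}          # the global address space shared with the ASMs
        self.rules = []         # (condition, action) pairs, parsed and checked once
        self.accounting = []    # one record per decision

    def register(self, name: str, asm) -> None:
        self.asms[name] = asm

    def add_rule(self, condition: str, action: str) -> None:
        cond_tree = ast.parse(condition, mode="eval")
        act_tree = ast.parse(action, mode="eval")
        _check(cond_tree)
        _check(act_tree)
        self.rules.append((cond_tree.body, act_tree.body))

    def evaluate(self, request: dict, policy: dict) -> bool:
        ns = dict(self.asms, Request=request, Policy=policy)
        granted = False
        for cond, act in self.rules:
            if _resolve(cond, ns):           # first matching rule decides
                granted = bool(_resolve(act, ns))
                break
        self.accounting.append({"user": request.get("user"),
                                "request": dict(request), "granted": granted})
        return granted


if __name__ == "__main__":
    rbe = RuleBasedEngine()
    rbe.register("bw", BandwidthASM(capacity=10))
    rbe.add_rule("Request.service == 'bw' and Request.amount <= Policy.max_bw "
                 "and Request.amount <= bw.available()",
                 "bw.reserve(Request.amount)")
    print(rbe.evaluate({"user": "alice", "service": "bw", "amount": 6}, {"max_bw": 8}))
```

The point of `_check` is the caveat a practitioner wants here: once policy is data that an operator (or, in the multi-domain case, a peer AAA server) can supply, the engine that interprets it is an attack surface, so the interpreter accepts only names, comparisons, boolean operators and ASM method calls, and refuses private attributes. A production engine would use a dedicated policy language rather than a Python subset.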



Message types

  • Service request/reply

  • Authorization request/reply

  • Solicit Service Offer request/reply

  • Authentication request/reply

  • Authentication Challenge request/reply

  • Policy request/reply

  • Policy Evaluation request/reply

  • Data request/reply

  • Event Log indication/confirmation

  • Accounting indication/confirmation

  • Service (session) Configuration indication/confirmation

  • Service (session) Management indication/confirmation

  • Capability request/reply (supports resource discovery)



Top Level Objects

  • Identity

  • Authentication Data

  • Authentication Challenge

  • Service Data

  • Service Offer

  • Answer

  • Error

  • Policy

    • [service specification policy, authorization policy, provisioning policy, configuration policy, accounting policy, metering policy]

  • Policy Reference

  • Policy Data

  • Configuration Data

  • Service Management

  • Accounting

  • Event



Issues

  • Relationships in the pictorial model

  • Type 1 - 7 communication

  • Internal structure of the model

  • Global addressing space

  • Refine the layered model

  • Scalable AAA server model



Research Group - info

  • Research Group Name: AAAARCH - RG

  • Chair(s)

    • John Vollbrecht -- [email protected]

    • Cees de Laat -- [email protected]

  • Web page

    • www.irtf.org

    • www.phys.uu.nl/~wwwfi/aaaarch

  • Mailing list(s)

    • [email protected]

    • To subscribe to the mailing list, send e-mail to [email protected] with the message content:

      subscribe aaaarch

      end

    • The list is archived; retrieval with frames and in plain ASCII:

      • http://www.fokus.gmd.de/glone/research/aaaarch/

      • http://www.fokus.gmd.de/glone/research/mail-archive/aaaarch-current

      • ftp://ftp.fokus.gmd.de/pub/glone/mail-archive/aaaarch-current

