Inter-Domain Policy Architecture

Presentation Transcript

  1. Inter-Domain Policy Architecture
     Shai Herzog
     IETF-47 AAA Arch

  2. Goal
     • Describe a model for
       • Policy based
       • Network authorization system
       • Inter-Domain negotiations
     • Scalable and Tractable
     • Simple and Practical approach
     • Used in IPHighway’s OPS policy system

  3. Base Assumptions
     • Need E-2-E “service”
       • Involving any number of intermediate domains
     • Explicit rather than Implicit service requests
     • N-Way negotiations ruled out
     • N-Way negotiations (all domains along data path)
       • Is non-scalable exponentially!
       • Cannot be effectively enforced.
     • Stay within the bilateral agreement model

  4. Why not N-Way?
     [Diagram: domains A, C, B, …; caption: “May continue forever…”]

  5. Bilateral Negotiations
     [Diagram: Policy Server, Policy Server, domains B and A; labels “COPS?”, “Diameter?”, “RSVP?”]

  6. Bilateral Interface
     • Request/Response transactions
     • Grantor and Grantee
       • With contractual relationship
     • Persistent connection
     • Grantee describes desired service
     • Grantor approves, modifies, rejects or revokes service
     • Grantor assumes responsibility for the service
     • Cascading bilateral transactions achieve E-2-E

  7. Stock Brokerage Analogy
     • Analogous Market tools:
       • Futures market
       • Margin trading
       • Options, short, call, put, etc.
       • …Selling stocks you don’t have (yet ;-)
     • Service is (almost) always possible
     • Long term adjustments are always possible
     • The issue is the price (diverting to other service providers).
     • Service must be revocable

  8. Conclusions
     • Model is simple and scalable
     • Easily enforced
     • Grantor assumes full responsibility
     • In N-Way negotiations no one assumes responsibility!
       (End user deals with multiple domains)
     • E-2-E guarantee is probable, not absolute
     • Policy translation between domains may be lossy
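
The cascading bilateral transactions of slide 6, and the single grantor the end user deals with in slide 8, sketched as an added Python example (not from the presentation or from IPHighway's OPS). The `Domain` class, the bandwidth figure in Mb/s as the "desired service", and the per-domain `limit` policy are assumptions made for illustration.

```python
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple

@dataclass(eq=False)
class Domain:
    """Policy server of one administrative domain (constructed model)."""
    name: str
    limit: int                              # assumed policy: max Mb/s granted per request
    next_hop: Optional["Domain"] = None     # the one domain we hold a contract with
    grants: Dict[str, Tuple[Optional["Domain"], int]] = field(default_factory=dict)

    def request(self, req_id, grantee, mbps, log):
        """Act as grantor. Returns granted Mb/s: 0 = reject, < mbps = modify."""
        offer = min(mbps, self.limit)       # local policy decision
        if offer and self.next_hop:         # become grantee of the next domain
            offer = self.next_hop.request(req_id, self, offer, log)
        if offer:
            self.grants[req_id] = (grantee, offer)   # we now answer for the service
        log.append((grantee.name if grantee else "user", self.name, mbps, offer))
        return offer

    def revoke(self, req_id):
        """Drop the grant and notify only the two bilateral neighbours."""
        entry = self.grants.pop(req_id, None)
        if entry is None:
            return                          # already revoked: stops the cascade
        grantee, _ = entry
        if grantee:
            grantee.revoke(req_id)          # tell the party we granted to
        if self.next_hop:
            self.next_hop.revoke(req_id)    # release what we were granted

def chain(*limits):
    """Build domains A, B, C, ... with the given per-domain limits."""
    doms = [Domain(chr(ord("A") + i), lim) for i, lim in enumerate(limits)]
    for up, down in zip(doms, doms[1:]):
        up.next_hop = down
    return doms

def negotiate(doms, mbps, req_id="r1"):
    """The end user talks to the first domain only."""
    log = []
    return doms[0].request(req_id, None, mbps, log), log

if __name__ == "__main__":
    doms = chain(10, 4, 8)                  # constructed limits for A, B, C
    print(negotiate(doms, 6))               # B's limit modifies the request end to end
    doms[2].revoke("r1")                    # C revokes; the cascade clears A and B too
    print([len(d.grants) for d in doms])
```

Each log entry is one grantee/grantor transaction, so a path of n domains costs n transactions and no domain ever contacts a non-neighbour.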