Generic Policy Grammar for AAA Environments
Explore the draft on developing a grammar for policies in a generic AAA environment. Understand object trees, service replies, policy evaluation, and more. Examples showcase policy driving in authentication using Perl and JavaScript. Find insights on action lists and return trees.
Presentation Transcript
AAAARCH Research Group
A grammar for Policies in a generic AAA Environment
<draft-ietf-aaaarch-generic-policy-01.txt>
A. Taal, G. Sliepen, A.E. Hemel, C.T.A.M. de Laat
Changes
• References: AVPs --> Objects
• AAA Message Types
• No type checking
Object references
• Request
  • Identity
    • PassW

  if ( Query = getPassword( userid = Request.Identity.UserID )
       && Request.Identity.PassW == Query.PassW )
  then ( … )
  else ( … )
Request / Service Reply
• Answer
• ServiceData

  // Action list
  A1 = getSwitchSettings( ) ;
  A2 = getConnectionList( ) ;
  A1.Connections = A2.Connections ;
  Reply.ServiceData.Settings = A1
Object trees
[figure: example object trees with nodes A, B, C, D, E, P, Q, R, S; the drawing itself is not recoverable from the transcript]
• leaf: int | float | string
• A.B = P          (assign a whole tree to a node)
• A.B = K.L.M      (assign a subtree reached by a dotted path)
AAA Message Types: Authentication
Request
• Identity
• AuthenticationData
Reply
• Answer
! One-to-one mapping: Requests <---> Driving Policies
PolicyRef (remote AAA server):
  Reply = Authentication@146.50.0.23( Identity = Request.Identity,
                                      AuthenticationData = Request.AuthenticationData )
AAA Message Types: Policy Evaluation
Request
• PolicyReference
• ……..
Reply
• Answer
• ServiceData

  A1 = PolicyEvaluation@146.50.0.23( PolicyReference = "policy_23" )
  A2 = PolicyEvaluation@146.50.0.23( PolicyReference = "policy_117" )
! A1.ServiceData, A2.ServiceData (the return trees of the two evaluations)
Local policy reference: PolicyRef versus FunctionCall
PolicyRef:
  policy_71@127.0.0.1( data1 = "Yes", data2 = 12 )
  policy_71@localhost( data1 = "Yes", data2 = 12 )
FunctionCall:
  evaluate( ref = "policy_71", data1 = "Yes", data2 = 12 )
No type checking
ComputedBoolean:
  ( INT Request.Data.Bandwidth / INT Data.Fraction < 20 )
JavaScript:
  var a, b, c;
  a = 3;
  b = "yeah";
  c = a / b;
  alert( "c=" + c );        ==> c=NaN
Perl:
  my ( $a, $b, $c );
  $a = 3;
  $b = "yeah";
  $c = $a / $b;             ==> Illegal division …
! The two languages fail differently: in JavaScript the bogus value propagates as NaN and every comparison with it is false, so the ComputedBoolean silently evaluates to false; in Perl the string numifies to 0 and the division dies.
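The ComputedBoolean above, evaluated in JavaScript both ways, as an added example (not code from the draft or its authors): `looseInt` reproduces the slide's behaviour, where a non-numeric Request.Data.Bandwidth becomes NaN and the comparison quietly yields false, while `strictInt` refuses anything that is not a whole number so that a malformed request raises instead of picking a branch. The object layout (Request.Data.Bandwidth, Data.Fraction) follows the slide; the helper names, the error class and the sample requests are constructed for this example.

```javascript
'use strict';
// Added example: strict versus loose INT coercion of policy operands.
// looseInt/strictInt/PolicyTypeError are hypothetical names, not draft API.

class PolicyTypeError extends Error {}

// Loose: Number("yeah") is NaN, Number("") and Number(null) are 0.
function looseInt(v) {
  return Math.trunc(Number(v));
}

// Strict: only integer numbers or decimal integer strings are accepted.
function strictInt(v, path) {
  if (typeof v === 'number' && Number.isInteger(v)) return v;
  if (typeof v === 'string' && /^[-+]?\d+$/.test(v.trim())) return parseInt(v, 10);
  throw new PolicyTypeError(`INT ${path}: not an integer: ${JSON.stringify(v)}`);
}

// ( INT Request.Data.Bandwidth / INT Data.Fraction < 20 )
// `strict` selects fail-closed (throw) over fail-silent (NaN < 20 === false).
function bandwidthBelowLimit(Request, Data, strict) {
  const toInt = strict ? strictInt : looseInt;
  const bw = toInt(Request.Data.Bandwidth, 'Request.Data.Bandwidth');
  const fr = toInt(Data.Fraction, 'Data.Fraction');
  if (strict && fr === 0) throw new PolicyTypeError('INT Data.Fraction: division by zero');
  return bw / fr < 20;
}

// Constructed sample trees (not real traffic).
const goodRequest = { Data: { Bandwidth: '100' } };
const badRequest  = { Data: { Bandwidth: 'yeah' } };   // non-numeric junk
const localData   = { Fraction: 10 };

function demo() {
  const out = {};
  out.goodLoose = bandwidthBelowLimit(goodRequest, localData, false); // 100/10 < 20
  out.badLoose  = bandwidthBelowLimit(badRequest, localData, false);  // NaN < 20, no error
  try {
    bandwidthBelowLimit(badRequest, localData, true);
    out.badStrict = 'no error';
  } catch (e) {
    out.badStrict = e instanceof PolicyTypeError ? 'PolicyTypeError' : 'other';
  }
  return out;
}

console.log(demo());
```

Which branch a silently-false condition lands in depends on how the policy is written, so the loose behaviour is not reliably fail-open or fail-closed; the strict coercion makes the outcome independent of the branch layout.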
Example Driving Policy: KERBEROS Authentication
  if (
    if ( exists Request.AuthenticationData.Protocol.Name )
    then ( )
    else ( Reply.Answer.Type = MISSING_DATA ;
           Reply.Answer.Message = "Missing Protocol.Name" )
    &&
    if ( Request.AuthenticationData.Protocol.Name == "Kerberos" )
    then ( )
    else ( Reply = Authentication@146.50.0.23( Identity = Request.Identity,
                                               AuthenticationData = Request.AuthenticationData ) )
  )
  then ( // Next slide )

Example Driving Policy (continued)
  then ( // Action
    if ( exists Request.Identity.UserName && … )
    then ( KRBReply = authenticate( username = Request.Identity.UserName,
                                   servername = … ) ;
           // HE/SHE IS KNOWN!!!!
           Reply.Answer.AuthenticationData.SessionKey = KRBReply.SessionKey ;
           … )
    else ( Reply.Answer.Type = MISSING_DATA ;
           Reply.Answer.Message = "AuthenticationData incomplete" ) ;
    ...
  )
  else ( ... )
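The object-tree operations from the earlier slides (dotted references, `exists`, subtree assignment such as A.B = K.L.M), the PolicyRef form Type@host( … ), and the KERBEROS driving policy above, put together in one small interpreter as an added example. This is not code from the draft or its authors: the remote server at 146.50.0.23 is an in-memory stand-in, `authenticate()` is a stub that knows one principal, the AuthenticationData.ServerName field, the Answer.Type values OK and FAILED, and all request data are constructed for this example.

```javascript
'use strict';
// Added example: object trees + PolicyRef + the KERBEROS driving policy.
// Everything named "constructed" or "assumed" below is not from the draft.

// Object trees: leaves are int | float | string, nodes are plain objects.
function get(tree, path) {
  return path.split('.').reduce(
    (n, k) => (n !== null && typeof n === 'object' ? n[k] : undefined), tree);
}

function exists(tree, path) {
  return get(tree, path) !== undefined;
}

function deepCopy(v) {
  return v !== null && typeof v === 'object' ? JSON.parse(JSON.stringify(v)) : v;
}

// A.B = K.L.M takes a snapshot of K.L.M: later edits to K do not leak into A.
function set(tree, path, value) {
  const keys = path.split('.');
  let n = tree;
  for (const k of keys.slice(0, -1)) {
    if (n[k] === null || typeof n[k] !== 'object') n[k] = {};
    n = n[k];
  }
  n[keys[keys.length - 1]] = deepCopy(value);
  return tree;
}

// Constructed stand-in for the remote AAA server; a real PolicyRef would
// ship the argument trees over the wire instead of calling a function.
const remoteServers = {
  '146.50.0.23': {
    Authentication({ Identity, AuthenticationData }) {
      const Reply = {};
      set(Reply, 'Answer.Type', 'FORWARDED');
      set(Reply, 'Answer.Message',
          `handled ${AuthenticationData.Protocol.Name} for ${Identity.UserName}`);
      return Reply;
    },
  },
};

// Type@host( args ): arguments are passed by value, as subtree copies.
function policyRef(messageType, host, args) {
  const server = remoteServers[host];
  if (!server || !server[messageType]) throw new Error(`no ${messageType} at ${host}`);
  return server[messageType](deepCopy(args));
}

// Constructed local KDC stub (hypothetical): knows exactly one principal.
function authenticate({ username, servername }) {
  if (username === 'alice' && servername === 'krbtgt') {
    return { SessionKey: 'constructed-session-key-0001' };
  }
  return null;
}

// The KERBEROS driving policy from the slides, one branch per slide clause.
function kerberosDrivingPolicy(Request) {
  const Reply = {};
  if (!exists(Request, 'AuthenticationData.Protocol.Name')) {
    set(Reply, 'Answer.Type', 'MISSING_DATA');
    set(Reply, 'Answer.Message', 'Missing Protocol.Name');
    return Reply;
  }
  if (get(Request, 'AuthenticationData.Protocol.Name') !== 'Kerberos') {
    return policyRef('Authentication', '146.50.0.23', {
      Identity: get(Request, 'Identity'),
      AuthenticationData: get(Request, 'AuthenticationData'),
    });
  }
  if (exists(Request, 'Identity.UserName') &&
      exists(Request, 'AuthenticationData.ServerName')) {   // ServerName: assumed field
    const KRBReply = authenticate({
      username: get(Request, 'Identity.UserName'),
      servername: get(Request, 'AuthenticationData.ServerName'),
    });
    if (KRBReply === null) {                // the slide elides this branch
      set(Reply, 'Answer.Type', 'FAILED');  // assumed value
      return Reply;
    }
    set(Reply, 'Answer.Type', 'OK');        // assumed value; he/she is known
    set(Reply, 'Answer.AuthenticationData.SessionKey', KRBReply.SessionKey);
    return Reply;
  }
  set(Reply, 'Answer.Type', 'MISSING_DATA');
  set(Reply, 'Answer.Message', 'AuthenticationData incomplete');
  return Reply;
}

// Constructed requests, one per branch of the policy.
const requests = {
  missingProtocol:    { Identity: { UserName: 'alice' }, AuthenticationData: {} },
  radius:             { Identity: { UserName: 'bob' },
                        AuthenticationData: { Protocol: { Name: 'RADIUS' } } },
  kerberosOk:         { Identity: { UserName: 'alice' },
                        AuthenticationData: { Protocol: { Name: 'Kerberos' }, ServerName: 'krbtgt' } },
  kerberosIncomplete: { Identity: {}, AuthenticationData: { Protocol: { Name: 'Kerberos' } } },
};

function runAll() {
  const out = {};
  for (const [name, req] of Object.entries(requests)) out[name] = kerberosDrivingPolicy(req);
  return out;
}

console.log(JSON.stringify(runAll(), null, 2));
```

The `exists` checks come first because a dotted reference into a missing subtree yields an undefined leaf rather than an error, so a policy that compared Protocol.Name without the guard would quietly fall into the non-Kerberos branch and forward the request.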
To do
• AAA message types
• Definition of top level objects
• Generic AAA functions
  • return trees
• Generic ASMs
  • return trees
• Pushed / pulled policy treatment
To do or to do not
• Exception handling
• Parallelism ( Actions, remote references )