
Multi-Domain Lightpath Authorization Architecture using Tokens




  1. Multi-Domain Lightpath Authorization Architecture using Tokens By: Leon Gommans, Paola Grosso, Fred Wan, Cees de Laat, Marten Hoekstra, Yuri Demchenko, Li Xu, Ralph Koning, University of Amsterdam

  2. Tokens are a proven concept:
     1. To enable fast passage at a checkpoint
     2. To allow checking at any place in the service network
     3. To separate authorized use from unauthorized use
     4. To authorize in advance
     5. To separate authorization complexity from usage
     6. That can be linked to advance reservations
     7. To support both pay-before (pre-pay) or pay-later (billing)

  3. Main rationale: Time consuming service authorization process can be separate from fast service access. HRM SLOW Finance User Home Org T T T Service Provider A Service Provider B User Work Group T T Network Service Network Service Service Fast

  4. Testbed shows data- & control plane and involved domains.

  5. Application sends reservation request to IDC
     [Diagram, repeated on slides 5 to 19: a Reservation Application connected to Domain A, Domain B and Domain C; each domain has an Inter Domain Controller and a DRAGON control plane; two of the domains also show a Token Validation Service and a Policy Enforcement Point, and slide 18 adds an RSVP Gateway. A "T" marker shows where the token is at each step.]

  6. A Global Resource Identifier (GRI) is created as reference

  7. GRI is passed as part of IDC protocol to last domain

  8. GRI is handed to the Token Validation Service

  9. The GRI is "stamped" using an HMAC algorithm into a token. Token = GRI + few bytes of secure hash result
     [Diagram: GRI and Key are fed into an HMAC-SHA1 based algorithm, producing the Token.]

  10. Token is sent to PEP and IDC and stored along with GRI

  11. Token is returned to upstream domain and kept for future enforcement

  12. Token is handed to reservation application via IDC reply

  13. Token is copied onto USB memory stick

  14. Take USB memory stick with token to HD display station

  15. HD display station requests to open connection to IDC including the token in the request message.

  16. The IDC may decide not to check the validity of the token and provisions the path in its domain.

  17. The token is passed to the next IDC. The TVS checks the validity of the token, or alternatively ...

  18. ... the token is passed to the GMPLS signaling layer via a gateway such that the token becomes part of RSVP-TE

  19. The last domain checks the token and provisions its circuit

  20. The demo shows:
     1. Tokens are a simple, fast and flexible way to authorize lightpaths
     2. Tokens can be recognized by multiple domains
     3. Tokens are authentic symbols where an identifier points to a meaning.
     4. Tokens symbolize a commit of advance reservations by each domain
     5. Tokens can be used at different layers in the network
     6. Domains may or may not choose to enforce tokens (be transparent)
     7. The Token Validation Service supporting different Control Plane types

  21. Talk to us to understand our research:
     Yuri Demchenko: Token Validation Service - Phosphorus Project
     Fred Wan: Signaling model interfaces - Tree vs. Chain - NextGrid Project
     Marten Hoekstra: Signaling and IDC deployment - GigaPort Project
     Li Xu: Token Enforcement at GMPLS layer - StarPlane project
     Ralph Koning: HD video content - CineGrid Project
     Leon Gommans: Authorization Architecture - GigaPort Project
     Cees de Laat: Scientific group leader

  22. Acknowledgement. Internet2 ESNET SURFnet NL GigaPort RoN project EU Phosphorus Project EU NextGrid Project Electronic Visualisation Lab CineGrid project GLIF .

  23. Thank you for watching
