AAA-ARCH advertisement (1 of 14)
IRTF-RG: Authentication, Authorisation and Accounting ARCHitecture Research Group
Chairs: C. de Laat, J. Vollbrecht
Content of this talk has contributions from many persons including: B. de Bruijn, C&K Dobbins, S. Farrell, G. Gross, L. Gommans, D. Spence, E. Verharen, T. Verschuren, T. Zseby
Applications (2 of 14)
• Applications
–Network Access
–Bandwidth Broker
–Authorization of resources living in many administrative domains
–Budget system
–Library system
–Computer based education system
–E-Commerce
–Micro-payments
–Car Rental
–Daily life
Multi Kingdom Problem (3 of 14)
Physics-UU to IPP-FZJ => 7 kingdoms
–Netherlands
»Physics dept
»Campus net
»SURFnet
–Europe
»TEN 155
–Germany
»WINS/DFN
»Juelich, Campus
»Plasma Physics dept
[Figure: the path from Utrecht to Jülich drawn across the Netherlands, Europe and Germany, with latency annotations along it (3 ms, 2.5 ms, 17 ms) and a line labelled USA also shown.]
The need for AAA (4 of 14)
[Figure: an End user reaches a Remote service through routers (R) in Kingdom N and Kingdom N+1. Each kingdom has its own BB (bandwidth broker) management and its own AAA; the figure marks the interaction between the two kingdoms' AAA functions with "?" and "$$$", i.e. how the authorizations are coordinated and who pays.]
Roaming “Agent” Authorization Model (5 of 14)
[Figure: parties are the User, the AAA Server of the User Home Organization, the AAA Server of the Service Provider and its Service Equipment. Numbered messages: 1 Request (User to Home AAA Server); 2 Conditional Approval and 3 Commit Approval, exchanged between the Home AAA Server and the Service Provider AAA Server, with step 3 also reaching the Service Equipment; 4 Approved (Home AAA Server to User); 5 use service (User to Service Equipment).]
Example application: bandwidth brokerage at Enterprise/Service Provider boundary
Roaming “Pull” Authorization Model (6 of 14)
[Figure: same parties as the agent model. Numbered messages: 1 Request (User to Service Equipment, forwarded to the Service Provider AAA Server); 2 Conditional Approval and 3 Commit Approval, exchanged between the Service Provider AAA Server and the Home AAA Server; 4 Approved (Service Provider AAA Server to Service Equipment and on to the User); 5 use service (User to Service Equipment).]
Example applications: Mobile IP, PPP dial-in to NAS
Roaming “Push” Authorization Model (7 of 14)
[Figure: same parties as the agent model. Numbered messages: 1 Request (User to Home AAA Server); 2 Conditional Approval with ticket (Home AAA Server to User); 3 Request with ticket (User to Service Provider AAA Server); 4 Approved (Service Provider AAA Server to Service Equipment and to the User); 5 use service (User to Service Equipment).]
Example application: Internet printing, where file and print servers are in different admin domains
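The three roaming models above differ only in who carries the home organization's decision to the service provider. The following toy simulation, added here as an example and not code from the AAAARCH RG or its slides, plays the numbered message flows of the agent, pull and push models and, for the push model, makes the "ticket" concrete: the class names (HomeAAA, ServiceProviderAAA, ServiceEquipment), SHARED_KEY and the HMAC-protected JSON ticket bound to user, service, expiry and a nonce are assumptions of this example. The point a practitioner should take from the push model is that the provider must be able to verify the ticket on its own, and must reject tickets that are forged, issued for another user or service, expired, or replayed.

```python
"""Toy simulation of the agent, pull and push roaming authorization models.
Added example; class names, SHARED_KEY and the ticket format are assumptions."""
import hashlib
import hmac
import json
import secrets
import time

# Constructed: key shared by the home organisation's and the provider's AAA servers,
# so the provider can verify push-model tickets without asking the home server.
SHARED_KEY = b"home-org/provider shared secret (constructed)"


class ServiceEquipment:
    """Delivers the service once its AAA server has committed the approval."""
    def __init__(self):
        self.committed = set()          # (user, service) pairs the equipment will serve

    def commit(self, user, service):
        self.committed.add((user, service))

    def use(self, user, service):
        return (user, service) in self.committed


class HomeAAA:
    """AAA server of the user's home organisation; holds the user's entitlements."""
    def __init__(self, entitlements):
        self.entitlements = entitlements    # {user: {service, ...}}

    def decide(self, user, service):
        return service in self.entitlements.get(user, set())

    def issue_ticket(self, user, service, ttl=60, now=None):
        """Push model step 2: the conditional approval is a ticket the user carries.
        It binds user, service and expiry; the nonce makes every ticket unique."""
        now = int(time.time() if now is None else now)
        claims = {"user": user, "service": service, "exp": now + ttl,
                  "nonce": secrets.token_hex(8)}
        body = json.dumps(claims, sort_keys=True)
        tag = hmac.new(SHARED_KEY, body.encode(), hashlib.sha256).hexdigest()
        return body + "." + tag


class ServiceProviderAAA:
    """AAA server of the service provider; asks the home server or checks tickets."""
    def __init__(self, home, equipment):
        self.home, self.equipment = home, equipment
        self.seen = set()               # tickets already consumed (replay protection)

    def verify_ticket(self, ticket, user, service, now=None):
        body, _, tag = ticket.rpartition(".")
        expected = hmac.new(SHARED_KEY, body.encode(), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(tag, expected):
            return False                # forged or tampered
        claims = json.loads(body)
        now = time.time() if now is None else now
        if claims["user"] != user or claims["service"] != service:
            return False                # ticket issued for someone or something else
        if claims["exp"] < now or ticket in self.seen:
            return False                # expired or replayed
        self.seen.add(ticket)
        return True


def agent_model(home, sp, user, service):
    """Slide 5: the home AAA server acts as the user's agent towards the provider."""
    trace = [("User -> Home AAA", "1 request")]
    if not home.decide(user, service):
        return False, trace + [("Home AAA -> User", "4 rejected")]
    trace += [("Home AAA -> SP AAA", "2 conditional approval"),
              ("SP AAA -> Home AAA", "3 commit approval")]
    sp.equipment.commit(user, service)
    trace += [("Home AAA -> User", "4 approved"), ("User -> Equipment", "5 use service")]
    return sp.equipment.use(user, service), trace


def pull_model(home, sp, user, service):
    """Slide 6: the provider pulls the decision from the home AAA server."""
    trace = [("User -> Equipment -> SP AAA", "1 request"),
             ("SP AAA -> Home AAA", "2 conditional approval request")]
    if not home.decide(user, service):
        return False, trace + [("Home AAA -> SP AAA", "3 rejected")]
    trace.append(("Home AAA -> SP AAA", "3 commit approval"))
    sp.equipment.commit(user, service)
    trace += [("SP AAA -> Equipment -> User", "4 approved"), ("User -> Equipment", "5 use service")]
    return sp.equipment.use(user, service), trace


def push_model(home, sp, user, service, now=None):
    """Slide 7: the user pushes a ticket from the home server to the provider."""
    trace = [("User -> Home AAA", "1 request")]
    if not home.decide(user, service):
        return False, trace + [("Home AAA -> User", "2 rejected")]
    ticket = home.issue_ticket(user, service, now=now)
    trace += [("Home AAA -> User", "2 conditional approval with ticket"),
              ("User -> SP AAA", "3 request with ticket")]
    if not sp.verify_ticket(ticket, user, service, now=now):
        return False, trace + [("SP AAA -> User", "4 rejected")]
    sp.equipment.commit(user, service)
    trace += [("SP AAA -> Equipment, User", "4 approved"), ("User -> Equipment", "5 use service")]
    return sp.equipment.use(user, service), trace
```

Each model function returns the outcome and the list of messages it exchanged, so the three traces can be compared side by side; the `now` argument exists only to make expiry testable without waiting.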
AAA Server building block (8 of 14)
[Figure: a Generic AAA server containing a Rule based engine, with an API (2) to an Application Specific Module, a connection (3) to a repository of Auth rules, and Events arriving on the application side; the AAA protocol (1) enters the server from outside.]
Rule example: Auth_A = (B>9) .or. C .and. D
Types of communication:
1: “The” AAA protocol
2: interface (API) to app specific module (addressing!)
3: interface (API or connection) to repositories (e.g. LDAP)
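A rule based engine is only as safe as its parser and its handling of attributes it cannot find. The evaluator below is added here as an example of what the slide's rule syntax implies; it is not the RG's engine. The grammar it assumes is Fortran-style: `.not.` binds tighter than `.and.`, which binds tighter than `.or.`, and comparisons (`>`, `<`, `>=`, `<=`, `==`, `!=`) bind tighter still, so `(B>9) .or. C .and. D` reads as `(B>9) .or. (C .and. D)`. The attribute dictionary stands in for what the server fetches from a repository over path 3. The fail-closed behaviour (syntax error or missing attribute gives a deny) is a design choice of this example, not something the slide states.

```python
"""Evaluator for rules in the slide's syntax, e.g.  Auth_A = (B>9) .or. C .and. D
Added example; the grammar and the fail-closed policy are assumptions made here."""
import operator
import re


class RuleError(Exception):
    """Any syntax or evaluation problem; authorize() turns it into a deny."""


_TOKEN = re.compile(
    r"\s*(?:(\.(?:and|or|not)\.)|(>=|<=|==|!=|>|<)|([A-Za-z_]\w*)|(\d+)|([()]))", re.I)
_CMP = {">": operator.gt, "<": operator.lt, ">=": operator.ge,
        "<=": operator.le, "==": operator.eq, "!=": operator.ne}


def tokenize(text):
    """Split a rule body into (kind, value) tokens; unknown characters are an error."""
    pos, tokens = 0, []
    while pos < len(text):
        m = _TOKEN.match(text, pos)
        if not m:
            if text[pos:].strip():
                raise RuleError(f"bad token at {pos}: {text[pos:]!r}")
            break                               # only trailing whitespace left
        pos = m.end()
        kw, op, ident, num, paren = m.groups()
        if kw:
            tokens.append(("kw", kw.lower()))
        elif op:
            tokens.append(("op", op))
        elif ident:
            tokens.append(("id", ident))
        elif num:
            tokens.append(("num", int(num)))
        else:
            tokens.append(("paren", paren))
    return tokens


class Parser:
    """Recursive descent: or_expr > and_expr > not_expr > comparison > atom."""
    def __init__(self, tokens):
        self.toks, self.i = tokens, 0

    def peek(self):
        return self.toks[self.i] if self.i < len(self.toks) else (None, None)

    def take(self):
        tok = self.peek()
        self.i += 1
        return tok

    def parse(self):
        node = self.or_expr()
        if self.peek()[0] is not None:
            raise RuleError("unexpected trailing tokens")
        return node

    def binary(self, keyword, operand, tag):       # left-associative chain of one keyword
        node = operand()
        while self.peek() == ("kw", keyword):
            self.take()
            node = (tag, node, operand())
        return node

    def or_expr(self):
        return self.binary(".or.", self.and_expr, "or")

    def and_expr(self):
        return self.binary(".and.", self.not_expr, "and")

    def not_expr(self):
        if self.peek() == ("kw", ".not."):
            self.take()
            return ("not", self.not_expr())
        return self.comparison()

    def comparison(self):
        left = self.atom()
        if self.peek()[0] == "op":
            return ("cmp", self.take()[1], left, self.atom())
        return left

    def atom(self):
        kind, val = self.take()
        if (kind, val) == ("paren", "("):
            node = self.or_expr()
            if self.take() != ("paren", ")"):
                raise RuleError("expected ')'")
            return node
        if kind in ("id", "num"):
            return (kind, val)
        raise RuleError(f"unexpected token {val!r}")


def evaluate(node, attrs):
    """Evaluate an AST against the attributes fetched for this request."""
    kind = node[0]
    if kind == "num":
        return node[1]
    if kind == "id":
        if node[1] not in attrs:
            raise RuleError(f"attribute {node[1]!r} not available")   # unknown -> deny
        return attrs[node[1]]
    if kind == "not":
        return not evaluate(node[1], attrs)
    if kind == "and":        # short-circuits: the right side is not consulted when the left is false
        return bool(evaluate(node[1], attrs)) and bool(evaluate(node[2], attrs))
    if kind == "or":
        return bool(evaluate(node[1], attrs)) or bool(evaluate(node[2], attrs))
    return _CMP[node[1]](evaluate(node[2], attrs), evaluate(node[3], attrs))


def authorize(rule, attrs):
    """Return (decision name, decision). Only a rule body that evaluates to true
    grants; syntax errors and missing attributes fail closed."""
    m = re.match(r"\s*(\w+)\s*=(?!=)(.*)$", rule, re.S)
    name, body = (m.group(1), m.group(2)) if m else (None, rule)
    try:
        return name, bool(evaluate(Parser(tokenize(body)).parse(), attrs))
    except RuleError:
        return name, False
```

With `B=10` the rule grants regardless of `C` and `D`; with `B=1`, `C=True`, `D=False` it denies, which is what distinguishes the assumed precedence from a naive left-to-right reading.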
Pushing the buttons (9 of 14)
[Figure: the Generic AAA server as on the previous slide (Rule based engine, Application Specific Module over 2, Policy repository over 3, Events, AAA protocol over 1), now with a fifth communication path from the Application Specific Module towards the Service.]
Types of communication:
5: Towards service (f.e. COPS, CLI, SNMPv3)
Legacy protocols (10 of 14)
[Figure: the Generic AAA server as before, with a fourth communication path carrying legacy protocols into the server next to the AAA protocol (1).]
Types of communication:
4: Legacy protocols (Radius, Diameter, …)
Gateway (11 of 14)
[Figure: a Gateway (GW) attached to the Generic AAA server, with the AAA protocol (1) on one side and a legacy protocol path (4) on the other; the server keeps its Rule based engine, Application specific Module (2), Policy repository (3) and Events.]
AAA Server with Accounting as Separate Service (12 of 15)
[Figure: the Generic AAA server (Rule based engine, Policy over 3, Events, Application Specific Module over 2 with path 5 towards the Service) plus a separate Accounting Module that receives Metering data from the Service over path 6 and stores Acct Data over path 3.]
AAA Server with Accounting as Part of the Service (13 of 16)
[Figure: as on the previous slide, but Accounting/Metering is part of the Service itself, reached over path 5; Acct Data is stored over path 3.]
Example: Interaction with Authorization (14 of 16)
[Figure: a User served by a Visited ISP with a Home ISP behind it. Elements: an AAA Server in each ISP; Service parameters including Accounting Policy; Service Equipment configuration; Meters; Collectors; Accounting Records (ARs), exchanged within the Visited ISP and towards the Home ISP; Charging Policies; Charging & Billing; the Bill; and an optional online charging path. The figure numbers the steps 1 to 8 from the user's request to the bill.]
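The slide's point, and one of the RG goals below, is that the authorization answer carries the accounting policy for the session, so the visited side meters and records exactly what the home side asked for. The code below is an added example of that interaction, not code from the AAAARCH RG: AccountingPolicy's fields, the record layout, the TARIFF and the SAMPLES are all constructed here. A Meter on the visited ISP's service equipment emits start, interim and stop Accounting Records (ARs) according to the policy, a Collector refuses to total a set of ARs with a gap in the sequence, and charging is applied to the totals; when the policy enables online charging the Meter stops the session as soon as the prepaid credit is exceeded.

```python
"""Accounting driven by the authorization decision (added example; the policy
fields, record layout, TARIFF and SAMPLES are constructed for this example)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class AccountingPolicy:
    """Carried with the authorization: how the visited side must account this session."""
    interval_s: int          # spacing of interim records
    metered: tuple           # counters to report, e.g. ("bytes", "time")
    online_charging: bool    # stop the session when credit_units is exceeded
    credit_units: int = 0    # prepaid budget, only meaningful with online_charging


@dataclass(frozen=True)
class AccountingRecord:
    session_id: str
    seq: int                 # contiguous per session so the collector can spot gaps
    kind: str                # "start", "interim" or "stop"
    t: int                   # seconds since session start
    counters: dict           # cumulative values, as RADIUS/Diameter accounting reports them
    reason: str = ""


# Constructed tariff: cost units per byte and per second of connect time.
TARIFF = {"bytes": 1, "time": 100}


def cost(counters, tariff):
    """Charging: apply the tariff to the metered counters."""
    return sum(tariff[k] * v for k, v in counters.items())


class Meter:
    """Runs on the visited ISP's service equipment and produces ARs per the policy."""
    def __init__(self, session_id, policy, tariff):
        self.session_id, self.policy, self.tariff = session_id, policy, tariff

    def run(self, samples):
        """samples: [(t, {"bytes": cumulative, "time": cumulative}), ...] in time order."""
        records = []

        def emit(kind, t, sample, reason=""):
            counters = {k: sample[k] for k in self.policy.metered}
            records.append(AccountingRecord(self.session_id, len(records), kind, t, counters, reason))

        t0, s0 = samples[0]
        emit("start", t0, s0)
        last_t = t0
        for i in range(1, len(samples)):
            t, s = samples[i]
            used = cost({k: s[k] for k in self.policy.metered}, self.tariff)
            if self.policy.online_charging and used > self.policy.credit_units:
                emit("stop", t, s, "credit exhausted")   # online charging cuts the session
                break
            if i == len(samples) - 1:
                emit("stop", t, s)
            elif t - last_t >= self.policy.interval_s:
                emit("interim", t, s)
                last_t = t
        return records


class Collector:
    """Gathers the ARs of a session and refuses to total an incomplete set."""
    @staticmethod
    def verify(records):
        return (bool(records)
                and len({r.session_id for r in records}) == 1
                and [r.seq for r in records] == list(range(len(records)))
                and records[0].kind == "start" and records[-1].kind == "stop")

    def ingest(self, records):
        if not self.verify(records):
            raise ValueError("incomplete or out-of-order accounting records")
        return dict(records[-1].counters)   # counters are cumulative: the stop record holds the total


# Constructed usage samples: cumulative bytes and connect seconds every 30 s.
SAMPLES = [(t, {"bytes": t * 20000 // 30, "time": t}) for t in (0, 30, 60, 90, 120)]
```

A missing interim record is detected by the sequence check rather than silently billed from whatever arrived; with online charging the stop record's reason tells the home side why the session ended early.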
Generic AAA Agent Model (15a of 16)
[Figure: several AAA servers interconnected in the generic agent model.]
Future AAA Application (ASP) (15b of 16)
[Figure: a User reaches an ASP's Content Server across the Internet and several ISP's; each party has its own AAA: User-Home Organ. AAA, Bandwidth Broker AAA, Financial Organ. AAA, Layer 3/4 Switch AAA and Content Server AAA, with Service Profiles consulted on the ASP side.]
RG-Goals-1 (15c of 16)
Specific goals of the RG are:
• develop generic AAA model by specifically including
Authentication and Accounting
• develop auditability framework specification that allows
the AAA system functions to be checked in a multiorganization environment
• develop a model that supports management of a "mesh"
of interconnected AAA Servers
• define distributed policy framework, coordinate with
policy framework WG and others
• develop an accounting model that allows authorization to
define the type of accounting processing required for
each session
RG-Goals-2 (15d of 16)
Specific goals of the RG are:
• implement a simulation model that allows
experimentation with the proposed architectural
models (also work on an emulation)
• describe interdomain issues using generic model
• work with AAA WG to align short term AAA protocol
requirements with long term requirements as much
as possible
• complete the work in Q4 - 2000 (ambitious)
Research Group - info (16 of 16)
• Research Group Name: AAAARCH - RG
• Chair(s)
– John Vollbrecht
– Cees de Laat
---
jrv@merit.edu
delaat@phys.uu.nl
• Web page
– www.irtf.org
– www.phys.uu.nl/~wwwfi/aaaarch
• Mailing list(s)
– aaaarch@fokus.gmd.de
– For subscription to the mailing list, send e-mail to majordomo@fokus.gmd.de with content of message:
subscribe aaaarch
end
– will be archived, retrieval with frames and in plain ascii:
» http://www.fokus.gmd.de/glone/research/aaaarch/
» http://www.fokus.gmd.de/glone/research/mail-archive/aaaarch-current
» ftp://ftp.fokus.gmd.de/pub/glone/mail-archive/aaaarch-current