Authentication Authorisation Accounting ARCHitecture RG (slide transcript)
Research Group Name: AAA ARCH - RG
Chair(s): John Vollbrecht -- jrv@interlinknetworks.com, Cees de Laat -- delaat@phys
IRTF - AAAARCH - RG
Authentication Authorisation
Accounting ARCHitecture RG
chairs:
C. de Laat and J. Vollbrecht
www.phys.uu.nl/~wwwfi/aaaarch
RFC 2903, 2904, 2905, 2906
Contents of this talk
• This space is intentionally left blank
2 of 14
History & Charter
• Authorization subgroup of AAA-WG
• Commonality in authorization space
• Tie in policy from all WG's
• IRTF-RG chartered in Dec 1999
• This RG will work to define a next generation AAA architecture that incorporates a set of interconnected "generic" AAA servers and an application interface that allows Application Specific Modules access to AAA functions.
3 of 14
From charter
• The architecture's focus is to support AAA services that:
  – can inter-operate across organizational boundaries
  – are extensible yet common across a wide variety of Internet services
  – enable a concept of an AAA transaction spanning many stakeholders
  – provide application independent session management mechanisms
  – contain strong security mechanisms that can be tuned to local policies
  – are scalable to the size of the global Internet
4 of 14
Basic AAA
• Service perspective:
  – Who is it who wants to use my resource
    » Establish security context
  – Do I allow him to access my resource
    » Create a capability / ticket / authorization
  – Can I track the usage of the resource
    » Based on type of request (policy) track the usage
• User perspective
  – Where do I find this or that service
  – What am I allowed to do
  – What do I need to do to get authorization
  – What does it cost
• Intermediaries perspective
  – Service creation
  – Brokerage / portals
• Organizational perspective
  – What do I allow my people to do
  – Contractual relationships (SLA's)
5 of 14
Applications
• Web access
• Network Access
• Bandwidth Broker, VLL service
• Authorization of usage of a combination of resources living in many administrative domains
• Computing grids, data grids, HEP community
• Budget system
• Library system
• Tele-learning
• E-Commerce
• Micro-payments
6 of 14
Multi Kingdom Problems
Physics-UU to IPP-FZJ => 7 kingdoms
– Netherlands
  » Physics dept
  » Campus net
  » SURFnet
– Europe
  » GEANT
– Germany
  » WINS/DFN
  » Juelich, Campus
  » Plasma Physics dept
[Figure: network path diagram; recoverable labels are "USA line", "Jülich" and the latency annotations 3 ms, 17 ms and 2.5 ms]
7 of 14
Roles
[Figure: diagram of roles in the multi-domain case; recoverable labels are GEANT/DANTE, the national research networks SURFnet, DFN, SWITCH and REDIRIS, universities (UNI) and end users (USER)]
8 of 14
The need for AAA
[Figure: diagram of an end user reaching a remote service across routers (R) in Kingdom N and Kingdom N+1, each kingdom with its own management, bandwidth broker (BB) and AAA server; the inter-kingdom relationship is marked "?" and "$$$"]
9 of 14
ASP
[Figure: ASP scenario diagram; recoverable labels are User, Internet, Layer 3/4 Switch, three Content Servers each with an AAA server, a Bandwidth Broker with AAA, a User-Home Organisation with AAA, a Financial Organisation with AAA, and the ASP and ISP's each with AAA]
10 of 15
Authorization Models
[Figure: three sequence diagrams labelled AGENT, PULL and PUSH; each shows USER, UHO AAA (user home organisation), Provider AAA and Service with numbered message steps 1 to 5, whose order is not recoverable from the transcript]
11 of 16
Generic AAA server
[Figure: block diagram of the generic AAA server; recoverable labels are Rule based engine, Application Specific Module, Policy Data, Service, Starting point, PDP, PEP, Accounting/Metering, Acct Data and API, with numbered message steps 1 to 5 (and 4')]
13 of 16
Multi domain case
12 of 16
Basic principles
Principles of Generic AAA
1. Three building blocks:
   1. RBE
   2. ASM
   3. Service Equipment
2. There is a global address space between the RBE and the ASM.
3. There is only generic stuff in the RBE and all the application specific stuff is in the ASMs.
4. The relationship between AAA servers is symmetric.
5. Different servers may have different capabilities.
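The following toy server is an added illustration of principles 1 to 3 above; it is not code from the AAAARCH research group or any of its drafts. The Rule Based Engine (RBE) understands only a generic condition syntax and attribute names in a global address space written as "prefix.attribute"; every application-specific value (user quotas, free capacity) and every action (provisioning a link, writing an accounting record) lives in an Application Specific Module (ASM) registered under a prefix, and the service equipment is reached only through an ASM acting as the PEP. The user directory, the "vll" and "acct" module names, the policy rules and the sample users are all constructed for the example; the symmetric relationship between peer AAA servers (principle 4) is not modelled.

```python
"""Toy generic AAA server: generic RBE, application-specific ASMs (added example)."""
import operator
import re
from dataclasses import dataclass, field

_OPS = {"==": operator.eq, "!=": operator.ne, "<=": operator.le,
        ">=": operator.ge, "<": operator.lt, ">": operator.gt}
_COND = re.compile(r"^(\S+)\s*(==|!=|<=|>=|<|>)\s*(\S+)$")


@dataclass
class Rule:
    condition: str                 # "prefix.attr OP literal-or-prefix.attr"
    decision: str                  # "ALLOW" or "DENY"; first matching rule wins
    actions: list = field(default_factory=list)  # "prefix.action" names run on ALLOW


class RuleBasedEngine:
    """Generic part of the AAA server: knows nothing about bandwidth, users or money."""

    def __init__(self):
        self.asms = {}             # prefix in the global address space -> ASM

    def register(self, prefix, asm):
        self.asms[prefix] = asm

    def _value(self, token, request):
        """Resolve a condition operand: number literal, 'string' literal, or prefix.attr."""
        if re.fullmatch(r"-?\d+(\.\d+)?", token):
            return float(token) if "." in token else int(token)
        if len(token) >= 2 and token[0] == token[-1] == "'":
            return token[1:-1]
        prefix, attr = token.split(".", 1)
        if prefix == "request":    # attributes carried in the request itself
            return request[attr]
        return self.asms[prefix].get(attr, request)   # everything else is asked of an ASM

    def evaluate(self, rules, request):
        """PDP step: return (decision, actions_run); a request matching no rule is denied."""
        for rule in rules:
            m = _COND.match(rule.condition)
            if m is None:
                raise ValueError(f"bad condition: {rule.condition!r}")
            lhs, op, rhs = m.groups()
            if _OPS[op](self._value(lhs, request), self._value(rhs, request)):
                ran = []
                if rule.decision == "ALLOW":
                    for action in rule.actions:        # PEP step, delegated to ASMs
                        prefix, name = action.split(".", 1)
                        self.asms[prefix].do(name, request)
                        ran.append(action)
                return rule.decision, ran
        return "DENY", []


class UserDirectoryASM:
    """User-home-organisation data (constructed); the RBE never sees its format."""
    def __init__(self, users):
        self.users = users
    def get(self, attr, request):
        return self.users[request["user"]][attr]


class VirtualLinkASM:
    """PEP towards the service equipment; a list stands in for the switch (hypothetical)."""
    def __init__(self, capacity_mbps=1000):
        self.capacity_mbps = capacity_mbps
        self.links = []
    def get(self, attr, request):
        if attr == "free_mbps":
            return self.capacity_mbps - sum(l["bandwidth_mbps"] for l in self.links)
        raise KeyError(attr)
    def do(self, name, request):
        if name == "provision":
            self.links.append({"user": request["user"],
                               "bandwidth_mbps": request["bandwidth_mbps"]})


class AccountingASM:
    """Accounting indication: records what was granted for later metering."""
    def __init__(self):
        self.records = []
    def get(self, attr, request):
        raise KeyError(attr)
    def do(self, name, request):
        if name == "record":
            self.records.append((request["user"], request["bandwidth_mbps"]))


def build_server():
    rbe = RuleBasedEngine()
    rbe.register("user", UserDirectoryASM({          # constructed sample users
        "alice": {"home_org": "uu.nl", "quota_mbps": 100},
        "bob": {"home_org": "fz-juelich.de", "quota_mbps": 500},
        "carol": {"home_org": "uu.nl", "quota_mbps": 2000},
    }))
    rbe.register("vll", VirtualLinkASM())
    rbe.register("acct", AccountingASM())
    return rbe


# Constructed policy: home-organisation users only, within quota and within free capacity.
POLICY = [
    Rule("user.home_org != 'uu.nl'", "DENY"),
    Rule("request.bandwidth_mbps > user.quota_mbps", "DENY"),
    Rule("request.bandwidth_mbps <= vll.free_mbps", "ALLOW", ["vll.provision", "acct.record"]),
]


def request_link(rbe, user, mbps):
    """Service request: the only application-aware values are the attribute names in POLICY."""
    return rbe.evaluate(POLICY, {"user": user, "bandwidth_mbps": mbps})


if __name__ == "__main__":
    server = build_server()
    print(request_link(server, "alice", 50))    # ('ALLOW', ['vll.provision', 'acct.record'])
    print(request_link(server, "alice", 200))   # ('DENY', [])  over quota
    print(request_link(server, "bob", 50))      # ('DENY', [])  foreign home organisation
```

Swapping the policy or adding a new ASM (for example one that answers "finance.balance" questions) needs no change to the RBE, which is the property principle 3 is after; the default-deny return at the end of evaluate is the check a practitioner should keep when writing such an engine, since an unmatched request must not fall through to an allow.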
14 of 16
Message types
• Service request/reply
• Authorization request/reply
• Solicit Service Offer request/reply
• Authentication request/reply
• Authentication Challenge request/reply
• Policy request/reply
• Policy Evaluation request/reply
• Data request/reply
• Event Log indication/confirmation
• Accounting indication/confirmation
• Service (session) Configuration indication/confirmation
• Service (session) Management indication/confirmation
• Capability request/reply (supports resource discovery)
15a of 16
Top Level Objects
• Identity
• Authentication Data
• Authentication Challenge
• Service Data
• Service Offer
• Answer
• Error
• Policy
  – [service specification policy, authorization policy, provisioning policy, configuration policy, accounting policy, metering policy]
• Policy Reference
• Policy Data
• Configuration Data
• Service Management
• Accounting
• Event
15b of 16
Status authorization framework
• Authorization model
  – <draft-taal-aaaarch-generic-pol-00.txt>
• Policy definition
  – <draft-salowey-aaaarch-xxxxxxx.txt>
• Primitives model for authorization requests
• Data model for authorization
• Context of AAA usage
  – <www.phys.uu.nl/~wwwfi/aaaarch/doc06/aaa_context.doc>
• Authentication model
  – <www.phys.uu.nl/~wwwfi/aaaarch/doc12/kaushik-radius-sec-ext-04.txt>
• session-id
• policy based accounting
  – <draft-irtf-aaaarch-pol-acct-01.txt>
15c of 16
Status-2
• relation to other groups:
  – AAA --> DATA model
  – Policy Framework
  – SLS BOF
  – GAAAPI (Generic Authorization and Access control API)
  – GSSAPI (Generic Security Services API)
  – RAP (BB)
  – SIP <session initiation protocol>
  – Computing/data grids <www.gridforum.org/>
  – Middleware
15d of 16
Future work
• develop an auditability framework specification that allows the AAA system functions to be checked in a multi-organization environment
• develop a model that supports management of a "mesh" of interconnected AAA Servers
• implement a simulation model that allows experimentation with the proposed architectural models (UU)
• describe inter-domain issues using the generic model
• Future issues:
  – AAA-WG actions
  – unresolved topics
  – (protocol) work for WG's
  – future AAAARCH work
• complete the work in Q1 - 2001 (ambitious)
15e of 16
Research Group - info
• Research Group Name: AAAARCH - RG
• Chair(s)
  – John Vollbrecht -- jrv@interlinknetworks.com
  – Cees de Laat -- [email protected]
• Web page
  – www.irtf.org
  – www.phys.uu.nl/~wwwfi/aaaarch
• Mailing list(s)
  – [email protected]
  – For subscription to the mailing list, send e-mail to [email protected] with content of message
    subscribe aaaarch
    end
  – will be archived, retrieval with frames and in plain ascii:
    » http://www.fokus.gmd.de/glone/research/aaaarch/
    » http://www.fokus.gmd.de/glone/research/mail-archive/aaaarch-current
    » ftp://ftp.fokus.gmd.de/pub/glone/mail-archive/aaaarch-current
16a of 16