1
CHEETAH software
- OCS/AAA module
- Routing decision module
- Signaling module
- VLSR module (includes a TL1 proxy for the Cisco 15454 MSPP)
- Router disconnect module
- High-speed transport protocol module for the end-to-end circuit
2
End-host CHEETAH software
[Figure: the application sits above the signaling client and the CHEETAH software (routing decision, high-speed transport protocol, OCS/AAA client, router disconnect client). TCP over NIC I carries the primary TCP/IP path; NIC II carries the end-to-end CHEETAH circuit.]
3
Local testbed configuration
[Figure: two end hosts, each running an application, a signaling client, TCP over NIC I, and NIC II with the end-host CHEETAH software (routing decision, FRTP, OCS/AAA client, router disconnect client), attached to an enterprise LAN. The enterprise connects to the Internet through an Ethernet switch/IP router and to the SONET circuit-switched network through a Cisco MSPP SONET switch controlled by a VLSR (TL1 proxy). An OCS/AAA server and a router disconnect server sit in the enterprise network. The numbered callouts of the original figure are not recoverable.]
Proposed applications
- End-to-end file transfers: modified FTP/SFTP + FRTP
- Video-telephony: web application
- High-speed optical dial-up Internet access service
5
End-to-end File Transfer
[Figure: two enterprise buildings, each with Ethernet hosts (application + CHEETAH software, or application + RESCUE software, in user space over the OS; the Ethernet interface in kernel space), NIC 1 and NIC 2, an Ethernet switch/IP router and a SONET MSPP. NIC 1 reaches the Internet (packet switches, i.e. IP routers interconnecting various networks) over the primary Internet leased access circuit; NIC 2 reaches the optical circuit-switched networks over the CHEETAH circuit for the end-to-end file transfer service. Traffic from other end hosts enters through the Ethernet switch/IP router.]
6
Agenda
- Router Disconnect
- OCS
- AAA
7
Router Disconnect
Research on possible router-disconnect solutions:
- Link bundling (ingress decision support is needed)
- Channelized card
- Traffic shaping
Tried link-bundling and Distributed Traffic Shaping router configurations.
Work in progress:
- Simulations for a paper on the above
- Router disconnect software
8
Link-bundling - How it works
Link bundling groups multiple point-to-point links together into one logical link. A virtual interface is created for each link bundle.
You can dynamically add links to and delete links from the virtual interface. The virtual interface is treated as a single interface on which you configure an IP address and the other software features used by the link bundle, instead of configuring them on the individual GE and POS interfaces.
Packets sent to the link bundle are forwarded on one of the links in the bundle. Load balancing is supported on all links in a bundle using per-destination load balancing, based on a hash calculated from the source and destination IP addresses in the IP packet. Per-destination load balancing ensures that the packets of a flow are delivered in order.
9
Channelized OC – How it works
- Use Distributed Multilink PPP to bundle the channelized channels in the default mode.
- Remove or add a certain number of component links (channelized channels) during the mode transfer.
10
Distributed Traffic Shaping – How it works
Shapes the output traffic to the specified bit rate. Excess packets are stored in a buffer in the traffic-shaping queue and transmitted later.
Traffic shaping does not recognize separate STS channels, and DTS does not support channelized cards. Hence it cannot be used for router disconnect.
11
Software Interface Architecture
[Figure: Cheetah host -(1)-> Interface software -(2)-> Router, with (3) the acknowledgement back to the Cheetah host; the interface software sits between the signaling protocol and the router.]
1. The interface software accepts a signaling message (a Cheetah circuit reserve or release message).
2. The interface software translates the signaling message into the corresponding CLI commands that make the router perform link bundling or unbundling.
3. The interface software acknowledges to the Cheetah host that the router disconnect is done.
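The following is an added example, not the CHEETAH project's own interface software: a model of the signaling-to-router interface described in steps 1-3, built on the link-bundle behaviour from the link-bundling slide. The bundle keeps a list of member links and picks a member per flow by hashing the source and destination addresses (so one flow always stays on one link and its packets stay in order); a reserve message pulls a member out of the bundle for the circuit and a release message returns it. The message format, the interface names and the CLI strings are hypothetical placeholders, not any vendor's real syntax.

```python
import hashlib
import ipaddress


class LinkBundle:
    """A logical link made of member interfaces (names are placeholders)."""

    def __init__(self, members):
        self.members = list(members)

    def select_link(self, src_ip, dst_ip):
        """Per-destination load balancing: hash the source and destination
        addresses so one flow always uses the same member and stays in order."""
        if not self.members:
            raise RuntimeError("bundle has no member links")
        key = ipaddress.ip_address(src_ip).packed + ipaddress.ip_address(dst_ip).packed
        digest = hashlib.sha256(key).digest()
        return self.members[int.from_bytes(digest[:4], "big") % len(self.members)]


class InterfaceSoftware:
    """Sits between the signaling protocol and the router (steps 1-3 above)."""

    def __init__(self, bundle, bundle_name="bundle-1"):
        self.bundle = bundle
        self.bundle_name = bundle_name
        self.reserved = {}  # circuit id -> member link taken out of the bundle

    def handle(self, message):
        """Step 1: accept {"op": "RESERVE"|"RELEASE", "circuit": id, "link": name}
        (hypothetical message format). Returns (ack for the Cheetah host,
        list of CLI lines for the router)."""
        op = message.get("op")
        circuit = message.get("circuit")
        if op == "RESERVE":
            link = message.get("link")
            if link not in self.bundle.members:
                return self._ack(circuit, "NACK", "link is not a bundle member"), []
            if len(self.bundle.members) == 1:
                # never strip the bundle bare: the primary IP path must survive
                return self._ack(circuit, "NACK", "cannot remove the last bundle member"), []
            self.bundle.members.remove(link)
            self.reserved[circuit] = link
            # step 2: placeholder CLI that unbundles the link for the circuit
            cli = [f"interface {link}", f"no bundle-member {self.bundle_name}"]
            return self._ack(circuit, "DONE", "link unbundled for circuit"), cli
        if op == "RELEASE":
            link = self.reserved.pop(circuit, None)
            if link is None:
                return self._ack(circuit, "NACK", "unknown circuit"), []
            self.bundle.members.append(link)
            cli = [f"interface {link}", f"bundle-member {self.bundle_name}"]
            return self._ack(circuit, "DONE", "link returned to bundle"), cli
        return self._ack(circuit, "NACK", "unknown operation"), []

    @staticmethod
    def _ack(circuit, status, reason):
        # step 3: acknowledgement sent back to the Cheetah host
        return {"circuit": circuit, "status": status, "reason": reason}


if __name__ == "__main__":
    bundle = LinkBundle(["POS0/1", "POS0/2"])   # constructed member names
    software = InterfaceSoftware(bundle)
    print(software.handle({"op": "RESERVE", "circuit": "c1", "link": "POS0/2"}))
    print(bundle.select_link("10.0.0.1", "10.0.1.7"))
    print(software.handle({"op": "RELEASE", "circuit": "c1"}))
```

Only messages whose link is currently a bundle member are acted on, and the last member is never removed, so a malformed or replayed reserve cannot leave the router without its primary path.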
12
Simulations
Use OPNET to simulate router disconnect.
Statistics of interest:
- Good throughput ratio (%) = throughput before router disconnect / throughput after router disconnect
- FTP response time ratio (%) = FTP response time before router disconnect / FTP response time after router disconnect
- Other parameters?
14
OCS – Working Status
- The OCS server is configured (server address: 134.74.17.77) using the DNS software BIND (Berkeley Internet Name Domain).
- A TXT-type resource record in the DNS database is used to store the OCS information.
- A web page has been created for OCS lookup (no additional software is needed on the client side).
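As an added example (not the project's OCS lookup page or BIND configuration), the following standard-library code builds a DNS TXT query and parses the TXT answer, which is the lookup a client performs when OCS information is kept in TXT resource records. The name ocs.example.net, the record strings and the constructed reply are sample values; the offline check uses build_txt_response to fabricate a server reply, while query_txt_over_udp performs a live lookup against a given server address.

```python
import random
import socket
import struct

QTYPE_TXT = 16
QCLASS_IN = 1


def encode_name(name):
    """Encode a dotted host name as DNS labels."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) < 64:
            raise ValueError("bad label length")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def build_txt_query(name, txid):
    """Header with RD set plus one question for TXT/IN."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", QTYPE_TXT, QCLASS_IN)


def skip_name(msg, off):
    """Return the offset just past a (possibly compressed) name."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:   # compression pointer: two bytes end the name
            return off + 2
        off += 1 + length


def parse_txt_response(msg, expected_txid):
    """Return the TXT strings from the answer section; checks id, QR bit and rcode."""
    if len(msg) < 12:
        raise ValueError("truncated header")
    txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    if txid != expected_txid:
        raise ValueError("transaction id mismatch")
    if flags & 0x8000 == 0:
        raise ValueError("not a response")
    if flags & 0x000F != 0:
        raise ValueError("rcode %d" % (flags & 0x000F))
    off = 12
    for _ in range(qd):                      # skip echoed question(s)
        off = skip_name(msg, off) + 4
    strings = []
    for _ in range(an):
        off = skip_name(msg, off)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        rdata = msg[off:off + rdlen]
        off += rdlen
        if rtype != QTYPE_TXT or rclass != QCLASS_IN:
            continue
        i = 0                                # TXT RDATA: <len><chars> items
        while i < len(rdata):
            n = rdata[i]
            strings.append(rdata[i + 1:i + 1 + n].decode("ascii", "replace"))
            i += 1 + n
    return strings


def build_txt_response(query, strings):
    """Constructed server reply for offline use: echoes the question, adds one TXT RR."""
    txid = struct.unpack("!H", query[:2])[0]
    question = query[12:]
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0)
    rdata = b"".join(bytes([len(s)]) + s.encode("ascii") for s in strings)
    rr = b"\xc0\x0c" + struct.pack("!HHIH", QTYPE_TXT, QCLASS_IN, 300, len(rdata)) + rdata
    return header + question + rr


def query_txt_over_udp(name, server_ip, timeout=2.0):
    """Live lookup against a DNS server (not exercised offline)."""
    txid = random.randrange(0, 0x10000)
    query = build_txt_query(name, txid)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(query, (server_ip, 53))
        reply, _ = sock.recvfrom(4096)
    return parse_txt_response(reply, txid)
```

The parser refuses replies whose transaction id does not match the query it sent; a plain UDP TXT lookup otherwise carries no integrity protection, so anything a client does with the returned OCS information should treat it as unauthenticated input.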
16
AAA – Working Status
A proprietary AAA system has been established (reference: http://www.stockholmopen.net).
Work in progress:
- Install the Generic AAA
- Compare the proprietary AAA and the Generic AAA
- Interface either of the two AAAs to the Cheetah system
17
Our proprietary AAA system
18
Components of our AAA
- Web server (134.74.17.77)
- RADIUS client
- RADIUS server
- Access control daemon/scripts
- DHCP server
- PostgreSQL database (134.74.17.77/pg/)
19
RADIUS - Remote Authentication Dial In User Service
20
Key features of RADIUS Accounting (RFC 2866)
- Client/server model: the RADIUS protocol uses a shared key to send the authentication and accounting messages.
- A Network Access Server (NAS) operates as a client of the RADIUS server. The client is responsible for passing authentication and accounting information to a designated RADIUS server.
- The RADIUS server is responsible for receiving the authentication and accounting requests and returning a response to the client indicating that it has successfully received the request.
- The RADIUS server can act as a proxy client to other kinds of AAA servers.
- All transactions are comprised of variable-length Attribute-Length-Value 3-tuples. New attribute values can be added without disturbing existing implementations of the protocol.
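As an added example, not code from the page's AAA system, the block below encodes a RADIUS Accounting-Request and the matching Accounting-Response exactly as RFC 2866 lays them out, showing the two features above: the Attribute-Length-Value encoding and the shared-secret authenticators that let the server check the NAS's request and the NAS check the server's reply. The attribute type codes are the RFC 2865/2866 values; the shared secret, user name and session id are constructed, and the NAS address is the page's 134.74.17.77.

```python
import hashlib
import hmac
import struct

ACCT_REQUEST, ACCT_RESPONSE = 4, 5
# attribute type codes from RFC 2865 / RFC 2866
USER_NAME, NAS_IP_ADDRESS, ACCT_STATUS_TYPE, ACCT_SESSION_ID = 1, 4, 40, 44
ACCT_STATUS_START = 1


def avp(attr_type, value):
    """Attribute-Length-Value: type (1 octet), length (1 octet, counts the
    header), value (1..253 octets)."""
    if isinstance(value, int):
        value = struct.pack("!I", value)
    elif isinstance(value, str):
        value = value.encode("utf-8")
    if not 1 <= len(value) <= 253:
        raise ValueError("attribute value length out of range")
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def parse_avps(data):
    """Walk the attribute list; bad lengths are rejected rather than guessed."""
    out, i = [], 0
    while i < len(data):
        if i + 2 > len(data):
            raise ValueError("truncated attribute header")
        t, length = data[i], data[i + 1]
        if length < 2 or i + length > len(data):
            raise ValueError("bad attribute length")
        out.append((t, data[i + 2:i + length]))
        i += length
    return out


def build_acct_request(ident, secret, attrs):
    """NAS side. RFC 2866 section 3: Request Authenticator =
    MD5(Code + Identifier + Length + 16 zero octets + Attributes + Secret)."""
    body = b"".join(attrs)
    head = struct.pack("!BBH", ACCT_REQUEST, ident, 20 + len(body))
    auth = hashlib.md5(head + bytes(16) + body + secret).digest()
    return head + auth + body


def verify_acct_request(packet, secret):
    """Server side: recompute the authenticator with the 16 zero octets."""
    if len(packet) < 20:
        return False
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if code != ACCT_REQUEST or length != len(packet):
        return False
    expected = hashlib.md5(packet[:4] + bytes(16) + packet[20:] + secret).digest()
    return hmac.compare_digest(expected, packet[4:20])


def build_acct_response(request, secret, attrs=b""):
    """Server side. Response Authenticator =
    MD5(Code + Identifier + Length + RequestAuthenticator + Attributes + Secret)."""
    head = struct.pack("!BBH", ACCT_RESPONSE, request[1], 20 + len(attrs))
    auth = hashlib.md5(head + request[4:20] + attrs + secret).digest()
    return head + auth + attrs


def verify_acct_response(response, request, secret):
    """NAS side: the reply must carry the request's identifier and a valid
    authenticator computed over the request's authenticator."""
    if len(response) < 20:
        return False
    code, ident, length = struct.unpack("!BBH", response[:4])
    if code != ACCT_RESPONSE or ident != request[1] or length != len(response):
        return False
    expected = hashlib.md5(response[:4] + request[4:20] + response[20:] + secret).digest()
    return hmac.compare_digest(expected, response[4:20])


def example_start_record(secret):
    """Constructed Accounting-Start for user 'alice' from NAS 134.74.17.77."""
    return build_acct_request(7, secret, [
        avp(USER_NAME, "alice"),
        avp(NAS_IP_ADDRESS, bytes([134, 74, 17, 77])),
        avp(ACCT_STATUS_TYPE, ACCT_STATUS_START),
        avp(ACCT_SESSION_ID, "0001"),
    ])
```

The MD5-with-secret construction is the one the RFC mandates, so the check is only as strong as the shared key and the surrounding transport; constant-time comparison of the authenticators avoids leaking the verification result through timing.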
21
Generic AAA – RFC 2903, 2904
The Basic Authorization Entities
[Figure, after RFC 2904: a User box beside two boxes, the User Home Organization (containing an AAA Server) and the Service Provider (containing an AAA Server and Service Equipment).]
22
Glossary
- User: the entity seeking authorization to use a resource or a service.
- User Home Organization (UHO): an organization with whom the User has a contractual relationship, which can authenticate the User and may be able to authorize access to resources or services.
- Service Provider: an organization which provides a service.
23
Single Domain Case
In general, the User Home Organization and the Service Provider are different entities or different "administrative domains".
In the simplest case, the User Home Organization and the Service Provider may be combined as a single entity.
We use the Single Domain Case to describe three authorization sequences.
24
Authorization Sequences
- Agent sequences
- Pull sequences
- Push sequences
25
Agent Sequences
[Figure, after RFC 2904: the User exchanges messages 1 and 4 with the Service Provider's AAA Server, which exchanges messages 2 and 3 with the Service Equipment.]
Example: a regular user may ask for 1 Mb/s bandwidth (1). The bandwidth broker (AAA Server) tells the router (Service Equipment) to set this user into the 1 Mb/s "queue" (2). The router responds that it has done so (3), and the bandwidth broker tells the User the bandwidth is set up (4).
26
Pull Sequences
The pull sequence is what is typically used in the Dialin application, Mobile-IP proposal, and some QoS proposals. The User sends a request to the Service Equipment (1), which forwards it to the Service Provider's AAA Server (2), which evaluates the request and returns an appropriate response to the Service Equipment (3), which sets up the service and tells the User it is ready (4).
[Figure, after RFC 2904: the User exchanges messages 1 and 4 with the Service Equipment, which exchanges messages 2 and 3 with the Service Provider's AAA Server.]
27
Push Sequences
The push sequence requires that the User get from the Service Provider's AAA Server a ticket or certificate verifying that it is o.k. for the User to have access to the service (1,2). The User includes the ticket in the request (3) to the Service Equipment. The Service Equipment uses the ticket to verify that the request is approved by the Service Provider's AAA Server. The Service Equipment then sends an o.k. to the User (4).
[Figure, after RFC 2904: the User exchanges messages 1 and 2 with the Service Provider's AAA Server and then messages 3 and 4 with the Service Equipment; there is no direct message between the AAA Server and the Service Equipment.]
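The three single-domain sequences above, run as an added example that is not part of the slides or of RFC 2904: a User, an AAA Server holding a per-user bandwidth policy, and Service Equipment that configures a queue. The agent and pull sequences differ only in which party the User talks to, while the push sequence needs a ticket the Service Equipment can check on its own, which is modelled here as an HMAC over the claims under a key shared by the AAA Server and the Service Equipment. The key, the policy table, the user names and the bandwidth numbers are constructed, and the ticket format is an assumption of this example.

```python
import hashlib
import hmac
import json
import time


class AAAServer:
    def __init__(self, ticket_key, policy):
        self.key = ticket_key        # shared with the Service Equipment (push case)
        self.policy = policy         # user -> maximum bandwidth in Mb/s (constructed)

    def authorize(self, user, bw):
        return bw <= self.policy.get(user, 0)

    def issue_ticket(self, user, bw, ttl=60):
        """Push case: a signed statement the equipment can verify offline."""
        if not self.authorize(user, bw):
            return None
        claims = {"user": user, "bw": bw, "exp": int(time.time()) + ttl}
        body = json.dumps(claims, sort_keys=True).encode()
        return body, hmac.new(self.key, body, hashlib.sha256).hexdigest()


class ServiceEquipment:
    def __init__(self, ticket_key):
        self.key = ticket_key
        self.queues = {}             # user -> configured bandwidth

    def configure(self, user, bw):
        self.queues[user] = bw

    def verify_ticket(self, ticket, user, bw, now=None):
        """Reject a forged MAC, a ticket for another user, one that grants
        less than requested, or one that has expired."""
        body, mac = ticket
        expected = hmac.new(self.key, body, hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, mac):
            return False
        claims = json.loads(body)
        now = time.time() if now is None else now
        return claims["user"] == user and claims["bw"] >= bw and claims["exp"] > now


def agent_sequence(user, bw, aaa, equipment):
    trace = ["1 User->AAA: request %s Mb/s" % bw]
    if not aaa.authorize(user, bw):
        trace.append("4 AAA->User: denied")
        return False, trace
    trace.append("2 AAA->Equipment: set queue")
    equipment.configure(user, bw)
    trace.append("3 Equipment->AAA: done")
    trace.append("4 AAA->User: bandwidth set up")
    return True, trace


def pull_sequence(user, bw, aaa, equipment):
    trace = ["1 User->Equipment: request %s Mb/s" % bw, "2 Equipment->AAA: forward"]
    ok = aaa.authorize(user, bw)
    trace.append("3 AAA->Equipment: %s" % ("accept" if ok else "reject"))
    if ok:
        equipment.configure(user, bw)
    trace.append("4 Equipment->User: %s" % ("ready" if ok else "denied"))
    return ok, trace


def push_sequence(user, bw, aaa, equipment):
    trace = ["1 User->AAA: request ticket for %s Mb/s" % bw]
    ticket = aaa.issue_ticket(user, bw)
    if ticket is None:
        trace.append("2 AAA->User: denied")
        return False, trace
    trace.append("2 AAA->User: ticket")
    trace.append("3 User->Equipment: request + ticket")
    ok = equipment.verify_ticket(ticket, user, bw)   # no call to the AAA Server
    if ok:
        equipment.configure(user, bw)
    trace.append("4 Equipment->User: %s" % ("ok" if ok else "rejected"))
    return ok, trace
```

In the push sequence the Service Equipment never contacts the AAA Server, so everything it relies on (who the ticket is for, how much it grants, until when) has to be inside the signed body; a ticket that only said "approved" could be replayed by any user for any amount.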
28
What is “Roaming”
Roaming: the User Home Organization is not the Service Provider.
Examples of roaming include an ISP selling dial-in ports to other organizations, or a Mobile-IP provider allowing access to a user from another domain.
29
Roaming Agent Sequence
[Figure, after RFC 2904: the User exchanges messages 1 and 4 with the User Home Organization's AAA Server, which exchanges messages 2 and 3 with the Service Provider's AAA Server; the Service Provider's AAA Server configures its Service Equipment.]
30
Roaming Pull Sequence
[Figure, after RFC 2904: the User exchanges messages 1 and 4 with the Service Provider's Service Equipment; the Service Provider's AAA Server exchanges messages 2 and 3 with the User Home Organization's AAA Server.]
31
Roaming Push Sequence
[Figure, after RFC 2904: the User obtains a ticket from the User Home Organization's AAA Server (messages 1 and 2) and presents it to the Service Provider (messages 3 and 4).]
32
Distributed Services
Any service that is provided by more than one Service Provider is a distributed service.
An example would be a user who requires a QoS service for a session that crosses multiple ISPs.
[Figure, after RFC 2904: the User is connected to Org1 and through it to Org2; each organization contains an AAA Server and Service Equipment.]
33
Policy
- Policy retrieval
- Policy evaluation
- Policy enforcement
34
Policy Retrieval
Policy definitions are maintained and stored in a policy repository by the organization that requires them.
Policy retrieval is typically done by the administration that defines the policy.
An example policy may define the times of day that a particular User is allowed to connect to the network.
35
Policy Evaluation
Evaluation of a policy requires access to the information referenced by the policy. Often the required information is not available in the administration where the policy is retrieved.
For example, checking that a user is allowed to log in at the current time can readily be done by the User Home Organization, because the User Home Organization has access to the current time. But authorizing a user who requires a 2 Mb/s path with fewer than 4 hops requires information available at a Service Provider and not directly available to the UHO.
So the UHO must either 1) have a way to query a remote administration for the needed information, 2) forward the policy to the remote administration and have the remote administration do the actual evaluation, or 3) attempt somehow to "shadow" the authoritative source of the information (e.g. by having the Service Provider send updates to the UHO).
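An added example, not taken from RFC 2904 or the slides, of the two login-hours and 2 Mb/s path policies discussed above, evaluated the first two ways the text lists: each condition is tagged with the administration that holds its attribute, so the UHO evaluates what it can locally and either queries the remote administration for the missing attribute (option 1) or forwards the remaining conditions for the remote side to evaluate (option 2). The attribute names, the rules and the remote lookup are constructed; the Service Provider is modelled as a dictionary and a callback.

```python
LOCAL = "uho"   # attribute held by the User Home Organization
REMOTE = "sp"   # attribute held by the Service Provider


class Policy:
    def __init__(self, name, conditions):
        # conditions: list of (attribute name, holding administration, predicate)
        self.name = name
        self.conditions = conditions


def evaluate_with_queries(policy, local_facts, query_remote):
    """Option 1: the UHO evaluates every condition itself and fetches the
    attributes it does not hold from the remote administration.
    Returns (decision, attributes that had to be fetched)."""
    fetched = []
    for attr, holder, predicate in policy.conditions:
        if holder == LOCAL:
            if attr not in local_facts:
                raise KeyError("local attribute missing: %s" % attr)
            value = local_facts[attr]
        else:
            value = query_remote(attr)    # may raise if the SP is unreachable
            fetched.append(attr)
        if not predicate(value):
            return False, fetched         # first failing condition decides
    return True, fetched


def evaluate_by_forwarding(policy, local_facts, remote_evaluate):
    """Option 2: the UHO decides the local conditions, then hands the remote
    conditions to the remote administration for evaluation. A policy that
    already fails locally is never forwarded."""
    local = [c for c in policy.conditions if c[1] == LOCAL]
    remote = [c for c in policy.conditions if c[1] == REMOTE]
    for attr, _holder, predicate in local:
        if not predicate(local_facts[attr]):
            return False
    if not remote:
        return True
    return bool(remote_evaluate(remote))


# constructed policies: login hours (UHO knows the time) and a 2 Mb/s path
# with fewer than 4 hops (the SP knows the hop count)
LOGIN_HOURS = Policy("login-hours", [("hour", LOCAL, lambda h: 8 <= h < 18)])
FAST_PATH = Policy("2Mbps-path", [
    ("user_max_bw", LOCAL, lambda b: b >= 2),
    ("path_hops", REMOTE, lambda hops: hops < 4),
])


def service_provider_evaluate(sp_facts):
    """Remote side for option 2: applies the forwarded conditions to its own facts."""
    def evaluate(conditions):
        return all(predicate(sp_facts[attr]) for attr, _holder, predicate in conditions)
    return evaluate


if __name__ == "__main__":
    uho_facts = {"hour": 10, "user_max_bw": 2}          # constructed UHO facts
    sp_facts = {"path_hops": 3}                          # constructed SP facts
    print(evaluate_with_queries(FAST_PATH, uho_facts, sp_facts.__getitem__))
    print(evaluate_by_forwarding(FAST_PATH, uho_facts, service_provider_evaluate(sp_facts)))
```

Tagging each condition with its authoritative administration is what makes the choice between the three options explicit: a policy whose attributes are all local never leaves the UHO, and the set of attributes fetched or forwarded is visible for audit.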
36
Policy Enforcement
Policy enforcement is typically done by the Service Provider on the Service Equipment.
Examples: a NAS enforces destination IP address limits via “filters”; a router may enforce QoS restrictions on incoming packets.