RSVP Policy Control using XACML
Pontifícia Universidade Católica do Paraná (PUC-PR), Brazil
Emir Toktar, Edgard Jamhour, Carlos Maziero
Presented by: Emir Toktar ([email protected])
Emir Toktar - Policy 2004

Summary
- Motivation
- Proposal
- RSVP Policy Control
- XACML Framework
- XACML Extensions
- Example
- Conclusions
- Future Works

Motivation
- Many IETF publications on QoS management are based on PCIM extensions.
  - PCIM is an information model.
  - PCIM deployment can be complex.
- XACML offers an alternative for defining policies in XML.
  - A model suited for business-level policies.
  - Easy to understand and deploy.
- Acronyms: IETF, Internet Engineering Task Force; OASIS, Organization for the Advancement of Structured Information Standards; PCIM, Policy Core Information Model; XACML, eXtensible Access Control Markup Language.

Motivation (continued)
- RSVP Policy Control is an "access control" problem, suited to be addressed by XACML.
- However, to properly address the RSVP case, additional RSVP information (e.g. the Tspec) must be returned together with the access control decision. This requires XACML extensions.
- Policy Control is not Admission Control.

Proposal
- Define XACML extensions for addressing the RSVP Policy Control issue.
- Compare the XACML-based framework with the IETF PCIM-based framework with respect to policy definition and framework implementation.

RSVP Policy Control [RFC 2753]
- Manages the use of network resources and services based on policies derived from criteria such as the identity of users and applications, traffic/bandwidth requirements, security considerations and time-of-day/week.
- These are business-level policies, i.e. they can be addressed by XACML.

RSVP Admission Control
- Only takes into account the requester's resource reservation request and the available capacity.
- The available capacity is stateful information held in the routers, and it is not addressed in our proposal.
XACML Policy Language Model
[Figure: UML class diagram of the XACML policy language model. A PolicySet has one Policy Combining Algorithm, one Target and zero or more Policies; a Policy has one Rule Combining Algorithm, one Target, zero or more Rules and optional Obligations; a Target holds one or more Subjects, Resources and Actions; a Rule has one Effect, an optional Target and an optional Condition.]

XACML Example
- Policy = Multimedia, Rule Combining Algorithm = Deny-Overrides
- Rule 1 = UsersRegs, Effect = Permit
  - Target: Subject = [email protected], Resource = VideoServer, Action = login
  - Condition: >08h00 and <17h00
- Meaning: "the user [email protected] can login on a Video Server in the period between 08:00AM and 05:00PM".

XACML Framework adapted to RSVP
[Figure: the Multimedia Server (sender) embeds the PEP; the RSVP client is the receiver; the PDP (Policy Server) holds Policy.xml, Resources.xml and Subjects.xml, which the policy references through uri-ref#xpointer(). Flow: request connection; the PEP sends the XACML Request context to the PDP and receives the XACML Response context; the server then issues the RSVP PATH message and the receiver answers with RESV through the router.]
- The PEP element is a component of the server application.
- The PEP is responsible for all integration with the RSVP daemon.
- The application is released from any task of QoS negotiation.
- This approach can be implemented in any system that supports RSVP APIs.
- XACML doesn't define any policy transaction protocol between PDP and PEP.

XACML Problems
- Resource and user information is supposed to be defined in the policy document.
- Reusing resource and user information requires creating references to external information.
- The issue of addressing external information was not well developed in XACML 1.1.

Proposal
- Use the XPointer language to create policies with reusable user and resource information.
[Figure: the RSVP Policy Set (XACML) refers through uri-ref#xpointer() to a Resource Repository (XML), holding information about network services with RSVP support including the required Tspec, and to a User Repository (XML), holding information about users and their attributes.]

Proposal: the strategy adopted for describing an RSVP policy

    <?xml version="1.0" encoding="UTF-8" ?>
    <PolicySet PolicySetId="RSVP_Aware_server_Application">
      <Target>...</Target>  <!-- Defines the Services (RESOURCES) to which the policy applies -->
      <Policy PolicyId="Service Level 1">  <!-- Policy 1 - e.g. SERVICE GOLD -->
        <Rule>
          <Target> <!-- Subjects to which the policy applies --> </Target>
          <Condition> <!-- Time and client's IP address restrictions --> </Condition>
        </Rule>
        <Obligations> <!-- Tspec specifications for Service Level 1 --> </Obligations>
      </Policy>
      <Policy PolicyId="Service Level 2">...</Policy>  <!-- Policy 2 - e.g. SERVICE SILVER -->
      <Policy PolicyId="Service Level 3">...</Policy>  <!-- Policy 3 - e.g. SERVICE BRONZE -->
      <Policy PolicyId="Default Policy">...</Policy>   <!-- Policy 4 - usually Deny All -->
    </PolicySet>

(Elements collapsed in the XML editor view of the slide are shown as "...".)

Proposal (continued)
- QoS information is returned in the Obligations.
- A single service can offer different service levels.
- An XML schema for the RSVP parameters used to build the PATH message: Tspec {r, b, p, m, M}, type of service (GS / CL) and reservation style, as described in RFC 2210 and RFC 2215.

Example
a) Registered students have permission to access any server in the campus offering a "TutorialVideoStreaming" service, without time restrictions. If a student connects to a server from a client host inside the campus, he receives a "GOLD" or "SILVER" service level; otherwise he receives the "BRONZE" service level.
b) Unregistered students can access the "TutorialVideoStreaming" service only from the internal network and outside business hours. They can receive only the "BRONZE" service level.
Scenario example
[Figure: the receiver (RSVP client, 192.168.0.1) requests a connection to the TutorialVideo service on the Multimedia Server (sender, 192.168.200.10), which hosts the PEP. The PEP sends the XACML Request context below (action getResourceQoS) to the PDP (Policy Server); the server then sends PATH to the receiver and RESV returns through the router.]

XACML Request context:

    <Subject>
      <Attribute AttributeId="...:subject-id">etoktar</Attribute>
      <Attribute AttributeId="...:ip-address:receiver">192.168.0.1</Attribute>
    </Subject>
    <Resource>
      <Attribute AttributeId="...:resource-id">TutorialVideo</Attribute>
      <Attribute AttributeId="...:ip-address:sender">192.168.200.10</Attribute>
    </Resource>
    <Action>
      <Attribute AttributeId="...:action-id:ServerAction">getResourceQoS</Attribute>
    </Action>

Example of Service Document (Resources.xml)

    <?xml version="1.0" encoding="UTF-8"?>
    <service serviceId="TutorialVideoStreaming">
      <description>tutorial videos in the university campus</description>
      <sap>...</sap>
      <serviceLevel serviceId="Gold">
        <ResourceRsvp AttributeId="qosG711" RsvpClass="G711">...</ResourceRsvp>
      </serviceLevel>
      <serviceLevel serviceId="Silver">
        <ResourceRsvp AttributeId="qosH261Q" RsvpClass="H261QCIF">...</ResourceRsvp>
      </serviceLevel>
      <serviceLevel serviceId="Bronze">
        <ResourceRsvp AttributeId="qosH263C" RsvpClass="H263CIF">...</ResourceRsvp>
      </serviceLevel>
    </service>

Example of User Document (Subjects.xml)

    <?xml version="1.0" encoding="UTF-8"?>
    <subjects>
      <user>
        <cn>Emir Toktar</cn>
        <sn>Toktar</sn>
        <uid>etoktar</uid>
        <mail>[email protected]</mail>
        <businessCategory>RegisteredStudent</businessCategory>
      </user>
      <user>
        <cn>Luiz Cesar</cn>
        <sn>Cezar</sn>
        <uid>lcezar</uid>
        <mail>[email protected]</mail>
        <businessCategory>RegisteredStudent</businessCategory>
      </user>
      <user>...</user>
      <user>
        <cn>Guest</cn>
        <uid>guest</uid>
        <businessCategory>UnregisteredStudent</businessCategory>
      </user>
      <user>...</user>
      <user>...</user>
      <user>...</user>
    </subjects>

Example of Policy Document (Policy.xml)

    <?xml version="1.0" encoding="UTF-8" ?>
    <PolicySet PolicySetId="TutorialVideo" xmlns="..." xmlns:xsi="..." xsi:schemaLocation="..."
               PolicyCombiningAlgId="...:policy-combining-algorithm:first-applicable">
      <Target>...</Target>
      <!-- Policy 1 -->
      <Policy PolicyId="...:policy:TutorialRegStudentsInternal"
              RuleCombiningAlgId="...:rule-combining-algorithm:first-applicable">...</Policy>
      <!-- Policy 02 -->
      <Policy PolicyId="...:policy:TutorialRegStudentsExternal"
              RuleCombiningAlgId="...:rule-combining-algorithm:first-applicable">...</Policy>
      <!-- Policy 03 -->
      <Policy PolicyId="...:policy:TutorialRegStudentsGuest"
              RuleCombiningAlgId="...:rule-combining-algorithm:first-applicable">...</Policy>
      <!-- Policy 04 - Deny for All -->
      <Policy PolicyId="...:policy:TutorialDenyForOthers"
              RuleCombiningAlgId="...:rule-combining-algorithm:first-applicable">...</Policy>
    </PolicySet>

Example of Policy: PolicySet Target

    <Target>
      <Subjects>...</Subjects>
      <Resources>
        <Resource>
          <ResourceMatch MatchId="...:function:string-equal">
            <...Value>TutorialVideo</...>
            <...Designator ...="...:resource-id"/>
          </ResourceMatch>
          <ResourceMatch MatchId="...:function:xpath-node-match">
            <...Value>http://pdp/resources.xml#xpointer(//service[@serviceId="TutorialVideoStreaming"]/sap/inetaddress/text())</...>
            <...Designator ...="...:ip-address:sender"/>
          </ResourceMatch>
        </Resource>
      </Resources>
      <Actions>...</Actions>
    </Target>

(The ...Designator elements read their values from the request context; the value of the xpath-node-match is a uri-ref#xpointer() reference that Policy.xml resolves against Resources.xml.)

Example of Policy #1

    <Policy PolicyId="...:TutorialRegStudentsInternal" RuleCombiningAlgId="...">
      <Target>...</Target>
      <Rule RuleId=".:Reg_Studens_Internal_Get_Gold_Silver" Effect="Permit">
        <Target> <!-- other elements were suppressed -->
          <SubjectMatch MatchId="...:function:xpath-node-match">
            <...Value>http://pdp/subjects.xml#xpointer(//subjects/user[businessCategory='RegisteredStudent']/uid/text())</...>
            <...Designator ...="...:subject-id"/>
          </SubjectMatch>
          <ActionMatch MatchId="...:function:string-equal">
            <...Value ...>getResourceQoS</...>
            <...Designator ...="...:action-id:ServerAction"/>
          </ActionMatch>
        </Target>

(Again the ...Designator elements read from the request context; the rule continues on the next slide.)
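The two xpath-node-match elements above compare a request-context attribute (sender IP address, subject-id) with the text nodes that a "uri-reference#xpointer(expression)" reference selects in Resources.xml or Subjects.xml. The following Python is an added example, not the authors' Java/sunxacml implementation of that function: it parses the reference syntax from the "Framework Modifications" slide, resolves it against the two documents (constructed inline from the slides, with a local map standing in for http://pdp/), and returns the match result. It supports only the XPath subset that Python's ElementTree understands plus a trailing /text(), and it rejects unknown documents and schemes rather than silently matching nothing.

```python
import re
import xml.etree.ElementTree as ET

# Constructed copies of the two documents shown on the slides (abbreviated).
RESOURCES_XML = """<service serviceId="TutorialVideoStreaming">
  <description>tutorial videos in the university campus</description>
  <sap>
    <inetaddress>192.168.200.10</inetaddress>
    <inetaddress>192.168.200.25</inetaddress>
    <inetaddress>192.168.5.3</inetaddress>
    <protocol>TCP</protocol>
    <port>8976</port>
  </sap>
</service>"""

SUBJECTS_XML = """<subjects>
  <user><cn>Emir Toktar</cn><uid>etoktar</uid>
        <businessCategory>RegisteredStudent</businessCategory></user>
  <user><cn>Luiz Cesar</cn><uid>lcezar</uid>
        <businessCategory>RegisteredStudent</businessCategory></user>
  <user><cn>Guest</cn><uid>guest</uid>
        <businessCategory>UnregisteredStudent</businessCategory></user>
</subjects>"""

# Hypothetical stand-in for fetching the documents the policy references:
# a closed map, so a policy cannot make the PDP dereference an arbitrary URL.
DOCUMENTS = {
    "http://pdp/resources.xml": RESOURCES_XML,
    "http://pdp/subjects.xml": SUBJECTS_XML,
}

# "full XPointer" syntax from the slides: uri-reference#xpointer(xptr-expr)
_XPOINTER = re.compile(r"^(?P<uri>[^#]+)#xpointer\((?P<expr>.+)\)$")


def parse_xpointer(reference):
    """Split 'uri#xpointer(expr)' into (uri, expr); any other scheme is an error."""
    m = _XPOINTER.match(reference.strip())
    if m is None:
        raise ValueError("unsupported reference syntax: %r" % reference)
    return m.group("uri"), m.group("expr")


def select_text_nodes(reference):
    """Resolve the reference and return the text of every node it selects."""
    uri, expr = parse_xpointer(reference)
    if uri not in DOCUMENTS:
        raise LookupError("document not known to the PDP: " + uri)
    if not expr.endswith("/text()"):
        raise ValueError("only /text() selections are supported here")
    path = expr[: -len("/text()")]
    # ElementTree has no absolute '//' step: wrap the document so that its
    # document element is a descendant, then evaluate relative to the wrapper.
    wrapper = ET.Element("document")
    wrapper.append(ET.fromstring(DOCUMENTS[uri]))
    if path.startswith("//"):
        path = "." + path
    return [(el.text or "").strip() for el in wrapper.findall(path)]


def xpath_node_match(reference, request_value):
    """xpath-node-match: true iff the request attribute equals a selected text node."""
    return request_value in select_text_nodes(reference)
```

Errors are raised, not turned into a "no match", because a PDP that cannot evaluate a match should report Indeterminate rather than pretend the policy simply did not apply.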
Example of Policy Document #1 (continued)

        <!-- continuation of the Rule -->
        <Condition FunctionId="...:function:or">  <!-- IP intranet range -->
          <Apply FunctionId="...:function:any-of">
            <Function FunctionId="...:function:regexp-string-match"/>
            <...Value ...>192.168.0.*</...>
            <...Designator ...="...:ip-address:receiver" .../>
          </Apply>
        </Condition>
      </Rule>
      <Obligations>
        <Obligation ObligationId="...:GoldSilverStudentsInternal" FulfillOn="Permit">
          <AttributeAssignment AttributeId="...:qosG711" ...>http://pdp/resources.xml#xpointer(//service/serviceLevel[@serviceId='Gold']/ResourceRsvp/*)</AttributeAssignment>
          <AttributeAssignment AttributeId="...:qosH261Q" ...>http://pdp/resources.xml#xpointer(//service/serviceLevel[@serviceId='Silver']/ResourceRsvp/*)</AttributeAssignment>
        </Obligation>
      </Obligations>
    </Policy>

(The ...Designator for the receiver address reads from the request context.) Note that, as a regular expression, "192.168.0.*" is looser than the 192.168.0.0/24 range it is meant to express: each unescaped dot matches any character and the trailing ".*" matches anything, so an address such as 192.168.05.1 also satisfies the condition. An anchored pattern with escaped dots, or a network-membership test, is needed for the intranet check to be exact.

Example of Policy Document #4

    <!-- Policy 04 - Deny for All -->
    <Policy PolicyId="...:TutorialDenyForOthers" RuleCombiningAlgId="...">
      <Target>
        <Subjects><AnySubject/></Subjects>
        <Resources><AnyResource/></Resources>
        <Actions><AnyAction/></Actions>
      </Target>
      <Rule RuleId="...:Tutorial_Deny_Rule_For_Others" Effect="Deny"/>
    </Policy>

With the first-applicable combining algorithm used by the PolicySet, policies are tried in document order and the first one that evaluates to Permit or Deny decides, so this catch-all Deny policy must stay the last one in the PolicySet.

Example of Response

    <?xml version="1.0" encoding="UTF-8"?>
    <Response xmlns="...:context" xmlns:xsi="..." xsi:schemaLocation="... cs-xacml-schema-context-01.xsd">
      <Result>
        <Decision>Permit</Decision>
        <Status>...</Status>
        <Obligations xmlns="...:policy">
          <Obligation ObligationId="...:qos:GoldSilverStudentsInternal" FulfillOn="Permit">
            <AttributeAssignment AttributeId="RsvpClass#1" DataType="...#string">G711</AttributeAssignment>
            <AttributeAssignment AttributeId="TokenBucketRate_r#1" DataType="...#double">9250.0</AttributeAssignment>
            <AttributeAssignment AttributeId="TokenBucketSize_b#1" DataType="...#double">680.0</AttributeAssignment>
            <AttributeAssignment AttributeId="PeakRate_p#1" DataType="...#double">13875.0</AttributeAssignment>
            <AttributeAssignment AttributeId="MinimumPoliceUnit_m#1" DataType="...#integer">13875</AttributeAssignment>
            <AttributeAssignment AttributeId="MaximumPacketSize_M#1" DataType="...#integer">13875</AttributeAssignment>
            <AttributeAssignment AttributeId="RsvpService#1" DataType="...#string">Guaranteed</AttributeAssignment>
            <AttributeAssignment AttributeId="ServiceQoS#1" DataType="...#string">FF</AttributeAssignment>
            <AttributeAssignment AttributeId="RsvpClass#2" DataType="...#string">H261QCIF</AttributeAssignment>
            <AttributeAssignment AttributeId="TokenBucketRate_r#2" DataType="...#double">12000.0</AttributeAssignment>
            <AttributeAssignment AttributeId="TokenBucketSize_b#2" DataType="...#double">6000.0</AttributeAssignment>
            <AttributeAssignment AttributeId="PeakRate_p#2" DataType="...#double">12000.0</AttributeAssignment>
            <AttributeAssignment AttributeId="MinimumPoliceUnit_m#2" DataType="...#integer">80</AttributeAssignment>
            <AttributeAssignment AttributeId="MaximumPacketSize_M#2" DataType="...#integer">2500</AttributeAssignment>
            <AttributeAssignment AttributeId="RsvpService#2" DataType="...#string">Controlled-load</AttributeAssignment>
            <AttributeAssignment AttributeId="ServiceQoS#2" DataType="...#string">SE</AttributeAssignment>
          </Obligation>
        </Obligations>
      </Result>
    </Response>

The "#1" and "#2" suffixes group the assignments of one service level each (Gold and Silver), which is how the flat obligation structure carries two candidate Tspecs in a single response.

Framework Implementation
- Sun Package for XACML at (URL):
  http://sourceforge.net/projects/sunxacml/
- SUN ONE Studio 4 update 1
- Java 2 SDK, Standard Edition 1.4.2
- The XACML XPath functions are optional and are not implemented in that package.

Framework Modifications for supporting the Proposal
- Used Jaxen to support XPath statements: a stand-alone XPath implementation that works with DOM, JDOM and ElectricXML.
- RSVP XML schema definition: RSVP parameters (Tspec) to support the definitions of Resources (XMLSpy v.5.0, release 4).
- The function xpath-node-match was developed. Syntax of the expressions ("full XPointers"): uri-reference#scheme(expression)scheme(expression)..., with scheme name xpointer(xptr-expr).

Conclusions
- XACML is suited for business-level policies.
- The available framework is easy to use and extend.
- PCIM has not addressed the business-level issue; it is focused on device configuration.
- XACML requires additional specification for creating policies that refer to external documents.
- The obligation structure must be extended to support a more flexible strategy for returning parameters.
- XACML is an open standard that enables the creation of new tools for controlling the management of policies.

Thank you! Questions?
Address them to [email protected]

Backup slide: Example of Service Document - SAP

    <?xml version="1.0" encoding="UTF-8"?>
    <service serviceId="TutorialVideoStreaming">
      <description>tutorial videos in the university campus</description>
      <sap>
        <inetaddress>192.168.200.10</inetaddress>
        <inetaddress>192.168.200.25</inetaddress>
        <inetaddress>192.168.5.3</inetaddress>
        <protocol>TCP</protocol>
        <port>8976</port>
      </sap>
      <serviceLevel serviceId="Gold">
        <ResourceRsvp AttributeId="qosG711" RsvpClass="G711">...</ResourceRsvp>
      </serviceLevel>
      <serviceLevel serviceId="Silver">
        <ResourceRsvp AttributeId="qosH261Q" RsvpClass="H261QCIF">...</ResourceRsvp>
      </serviceLevel>
      <serviceLevel serviceId="Bronze">
        <ResourceRsvp AttributeId="qosH263C" RsvpClass="H263CIF">...</ResourceRsvp>
      </serviceLevel>
    </service>

Backup slide: Example of Service Document - RSVP

    <?xml version="1.0" encoding="UTF-8"?>
    <service serviceId="TutorialVideoStreaming">
      <description>tutorial videos in the university campus</description>
      <sap>...</sap>
      <serviceLevel serviceId="Gold">
        <ResourceRsvp AttributeId="qosG711" RsvpClass="G711">
          <TspecBucketRate_r>9250</TspecBucketRate_r>
          <TspecBucketSize_b>680</TspecBucketSize_b>
          <TspecPeakRate_p>13875</TspecPeakRate_p>
          <TspecMinPoliceUnit_m>340</TspecMinPoliceUnit_m>
          <TspecMaxPacketSize_M>340</TspecMaxPacketSize_M>
          <RsvpService>Guaranteed</RsvpService>
          <RsvpStyle>FF</RsvpStyle>
        </ResourceRsvp>
      </serviceLevel>
      <serviceLevel serviceId="Silver">
        <ResourceRsvp AttributeId="qosH261Q" RsvpClass="H261QCIF">...</ResourceRsvp>
      </serviceLevel>
      <serviceLevel serviceId="Bronze">
        <ResourceRsvp AttributeId="qosH263C" RsvpClass="H263CIF">...</ResourceRsvp>
      </serviceLevel>
    </service>

(Elements collapsed in the XML editor view of the slides are shown as "...".)
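The slides show the Response the PDP returns but not what the PEP inside the RSVP-aware server does with it. The following Python is an added example, not part of the presentation's implementation: it consumes a Response shaped like the one on the "Example of Response" slide (constructed inline here, without the placeholder namespaces, and with the Gold m and M values taken from the Resources.xml backup slide), regroups the "#n"-suffixed AttributeAssignments into one Tspec per service level, and hands the token-bucket fields to the PATH step. The sanity bounds on the Tspec are this example's own, and the PEP fails closed: anything other than an explicit Permit carrying well-formed QoS obligations yields no reservation.

```python
import re
import xml.etree.ElementTree as ET

# Constructed Response, abbreviated from the slide.
RESPONSE_XML = """<Response>
  <Result>
    <Decision>Permit</Decision>
    <Obligations>
      <Obligation ObligationId="qos:GoldSilverStudentsInternal" FulfillOn="Permit">
        <AttributeAssignment AttributeId="RsvpClass#1">G711</AttributeAssignment>
        <AttributeAssignment AttributeId="TokenBucketRate_r#1">9250.0</AttributeAssignment>
        <AttributeAssignment AttributeId="TokenBucketSize_b#1">680.0</AttributeAssignment>
        <AttributeAssignment AttributeId="PeakRate_p#1">13875.0</AttributeAssignment>
        <AttributeAssignment AttributeId="MinimumPoliceUnit_m#1">340</AttributeAssignment>
        <AttributeAssignment AttributeId="MaximumPacketSize_M#1">340</AttributeAssignment>
        <AttributeAssignment AttributeId="RsvpService#1">Guaranteed</AttributeAssignment>
        <AttributeAssignment AttributeId="ServiceQoS#1">FF</AttributeAssignment>
        <AttributeAssignment AttributeId="RsvpClass#2">H261QCIF</AttributeAssignment>
        <AttributeAssignment AttributeId="TokenBucketRate_r#2">12000.0</AttributeAssignment>
        <AttributeAssignment AttributeId="TokenBucketSize_b#2">6000.0</AttributeAssignment>
        <AttributeAssignment AttributeId="PeakRate_p#2">12000.0</AttributeAssignment>
        <AttributeAssignment AttributeId="MinimumPoliceUnit_m#2">80</AttributeAssignment>
        <AttributeAssignment AttributeId="MaximumPacketSize_M#2">2500</AttributeAssignment>
        <AttributeAssignment AttributeId="RsvpService#2">Controlled-load</AttributeAssignment>
        <AttributeAssignment AttributeId="ServiceQoS#2">SE</AttributeAssignment>
      </Obligation>
    </Obligations>
  </Result>
</Response>"""

# Assignment name prefix -> (Tspec key, converter); the '#n' suffix groups
# the assignments of one service level, as on the slide.
FIELDS = {
    "RsvpClass": ("class", str),
    "TokenBucketRate_r": ("r", float),
    "TokenBucketSize_b": ("b", float),
    "PeakRate_p": ("p", float),
    "MinimumPoliceUnit_m": ("m", int),
    "MaximumPacketSize_M": ("M", int),
    "RsvpService": ("service", str),
    "ServiceQoS": ("style", str),
}
REQUIRED = ("class", "r", "b", "p", "m", "M", "service", "style")
_ASSIGNMENT = re.compile(r"^(?P<name>[A-Za-z_]+)#(?P<n>\d+)$")


class PolicyDenied(Exception):
    """The response does not authorise any reservation."""


def validate_tspec(level):
    """Sanity checks of this example (not the paper's): every field present, positive
    rates, peak rate >= bucket rate, m <= M, and known service type and style."""
    missing = [k for k in REQUIRED if k not in level]
    if missing:
        raise ValueError("incomplete service level, missing " + ", ".join(missing))
    if not (level["r"] > 0 and level["b"] > 0 and level["p"] >= level["r"]):
        raise ValueError("inconsistent token bucket parameters")
    if not 0 < level["m"] <= level["M"]:
        raise ValueError("policed unit exceeds maximum packet size")
    if level["service"] not in ("Guaranteed", "Controlled-load"):   # GS / CL
        raise ValueError("unknown service type " + level["service"])
    if level["style"] not in ("FF", "SE", "WF"):   # RFC 2205 reservation styles
        raise ValueError("unknown reservation style " + level["style"])
    return level


def service_levels(response_xml):
    """Service levels granted by a Permit response, in '#n' order; raises otherwise."""
    root = ET.fromstring(response_xml)
    decision = root.findtext("./Result/Decision")
    if decision != "Permit":
        raise PolicyDenied(decision or "no decision")
    groups = {}
    for ob in root.iterfind("./Result/Obligations/Obligation"):
        if ob.get("FulfillOn") != "Permit":
            continue   # attached to another effect, not applicable here
        for a in ob.iterfind("AttributeAssignment"):
            m = _ASSIGNMENT.match(a.get("AttributeId", ""))
            if m is None or m.group("name") not in FIELDS:
                raise ValueError("unexpected assignment " + a.get("AttributeId", "?"))
            key, conv = FIELDS[m.group("name")]
            groups.setdefault(int(m.group("n")), {})[key] = conv((a.text or "").strip())
    if not groups:
        raise PolicyDenied("Permit without QoS obligations")
    return [validate_tspec(groups[n]) for n in sorted(groups)]


def sender_tspec(level):
    """Token-bucket SENDER_TSPEC fields (RFC 2210) handed to the RSVP daemon for PATH."""
    return {k: level[k] for k in ("r", "b", "p", "m", "M")}


def qos_or_none(response_xml):
    """PEP entry point: the granted service levels, or None when no reservation may be made."""
    try:
        return service_levels(response_xml)
    except (PolicyDenied, ValueError, ET.ParseError):
        return None
```

Returning None for a Deny, for a Permit without obligations, for a malformed Tspec and for unparsable input keeps the failure mode uniform: the server falls back to best-effort delivery instead of issuing a PATH with parameters the policy never granted.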