Transcript APNOMS2003

Policy-based Automatic Configuration
of Network Elements in Separate Segments
Tomomi Yoshioka, Tomohiro Igakura, and Toshio Tonouchi
NEC Corporation
Networking Research Laboratories
4-1-1 Miyazaki, Miyamae-ku, Kawasaki-city,
Kanagawa 216-8555, Japan
E-mail: {t-yoshioka@ab, t-igakura@bx, tonouchi@cw}.jp.nec.com
Introduction – Corporate Network
• Large networks always suffer from heterogeneity.
• Networks divided by division firewalls bring inconsistency.
• Evolving corporate network requires frequent management system update.
[Slide 2 figure: a corporate network of clients and servers partitioned by division firewalls, managed by an NMS / policy-based management system]
Issues
[Slide 3 figure: a Policy Server deploying one policy set to policy enforcement points a, b and c]
• General Purpose Policy Control Language such as [Sloman94]
• COPS Policy Server [RFC 2748]
  – Distributes the same policy set to all network elements
  – Supports homogeneous environment only
  – Focuses on the control of a network element.
  – Lacks the ability to describe relationship among managed network elements.
Proposal: Policy-based Automatic Configuration System
• Policy Server:
  – accepts policies that determine messages sent to network elements,
  – receives the control command messages, and forwards each message to the hosts that have to receive it.
• Therefore:
  – this policy-based automatic network control system is able to handle heterogeneity because the Policy Server can receive and send messages to any kind of network element,
  – since the message forwarding is managed with the policy on the server, each network element receives only the messages that relate to the element.
[Slide 4 figure: printer example with the hosts Bob, Printer, Printer Manager, Pager Server and Administrator Console, and the Policy Server]
1. Bob registers his policy in the Policy Server (Message Acceptance Policy: From: Bob; Policy: (policy data); features of NE).
2. The printer sends a control command message (fields To: and To do: (control data)).
3. The Policy Server forwards the message to a host whose policy indicates that it offers that particular service.
Registered message acceptance policies:
  Receiver                Content
  Administrator Console   All errors
  Printer Manager         Printer Error
  Bob                     Paper Jam
  Pager Server            Any severe trouble
Policy-based System Architecture
~Automatic management consistent over separated segments~
• Network structure: Three segments
  – Personnel Department
  – Research Department
  – System Administration Department
• For a Client in the Research Department to use a service offered by the Personnel Department…
[Slide 5 figure: the Client sits behind the Research Department firewall, the AP Service Server behind the Personnel Department firewall, and the Authentication Server and Policy Server in the System Administration Department; the Client reaches the AP Service Server over a VPN]
1. Authentication of a Client
2. Reconfiguration of all relevant firewalls
3. Access to the AP Service Server
VPN: Virtual Private Network
Policy-based System Architecture
~Configuration Sequence~
• A Client logs onto the network control system.
[Slide 6 figure: message sequence, numbered 1 to 9, among the Client (Research Department), the Authentication Server and Policy Server (System Administration Department), the firewalls of the Research and Personnel Departments, and AP Service Server 1 (Personnel Department); the labelled steps are]
4. A request to conduct a further reconfiguration of the firewalls
5. Forward messages requesting reconfiguration
Command message sent by the Client: header "message: send", "messageid: 003", "receivers: /net/fw/" (syncopation), followed by the cDR payload Head sName "ClientNatAndFw"; pName "thruClient"; rID 8; Body sT,"192.168.0.50"; sT,"10.56.33.54"; End
Registered policies: FW of the Research Department: receivers=/net/fw/research/xxx01 (FW ID); FW of the Personnel Department: receivers=/net/fw/personnel/xxx01 (FW ID); AP Service Server 1: sv=vvv01 (Service name), pt=9000 (Port number)
Policy-based System Architecture
~Control Command Message and Policy~
[Slide 7 figure: the control command message and the registered policies, reproduced below with their annotations]
Registered policies:
  FW of the Research Department    receivers=/net/fw/research/xxx01   (FW ID)
  FW of the Personnel Department   receivers=/net/fw/personnel/xxx01  (FW ID)
  AP Service Server 1              sv=vvv01 (Service name), pt=9000 (Port number)
Control command message:
  message: send
  messageid: 003
  receivers: /net/fw/
  (syncopation)
  Head
  sName "ClientNatAndFw";
  pName "thruClient";
  rID 8;
  Body
  sT,"192.168.0.50";
  sT,"10.56.33.54";
  End
Annotations:
  – Header (message, messageid, receivers): the part the Policy Server compares to registered policies.
  – Attribute "receivers" indicates the destination(s) of messages to be forwarded.
  – Payload (Head … End): contains the control command to reconfigure firewalls; the control command is written in "cDR".
  – sName "ClientNatAndFw": command name to be executed.
  – pName "thruClient": parameter name of the command.
  – sT,"192.168.0.50": parameter value, the string data indicating the IP address of the Research firewall.
  – sT,"10.56.33.54": parameter value, the IP address of the Client.
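The following is an added example, not the authors' implementation, of the forwarding decision described on slides 4 and 7: a toy Policy Server that stores registered policies as attribute sets, splits a control command message into the header it compares against policies and the cDR payload it leaves opaque, and forwards the message to every host whose registered receivers path lies under the message's receivers prefix. The prefix-matching rule, the "(syncopation)" line as the header/payload boundary, the cDR parser, and the absolute-path validation on registration are assumptions of this example; the slides only state that the header is compared to registered policies.

```python
"""Toy Policy Server for the control command message and policies on slides
4 and 7.  Added example, not the authors' implementation.  Assumptions: a
policy is a set of key=value attributes registered under a host name; a
message is "key: value" header lines, the "(syncopation)" separator and a cDR
payload; a host receives a message when its registered "receivers" path
starts with the message's "receivers" prefix (prefix matching is assumed)."""

from dataclasses import dataclass

# Control command message from slide 7, embedded as constructed test input.
CONTROL_MESSAGE = """\
message: send
messageid: 003
receivers: /net/fw/
(syncopation)
Head
sName "ClientNatAndFw";
pName "thruClient";
rID 8;
Body
sT,"192.168.0.50";
sT,"10.56.33.54";
End
"""


@dataclass
class Message:
    header: dict   # attributes the Policy Server compares to policies
    payload: str   # cDR control command, opaque to the Policy Server


def parse_message(text):
    """Split a message into its header attributes and its cDR payload."""
    header, payload, in_payload = {}, [], False
    for line in text.splitlines():
        if in_payload:
            payload.append(line)
        elif line.strip() == "(syncopation)":   # header/payload boundary
            in_payload = True
        elif ":" in line:
            key, value = line.split(":", 1)
            header[key.strip()] = value.strip()
    return Message(header, "\n".join(payload))


def parse_cdr(payload):
    """Parse the cDR payload: Head gives the command name and parameter
    name, Body gives the typed parameter values (sT = string)."""
    head, body, section = {}, [], None
    for raw in payload.splitlines():
        line = raw.strip().rstrip(";")
        if line in ("Head", "Body"):
            section = line
        elif line == "End":
            section = None
        elif section == "Head":
            key, value = line.split(None, 1)
            head[key] = value.strip('"')
        elif section == "Body":
            kind, value = line.split(",", 1)
            body.append((kind, value.strip('"')))
    return head, body


class PolicyServer:
    """Keeps registered policies and decides which hosts receive a message."""

    def __init__(self):
        self.policies = {}   # host name -> {attribute: value}

    def register(self, host, **attrs):
        receivers = attrs.get("receivers")
        # A receivers attribute is the host's place in the server's namespace,
        # so reject anything that is not an absolute path (our validation).
        if receivers is not None and not receivers.startswith("/"):
            raise ValueError(f"{host}: receivers must be an absolute path")
        self.policies[host] = attrs

    def deregister(self, host):
        self.policies.pop(host, None)

    def route(self, message):
        """Hosts whose registered receivers path lies under the message's
        receivers prefix; hosts without a receivers attribute never match."""
        prefix = message.header.get("receivers", "")
        if not prefix:
            return []
        return sorted(host for host, attrs in self.policies.items()
                      if attrs.get("receivers", "").startswith(prefix))


def demo():
    """Register the three policies from slide 7 and route the message."""
    server = PolicyServer()
    server.register("FW of the Research Department",
                    receivers="/net/fw/research/xxx01")
    server.register("FW of the Personnel Department",
                    receivers="/net/fw/personnel/xxx01")
    server.register("AP Service Server 1", sv="vvv01", pt="9000")
    message = parse_message(CONTROL_MESSAGE)
    targets = server.route(message)
    head, body = parse_cdr(message.payload)
    return targets, head, body


if __name__ == "__main__":
    targets, head, body = demo()
    print("forward to:", targets)
    print("command:", head, "parameters:", body)
```

Running it forwards the message to both firewalls and not to AP Service Server 1, whose policy carries no receivers attribute. Because matching is done on the registered path rather than on a list kept in the message, a firewall registered later under another segment of /net/fw/ becomes a receiver of the same message without any existing policy being changed, which is the property slide 11 claims for adding a network segment.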
Feature 1
~Plug and Play of a New AP Service Server~
• The server registers itself to the Policy Server.
• The Policy Server reconfigures the related firewalls.
[Slide 8 figure: a new AP Service Server in the Personnel Department, the Policy Server and DHCP Server in the System Administration Department, the Client in the Research Department, and the firewalls between them]
1. A DHCP request is sent to the DHCP server. The DHCP server assigns an IP address to the new AP Service Server and replies with a DHCP reply.
2. The AP Service Server registers its policy into the Policy Server.
3. The AP Service Server reconfigures firewalls.
4. The AP Service Server requests the reconfiguration of the Research Department firewall.
5. The Policy Server also reconfigures the client-side firewall.
DHCP: Dynamic Host Configuration Protocol
Feature 2 ~Automatic Failure Recovery (1)~
• Failed AP Service Server deregistration process
[Slide 9 figure: the Client in the Research Department, the failed AP Service Server 1 and AP Service Server 2 in the Personnel Department, the Fault Management Server and Policy Server in the System Administration Department]
Execution request message to the failed AP Service Server 1
1. Error response
2. Error report
3. Error report forward
4. A request message to deregister AP Service Server 1 policy
Feature 2 ~Automatic Failure Recovery (2)~
• AP Service Server 2 take-over process
[Slide 10 figure: same layout as slide 9, continuing the sequence]
5. Take-over request message
6. Forward of the takeover request message
7. Result for the request
8. Result forward
9. Result return
10. Result notification
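As an added example (not the authors' code), the failure recovery sequence of slides 9 and 10 simulated with one object per participant. Assumptions: each AP Service Server registers a policy naming the service it offers (the sv attribute); an execution request to a failed server comes back as an error response; the Fault Management Server reports that error to the Policy Server, which deregisters the failed server's policy and nominates as take-over server another registered server offering the same service. The message hops through the Policy Server are collapsed into direct calls, and the slides do not say how the real system selects the take-over server.

```python
"""Simulation of automatic failure recovery (slides 9 and 10).  Added
example, not the authors' code; the take-over selection rule (another
registered server with the same sv attribute) is an assumption."""


class APServiceServer:
    def __init__(self, name, service, healthy=True):
        self.name, self.service, self.healthy = name, service, healthy

    def execute(self, request):
        if not self.healthy:
            return {"status": "error", "server": self.name}   # 1. error response
        return {"status": "ok", "server": self.name, "request": request}


class PolicyServer:
    def __init__(self):
        self.registry = {}   # server name -> service name from its policy

    def register(self, server):
        self.registry[server.name] = server.service

    def deregister_failed(self, name):
        """4. Deregister the failed server's policy; return the servers that
        offer the same service and can receive the take-over request."""
        service = self.registry.pop(name)
        return [n for n, s in self.registry.items() if s == service]


class FaultManagementServer:
    def __init__(self, policy_server):
        self.policy_server = policy_server

    def report(self, error):
        """2./3. Error report, forwarded to the Policy Server."""
        return self.policy_server.deregister_failed(error["server"])


class Client:
    def __init__(self, servers, fault_mgmt):
        self.servers = {s.name: s for s in servers}
        self.fault_mgmt = fault_mgmt
        self.trace = []   # numbered steps of the slides as they happen

    def request(self, primary, payload):
        reply = self.servers[primary].execute(payload)
        if reply["status"] == "ok":
            return reply
        self.trace.append(("1. error response", primary))
        candidates = self.fault_mgmt.report(reply)
        self.trace.append(("2-4. error reported, policy deregistered", primary))
        for name in candidates:
            self.trace.append(("5-6. take-over request", name))
            result = self.servers[name].execute(payload)
            self.trace.append(("7-10. result returned", name))
            if result["status"] == "ok":
                return result
        return {"status": "error", "server": None}   # nobody could take over


def demo():
    """AP Service Server 1 has failed; server 2 offers the same service."""
    server1 = APServiceServer("AP Service Server 1", "vvv01", healthy=False)
    server2 = APServiceServer("AP Service Server 2", "vvv01")
    policy_server = PolicyServer()
    for s in (server1, server2):
        policy_server.register(s)
    client = Client([server1, server2], FaultManagementServer(policy_server))
    result = client.request("AP Service Server 1", {"sv": "vvv01", "pt": 9000})
    return result, client.trace, sorted(policy_server.registry)


if __name__ == "__main__":
    result, trace, remaining = demo()
    print(result)
    for step in trace:
        print(*step)
    print("registered after recovery:", remaining)
```

After the run the registry holds only AP Service Server 2 and the client's result came from it; a request to a healthy server never touches the Fault Management Server, and if no server with the same service is registered the client gets an error with no take-over server.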
Feature 3 ~Reconfiguration of Network Segments~
[Slide 11 figure: a new Department b (firewall, AP Service Server b) added beside Department a (AP Service Server a) and the Research Department (Client); the Authentication Server and Policy Server stay in the System Administration Department; steps 3 and 4 run against the Authentication Server and Policy Server, and step 5 reaches the firewalls]
1. Registration of firewall at Department b
2. Registration of AP Service Server b
5. Forward of message requesting reconfiguration
Even if a new network segment is added, existing policies require no modification.
Conclusion & Future Work
• Conclusion
  – We proposed a network control system utilizing our Policy Server and made a proof-of-concept implementation.
  – Important features of this network control system are:
    • Enabling policy control to be applied even in a heterogeneous network environment
    • Adapting policy controls to respect the relationship among network elements
  – The example applications of our system are:
    • Plug and play of a new AP Service Server
    • Automatic failure recovery
    • Reconfiguration of network segments
• Future Work
  – A translator which makes stubs changing protocols from WSDL
  – An application tool which helps administrators to write policy
  – Quantitative evaluation
  – A study of next-generation autonomous system