Part I: Introduction

Download Report

Transcript Part I: Introduction

Greek Research Network (GRNET),
National Technical University of Athens (NTUA)
Policy-Based Networking
Introduction, Concepts, Protocols, Products
Presented by
Andreas Polyrakis
[email protected]
04.04.2003
1
What is Policy-Based Networking?
“A modern network management approach
that attempts to control the network
through abstract high-level policies.”
2
RoadMap
 Part I: Policy Based Networks
 The need for PBN
 Policy-Based Networks
• Architecture, advantages, entities
 Part II: COPS
 The COPS base protocol
 COPS-RSVP
 COPS-PR
• PIB, example
 Part III: Current Status
 Part IV: QoS and PBN
3
PART I:
Introduction to
Policy-Based Networking
4
Properties of Modern Networks
 Exponential Growth (size/volume)
 Big variety of managed devices (not only
routers/switches anymore…) and resources.
 Large number of different network services
Converging networks (data, voice, video, web)
 New services (VPN, VoIP)

 Increased complexity (MPLS, DiffServ, RSVP)
Level of abstraction & automation in Network
Management must be raised
 Scalable NM solutions are necessary
5
Traditional NM techniques: CLI
 Command Line Interface NM
 Goals set by the Network Manager
 Each device was programmed to implement these goals
 The devices had to be programmed independently, although
they served similar goals
 When the goals/topology changed, the administrator had to
update all nodes independently
SIGNIFICANT scalability problems
 Consistency issues
 Difficult to implement complex policies
 Lack of automation
 Need for highly-specialized personnel
 Hard to monitor the network
6
Traditional NM techniques: SNMP
 Simple Network Management Protocol (SNMP)
 Managed objects on the devices handled in a unified way
 Raised the level of abstraction
 Allowed some automation
 But…
 SNMP was designed for monitoring – not for configuring devices
 Scalability & efficiency issues
 Still device/vendor dependent
 Configuration still depends on device’s role,
capabilities/limitations, manufacturer and overall network
topology
7
Policy Based Networking (PBN)
 A modern Network Management approach
 Based on policies

E.g., give administrators high priority
 Policies are Abstract, Goal oriented
 (“what” instead of “how”)
 PBN attempts to





Raise the abstraction level
Automate NM
Centralize & simplify network configurations
Simplify supervision
Increase management flexibility
8
PBN Architecture
Key Entities:
 Policy Decision Point (PDP)
 Policy Enforcement Point (PEP)
Operation Concept:
 The Administrator edits
abstract Policies with an
editing tool
 Policies are sent to the
describe network behavior with
a high level of abstraction
(What, not How)
 The policies are processed by
the PDPs – late binding with
network details
 Policies are distributed to the
PEPs as configuration data commands (after being
transformed to the appropriate
form)
9
Advantages of PBN
Advantages:
 Centralized management
 Scalability
 High abstraction  easy
to determine and control
behavior
 Automation  Consistency
 Dynamic binding of policies
 new types of policies,
flexibility
e.g:
Give engineers higher
priority
10
Policy Decision Point (PDP)
 Role of the PDP:
 Receives the high-level policies
 Monitors the network events
 Records the capabilities/limitations of the PEPs
 Produces and updates the configuration data of the PEPs
according to the network policies and network state
 The PDP DOES NOT simply distribute policies:
 Binds the policies with the network state
 Produces the APPROPRIATE configuration data
according to the type of each specific PEP, its role, its
capabilities and its limitations
 The intelligence of the model is mainly
concentrated at the PDP level
11
Policy Enforcement Point (PEP)
 Role of the PEP:
 Receives configuration data from the
PDP
 Always enforces the PDP directions
 The PEP may contain more than
one clients
 Different client-types serve nonoverlapping management area
(Security, QoS, Accounting, …)
12
Policy Console
Policies: What
instead of How:
E.g: The engineers (10.1.1.x)
must have high priority
(DSCP=6)
HOW approach: Remark 10.1.1.x
traffic with DSCP=6
WHAT approach: Give high
priority to Engineers
The policy is still valid even if:
 topology changes (nodes are added/removed/replaced)
 the “engineers” subnet is changed/expanded
 Network services change (e.g. DiffServ is replaced with RSVP)
Also, “engineers” do not need to be associated with a specific
subnet!!!
13
Directory Server
 Secondary role in PBN
 Directories
 Store policy-related information
•
•
•
•

Users & application profiles
Groups
Role of the network devices
Etc
Store policies & distribute them
to the PDPs
• Standard or non-standard
representation of policies
14
Operation Modes
The PEP connects to the PDP,
reports its capabilities/limitations
and requests configuration data
2.
The PDP generates the initial
policies according to the global
policies and current network state
3.
The PDP sends the initial policies in
the form of configuration data
4.
The PEP stores these data and
determines the behavior of the
device according to them
PDP
Policies
Current
state
2 PROCESS
3
DEC
1.
Policy Server
REQ
Initialization
1
BOOT
4 INSTALL
PEP
Device
15
Operation Modes (Cont’d)
Outsourcing (PULL):
Policies
Current
state
4
treated with the existing configuration
data
2. The PEP requests directions to treat
the event
3. The PDP process the request according
PDP
4. The PDP downloads the appropriate
Device
A CHANGE
B
to the current policies/network state
New
Event
5
1
INSTALL
Current
state
Policies
DEC
2
PDP
DEC
REQ
3 PROCESS
1. A new event is detected that cannot be
configuration data
5. The PEP serves this event and all
similar events according to this data
Provisioning (PUSH):
PEP A. The PDP detects changes
B. The PDP sends commands that add,
update or delete configuration data
C. The PEP updates its behavior and
treats future events according to them
C
INSTALL, UPDATE,
DELETE
CONFIGURATION
DATA
PEP
Device
16
PART II:
COPS, the IETF protocol for PBN
17
IETF Standardization
 Policy Framework
 Architecture, terminology, building blocks
 Core and QoS Schema
 RAP (Resource Allocation Protocol)
COPS
 COPS-RSVP, COPS-PR
 PIB (Policy Information Base) definition
…

 Other WGs
18
The COPS Protocol (RFC 2748)
 COPS: Common Open Policy Service
 Developed by the IETF RAP WG
 Standardizes the communication between PDPs and
PEPs
 Design Principles:
Statefull Client-Server protocol, uses TCP
 Reliable, Efficient, fault-tolerant and secure
 PDP @ Policy Server, PEP @ Managed Entity
 The PEP always obeys the PDP
 Both Outsourcing (Pull) and Provisioning (Push) models
 A communication protocol - Does NOT define the
semantics of the exchanged policy data

19
The COPS Protocol (Cont’d)
 The COPS BASE protocol
 Provides a way to communicate policy-related information
between the PDP to the PEP
 Determines the behavior of the entities, as far as the
communication is concerned
 Does not define the semantics of the exchanged data
 Does not describe HOW this data is produced by the PDP or
HOW this data will be interpreted by the PEP
 COPS client-types
 Control different management areas (DiffServ, RSVP,
accounting, Security, etc)
 Each PEP implements one or more clients of various client-types
 Client-types are defined on extra documents (standard or
vendor-specific)
 COPS-RSVP and COPS-PR are such clients
20
COPS Basic Messages
 OPN: Open Connection
OPN
 CAT: Connection Accept
CAT
 CC: Connection Close
KA
PDP1
KA
 KA: Keep Alive
KA
PEP
CC
OPN
CAT
PDP2
CC
21
COPS Basic Messages (Cont’d)
 REQ: Request
REQ
 DEC: Decision
DEC
 RPT: Report
RPT
 SSQ: Synch. Request
 SSC: Synch. Complete
DEC
PEP
RPT
PDP
SSQ
SSC
RPT
22
COPS vs. SNMP
23
Discussion
 Is PBN going to replace SNMP?
 Most probably, no:
• SNMPv3 addresses some issues
• Legacy devices – existing software – trained
personnel
• Good for Monitoring
 Is PBN the only attempt for management
automation?

No, other technologies also exist, e.g.,
Directory-Enabled Networking (Directories are
good for static configuration data, such as IP,
DNS, default PDP, etc)
24
COPS usage for RSVP (RFC 2749)
COPS-RSVP:
 Defines a client-type of COPS for RSVP
 Provides centralized monitoring and control of RSVP
 COPS-RSVP PDPs control COPS-RSVP clients on detwork devices
 PEP performs (though PDP directions):





Admission control
Data classification
Bandwidth management (queuing)
Data policing
RSVP usage report
 Simplified operation example




A Router receives PATH / RESV
Attempts to process and serve locally
If unable to serve locally, forwards to the PDP
Perform admission control according to PDP decision
25
The COPS-PR Protocol (RFC 3084)
COPS for Policy PRovisioning:

Extends COPS (Common Open Policy Service)

A client-type of COPS

PRovisioning mode: The PEP always serves events according to predownloaded policies-the PDP keeps these policies updated

Simpler than COPS (Provisioning mode only)

Not suitable for all management areas (e.g., RSVP)

Initially designed for DiffServ, but seems suitable for several
management areas

Does NOT address a specific management area.
26
Policy Information Base
 A structure similar to a MIB structure
 A tree of PRovisioning Classes (PRCs)
 PRovisioning Instances (PRIs)
 Policies can be constructed as a set of PRIs
 PIBs are pre-defined
 Different PIBs for different policing areas (Diffserv,
Accounting, IP filtering, etc)
27
PIB Example
PRID
2.1.3.2.1
2.1.3.1.2
2.2.1.2.1
2.2.1.2.2
2.2.1.1.1
2.2.1.1.2
VALUE
(100,2)
(4,NO)
(100,2,10)
(100,1,11)
(128.1.1.1,6)
(128.1.1.2,6)
28
COPS-PR Example 1
Policy:
if traffic to IPs 128.1.1.1 or 128.1.1.2 has DSCP=4
then remark it with DSCP=6
Event:
PDP->PEP DEC
PEP connects
Install:
2.1.3.2.1  (100,2)
2.1.3.1.2  (6,NO)
2.2.1.2.1  (100,2,10)
2.2.1.2.2  (100,1,11)
2.2.1.1.1  (128.1.1.1,4)
2.2.1.1.2  (128.1.1.2,4)
PIB (@ PEP)
2.1.3.2.1  (100,2)
2.1.3.1.2  (6,NO)
2.2.1.2.1  (100,2,10)
2.2.1.2.2  (100,1,11)
2.2.1.1.1  (128.1.1.1,4)
2.2.1.1.2  (128.1.1.2,4)
29
COPS-PR Example 2
Policy:
if traffic to engineers has DSCP=4 then remark it with DSCP=6
Event:
PDP->PEP DEC
PEP connects
No Engineer is logged
Two Engineers log on at
128.1.1.1 and 128.1.1.2
if traffic to 128.1.1.1
or 128.1.1.2 has DSCP=4
then remark with DSCP=6
<NULL>
Engineer at 128.1.1.2 logs out
if traffic to 128.1.1.1 has
DSCP=4
then remark with DSCP=6
Remove:
An Engineer logs to 128.1.1.3
(similar to the first case)
Install:
PIB (@ PEP)
<EMPTY>
Install:
2.1.3.2.1  (100,2)
2.1.3.1.2  (6,NO)
2.2.1.2.1  (100,2,10)
2.2.1.2.2  (100,1,11)
2.2.1.1.1  (128.1.1.1,4)
2.2.1.1.2  (128.1.1.2,4)
2.2.1.2.2
2.2.1.1.2
2.2.1.2.2  (100,1,11)
2.2.1.1.2  (128.1.1.3,4)
2.1.3.2.1  (100,2)
2.1.3.1.2  (6,NO)
2.2.1.2.1  (100,2,10)
2.2.1.2.2  (100,1,11)
2.2.1.1.1  (128.1.1.1,4)
2.2.1.1.2  (128.1.1.2,4)
2.1.3.2.1  (100,2)
2.1.3.1.2  (6,NO)
2.2.1.2.1  (100,2,10)
2.2.1.1.1  (128.1.1.1,4)
Similar to the first case
30
PIB Reuse
31
My MSc Thesis in 60’’
Definition of a supplementary COPS-PR client type that increases:
 Efficiency (Bandwidth, monitoring, PDP resources
)
 Distribution (Intelligent PEPs, de-centralized decision and monitoring)
 Robustness (PDP loaded, smaller messages)
 Fault-tolerance (less PDP dependence )
Related Publications:
•
•
•
•
•
•
•
R. Boutaba and A. Polyrakis, "COPS-PR with Meta-Policy Support", IETF, Internet-Draft, April 2001 (www.ietf.org/internetdrafts/draft-boutaba-copsprmp-00.txt).
R. Boutaba and A. Polyrakis, “Towards Extensible Policy Enforcement Points”, IEEE Workshop on Policies for Distributed
Systems and Networks, Bristol, U.K., 29-31 January 2001, pp. 247-261.
R. Boutaba and A. Polyrakis, “Projecting FCAPS to Active Networks”, Proc. IEEE Enterprise Applications and Services
Conference (EntNet@Supercomm 2001), Atlanta, GA, USA, June 2001.
R. Boutaba and A. Polyrakis, “Extending COPS-PR with Meta-Policies for scalable management of IP networks”, Journal of
Network and Systems Management, Special Issue on Management of Converged Networks, Vol. 10, No. 1, March 2002.
R. Boutaba and A. Polyrakis; “Projecting Advanced Enterprise Network and Service Management to Active Networks”, IEEE
Network Magazine, Vol.16 No.1, January 2002, pp 28-33.
A. Polyrakis and R. Boutaba; “The Meta-Policy Information Base”; IEEE Network Magazine, Special issue on Policy Based
Networking, Vol.16 No.2, March/April 2002, pp 40-48.
A. Polyrakis and R. Boutaba; “The Meta-Policy Information Base”, IETF, Internet-Draft, April 2002 (www.ietf.org/internetdrafts/draft-polyrakis-mpib-00.txt).
32
Part III:
Current Status
33
COPS Products
 COPS stack implementations
 COPS servers
 COPS clients
34
Vovida COPS implementation
 Open source COPS stack
 COPS-PR support
 Basic COPS Server, extensible
 Can be used in buliding applications such as:
 Implementing policy based QoS
 Implemetating application level AAA
(Authorization, Authentication and Accouting)
functions in IP telephony
…
35
Intel COPS Implementation
COPS client SDK:
 Open source COPS stack
COPS-RSVP client
 COPS-PR client

• DiffServ PIB

Test PDP (non-extensible)
36
HP PolicyXpert
PBN platform, controls through COPS or CLI:
 Cisco routers
 hewlett-packard pro-curve switches
 Packeteer packetshapers
 Microsoft Windows NT servers
 Uses an hp-defined COPS type
 No Directory integration
37
Cisco COPS QoS Policy Manager
Cisco COPS-QPM:
 COPS Server
 Controls devices through COPS and SMNP
 Supports COPS – RSVP



Catalyst 6000 5.4(1) and 5.4(2)
Cisco 7200 and 7500/RSP routers Cisco IOS® 12.1(1)T
Cisco 2600, 3600, 4500, and 4700 routers
 Supports COPS-PR


Catalyst 6000 switch CatOS 5.4(1) and 5.4(2)
Catalyst 5000 switch CatOS 5.3, 5.4, 5.5 and 6.1
 No Directory integration
38
CISCO COPS-RSVP support
 Appears in IOS 12.1(1)T and later
 COPS-RSVP PDP: COPS-QPM.
 COPS-RSVP PEP: on the router
Enabling COPS-RSVP on a Cisco Router:
Router(config)# ip rsvp policy cops servers
161.44.130.168 161.44.129.6
(Tells the router to request RSVP policy decisions from the servers listed,
Also enables a COPS-RSVP client (PEP) on the router. )
Supported protocols:



RFC 2749, COPS Usage for RSVP
RFC 2205, Resource ReSerVation Protocol (RSVP)
RFC 2748, The COPS (Common Open Policy Service) Protocol
39
Intel® Local Policy Module for COPS
COPS-LPM: Allows Windows 2000 hosts accept
bandwidth, security, and access policies from a policy
server:
 The Win2k ACS (Admission Control Service) acts as a
SBM (Subnet Bandwidth Manager) in the domain
 The ACS outsources admission control to a policy
server through COPS-LPM
 COPS-LPM is used in conjunction with resource RSVP
 Part of the Win2k Resource Kit
40
Nortel Optivity Policy Services
 Designed to manage traffic
prioritization and network
access security
 Targets specific Bay/Passport
routers
 Targets DiffServ (only)



COPS-PR, DiffServ PIB
CLI
802.1p
 Centralized management for
DiffServ policies
 LDAP support (ships with
iPlanet 5)
41
Part IV:
QoS and PBN
42
Why PBN is necessary
 Need for new types of dynamic policies
 Need for automation
 Need for high-level management
43
How?
 COPS-RSVP
 COPS-PR/Diffser PIB
 Other standard COPS clients
• COPS-LPM
• …
 Other non-standard COPS clients
• see the PolicyXpert approach
 Other non-IETF approaches
44
Difficulties
Too many technologies/protocols/architectures:
 Insufficient COPS products
 LDAP necessary
 User authentication in the network. How?
 RSVP vs Diffserv. Mapping.
 SBM, 802.1p…
 Inter-domain policies for user-specific requests.
How?
45
Case study: the GRNET approach
 Solve the problem at the LAN, solve it at the WAN,
police in the boundary
 LAN approach







Directory service
RSVP
Custom tools for non RSVP-enabled applications
Custom tools for user authentication
Traffic marked before entering the WAN
Traffic policed before entering the LAN according to its own
policies
NO COPS at this time, can be supported later
 WAN approach
 DiffServ Domain
 Egress - Shengen Model (Check on Exit, travel free)
 Ingress – Visa Model (Check on entrance)
 SLAs between LANs-WAN or among LANs
46
Presented by Andreas Polyrakis
[email protected]
47