AlastairJohnson-ControlPlanesAndRADIUSBitses

Download Report

Transcript AlastairJohnson-ControlPlanesAndRADIUSBitses 

NZNOG 2007
Control Planes and RADIUS Bitses
Alastair Johnson
Senior IP Technologist, Alcatel-Lucent
[email protected]
All Rights Reserved © Alcatel-Lucent 2006, #####
Agenda
Introduction
What is AAA?
 A
 A
 A
Types of AAA
What, Why, How?
Triple Play
Issues
Q&A
2 | Presentation Title | Month 2006
All Rights Reserved © Alcatel-Lucent 2006, #####
Introduction
Solution Design IP guy for Alcatel-Lucent Professional Services in NZ and AU.
Support many clients, mostly telcos or large ISPs/carriers.
Focus on ‘next gen’ and ‘IP transformation’
Experience analyzing and deploying large carrier Control Plane solutions
ISP Background, too.
3 | Presentation Title | Month 2006
All Rights Reserved © Alcatel-Lucent 2006, #####
What is AAA?
AAA is
 Authentication
 Validation of an identity and credentials, and allowing a subscriber to receive the service(s)
requested.
 Authorisation
 Identify and grant network access to a subscriber, based on authentication, time of day, service
type, where they are on the network, etc.
 Tunneling…
 Accounting
 Network resource utilisation accounting data, allowing you to “route money”.
 Audit
 If you’re scary.
4 | Presentation Title | Month 2006
All Rights Reserved © Alcatel-Lucent 2006, #####
What is AAA cont’d
Many protocols, common ones:
 RADIUS (RFC 2809/2865/2866/2867/2868/2869)
 DHCP (RFC 2131)
 Diameter (RFC 3588)
 TACACS+ (draft-grant-tacacs-02)
So we care a lot about getting people online and supporting the network
infrastructure around that.
5 | Presentation Title | Month 2006
All Rights Reserved © Alcatel-Lucent 2006, #####
RADIUS
RADIUS
 FreeRADIUS
 XT RADIUS, Gnu RADIUS
 Alcatel 5750 SSC
 Bridgewater Service Controller
 Juniper/Funk Steel Belted RADIUS
 RADIATOR by Open Systems
 Lucent Navis RADIUS
 But we ate them, so…
6 | Presentation Title | Month 2006
All Rights Reserved © Alcatel-Lucent 2006, #####
DHCP
Alcatel 5750 SSC
 Bridgewater Systems DHCP Service Controller
ISC DHCP
Many other DHCP implementations
7 | Presentation Title | Month 2006
All Rights Reserved © Alcatel-Lucent 2006, #####
Control Planes
Not your data or forwarding plane
Part of your management plane – somewhat
Provision services, subscribers, manage elements, identities.
Link them.
Your AAA platform forms part of your Network Control Plane.
8 | Presentation Title | Month 2006
All Rights Reserved © Alcatel-Lucent 2006, #####
Why?
Authentication of subscribers
 We really want to only have paying customers online
 But do we need a password?
Authorisation
 Perhaps we want to tunnel them somewhere, or apply policy…
Accounting
 We like getting paid!
Policy Decision and Enforcement
 So, we have authorisation… lets give it some policy.
Subscriber identity and network location
9 | Presentation Title | Month 2006
All Rights Reserved © Alcatel-Lucent 2006, #####
How?
Authorisation and policies
 Vendor specific attributes for pre-configured NAS policy
 We know who the subscriber is (identity), and we know where they are (access).
 We can return some policy which makes them jump through tricks.
Accounting
 Session Start records
 Session Interim records
 Sometimes too much information can hurt
 Session Stop records
Authentication
 Identity
 Ways of integrating your identity management
10 | Presentation Title | Month 2006
All Rights Reserved © Alcatel-Lucent 2006, #####
Why?
Because we need to control access to our network
Because we need to bill for that same access, in some manner.
Because it’s “all about the user (subscriber)”
11 | Presentation Title | Month 2006
All Rights Reserved © Alcatel-Lucent 2006, #####
A normal network topology for delivering broadband services:
CPE
Network
Control
Plane
DSLAM
Transport
BRAS/
LAC
AAA
Control
Plane
Customer
DB
Accounting
12 | Presentation Title | Month 2006
All Rights Reserved © Alcatel-Lucent 2006, #####
LNS
Triple Play
Buzzword.
Voice, Video, Internet, converged over a single access service, and delivered to a
subscriber by a single provider.
Requires intensive end-to-end quality of service.
Requires a lot of policy, and changes to that policy “in service”.
Interaction between your subscriber control plane, and your network control plane.
Builds upon the previous AAA changes.
13 | Presentation Title | Month 2006
All Rights Reserved © Alcatel-Lucent 2006, #####
Session State
Really quite cool.
We know where subscribers are on the network, so what can we do with it?
We can determine IP address pools, provisioning, and whether a subscriber is
online.
Perform actions based on that.
Cause events.
14 | Presentation Title | Month 2006
All Rights Reserved © Alcatel-Lucent 2006, #####
Common AAA Disasters
15 | Presentation Title | Month 2006
All Rights Reserved © Alcatel-Lucent 2006, #####
Slightly More Common AAA Disasters
Generally, AAA is overlooked by companies. We need it, but we don’t invest.
Peak demand, and average demand, and why ensuring we engineer for multiples of the peak demand is
real important.
Redundancy.
Geographical redundancy.
Proxy events can cause knockon problems.
Poor subscriber linkage
Poor documentation
Often not really understood by the people who run it.
16 | Presentation Title | Month 2006
All Rights Reserved © Alcatel-Lucent 2006, #####
Remember
AAA helps you route money from the subscriber to you.
17 | Presentation Title | Month 2006
All Rights Reserved © Alcatel-Lucent 2006, #####
Q&A
Any questions?
18 | Presentation Title | Month 2006
All Rights Reserved © Alcatel-Lucent 2006, #####
Thank You!
Contact me off-list if you have any queries about my RADIUS server.
19 | Presentation Title | Month 2006
All Rights Reserved © Alcatel-Lucent 2006, #####
www.alcatel-lucent.com
20 | Presentation Title | Month 2006
All Rights Reserved © Alcatel-Lucent 2006, #####