INTERNET DRAFT J. Salowey draft-irtf-aaaarch-aaa-pol-01.txt G. Sliepen A. Taal D. Spence March 2001 Policies in AAA Status of this Memo This document is an Internet-Draft and is in full conformance with all provisions of Section 10 of RFC 2026. Internet-Drafts are working documents of the Internet Engineering Task Force (IETF), its areas, and its working groups. Note that other groups may also distribute working documents as Internet- Drafts. Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress." The list of current Internet-Drafts can be accessed at http://www.ietf.org/ietf/1id-abstracts.txt The list of Internet-Draft Shadow Directories can be accessed at http://www.ietf.org/shadow.html. Copyright Notice Copyright (C) The Internet Society (2000). All Rights Reserved. Abstract This document defines some terms related to the Generic AAA architecture. The first section describes some broad aspects of such an architecture. The second section looks at the various aspects and types of policy that come into play in an AAA architecture. The third section will describe some of the components of a single policy. This work is preliminary and is expected to be complimented by other work from the AAAARCH research group such as [POLICY MODEL] and [POLICY ACCOUNTING]. This document is also meant as an extension to the [POLICY] document from the Policy Framework working group. Some terms from the [POLICY] document are also defined in this document, to make it more J. Salowey et al. Expires: September 2001 [Page 1] Internet Draft Policies in AAA March 2001 self-contained. Where possible, the meaning of the terms has been kept the same. Please note however that the primary focus of this document is the AAAARCH research group, and hence some descriptions may deviate from those given in the [POLICY] document. Comments on this document should be sent to the mailing list of the IRTF AAA architecture [AAAARCH] mailing list: aaaarch@fokus.gmd.de. 1. Generic descriptions 1.1 The Generic AAA Architecture The goal of the Generic AAA Architecture is to control and provide authentication, authorization and accounting for systems and environments based on the policies set by the administrators and users of the system. Much of this section is based on [RFC2903]. The following terms specify some of the broader aspects of the generic AAA architecture: o AAA Domain A single administrative domain. Contains a collection of one or more AAA services owned by the same organizational entity. Note that every AAA Service belongs to one AAA domain, but an AAA domain can contain many AAA Services. Note that this is slightly different from a "policy domain" as defined in [POLICY]. o AAA Server / AAA Service A Service that performs one or more of the following functions: accounting, authentication and authorization. An AAA Server is contained within a single device and is not spread across multiple servers. An AAA Server such as a RADIUS server is an example of an AAA service. The definition of an AAA Service is broader than that of an AAA Server, for example it also includes Service Equipment that authorizes use based on evaluating various Policies. o Application Specific Module (ASM) A component of an AAA Service that allows Policies to influence Service Equipment. Service Equipment can be anything, and therefore there is no standard API to communicate with. An ASM however does have a standard API, and it can be used to translate requests into something the Service Equipment understands. J. Salowey et al. Expires: September 2001 [Page 2] Internet Draft Policies in AAA March 2001 o Policy As defined in [POLICY]: 1. A definite goal, course or method of action to guide and determine present and future decisions. "Policies" are implemented or executed within a particular context (such as policies defined within a business unit). 2. Policies as a set of rules to administer, manage, and control access to network resources. In the Generic AAA Architecture, Policies are expressed as policy rules. A "simple" policy rule consists of a policy condition and a policy action. The policy condition is evaluated and depending on the evaluation of the condition a policy action is taken or not. A RBE will evaluate the policy condition to take a policy decision. Based on the outcome, the RBE will execute the policy action. o Request A Request is any kind of message that asks for a service. There are lots of different requests (see [OBJMSG]), and many ways to send a request to the service, for example via the push, pull or agent model as described in [RFC2904]. A Request will initiate the evaluation of one or more Policies, which may execute some Actions and return a response. o Rule Based Engine (RBE) A RBE may be generic and able to process rules of a given type with little or no knowledge of an application. In other cases the RBE may be application specific. In general, a RBE in service equipment is application specific. A generic RBE may enlist the help of an Application Specific Module (ASM) to evaluate some policies. A policy decision may result in either a true or false, which may then result in an action that assigns a value to an attribute, retrieve or generate another policy rule or call a certain function. If the result is a policy rule, then its condition needs to be resolved to determine the next action. This rule may be parsed locally or may be forwarded to another AAA service. o Service Equipment (SE) J. Salowey et al. Expires: September 2001 [Page 3] Internet Draft Policies in AAA March 2001 Term used for equipment like (but not limited to) smart switches, routers, firewalls, bandwidth brokers, network access equipment, et cetera. 2 Policies The following sections provide terms for some aspects of policies, such as where they are located, where they are evaluated and what their purpose is. Please note that for a specific policy, more than one of the terms described below might apply. If this is the case, avoid ambiguities by combining the terms that apply. As an example, a policy that is stored on a remote AAA Service, is evaluated by the Generic RBE, but mainly interacts with an ASM to set some metering parameters can thus be described as a "Remote Application Specific Metering Policy". 2.1 Location of Policies Policies must be obtained before they can be evaluated. We break the location of policy into a few categories. Please note that policies cannot be labeled with these terms as if the location is an intristic aspect. It rather depends on the viewpoint you take. o Distributed Policy A Distributed Policy is a set of Local and/or Remote policies that all need to be evaluated to give an answer to a specific request. In a degenerated form it can be a single policy in one AAA Service, but it can also be multiple policies in the same AAA Service or in different AAA Services. o Local Policy A Policy stored in an AAA Service. This policy would have been provisioned to the service sometime in the past (for example by putting it into its Policy Repository), so it is available when it needs to be evaluated. o Remote Policy A Policy that is stored on a remote AAA Service. The policy may be obtained through push or pull mechanisms from the remote AAA Service so it may be evaluated locally. A Remote Policy may also be evaluated remotely at the request of the AAA service. J. Salowey et al. Expires: September 2001 [Page 4] Internet Draft Policies in AAA March 2001 2.2 Distribution of Policies across Domains In complex environments it is possible for policies to be distributed across several AAA Domains. o Extra-domain Policy Is stored and administered in a foreign domain. It can be evaluated in the foreign domain in response to a request from the local domain. o Inter-domain Policy A Policy that crosses administrative domain boundaries, either by push or pull mechanisms. Inter-domain Policies may originate in a foreign domain and be evaluated in the local domain, or it may originate in the local domain and be evaluated in a foreign domain. If it is specific to Distributed Policies, then it means that the Distributed Policy consists of multiple Policies which do not all live in the same administrative domain. o Intra-domain Policy Originate from and are evaluated entirely within a single administrative domain. They may be distributed throughout multiple AAA services and policy repositories, however all of these are part of the same service provider domain. 2.3 Policy niche There is a big difference between Policies that are meant to be interpreted by different parts of an AAA Service. To make a clear distinction between those types of policies, the following terms are introduced: o Application Proprietary Policy In other cases the Policy is in a format or language that must be evaluated by an application specific RBE, in this case the Policy (and attributes) must be passed to the Application Specific Module to be evaluated. The AAA Service does not evaluate these policies, it only transports them. o Application Specific Policy A Policy that a generic RBE may be able to evaluate, but depends J. Salowey et al. Expires: September 2001 [Page 5] Internet Draft Policies in AAA March 2001 heavily on interaction with an Application Specific Module. o Generic Policy A Policy that can be and is meant to be interpreted by the Rule Based Engine of the Generic AAA Server itself, not by any other component like an ASM or Service Equipment. 2.4 Policy types This section looks at various specific types of policy that an Generic AAA Architecture deals with directly or indirectly. The distinction between the policies in this section are not based on the place (niche) in the AAA environment where they live, but on their contents or purpose. o Accounting Policy Accounting Policies govern the generation, transportation and storage of accounting data. Accounting data may be used for trend analysis, capacity planning, and billing. o Attribute Conflict Policy It is possible that attributes may conflict. This may also be resolved by signaling an error condition, overriding, or intersection. It is also possible that an attribute may be expected to have more than one value. In other cases attributes may be out of range. How this is resolved is determined by the Attribute Conflict Policy. o Attribute Forwarding Policy In many cases it is important not to send attributes to another party for privacy reasons. Attribute Forwarding Policies determine which attributes can be forwarded, under what conditions and how they must be protected (perhaps encrypted so only an AAA Service at the end of the evaluation chain can read it). o Auditing Policy Auditing Policies deal with information that is collected for auditing purposes. Auditing verifies the correctness of operation. o Authentication Policy J. Salowey et al. Expires: September 2001 [Page 6] Internet Draft Policies in AAA March 2001 An Authentication Policy has to deal with how authentication is performed. For example, in evaluating a certificate, such a policy may determine where CRL's are kept and how often they are re-issued. It may also determine how to deal with multi-byte character passwords. Authentication Policies are typically used where authentication is performed, however the Policy used during authentication may be used as context information when evaluating the Authorization Policy. For example, authorization policy may require information about what kind of authentication was used, whether CRL's were checked, forwarded Kerberos tickets were used, et cetera. o Authorization Policy Authorization Policies deal with granting different types of access to a particular object. Typically, an Authorization Policy statement is made up of the following: 1) Access identity: the identity of the entity requesting access. 2) Grantor identity: the identity of an entity granting permissions. 3) Access rights: the actions available to be performed on a certain object. 4) Conditions: additional criteria that must be met to grant the requested access. ACL based authorization uses access control lists associated with objects. The ACLs contain the identities allowed certain access to an object. Capability based authorization stores a list of grantors that can grant permission (capability) to certain access to an object. Evaluation of a Authorization Policy typically needs the identity of the accessor and/or the grantor. The identity may be authorized to take on group membership, which can be used along with or instead of the original identity. Identities may represent users, hosts, or applications. Identities do not have to be directly traceable back to the original entity they represent (this may be desirable for privacy reasons). Anonymous or anybody may be a valid identity in some systems. Authorization Policies that extend beyond more than one domain may be more complicated. Not only must the end user be authorized, but access to resources in other domains must be J. Salowey et al. Expires: September 2001 [Page 7] Internet Draft Policies in AAA March 2001 authorized against service level agreements between domains. o Billing Policy Billing Policies deal with pricing and charging for service. o Boot Policy A Policy that will be retrieved from the Policy Repository and evaluated right after the AAA Service has started. It can be used to set default parameters on the AAA Service, ASMs and/or Service Equipment. o Configuration Policy In many cases policy rules and attributes must be presented in an application format so they can be processed by another device. A Configuration Policy determines how the results of one policy evaluation are translated into an application specific form so they can be evaluated by service equipment. o Driving Policy The first Policy that will be retrieved from the Policy Repository upon the reception of a Request. It might be that there is one Policy in an AAA Service that is always consulted first, or it might be that each time a different one is retrieved depending on the contents of the request. o Metering Policy Metering Policies govern how information about the usage of resources will be collected and measured. o Policy Conflict Policy In evaluating Policies conflicts may arise (see the definition of "policy conflicts" in [POLICY]). Conflicts may occur at the policy rule level where two rules conflict. For example it may be that one rule says "if it is past 11AM then Joe can have a beer" and another rule may say "if it is before 11AM then Joe can have a beer". Policy conflicts can be resolved in several ways. One may choose to error out and not evaluate the policy, one policy may override the other, or the policies may be intersected in some way ("Joe can have a beer as long as it is not exactly 11AM"). A Policy Conflict Policy determines how policy conflicts are J. Salowey et al. Expires: September 2001 [Page 8] Internet Draft Policies in AAA March 2001 resolved in a system. Some policy conflicts can be resolved in a Generic RBE. In other cases specific knowledge of the application is needed to resolve the conflict. o Privacy Policy Privacy Policies deal with how and to whom collected data is disclosed. For example a Privacy Policy may dictate that actual user identities may not be directly traceable to a particular session without the cooperation of the user's home organization. o Registration Policy Registration Policies deals with how users and other entities are registered on the network and how credentials are created and distributed. One example of Registration Policy is a password policy: how often are passwords renewed, how long must a password be, how many characters, is there a dictionary check, et cetera. Another example of Registration Policy is the policy associated with a PKI: how is the identity of a user verified when the certificate is issued, what is in the certificates et cetera. o Security Policy Security Policies govern the requirements for secure transactions. This type of policy creates additional requirements for the above policies. For example it may require that strong authentication always be used and that all data must be encrypted when traversing a network. o Service Allocation Policy One of the conditions authorization to a service may depend upon is the current utilization and availability of a service. An AAA service would evaluate service allocation before allowing access to a service. It verifies whether the resources requested are available and may specify rules to follow if they are becoming scarce. Some examples: 1) if utilization<.7 then Answer=Yes else if utilization <.8 and PrivilegeClass>1 then Answer=Yes else if utilization <.9 and PrivilegeClass>2 then Answer=Yes else Answer=No 2) if Status(Queue1)=NotCongested then Queue=1 else if Status(Queue2)=NotCongested then Queue=2 else Queue=3 J. Salowey et al. Expires: September 2001 [Page 9] Internet Draft Policies in AAA March 2001 o Service Specification Policy This type of Policy is specified by the user and determines what service is desired under what conditions. For example a user may say: if (cost < 50) request = 100 else request 10 3. Policy components Policies are made up of several components, and although we do not give a description of how policies are made or look like, we can identify some parts that will definitely belong to any Policy: o Policy Action Something that effectively tells some Service Equipment to really do something. It can be a parameter that is changed or a command that is given to an ASM to effectuate this. o Policy Attribute Any data element that can be processed by a Policy Rule. For example, an Attribute Value Pair that was supplied in a request, or an application specific attribute that was retrieved through an ASM. o Policy Condition A boolean expression, for example like "(bandwidth > 50) AND accesslevel = 10". o Policy Rule Almost anything you can describe with an if..then..else clause. References [AAAARCH] Authorization, Authentication and Accounting ARCHitecture research group, http://www.phys.uu.nl/~wwwfi/aaaarch/ [OBJMSG] D. Spence, "Data Objects and Message Types in the Generic AAA Architecture", draft-spence-aaaarch-objmsg-00.txt, January 2001 [POLICY] A. Westerinen et al., "Policy Terminology", draft-ietf- policy-terminology-02.txt, February 2001 J. Salowey et al. Expires: September 2001 [Page 10] Internet Draft Policies in AAA March 2001 [POLICYACCT] G. Carle, S. Zander and T. Zseby, "Policy-based Accounting", draft-irtf-aaaarch-pol-acct-01.txt, September 2000 [POLICYMODEL] A. Taal, G. Sliepen and D. Spence, "Policies in AAA", draft-taal-aaaarch-generic-pol-01.txt, March 2001 [RFC2903] C. de Laat, L. Gommans, G. Gross, D. Spence and J. Vollbrecht, "Generic AAA Architecture", RFC 2903, August 2000 [RFC2904] J. Vollbrecht et al., "AAA Authorization Framework", RFC 2904, August 2000 Authors' Addresses Joseph Salowey Cisco Systems Building 20 725 Alder Drive Milpitas, CA 95035 USA Phone: +1 408 525 6381 Email: jsalowey@cisco.com Guus Sliepen Physics and Astronomy department Utrecht University Pincetonplein 5 3584 CC Utrecht Netherlands Phone: +31 30 2537724 Phone: +31 30 2537555 Email: sliepen@phys.uu.nl Arie Taal Physics and Astronomy department Utrecht University Pincetonplein 5 3584 CC Utrecht Netherlands Phone: +31 30 2537556 Phone: +31 30 2537555 Email: taal@phys.uu.nl J. Salowey et al. Expires: September 2001 [Page 11] Internet Draft Policies in AAA March 2001 David W. Spence Interlink Networks, Inc. 775 Technology Drive, Suite 200 Ann Arbor, MI 48108 USA Phone: +1 734 821 1203 Fax: +1 734 821 1235 Email: dspence@interlinknetworks.com J. Salowey et al. Expires: September 2001 [Page 12] --