"[slides]" means there was stuff I didn't write down and one should
the presentation slides for info.
IRTF/IETF AAAarch meeting 49th IETF 10-Dec-2000 San Diego
interim meeting in Jan/Feb
hope to have a roud of drafts submitted for rfcs by spring IETF 2001
sponsored this room and the t-shirts.
goal to figure out how to do AAA between apps, user orgs, with postulated "brokers" in the mix
the lines between entities in the diagram rep SLAs and perhaps security associations
the fact that these are SLAs are impt
qos + network access
sip conns + netwk bandwidth
distrib academic course admin
b2b e-commerce stuff
tasks in AAAarch
generic aaa server
lots of related ietf stuff
updated doc from -00 to -01
Policy Language: what do we need?
gave examples of distinctions between "accounting policies" and
SLA seen as the "information base"
drives the provisioning and config of the accounting environment.
Future work & open issues
derivation of policies from sla
binding of user ids to sessions and accounting data is a key aspect,
where the session id doc comes in.
AAA servers need to exchange and parse policies
there's network environment issues wherein it isn't possible to
have a policy
eval'd at a "remote" server.
e.g. proxy environ.
home agent not reachable
goal of the policy draft
actions attached to results of subexpr
can do computations on varbs
actions can send ? to ASMs (?) [slides]
what possible ways to express policies?
DNF disjunctive normal form
off the shelf parsers around
supports strict def of policy language
xml is just a "preparser"
extending the language means extending and spreading new DTDs (but this is
byte-compiled: optimizes execution time
hard to check for validity
analogy with smartcards
(claim that smartcards provide many of the things we need for AAA)
Termination of distributed policies
TTL, timeout?, loop detection, all the usual stuff in here
must AAA servers resolve them or must policy implementors?
IBM Courteous Logic Programming?
how to represent actions? AVPs?
Policy Language - is v. open question
termination of eval of distrib policies.
Strasner question: are you postulating all AAA servers are omipotent
equally-capable. original policy doc acknowledged conflicts but didn't really
main point is to try to align policy terminology
where is draft going?
should be merged into policy working groups
parts into other docs, specfic to authn
entirely within one domain
origs in a diff domain
Ed ques: in ipsec there's a policy exch when setting up a tunnel --
multiple levels of policy exchange going on or need to go on, some might need
to get negotiated, so this concept ought to be included into the terminology.
strasner: in ipsec one goes thru neg to construct a policy, and in other
settings, pol is already constructed and simply needs to be eval'd.
Application vs. generic policy
eval'd by generic aaa server
eval'd w/ help from ASM
opaque to generic aaa?
specific policy types
e.g. registration, authn, authz, etc.
RLBob: what about term to describe hierarchically-related domains?
would be nice to have a common terminology basis between aaaarch & policy-wg
had policy terminology bofs at a couple of past ietf meetings.
pol terminology is being worked on in the policy-wg by AD fiat.
goal is no creativity -- not attempting a taxonomy. want to doc the way
words are presently being used today, in order to keep them from being
want to bridge gaps & diffs
usage of draft
as a resource to constrain term migration & creep.
51 terms defined presently, 31 acronyms
scaned & incorp'd many diff docs
using rfc 2828 techniques
filter in terms of packet filtering
there's an SLA bof (this meeting?)
want input from IRTF aaaarch folks
want to go to last call as soon has have this input
[again, not wanting to do a taxonomy]
JV: so since aaaarch is doing a taxonomy + defining terms, how do we
JS: one can do a taxonomy w/o doing an explicity definition doc.
Ed?: we can get in input that we can this week, but there'll be more
do after the meeting.
www based services
JV: it doesn't say anything about the rel between authn ids and session ids.
SZ: need some input on that sort of stuff.
Interdomain SIP usage with AAA and QoS (with SIP mobility)
there's related drafts in other WGs with "sip" in their filenames
VoD -- voice over data?
MA "Media agent"
APS "Application and policy server"
slide for "Call setup for interdomain SIP call with AAA and QoS"
in telephony community there's two concepts: if you don't have qos,
doesn't go thru. another is if you don't get qos, give the end user a choice
whether to put the call thru (at reduced cost) or not.
ques: what's relation in this work to work in the session id doc. are
specific reqs about what entities need to keep knowledge of some of the state
from the "call" afterwards?
ans: there's a notion in sip of "call id", and that needs to be
JV: (some question about
ques: any policy exchange provided for?
Multi-kingdom AAA with Krb v5
Association is a rel btwn two endpoints
contexts consists of specific context attrs that are used to establish,
maintain, and release associations.
krb sec contexts
sec contexts cover only the krb application exchange and not the comm with
end to end mode
data is opaque to interstitial kingdoms
hop by hop mode
data decrypt & re-encrypt at each hop
need a combo of these modes
use hop-by-hop to send info along path that each interstitial kingdom needs
to see, use end2end for stuff that needs to be seen just by each end.
dependency on data modeling
need to know the distinctions btwn diff data so it is used in the proper
sec association type
JV: what's key here is sep of authn and authz in "some very interesting ways"
(taxonomy of the various message types that entities in the AAA model
need to exchange)
(taxonomy of various "top level" objects that gett passed around)
ques: list of top level objects is nicely abstracted, except "authn
-- lots of authn mechs don't know how to challenge.
ans: it's just a place holder for if some info needs to flow in the
rlbob: there could be an unlimited # of exchanges in doing the authn
exchange(s), so maybe calling it "challenge" is too specific.
rlbob: is there a higher-level agregation of these objects? have you
it or decided not to do it that way? (object modeling?)
daves: (his answer went down into more detail instead of going "up"
agregated objects -- missunderstood question?)
looking at making a video about AAA reqs.
www.ispworld.com -- article on AAA and thsi group (boardwatch zine)
AAAarch is 1 yr old now.
slide on the different perspectives on AAA from a requester (user) asks
agent, pull, push
do we need these three models? too much, not enough? discuss on list.
the prior work on having a PDP and PEP
generic AAA engine that uses applciation specific engine as necessary (in
PDP), and then..
communicates with PEP.
RBE - rule based engine
asm - application spec. module
2. there is a global addres space btwn the rbe and the asm
3. there is only generic stuff in the rbe and all the application specific
stuff is in the ASMs
4. the rel btwn AAA servers is symmetric
rels in pcitural model
type 1-7 comm.
internal struc in model
global address space
revine layered model
scalable aaa server model
ques: we're straying outside of aaaarch's orig domain? e.g. resource
discovery, complexity due to genericism?
we need to think about the interim meeting in (probably) Jan. discuss on list
proposal to NANOG for a AAA operations group? source of reqs & practices?
lots of ietf interactions for this group --
authn security context area
accounting/auditing/session id stuff
SLS -- service level specification -- how's that play in the aaaarch space?
?: CdNP folks are looking at accounting stuff
rlbob: there's work in the "web services" space that's related to the
|CdL - dec 11th 2000||Visitors of this page:|