Generic Authorization, Authentication and Accounting
Introduction
The concepts of Generic AAA are described in RFC 2903 (Generic AAA Architecture)
and RFC 2904 (AAA Authorization Framework). Headed by Leon Gommans, several
members of the Advanced Internet Research Group at the University of Amsterdam
are researching the Generic AAA principles in both a formal and an empirical way.
The outcome of this research is aimed at developing a Web Services
Architecture-based open source toolkit using J2EE that will enable application
developers to incorporate Generic AAA functions as part of the workflow
management within a Grid environment.
The research uses the problem of on-demand provisioning of network connections
across multiple domains as a proof of concept, and provides input to standards
bodies such as the IETF, IRTF and GGF.
Principles of Generic AAA
Authorizations may be represented by requests and associated policy-based
decisions resulting in a reply or action. In our research, authorizations are
handled by Generic AAA system components. An authorization can be considered
a conditional right that has both a logical and a semantic part. When exercised,
this conditional right leads to a reply or action. In our research we clearly
separate the logical and semantic concepts and handle them separately. The goal
of this separation is to allow authorization decisions to be communicated
logically in a distributed fashion without considering the semantic details.
The semantic details are transported to parts within a specific domain that
understand them; only logical decisions are understood between domains.

The basic concepts of Generic AAA are as follows. The inner part of a Generic
AAA system is called a Rule Based Engine (RBE) and consists of a generic part
that is capable of processing the policy rules that drive the system from a
logical perspective. Application Specific Modules (ASMs) form the bridge
between the logical inner world and the semantic outside world. ASMs translate
logical policy decisions into meaningful actions that interface with the outside
world; in the other direction, ASMs translate meaningful states or events into
conditions that are evaluated within a particular policy rule. AAA requests are
messages which, when received by the RBE, cause the corresponding driving policy
rules to be fetched; these rules evaluate the request and so determine the
workflow that leads to a policy decision and the corresponding policy actions.
Policy actions may result in replies or may drive events in the outside world.
Users, ASMs from other Generic AAA systems, or other RBEs may generate AAA
requests. ASM intervention is required when further semantic breakdown of a
request is desired. These mechanisms enable networks of AAA servers to evaluate
a distributed set of policies. Driving policies may be determined independently
and autonomously by individual administrative domains, thus enabling the
creation of flexible multi-domain authorization scenarios.
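To make the RBE/ASM split concrete, the following is an added example written for this page; it is not code from the AIRG toolkit or from RFC 2903. It models a generic RBE that understands only request kinds, rule names and logical permit/deny decisions, while condition and action ASMs hold all semantics (user quotas, link capacity). A home domain consults a peer domain through an ASM that forwards the request and reads back nothing but the peer's logical decision, which is the cross-domain boundary the text describes. Domain names, attribute names, quotas and capacities are constructed for illustration; the engine fails closed when no driving rule or condition ASM matches, which is the behaviour a practitioner would want but which the page itself does not specify.

```python
# Added example: a minimal Generic AAA-style rule based engine with ASMs.
# All domains, rules, users, quotas and capacities are constructed (hypothetical).
from dataclasses import dataclass
from typing import Any, Callable, Dict, List


@dataclass
class AAARequest:
    kind: str                    # logical request type, e.g. "provision_path"
    attributes: Dict[str, Any]   # semantic payload; only ASMs look inside it


@dataclass
class Rule:
    kind: str                    # which request kind this driving rule handles
    conditions: List[str]        # condition ASM names; all must hold for a permit
    on_permit: List[str]         # action ASM names run on permit
    on_deny: List[str]           # action ASM names run on deny


class RBE:
    """Generic part: knows only rules, ASM names and logical decisions."""

    def __init__(self, domain: str) -> None:
        self.domain = domain
        self.rules: Dict[str, Rule] = {}
        self.cond_asms: Dict[str, Callable[[AAARequest], bool]] = {}
        self.action_asms: Dict[str, Callable[[AAARequest], Any]] = {}

    def add_rule(self, rule: Rule) -> None:
        self.rules[rule.kind] = rule

    def evaluate(self, req: AAARequest) -> Dict[str, Any]:
        rule = self.rules.get(req.kind)
        if rule is None:                     # no driving rule: fail closed
            return {"domain": self.domain, "decision": "deny", "reason": "no rule"}
        decision, reason = "permit", "all conditions hold"
        for name in rule.conditions:
            asm = self.cond_asms.get(name)
            if asm is None or not asm(req):  # unknown ASM also fails closed
                decision, reason = "deny", f"condition {name} failed"
                break
        actions = rule.on_permit if decision == "permit" else rule.on_deny
        outcomes = [self.action_asms[a](req) for a in actions]
        return {"domain": self.domain, "decision": decision,
                "reason": reason, "actions": outcomes}


def build_peer_domain() -> RBE:
    """Transit domain: permits a path only if its ingress link has capacity."""
    peer = RBE("peer")
    capacity_mbit = {"link-A": 10000}        # constructed local state, known only here
    peer.cond_asms["peer_has_capacity"] = lambda r: (
        r.attributes.get("bandwidth_mbit", 0)
        <= capacity_mbit.get(r.attributes.get("ingress_link"), 0))
    peer.action_asms["reserve"] = lambda r: (
        f"peer reserved {r.attributes['bandwidth_mbit']} Mbit/s on {r.attributes['ingress_link']}")
    peer.action_asms["reject"] = lambda r: "peer: insufficient capacity"
    peer.add_rule(Rule("provision_path", ["peer_has_capacity"], ["reserve"], ["reject"]))
    return peer


def build_home_domain(peer: RBE) -> RBE:
    """User's home domain: checks a per-user quota, then asks the peer domain."""
    home = RBE("home")
    quota_mbit = {"alice": 50000, "bob": 500}   # constructed per-user quotas
    home.cond_asms["user_within_quota"] = lambda r: (
        r.attributes.get("bandwidth_mbit", 0)
        <= quota_mbit.get(r.attributes.get("user"), 0))
    # Inter-domain ASM: forwards the request to the peer RBE and uses ONLY its
    # logical decision; the peer's reasons and actions stay inside the peer.
    home.cond_asms["peer_permits"] = lambda r: peer.evaluate(r)["decision"] == "permit"
    home.action_asms["reply_ok"] = lambda r: f"home: path for {r.attributes['user']} provisioned"
    home.action_asms["reply_no"] = lambda r: "home: request denied"
    home.add_rule(Rule("provision_path",
                       ["user_within_quota", "peer_permits"], ["reply_ok"], ["reply_no"]))
    return home


def decide(user: str, bandwidth_mbit: int, kind: str = "provision_path") -> Dict[str, Any]:
    """Run one constructed request through the two-domain setup."""
    home = build_home_domain(build_peer_domain())
    req = AAARequest(kind, {"user": user, "bandwidth_mbit": bandwidth_mbit,
                            "ingress_link": "link-A"})
    return home.evaluate(req)


if __name__ == "__main__":
    print(decide("alice", 1000))              # permit: quota ok, peer has capacity
    print(decide("bob", 1000))                # deny: over bob's quota, peer never asked
    print(decide("alice", 20000))             # deny: home permits, peer lacks capacity
    print(decide("alice", 1000, "teardown"))  # deny: no driving rule for this kind
```

Conditions are evaluated in rule order, so a request that fails the local quota never reaches the peer domain; only a request the home domain would itself permit is forwarded, and the peer's capacity table is never visible to the home RBE.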
Toolkit
One of the results of our research is the Generic AAA toolkit. We have shown
demonstrations of this software at:
In addition, we have created a persistent Magic Eightball demonstration, which
includes software available for download.
Standards body liaison
Our group is active in the following standards body working groups
or research groups:
Publications
- Leon Gommans, Cees de Laat, Bas van Oudenaarde, Arie Taal,
  "Authorization of a QoS Path based on Generic AAA",
  Future Generation Computer Systems, volume 19, issue 6 (2003),
  special iGrid issue. Related technical report.