Policy Based Networking

Several activities in universities, such as distance learning, distributed computing and virtual laboratories, are comparable to the now emerging Application Server Provider (ASP) activities on the Internet. Such activities require either adapting applications to the intelligent network capabilities, or a piece of equipment that can recognize the traffic of specific applications for authorized users and apply predefined or dynamic policies to that traffic. Examples are Voice over IP and Video on Demand. The ability to apply policies to the network in an automated way is essential for ISPs who want to deliver predictable service to specified traffic; without it, networks can and will only be operated in best-effort mode.

Goal: Investigate capabilities of AAA functions in combination with policy enforcement equipment based on layer 3/4 switches allowing Access Control and QoS Service Provisioning.

Description: This project is aimed at investigating the feasibility of applying AAA functions to layer 3/4 Gigabit-capable Ethernet switches, allowing Policy Based Access Control and QoS provisioning. New generation layer 3/4 switches can take part in a user authentication sequence and may subsequently perform policy enforcement based on policies retrieved from either a local policy repository (LDAP Directory) or via AAA protocol messages. Unlike locally administered policy repositories, AAA mechanisms allow policy-based authorizations from multiple independent organizations.

Initially, the investigation of AAA functions will focus on applications such as:

- Access Control and QoS Provisioning for Internet Application Servers. A layer 3/4 switch could act as an AAA proxy for a set of application servers. If, for example, a certain URL is referenced, the switch should generate an authentication request to the originating user and retrieve the policies relevant to either the user or the application.

- Access Control and QoS Provisioning for xDSL and cable modem technologies. When a user initiates a session (using a Web browser or starting a PPP connection), the switch should authenticate the user and then retrieve and enforce the policies relevant to that user.

- The layer 3/4 switch should support both simple and strong authentication mechanisms. Simple mechanisms are username/password based; strong authentication should include token-based solutions such as smartcards, SecurID, Vasco etc., or certificate-based systems.
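The three cases above share one enforcement loop: classify the flow, check whether the source has an authenticated session, fetch the applicable policy, and apply it. The following is an added example (not code from the project or its switch vendors) that models a layer 3/4 switch as a policy enforcement point in Python. The home-organization AAA answers, the local repository standing in for the LDAP directory, the application table, the user names, addresses and the "password < token/certificate" strength ordering are all constructed assumptions for illustration.

```python
# Added example, not from the original project page: a small model of a
# layer 3/4 switch acting as a policy enforcement point (PEP).  It
# classifies a flow, checks the user's authenticated session, retrieves the
# applicable policy (home-organization AAA response first, then the local
# repository standing in for an LDAP directory) and returns the enforcement
# verdict: permit/deny plus DiffServ marking and rate limit.  All names,
# addresses, ports and policies below are constructed for illustration.
from dataclasses import dataclass
from typing import Optional

# Assumed ordering of authentication strength (simple vs. strong).
STRENGTH = {"password": 1, "token": 2, "certificate": 2}


@dataclass(frozen=True)
class Flow:
    src_ip: str
    dst_ip: str
    dst_port: int
    protocol: str                    # "tcp" or "udp"
    url: Optional[str] = None        # request path, if the switch sees HTTP


@dataclass(frozen=True)
class Policy:
    action: str                      # "permit" or "deny"
    dscp: int = 0                    # DiffServ code point set on permitted packets
    max_kbps: Optional[int] = None   # per-session rate limit, None = no limit
    min_auth: str = "password"       # weakest acceptable authentication method
    source: str = "local"            # repository that supplied the policy


@dataclass(frozen=True)
class Session:
    user: str
    auth_method: str                 # "password", "token" or "certificate"


# Layer 3/4 classification: (protocol, destination port) -> application.
APPLICATIONS = {
    ("udp", 5060): "voip",
    ("tcp", 5060): "voip",
    ("tcp", 554): "video-on-demand",
    ("tcp", 80): "web",
}
URL_APPLICATIONS = {"/vod/": "video-on-demand"}   # URL prefix -> application

# Local policy repository (stands in for the LDAP directory).
# Keys are (user, application); "*" matches anything.
LOCAL_POLICIES = {
    ("*", "voip"): Policy("permit", dscp=46, max_kbps=128),
    ("*", "video-on-demand"): Policy("permit", dscp=34, max_kbps=4000, min_auth="token"),
    ("*", "*"): Policy("permit"),    # default: best effort, no marking
}

# Policies a user's home-organization AAA server would return over the AAA
# protocol.  Constructed; these take precedence over the local repository.
HOME_ORG_POLICIES = {
    ("alice@uni-a.example", "video-on-demand"): Policy("deny", source="uni-a"),
    ("bob@uni-b.example", "voip"): Policy("permit", dscp=46, max_kbps=256, source="uni-b"),
}


def classify(flow: Flow) -> str:
    """Map a flow to an application name ("unknown" if nothing matches)."""
    if flow.url:
        for prefix, app in URL_APPLICATIONS.items():
            if flow.url.startswith(prefix):
                return app
    return APPLICATIONS.get((flow.protocol, flow.dst_port), "unknown")


def lookup_policy(user: str, app: str) -> Policy:
    """Most specific policy wins: home-org AAA answer, then a local
    per-user entry, then a local per-application entry, then the default."""
    for repo, key in ((HOME_ORG_POLICIES, (user, app)),
                      (LOCAL_POLICIES, (user, app)),
                      (LOCAL_POLICIES, ("*", app)),
                      (LOCAL_POLICIES, ("*", "*"))):
        if key in repo:
            return repo[key]
    return Policy("deny", source="none")     # fail closed if no default exists


def enforce(flow: Flow, session: Optional[Session]) -> dict:
    """Return the verdict the switch would apply to this flow."""
    app = classify(flow)
    if session is None:
        # No authenticated session for this source: a Web/URL flow is sent
        # an authentication request; anything else is dropped.
        verdict = "authenticate" if (app == "web" or flow.url) else "deny"
        return {"app": app, "verdict": verdict, "reason": "no session"}
    policy = lookup_policy(session.user, app)
    if policy.action != "permit":
        return {"app": app, "verdict": "deny", "reason": f"policy from {policy.source}"}
    if STRENGTH[session.auth_method] < STRENGTH[policy.min_auth]:
        return {"app": app, "verdict": "deny",
                "reason": f"requires {policy.min_auth} authentication"}
    return {"app": app, "verdict": "permit", "dscp": policy.dscp,
            "max_kbps": policy.max_kbps, "reason": f"policy from {policy.source}"}


if __name__ == "__main__":
    alice = Session("alice@uni-a.example", "password")
    vod = Flow("10.1.1.5", "192.0.2.10", 554, "tcp")
    print(enforce(vod, None))      # no session on a non-HTTP flow: deny
    print(enforce(vod, alice))     # home organization denies video for alice
    print(enforce(Flow("10.1.1.5", "192.0.2.20", 5060, "udp"), alice))  # local VoIP policy
```

The lookup order is the point of the multi-domain design: the user's home organization can override what the local repository says, while the local repository still supplies defaults and application-wide QoS for users whose home AAA server returns nothing. The `min_auth` field shows how a policy can demand strong authentication for a particular application even when the switch also accepts username/password for everything else.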

If successful, more elaborate policy decisions may be implemented involving User Home Organization AAA servers, Bandwidth Brokerage AAA servers and Financial Authorization Services, and AAA services may be embedded in Application Servers.

The project will help to gain a broader understanding of the requirements when working on concepts for generic multi-domain AAA services, and will contribute to discussions within the AAAARCH IRTF Research Group.
 

Results

CdL - Dec 20th 2000