Policy 2007, 13-15 June 2007, Bologna, Italy
XACML-Based Composition Policies for Ambient Networks
Carlos Kamienski (cak@ufabc.edu.br), Joseane Fidalgo (joseane@gprt.ufpe.br), Ramide Dantas (ramide@gprt.ufpe.br), Djamel Sadok (jamel@cgprt.ufpe.br), Börje Ohlman (Borje.Ohlman@ericsson.com)
Introduction
- Ambient Networks (AN) bring new challenges to the management discipline
- The key concept is network composition, which allows instant and dynamic access to services and resources
- Policies are an adequate solution for providing flexibility, distributed control and self-management
- Traditional management approaches were not designed to deal with Internet services for mobile users
Previous Experience
- Design and implementation of a P2P-based version of PBMAN (PBMAN = Policy-based Management Framework for Ambient Networks)
- Policies used for access control
- No policies for composition, which is the most important feature of AN
- Proof-of-concept prototype implemented
- Important feedback for a new version of PBMAN
[Figure: two Ambient Networks, AN1 and AN2, connected through ANI interfaces; each contains Users and PEPs served by ACS nodes and a PDN]
Paper Proposal
- To provide a PBM solution for Ambient Networks (AN), focusing on AN composition
- Extension to the AN Architecture
- Expected contributions:
  - An architecture for PBM for AN, built upon the previous P2P-based architecture, in which policies are first-class citizens
  - A new composition framework for AN
  - Modeling of a simple scenario
  - Policies for AN composition, written in (extended) XACML
PBMAN Architecture
[Figure: three layers. The Agent Layer holds an Application Area (Voice, Video, File Sharing) and a Support Area (Security, QoS, Mobility); below it sit the Policy Layer and the Storage Layer]
Networks and Nodes
- Policy Decision Network (PDN), the Policy Layer: nodes (e.g. servers) interconnected by design; P-Nodes perform management and policy decision tasks
- Storage Network (STN), the Storage Layer: S-Nodes are repository-specific nodes
- Agent Network (AGN), the Agent Layer: A-Nodes are hosts, devices, ... (the PEPs)
- Nodes are not necessarily physical entities
Composition Framework
- Different network entities have different composition requirements
- PBMAN identifies different composition classes to obtain an efficient design and implementation
- Composition dimensions:
  - Role: Agent, Policy and Storage Compositions
  - Scope: Network, Node and Startup Compositions
  - Examples: Policy Network Composition, Agent Node Composition
- All of them are controlled by policies
Structured PDN
[Figure: a structured PDN made of P-Nodes, with S-Nodes and A-Nodes (Agents) attached to it]
Policy and Storage Composition
[Figure: the P-Nodes of the PDN paired with the S-Nodes of the STN]
Policy Network Composition - Before
[Figure: two single PDNs before composition: PDN A with policies P A1 to P A4, and PDN B with policies P B1 to P B4]
Policy Network Composition - After
[Figure: the composed network PDN AB with composed policies P AB1 to P AB4, alongside the original PDN A (P A1 to P A4) and PDN B (P B1 to P B4)]
When networks get composed, the policies of both networks are composed too
Agent Node Composition
[Figure: a User A-Node performs Node Composition with an Agent Network; an Authentication step involves the PDN and policy P A1]
Scenario Modeling and Policies
[Figure: a Core Network connecting a User, a Home ISP, a Video ISP and an Access Network (WiFi Hot Spot)]
Scenario: Characteristics
- The scenario comprises two distinct phases: bootstrapping all networks, and using services (network access and video)
- Compositions for bootstrap: Node and Startup compositions (policy, storage and agent)
- Compositions for service usage: Network and Node compositions (policy and storage)
- Both phases involve the three layers of the architecture
Transaction for Bootstrapping (Wi-Fi access service)
[Figure: transaction diagram for the bootstrapping phase]
Policies for Bootstrapping (XACML policies, simplified syntax)
Policy P1; Priority: 1; Type: node-composition; Effect: Permit
  Target: resource=access-agent-network; subject=any-node; action=compose
  Condition: CA.agentNetUp(access-agent-network)
  Processing: CA.addAttribute(access-agent-network.ca-dynamic-nodes, $request.node)
  Obligation: n/a
Policies for Bootstrapping
Policy P2; Priority: 1; Type: node-composition; Effect: Permit
  Target: resource=access-agent-network; subject=any-node; action=compose
  Condition: !CA.agentNetUp(access-agent-network)
  Processing: Composition.request(resource=access-agent-network; subject=$request.node; action=compose; role=agent; scope=startup)
  Obligation: n/a
Policies for Service Usage
Policy P4; Priority: 0; Type: access-control; Effect: Permit
  Target: resource=any-service; subject=any-subject; action=start
  Condition: $request.an <> $CA.id && !CA.policyNetUp($request.an, $CA.id)
  Processing: Composition.request(resource=$request.an; subject=$CA.id; action=compose; role=policy; scope=network)
  Processing: Service.request(resource=$request.service; subject=$request.subject; action=$request.action)
  Obligation: n/a
Policies for Service Usage
Policy P6; Priority: 2; Type: node-composition; Effect: Permit
  Target: resource=video-agent-network; subject=any-node; action=compose
  Condition: CA.agentNetUp(video-agent-network) && CA.isUser($request.node) && video-agent-network.current-users < video-agent-network.max-user
  Processing: CA.addAttribute(video-agent-network.ca-dynamic-users, $request.node)
  Processing: CA.addAttribute(video-agent-network.ca-current-users, 1)
  Obligation: n/a
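An added example, not PBMAN's code, that makes the simplified policies P1, P2 and P6 from the bootstrapping and service-usage slides executable as a first-applicable policy set: the CA state object, the constant MAX_USERS, the request dictionaries and the reading of ca-current-users as the counter behind P6's current-users < max-user condition are all assumptions made here.

```python
# Added example (not PBMAN code): toy first-applicable evaluator for the simplified
# syntax of P1, P2 and P6. CA state, MAX_USERS and requests are constructed here;
# 'ca-current-users' is assumed to be the counter P6's 'current-users < max-user' reads.
from dataclasses import dataclass, field
from typing import Callable

MAX_USERS = 2  # constructed value for video-agent-network.max-user

@dataclass
class CA:  # stand-in for the Composition Agent state the policies query and modify
    agent_nets_up: set = field(default_factory=set)   # agent networks already bootstrapped
    users: set = field(default_factory=set)           # nodes CA.isUser() accepts
    attrs: dict = field(default_factory=dict)         # CA.addAttribute() targets
    requests: list = field(default_factory=list)      # Composition.request calls issued
    def agentNetUp(self, net): return net in self.agent_nets_up
    def isUser(self, node): return node in self.users
    def addAttribute(self, name, value):  # int -> counter increment, else -> set member
        if isinstance(value, int):
            self.attrs[name] = self.attrs.get(name, 0) + value
        else:
            self.attrs.setdefault(name, set()).add(value)

@dataclass
class Policy:
    name: str; priority: int; effect: str; target: dict; condition: Callable; processing: Callable

def evaluate(policies, ca, req):  # lowest Priority first; first Target+Condition hit wins
    for p in sorted(policies, key=lambda p: p.priority):
        target_ok = all(v == "any-node" or v == req.get(k) for k, v in p.target.items())
        if target_ok and p.condition(ca, req):
            p.processing(ca, req)
            return p.name, p.effect
    return None, "NotApplicable"

ACCESS = {"resource": "access-agent-network", "subject": "any-node", "action": "compose"}
VIDEO = {"resource": "video-agent-network", "subject": "any-node", "action": "compose"}
P1 = Policy("P1", 1, "Permit", ACCESS, lambda ca, r: ca.agentNetUp("access-agent-network"),
            lambda ca, r: ca.addAttribute("access-agent-network.ca-dynamic-nodes", r["node"]))
P2 = Policy("P2", 1, "Permit", ACCESS, lambda ca, r: not ca.agentNetUp("access-agent-network"),
            lambda ca, r: ca.requests.append(("access-agent-network", r["node"], "agent", "startup")))
P6 = Policy("P6", 2, "Permit", VIDEO,
            lambda ca, r: ca.agentNetUp("video-agent-network") and ca.isUser(r["node"])
            and ca.attrs.get("video-agent-network.ca-current-users", 0) < MAX_USERS,
            lambda ca, r: (ca.addAttribute("video-agent-network.ca-dynamic-users", r["node"]),
                           ca.addAttribute("video-agent-network.ca-current-users", 1)))

def compose(ca, policies, resource, node):  # one 'compose' request issued by a node
    return evaluate(policies, ca, {"resource": resource, "action": "compose", "node": node})
```

Issue the access-agent-network compose request before and after the agent network is marked up to see P2 and then P1 fire; P6 stops permitting once the current-user counter reaches MAX_USERS.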
Current Status and Future Work
Current Status
- Most specifications are done
- Prototype development is being finished (P2P storage)
- Evaluation will begin soon
- Transactions and policies have been rewritten
Future Work
- Support for conflict resolution
- User-friendly PMT (under development)
- Add support for mobility and wireless users
Conclusions
- PBMAN2: a PBM framework for Ambient Networks
- Current concepts evolve from an early version; PBMAN now uses XACML
- A simple scenario was modeled and its policies written
Lessons learned (so far)
- Putting policies to work needs more effort than just writing policies: a framework with the right "slots" for policies is needed
- The problem is in the details: the implementation needed to be down-to-earth
- Writing policies is not easy: a good Policy Management Tool is needed
Thank You!
This work was supported by the Research and Development Centre, Ericsson Telecomunicações S.A., Brazil