XACML-Based Composition Policies for Ambient Networks (PowerPoint presentation)



SLIDE 1

XACML-Based Composition Policies for Ambient Networks

Policy 2007 13-15 June 2007 - Bologna, Italy

Carlos Kamienski (cak@ufabc.edu.br)
Joseane Fidalgo (joseane@gprt.ufpe.br)
Ramide Dantas (ramide@gprt.ufpe.br)
Djamel Sadok (jamel@cgprt.ufpe.br)
Börje Ohlman (Borje.Ohlman@ericsson.com)

SLIDE 2

Introduction

Ambient Networks (AN): new challenges to the management discipline

The key concept is network composition, which allows instant and dynamic access to services and resources

Policies: an adequate solution for providing

Flexibility
Distributed control
Self-management

Traditional management approaches not designed to deal with Internet services for mobile users

SLIDE 3

Previous Experience

Design and implementation of a P2P-based version of PBMAN

PBMAN = Policy-based Management Framework for Ambient Networks

Policies used for access control

No policies for composition, which is the most important feature of AN

Proof-of-concept prototype implemented

Important feedback for a new version of PBMAN

Figure: the previous P2P-based PBMAN prototype, with two Ambient Networks (AN1 and AN2), each holding users, PEPs, ACS nodes, PDN ACS nodes and ANIs.

SLIDE 4

Paper Proposal

To provide a PBM solution for Ambient Networks (AN), focusing on AN composition

Extension to the AN Architecture

Expected contributions

An architecture for PBM for AN, built upon the previous architecture, based on P2P

Policies are first class citizens

New composition framework for AN
Modeling of a simple scenario
Policies for AN composition are proposed
Policies are written in XACML (extended)

SLIDE 5

PBMAN Architecture

Figure: PBMAN architecture. Layers: Policy Layer, Storage Layer, Agent Layer. Support Area: Security, Mobility, QoS. Application Area: File Sharing, Video, Voice.

SLIDE 6

Networks and Nodes

Policy Decision Network (PDN)
Policy Layer. Nodes (e.g. servers) interconnected by design. P-Nodes: management and policy decision tasks

Storage Network (STN)
Storage Layer. S-Nodes: repository-specific nodes

Agent Network (AGN)
Agent Layer. A-Nodes: hosts, devices, … (PEPs)

Nodes are not necessarily physical entities

SLIDE 7

Composition Framework

Different network entities have different composition requirements
PBMAN identifies different composition classes to obtain an efficient design and implementation

Composition dimensions
Role: Agent, Policy and Storage Compositions
Scope: Network, Node and Startup Compositions

Examples:

Policy Network Composition, Agent Node Composition

All of them controlled by policies

SLIDE 8

Structured PDN

Figure: a structured PDN, with PDN ACS nodes and P-Node/S-Node pairs serving A-Nodes (agents).

SLIDE 9

Policy and Storage Composition

Figure: P-Node/S-Node pairs of the PDN and the STN being composed.

SLIDE 10

Policy Network Composition - Before

Figure: two single (not yet composed) networks, PDN A with policies PA1, PA2, PA3, PA4 and PDN B with policies PB1, PB2, PB3, PB4, each with its own PDN ACS.

SLIDE 11

Policy Network Composition - After

Figure: the composed network PDN AB, with composed policies PAB1, PAB2, PAB3, PAB4, shown alongside the original single PDN A (PA1 to PA4) and PDN B (PB1 to PB4).

When networks get composed, policies of both networks are composed too

SLIDE 12

Agent Node Composition

Figure: agent node composition of user node A1 in two steps. First, PDN Node Authentication: A1 is authenticated by the PDN (PDN ACS, P-Nodes). Second, PDN A-Node Composition: A1 is composed into the Agent Network (A-Nodes).

SLIDE 13

Scenario Modeling and Policies

Figure: scenario with a Core Network, a User, a Home ISP, a Video ISP and an Access Network (WiFi Hot Spot).

SLIDE 14

Scenario: Characteristics

Scenario comprised of two distinct phases
Bootstrapping all networks
Using services (network access and video)

Compositions for bootstrap
Node and Startup compositions (policy, storage and agent)

Composition for service usage
Network and Node compositions (policy and storage)

Both involve the three layers of the architecture

SLIDE 15

Transaction for Bootstrapping (Wi-Fi access service)

SLIDE 16

Policies for Bootstrapping

(XACML policies, simplified syntax. The Processing element is the paper's extension: standard XACML has no such element, its nearest counterpart being an Obligation returned together with the decision.)

Policy P1
  Priority: 1
  Type: node-composition
  Effect: Permit
  Target: resource=access-agent-network; subject=any-node; action=compose
  Condition: CA.agentNetUp(access-agent-network)
  Processing: CA.addAttribute(access-agent-network.ca-dynamic-nodes, $request.node)
  Obligation: n/a

SLIDE 17

Policies for Bootstrapping

Policy P2
  Priority: 1
  Type: node-composition
  Effect: Permit
  Target: resource=access-agent-network; subject=any-node; action=compose
  Condition: !CA.agentNetUp(access-agent-network)
  Processing: Composition.request(resource=access-agent-network; subject=$request.node; action=compose; role=agent; scope=startup)
  Obligation: n/a

SLIDE 18

Policies for Service Usage

Policy P4
  Priority: 0
  Type: access-control
  Effect: Permit
  Target: resource=any-service; subject=any-subject; action=start
  Condition: $request.an <> $CA.id && !CA.policyNetUp($request.an, $CA.id)
  Processing: Composition.request(resource=$request.an; subject=$CA.id; action=compose; role=policy; scope=network)
  Processing: Service.request(resource=$request.service; subject=$request.subject; action=$request.action)
  Obligation: n/a

SLIDE 19

Policies for Service Usage

Policy P6
  Priority: 2
  Type: node-composition
  Effect: Permit
  Target: resource=video-agent-network; subject=any-node; action=compose
  Condition: CA.agentNetUp(video-agent-network) && CA.isUser($request.node) && video-agent-network.current-users < video-agent-network.max-user
  Processing: CA.addAttribute(video-agent-network.ca-dynamic-users, $request.node)
  Processing: CA.addAttribute(video-agent-network.ca-current-users, 1)
  Obligation: n/a
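The four policies of slides 16 to 19 can be exercised with a small policy decision point. The Python below is an added example written for this page; it is neither PBMAN's code nor the authors' prototype. Everything about the CA (the agentNetUp, policyNetUp, isUser and addAttribute state model), the reading of any-node, any-subject and any-service as wildcards, the reading of addAttribute(...ca-current-users, 1) as a counter increment, the rule that among applicable policies the largest Priority value wins, and the node and network names in the scenarios (node-7, u1 to u3, video-isp, home-isp) are assumptions made here to make the policies executable.

```python
"""Added illustration, not PBMAN's own code: a minimal PDP for the simplified policies P1, P2,
P4 and P6 of slides 16-19.  Assumed: the CA model below, 'any-*' as wildcards, largest Priority wins."""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Tuple

@dataclass
class CA:
    """Assumed stand-in for the agent state that the policy conditions query."""
    id: str
    agent_nets_up: set = field(default_factory=set)
    policy_nets_up: set = field(default_factory=set)       # (an, ca-id) pairs
    users: set = field(default_factory=set)                # authenticated user nodes
    attrs: Dict[str, list] = field(default_factory=dict)   # multi-valued attributes
    counters: Dict[str, int] = field(default_factory=dict)
    requests: List[tuple] = field(default_factory=list)    # Composition./Service.request calls
    def agentNetUp(self, net): return net in self.agent_nets_up
    def policyNetUp(self, an, ca_id): return (an, ca_id) in self.policy_nets_up
    def isUser(self, node): return node in self.users

    def addAttribute(self, name, value):
        # addAttribute(<net>.ca-current-users, 1) is read as a counter increment; any
        # other addAttribute appends to a multi-valued attribute.
        if name.endswith("ca-current-users"):
            self.counters[name] = self.counters.get(name, 0) + value
        else:
            self.attrs.setdefault(name, []).append(value)

@dataclass
class Policy:
    name: str
    priority: int
    ptype: str                        # node-composition | access-control
    effect: str                       # Permit | Deny
    target: Dict[str, str]            # resource / subject / action
    condition: Callable[[CA, dict], bool]
    processing: List[Callable[[CA, dict], None]]

def matches(target: Dict[str, str], req: dict) -> bool:
    return all(v.startswith("any-") or req.get(k) == v for k, v in target.items())

def evaluate(policies: List[Policy], ca: CA, req: dict) -> Tuple[str, str]:
    """Return (decision, policy name); the PEP must treat NotApplicable as Deny."""
    applicable = [p for p in policies if p.ptype == req["type"]
                  and matches(p.target, req) and p.condition(ca, req)]
    if not applicable:
        return ("NotApplicable", "")
    winner = max(applicable, key=lambda p: p.priority)   # assumed: larger value wins
    for step in winner.processing:                       # run the Processing actions
        step(ca, req)
    return (winner.effect, winner.name)

ACCESS, VIDEO = "access-agent-network", "video-agent-network"
POLICIES = [
    Policy("P1", 1, "node-composition", "Permit",
           {"resource": ACCESS, "subject": "any-node", "action": "compose"},
           lambda ca, r: ca.agentNetUp(ACCESS),
           [lambda ca, r: ca.addAttribute(ACCESS + ".ca-dynamic-nodes", r["node"])]),
    Policy("P2", 1, "node-composition", "Permit",
           {"resource": ACCESS, "subject": "any-node", "action": "compose"},
           lambda ca, r: not ca.agentNetUp(ACCESS),
           [lambda ca, r: ca.requests.append(("Composition.request", ACCESS, r["node"],
                                              "compose", "agent", "startup"))]),
    Policy("P4", 0, "access-control", "Permit",
           {"resource": "any-service", "subject": "any-subject", "action": "start"},
           lambda ca, r: r["an"] != ca.id and not ca.policyNetUp(r["an"], ca.id),
           [lambda ca, r: ca.requests.append(("Composition.request", r["an"], ca.id,
                                              "compose", "policy", "network")),
            lambda ca, r: ca.requests.append(("Service.request", r["service"],
                                              r["subject"], r["action"]))]),
    Policy("P6", 2, "node-composition", "Permit",
           {"resource": VIDEO, "subject": "any-node", "action": "compose"},
           lambda ca, r: ca.agentNetUp(VIDEO) and ca.isUser(r["node"]) and
           ca.counters.get(VIDEO + ".ca-current-users", 0) < ca.counters[VIDEO + ".max-user"],
           [lambda ca, r: ca.addAttribute(VIDEO + ".ca-dynamic-users", r["node"]),
            lambda ca, r: ca.addAttribute(VIDEO + ".ca-current-users", 1)]),
]

def compose_request(net, node):
    return {"type": "node-composition", "resource": net, "subject": node,
            "action": "compose", "node": node}

def run_scenarios(max_user=2):
    """Three constructed scenarios; returns each decision with the final CA state."""
    boot = CA(id="access-an")                         # bootstrapping: P2 fires, then P1
    req = compose_request(ACCESS, "node-7")
    boot_before = evaluate(POLICIES, boot, req)
    boot.agent_nets_up.add(ACCESS)
    boot_after = evaluate(POLICIES, boot, req)
    video = CA(id="video-isp", agent_nets_up={VIDEO}, users={"u1", "u2", "u3"})
    video.counters[VIDEO + ".max-user"] = max_user    # service usage: P6 admits max_user nodes
    admissions = [evaluate(POLICIES, video, compose_request(VIDEO, n))
                  for n in ("u1", "u2", "u3", "stranger")]
    home = CA(id="home-isp")                          # service hosted in another AN: P4
    service = evaluate(POLICIES, home, {"type": "access-control", "resource": "video",
                                        "subject": "u1", "action": "start",
                                        "an": "video-isp", "service": "video"})
    return {"boot": (boot_before, boot_after, boot), "video": (admissions, video),
            "service": (service, home)}
```

Calling run_scenarios() shows P1 and P2 being mutually exclusive through their conditions (the network being up or down), P6 admitting users only while current-users stays below max-user and rejecting a node that is not an authenticated user, and P4 issuing a policy network composition request before the service request when the service lives in another AN. Two points a practitioner should carry over to a real deployment: a request that matches no policy comes back NotApplicable and the PEP must treat that as Deny, and the P6 check-then-increment on current-users has to be executed atomically in the storage layer, otherwise concurrent compose requests evaluated by different P-Nodes can admit more than max-user nodes.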

SLIDE 20

Current Status and Future Work

Current Status
Most specifications are done
Prototype development is being finished (P2P storage)
Evaluation will begin soon
Transactions and policies have been rewritten

Future Work
Support for conflict resolution
User-friendly PMT (under development)
Add support for mobility and wireless users

SLIDE 21

Conclusions

PBMAN2: PBM framework for Ambient Networks

Current concepts evolve from an early version

PBMAN now uses XACML
Simple scenario modeled and policies written

Lessons learned (so far)
Putting policies to work needs more effort than just writing policies
A framework is needed with the right "slots" for policies
The problem is in the details
Implementation needed to be down-to-earth
Writing policies is not easy
A good Policy Management Tool is needed

SLIDE 22

XACML-Based Composition Policies for Ambient Networks

Policy 2007 13-15 June 2007 - Bologna, Italy

Thank You!

This work was supported by the Research and Development Centre, Ericsson Telecomunicações S.A., Brazil