Policy-Based Networking
Introduction, Concepts, Protocols, Products

Presented by Andreas Polyrakis
apolyr@softlab.ntua.gr
04.04.2003
Greek Research Network (GRNET), National Technical University of Athens (NTUA)

Page 2:

What is Policy-Based Networking?

“A modern network management approach that attempts to control the network through abstract high-level policies.”

Page 3:

Roadmap

Part I: Policy-Based Networks
  The need for PBN
  Policy-Based Networks
  • Architecture, advantages, entities
Part II: COPS
  The COPS base protocol
  COPS-RSVP
  COPS-PR
  • PIB, example
Part III: Current Status
Part IV: QoS and PBN

Page 4:

PART I: Introduction to Policy-Based Networking

Page 5:

Properties of Modern Networks

Exponential growth (size/volume)
Big variety of managed devices (not only routers/switches anymore) and resources
Large number of different network services
Converging networks (data, voice, video, web)
New services (VPN, VoIP)
Increased complexity (MPLS, DiffServ, RSVP)

The level of abstraction and automation in network management must be raised; scalable NM solutions are necessary.

Page 6:

Traditional NM techniques: CLI

Command Line Interface NM:
Goals were set by the network manager
Each device was programmed to implement these goals
The devices had to be programmed independently, although they served similar goals
When the goals/topology changed, the administrator had to update all nodes independently

Consequences:
SIGNIFICANT scalability problems
Consistency issues
Difficult to implement complex policies
Lack of automation
Need for highly specialized personnel
Hard to monitor the network

Page 7:

Traditional NM techniques: SNMP

Simple Network Management Protocol (SNMP):
Managed objects on the devices are handled in a unified way
Raised the level of abstraction
Allowed some automation

But...
SNMP was designed for monitoring, not for configuring devices
Scalability and efficiency issues
Still device/vendor dependent
Configuration still depends on the device's role, capabilities/limitations, manufacturer and overall network topology

Page 8:

Policy-Based Networking (PBN)

A modern network management approach based on policies (e.g., "give administrators high priority")
Policies are abstract and goal oriented ("what" instead of "how")
PBN attempts to:
  Raise the abstraction level
  Automate NM
  Centralize and simplify network configuration
  Simplify supervision
  Increase management flexibility

Page 9:

PBN Architecture

[Figure: PBN architecture diagram. Labels: Policy Console (Manager, Business/Control Policies), Directory Service, Other Services & Events, PDP (Decision Making), Network State/Events, Devices with PEPs (Decision Enforcement).]

Key entities: Policy Decision Point (PDP), Policy Enforcement Point (PEP)

Operation concept:
The administrator edits abstract policies with an editing tool
Policies are sent to the PDPs; they describe network behavior with a high level of abstraction (what, not how)
The policies are processed by the PDPs: late binding with network details
Policies are distributed to the PEPs as configuration data/commands (after being transformed to the appropriate form)

Page 10:

Advantages of PBN

Centralized management
Scalability
High abstraction: easy to determine and control behavior
Automation
Consistency
Dynamic binding of policies: new types of policies, flexibility (e.g., "give engineers higher priority")

[Figure: same PBN architecture diagram as on page 9.]

Page 11:

Policy Decision Point (PDP)

Role of the PDP:
Receives the high-level policies
Monitors the network events
Records the capabilities/limitations of the PEPs
Produces and updates the configuration data of the PEPs according to the network policies and network state

The PDP DOES NOT simply distribute policies:
Binds the policies with the network state
Produces the APPROPRIATE configuration data according to the type of each specific PEP, its role, its capabilities and its limitations

The intelligence of the model is mainly concentrated at the PDP level

[Figure: same PBN architecture diagram as on page 9.]

Page 12:

Policy Enforcement Point (PEP)

Role of the PEP:
Receives configuration data from the PDP
Always enforces the PDP's directions

The PEP may contain more than one client
Different client-types serve non-overlapping management areas (Security, QoS, Accounting, ...)

[Figure: same PBN architecture diagram as on page 9.]

Page 13:

Policy Console

Policies: what instead of how. E.g.: the engineers (10.1.1.x) must have high priority (DSCP=6)
HOW approach: remark 10.1.1.x traffic with DSCP=6
WHAT approach: give high priority to Engineers

The policy is still valid even if:
  the topology changes (nodes are added/removed/replaced)
  the "engineers" subnet is changed/expanded
  network services change (e.g., DiffServ is replaced with RSVP)
Also, "engineers" do not need to be associated with a specific subnet!

Page 14:

Directory Server

Secondary role in PBN
Directories:
  Store policy-related information
  • Users and application profiles
  • Groups
  • Role of the network devices
  • Etc.
  Store policies and distribute them to the PDPs
  • Standard or non-standard representation of policies

[Figure: same PBN architecture diagram as on page 9.]

Page 15:

Operation Modes

Initialization:
1. The PEP connects to the PDP, reports its capabilities/limitations and requests configuration data
2. The PDP generates the initial policies according to the global policies and the current network state
3. The PDP sends the initial policies in the form of configuration data
4. The PEP stores these data and determines the behavior of the device according to them

[Figure: sequence diagram between Device/PEP and Policy Server/PDP: BOOT and REQ (1), PROCESS against policies and current state (2), DEC (3), INSTALL (4).]

Page 16:

Operation Modes (cont'd)

Outsourcing (PULL):
1. A new event is detected that cannot be treated with the existing configuration data
2. The PEP requests directions to treat the event
3. The PDP processes the request according to the current policies/network state
4. The PDP downloads the appropriate configuration data
5. The PEP serves this event and all similar events according to this data

Provisioning (PUSH):
A. The PDP detects changes
B. The PDP sends commands that add, update or delete configuration data
C. The PEP updates its behavior and treats future events according to them

[Figure: two sequence diagrams between Device/PEP and PDP. Outsourcing: New Event (1), REQ (2), PROCESS against policies and current state (3), DEC (4), INSTALL (5). Provisioning: CHANGE (A), DEC (B), INSTALL/UPDATE/DELETE CONFIGURATION DATA (C).]

Page 17:

PART II: COPS, the IETF protocol for PBN

Page 18:

IETF Standardization

Policy Framework WG: architecture, terminology, building blocks; Core and QoS schema
RAP (Resource Allocation Protocol) WG: COPS, COPS-RSVP, COPS-PR, PIB (Policy Information Base) definition, ...
Other WGs

Page 19:

The COPS Protocol (RFC 2748)

COPS: Common Open Policy Service
Developed by the IETF RAP WG
Standardizes the communication between PDPs and PEPs
Design principles:
  Stateful client-server protocol, uses TCP
  Reliable, efficient, fault-tolerant and secure (in RFC 2748 "secure" means the Message Integrity object, a keyed digest with key ID and sequence number, or IPsec underneath; there is nothing else standing between a PEP and whoever talks to it as a PDP)
  PDP @ policy server, PEP @ managed entity
  The PEP always obeys the PDP
  Both outsourcing (pull) and provisioning (push) models
  A communication protocol: does NOT define the semantics of the exchanged policy data

Page 20:

The COPS Protocol (cont'd)

The COPS BASE protocol:
  Provides a way to communicate policy-related information between the PDP and the PEP
  Determines the behavior of the entities as far as the communication is concerned
  Does not define the semantics of the exchanged data
  Does not describe HOW this data is produced by the PDP or HOW this data will be interpreted by the PEP

COPS client-types:
  Control different management areas (DiffServ, RSVP, accounting, security, etc.)
  Each PEP implements one or more clients of various client-types
  Client-types are defined in extra documents (standard or vendor-specific)
  COPS-RSVP and COPS-PR are such clients

Page 21:

COPS Basic Messages

OPN: Client-Open
CAT: Client-Accept
CC: Client-Close
KA: Keep-Alive

[Figure: message sequence. The PEP opens a session with PDP1 (OPN, CAT); the session is closed (CC, CC); the PEP then opens a session with PDP2 (OPN, CAT), after which KA messages are exchanged periodically (KA, KA, KA).]

Page 22:

COPS Basic Messages (cont'd)

REQ: Request
DEC: Decision
RPT: Report State
SSQ: Synchronize State Request
SSC: Synchronize State Complete

[Figure: message sequence between PEP and PDP: REQ, DEC, RPT, DEC, RPT, RPT, SSQ, SSC.]
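The framing behind pages 19 to 22, as an added example (not code from the deck or from any COPS stack): the RFC 2748 common header and object layout, the OPN / CAT / KA exchange of page 21 built as wire frames, and a decoder that refuses what a PEP or PDP must not act on. Field layout follows RFC 2748 sections 2.1 and 2.2; the PEPID "pep-1", the keep-alive interval of 120 s, client-type 1 (the COPS-RSVP client-type of RFC 2749) and the 64 KiB frame cap are sample values and assumptions chosen here.

```python
"""COPS (RFC 2748) message framing: encode, decode, validate."""
import struct

COPS_VERSION = 1
# Op codes, RFC 2748 section 2.1
REQ, DEC, RPT, DRQ, SSQ, OPN, CAT, CC, KA, SSC = range(1, 11)
# C-Num values of the objects used below, RFC 2748 section 2.2
CNUM_KA_TIMER = 10
CNUM_PEPID = 11
MAX_MESSAGE = 65535   # assumption for this example: largest frame we accept


def _pad4(b: bytes) -> bytes:
    return b + b"\x00" * (-len(b) % 4)


def encode_object(cnum: int, ctype: int, body: bytes) -> bytes:
    """Object = Length(16, header included, padding excluded) | C-Num(8) | C-Type(8) | body."""
    return _pad4(struct.pack("!HBB", 4 + len(body), cnum, ctype) + body)


def encode_message(op: int, client_type: int, objects=(), solicited=False) -> bytes:
    """Common header = Version(4) Flags(4) | Op Code(8) | Client-type(16) | Message Length(32)."""
    payload = b"".join(objects)
    flags = 0x1 if solicited else 0x0          # 0x1: solicited-message flag
    return struct.pack("!BBHI", (COPS_VERSION << 4) | flags, op, client_type, 8 + len(payload)) + payload


def decode_message(buf: bytes) -> dict:
    """Parse one frame; every length is checked before it is used as an offset."""
    if len(buf) < 8:
        raise ValueError("short header")
    vf, op, client_type, length = struct.unpack("!BBHI", buf[:8])
    if vf >> 4 != COPS_VERSION:
        raise ValueError(f"unsupported COPS version {vf >> 4}")
    if not 1 <= op <= 10:
        raise ValueError(f"unknown op code {op}")
    if length % 4 or length < 8 or length > MAX_MESSAGE or length != len(buf):
        raise ValueError(f"bad message length {length} for {len(buf)} bytes")
    if op == KA and client_type != 0:
        raise ValueError("KA must carry client-type 0")
    objects, pos = [], 8
    while pos < length:
        if pos + 4 > length:
            raise ValueError("truncated object header")
        olen, cnum, ctype = struct.unpack("!HBB", buf[pos:pos + 4])
        if olen < 4 or pos + olen > length:
            raise ValueError(f"object length {olen} overruns message")
        objects.append((cnum, ctype, buf[pos + 4:pos + olen]))
        pos += olen + (-olen % 4)              # next object starts on a 32-bit boundary
    return {"op": op, "client_type": client_type, "solicited": bool(vf & 0x1), "objects": objects}


def rejected(buf: bytes) -> bool:
    """True if decode_message refuses the frame."""
    try:
        decode_message(buf)
    except ValueError:
        return True
    return False


def build_open(client_type: int, pepid: str) -> bytes:
    """OPN: the PEP identifies itself for one client-type (PEPID is NUL-terminated ASCII)."""
    return encode_message(OPN, client_type, [encode_object(CNUM_PEPID, 1, pepid.encode("ascii") + b"\x00")])


def build_accept(client_type: int, ka_seconds: int) -> bytes:
    """CAT: the PDP accepts and dictates the KA interval (KA Timer object: 16 reserved bits, 16-bit seconds)."""
    return encode_message(CAT, client_type, [encode_object(CNUM_KA_TIMER, 1, struct.pack("!HH", 0, ka_seconds))])


def build_keepalive() -> bytes:
    """KA: no objects, client-type 0 (it verifies the connection, not a client session)."""
    return encode_message(KA, 0)


def handshake_transcript(client_type: int = 1, pepid: str = "pep-1", ka_seconds: int = 120):
    """The OPN / CAT / KA exchange of page 21 as frames, decoded again on the receiving side."""
    frames = [("PEP->PDP", build_open(client_type, pepid)),
              ("PDP->PEP", build_accept(client_type, ka_seconds)),
              ("PEP->PDP", build_keepalive()),
              ("PDP->PEP", build_keepalive())]
    return [(direction, decode_message(frame)["op"]) for direction, frame in frames]
```

Two things the checks in decode_message buy you: an object whose stated length runs past the frame, or a frame whose header length disagrees with what arrived on the TCP/3288 socket, is dropped before any offset is computed from it, and nothing on this layer authenticates the peer. Since a PEP installs whatever well-formed DEC it receives on an open session, the session itself has to be protected, with the RFC 2748 Message Integrity object (keyed digest, key ID, sequence number) or IPsec between PEP and PDP; a bare COPS session is only as trustworthy as the path to the policy server.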

Page 23:

COPS vs. SNMP

Page 24:

Discussion

Is PBN going to replace SNMP? Most probably not:
• SNMPv3 addresses some issues
• Legacy devices, existing software, trained personnel
• Good for monitoring

Is PBN the only attempt at management automation? No, other technologies also exist, e.g., Directory-Enabled Networking (directories are good for static configuration data, such as IP, DNS, default PDP, etc.)

Page 25:

COPS Usage for RSVP (RFC 2749)

COPS-RSVP:
Defines a client-type of COPS for RSVP
Provides centralized monitoring and control of RSVP
COPS-RSVP PDPs control COPS-RSVP clients on network devices
The PEP performs (through PDP directions):
  Admission control
  Data classification
  Bandwidth management (queuing)
  Data policing
  RSVP usage reporting

Simplified operation example:
  A router receives PATH/RESV
  Attempts to process and serve locally
  If unable to serve locally, forwards to the PDP
  Performs admission control according to the PDP decision
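The outsourcing (PULL) loop of page 16 applied to the RSVP admission control of this page, as an added example (not code from the deck or from any COPS-RSVP implementation): the PEP keeps the decisions it already holds, outsources a RESV it has no decision for under a fresh client handle, installs the PDP's Install/Remove decision and serves later refreshes of the same flow locally, and deletes the request state when the reservation is torn down. The admission rule (a per-sender bandwidth budget), the addresses and the bandwidths are constructed for this example and are not what RFC 2749 prescribes.

```python
"""Outsourced RSVP admission control: PEP-side cache, PDP-side request state."""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dport: int
    kbps: int            # bandwidth requested in the RESV


@dataclass
class PDP:
    budget_kbps: dict    # toy policy: allowed reserved bandwidth per sender (assumption)
    granted: dict = field(default_factory=dict)   # handle -> Flow, the PDP's copy of request state

    def decide(self, handle: int, flow: Flow) -> str:
        """REQ -> DEC. 'Install' admits the reservation, 'Remove' rejects it (RFC 2749 commands)."""
        used = sum(f.kbps for f in self.granted.values() if f.src == flow.src)
        if used + flow.kbps <= self.budget_kbps.get(flow.src, 0):
            self.granted[handle] = flow
            return "Install"
        return "Remove"

    def delete(self, handle: int) -> None:
        """DRQ: the PEP dropped the request state, so the PDP forgets it too."""
        self.granted.pop(handle, None)


@dataclass
class PEP:
    pdp: PDP
    decisions: dict = field(default_factory=dict)   # Flow -> (handle, decision) for installed flows
    next_handle: int = 1
    requests_sent: int = 0

    def on_resv(self, flow: Flow) -> str:
        """A RESV (or its periodic refresh) arrives: serve locally if possible, else outsource."""
        if flow in self.decisions:
            return self.decisions[flow][1]          # same event, same answer, no round trip
        handle, self.next_handle = self.next_handle, self.next_handle + 1
        self.requests_sent += 1
        decision = self.pdp.decide(handle, flow)     # REQ carries the RSVP message; DEC comes back
        if decision == "Install":
            self.decisions[flow] = (handle, decision)
        else:
            self.pdp.delete(handle)                  # nothing installed: drop the state, re-ask next time
        return decision

    def on_teardown(self, flow: Flow) -> None:
        """RSVP state times out or is torn down: send DRQ for its handle."""
        handle, _ = self.decisions.pop(flow)
        self.pdp.delete(handle)


def demo():
    """Sender 10.1.1.5 may reserve 2 Mbit/s in total (constructed figures)."""
    pep = PEP(PDP(budget_kbps={"10.1.1.5": 2000}))
    f1 = Flow("10.1.1.5", "10.2.2.9", 5004, 1500)
    f2 = Flow("10.1.1.5", "10.2.2.10", 5006, 1000)
    log = [pep.on_resv(f1), pep.on_resv(f1), pep.on_resv(f2)]   # admit, refresh locally, reject
    pep.on_teardown(f1)
    log.append(pep.on_resv(f2))                                  # budget freed: admitted now
    return log, pep.requests_sent
```

The handle is what ties the three messages together: REQ creates request state under it, DEC answers for it, DRQ releases it. A PEP that caches rejections would never re-admit a flow once the budget frees up, which is why the Remove branch deletes the state instead of caching it; and because the PDP keeps its own copy of granted state, an SSQ/SSC resynchronisation after a PDP failover has something to rebuild from.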

Page 26:

The COPS-PR Protocol (RFC 3084)

COPS for Policy PRovisioning:
Extends COPS (Common Open Policy Service)
A client-type of COPS
PRovisioning mode: the PEP always serves events according to pre-downloaded policies; the PDP keeps these policies updated
Simpler than COPS (provisioning mode only)
Not suitable for all management areas (e.g., RSVP)
Initially designed for DiffServ, but seems suitable for several management areas
Does NOT address a specific management area

Page 27:

Policy Information Base

A structure similar to a MIB structure
A tree of PRovisioning Classes (PRCs) and PRovisioning Instances (PRIs)
Policies can be constructed as a set of PRIs
PIBs are pre-defined
Different PIBs for different policy areas (DiffServ, accounting, IP filtering, etc.)

Page 28:

PIB Example

PRID        VALUE
2.2.1.1.2   (128.1.1.2, 6)
2.2.1.1.1   (128.1.1.1, 6)
2.2.1.2.2   (100, 1, 11)
2.2.1.2.1   (100, 2, 10)
2.1.3.1.2   (4, NO)
2.1.3.2.1   (100, 2)

Page 29:

COPS-PR Example 1

Policy: if traffic to IPs 128.1.1.1 or 128.1.1.2 has DSCP=4 then remark it with DSCP=6

Event: PEP connects

PDP -> PEP DEC: Install
  2.1.3.2.1 (100, 2)
  2.1.3.1.2 (6, NO)
  2.2.1.2.1 (100, 2, 10)
  2.2.1.2.2 (100, 1, 11)
  2.2.1.1.1 (128.1.1.1, 4)
  2.2.1.1.2 (128.1.1.2, 4)

PIB (@ PEP) afterwards:
  2.1.3.2.1 (100, 2)
  2.1.3.1.2 (6, NO)
  2.2.1.2.1 (100, 2, 10)
  2.2.1.2.2 (100, 1, 11)
  2.2.1.1.1 (128.1.1.1, 4)
  2.2.1.1.2 (128.1.1.2, 4)

Page 30:

COPS-PR Example 2

Policy: if traffic to engineers has DSCP=4 then remark it with DSCP=6

Event 1: PEP connects; no engineer is logged in
  PDP -> PEP DEC: <NULL>
  PIB (@ PEP): <EMPTY>

Event 2: two engineers log on at 128.1.1.1 and 128.1.1.2
  (bound policy: if traffic to 128.1.1.1 or 128.1.1.2 has DSCP=4 then remark with DSCP=6; similar to the first case)
  PDP -> PEP DEC: Install
    2.1.3.2.1 (100, 2)
    2.1.3.1.2 (6, NO)
    2.2.1.2.1 (100, 2, 10)
    2.2.1.2.2 (100, 1, 11)
    2.2.1.1.1 (128.1.1.1, 4)
    2.2.1.1.2 (128.1.1.2, 4)
  PIB (@ PEP):
    2.1.3.2.1 (100, 2)
    2.1.3.1.2 (6, NO)
    2.2.1.2.1 (100, 2, 10)
    2.2.1.2.2 (100, 1, 11)
    2.2.1.1.1 (128.1.1.1, 4)
    2.2.1.1.2 (128.1.1.2, 4)

Event 3: the engineer at 128.1.1.2 logs out
  (bound policy: if traffic to 128.1.1.1 has DSCP=4 then remark with DSCP=6)
  PDP -> PEP DEC: Remove
    2.2.1.2.2
    2.2.1.1.2
  PIB (@ PEP):
    2.1.3.2.1 (100, 2)
    2.1.3.1.2 (6, NO)
    2.2.1.2.1 (100, 2, 10)
    2.2.1.1.1 (128.1.1.1, 4)

Event 4: an engineer logs on at 128.1.1.3 (similar to the first case)
  PDP -> PEP DEC: Install
    2.2.1.2.2 (100, 1, 11)
    2.2.1.1.2 (128.1.1.3, 4)
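The late binding of page 13 and the provisioning (PUSH) mode of page 16, replayed over the event sequence of pages 29 and 30, as an added example (not code from the deck or from any COPS-PR implementation): the PDP binds the abstract group "engineers" to whatever addresses the directory currently reports, derives the PRIs the PEP should hold, and emits the Install / Remove decision that moves the PEP's PIB from what it has to what it should have. The PRID layout and the meaning of the value tuples are an assumption made for this example (they imitate the shape of the slide's PRIDs, not the standard DiffServ PIB): 2.1.3.1.<n> is a remark action with value (new_dscp, "NO") and 2.2.1.1.<k> a destination filter with value (dest_addr, match_dscp). The two simultaneous logins of event 2 are replayed as two events.

```python
"""Toy PDP for COPS-PR provisioning: late binding plus PIB diffing."""
from dataclasses import dataclass, field

MATCH_DSCP = 4
REMARK_DSCP = 6
# PRIs that do not depend on who is logged in: one remark-action instance (assumed layout)
STATIC_PRIS = {"2.1.3.1.2": (REMARK_DSCP, "NO")}


@dataclass
class PDP:
    engineers: set = field(default_factory=set)    # "engineers" as currently bound from the directory
    slots: dict = field(default_factory=dict)      # addr -> filter instance index, stable while logged in
    installed: dict = field(default_factory=dict)  # the PEP's PIB as last provisioned: PRID -> value

    def _slot(self, addr: str) -> int:
        """Reuse the lowest free instance index, as page 30 does for 128.1.1.3."""
        if addr not in self.slots:
            k = 1
            while k in self.slots.values():
                k += 1
            self.slots[addr] = k
        return self.slots[addr]

    def desired_pib(self) -> dict:
        """Late binding: expand the abstract group into concrete filter PRIs."""
        if not self.engineers:
            return {}                         # nobody to remark for: an empty PIB, as in event 1
        pib = dict(STATIC_PRIS)
        for addr in sorted(self.engineers):
            pib[f"2.2.1.1.{self._slot(addr)}"] = (addr, MATCH_DSCP)
        return pib

    def decide(self):
        """One DEC: Install PRIs that are new or changed, Remove PRIs that are no longer wanted."""
        desired = self.desired_pib()
        install = {p: v for p, v in desired.items() if self.installed.get(p) != v}
        remove = sorted(p for p in self.installed if p not in desired)
        self.installed = desired              # the PEP always obeys; a real PDP would wait for the RPT
        return install, remove

    def login(self, addr: str):
        """The directory reports an engineer at addr. Whoever can forge this event gets the
        group's priority, so the login source must be authenticated (page 45 asks exactly this)."""
        self.engineers.add(addr)
        return self.decide()

    def logout(self, addr: str):
        self.engineers.discard(addr)
        self.slots.pop(addr, None)            # free the index so the next login can reuse it
        return self.decide()


def page30_scenario():
    """Replays the events of page 30 and returns (description, (install, remove)) per event."""
    pdp = PDP()
    return [
        ("PEP connects, no engineer logged in", pdp.decide()),
        ("engineer logs on at 128.1.1.1", pdp.login("128.1.1.1")),
        ("engineer logs on at 128.1.1.2", pdp.login("128.1.1.2")),
        ("engineer at 128.1.1.2 logs out", pdp.logout("128.1.1.2")),
        ("engineer logs on at 128.1.1.3", pdp.login("128.1.1.3")),
    ]
```

In real COPS-PR each entry of the Install or Remove set travels as a PRID with its encoded instance data inside the DEC's named decision objects; what the example shows is the part the protocol leaves to the PDP, namely computing that set from the policy and the current state rather than from a hand-written device configuration. The diff is also what keeps the PEPs consistent: a PEP that reconnects with an empty PIB gets the full desired set, one that is already up to date gets a <NULL> decision.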

Page 31:

PIB Reuse

Page 32:

My MSc Thesis in 60''

Definition of a supplementary COPS-PR client type that increases:
  Efficiency (bandwidth, monitoring, PDP resources)
  Distribution (intelligent PEPs, decentralized decision and monitoring)
  Robustness (PDP less loaded, smaller messages)
  Fault-tolerance (less PDP dependence)

Related publications:
• R. Boutaba and A. Polyrakis, "COPS-PR with Meta-Policy Support", IETF Internet-Draft, April 2001 (www.ietf.org/internet-drafts/draft-boutaba-copsprmp-00.txt).
• R. Boutaba and A. Polyrakis, "Towards Extensible Policy Enforcement Points", IEEE Workshop on Policies for Distributed Systems and Networks, Bristol, U.K., 29-31 January 2001, pp. 247-261.
• R. Boutaba and A. Polyrakis, "Projecting FCAPS to Active Networks", Proc. IEEE Enterprise Applications and Services Conference (EntNet@Supercomm 2001), Atlanta, GA, USA, June 2001.
• R. Boutaba and A. Polyrakis, "Extending COPS-PR with Meta-Policies for scalable management of IP networks", Journal of Network and Systems Management, Special Issue on Management of Converged Networks, Vol. 10, No. 1, March 2002.
• R. Boutaba and A. Polyrakis, "Projecting Advanced Enterprise Network and Service Management to Active Networks", IEEE Network Magazine, Vol. 16, No. 1, January 2002, pp. 28-33.
• A. Polyrakis and R. Boutaba, "The Meta-Policy Information Base", IEEE Network Magazine, Special Issue on Policy-Based Networking, Vol. 16, No. 2, March/April 2002, pp. 40-48.
• A. Polyrakis and R. Boutaba, "The Meta-Policy Information Base", IETF Internet-Draft, April 2002 (www.ietf.org/internet-drafts/draft-polyrakis-mpib-00.txt).

Page 33:

Part III: Current Status

Page 34:

COPS Products

COPS stack implementations
COPS servers
COPS clients

Page 35:

Vovida COPS implementation

Open source COPS stack
COPS-PR support
Basic COPS server, extensible
Can be used in building applications such as:
  Implementing policy-based QoS
  Implementing application-level AAA (Authentication, Authorization and Accounting) functions in IP telephony

Page 36:

Intel COPS Implementation

COPS client SDK: open source COPS stack
  COPS-RSVP client
  COPS-PR client
  • DiffServ PIB
Test PDP (non-extensible)

Page 37:

HP PolicyXpert

PBN platform; controls through COPS or CLI:
  Cisco routers
  Hewlett-Packard ProCurve switches
  Packeteer PacketShapers
  Microsoft Windows NT servers
Uses an HP-defined COPS client-type
No directory integration

Page 38:

Cisco COPS QoS Policy Manager

Cisco COPS-QPM:
COPS server
Controls devices through COPS and SNMP
Supports COPS-RSVP:
  Catalyst 6000, CatOS 5.4(1) and 5.4(2)
  Cisco 7200 and 7500/RSP routers, Cisco IOS 12.1(1)T
  Cisco 2600, 3600, 4500 and 4700 routers
Supports COPS-PR:
  Catalyst 6000 switch, CatOS 5.4(1) and 5.4(2)
  Catalyst 5000 switch, CatOS 5.3, 5.4, 5.5 and 6.1
No directory integration

Page 39:

Cisco COPS-RSVP support

Appears in IOS 12.1(1)T and later
COPS-RSVP PDP: COPS-QPM
COPS-RSVP PEP: on the router

Enabling COPS-RSVP on a Cisco router:

Router(config)# ip rsvp policy cops servers 161.44.130.168 161.44.129.6

(Tells the router to request RSVP policy decisions from the servers listed; also enables a COPS-RSVP client (PEP) on the router.)

Supported protocols:
  RFC 2749, COPS Usage for RSVP
  RFC 2205, Resource ReSerVation Protocol (RSVP)
  RFC 2748, The COPS (Common Open Policy Service) Protocol

Page 40:

Intel Local Policy Module for COPS

COPS-LPM: allows Windows 2000 hosts to accept bandwidth, security and access policies from a policy server:
  The Win2k ACS (Admission Control Service) acts as an SBM (Subnet Bandwidth Manager) in the domain
  The ACS outsources admission control to a policy server through COPS-LPM
  COPS-LPM is used in conjunction with RSVP
Part of the Win2k Resource Kit

Page 41:

Nortel Optivity Policy Services

Designed to manage traffic prioritization and network access security
Targets specific Bay/Passport routers
Targets DiffServ (only): COPS-PR with the DiffServ PIB, CLI, 802.1p
Centralized management for DiffServ policies
LDAP support (ships with iPlanet 5)

Page 42:

Part IV: QoS and PBN

Page 43:

Why PBN is necessary

Need for new types of dynamic policies
Need for automation
Need for high-level management

Page 44:

How?

COPS-RSVP
COPS-PR / DiffServ PIB
Other standard COPS clients
  • COPS-LPM
  • ...
Other non-standard COPS clients
  • see the PolicyXpert approach
Other non-IETF approaches

Page 45:

Difficulties

Too many technologies/protocols/architectures
Insufficient COPS products
LDAP necessary
User authentication in the network. How?
RSVP vs. DiffServ. Mapping. SBM, 802.1p...
Inter-domain policies for user-specific requests. How?

Page 46:

Case study: the GRNET approach

Solve the problem at the LAN, solve it at the WAN, police at the boundary

LAN approach:
  Directory service
  RSVP
  Custom tools for non-RSVP-enabled applications
  Custom tools for user authentication
  Traffic marked before entering the WAN
  Traffic policed before entering the LAN according to its own policies
  NO COPS at this time; can be supported later

WAN approach:
  DiffServ domain
  Egress: Schengen model (check on exit, travel free)
  Ingress: visa model (check on entrance)
  SLAs between LANs and WAN or among LANs

Page 47:

?

Presented by Andreas Polyrakis
apolyr@softlab.ntua.gr