COPS Common Open Policy Service Vemuri Namratha Kandaswamy Balasubramanian Venreddy Nireesha.


COPS

- Introduction
- Architecture
- Models
- Operations
- Applications
- Event flows, message formats
- Issues
- Questions

Introduction

- COPS is a simple query and response protocol, used to exchange information between PDP and PEP.
- PEP: Policy Enforcement Point
  - Routers
- PDP: Policy Decision Point
  - Servers containing policy statements

What are Policies

- The basic regulations negotiated for ensuring QoS to the users.
- Like allocation of resources, priorities and hierarchical authorization, etc.

COPS

- Client and Server model.
- Allocation of resources to desired priorities of services.
- COPS with RSVP
- Uses TCP as transport protocol for message passing.

ARCHITECTURE

[Figure: architecture diagram. Labels: Human network manager; Policy Mgmt Tool; Policy console; Policy editor; Policy repository; PDP; PEP (x3); COPS (x3).]

PURPOSE

- COPS allows the router (PEP) to communicate with PDP about the allocation of requested resources for different kinds of traffic.
- Admission control: Sees if there are enough resources to satisfy the request.
- Policy control: Whether the request should be considered. Considers priority.

Client Types

COPS-PR

"COPS Usage for Policy Provisioning" is the protocol that is used when policy decisions are "pushed" from the PDP to PEPs. In this provisioning model the PDP can send policy decisions to PEPs without having a specific request from a PEP.

COPS_RSVP

"COPS Usage for RSVP" is the protocol that is used when policy decision is "pulled" from PDP. When an RSVP message requiring a policy decision is received by PEP the relevant RSVP objects from the message are put into a COPS Request message, which is sent to PDP. The PDP determines what to do with RSVP message and sends a COPS Decision message back to the PEP,

MODELS

Outsourcing:

- The PEP always explicitly asks the PDP for a given amount of resources
- Flexibility and Efficiency
- Resource allocation requests are properly aggregated
- Aggregate state information is kept in PDP/BB

Provisioning model

- More scalable
- Inflexibility: difficult to handle modification of configuration.
- Not explicitly customized to handle dynamic QoS

COPS The way it works..

- PEP is responsible for initiating a persistent TCP connection to a PDP.
- The PEP uses this TCP connection to send requests.
- Communication between the PEP and remote PDP is mainly a request/decision exchange.
- Sometimes an unsolicited decision

PEP's Responsibilities

- The PEP has to report to the PDP about successful enforcement of the decision.
- The PEP is responsible for notifying the PDP when a request state has changed.
- In simple words, it needs to keep things synchronized, i.e. keep the PDP informed.
- And also local policy decision via its Local Policy Decision Point (LPDP)

Messages/Requests/Decisions

- request states
- the type of request
- previously installed requests
- policy decisions
- error reports
- client information.

The Context of Request

The context of each request corresponds to the type of event that triggered it.

COPS identifies three types of events:

(1) the arrival of an incoming message

(2) allocation of local resources

(3) the forwarding of an outgoing message.

Message Format

Each COPS message consists of the COPS header followed by a number of typed objects.

The fields in the header are:

- Version: 4 bits. COPS version number. Current version is 1.
- Flags: 0x1 Solicited Message Flag Bit, 0 otherwise.
- Op Code: 8 bits (Explained in next slide).
- Client-type: 16 bits
- Message Length: 32 bits

Op Code: 8 bits

The COPS operations:

1 = Request (REQ)
2 = Decision (DEC)
3 = Report State (RPT)
4 = Delete Request State (DRQ)
5 = Synchronize State Req (SSQ)
6 = Client-Open (OPN)
7 = Client-Accept (CAT)
8 = Client-Close (CC)
9 = Keep-Alive (KA)
10 = Synchronize Complete (SSC)
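An added example, not part of the original slides: a strict parser for the 8-byte header described above that also splits a TCP byte stream into whole COPS messages, rejecting bad versions, unknown op codes and implausible lengths before any buffer is sized from them. Assumptions: the 4-bit Flags width, the rule that Message Length counts the header and is 4-octet aligned (both from RFC 2748), the local MAX_MESSAGE_LEN cap, and all function names.

```python
import struct

# Op codes as listed on the slide above.
OP_CODES = {1: "REQ", 2: "DEC", 3: "RPT", 4: "DRQ", 5: "SSQ",
            6: "OPN", 7: "CAT", 8: "CC", 9: "KA", 10: "SSC"}
HEADER_LEN = 8           # 4+4 bits, 8 bits, 16 bits, 32 bits
MAX_MESSAGE_LEN = 65536  # assumed local cap, not a protocol constant

class CopsFormatError(ValueError):
    """Raised when a header violates the layout described above."""

def parse_header(buf):
    """Decode and validate the COPS common header at the start of buf."""
    if len(buf) < HEADER_LEN:
        raise CopsFormatError("short header")
    ver_flags, op, client_type, length = struct.unpack("!BBHI", buf[:HEADER_LEN])
    version, flags = ver_flags >> 4, ver_flags & 0x0F
    if version != 1:
        raise CopsFormatError(f"unsupported version {version}")
    if flags & ~0x1:
        raise CopsFormatError("reserved flag bits set")
    if op not in OP_CODES:
        raise CopsFormatError(f"unknown op code {op}")
    # Length includes the header itself and must be 4-octet aligned.
    if length < HEADER_LEN or length % 4 or length > MAX_MESSAGE_LEN:
        raise CopsFormatError(f"bad message length {length}")
    return {"op": OP_CODES[op], "solicited": bool(flags & 0x1),
            "client_type": client_type, "length": length}

def split_stream(data):
    """Return (messages, leftover) for bytes read from the TCP connection.

    leftover is an incomplete tail to keep until more bytes arrive.
    """
    messages, offset = [], 0
    while len(data) - offset >= HEADER_LEN:
        hdr = parse_header(data[offset:])
        if len(data) - offset < hdr["length"]:
            break  # body not fully received yet
        body = data[offset + HEADER_LEN:offset + hdr["length"]]
        messages.append((hdr, body))
        offset += hdr["length"]
    return messages, data[offset:]

# Constructed sample: a Keep-Alive, a Request with 8 object bytes
# (client-type value 1 is arbitrary), then 3 bytes of a partial message.
KA = struct.pack("!BBHI", 0x10, 9, 0, 8)
REQ = struct.pack("!BBHI", 0x10, 1, 1, 16) + b"\x00" * 8
SAMPLE = KA + REQ + b"\x10\x02\x00"
```
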

Better Explained with an application

- IP-Telephony VOIP
- We need to assure QoS to the users.
- Now let's look at the message flow.

APPLICATION (IP-TELEPHONY)

MESSAGE FLOW

MESSAGE FLOWS

- Client Open (CO) PEP->PDP
- Client Accept (CA) PEP->PDP
- Client Close (CC) PEP<->PDP
- Request (REQ) PEP->PDP
- Decision (DEC) PDP->PEP
- Report State (RPT) PEP->PDP
- Synchronize State Request (SSQ) PDP->PEP
- Synchronize State Complete (SSC) PEP->PDP
- Keep Alive (KA) PEP<->PDP

EVENT FLOW

CALL FLOW EXPLAINED

- PDPAgent: The functional unit which supports PDP threads.
- PDPThread: Currently executed PDP program, on the state of execution
- COSPIntf: COPS and OSP interface
- OSP: Open Settlement Protocol

STATE DIAGRAM

Issues and Extensions

Issues related to COPS

- Scalability issues in heterogeneous networks
- PDP only controls a limited number of PEP devices within a domain
- Inter-vendor COPS compatibility is less.
- Not directly transferable among PDPs
- No load sharing and balancing mechanisms at PDP

Good Thing??! About COPS

- According to RFC 2748 and net archives.
- So far no vulnerability has been listed.
- There have been claims for Denial of Service attacks, but no authenticated reports.

Extension to COPS protocol

- COPS-ODRA is Outsourcing Differentiated Resource Allocation
- COPS-DRA is Differentiated Resource Allocation

COPS-ODRA

- ODRA stands for Outsourcing Diffserv Resource Allocation.
- Dynamic Admission Control and resource Management in a Differentiated Services network.
- COPS ODRA protocol is used on interface between the Edge Router and the admission / policy control server

COPS vs COPS-ODRA:

- COPS: allocation made by the PEP based on local resources; the PDP is in charge to authorize or deny. Specific for RSVP.
- COPS-ODRA: resource allocation refers to domain-wide resources. PDP is in control of these resources. This allows Dynamic Allocation.

COPS-DRA

- COPS DRA (Diffserv Resource Allocation)
- Dynamic Admission, just like ODRA, but has additional flexibility. (Explained later)
- COPS DRA protocol is also used on interface between the Edge Router and the admission / policy control server.

COPS-DRA Architecture

Important Use of COPS-DRA

- COPS has two different models
  1. Outsourcing
  2. Provisioning
- COPS-DRA can exploit both the models easily and can be set to follow either way.
- While ODRA is specifically meant for Outsourcing model.

Questions

1. Where is the policy configuration information stored and maintained?
   (Explanations about Policy server, Policy repository and network administrator).
2. What is the protocol used in conjunction with which COPS outsources the policy decisions from a router to the server?
   (Explanation about COPS and RSVP)
3. What is meant by 'State-sharing' in COPS?
   As long as PDP and PEP are connected, TCP messages are being sent, no other process can make changes to PEP configuration.


QUESTIONS?

THANK YOU