Slide 1: CS236635 Efficient Network Management, Class 14
Danny Raz
Special thanks to Prof. Morris Sloman, Imperial College London, UK
Slide 2: Administrative matters
- Ex2: will be returned today
- Projects: first report DONE
- Project submission date is: 10 March 2006
Slide 3: Objectives
- Advanced network management
- Policy based management
- Event correlation
- WEB based management
So what did we do in this course?
Slide 4: Policy Based Network Management
Main idea: define policies offline, and then in real time use the policies to decide what active measures to take.
Usage:
- fault/performance management
- configuration management
- security management
Slide 5: Policy fault management
[diagram: Policies and monitoring policies drive Discovery, Monitoring and Fault detection; Correction action adds New functionality through Programmable Networks]
Slide 6: Policy configuration management
[diagram: Configuration manager applies Policies after Discovery]
Example policies:
- Always use multicast
- OSPF: use only one area
- No QoS
- ToS1 = minimal delay
Slide 7: Policy security management
[diagram: security manager applies Policies]
Example policies:
- Allow TCP connections from this area only
- Allow workflow to marketing
- Allow access to personal data only to top management
Slide 8: Example Policies
- Who is permitted to access a service, what operations they can perform, and when. E.g. research staff can set up video conferences between UK and USA only between 16:00 and 19:00, Monday to Wednesday.
- What resources a mobile user can access when visiting a remote location.
- What information transformations and UI adaptations should take place when a user is mobile.
- What actions should be performed when a login violation is detected.
- What diagnostic tests should be performed when an error count is exceeded in a network component.
- Allocate 10% of available bandwidth to voice over IP.
Slide 9: Policy Definition
- A rule governing choices in the behaviour of the system
- Derived from enterprise goals and service level agreements
- Need to specify and modify policies without coding them into automated agents
- Policies are persistent, but can be dynamically modified
- Change system behaviour without modifying the implementation; a policy is not new functionality
Slide 10: Policy
Main idea: separating the (dynamically changing) set of rules from the flow of the decision process.
- How to define rules (policies)?
- How to use them?
- Is SNMP good for that? Is it efficient?
Slide 11: IETF Framework
[class diagram]
- Policy Group: contains 0..n policy groups and 0..n policy rules
- Policy Rule: contains 0..n policy conditions (an ORed set of ANDed conditions, or an ANDed set of ORed conditions) and 0..n policy actions
- Policy Condition, Policy Action
- Policy validity period condition: a range of time plus time masks: month of year, day of month (1-31 and 31-1, i.e. counted from the start or from the end of the month), day of week, time of day
Slide 12: IETF Concepts
- LDAP, Lightweight Directory Access Protocol, is an Internet protocol that programs use to look up information from a server
- A policy group is a set of related policy rules
- Each policy rule component (condition, action) is stored as an LDAP object
- Policy component objects can be reused (shared) between multiple rules to avoid re-specifying them, i.e. multiple rules can use the same period condition object
Slide 13: Example IETF Policy Specification (from Strassner, Policy 2001)
If (SourcePort == MyWebServerPort) then Color DSCP=5

Objectclass: qosPolicyRule
  Type: 1
  Direction: out
  Priority: 1
Objectclass: qoscolorpolicyaction
  DSCPValue: 5
Objectclass: qoscolorpolicycondition
  Type: IntegerOID
  Operator: ==
Objectclass: qospolicyvariable
  Name: SourcePort
  Type: IntegerOID
Objectclass: qospolicyconstant
  Name: MyWebServerPort
  Type: IntegerOID
Objectclass: qospolicynumbervalue
  Type: IntegerOID
  PortValue: 80
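As an added illustration (not code from the slides or from Strassner's paper), the following Python sketch models the slide 11 rule structure and evaluates the slide 13 rule: the PolicyRule, ValidityPeriod and mark_packet names are hypothetical, and the 16:00-19:00 Monday-to-Wednesday validity window is borrowed from the slide 8 example.

```python
from dataclasses import dataclass
from datetime import datetime
from typing import Any, Callable, Dict, List
# Added mini-model of the IETF rule structure on the slides: an ORed set of ANDed
# conditions, a list of actions and a validity period (day-of-week, time-of-day).
Context = Dict[str, Any]
Condition = Callable[[Context], bool]

def var_equals(name: str, constant: Any) -> Condition:
    """Condition comparing a policy variable (e.g. SourcePort) with a constant."""
    return lambda ctx: ctx.get(name) == constant
@dataclass
class ValidityPeriod:
    days_of_week: frozenset   # 0 = Monday ... 6 = Sunday
    start_hhmm: int           # time-of-day mask, inclusive start
    end_hhmm: int             # exclusive end

    def holds(self, now: datetime) -> bool:
        hhmm = now.hour * 100 + now.minute
        return now.weekday() in self.days_of_week and self.start_hhmm <= hhmm < self.end_hhmm

@dataclass
class PolicyRule:
    name: str
    dnf_conditions: List[List[Condition]]     # ORed set of ANDed conditions
    actions: List[Callable[[Context], None]]  # each action edits the decision
    validity: ValidityPeriod
    priority: int = 0
    def matches(self, ctx: Context, now: datetime) -> bool:
        if not self.validity.holds(now):
            return False
        return any(all(c(ctx) for c in clause) for clause in self.dnf_conditions)

def decide(rules: List[PolicyRule], ctx: Context, now: datetime) -> Context:
    """PDP-style evaluation: apply the actions of every matching rule, highest priority first."""
    decision: Context = {}
    for rule in sorted(rules, key=lambda r: -r.priority):
        if rule.matches(ctx, now):
            for act in rule.actions:
                act(decision)
    return decision

# Constructed sample: the slide's "SourcePort == MyWebServerPort -> DSCP 5" rule,
# restricted to 16:00-19:00 Monday to Wednesday (a slide 8 style time window).
MY_WEB_SERVER_PORT = 80
WEB_COLOR_RULE = PolicyRule("qosPolicyRule", [[var_equals("SourcePort", MY_WEB_SERVER_PORT)]],
                            [lambda d: d.update(DSCP=5)], ValidityPeriod(frozenset({0, 1, 2}), 1600, 1900), 1)
def mark_packet(source_port: int, when_iso: str) -> Context:
    """Decision for one packet, e.g. mark_packet(80, "2006-03-06T17:30") -> {"DSCP": 5}."""
    return decide([WEB_COLOR_RULE], {"SourcePort": source_port}, datetime.fromisoformat(when_iso))
```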
Slide 14: IETF Policy Architecture
[diagram]
- Policy Management Application: user interface, conflict detection, notification generation; exchanges status & configuration information and notifications with the repository over a Repository Access Protocol (e.g. LDAP)
- Policy Repository (e.g. Directory, DB): management information repository holding the policy rules
- Policy Consumer (PDP): policy decision point, policy translation; talks to targets over a Policy Protocol (e.g. COPS, SNMP, ...)
- Policy Target (PEP): policy execution point, network element interface
Slide 15: Policy Consumer
- Receives policy and translates it into a format applicable to the target
- Knows about target capabilities
- Policy Decision Point (PDP): makes policy decisions based on policy conditions and configures the target to enforce the policy, e.g. an access control list or a priority queue keyed on packet address
- Each target is controlled by one consumer; a consumer may control multiple targets
Slide 16: Policy Target
- Policy Execution Point (PEP)
- A specific functional feature (interface) of a device, e.g. priority queuing or committed access rate for a router
- A router with 2 interfaces and 4 manageable features will have 8 targets
- A sophisticated device (programmable node) may include both PDP and PEPs
Slide 17: PEP-PDP Interaction (RSVP router example)
1) Event, e.g. an RSVP Request, arrives at the PEP (RSVP router)
2) REQ: Request (source address, etc.) sent from the PEP to the PDP (policy server)
3) DEC: Decision (resources) returned to the PEP
4) Reserve resources
5) RSVP Request forwarded
Can also pre-configure devices with policy data (provisioning), so they do not have to query the PDP on every event.
Slide 18: Cisco Secure Policy Manager Components
[diagram]
- Policy Manager functions (browser front end: IE 5.0, NS 4.x): policy administration, policy configuration, policy reporting, policy monitoring, report generation
- Policy Server functions: central policy database, policy generation, policy distribution, event collection; PIX, Cisco IOS and IDS control agents; certificate authority server
- Network infrastructure: policy enforcement points (i.e. network devices): PIX Firewall, Router/VPN Gateway, IDS Sensor, networks
Slide 19: HP OpenView PolicyXpert
- Initially a policy-based network management tool: QoS/bandwidth management, access and security management
- Now evolved into automated provisioning with policy and configuration management features
- Uses CIM + XML to unite application-specific data sources into a configuration management database (CMDB)
Slide 20: OV PolicyXpert Architecture
- Console creates, assigns, and deploys policies
- Primary server stores and distributes policies and maintains status information; a secondary server provides intra-domain scalability
- Configuration proxy provisions network elements (CLI, SNMP, ...)
- Configuration PEP provisions application/file servers
- Outsourcing PEP enforces PDP decisions (signaled QoS)
- COPS is used to communicate policies, requests and decisions
COPS - Common Open Policy Service: a protocol developed by the IETF to provide a common methodology for policy services to communicate with devices that apply priority to traffic.
[diagram: policy console (user interface) -> primary policy server (PDP, PolicyXpert database) -> secondary policy server -> COPS -> configuration proxy / configuration PEP / outsourcing PEP -> server agents via CLI, SNMP, ...]
Slide 21: Problems with the IETF Approach
- No distinction between authorisation and obligation policies
- Association of policy with consumer (subject) and target is not clearly specified
- No event triggering of policies
- No language for specifying policies
- Representing each policy component (action, condition, etc.) as an LDAP object is unwieldy and leads to consistency problems on update
- Instance-based reuse rather than specification-based reuse
- Very QoS management oriented, although meant to be applicable to other applications
- Conflict detection and resolution identified but not defined
Slide 22: The Ponder Policy Framework
- Domains
- Primitive policies
- Composite policies
- Object orientation issues
Slide 23: Domains: Grouping
A domain is a collection of objects which have been explicitly grouped together for management purposes, e.g. to apply a common policy.
[diagram: an (LDAP) directory tree with domains Hub, People, Hardware Components, Software Components]
Slide 24: Domains: Hierarchy
Sub-domains and overlapping domains
[diagram: nested domains A, B, C, D, E, some of them overlapping]
Slide 25: Domains and Policies
- Impractical to specify policy for individual objects in large systems with many objects, so specify policy for domains
- Can change domain membership without changing the policy
[diagram: policy links managers / manager agents to managed objects through domains]
Slide 26: Primitive Policies
Authorisation
- Defines what a subject is permitted or not permitted (prohibited) to do to a target
- Permitted operations
- Protect target objects from unauthorised management actions
- Target-based interpretation and enforcement
Obligation
- Defines what actions a subject must do
- Subject-based: the subject interprets the policy and performs actions on targets
- Event-triggered obligation
- Actions can be remote invocations or local scripts
- Can specify sequencing or concurrency of actions
Slide 27: Composite Policies
Group Policies
- Defines a syntactic scope for specifying a set of related policies to be instantiated at the same time, plus constraints on the policies
Role relationships
- A role groups the rights and duties related to a position in an organisation, e.g. network operator, network manager, finance director, ward nurse
- Specify policy in terms of roles rather than persons
Object orientation
- Role instances
- Role specialisation: inheritance
Slide 28: Ponder Summary: Object Meta Model Class Hierarchy
Object
- BasicPolicy: auth (auth+, auth-), oblig, refrain, deleg (deleg+, deleg-)
- CompositePolicy: group, role, rel, mstruct
- MetaPol
Slide 29: Policy Conflicts
- Modality conflict detection and resolution
- Policy priority
- Semantic conflicts and meta-policies
- Policy analysis tools
Slide 30: Precedence
Can resolve some conflicts automatically by specifying precedence, e.g.:
- Negative policies override: does not permit positive exceptions to negative policies
- Specified priorities: hard to define priority; several managers may specify inconsistent priorities
- Evaluating a distance between a policy and the object to which it refers
- Refinement level: does the more concrete policy override?
- Time of last update: does the more recent policy override?
Slide 31: Constraints
Only potential modality conflicts are detected, as constraints may limit the applicability of a policy, e.g. to a particular time interval.
Typed constraints (time, subject state):
inst auth+ lineop {
  subject s = operators ;
  action enable, disable, reset, off ;
  target Sregion ;
  when time.between(0800,1800) and s.state = active
}
inst auth- lineop {
  subject s = operators ;
  action enable, disable, reset, off ;
  target Sregion ;
  when time.between(1600,2400) and s.state = standby
}
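An added example (hypothetical code, not Ponder's analyser) of why only potential conflicts are detected: it first looks for auth+/auth- pairs that share a subject, action and target, then uses the typed time and subject-state constraints to decide whether the two policies can actually apply at the same moment; AuthPolicy, modality_conflict and find_conflicts are assumed names.

```python
from dataclasses import dataclass
from typing import FrozenSet, List, Optional, Tuple
# Added example, not Ponder's own analyser: find potential modality conflicts
# (auth+ vs auth- sharing a subject, action and target) and then use the typed
# constraints (time interval, subject state) to see whether both can hold at once.
@dataclass(frozen=True)
class AuthPolicy:
    name: str
    positive: bool                       # True = auth+, False = auth-
    subjects: FrozenSet[str]
    actions: FrozenSet[str]
    targets: FrozenSet[str]
    time_between: Tuple[int, int]        # hhmm, start inclusive, end exclusive
    subject_state: Optional[str] = None  # None means any state

def time_overlap(a: Tuple[int, int], b: Tuple[int, int]) -> Optional[Tuple[int, int]]:
    lo, hi = max(a[0], b[0]), min(a[1], b[1])
    return (lo, hi) if lo < hi else None
def modality_conflict(p: AuthPolicy, q: AuthPolicy) -> Optional[str]:
    """Describe the conflict between p and q, or None if they cannot clash."""
    if p.positive == q.positive:
        return None                      # same modality never conflicts
    subj, acts, tgts = p.subjects & q.subjects, p.actions & q.actions, p.targets & q.targets
    if not (subj and acts and tgts):
        return None                      # no shared subject/action/target
    window = time_overlap(p.time_between, q.time_between)
    if window is None:
        return None                      # time constraints never both hold
    if p.subject_state and q.subject_state and p.subject_state != q.subject_state:
        return None                      # a subject is in one state at a time
    return (f"{p.name} vs {q.name}: {sorted(acts)} on {sorted(tgts)} by {sorted(subj)} "
            f"during {window[0]:04d}-{window[1]:04d}")

def find_conflicts(policies: List[AuthPolicy]) -> List[str]:
    found = []
    for i, p in enumerate(policies):
        for q in policies[i + 1:]:
            msg = modality_conflict(p, q)
            if msg:
                found.append(msg)
    return found

# Constructed sample: the slide's two lineop policies (no conflict, thanks to the
# state constraint) and a variant without the state constraint (conflict 1600-1800).
OPS = frozenset({"operators"})
ACTS = frozenset({"enable", "disable", "reset", "off"})
SREGION = frozenset({"Sregion"})
LINEOP_POS = AuthPolicy("lineop+", True, OPS, ACTS, SREGION, (800, 1800), "active")
LINEOP_NEG = AuthPolicy("lineop-", False, OPS, ACTS, SREGION, (1600, 2400), "standby")
LINEOP_NEG_ANY = AuthPolicy("lineop-any", False, OPS, ACTS, SREGION, (1600, 2400))
```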
Slide 32: Semantic Conflicts
Types of conflict:
- separation of duty, e.g. the same person is not allowed to both authorise payments and initiate them
- self-management, e.g. a manager cannot authorise his own expenses
- conflict for resources, e.g. not more than 5 persons are authorised to change the DB
Need to specify the conditions which result in conflict:
- constraints on a set of policies (meta-policies), specified using Prolog or OCL
- included in composite policies such as roles or mstructs
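To make the three meta-policy types concrete, here is an added Python check (not Ponder's Prolog/OCL meta-policies) over a constructed set of (subject, action, target) authorisations; the function names, action names and sample subjects are assumptions.

```python
from collections import defaultdict
from typing import Dict, List, Tuple

# Added example, not Ponder code: the three meta-policies from the slide, checked
# over a constructed set of auth+ policies. Each policy is (subject, action, target);
# a subject can also appear as a target, which is what self-management looks for.
Auth = Tuple[str, str, str]

def separation_of_duty(policies: List[Auth], a1: str, a2: str) -> List[str]:
    """Subjects permitted both a1 and a2 (e.g. authorise and initiate payments)."""
    rights = defaultdict(set)
    for subj, act, _ in policies:
        rights[subj].add(act)
    return sorted(s for s, acts in rights.items() if {a1, a2} <= acts)

def self_management(policies: List[Auth], action: str) -> List[str]:
    """Subjects authorised to perform `action` on themselves (e.g. their own expenses)."""
    return sorted({s for s, act, tgt in policies if act == action and s == tgt})

def resource_limit(policies: List[Auth], action: str, target: str, limit: int) -> Tuple[bool, List[str]]:
    """Distinct subjects allowed `action` on `target`; violated if more than `limit`."""
    subjects = {s for s, act, tgt in policies if act == action and tgt == target}
    return len(subjects) > limit, sorted(subjects)

def check_meta_policies(policies: List[Auth]) -> Dict[str, List[str]]:
    """Run the three meta-policies; each entry lists the subjects involved in a violation."""
    over, who = resource_limit(policies, "change", "DB", 5)
    return {
        "separation_of_duty": separation_of_duty(policies, "authorise_payment", "initiate_payment"),
        "self_management": self_management(policies, "authorise_expenses"),
        "resource_limit": who if over else [],
    }

# Constructed sample policy set (subject, action, target)
SAMPLE_POLICIES: List[Auth] = [
    ("alice", "authorise_payment", "finance"), ("alice", "initiate_payment", "finance"),
    ("bob", "initiate_payment", "finance"),
    ("carol", "authorise_expenses", "carol"),   # a manager authorising her own expenses
    ("dave", "authorise_expenses", "erin"),
] + [(f"dba{i}", "change", "DB") for i in range(6)]  # six people may change the DB
```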
Slide 33: Policy Implementation
[diagram]
- Policy service: edit, enable, disable, ... policies; queries the domain service for subjects and targets
- Authorisation policies are loaded into the target objects
- Obligation and refrain policies are loaded into the policy management agents (subjects), which perform actions on the target objects
- Monitoring service delivers events to the agents
Slide 34: Policy Management Agent
Generic interface:
- Distribute, remove, enable, disable obligation and refrain policies
- Load, unload code
Agent-specific functions:
- Programming execution environment
- Application-specific interface: operations on target objects, events
Slide 35: Authorisation Agent
- Load, remove, enable, disable policies
- Authentication
- Maps policies onto operating-system or object-support access control mechanisms
Slide 36: Future Work
- Inter-organisational policy negotiation
- Policy based response to network attacks
- Refinement and analysis tools
- Trust specification, analysis and refinement into security management policy
- Case studies and implementation
- Policy based programmable networks: policy aware applications, policy based network elements (routers and firewalls), direct implementation of policy in hardware (FPGAs)
Slide 37: Policy and Efficiency
- Computation efficiency: in the manager, in the agent
- Communication efficiency: creating policies, access to policies, encoding policy
- The old tradeoff: abstraction vs. efficiency
- A newer tradeoff: distributing policies or keeping them in a centralized repository
Slide 38: Event Correlation
- What is an event?
- An example: an error log file
- We want to reduce the number of events and to find the root event
Slide 39: Event Correlation: Issues
- False positives vs. false negatives
- Efficiency: which resource is limited, communication or computation?
- Centralized vs. distributed
- Where will the knowledge come from?
Slide 40: WEB based NM
- Web based tools are out there: HTML, XML
- Easy to use tools and knowledge are available
- Should we use it for NM?
- Cons: portability, ease of use, reusable code
Slide 41: SNMP WEB-based Network Management
[diagram: WEB based manager <-> (push) WEB server with a WEB/SNMP gateway and a Notification Service <-> SNMP Get/Set and SNMP Trap <-> SNMP agent]
Slide 42: Web based NM
- Is it good?
- Is it efficient?
- Do we really need it?
Slide 43: Overall CONTEXT Architecture
[diagram: layers considered in CONTEXT]
- Service Layer: consumer scripts/users, provider scripts/users; Service Subscription/Customization Server; Policy-based Service Lifetime Management; Context-aware Service Creation Server; high-level service APIs; Service 1 ... Service N
- Active Application Layer: Active Application Network Platform; low-level medium-specific APIs
- IP Layer: Network Element Abstraction over GPRS, IP, WLAN
Slide 44: CONTEXT Work Packages
[diagram labels: WP5 Services Demo, Technology / Infrastructure Demo; WP2 Service Management: Policy Server, Context Services Repository, Service Deployment, Context Services Creation Server; WP3 Active Management platform, Active Application Layer (AS nodes); WP4 Mobile Network, Network Management platform; mobile user, fixed user, Internet]
Slide 45: Service Framework
[diagram labels: CAS Provider; Register/Manage; SLA/Policy Management Tool; Policy Repository; Component DB; Subscription Portal; CAS Reconfiguration; Policy-based CAS Control Module; CAS Composition; Context Management Module and Context DB (a context change triggers the re-reasoning of policies); CAS PEPs; WLAN Broker, QoS Broker, Control Broker, Context Info Broker; DINA Packet Formatter, DINA API, AAL, Active Packets; WLAN, IP, GPRS]
Slide 46: Service Framework: Definition and Realization
[diagram labels: Service Creation; Service Definition Modules (Context Info, Realization Action, Functional Broker); Service Publication; Service Management Logic (Configuration, Subscription, Invocation, Assurance, Deployment); Customers; Network of active nodes (AN EE, CIAH)]
Slide 48: Where is the Management?
- What if it does not work? Configuration management and provisioning
- What if it does not pay? Accounting management
- What if it works slowly? Performance management
- What if it works badly? Fault management
- What if it works against you? Security management
Slide 49: What is NM?
[diagram: Network Management keeps the network within normal operation conditions]
It is all a matter of design.
Slide 50: The Challenges
- Guarantee the desired end-to-end QoS to the application
- Utilize as much of the available resources as possible with as little overhead as possible
- Automated discovery and configuration in a heterogeneous environment
- Distributed, cost-aware network management
Slide 51: Our Goal
Introduce efficiency to network management using active networks technology:
- Shorter control loops
- Fusion of control messages in the network
- Exposing the actual cost to the programmer
Slide 52: Are Active Networks Efficient?
- An AN node is always slower than a router (fast/slow track)
- System view: fewer packets, shorter control loops, smarter algorithms
Slide 53: Course Objectives
- Advanced course in computer communication networks
- Provide basic knowledge of the field of network management
- Understand the challenges of efficient network management, and the modern techniques that may help to generate tools that address these challenges (mobile code, active networks)