rfc2905.txt

   9. The AAA protocol must allow for unsolicited messages to be sent to
      a "client", such as the AAA client running on the Home Agent.

4.  Bandwidth Broker

   This section describes authorization aspects derived from the
   Bandwidth Broker architecture as discussed within the Internet2 Qbone
   BB Advisory Council.  We use authorization model concepts to identify
   contract relationships and trust relationships, and we present
   possible message exchanges.  We will derive a set of authorization
   requirements for Bandwidth Brokers from our architectural model.  The
   Internet 2 Qbone BB Advisory Council researches a single and multi-
   domain implementation based on 2-tier authorization concepts.  A 3-
   tier model is considered as a future work item and therefore not part
   of this description.  Information concerning the Internet 2 Bandwidth
   Broker work and its concepts can be found at:

      http://www.merit.edu/working.groups/i2-qbone-bb

   The material in this section is based on [13], which is a work in
   progress of the Internet2 Qbone BB Advisory Council.

Vollbrecht, et al.           Informational                     [Page 12]

RFC 2905         AAA Authorization Application Examples      August 2000

4.1.  Model Description

   The establishment of a model involves four steps:

   1. identification of the components that are involved and what they
      are called in this specific environment,

   2. identification of the relationships between the involved parties
      that are based on some form of agreement,

   3. identification of the relationships that are based on trust, and

   4. consideration of the sequence of messages exchanged between
      components.

4.2.  Components of the Two-Tier Model for Bandwidth Brokerage

   We will consider the components of a bandwidth broker transaction in
   the context of the conceptual entities defined in [2].  The bandwidth
   broker two-tier model recognizes a User and the Service Provider
   controlling the Service Equipment.

   The components are as follows:

   -  The Service User (User) -- A person or process willing to use a
      certain level of QoS by requesting the allocation of a
      quantifiable amount of resource between a selected destination and
      itself.  In bandwidth broker terms, the User is called a Service
      User, capable of generating a Resource Allocation Request (RAR).

   -  The Bandwidth Broker (Service Provider) -- a function that
      authorizes allocation of a specified amount of bandwidth resource
      between an identified source and destination based on a set of
      policies.  In this context we refer to this function as the
      Bandwidth Broker.  A Bandwidth Broker is capable of managing the
      resource availability within a network domain it controls.

   Note: a 3-tier model involving a User Home Organization is recognized
   in [13]; however, its development is left for future study and
   therefore it is not discussed in this document.

4.3.  Identification of Contractual Relationships

   Authorizations to obtain bandwidth are based on contractual
   relationships.  In both the single and multi-domain cases, the current
   Bandwidth Broker model assumes that a User always has a contractual
   relationship with the service domain to which it is connected.

4.3.1.  Single-Domain Case

   In the single-domain case, the User has a contract with a single
   Service Provider in a single service domain.

                                    +-------------+
                                    |             |
                                    | +---------+ |
                                    | |Bandwidth| |
                  +-------+         | |Broker   | |
                  |       |         | |         | |
                  |Service|         | +---------+ |
                  |User   |=========|             |
                  |       |         | +---------+ |
                  |       |         | | Network | |
                  +-------+         | | Routing | |
                                    | | Devices | |
                                    | +---------+ |
                                    | Autonomous  |
                                    | Service     |
                                    | Domain      |
                                    +-------------+

                  ==== contractual
                       relationship

     Fig. 5 -- Two-Tier Single Domain Contractual Relationships

4.3.2.  Multi-Domain Case

   In the multi-domain case, the User has a contract with a single
   Service Provider.  This Service Provider has a contract with
   neighboring Service Providers.  This model is used when independent
   autonomous networks establish contracts with each other.

                        +-------------+        +-------------+
                        |             |        |             |
                        | +---------+ |        | +---------+ |
                        | |Bandwidth| |        | |Bandwidth| |
      +-------+         | |Broker   | |        | |Broker   | |
      |       |         | |         | |        | |         | |
      |Service|         | +---------+ |        | +---------+ |
      |User   |=========|             |========|             |
      |       |         | +---------+ |        | +---------+ |
      |       |         | | Network | |        | | Network | |
      +-------+         | | Routing | |        | | Routing | |
                        | | Devices | |        | | Devices | |
                        | +---------+ |        | +---------+ |
                        | Autonomous  |        | Autonomous  |
                        | Service     |        | Service     |
                        | Domain A    |        | Domain B    |
                        +-------------+        +-------------+

      ==== contractual
           relationship

     Fig. 6 -- Two-Tier Multi-Domain Contractual Relationships

4.4.  Identification of Trust Relationships

   Contractual relationships may be independent of how trust, which is
   necessary to facilitate authenticated and possibly secure
   communication, is implemented.  There are several alternatives in the
   Bandwidth Broker environment to create trusted relationships.
   Figures 7 and 8 show two alternatives that are options in the two-
   tier Bandwidth Broker model.

                        +-------------+        +-------------+
                        |             |        |             |
                        | +---------+ |        | +---------+ |
                        | |Bandwidth| |        | |Bandwidth| |
      +-------+         | |Broker   | |        | |Broker   | |
      |       O***********O         O************O         | |
      |Service|         | +----O----+ |        | +----O----+ |
      |User   |=========|      *      |========|      *      |
      |       |         | +----O----+ |        | +----O----+ |
      |       |         | |Network  | |        | |Network  | |
      +-------+         | |Routing  | |        | |Routing  | |
                        | |Devices  | |        | |Devices  | |
                        | +---------+ |        | +---------+ |
                        | Autonomous  |        | Autonomous  |
                        | Service     |        | Service     |
                        | Domain A    |        | Domain B    |
                        +-------------+        +-------------+

      ==== contractual relationship
      O**O trust relationship

     Fig. 7 -- Two-Tier Multi-Domain Trust Relationships, alt 1

                        +-------------+        +-------------+
                        |             |        |             |
                        | +---------+ |        | +---------+ |
                        | |Bandwidth| |        | |Bandwidth| |
      +-------+         | |Broker   | |        | |Broker   | |
      |       |         | |         | |        | |         | |
      |Service|         | +----O----+ |        | +----O----+ |
      |User   |=========|      *      |========|      *      |
      |       |         | +----O----+ |        | +----O----+ |
      |       O***********O Network O************O Network | |
      +-------+         | | Routing | |        | | Routing | |
                        | | Devices | |        | | Devices | |
                        | +---------+ |        | +---------+ |
                        | Autonomous  |        | Autonomous  |
                        | Service     |        | Service     |
                        | Domain A    |        | Domain B    |
                        +-------------+        +-------------+

      ==== contractual relationship
      O**O trust relationship

     Fig. 8 -- Two-Tier Multi-Domain Trust Relationships, alt 2

   Although [13] does not recommend specifics regarding this question,
   the document recognizes the need for trust relationships.  In the
   first model, a trust relationship, based on some form of
   authentication method, is created between the User and the Bandwidth
   Broker and among Bandwidth Brokers.  In the second model, which
   enjoys some popularity in enterprise networks, the trust relationship
   may be established via the wiring closet and the knowledge of which
   physical router port or MAC address is connected to which user.  The
   router-Bandwidth Broker relationship may be established physically or
   by some other authentication method or secure channel.

   A Certificate Authority (CA) based trust relationship is shown in
   figure 9.  In this figure, a CA signs public key certificates, which
   then can be used in encrypted message exchanges using public keys
   that are trusted by all involved.  As a first step, each involved
   party must register with the CA so it can join a trust domain.  The
   Router-Bandwidth Broker relationship may be established as described
   in the two previous figures.  An interesting observation regarding
   this kind of model is that the bandwidth broker in domain B may route
   information to the user via the bandwidth broker in domain A without
   BB1 being able to read the information (using end-to-end security).
   This model creates a meshed trust relationship via a tree-like CA
   structure.

                               +-------------------+
                               |  Certificate      |
           ....................|  Authority        |
          :                  ..|                   |..
          :                 :  +-------------------+  :
          :                 :                         :
          :                 :                         :
          :  ***************:***********************  :
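   The following Python model is added here as an illustration; it is
   not part of RFC 2905 or of the Internet2 Bandwidth Broker work.  It
   walks a Resource Allocation Request through the two-tier multi-domain
   model of Figs. 6 and 7: the User's RAR is authenticated over the
   User-BB trust relationship in domain A, checked against the User's
   contract and the domain's capacity, and carried into domain B only
   over the BB-BB contract and trust relationship, so the same RAR sent
   straight to BB B is refused.  The shared secrets, domain names and
   bandwidth figures are constructed assumptions, and HMAC stands in for
   whatever authentication method a deployment chooses.

```python
import hashlib
import hmac
import json

# Constructed shared secrets for the two trust relationships of Fig. 7
# (User <-> BB in domain A, BB A <-> BB B); the values are hypothetical.
USER_BB_A_KEY = b"user<->bbA-secret"
BB_A_BB_B_KEY = b"bbA<->bbB-secret"

def sign(key, rar):
    # Authenticate a Resource Allocation Request over one trust relationship.
    body = json.dumps(rar, sort_keys=True).encode()
    return hmac.new(key, body, hashlib.sha256).hexdigest()

class BandwidthBroker:
    def __init__(self, domain, contracts, trust, peers, capacity):
        self.domain = domain
        self.contracts = contracts  # parties under contract (==== in Figs. 5/6)
        self.trust = trust          # party -> shared key (O**O in Fig. 7)
        self.peers = peers          # neighbouring domain -> BandwidthBroker
        self.capacity = capacity    # bandwidth still allocatable in this domain

    def handle_rar(self, rar, tag, sender):
        """Authorize an RAR received from `sender`, forwarding across domains."""
        key = self.trust.get(sender)
        if key is None or not hmac.compare_digest(sign(key, rar), tag):
            return "reject: no trust relationship with " + sender
        if sender not in self.contracts:
            return "reject: no contract with " + sender
        if rar["bandwidth"] > self.capacity:
            return "reject: insufficient capacity in domain " + self.domain
        if rar["dst_domain"] != self.domain:
            # Destination is in a neighbouring domain: carry the request over the BB-BB relationship.
            peer = self.peers.get(rar["dst_domain"])
            if peer is None:
                return "reject: no contract path to domain " + rar["dst_domain"]
            result = peer.handle_rar(rar, sign(self.trust[peer.domain], rar), self.domain)
            if not result.startswith("accept"):
                return result
        self.capacity -= rar["bandwidth"]
        return "accept: domain %s reserved %d Mbit/s" % (self.domain, rar["bandwidth"])

def demo():
    # User -> BB A -> BB B succeeds; the same RAR sent directly to BB B is refused.
    bb_b = BandwidthBroker("B", {"A"}, {"A": BB_A_BB_B_KEY}, {}, capacity=100)
    bb_a = BandwidthBroker("A", {"user", "B"}, {"user": USER_BB_A_KEY, "B": BB_A_BB_B_KEY}, {"B": bb_b}, capacity=50)
    rar = {"src": "user", "dst_domain": "B", "bandwidth": 20}
    via_a = bb_a.handle_rar(rar, sign(USER_BB_A_KEY, rar), "user")
    direct = bb_b.handle_rar(rar, sign(USER_BB_A_KEY, rar), "user")
    return via_a, direct, bb_a.capacity, bb_b.capacity
```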
