view Side-By-Side changes
AAAARCH Research Group A. Taal INTERNET DRAFT G. Sliepen Category: InformationalA.E. HemelC.T.A.M. de LaatNovember 2001March 2002 A grammar for Policies in a Generic AAA Environment<draft-irtf-aaaarch-generic-policy-01.txt><draft-irtf-aaaarch-generic-policy-02.txt> Status of this Memo This document is an Internet-Draft and is in full conformance with all provisions of Section 10 of RFC 2026. Internet-Drafts are working documents of the Internet Engineering Task Force (IETF), its areas, and its working groups. Note that other groups may also distribute working documents asInternetInternet- Drafts. Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by otherdocuídocu- ments at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress." The list of current Internet-Drafts can be accessed at http://www.ietf.org/ietf/1id-abstracts.txt The list of Internet-Draft Shadow Directories can be accessed at http://www.ietf.org/shadow.html. This memo describes work in progress within the AAAARCH Research Group. Comments are welcome and should be submitted to aaaarch@fokus.gmd.de. Distribution of this memo is unlimited. Copyright Notice Copyright (C) The Internet Society (2001). All Rights Reserved. A. Taal et al. Expires:JuneSeptember 2002 [Page 1] Internet Draft Grammar for Policies in Generic AAANovember 2001March 2002 Abstract In this document a formalmodel of alanguageto describe policiesis presented to describe poli- cies in the context of a generic AAA environment.In suchWe confine the discussion to so called Driving Policies. A Driving Policy deter- mines the behavior of anenvironment, multiple domains or "kingdoms" are involved. Each domain has, in effect, Service Level Agreements (SLAs)AAA Server when it is confronted withother domains. Those SLAs and other rules that may apply toadomain are implemented as policies inspecific message type of the AAAServers. The policiesprotocol. These Driving Policies shouldfacilií tatefacilitate AAA Servers fromthevarious domains to work together in order toSatisfy Requestssatisfy requests from users for services that cross those domains.For complex services, not all knowledge can be packed into a single policy.Therefore, apolicyDriving Policy must be able to referenceanother policy. This might be a reference to a local policy, policy stored at the same AAA Server, as wellother policies, since Service Level Agreements with other domains are implemented asa reference to a remote policy, a policy stored at a remote AAA Server.policies. Other importantcomponentsfeatures of apolicyDriving Policy arecallsthe possibility to call generic functions the AAA Server is equipped with, and the possibility to delegate special tasks to so called Application Specific Modules. Table of Contents Status of this Memo . . . . . . . . . . . . . . . . . . . . . . 1 Copyright Notice . . . . . . . . . . . . . . . . . . . . . . . 1 Abstract . . . . . . . . . . . . . . . . . . . . . . . . . . . 2 1. AAA environment . . . . . . . . . . . . . . . . . . . . . . 3 2. Use Case Diagram . . . . . . . . . . . . . . . . . . . . . . 4 2.1. The Use Case 'SatisfyRequest'request' . . . . . . . . . . . . . . 5 2.2. The Use Case 'Lookup Driving Policy' . . . . . . . . . . . 5 2.3. The Use Case 'Evaluate Driving Policy' . . . . . . . . . .65 2.4. The Use Case 'AuthenticateUser'user' . . . . . . . . . . . . . 6 2.5. The Use Case 'Authorize User' . . . . . . . . . . . . . . 63. Policies2.6. The Use Case 'Perform Accounting' . . . . . . . . . . . . . .6 3. Driving Policies . . . . . . . . . . . . . . . . . . . . . . . 6 3.1. Introduction . . . . . . . . . . . . . . . . . . . . . . . 6 3.2. Formal model . . . . . . . . . . . . . . . . . . . . . . . 7 3.2.1. Conditions . . . . . . . . . . . . . . . . . . . . . . . 10 3.2.2. Constants and variables . . . . . . . . . . . . . . . . 12 3.2.3. Object trees . . . . . . . . . . . . . . . . . . . . . . 12 3.2.4. Policy references . . . . . . . . . . . . . . . . . . .14. 13 3.2.5. Actions . . . . . . . . . . . . . . . . . . . . . . . .1413 3.3. Errors . . . . . . . . . . . . . . . . . . . . . . . . . .15 3.4. Construction guidelines . .14 4. Data Objects and Message Types . . . . . . . . . . . . . . .16 3.5.15 5. Example Policy . . . . . . . . . . . . . . . . . . . . . .18 3.6. Pushing Policies .. 15 6. Ponder policy language . . . . . . . . . . . . . . . . . . .21.18 References . . . . . . . . . . . . . . . . . . . . . . . . . .2220 Authors' Addresses . . . . . . . . . . . . . . . . . . . . . .2220 A. Taal et al. Expires:JuneSeptember 2002 [Page 2] Internet Draft Grammar for Policies in Generic AAANovember 2001March 2002 1. AAA environment +----+ +---+ +---+|AAA|<=============================================>|AAA| +---+<=============|User|<=======>|AAA|<===================================>|AAA| +----+ +---+<========= =========>+---+ /\ /\ \\ // /\ /\ || || || || || || || \/ || || || \/ \/ +--+ || || \/ +--+ +---+ |PR| || || +---+ |PR| |ASM| +--+ \/ \/ |ASM| +--+ +---+ +---+ +---+ +---+|AAA|<=============>|AAA||AAA|<=========>|AAA| +---+ +---+ /\ /\ /\ /\ || || || || || \/ || \/ \/ +--+ \/ +--+ +---+ |PR| +---+ |PR| |ASM| +--+ |ASM| +--+ +---+ +---+ Figure 1. The abstract view of a generic AAA environment This section introduces an abstract view of a generic AAAenvironíenviron- ment [RFC2903], and what kind of components it consists of. Only those components are presented that are necessary to illustrate the discussion in this draft. An AAA Server may receive a request from an entity operating on a user's behalf. The contents of the requestcontaincontains what kind of service the user wants. This request is evaluated by the Rule Based Engine (RBE) of the AAA Server where a Driving Policy resides that needs to be evaluated with respect to the request. The Driving Policy specifies the behavior of the AAA Server for a certain request. For each message type of a future AAA protocol[OBJMSG](section 4) there exists a corresponding Driving Policy that is evaluated. These Driving Policies are stored in the Policy Repository (PR). Whether the request will be accepted or rejected depends on the evaluation of the Driving Policy. In case the Driving Policy is part of a distributed policy, the AAA Server that receives the request has to communicate with other AAA Servers in order to fully evaluate the request.Complex andFor special tasksnot possible or too cumbersome to express intothepolicy language are handled byAAA Server (RBE) resorts to genericcomponentsfunctions orbyto so called Application Specific Modules (ASMs). Because Driving Policies can refer to local policies and to ASMs for complextasks,taks, the contents of the Policy Repository(PR)and the ASMs determine the behavior of the AAA Server. A change of theA. Taal et al. Expires: June 2002 [Page 3] Internet Draft Grammar for Policies in Generic AAA November 2001contents of the PR and the ASMs will result in a different AAA Server. This feature should be dynamically supported to give anadministratorAdministrator the possibility to adjust the behavior of an AAA Server without the necessity to recompile the AAA Server code. A. Taal et al. Expires: September 2002 [Page 3] Internet Draft Grammar for Policies in Generic AAA March 2002 2. Use Case Diagram +-+ +-+ | request +-----------------+ <<include>> ----- <=========> | SatisfyRequestrequest |============ | +-----------------+ || / \ || \/ User || <<include>> +-----------------------+\/|| | Lookup Driving Policy |+-------------------------+\/ +-----------------------+|+-------------------------+ ===>| Evaluate Driving Policy*<====|<========== || +-------------------------+ \\ <<extend>>/\|| <<extend>> /\ \\ policy requires<<extend>>||\\ authorizationpolicy requires || <<extend>> \\ authorization ||authenticationaccounting || policy requires \\ +------------+ || authentication \\ | Perform | +-------------------+ +----------------+ | Accounting | | Authenticate User | | Authorize User | +------------+ +-------------------+ +----------------+ Figure 2. Use Case diagram foraan AAA request We will consider the role of a Driving Policy in response to a so called AAA request. To illustrate the scope of this policy in the generic AAA environment, we present a UML Use Case diagram for a future system of AAA Servers, fig. 2. As this is not the right document to fully describe the Use Cases in fig. 2, only a concise description is presented. We define a single Actor, called User, as an entity that speaks the AAA protocol. This generalized user wants a request to be satisfied, the Use Case 'SatisfyRequest'.request'. The relationship between the Actor and this Use Case is abi-direcíbi-direc- tional association. It depicts the participation of the Actor in the Use Case. This association is bi-directional because the User expects an answer to his request. At the highest level we have: - Use Case: 'SatisfyRequest'request' - System: Network of AAA ServersA. Taal et al. Expires: June 2002 [Page 4] Internet Draft Grammar for Policies in Generic AAA November 2001- Actors: User - Precondition: none In total we distinguishfivesix Use Cases: - 'SatisfyRequest'request' - 'Lookup Driving Policy' - 'Evaluate Driving Policy' - 'AuthenticateUser'user' - 'AuthorizeUser'user' - 'Perform Accounting' A. Taal et al. Expires: September 2002 [Page 4] Internet Draft Grammar for Policies in Generic AAA March 2002 Between the Use Case 'SatisfyRequest'request' and 'Lookup Driving Policy', as well as between 'SatisfyRequest'request' and 'Evaluate Driving Policy', there exists an include relationship. The functionality described in 'SatisfyRequest'request' always includes the functionality of 'Lookup Driving Policy' and 'Evaluate Driving Policy'. Those last two Use Cases are mandatory for 'SatisfyRequest'.request'. The extendrelationírelation- ships are interpreted as conditional include relationships. The Use Cases 'AuthenticateUser'user' and 'AuthorizeUser'user', and æPerform AccountingÆ are onlyperí formedperformed if some internal condition in the Use Case 'Evaluate Driving Policy' requires it. 2.1. The Use Case 'SatisfyRequest'request' This Use Case will describe how an AAA Server deals with an AAARequestrequest issued by a device acting on the behalf of a real user, and what answers towards the user can begiven [OBJMSG].given. Every request is forwarded to the AAA Server where the process to satisfy a request actually starts. This AAA Server may manage a Policy Repository where the Driving Policy resides that needs evaluation. The AAA Server evaluatesthethis policy andformulates aconstructs the corres- ponding response.It isA more detailed view ofimportance thatthis Use Case would be therequester is well informed aboutset of Use Cases associated with theoutí comedifferent message types ofhis request, especially when his request is rejected.the AAA protocol. 2.2. The Use Case 'Lookup Driving Policy' The AAA Server must retrieve the Driving Policy that needs to be evaluated before the request can be satisfied.Which policy to retrieve must be clear from the request. Any request will result in a lookup for the Driving Policy in the local Policy Repository (PR).As there exists a one-to-onemappingad onto relationship between AAA requests and Driving Policies, itisclear to the AAA Server which Driving Policy it has to retrieve.A. Taal et al. Expires: June 2002 [Page 5] Internet Draft Grammar for PoliciesAny request will result inGeneric AAA November 2001the lookup of the corresponding Driving Policy in the local Policy Repository (PR). 2.3. The Use Case 'Evaluate Driving Policy' Policies can either be used in a stand-alone fashion or they can refer to other policies. It is the task of the AAA Server toevalíeval- uate all policies necessary. This task is delegated to the Rule Based Engine (RBE, see fig. 2). A complex situation occurs when a request contains a policy that is pushed by the user. If thishapíhap- pens it must be clear what logical relation this policy has with the stored Driving Policy, and whether this pushed policy contains conditions the user is not authorized to push. The request may contain objects (primitive data types ) to be sub- stituted for free variables occurring in the Driving Policy. The RBE substitutes everything at the proper place into the policy. After the RBE has substituted all it knows, it decides whether the policy is false, true or undecided yet. It is theresponsií bilityresponsibility of the AAA Server to keep track of all the decisionprocess.processes. A. Taal et al. Expires: September 2002 [Page 5] Internet Draft Grammar for Policies in Generic AAA March 2002 2.4. The Use Case 'AuthenticateUser'user' The authentication of the user is the process of verifying the proof of his identity. Authentication of the user is onlyperíper- formed if the Driving Policy under evaluation requires it. When that is the case, the request must contain information aboutnecesíneces- sary policy variables with respect to authentication. Furthermore, the request may contain a certificate or password, his proof of identity. In order to be sure the user is the one he says he is, his proof of identity needs to be verified. 2.5. The Use Case 'Authorize User' An AAA Server performs authorization of a user's request, i.e. whether the user is allowed to obtain the requested service or resource(s).Like authentication,Authentication and authorization is only performed ifathe Driving Policy requires it. It is not strictly necessary to perform authentication before authorization. There are cases where the decision whether the request is authorized or not does not in any way depend on information about the user.3. Policies 3.1. Introduction As can be derived from the2.6. The Use Casediagram in fig. 2,'Perform Accounting' Accounting is thebehaviorcollection ofanall the data about resource con- sumption. Intermediate accounting or accounting indication informs the User about currently used resources. The AAA Serveris policy driven with respectmust provide the information about which Resource Managers need to be consulted. Resource Managers resorts to Meters that capture data about resource consumption in the network. 3. Driving Policies 3.1. Introduction As can be derived from the Use Case diagram in fig. 2, the behavior of an AAARequest.Server is policy driven with respect to a request. In order to expand the Use Case 'Evaluate Driving Policy', it is important to have a model for policies. In this section we will outline such a model. It will have components we believe arenecínec- essary for any future model. There are several reasons to come with a formal model for apolicy.Driving Policy. In this document a grammar isA. Taal et al. Expires: June 2002 [Page 6] Internet Draft Grammar for Policies in Generic AAA November 2001presented. As a Driving Policy determines the behavior of an AAA Server into a large extent, there is a tight relationship between the grammar and the architecture of an AAA Server. For instance components like an ASM (Application Specific Module) provide the real functionality of an AAA Server, and therefore there will certainly be provisions for that in the grammar. The type of constructions defined in the A. Taal et al. Expires: September 2002 [Page 6] Internet Draft Grammar for Policies in Generic AAA March 2002 grammar influence the ways in which the ASMs will be accessed, and therefore the way the whole AAA environment will react. Driving Policies might be distributed, i.e.a policyit may reference apolicyPolicy residing at another AAA Server. In that case communication between AAA Servers is involved during policy evaluation. TheAAArequest and response objects[OBJMSG][section ??] must be suited to accommodate the necessary information for remote policy evaluation. This shows an interdependence between the formal model and the object types of a future AAA protocol. Another important reason for a formal model of a policy is the needforto allow pushedand pulledpolicies in the AAA environment. An AAA Server or even an application acting on behalf of a user should be allowed to presentor requestpolicies inan AAA Request. Obvií ouslya request. Obviously a standard protocol or language must exist for those policies so that theparí tiesparties involved agree upon thecontents of those policies.contents. Since the AAA concept (architecture and protocol) is a complicated one, there exists a large need for simulation. As the behavior of an AAA Server is policy driven, the contents of the PolicyReposiíReposi- tory will be reflected in the outcome of a simulation. The need for simulation comes from the hope to proof the decidability of policies in a distributed, generic AAA system. 3.2. Formal model There can be many definitions of a policy grammar. The grammar we propose here is NOT presented as an official AAA policy grammar. However, we present it to pinpointsomethe elements, which will most likely be part of an official AAA policy grammar. The grammar is kept as concise as possible, so that policies according to this grammar turn out to be a subset of existing policy languages. In section ?? a short outline is presented how these policies can be described by the policy language Ponder [PONDER]. We also presentitthis grammar to facilitate the discussion about AAA policies, and to document this language in order to explain the results of a possiblesimulaí tionsimulation of a generic AAA system. The notation of the grammar below is in EBNF (Extended Backus Naur Formalism), terminal symbols are placed between double quotes: Policy ::= "if" "(" Condition ")" "then" "(" ActionList ")" "else" "(" ActionList ")" Condition ::= BoolExpr BoolExpr ::= BoolA. Taal et al. Expires: December 2001 [Page 7] Internet Draft Grammar for Policies in Generic AAA November 2001| Var | ComputedBoolean | {Var "="}? Procedure | Policy | UnaryBooleanOperator BoolExpr | "(" BoolExpr BinaryBooleanOperator BoolExpr ")" A. Taal et al. Expires: September 2002 [Page 7] Internet Draft Grammar for Policies in Generic AAA March 2002 UnaryBooleanOperator ::= "!" BinaryBooleanOperator ::= "&&" | "||" Procedure ::= PolicyRef | FunctionCall PolicyRef ::= PolicyName "@" Hostname "(" ARGList ")" FunctionCall ::= FunctionName "(" ARGList ")" ARGList ::= {ARG {"," ARG}*}? ARG ::= Var "=" Bool | Var "=" ComputedBoolean | Var "=" NonBooleanExpr | Var "=" Procedure ActionList ::= {Action{","{";" Action}*}? Action ::= Var "=" Bool | Var "=" ComputedBoolean | Var "=" NonBooleanExpr | {Var "="}? Procedure | Policy ComputedBoolean ::= NonBooleanExpr ComparisonOperator NonBooleanExpr | "exists" Var ComparisonOperator ::= "==" | ">" | ">=" | "<" | "<=" | "!=" NonBooleanExpr ::= Int | Float | String | Var | UnaryArithmeticOperator NonBooleanExpr | "(" NonBooleanExprA. Taal et al. Expires: June 2002 [Page 8] Internet Draft Grammar for Policies in Generic AAA November 2001BinaryArithmeticOperator NonBooleanExpr ")" UnaryArithmeticOperator ::= "-" BinaryArithmeticOperator ::= "+" | "-" | "/" | "*" | "%" A. Taal et al. Expires: September 2002 [Page 8] Internet Draft Grammar for Policies in Generic AAA March 2002 Var ::= Source {"." Source}* Source ::= Identifier PolicyName ::= Identifier FunctionName ::= Identifier Hostname ::="[a-zA-Z0-9_.]+"String Identifier ::= "[a-zA-Z_].[a-zA-Z0-9_]*" String ::= "\"[^"\n]*\"" Int ::= "-?[0-9]+" Float ::= "-?[0-9]+\.[0-9]*(E-?[0-9]+)?" Bool ::= "(true|false)" A Policy (Driving Policy) can be viewed as an if-then-elseconstruction.con- struction. TheCondií tionCondition (if-part) yields a Boolean value, which may be the result of evaluating a larger expression. Recursion of Conditions is allowed and opens the possibility to make complex policies. Both the then-part and the else-part consist of a list ofActions.Actions (ActionList). Actions are tasks to be performed, and their execution is guarded by the Condition. The Actions in the then-part are executed when the Condition is true, and the Actions in the else-part areexeíexe- cuted when the Condition is false. To a Policy we also attach a Boolean value. We define a Policy to be true if and only if the Condition is true, and the Actions of the then-part aresuccessí fullysuccessfully executed. A Policy is said to be false if and only if the Condition is false, and the Actions in the else-part aresuccessí fullysuccessfully executed. In all other situations, the state of the Policy is undetermined due to the occurrence of an error. As the grammar does not provide for exception handling, the only reasonable choice is to stop the evaluation of the Policy after error occurrence. Policies can be nested in both Conditions as well as Actions. A Policy in an ActionList gives the possibility to express a more deterministic policy, while allowing a Policy within a Condition introduces the notion of `attaching Actions tosub-expressionssubexpressions of aA. Taal et al. Expires: June 2002 [Page 9] Internet Draft Grammar for Policies in Generic AAA November 2001Condition'. According to the above definition it follows that, whether a Policy is part of a Condition, or is used as an Action, its truth value determines the truth value of the Policy one level up in thenestí ing.nesting. Two other components of the model that can have a truth value are a PolicyRef and aFunctioní Call.FunctionCall. A PolicyRef is a reference to a policy that may reside in the same Policy Repository (local policy) or may reside at another AAAServerserver (remote policy). It should be clear that local or remore policies refered to in a Policy are not subjected to the grammar presented, they may be A. Taal et al. Expires: September 2002 [Page 9] Internet Draft Grammar for Policies in Generic AAA March 2002 expressed in other policy languages. The component FunctionCall can beinterí pretedinterpreted as a function call to an Application Specific Module (ASM), or more general a call of a generic library function the AAAServer might beserver is equipped with. An important concept is the result of a PolicyRef and a FunctionCall. With respect to the result their is nodifferí encedifference between a PolicyRef and a FunctionCall. In general the result is an object tree, all members of the tree are accessible. The root object of the object tree contains the truth value of the PolicyRef or FunctionCall. As these components have a truth value, they can be part of a Condition or can be applied as an Action. In the next sections we will explain the syntax of the grammar accompanied with remarks about the semantics of that grammar. 3.2.1. Conditions A Condition is defined as an arbitrary Boolean formula, i.e. we don't make the restriction to a formula in DNF (Disjunctive Normal Form) or CNF (Conjunctive Normal Form) notation. The introduction of bracketsensuresavoids anyambiguity is avoided and, noambiguity, without the need to define a precedencerulesrule foroperatorsthe logical AND- ("&&") and OR-operator ("||"). It is desirable to define how a Condition is evaluated, or in otherconstructions to resolve parsing coní flicts are needed. Apart from that,words theconventions fromif-statement is said to be deterministic. Here we follow the Claní guage are used. Conditionslanguage, which also guarantees that `&&' and `||' areto beevaluatedfromleft to right. For anOR expressionOR-expression it holds that the right operand is notevaluí atedevaluated if the left operand evaluates to true. The same holds for theAND expressionAND-expression if the left operand evaluates to false. This also implies that different parts of aPolicyCondition can not be evaluated in parallel. From parallel evaluation follows that the requester should be satisfied with any result making the Condition true or false. Consider an OR-expression composed of references to remote AAA Servers. Parallel evaluation means parallel requests to the remote AAA Servers. There is no guarantee that the AAA Server with the first positive response will be the same any time the Driving Policy is evaluated. In order to give an administrator more freedom to specify how a Condition should be evaluated, the grammar should be extended by concurrency operators. According tothisthe above definition the following two Policies areequivaí lent: Policy 1: if (equivalent: 1) if( if ( C1 ) then ( A11 ) else ( A12 ) && if ( C2 ) then ( A21 ) else ( A22 )A. Taal et al. Expires: June 2002 [Page 10] Internet Draft Grammar for Policies in Generic AAA November 2001) then ( A00 ) else ( A01 )Policy 2:2) if( C1 )then ( A11;then( if( C2 ) then(A21;A11 ; A21 ; A00 ) else(A22;A11 ; A22 ; A01 ) ) else (A12;A12 ; A01 ) A. Taal et al. Expires: September 2002 [Page 10] Internet Draft Grammar for Policies in Generic AAA March 2002 A Condition, or Boolean expression, is composed offivesix different types of operands (literals): Bool, Var, ComputedBoolean,Proceí dure,Procedure, Policy, andPolicy. An operand of type Bool, Var, ComputedBoolean, or Policy is just the Boolean value true or false.BoolExpr. A ComputedBoolean is a comparison between a left and right hand expression. An important aspect of an expression is that it can contain variables (Var). A variable (Var) refers to a node (sub-tree) of an object tree. The correspondingdotted notationdot-structure provides the RBE (Rule Based Engine) with the information where the sub-tree referenced can be retrieved. The object tree of the request always starts with the reserved word "Request", whereas the object tree of thecorrespondí ingcorrespon- ding reply begins with the reserved word "Reply". A reference to a policy (PolicyRef) opens the possibility to reuse local policies (policies in the same Policy Repository) as well as remote policies (policies residing in a Policy Repository managed by another AAA Server). This type may be interpreted as a Remote Procedure Call. A consequence of policy references is the need of communication between AAA Servers during policy evaluation. A future AAA protocol should provide for request/response objects in order to support referencing remote policies[OBJMSG].(section 4). The other type, FunctionCall, may be interpreted as a function call to an Application SpecificModule,Module (ASM), or as a call to a library function. Both Procedures, a PolicyRef and a FunctionCall, are equivalent in the sense that the result is an object tree. If an assignment is made all parts of this result tree are accessible in the remaining Policy. Whether or not an assignment is made, the truth value of the Procedure is implicitly used to determine the truth value of the Policy it is contained in. The only reason a different syntax is applied for PolicyRef and FunctionCall, is to indicate that different APIs (protocols) are involved for PolicyRefs and FunctionCalls, respectively. An example of an `Authentication Policy' illustrates some of the concepts dealt with above:if A. Taal et al. June 2002 [Page 11] Internet Draft Grammar for Policies in Generic AAA November 2001 (if( Query =getPassword(useridgetPassword( userid =Request.UserID)Request.UserID ) && Request.PassW == Query.PassW ) then (...) else (...)HereinHerein, the Condition compares the password supplied in theRequest object is comparedrequest with the password of the user stored in the authenticationdatabase.data- base. The ASM function getPassword() retrieves the passwordcorrespondingcor- responding to the username that has been supplied as an argument. This argument refers to a variable called "UserID" in theRequest object.Request. By making the assignment"Query = getPassword(...)","Query=getPassword(...)", the password in the return tree can be referred to. This is done in the right hand side of the Condition. A. Taal et al. Expires: September 2002 [Page 11] Internet Draft Grammar for Policies in Generic AAA March 2002 A useful feature is the operator "exists" in combination with an object as a ComputedBoolean. This allows checking if a certain object exists in a return tree orrequest: if (Request: if( exists Request.Bandwidth && Request.Bandwidth >= 10 )then (...)then(...) else (...) 3.2.2. Constants and variables The grammar allows the use of constants and variables, but like in other scripting languages (e.g. JavaScript) the grammar does not provide for type checking. Therefore, the use of variables andconí stantsconstants of different types in the same expression may result in an error state. For example the multiplication of two variables, one representing a string and the other representing a floating point numberis not defined.results in an abortion of the evaluation. 3.2.3. Object trees As mentioned above, variables (Vars) refer to a member of an object tree. We use the following definitions. A node is a leaf if it has no children. All other nodes are internal nodes. If a Var refers to a leaf of an object tree, it refers to a primitive type, likea bool,an int, float or string value. A reference to an internal node means that the Var refers to an object, i.e.aan sub-tree of the object tree starting at that specific internal node. Take for instance the Authentication Request/Reply[OBJMSG]: A. Taal et al. Expires: June 2002 [Page 12] Internet Draft Grammar for Policies in Generic AAA November 2001 AAA Client AAA Server(section 4) Request:---> - Identity - AuthenticationData <---Reply:-Identity Answer AuthenticationData Suppose the Identity object in theRequest objectrequest contains a string called UserID. This member of the Requestobjectmay berepreí sentedrepresented as a Var (variable) with the dot-structure:Request.Idení tity.UserID.Request.Identity.UserID. A Var refers to an empty object tree if the head of the corresponding dot-structure is not the reserved word "Request" or "Reply", and it is neither the head of a previously mentioned dot-structure. Such a Var may be interpreted as a leaf without a value. With this definition in mind we propose the following semantics of assignments withvariables is the following.variables. Consider the assignment of the form Var = Var with corresponding dot-structure A.B.C = D.E. Four different cases can be distinguished.1.1) The left and right hand side bothreferrefers toalready definedan existent object tree, i.e. a non-empty objecttrees.tree. Then the assignment means that all children of E are copied and become the children of C. All original children of C are lost. If C is a leaf but E is a node, then C becomes a node. In case both C and E are leaves, C remains a leaf but its value is changed to the value of E.2.A. Taal et al. Expires: September 2002 [Page 12] Internet Draft Grammar for Policies in Generic AAA March 2002 2) Theleft handleft-hand side is anexistingexistent object tree whereas theright handright-hand side is an empty(not yet declared)object tree. This means that the sub-tree of the tree at the left-hand side starting at node C is deleted. Node C becomes a leaf with no value.3.3) The left-hand side is an empty object tree whereas the right-hand side is anexistingexistent object tree. This is thedeclaí rationdeclaration of a new object tree.4.4) Both sides of the assignment refer to an empty object tree. There is no need to define this as an error. As nothing has to be done, such an assignment might be ignored. It is important to notice that all assignments are assignments by value and NOT by reference. Assignment by reference would lead to undesirable effects. The assignment A.B.C = A.B would result in an object tree with node C pointing to itself.A. Taal et al. Expires: June 2002 [Page 13] Internet Draft Grammar for Policies in Generic AAA November 20013.2.4. Policy references There is a difference between a policy reference (PolicyRef) to a local policy and one to a remote policy. A reference to a remote policy(Polií cyRef)will initiate communication with another AAA Server. As all communication among AAA Servers will proceed via the AAA protocol, only predefined message types areused [OBJMSG].used. Therefore, the name part (PolicyName) of the policy reference is limited to the name of one of these predefined message types. This restriction does not hold for references to locally stored policies. Such a reference has only a restriction with respect to the host name used.Like Procedures, a reference to a local policy might be accompanied with arguments and returns an object tree. This raisesIf thequestion if a difference in syntax is necessary. A FunctionCall and a PolicyRefPolicyReference refers to a local policy, the PolicyName indicates which policymightshould besyntactically indistiní guishable, only different name spaces will reveal if one has to deal with a generic function call, a call to an ASM, or a reference to a local policy.retrieved from the Policy Repository. In general PolicyRefs are not interchangeable with the policies they refer to. 3.2.5. Actions In order to reduce unexpected effects to a minimum and make sure that different AAA Servers always exhibit the same behavior, wedefinepropose the following semantics with respect to Actions. The requirements mentioned below are arbitrary in the sense that another policy language might impose different requirements.AllThey have to defined however, for reasons mentioned above. All Actions in an ActionList must always be executed immediately after evaluating the corresponding Condition. Immediately here means that Actions are executed in the order in which they appear in the ActionList, and an Action is only executed when the previous Action has finished successfully. During execution of the Actions in the ActionList, policy evaluation is postponed. A. Taal et al. Expires: September 2002 [Page 13] Internet Draft Grammar for Policies in Generic AAA March 2002 Take for example the Policy below. In this example, it is clear that the Action openfirewall() of the first Policy HAS to havesucí cessfullysuccessfully finished BEFORE the Action sendpacket() from the second Policy is run. Otherwise it might be possible that sendpacket() will fail (because the packet can't pass the firewall if it hasn't been opened yet).if ( if (if( if( firewallready() ) then ( openfirewall() ) else (...)A. Taal et al. Expires: June 2002 [Page 14] Internet Draft Grammar for Policies in Generic AAA November 2001&&if (if( packetready() ) then( sendpacket() ) else ( closefirewall() ) ) then (...) else(...)(...). The introduction of concurrency operators in the grammar opens the possibility to indicate in which order Actions should be executed. 3.3. Errors There are several circumstances under which errors can occur during the evaluation of policies or the execution of actions. The Policy might refer to objects that are missing. AFunctioní Call,FunctionCall, for example getPassword(), might generate an error, because for example the password is not found in the database, or because the database is off-line. Actions can also generate errors, for instanceopení firewall()openfirewall() may fail. Since we allow arithmetic expressions, another type of error might be caused by a division byzero or other illegal operations.zero. As Vars might be of different types, incompatibilities might occur during evaluation of an expression, like a string multiplied by a float. Suppose that errors do not break or interfere with evaluation. If in the above example(in the previous(previous section) openfirewall() fails, then continuing the evaluation of the Condition willcerí tainlycertainly make sendpacket() fail as well. In this example it isdesirí abledesirable that the evaluation stops after the first error.However there are examples where it make sense to continue after error occurrence. The consideration whether to stop or continue after an error also holds for ActionLists.So, when an error that is not caught by whatever construction in the Policy occurs, theAAA ServerRBE either has to ignore the error and continue or abortevaluaí tion. Both choices have advantages in some situations, and disadí vantages in others. The AAA Server cannot decide for itself what is best. A possible solution might be to introduceevaluation. As exception handlinginis not part of the grammar,so that the policy administrator can tell the AAA Server how to react in case an error occurs. Again, an `arbitrary' choice has to be made in order to make all AAA Servers react inthesame waymost safe strategy is toerrors. Since errors occurring early in the Policy evaluation might trigger even more errors later on, possibly resulting in a disastrous cascade, we will require that AAA Serversabortevaluation of a Policy the moment an error occurs.evaluation. The administrator can make sure that the Policies are constructed in such a way thaterrors do not result in an undesirablethe occurrence of error states are limited. This might be done by checking the input for Procedures if it meets A. Taal et al. Expires:JuneSeptember 2002 [Page15]14] Internet Draft Grammar for Policies in Generic AAANovember 2001 situation. This is shown inMarch 2002 thenext section. 3.4. Construction guidelines An example: +---+ | 3 | +---+ / / +---+ +---+ | 1 |------| 2 | +---+ +---+ User AAA \ \ +---+ | 4 | +---+ Suppose a User at location "1" wants bandwidth to startprecondition. Take for instance aone hour long video stream at time t = T from location "3" to location "4". The User issues an AAA Request, say at t = 0 to reserve the necesí sary bandwidth. This request is sent to the AAA Server at location "2" (a bandwidth broker). There the request is recognized as a request for bandwidth reservation. The User, or rather the applií cation acting on behalf of the real user, has the a priori knowlí edge which parameters are needed by the AAA Server to fulfill his request. Those parameters are added to theService requestinto thefor band- width that contains an objectServiceData, say: ServiceData.Bandwidth = 100, ServiceData.Source = "3", ServiceData.Destination = "4", ServiceData.StartTime = T, ServiceData.StopTime = T + 3600ServiceData. Asimple Driving Policy for this particular request at the AAA Server at location "2" may look like this: if ( reserveBandwidth(source = Request.Source, destination = Request.Destination, bandwidth = Request.Bandwidth, starttime = Request.StartTime, duration = (Request.StopTime - Request.StartTime)) A. Taal et al. Expires: June 2002 [Page 16] Internet Draft Grammar for Policies in Generic AAA November 2001 then ( Reply.Answer.Message = "Requestprecondition forbandwidth has been satisfied" ) else (...) The reservation ofthebandwidth is typically a taskFunctionCall to the appropriate ASM, might beperí formed by an ASM. Asthat thereservation ofrequested bandwidthbetween devicesis at least 10 and at most 100. Then acomplicated process, different errors can occur. However, the grammar allows a nested if-then-else structure by which the occurí rence of errors can be reduced, for instance by checking the preí conditions: if (Driving Policy may look like: if( existsRequest.BandwidthRequest.ServiceData.Bandwith &&Request.BandwidthRequest.ServiceData.Bandwidth >= 10 ) then (if ( Request.Bandwidthif( Request. ServiceData.Bandwidth <= 500 )then (...) else ( Reply.Answer.Messagethen(...) else(Reply.Answer.Message = "Requested bandwidth too large" ) )else (else( Reply.Answer.Message = "Requested bandwidth too small" )The grammar also allows Policies nested inside Conditions. There are advantages4. Data Objects anddisadvantages to this. Take for exampleMessage Types This section describes thefollowing Policy which tries to send a packet throughneed for afirewall if both firewall and packet are ready: if ( if ( firewallready() ) then ( openfirewall() ) else ( Reply.Answer.Message = "Firewall not ready" ) && if ( packetready() ) then ( sendpacket() ) else ( closefirewall(); Reply.Answer.Message = "Packet not ready" ) ) then ( closefirewall() ) else (...) Note the fact that the FunctionCall closefirewall() has to appear twice in this Policy, and the fact that the second sub-expression (where the packet is sent if it is ready) now has the responsibilí ityspecification ofclosingthefirewall if there is a problem. Now take this functionally equivalent Policy, where the nesting is done inside A. Taal et al. Expires: June 2002 [Page 17] Internet Draft Grammar for Policies in Generic AAA November 2001 Actions insteadmessage types and ofConditions: if ( firewallready() ) then ( openfirewall(); if ( packetready() ) then ( sendpacket() ) else ( Reply.Answer.Message = "Packet not ready" ); closefirewall() ) else ( Reply.Answer.Message = "Firewall not ready" ) If one wants to refer to an object tree returned by different Proí cedures it is not recommendedtop level objects touse these Proceduresbe carried in asingle Condition.future AAA protocol. Forexample: if ( X = Call1(...) && Y = Call2(...) ) then (...) else (...) In this example several Actions are required in the else-part to determine whether the Condition became false due to the left or right operandeach message type there should be a corresponding Driving Policy. Message types occur as a Request Reply couple. Such a list ofthe AND-expression. Only then it is clear which objects are available. Itmessage types should certainly contain: a) Service Request/Reply b) Authorization Request/Reply c) Authentication Request/Reply d) Policy Request/Reply e) Policy Evaluation Request/Reply For instance, a Policy Request isbettersent torewrite thisan AAA Server to obtain a remote policy. It would contain a data object, PolicyinReference. The corresponding Reply would contain a Policy data object. Once these message types and data object are defined, UML Use Cases can be defined, describing by which an AAA server may be used by one of thefollowing more deterministic way: if( X = Call1(...) ) then ( if( Y = Call2(...) ) then(...) else(...) ) else(...)AAA Actors. Asholds for any programming language, the writer has the responsií bility to express his policies inaclear way, such that at releí vant places in the Policy, annotationsresult pre- and postconditions can beadded aboutabstracted to guide thestateconstruction of theevaluation. 3.5.corresponding Driving Policies. 5. Example Policy In this section we present a Driving Policy to deal with an AAAA. Taal et al. Expires: June 2002 [Page 18] Internet Draft Grammar for Policies in Generic AAA November 2001Authenticationrequest [OBJMSG].request. A user issues an Authentication request containing the following objects: an Identity object and an AuthenticationDataobject [OBJMSG].object. The AAAServerserver recognizes the request A. Taal et al. Expires: September 2002 [Page 15] Internet Draft Grammar for Policies in Generic AAA March 2002 as an Authentication request and draws the corresponding Driving Policy from the PR. Assume, the AAAServerserver acts as a Key Distribution Center (KDC) for the Kerberos authentication protocol. The Kerberos protocol is comprised of threesub-protocols: a.subprotocols: a) Authentication Service Exchange; the client sends aKerí berosKerberos Authentication Service Request(KRB_AS_REQ) b.(KRB_AS_REQ ) b) Ticket-Granting Service Exchange; the client sends aKerí berosKerberos Ticket-Granting Service Request(KRB_TGS_REQ) c.(KRB_TGS_REQ ) c) Client/Server Exchange; the client sends the server aKerí berosKerberos Application Request (KRB_AP_REQ) The following policy might be a Driving Policy for an incoming Authentication request: if ( if( exists Request.AuthenticationData.Protocol.Name ) then() else ()else( Reply.Answer.Type =MISSING_DATA;MISSING_DATA , Reply.Answer.Message = "Missing Protocol.Name" ) && if( Request.AuthenticationData.Protocol.Name == "Kerberos" ) then( )else (else( Reply = Authentication@131.211.32.73( Identity =Request.Identity,Request.Identity , AuthenticationData = Request.AuthenticationData ))&& if( exists Request.AuthenticationData.Protocol.MsgType ) then() else ()else( Reply.Answer.Type =MISSING_DATA;MISSING_DATA , Reply.Answer.Message = "Missing Protocol.MsgType" ) && if( Request.AuthenticationData.Protocol.MsgType == KRB_AS_REQ )A. Taal et al. Expires: June 2002 [Page 19] Internet Draft Grammar for Policies in Generic AAA November 2001then( )else (else( Reply.Answer.Type =UNKNOWN_DATA;UNKNOWN_DATA , Reply.Answer.Message = "Unknown MsgType" ) ) then ( // Action 1 if ( exists Request.Identity.UserName && exists Request.AuthenticationData.ServerName && exists Request.AuthenticationData.PreAuthentication ) A. Taal et al. Expires: September 2002 [Page 16] Internet Draft Grammar for Policies in Generic AAA March 2002 then ( // Action 1.1 KRBReply = authenticate( username = Request.Identity.UserName, servername = Request.AuthenticationData.ServerName, preauthentication = Request.AuthenticationData.PreAuthentication);) ; // Action 1.2 Reply.Answer.AuthenticationData.SessionKey =KRBReply.SessionKey;KRBReply.SessionKey ; // Action 1.3 Reply.Answer.AuthenticationData.TGT = KRBReply.TGT )else (else( Reply.Answer.Type =MISSING_DATA;MISSING_DATA, Reply.Answer.Message = "AuthenticationData incomplete");) ; ... ) else ( ... ) In the above Driving Policy a Condition of four ANDed Policies is evaluated. Here we assume the following precondition: a proper AAA Authentication request containing an Identity object and anAuthení ticationData object, furthermore,AuthenticationData object. Furthermore, it is assumed that the last object contains a Protocol object.No additional assumptions are made aboutAbout the contents of theseobjects.objects no additional assumptions are made. The first literal of theA. Taal et al. Expires: June 2002 [Page 20] Internet Draft Grammar for Policies in Generic AAA November 2001Boolean expression (Condition), a Policy, checks if the Protocol object contains a variable called Name. If so the second literal will be evaluated because the then-part of the first literal has an empty ActionList. If not, the Actions in the else-part of the first literal are executed. These Actions add data to theReply object [OBJMSG],reply object, by setting the variables Type and Message of the object Answer. The first Action might be interpreted as assigning the variable Type to apredeí finedpredefined integer calledMISSING_DATA to the leaf node named Type of the Reply object.MISSING_DATA. In case the first literal is found to be false, the Condition is false and the Actions in the else-part of the Driving Policy are executed. The second literal has a reference to a remote policy (PolicyRef) as an Action. This Action is executed if the authentication protocol requested differs from the Kerberos protocol. It entails an AAARequestrequest issued to another AAA Server (131.211.32.73). Information about what kind of AAARequestrequest has to be send, is provided by the name-part of the PolicyRef, which equals one of the message types defined. Two arguments are passed to the policy reference, the Identity and the AuthenticationData object form the original request. The assignment indicates that the response from the remote reference becomes the reply to the request. Both remaining literals are similar to the first literal. One Action is given in the then-part of the Driving Policy. This Action is a Policy which Condition checks for the existence of some A. Taal et al. Expires: September 2002 [Page 17] Internet Draft Grammar for Policies in Generic AAA March 2002 variables (objects), like UserName, ServerName, andPreAuthenticaí tion.PreAuthentication. As this Action is a Policy, it has an ActionList of its own. Of the three Actions in this list, the first might be interpreted as a call to an ASM. The remaining Actions transport objects from the return tree to theReply. 3.6. Pushing Policies Pushing policies between AAA Servers might pose some problems. We've identified a couple of situations where it is not desirablereply. 6. Ponder policy language The language according topush policies: 1. Policies might contradict each other, possibly resultingthe presented grammar describes policies that can be implemented inunwanted behavior.for instance the Ponder policy language [PONDER]. Driving Policies should be implemented as obligation policies. In Ponder an obligation policy specifies thecase of pushed policiesactions that must be performed by managers within theproblem is more urgent than insystem when certain events occur. In the context of Driving Policies, an event is an AAA request issued by an user. In case oflocal policies coní tradicting each other (whicha nested Driving Policy, i.e. a Policy occurs as a literal in a Condition, or as an Action in an ActionList, a composite policy in Ponder should be used. The best choice is to use afault of the local adminisí trators). A pushedrole, a composite policydoesn'tin which all the policies haveknowledge aboutthelocal policies. 2.same subject. In our case the subject is an automated component called RBE. Apushed policy can contain `unwanted actions', resulting in a (possibly major) security risk. This can result inrole is also theserver wasting processing time, bandwidth and other resources, leaving itchoice if the Driving Policy is not nested, but has an non-empty ActionList insuchthe then-part. Take for instance the following Driving Policy: if( Query = getPassWord( userid = Request.UserID ) && Request.PassW = Query.PassW ) then( action11( ) ; action12( ) ) else( action21( ) ; action22( ) ) In Ponder this may look like: type role authentication( Request req, Reply rep, Domain T ) { inst oblig authentication1 { on authentication_request( ); target T->select( t0, t11, t12 | true ); do t12.action11( )->t2.action12( ); when req.PassW = t0.getPassW( req.UserID ); } oblig authentication2 { on authentication_request( ); target T->select( t0, t21, t22 | true ); do t21.action21( )->t22.action22( ); when req.PassW <> t0.getPassW( req.UserID ); } } inst role astate that it can't process other requests.= authentication( /Request, /Reply, . . . ) @ /RBE A. Taal et al. Expires:JuneSeptember 2002 [Page21]18] Internet Draft Grammar for Policies in Generic AAANovember 2001 3. An AAA Server might run on a machine with limited computí ing power and/or bandwidth The machine could easily be swamped when policies are pushed from other machines. That said,March 2002 In general apolicynested Driving Policy can always bepushed by storing itwritten as a set of simple Policies, i.e. a non-nested Policy with an empty ActionList in the then-part. For example, aRequest object.Policy as a literal: if( Aspecial message type should be used&& if( B ) then( b11 ) else( b21 ) ) then( a11 ) else( a22 ) is equivalent toindicatethe following set of Policies: 1) if( A && B ) then( b11 ; a11 ) 2) if( A && !B ) then( b21 ; a21 ) 3) if( !A ) then( a21 ) Here it is assumed that the evaluation of apushed policy hasCondition is stopped as soon its truth-value is determined. Therefore, if A turns out to beprocessed. The Driving Policy for this request can decide whether the pushed policyfalse, B isaccepted or not. If it is, the object containingnot evaluated. Each of thepushed policy couldsimple Policies can bepassed toimplemented as aspecial FunctionCall which in turn extracts the policy and feeds it to theseparate obligation policyevaluation mechanism of the AAA Server. This way, no special provisions are neededinthe policy language itself to allow pushed policies.a role, as outlined above. A. Taal et al. Expires: September 2002 [Page 19] Internet Draft Grammar for Policies in Generic AAA March 2002 References [RFC2903] C. de Laat, L. Gommans, G. Gross, D. Spence and J.VollíVoll- brecht, "Generic AAA Architecture", RFC 2903, August 2000[OBJMSG] D. Spence, "Data Objects and Message Types in the Generic AAA Architecture", draft-spence-aaaarch-objmsg-00.txt, January 2001 [AAAGEN] C. de Laat, J. Vollbrecht and D. Spence, "Structure of a Generic AAA Server", draft-irtf-aaaarch-generic-struct-00.txt, February 2001 [AAAPOL] J. Salowey, G. Sliepen, A. Taal and D. Spence, "Policies in AAA", draft-irtf-aaaarch-aaa-pol-01.txt, February 2001[PONDER] http://www-dse.doc.ic.ac.uk/research/policies/ponder.html Authors' Addresses Arie Taal Faculty of Science, InformaticsInstituteInstitute, University of Amsterdam Kruislaan 403 1098 SJ Amsterdam The Netherlands Phone: +31 20 5257590 Fax: +31 20 5257490 Email: taal@science.uva.nl Guus Sliepen Physics and Astronomy department Utrecht UniversityA. Taal et al. Expires: June 2002 [Page 22] Internet Draft Grammar for Policies in Generic AAA November 2001Princetonplein 5 3584 CC Utrecht The Netherlands Phone: +31 30 2537724 Fax: +31 30 2537555 Email: G.Sliepen@phys.uu.nlArmijn Hemel Institute of Information and Computing Sciences Utrecht University Padualaan 14 3584 CH Utrecht The Netherlands Email: aehemel@cs.uu.nlCees de Laat Faculty of Science, InformaticsInstituteInstitute, University of Amsterdam Kruislaan 403 1098 SJ Amsterdam The Netherlands Phone: +31 20 5257590 Fax: +31 20 5257490 Email: delaat@science.uva.nl A. Taal et al. Expires:JuneSeptember 2002 [Page23]20] ----