Policy Provisioning System Architecture in Broadband convergence Network
TaeHyun Kwon, Eun-Young Cho, Byungjoon Lee, InSang Choi, Seung-Hyun Yoon, Hyung-Seok Chung, and YouHyeon Jeong
Network Research Department, ETRI
{thkwon, eycho, bjlee, ischoi, shpyoon, chunghs, yhjeong}@etri.re.kr
Abstract - A network administrator needs simple and consistent policy management to reduce OPEX/CAPEX and the potential for error in manual operations. In our system, a minimum-click provisioning function reduces provisioning overhead and supports emergency control with high reliability. This paper shows how customers are served by a bulk provisioning capability that applies to networks with thousands of routers. The architecture of the policy provisioning system is introduced to give reliable and efficient provisioning of QoS profiles and emergency control in the Broadband convergence Network.
Keywords - Policy Provisioning System, Policy Management, Bulk Provision, BcN (Broadband convergence Network)
1. Introduction
Information technology is used in communication, electronic appliances, finance, medicine, shipping, aviation, robotics and national defense, and its importance continues to grow. It is therefore essential to build a Broadband convergence Network (BcN) based on flow-aware Quality of Service (QoS) routers [1] and to provide efficient and consistent dynamic resource management: traffic QoS profile management, emergency control, Virtual Private Network (VPN) [2] management and policy control. An efficient policy-applying structure that cooperates with the other systems making up the BcN can be built by providing northbound and southbound interfaces that observe and control the status of network resources according to predefined policy. In this paper, we introduce a high-performance policy provisioning system which makes policy enforcement more convenient and supports interoperation between diverse protocols such as the Simple Network Management Protocol (SNMP) [3], the Command Line Interface (CLI), the Simple Object Access Protocol (SOAP) [4] and the eXtensible Markup Language (XML) [5] in a network composed of thousands of nodes.
2. Design of Policy Provisioning System Architecture
The Policy Provisioning System (POPS) provides an integrated network control/provisioning function, a unified policy provisioning function between the Operation Support System (OSS)/Network Management System (NMS) and other systems, and an emergency security control function. Its design is based on rapid setup, reliability, user convenience and cost effectiveness.
2.1 Functional Requirements
The POPS consists of a network QoS profile management function, a selective network VPN management function, an emergency control function and a User Interface (UI) function, and it cooperates with the unified wired-wireless authentication system, the Service Quality Manager (SQM), the NMS/Element Management System (EMS) and the Network Element (NE) system. The POPS should provide policy management and control, an information protection scheme, and a real-time threat detection and protection scheme that works together with the EMS/NMS, the Authentication, Authorization and Accounting (AAA) server, the Business Service Platform-Network Control Platform (BSP-NCP) and the SQM. QoS management, VPN management and emergency control in a BcN network require availability, performance, flexibility, security and user convenience, so the POPS should provide a unified policy management function by linking the managed system with the authentication server, the SQM and the NMS. This requires database management, policy enforcement, retrieval and synchronization across several network element systems so that all components are managed in a unified way, as shown in Figure 1.
ISBN 978-89-5519-139-4
Figure 1. Interoperation and Profile Provisioning (when a service is added, the access user profile is enforced concurrently). AAA: Authentication, Authorization, and Accounting; BSP: Business Service Platform; NCP: Network Control Platform; SQM: Service Quality Manager
Feb. 15-18, 2009 ICACT 2009
2.2 Quality Attributes
The POPS requires five quality attributes: availability, performance, flexibility, security and usability. First, availability is the most important property of a communication system in general; the POPS should keep high availability and high survivability through duplexing and triplexing. Second, for performance, provisioning should be completed within a few minutes for thousands of routers. Third, for flexibility, the POPS should cope with out-of-control situations caused by node failure, allow enforce/withdraw per node or per profile, and manage the related information. Fourth, for security, each user should be classified by security level, and operation information should be recorded and managed per level. Lastly, from the user's point of view, the POPS should provide minimum-click operation for ID and profile creation/modification/deletion, rapidly and easily; emergency control should likewise be handled quickly. The structure and UI of the POPS are designed to meet these properties. Figure 2 shows the process structure of the POPS, designed with performance and flexibility in mind. Interacting with a large number of systems through CLI requires a group management scheme; a well-associated physical structure and logical grouping meet both the user's requirements and the performance target. Each adapter is deployed in a distributed way for operational convenience and for rapid, consistent policy enforcement.
Figure 2. Process Structure
3. Design of POPS Main Functions
POPS provides QoS management, VPN management and emergency control functions in BcN. The QoS management function provides QoS profile management and provisioning. The VPN Management Function (VMF) controls VPN configuration information and the related Label Switched Path (LSP) information. The Emergency Control (EC) function provides emergency provisioning management for abnormal traffic control; it therefore supports urgent modification and recovery of a specific user's access level and user profile information. It also provides retrieval and protection of access status and keeps a record of profile retrieval and modification.
3.1 QoS Management Function
The QoS Management Function (QMF) is applied to the access network and to the core network respectively, as shown in Figure 3. To guarantee QoS, the network nodes and the QMF provide the following functions. The access router is a Service Edge Router (SER) which performs the Broadband Remote Access Server (BRAS) function and supports policy-based user access control. For policy-based user access control, the QMF provides access service policy management and provisioning, and per-user access profile provisioning. The edge router, a flow-based router located in the core network, performs detailed per-flow QoS control for traffic entering or leaving the core network. For per-flow QoS control, the QMF provides QoS profile management and provisioning to guarantee the minimal bandwidth of fixed-IP users, QoS profile management and provisioning per user grade or service grade, and DFI/DPI profile management and provisioning. The QMF also provides DiffServ [6] profile management and provisioning so that the core router can guarantee transit service QoS through DiffServ-based Class of Service (CoS).
Figure 3. QMF Function for Network Node
3.2 VPN Management Function
POPS provides a VPN Management Function (VMF) which manages network VPN configuration information and the associated LSP information. The function is optional and is composed of eight blocks. The VPN/LSP management block exports management functionality, including VPN/LSP creation/retrieval/update/deletion. The VPN/LSP repository block provides persistent storage for VPN/LSP information. The node info repository manages node information used for LSP creation; this block interacts with an external system to gather node information and can optionally be configured to collect it from the network by itself. The User Interface Function (UIF) queries the repository to select the nodes needed for an LSP creation, and the information of the selected nodes is passed to the LSP manager, which is in charge of creating the requested LSP. The Configuration Adapter block enforces network device configuration on the devices and withdraws configuration from them. Because the actual configuration format and the syntax of CLI commands vary by device type, this block delegates enforce/withdraw to device-specific adapter blocks such as the BSP10 adapter and the S240 adapter, which handle the actual interoperation procedures with BSP10 or S240 devices. We chose to deploy these blocks as a separate system, called the Provisioning Agent, to obtain reasonable performance, reliability and scalability. Figure 4 shows the sequence diagram in which the VMF verifies the consistency between an LSP and the actual configuration enforced on the devices.
Figure 4. VMF sequence for checking consistency between an LSP and the enforced device configuration (request check; retrieve info; optionally, check if no previous error; profile enforce; process check action; mark)
3.4 Usability Function
The strength of POPS is that users can provision policy profiles with ease and enforce the profiles on a large-scale network quickly. The user interface function of POPS is therefore also designed for maximum efficiency and performance: UI components are arranged to enable minimum-click configuration. Policy provisioning is done by selecting a set of predefined templates and filling them in. The provisioned policies are enforced on network devices concurrently on user request. Users can query the result of enforcement easily, and summary information about the result is also provided so that network administrators can diagnose problems effectively. We also provide quick links for the most frequently accessed functions.
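As an added illustration of the adapter-based enforce/withdraw and the LSP-versus-device consistency check of 3.2, together with the template-driven concurrent enforcement and result summary of 3.4 (and the per-level authorization record asked for in 2.2), the following is example code written for this page, not the ETRI POPS implementation. The BSP10 and S240 CLI dialects, the LSP template fields, the two-level security scheme and the in-memory device stand-ins are all assumptions made for illustration.

```python
# Added example, not the POPS/ETRI code. Device CLI syntaxes, adapter names,
# the LSP template, the security levels and the Device stand-in are assumptions.
from concurrent.futures import ThreadPoolExecutor
from dataclasses import dataclass

ENFORCE_LEVEL = 2  # assumed: level needed to enforce/withdraw; level 1 may only retrieve
LSP_TEMPLATE = {"name": None, "src": None, "dst": None, "bandwidth_kbps": None}
AUDIT = []  # (operator, level, action, target, outcome): the per-level operation record of 2.2


@dataclass
class Operator:
    name: str
    level: int


class Device:
    """In-memory stand-in for a router: keeps the CLI lines last enforced per LSP."""
    def __init__(self, name, kind, fail=False):
        self.name, self.kind, self.fail = name, kind, fail
        self.running = {}  # lsp name -> list of CLI lines currently configured

    def apply(self, lsp_name, lines):
        if self.fail:  # simulated unreachable node (constructed failure)
            raise RuntimeError(f"{self.name}: CLI session timed out")
        self.running[lsp_name] = list(lines)

    def remove(self, lsp_name):
        self.running.pop(lsp_name, None)


class BSP10Adapter:
    """Renders and parses an assumed two-line BSP10-style CLI dialect."""
    kind = "BSP10"

    def render(self, lsp):
        return [f"mpls lsp {lsp['name']} from {lsp['src']} to {lsp['dst']}",
                f" bandwidth {lsp['bandwidth_kbps']}"]

    def parse(self, lines):
        head, bw = lines[0].split(), lines[1].split()
        return {"name": head[2], "src": head[4], "dst": head[6], "bandwidth_kbps": int(bw[1])}


class S240Adapter:
    """Renders and parses an assumed single-line S240-style CLI dialect."""
    kind = "S240"

    def render(self, lsp):
        return [f"set mpls path {lsp['name']} src {lsp['src']} dst {lsp['dst']} bw {lsp['bandwidth_kbps']}"]

    def parse(self, lines):
        t = lines[0].split()
        return {"name": t[3], "src": t[5], "dst": t[7], "bandwidth_kbps": int(t[9])}


ADAPTERS = {a.kind: a for a in (BSP10Adapter(), S240Adapter())}


def _authorize(op, action, target):
    """Security-level check; every denial is recorded like any other operation."""
    if op.level < ENFORCE_LEVEL:
        AUDIT.append((op.name, op.level, action, target, "denied"))
        raise PermissionError(f"{op.name} (level {op.level}) may not {action}")


def fill_template(template, **values):
    """Template-driven provisioning (3.4): refuse a profile with unfilled fields."""
    missing = [k for k in template if k not in values]
    if missing:
        raise ValueError(f"unfilled template fields: {missing}")
    return {k: values[k] for k in template}


def enforce(op, lsp, device):
    _authorize(op, "enforce", device.name)
    try:
        device.apply(lsp["name"], ADAPTERS[device.kind].render(lsp))
    except Exception as e:
        AUDIT.append((op.name, op.level, "enforce", device.name, f"failed: {e}"))
        raise
    AUDIT.append((op.name, op.level, "enforce", device.name, "ok"))


def withdraw(op, lsp_name, device):
    _authorize(op, "withdraw", device.name)
    device.remove(lsp_name)
    AUDIT.append((op.name, op.level, "withdraw", device.name, "ok"))


def check_consistency(lsp, device):
    """Figure 4 step: compare the LSP record with what the device actually runs.
    Returns the mismatched field names, or ['missing'] if nothing is configured."""
    lines = device.running.get(lsp["name"])
    if lines is None:
        return ["missing"]
    actual = ADAPTERS[device.kind].parse(lines)
    return sorted(k for k in lsp if actual.get(k) != lsp[k])


def bulk_enforce(op, lsp, devices, workers=8):
    """Concurrent enforcement on many nodes with a per-device summary for diagnosis."""
    _authorize(op, "bulk enforce", ",".join(d.name for d in devices))
    summary = {"ok": [], "failed": {}}

    def one(d):
        try:
            enforce(op, lsp, d)
            return d.name, None
        except Exception as e:
            return d.name, str(e)

    with ThreadPoolExecutor(max_workers=workers) as ex:
        for name, err in ex.map(one, devices):  # map keeps input order
            if err:
                summary["failed"][name] = err
            else:
                summary["ok"].append(name)
    return summary
```

The consistency check parses the device's running lines back through the same adapter that rendered them, so drift introduced out of band (for example a bandwidth changed by hand on the router) shows up as a named field rather than a line-level diff, which is what an operator needs when thousands of nodes are being compared.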