8.4.4.1 SLS Monitoring Description
SLS Monitoring takes its input from the SLS repository and acts as a client to Ingress/Egress Monitoring and Network Monitoring. SLS Monitoring must keep track of compliance with customer SLSs by analysing the performance values provided by the Network Monitoring and Ingress/Egress Monitoring entities. SLS Monitoring gathers and combines the information for several uni-directional SLSs to derive the overall service report for the customer. SLS Monitoring focuses on network-layer metric information such as one-way delay, IPDV, packet loss ratio and throughput. Apart from giving an overall view of the above parameters, the monitoring framework includes link and device availability and accounting information.
[Figure: monitoring points along the network path between A and B. Not reproduced in this extraction; recoverable labels: NM: Node Monitor, I/EM: Ingress/Egress Monitor; Node Monitors are placed on the Ingress/Egress Network Elements and on the Core Network Elements, Ingress/Egress Monitors on the Ingress/Egress Network Elements; the path runs from the Access Edge through the Core Edge, with endpoints A and B.]
The Network Monitoring provides the end-to-end performance view for SLS Monitoring. It is also essential for SLS Monitoring to use the edge node statistics via Ingress/Egress Monitoring. The customer traffic is regulated at the Ingress point where the user offered load and service usage time can be measured. At the egress point, one can observe if the performance (e.g., throughput) is being provided in the manner expected and agreed upon.
Monitoring every customer SLS is scalable and feasible provided that aggregate network performance metrics are used, combined with per-SLS Ingress/Egress metrics. The monitoring process can be categorised by the QoS/CoS profile of the offered services (mainly PHBs) and by the scope of the services (Ingress and Egress points). Network Monitoring instructs Node Monitoring to measure the performance parameters and then builds a network view for each specified category. Network Monitoring collects a network-wide view of the paths, for every PHB along those paths, and deduces an end-to-end performance view. SLS Monitoring uses this information to build a view of the services offered to the customers. This is explained in more detail in the following sections.
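The paragraph above leaves open how Network Monitoring turns Node Monitor readings into an end-to-end view per PHB and scope. The following is an added example, not code from the TEQUILA deliverable: it composes per-hop readings along a path into one figure per metric. The composition rules (delay and IPDV added along the path, loss and availability combined multiplicatively), the topology and every reading are assumptions or constructed sample data.

```python
"""End-to-end performance view per PHB and scope, composed from Node Monitor
readings along a path.

Added example, not code from the TEQUILA deliverable. The composition rules
(delay and IPDV added along the path, loss and availability combined
multiplicatively), the topology and all readings are assumptions or
constructed data; the document leaves the method to Network Monitoring.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple

Scope = Tuple[str, str]  # (ingress node, egress node)


@dataclass(frozen=True)
class HopMetrics:
    """What a Node Monitor (NM) reports for one PHB at one node (constructed)."""
    node: str
    delay_ms: float       # one-way delay contributed by this hop
    ipdv_ms: float        # delay variation contributed by this hop
    loss_ratio: float     # fraction of packets dropped at this hop, 0..1
    availability: float   # fraction of the period the hop was up, 0..1


# Constructed topology: the A-B path of the text crosses two core nodes.
PATHS: Dict[Scope, List[str]] = {
    ("A", "B"): ["A", "C1", "C2", "B"],
    ("B", "A"): ["B", "C2", "C1", "A"],
}

# Constructed Node Monitor readings, keyed by PHB then node.
NODE_READINGS: Dict[str, Dict[str, HopMetrics]] = {
    "EF": {
        "A":  HopMetrics("A", 1.0, 0.2, 0.0000, 1.000),
        "C1": HopMetrics("C1", 4.0, 0.5, 0.0001, 0.999),
        "C2": HopMetrics("C2", 5.0, 0.6, 0.0002, 0.998),
        "B":  HopMetrics("B", 1.0, 0.2, 0.0000, 1.000),
    },
    "AF": {
        "A":  HopMetrics("A", 2.0, 1.0, 0.001, 1.000),
        "C1": HopMetrics("C1", 9.0, 3.0, 0.005, 0.999),
        "C2": HopMetrics("C2", 11.0, 4.0, 0.004, 0.998),
        "B":  HopMetrics("B", 2.0, 1.0, 0.001, 1.000),
    },
}


def compose_path(hops: List[HopMetrics]) -> Dict[str, float]:
    """Combine per-hop readings into one end-to-end figure per metric."""
    if not hops:
        raise ValueError("a path needs at least one hop")
    delivered = 1.0   # probability a packet survives every hop
    up = 1.0          # probability every hop is available
    for h in hops:
        delivered *= 1.0 - h.loss_ratio
        up *= h.availability
    return {
        "delay_ms": round(sum(h.delay_ms for h in hops), 3),
        "ipdv_ms": round(sum(h.ipdv_ms for h in hops), 3),
        "loss_ratio": round(1.0 - delivered, 6),
        "availability": round(up, 6),
    }


def network_view(paths: Dict[Scope, List[str]],
                 readings: Dict[str, Dict[str, HopMetrics]]
                 ) -> Dict[Tuple[Scope, str], Dict[str, float]]:
    """Network Monitoring output: end-to-end metrics keyed by (scope, PHB).

    A node without a reading for a PHB is an error rather than a silently
    skipped hop, so a gap in measurement cannot look like good performance.
    """
    view: Dict[Tuple[Scope, str], Dict[str, float]] = {}
    for scope, nodes in paths.items():
        for phb, per_node in readings.items():
            missing = [n for n in nodes if n not in per_node]
            if missing:
                raise KeyError(f"no {phb} reading for nodes {missing} on {scope}")
            view[(scope, phb)] = compose_path([per_node[n] for n in nodes])
    return view


if __name__ == "__main__":
    for (scope, phb), metrics in sorted(network_view(PATHS, NODE_READINGS).items()):
        print(f"{scope[0]}->{scope[1]} {phb}: {metrics}")
```

The per-(scope, PHB) dictionary this produces is exactly the shape the SLS Monitoring components described in the next sections consume: one row per PHB for each Ingress/Egress pair, with a missing node reading surfacing as an error instead of an optimistic end-to-end value.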
8.4.4.2 Functional Architecture
The SLS Monitoring functional architecture and its components are given in Figure 1. The function of each block is explained in the next section. Arrows show the flow direction of messages or signals among SLS Monitoring components, and between SLS Monitoring components and external Functional Blocks. The circled numbers show the sequence order of the information flow.
Figure 64: SLS Monitoring Components and Sequence of Actions. [Figure not reproduced in this extraction. Recoverable content: the SLS Monitoring components are the Performance Data Initiator/Collector (Initiation, Collection), the Performance Data Aggregator, the SLS Manager (Check SL values against SLS), the Report Generator (Customer Report, Management Report) and the SLS Monitoring Repository (SL values per customer). The external functional blocks are Admission Control, SLS Subscription & SLS Repository, Ingress/Egress Monitoring, Network Monitoring and Traffic Forecast; two flows are labelled "Action to be taken". Circled numbers 1 to 11 give the sequence of flows; the annotations legible in the extraction are: (1) Customer SLS & other relevant data are passed; (2) Customer SLS & uni-directional SLSs are used for keeping track of the Customer SLS and creating Service-Scope Tables; (3) SLS Monitoring is always active and this trigger is used to initiate the monitoring action for new Services & Scopes.]
8.4.4.3 Functions of Components
SLS Monitoring takes its input from the SLS repository (both the customer SLS and the resulting uni-directional SLSs). The monitoring action is triggered when a new SLS is activated by Admission Control, or when SLS Subscription activates an SLS on behalf of the customer. The monitoring action is stopped for the services and scopes that are no longer used. The SLS Monitoring components, shown in Figure 2, and their actions are specified below.
• Performance and traffic data related to PHBs and scopes are collected from Network Monitoring or from Ingress/Egress Monitoring. The data collection is performed by the "Performance Data Initiator/Collector".
• The "Performance Data Initiator/Collector" also receives accounting information, such as user offered load, usage time and received throughput, from the Ingress/Egress Monitoring entities on the ingress and egress nodes.
• Performance data and other related data, such as faults and link and device availability, are used to compute Service Level values based on service types and scopes, and subsequently to deduce customer SL values as the customer SLS indicators. These actions are performed by the "Performance Data Aggregator" (PDA). The PDA constructs Service Level Tables (see section 2.3.1) and also initiates the monitoring action for new services and scopes if required.
• The "SLS Manager" keeps track of the measured SL values. Customer SLS indicators are checked against the contractual SLS values for each specific customer, in order to confirm SLS conformance or to detect any violations.
• The "Report Generator" provides the necessary reports both to the customer and to Management by:
  • Providing reports with enough information for the customer to see that the services were being provided in the manner expected and agreed upon. That is, customer SLS indicators and the results of the SLS checks are reported to the customers.
  • Producing regular and detailed reports to inform Management about the status of the SLSs, and stating the problem areas that are causing an SLS not to be met. This information may include the network performance, service level and customer SLS indicators that Management requires for follow-up on service activity and possible corrective actions.
• The SLS Manager provides the Traffic Forecast entity with the current network behaviour in terms of SLS commitments, and with appropriate traffic matrices, in order to adjust any irregularities if some customers do not get the expected service.
• The "SLS Monitoring Repository" is used to keep the observed customer SLS indicators.
8.4.4.4 Example - SLS Monitoring Based on Service Types and Scopes
As an example, two service types are requested and offered along the A - B path (i.e., service type 1.a and service type 2). All customers who use these services and this path are affected by the traffic conditions along the path. A customer requests a service of type 1.a (VLL Pipe service between A and B). Two uni-directional SLSs are constructed for this VPN by the SLS Subscription entity. The PDA constructs Table 1 and Table 2, which specify the observed Service Level values along the paths A to B and B to A. The information in these tables can be used for any other customer who uses these services and scopes. These SL values (Tables 1 & 2) are used by the PDA to construct Table 3 and deduce the customer SLS indicator.
Scope 1: Ingress A to Egress B

                      Service 1.a (PHB-EF)    Service 2 (PHB-AF)
  Delay               value                   value
  IPDV                value                   value
  Packet loss ratio
  Availability
  Other

Table 1: Service Level values for Scope 1.

Scope 2: Ingress B to Egress A

                      Service 1.a (PHB-EF)    Service 2 (PHB-AF)
  Delay               value                   value
  IPDV                value                   value
  Packet loss ratio
  Availability
  Other

Table 2: Service Level values for Scope 2.

Scope: Pipe VPN between A and B

                      Service 1.a
  Delay               value
  IPDV                value
  Packet loss ratio
  Availability
  Other
  Usage Time          xx:xx

Table 3: Service Level values for a Pipe VPN customer using service type 1.a.
It should be noted that more intelligent decisions have to be made by the PDA for services (e.g., VPN Hose and Pipe) in which many ingress and egress points are involved.
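The component descriptions in 8.4.4.3 and the Pipe VPN example above fit together as one processing chain: the PDA holds Tables 1 and 2, derives the Table 3 row for the customer, the SLS Manager checks that row against the contracted SLS, and the Report Generator produces the customer and management reports. The following is an added example of that chain, not code from the TEQUILA deliverable. The rule used to turn the two uni-directional rows into one customer indicator (worst case per metric across the two directions, availability as the product of both directions) is an assumption, since the document leaves the PDA's combination rule open; the contracted bounds and all measured values are constructed.

```python
"""PDA tables, customer SLS indicator, SLS Manager check and reports for the
Pipe VPN example.

Added example, not code from the TEQUILA deliverable. The rule that turns the
two uni-directional SL rows (Tables 1 and 2) into the customer indicator
(Table 3) is an assumption: worst case per metric across the two directions,
availability as the product of both directions. Contracted SLS bounds and all
measured values are constructed.
"""
from dataclasses import dataclass, asdict
from typing import Dict, List, Sequence, Tuple

Scope = Tuple[str, str]  # (ingress node, egress node)


@dataclass(frozen=True)
class SLValues:
    """One row of a Service Level Table."""
    delay_ms: float
    ipdv_ms: float
    loss_ratio: float
    availability: float


@dataclass(frozen=True)
class SLSBounds:
    """Contractual values from the customer SLS (constructed)."""
    max_delay_ms: float
    max_ipdv_ms: float
    max_loss_ratio: float
    min_availability: float


# Tables 1 and 2 as the PDA holds them: scope -> service type -> SL values.
SERVICE_LEVEL_TABLES: Dict[Scope, Dict[str, SLValues]] = {
    ("A", "B"): {"1.a": SLValues(11.0, 1.5, 0.0003, 0.997),
                 "2":   SLValues(24.0, 9.0, 0.0110, 0.997)},
    ("B", "A"): {"1.a": SLValues(12.0, 1.8, 0.0004, 0.996),
                 "2":   SLValues(26.0, 8.5, 0.0120, 0.996)},
}

# Contracted SLS for the Pipe VPN customer using service type 1.a (constructed).
PIPE_SLS = SLSBounds(max_delay_ms=15.0, max_ipdv_ms=2.0,
                     max_loss_ratio=0.0005, min_availability=0.995)


def customer_indicator(tables: Dict[Scope, Dict[str, SLValues]],
                       scopes: Sequence[Scope], service: str) -> SLValues:
    """PDA step: derive the Table 3 row from the uni-directional SL rows."""
    rows = [tables[s][service] for s in scopes]
    up = 1.0
    for r in rows:
        up *= r.availability          # pipe is up only if both directions are
    return SLValues(
        delay_ms=max(r.delay_ms for r in rows),
        ipdv_ms=max(r.ipdv_ms for r in rows),
        loss_ratio=max(r.loss_ratio for r in rows),
        availability=round(up, 6),
    )


def check_sls(indicator: SLValues, bounds: SLSBounds) -> List[str]:
    """SLS Manager step: list the contracted parameters that are violated."""
    violations: List[str] = []
    if indicator.delay_ms > bounds.max_delay_ms:
        violations.append("delay")
    if indicator.ipdv_ms > bounds.max_ipdv_ms:
        violations.append("ipdv")
    if indicator.loss_ratio > bounds.max_loss_ratio:
        violations.append("packet_loss")
    if indicator.availability < bounds.min_availability:
        violations.append("availability")
    return violations


def build_reports(customer: str, service: str, scopes: Sequence[Scope],
                  tables: Dict[Scope, Dict[str, SLValues]],
                  indicator: SLValues, violations: List[str]):
    """Report Generator step: the customer report and the management report."""
    customer_report = {
        "customer": customer,
        "service": service,
        "indicator": asdict(indicator),
        "conformant": not violations,
        "violated": list(violations),
    }
    # Management also gets the per-scope rows, so the direction causing a
    # problem can be followed up.
    management_report = {
        "customer": customer,
        "problem_areas": list(violations),
        "per_scope": {f"{s[0]}->{s[1]}": asdict(tables[s][service]) for s in scopes},
    }
    return customer_report, management_report


def monitor_pipe_customer(customer: str = "cust-42", service: str = "1.a",
                          scopes: Sequence[Scope] = (("A", "B"), ("B", "A")),
                          tables=SERVICE_LEVEL_TABLES, bounds: SLSBounds = PIPE_SLS):
    """Run the PDA -> SLS Manager -> Report Generator chain once."""
    indicator = customer_indicator(tables, scopes, service)
    violations = check_sls(indicator, bounds)
    return build_reports(customer, service, scopes, tables, indicator, violations)


if __name__ == "__main__":
    cust, mgmt = monitor_pipe_customer()
    print("customer report:", cust)
    print("management report:", mgmt)
```

With the constructed values, each direction is individually above the 0.995 availability bound, but the pipe as a whole (0.997 x 0.996) is not, so the customer report shows non-conformance and the management report names availability as the problem area together with the two per-direction rows behind it.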
10 ACRONYMS AND ABBREVIATIONS
AAA Authentication, Authorisation and Accounting (IETF WG)
AC Admission Control
ADSL Asymmetric Digital Subscriber Line
AF Assured Forwarding
AFG Assured Forwarding Group
API Application Programming Interface
ARP Address Resolution Protocol
ARPANET Advanced Research Projects Agency Network
AS Autonomous System
ATM Asynchronous Transfer Mode
ATMARP ATM ARP
AVP Active Virtual Pipe
BA Behaviour-Aggregate
BAN Boundary Access Node
BB Bandwidth Broker
BCIT British Columbia Institute of Technology
BD Bandwidth Distribution
BE Best Effort
BGP Border Gateway Protocol
BRI Basic Rate Interface
CAC Connection Admission Control
CAR Committed Access Rate
CBQ Class Based Queuing
CBR Constant Bit Rate
CBWFQ Class-Based Weighted Fair Queuing
CIM Common Information Model
CL Connectionless
CLI Command Line Interface
CLIP Classical IP over ATM
CMIP Common Management Information Protocol
CMIS Common Management Information Service
CO Connection Oriented
COPS Common Open Policy Service
CORBA Common Object Request Broker Architecture
CoS Class of Service
CPE Customer Premises Equipment
CPN Customer Premises Network
CPU Central Processing Unit
CR Constraint-Based Routing
CRC Cyclic Redundancy Check
CR-LDP Constraint-Based Routing using LDP
DBMS Database Management System
DNS Domain Name System
DrSM Dynamic Resource Management
DRtM Dynamic Route Management
DS Differentiated Services
DSC Differentiated Services Classifier
DSCP Differentiated Services Code Point
DSR Differentiated Services Router (model)
DTD Document Type Definition
E2E End to End
eBGP Exterior Border Gateway Protocol
ECMP Equal Cost Multi-Path
ECN Explicit Congestion Notification
EF Expedited Forwarding
EGP Exterior Gateway Protocol
EIGRP Enhanced Interior Gateway Routing Protocol
FB Functional Block
FIB Forwarding Information Base
FIFO First In First Out
FM Functional Model
FQ Fair Queuing
FSM Finite State Machine
FTP File Transfer Protocol
GoS Grade of Service
GTS Generic Traffic Shaping
GUI Graphical User Interface
HDLC High-Level Data Link Control
HTML Hypertext Markup Language
HTTP Hypertext Transfer Protocol
iBGP Interior Border Gateway Protocol
I-D Internet Draft
IETF Internet Engineering Task Force
IGMP Internet Group Management Protocol
IGP Interior Gateway Protocol
IGRP Interior Gateway Routing Protocol
ISSLL Integrated Services Support over different Link Layers (IETF WG)
IP Internet Protocol
IPPM IP Performance Metrics
IPSec IP Security Protocol
IS Integrated Services
ISDN Integrated Services Digital Network
ISP Internet Service Provider
L3 Layer 3 (IP)
LAN Local Area Network
LANE LAN Emulation
LDAP Lightweight Data Access Protocol
LDP Label Distribution Protocol
LER Label Edge Router
LSA Link State Advertisement
LSDB Link State Data Base
LSP Label Switched Path
LSR Label Switched Router
MAC Media Access Control
MAN Metropolitan Area Network
MDT Mean Down Time (per year)
MF Multi-Field
MIB Management Information Base
MPLS Multi-Protocol Label Switching
MSC Message Sequence Chart
MTU Maximum Transfer Unit
NAT Network Address Translator
NE Network Element
NFS Network File System
NIC Network Interface Card
NM Network Management
NN Network Node
NP Network Planning
NRM Network Resource Monitoring
NW Network
OAM Operations, Administration and Maintenance
OMP Optimised Multi-Path
OO Object Oriented
ORB Object Request Broker
OSPF Open Shortest Path First
PCI Protocol Control Information
PDP Policy Decision Point
PDU Protocol Data Unit
PE Provider Edge
PEP Policy Enforcement Point
PFQ Packet Fair Queuing
PHB Per Hop Behaviour
PIB Policy Information Base
PPP Point-to-Point Protocol
PQ Priority Queuing
PS Premium Service
PVC Permanent Virtual Channel
QoS Quality of Service
RADIUS Remote Authentication Dial-In User Service
RAR Resource Allocation Request
RDBMS Relational Database Management System
RED Random Early Detection
RIB Routing Information Base
RIO Random Early Drop with In/Out bit
RIP Routing Information Protocol
RPC Remote Procedure Call
RSVP Resource Reservation Protocol
RT Real Time
SBM Subnet Bandwidth Manager/Solaris Bandwidth Manager
SDH Synchronous Digital Hierarchy
SDL Specification and Description Language
SFQ Stochastic Fair Queuing
SLA Service Level Agreement
SLIP Serial Line Internet Protocol
SLS Service Level Specification
SNA System Network Architecture
SNMP Simple Network Management Protocol
SoA State of the Art
SONET Synchronous Optical Network
SPF Shortest Path First
SQL Structured Query Language
SSL Secure Sockets Layer
STM Synchronous Transfer Mode
SVC Switched Virtual Channel
TC Traffic Conditioning
TCP Transmission Control Protocol
TE Traffic Engineering
TLV Type Length Value
TMN Telecommunications Management Network
ToS Type of Service
TQ TEQUILA
TTL Time to Live
TTR Time to Repair
UDP User Datagram Protocol
UML Unified Modelling Language
UNI User Network Interface
VBR Variable Bit Rate
VC Virtual Channel
VLAN Virtual LAN
VLL Virtual Leased Line
VoD Video on Demand
VoIP Voice over IP
VP Virtual Path
VPC Virtual Path Connection
VPN Virtual Private Network
WAN Wide Area Network
WFQ Weighted Fair Queuing
WG Work Group
WRED Weighted Random Early Detection
WP Work Package