MASTER OF SCIENCE THESIS
Telia ProSoft AB

Directory Enabled Networks, DEN

by Per-Erik Andersson ([email protected])
Stockholm, February 2000

Supervisor: Arne Lindgren and Rune Wahlgren, Telia Prosoft AB, Vitsandsgatan 9, 12386 Farsta. E-mail: [email protected], [email protected]
Examiner and Supervisor: Gunnar Karlsson, KTH Teleinformatics, Electrum 204, 16440 Kista. E-mail: [email protected]

Directory Enabled Networks, DEN - Per-Erik Andersson - 2000-05-21 - Telia Prosoft AB

Abstract

A directory is a special purpose database that contains information about the nodes, or devices, attached to a network. Directories offer a potentially powerful tool in helping to simplify and automate many of the complex tasks involved in managing a large network.

At the Microsoft Professional Developers Conference in September 1997, Cisco Systems Inc. and Microsoft Corp. announced the Directory Enabled Networks initiative (DEN-initiative). It is based on the Common Information Model (CIM) and X.500 and uses LDAP as its core access protocol. One important part of the DEN-initiative is the directory support for Policy-Powered Networking, which makes it possible to manage the network with certain rules (i.e. policies).

This thesis gives an overview of the DEN-initiative and its protocols. Policy-powered networking and the protocols that are expected to become standard for policy transactions are discussed in depth. The thesis ends with a proposal for how Telia could design its network based on the DEN-initiative.

Table of Contents

1. Introduction
  1.1. Background
  1.2. Goal
  1.3. Outline
2. X.500
  2.1. Components of the X.500 directory service
    2.1.1. Data model
    2.1.2. Functional model
3. The DEN initiative
  3.1. Common Information Model, CIM
  3.2. DEN Base Schema
    3.2.1. Overview of Base Classes derived from X.500
    3.2.2. Overview of Base Classes derived from CIM
    3.2.3. New DEN Classes
  3.3. Important Classes
    3.3.1. ManagedSystemElement
    3.3.2. Profile
  3.4. Benefits of DEN
    3.4.1. Economy
  3.5. History
4. The Lightweight Directory Access Protocol, LDAP
  4.1. Benefits of LDAP
  4.2. Specification
  4.3. Replication requirements
    4.3.1. Extranetwork example
    4.3.2. Enterprise directory replication mesh
  4.4. Defining your directory
5. Directory support for policy-powered networking
  5.1. Roles in a policy-powered network, PPN
  5.2. Policy Transaction Protocols
    5.2.1. Simple Network Management Protocol, SNMP
    5.2.2. Common Open Policy Service (COPS) protocol
  5.3. A comparison of COPS and SNMP
  5.4. Redundancy and High Availability
  5.5. Types of Policy-Enforcement Devices
  5.6. QoS policies
    5.6.1. Policy example
6. Summary theory
7. Definition of the problem
8. Telianet
9. New services
  9.1. Internet roaming
  9.2. ISP selection
  9.3. Pay-Per-View
10. Telianet based on the DEN initiative
  10.1. Proposal of a LDAP-directory structure
    10.1.1. Core schema encoding example
11. Conclusions
  11.1. DEN in Telia
  11.2. Policy-Powered Networking
  11.3. Products
Appendix A: Acronyms and Abbreviations
Appendix B: Organizations
References

1. Introduction

1.1. Background

A directory is a certain type of database that contains information about nodes, users, clients and addresses belonging to one or more networks. For a long time, directory services were considered to belong to the realm of electronic mail, for tasks such as finding a person's email address. This was perhaps the most obvious application of a directory. The role of a directory has expanded over the last years to encompass many more functions than simply mapping a name to an email address.

There is a strong need among Telia and other telecommunication operators to be able to integrate directories and network components in order to raise the standard of their networks with respect to security, quality of service (QoS) and reservation of resources. There is also a strong interest in exchanging information to make new services possible.

Several large vendors, with Microsoft in the lead, have since 1997 tried to build a useful global directory structure starting from X.500. They have developed a simplified access protocol, the Lightweight Directory Access Protocol (LDAP), and are now trying to replace X.500's directory structure with something called Directory Enabled Networks (DEN).
Telia ProSoft wanted to investigate where the Distributed Management Task Force (DMTF) and the Internet Engineering Task Force (IETF) (see Appendix B) stand in the standardisation process, and the result is this thesis.

1.2. Goal

The goal of the project is to give an overview of the DEN-initiative and its core access protocol LDAP, and to investigate whether DEN could be a solution for future services, like pay-per-view. The thesis shall also result in a proposal for how Telia should position itself with respect to the initiative.

1.3. Outline

Chapters 2 to 6 serve as an overview of the background to why the DEN initiative was announced and of its functions. This part ends with a summary.

Chapters 7 to 10 describe the problem part, where requirements on new services and missing functionality in Telia's network are defined and solved based on the DEN-initiative.

Chapter 11 contains the conclusions, where I give my personal view of the forthcoming work with DEN inside and outside Telia.

Appendix: Appendix A contains useful acronyms and abbreviations. Appendix B presents the different organizations that are, or have been, working with the development of DEN and LDAP.

2. X.500

A directory is a special purpose database that contains information about the nodes, or devices, attached to an enterprise network. Directories offer a potentially powerful tool in helping to simplify and automate many of the complex tasks involved in managing a large corporate network. Directory services are optimized for storing information that is frequently read, but are weak at managing data that are constantly changing [10].

In 1988 the International Telecommunication Union - Telecommunication Standardisation Sector (ITU-T) released a specification of how information can be stored and accessed in a global directory. It is called X.500 [9].
An updated version came in 1993. The focus is on the communication between a server and a client and on the structure of that information. X.500 was meant to serve as a universal, standards-based directory service, but it proved overly complicated and ran only on high-powered Unix machines. As a result, X.500 never gained any market share.

2.1. Components of the X.500 directory service

The standards contain the following components, which any global directory service is required to support:

• The hierarchical namespace, which determines how information is referenced and organized.
• The information model, which describes the format and structure, called the schema, of the information maintained in the directory.
• The functional model, which specifies the directory access protocol and the specific operations on the directory (e.g. read, write and authenticate).
• The distributed operation model, which determines how data is distributed and the operations that must be performed to synchronize and maintain the global directory across thousands of servers.

2.1.1. Data model

Figure 2.1 shows a possible directory information tree for an X.500 directory service.

[Figure 2.1: An X.500 directory information tree, DIT. The tree shown has the root "se" with children "telia" and "ericsson" (and others); under "telia" are "Research" and "ProSoft" (and others); under "ProSoft" are a person entry (cn: Arne Lindgren, sn: Lindgren, mail: [email protected], objectClass: person) and a router entry (Herbit, objectClass: Router).]

The tree is made up of entries. Each element in the directory information tree (DIT) has a globally unique name, called a distinguished name (DN). For example, Arne Lindgren's DN would be "telia; ProSoft; Arne Lindgren". The DN provides access to a unique object in the global directory. DNs written as strings of dotted decimal numbers are called object identifiers (OIDs). For example, all the user attribute types defined by the X.500 standards begin with 2.5.4.

Each object is represented by an entry in the DIT and contains a set of attributes.
The attributes hold the information stored for each object. An example of an attribute is "mail". Each entry must have an objectClass attribute. The objectClass identifies the type of entry (e.g. person, switch, router, etc.) and determines which further attributes are required and which are optional. The collection of attribute type definitions, objectClass definitions and other information is known as the object's schema.

2.1.2. Functional model

The X.500 directory is maintained by a set of directory system agents, DSAs. Each DSA holds information for only a part of the complete directory information base, DIB. A given DSA can either respond to or forward user requests (Figure 2.2). This is what ties together the X.500 distributed directory service.
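To make the data model of section 2.1.1 and the functional model of section 2.1.2 concrete, here is an added example (not code from the thesis, and not an implementation of X.500 itself): a toy directory in Python that builds the DIT of Figure 2.1, derives distinguished names in LDAP string form, checks each entry against a simplified schema in which the objectClass decides the required and optional attributes, and models two DSAs that each master one part of the DIB and forward requests they cannot answer. The schema, the "router" class, the sample e-mail address and the split of the DIB between the two DSAs are constructed for illustration; the OIDs for the 2.5.4 attribute types are the real X.520 values.

```python
# Added example (not code from the thesis): a toy X.500-style directory that builds the
# DIT of Figure 2.1, derives DNs, checks entries against a simplified schema and models
# DSAs that each master part of the DIB and forward requests they cannot answer.
# The schema, the 'router' class, the address and the DSA split are constructed.
from dataclasses import dataclass, field
from typing import Dict, Iterator, List, Optional, Tuple

# Attribute-type OIDs: X.520 user attributes live under the 2.5.4 arc the text mentions;
# mail comes from the COSINE/Internet schema (RFC 4524), not from X.500 itself.
ATTRIBUTE_OIDS = {"objectClass": "2.5.4.0", "cn": "2.5.4.3", "sn": "2.5.4.4",
                  "c": "2.5.4.6", "o": "2.5.4.10", "ou": "2.5.4.11",
                  "mail": "0.9.2342.19200300.100.1.3"}

# Constructed toy schema: objectClass -> (required attributes, optional attributes).
# Simplified on purpose; e.g. the real X.521 'person' class does not allow 'mail'.
SCHEMA = {"country": ({"c"}, set()), "organization": ({"o"}, set()),
          "organizationalUnit": ({"ou"}, set()),
          "person": ({"cn", "sn"}, {"mail"}),
          "router": ({"cn"}, {"description"})}   # hypothetical class for the figure's router

def rdn_str(rdn: Tuple[str, str]) -> str:
    return f"{rdn[0]}={rdn[1]}"

@dataclass
class Entry:
    rdn: Tuple[str, str]                      # relative DN, e.g. ("cn", "Arne Lindgren")
    attrs: Dict[str, List[str]]
    parent: Optional["Entry"] = None
    children: Dict[str, "Entry"] = field(default_factory=dict)

    def add(self, rdn: Tuple[str, str], **attrs) -> "Entry":
        """Attach a child; the RDN attribute is also stored as a normal attribute."""
        full = {k: (v if isinstance(v, list) else [v]) for k, v in attrs.items()}
        full.setdefault(rdn[0], [rdn[1]])
        child = Entry(rdn, full, parent=self)
        self.children[rdn_str(rdn)] = child
        return child

    def dn(self) -> str:
        """Distinguished name in LDAP string form: RDNs from the entry up to the root."""
        parts, node = [], self
        while node.parent is not None:        # the root itself has no name
            parts.append(rdn_str(node.rdn))
            node = node.parent
        return ",".join(parts)

    def walk(self) -> Iterator["Entry"]:
        yield self
        for child in self.children.values():
            yield from child.walk()

def schema_errors(entry: Entry) -> List[str]:
    """Violations of SCHEMA for one entry; an empty list means the entry conforms."""
    classes = entry.attrs.get("objectClass", [])
    if not classes:
        return [f"{entry.dn()}: missing objectClass"]
    errors, required, optional = [], set(), set()
    for oc in classes:
        if oc not in SCHEMA:
            errors.append(f"{entry.dn()}: unknown objectClass {oc}")
            continue
        required |= SCHEMA[oc][0]
        optional |= SCHEMA[oc][1]
    present = set(entry.attrs) - {"objectClass"}
    errors += [f"{entry.dn()}: required attribute {a} missing" for a in sorted(required - present)]
    errors += [f"{entry.dn()}: attribute {a} not allowed" for a in sorted(present - required - optional)]
    return errors

def build_figure_2_1() -> Entry:
    """The DIT of Figure 2.1: nameless root, then c=se, organizations, units and leaves."""
    root = Entry(("", ""), {})
    se = root.add(("c", "se"), objectClass="country")
    telia = se.add(("o", "telia"), objectClass="organization")
    se.add(("o", "ericsson"), objectClass="organization")
    telia.add(("ou", "Research"), objectClass="organizationalUnit")
    prosoft = telia.add(("ou", "ProSoft"), objectClass="organizationalUnit")
    prosoft.add(("cn", "Arne Lindgren"), objectClass="person", sn="Lindgren",
                mail="arne.lindgren@example.net")      # constructed address
    prosoft.add(("cn", "Herbit"), objectClass="router")
    return root

class DSA:
    """Directory system agent mastering one naming context minus any delegated subtrees."""
    def __init__(self, name: str, context: Entry, delegated: Tuple["DSA", ...] = ()):
        self.name, self.peers = name, []
        taken = {dn for d in delegated for dn in d.entries}
        self.entries = {e.dn(): e for e in context.walk() if e.dn() not in taken}

    def lookup(self, dn: str, hops: int = 0) -> Tuple[Optional[Entry], str, int]:
        """Answer locally when the entry is held here, otherwise forward to the peer holding it."""
        if dn in self.entries:
            return self.entries[dn], self.name, hops
        for peer in self.peers:
            if dn in peer.entries:
                return peer.lookup(dn, hops + 1)
        return None, self.name, hops

def demo() -> Tuple[List[str], str, int, str, int]:
    """Schema-check the whole DIT, then resolve two DNs through the two-DSA directory."""
    root = build_figure_2_1()
    errors = [err for e in root.walk() if e.parent is not None for err in schema_errors(e)]
    telia_dsa = DSA("dsa-telia", root.children["c=se"].children["o=telia"])
    se_dsa = DSA("dsa-se", root.children["c=se"], delegated=(telia_dsa,))
    se_dsa.peers, telia_dsa.peers = [telia_dsa], [se_dsa]
    _, served_by, hops = se_dsa.lookup("cn=Arne Lindgren,ou=ProSoft,o=telia,c=se")
    _, served2, hops2 = telia_dsa.lookup("o=ericsson,c=se")
    return errors, served_by, hops, served2, hops2

if __name__ == "__main__":
    print(demo())
```

Running `demo()` returns an empty error list for the figure's entries, and shows that a request for Arne Lindgren's entry sent to the DSA holding "c=se" is answered by the DSA holding the "o=telia" subtree after one forwarding hop, while a request for "o=ericsson,c=se" sent to the telia DSA is forwarded the other way. Adding an entry that lacks a required attribute (a person without sn) makes `schema_errors` report it, which is the objectClass-driven check the text describes.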