Vol. 59 n°1-2, January-February 2004
Policy-based network management
Guest editor: Guy PUJOLLE (LIP6)
Policy-based Network Management
Guy PUJOLLE*
*LIP6, University of Paris VI, 8 rue du Capitaine Scott, 75015 Paris, France
In today's highly competitive market, service and network providers must be able to satisfy the demand for new services with various quality of service, reliability and security requirements. At the same time, these providers need to reduce the cost of network operation and maintenance. In this context, policy-enabled networks appear as a promising approach. This issue presents a series of articles on this topic, focusing on different aspects of Policy-based Management (PBM). Papers have been selected from the program of the NETwork CONtrol and Engineering Conference (Net-Con'2002), and the authors extended the work they presented in Paris in October 2002. The first three articles analyse different aspects of PBM systems. The first one - Distributed soft policy enforcement by swarm intelligence, by O. Wittner and B.E. Helvik - introduces and demonstrates how a set of ant-like mobile agents can be designed to find near optimal solutions for the implementation of a set of potentially conflicting policies. The second one - Multi-domain architecture for policy management in UMTS IP multimedia subsystem, by W. Zhuang, Y.S. Gan, Q. Gao, K.J. Loh and K.C. Chua - proposes a QoS policy architecture for a multi-domain, multi-operator environment, and the third one - Policy-based networking: application to firewall management, by F. Caldeira and E. Monteiro - focuses on a PBM approach to the management of network equipment, and of firewalls in particular. Next, two articles develop new components for an efficient use of PBM. T.M.T. Nguyen and N. Boukhatem propose, in Service level negotiation and COPS-SLS protocol, a new member of the COPS family providing intra-, inter- and multiple-domain service level negotiation, whereas J. Farias Fidalgo, D.F.H. Sadok, J. Kelner and R. do Nascimento Fidalgo present a policy network environment, ProNet, and a complete framework implementation that validates the actual use of policy-based management in a QoS network.
The last three articles: Design and performance evaluation of active bandwidth brokers by K.L.E. Law and K. Wong, Active networks: an application level server management architecture by I. Liabotis, T. Olukemi, O. Prnjat and L. Sacks, and Authentication in wireless networks: state-of-the-art and integration with smart cards by M. Loutrel, P. Urien and D. Gaïti discuss very important topics related to PBM: bandwidth brokers, server management architecture and security. The rest of this guest editorial is devoted to an introduction to policy-based management. It describes how a policy-based approach can be applied to deal with QoS, security, access control, mobility, etc. The framework presented here is derived from the IETF's work in the Policy Framework working group and in the Resource Allocation Protocol working group.
Distributed Soft Policy Enforcement by Swarm Intelligence: Application to Load Sharing and Protection
Otto WITTNER* and Bjarne E. HELVIK*
* Centre for Quantifiable Quality of Service in Communication Systems (Q2S), Centre of Excellence, Norwegian University of Science and Technology, NTNU, N-7491 Trondheim, Norway
Abstract: Managing complex heterogeneous computer and telecommunication systems is challenging. One promising management concept for such systems is policy-based management. However, it is common to interpret policies strictly and resort to centralized decisions to resolve policy conflicts. Centralization is undesirable from a dependability point of view. Swarm intelligence based on sets of autonomous "ant-like" mobile agents, where control is distributed among the agents, has been applied to several challenging optimization and trade-off problems with great success. This paper introduces and demonstrates how a set of such ant-like mobile agents can be designed to find near optimal solutions for the implementation of a set of potentially conflicting policies. Solutions are found in a truly distributed manner; hence an overall more dependable/robust system is obtained. The enforcement of the policies is soft in the sense that it is probabilistic and yields a kind of "best effort" implementation. To demonstrate the feasibility of the overall concept, a case study is presented where ant-like mobile agents are designed to implement load distribution and conflict-free back-up policies.
Key words: Complex system, Distributed system, Artificial intelligence, Autonomous agent, Telecommunication network, Reservation, Networking, Decision rule.
Multi-domain architecture for policy management in UMTS IP multimedia subsystem
Wei ZHUANG*,**, Yung Sze GAN*, Qing GAO*, Kok Jeng LOH*, Kee Chaing CHUA*
* ICM Mobile Core R&D, Siemens Pte. Ltd., 75 Science Park Drive, #01-02 CINTECH II, Singapore 118255
** Current address: Wireless Communication Dept., Shanghai Telecommunication Co. Ltd., 8/F, No. 1465 Beijing (W) Rd, Shanghai 200040, P.R. China.
Abstract: The Universal Mobile Telecommunications System (UMTS) offers IP-based multimedia applications and services with end-to-end Quality of Service (QoS) guarantees. The key component providing these services is the IP Multimedia Subsystem (IMS), which uses Service-Based Local Policy (SBLP) management for QoS control. To support end-to-end QoS, the UMTS IMS network should be scalable, reliable and flexible in policy deployment and enforcement, characteristics that are not found in a single-domain policy architecture. A hybrid policy architecture is proposed, in which a hierarchical architecture is applied to the multi-domain environment in a single-operator UMTS IMS network, while a peering architecture is employed in a multi-operator UMTS IMS network. The proposed multi-domain policy architecture potentially minimizes the session setup delay and policy exchange traffic while maximizing network scalability.
Key words: Networking, UMTS, Quality of service, Multimedia service, Network architecture, Peer to peer networking, Hierarchical system, Decision rule.
Policy-based networking: applications to firewall management
Filipe CALDEIRA*, Edmundo MONTEIRO**
* Polytechnic Institute of Viseu, ESTV, Department of Informatics, Campus Politécnico de Repeses, 3504-510 Viseu, Portugal.
** University of Coimbra, CISUC/DEI, Laboratory of Communications and Telematics, Polo II, Pinhal de Marrocos, 3030-290 Coimbra, Portugal.
Abstract: This paper describes a policy-based approach to firewall management. The Policy-Based Networking (PBN) architecture proposed by the Policy Framework Group of the Internet Engineering Task Force (IETF) is analysed, together with the communication protocols, policy specification languages, and the necessary information models. An overview of the applicability of policy specification languages to the PBN architecture is presented, paying particular attention to the specification of security policies through the Security Policy Specification Language (SPSL). The Common Open Policy Service protocol (COPS) and its variant, COPS for Policy Provisioning (COPS-PR), both used for the transport of policy information, are also presented. The paper continues with a description of an application of the PBN architecture to firewall management. The proposed architecture is presented and its implementation issues are analysed with some usage examples. The paper concludes with an evaluation of the policy-based approach to firewall management.
Key words: Networking, Computer security, Firewall, Network architecture, Specification language, Transmission protocol, Decision rule.
Service Level Negotiation and COPS-SLS Protocol
Thi Mai Trang NGUYEN*,**, Nadia BOUKHATEM*
* GET/Télécom Paris - 46, rue Barrault - 75634 Paris Cedex 13, France.
** LIP6, Université Paris VI, 8, rue du Capitaine Scott, 75015, Paris, France.
Abstract: The Internet is a set of interconnected domains in which different QoS technologies can be deployed. The dynamic provision of end-to-end QoS over heterogeneous IP networks assumes the negotiation of mutually acceptable SLAs. This paper presents the concept of intra-, inter- and multiple-domain service level negotiation using the COPS-SLS protocol. The negotiation process gives the different parties in the negotiation the ability to agree upon the service level that a data stream can obtain, along with the permissible pricing of the service.
Key words: Networking, Network architecture, Quality of Service, Transmission protocol, Internet, Inhomogeneity, Information exchange.
ProNet: A policy network environment
Joseane FARIAS FIDALGO*, Djamel Fawzi HADJ SADOK*, Judith KELNER*, Robson DO NASCIMENTO FIDALGO*
* Informatics Center, Federal University of Pernambuco (UFPE), P.O. Box 7851, ZIP 50732-970, Recife, PE, Brasil
Abstract: Network and business management convergence is seen as the next step towards harmonizing information technology resource allocation with target business goals. This paper proposes a management platform that starts at the specification of business targets in the form of policies and goes all the way to enforcing them in a next generation Quality of Service aware network. We specified both a policy language and a parser and also implemented procedures for mapping policies into underlying network mechanisms. Furthermore, case studies presented in this paper show performance results of network services controlled by such policies.
Key words: Networking, Telecommunication network, Network management, Quality of Service, Decision rule, Description language, Programming environment, Case study.
Design and performance evaluation of active bandwidth brokers
K.L. Eddie LAW*, Kason WONG*
* Pinium Research Inc., 302-3181 Bayview Avenue, Toronto, Ontario, Canada M2K 2Y2.
Abstract: With the arrival of critical data transactions and multimedia applications, the need for network services with different Quality of Service (QoS) guarantees is increasing rapidly. In order to ensure the delivery of information with the desired quality at the application layer, policy-based management (PBM) systems should be deployed by network service providers to configure network devices properly. A policy-based management system is capable of resolving and enforcing policy rules to realize end-to-end QoS for all kinds of network connections. In this paper, a novel design of a policy-based management system based on active networks is proposed. Active network technology gives network routers the ability to execute and move data and program code as needed. It is used in the proposed design (the Active Bandwidth Broker architecture) to achieve the goals of system scalability and reliability. Moreover, policy control operations can be distributed among different active nodes. Thus, the architecture reduces the aggregate amount of policy control traffic in networks and shortens the response times to policy requests. Furthermore, the Policy Decision Point is a mobile agent that moves and avoids network congestion situations. A system prototype has been constructed to implement the designed architecture. It has successfully demonstrated that the new design framework offers architectural flexibility, improves system reliability, and provides system scalability in handling a large number of service requests.
Key words: Networking, Network management, Decision rule, Active telecommunication network, Quality of Service, Transmission protocol, Autonomous agent, Internet.
Application level active network (ALAN) server management architecture
Ioannis LIABOTIS*, Temitope OLUKEMI*, Ognjen PRNJAT*, Lionel SACKS*
* University College London, Torrington Place, London WC1E 7JE, England.
Abstract: This paper presents the details of the policy-based security and resource management architecture for Application Level Active Network (ALAN) servers. ALAN is an active network architecture which enables the deployment of user-customised processes (proxylets), which enhance existing services or introduce new services to the end-user, on a select group of servers in an IP network. The issues of security and resource management in this scenario are of crucial importance, both to efficiently facilitate and control the resource consumption of user-specified processes on the active servers, and to protect the server platforms from unauthorised proxylet deployment or malevolent behaviour. The architecture allowing efficient resource and security control is presented in this paper, including detailed UML diagrams capturing the management functionality, as well as a set of concrete management policies for the ALAN scenario. Example XML policies are also given, and the deployment of this architecture in real-life trials is described. This development forms part of a larger management architecture for ALAN-enabled networks developed in the context of the IST project ANDROID (Active Network DistRibuted Open Infrastructure Development).
Key words: Networking, Active telecommunication network, Network architecture, Resource management, Telecommunication service management, Computer security, Internet, Computer application.
Authentication in wireless networks: state of the art and integration with smart card
Marc LOUTREL*,***, Pascal URIEN**, Dominique GAÏTI***
* SchlumbergerSema, Smart Card Division, 36-38 rue de la Princesse, BP 45, 78431 Louveciennes Cedex, France.
** GET/Télécom Paris, 46 rue Barrault, 75013 Paris, France.
*** LIP6, 4 place Jussieu, 75252 Paris Cedex 05, France, and Université de Technologie de Troyes (UTT), 12 rue Marie Curie, BP 2060, 10010 Troyes Cedex, France.
Abstract: Wireless LANs have spread very quickly over the past few years. Demand for wireless access to LANs has risen due to new mobile computing devices, such as laptops and personal digital assistants, and a desire for seamless and permanent connections to networks. Nevertheless, many security issues remain and hinder their deployment in corporations. One of the most important issues is the authentication of a terminal to an Access Point. We propose an interface to integrate the Extensible Authentication Protocol into smart cards and show that smart cards could constitute the de facto device for authentication in Wireless LANs, as they are for GSM and will be for UMTS (Universal Mobile Telecommunication System).
Key words: Mobile radiocommunication, Wireless LAN, Authentication, Smart card, State of the art, Cryptography, UMTS.
The mille feuilles: routing algorithm for packet network and connected network
Matthieu ROMBAUT*,**, Gérard HEBUTERNE**, Michel PRIEM*
* STERIA, 12 rue Paul Dautier, 78140 Velizy, France.
** INT - Evry, 9 rue Charles Fourier, 91011 Evry, France.
Abstract: We present in this paper an innovative routing method for constrained-capacity networks, based on the actual link load ratio. This method is used during the design step of a data network or switching network. Its goal is to use all the free capacity of the network, by splitting the flow along several paths and lowering the maximal link load in the network. We present a routing method and a non-additive metric on the network components for the computation of the paths. We compare this multi-routing method to disjoint multi-routing methods and show the advantages of this method. It provides the network with higher resistance to flow increase and higher resistance to single link failure.
Key words: Telecommunication switching, Routing, Packet switching, Circuit switching, Switched network, Data communication network, Telecommunication network planning, System design, Core network, Optimization, Teletraffic, Fault tolerant system.
An evaluation of TCP with explicit congestion notification
Kostas PENTIKOUSIS*, Hussein BADR*
* Department of Computer Science, Stony Brook University, Stony Brook, NY 11794-4400, USA.
Abstract: We study the effect of Explicit Congestion Notification (ECN) on TCP for relatively large but finite file transfers in IP networks, and compare it to other congestion avoidance mechanisms, namely Drop Tail (DT) and Random Early Detection (RED). We use simulation to measure TCP performance for transfers initiated by a varying number of end hosts. In contrast to previous work, we focus on situations in which all nodes in the network operate uniformly under the same mechanism (DT or RED or ECN). Our results show that under such uniform conditions ECN does not necessarily lead to significant improvement in TCP goodput, although in no case does it lead to an actual degradation in performance. Our results also show that, with ECN, TCP flows benefit from lower overhead for unsuccessful transmissions. Furthermore, lockouts are largely avoided. In other words, in an all-ECN network resources are shared more fairly. Finally, we show that global synchronization is no longer an issue, and argue that current TCP versions have essentially solved the problem, regardless of the queue management scheme employed.
Key words: Transmission protocol, Internet protocol, TCP/IP, Telecommunication traffic control, Congestion control, File transfer, Downloading, Simulation, Experimental result.
Extraction of lesions in cerebral images of scanner for a tele-diagnosis system
Nadia LASSOUAOUI*, Latifa HAMAMI*,**, Nadia NOUALI*, Belaïd AÏT ABDELKADER***
* Centre de Recherche sur l'Information Scientifique et Technique, CERIST, rue des 3 frères Aïssou, Ben Aknoun, BP 143, Alger 16030, Algérie
** École Nationale Polytechnique, Laboratoire Signal et Communications, 10 av. Hassen Badi, El Harrach, Alger, Algérie
*** CHU CPMC Mustapha, Service de biochimie métabolique, DZ-16000 Alger, Algérie.
Abstract: Cancer is one of the most widespread diseases in the world. Researchers have thought of building systems that will serve as decision and diagnosis assistance tools for doctors. Networking such systems permits a tele-diagnosis application, whose goal is to bring "a second opinion" from a distant specialist to validate or invalidate the diagnosis established by the local expert, or to help the latter in making a correct diagnosis. To design such systems, several aspects have to be dealt with. One of the most significant is the large size of medical images compared to the transmission rate. For that reason, in the case of cerebral cancer, we propose to design a stage for extracting the lesions; its role is to extract the lesion while respecting its size, its shape and its position. Thus the size of the images to be sent decreases, because they are in two grey levels (black and white). The second goal of this stage is to simplify the image for the doctor while preserving all morphological characteristics of the lesions. For that, we can proceed in two ways: by extracting the edges of the lesion, or by extracting its whole area. We use algorithms based on mathematical morphology operators; promising results were obtained, which allow the doctor to begin the diagnosis step in a reliable manner, locally or remotely. In this paper, we present mainly our tele-diagnosis system and the various algorithms used for designing the lesion extraction stage.
Key words: Tele-medicine, Medical diagnostic, Brain, Tomography, Mathematical morphology, Medical imagery, Image segmentation, Relaxation method, Computer aid, Image processing.
The local indistinguishability in multiserver (multilink) queueing networks
Pierre LE GALL*
* Ingénieur en Chef honoraire des Télécommunications, 4, Parc de la Bérengère, F-92210 Saint-Cloud, France.
Abstract: As previously for single-link queueing networks, it is now proved, for multiserver (multilink) queueing networks, that the local queues are defined by indistinguishable local arrivals (after having crossed two or three stages), corresponding (in buffers) to some agglutinations of short service times behind long service times, possibly leading (in the input buffers) to very long congestion times (even for low traffic intensities) when the service times are highly varying. In that case, traditional queueing theories (mainly influenced by the loads) are not appropriate for input buffer dimensioning.
Key words: Queue, Theoretical study, Queueing network, Buffer storage, Overload, Service time.