Global Lambda Integrated Facility

Subject Re: [GLIF controlplane] RE: Network Control Architecture
From Leon Gommans <lgommans@xxxxxxxxxxxxxx>
Date Thu, 19 Apr 2007 22:08:01 +0200

Hi Admela,

Thanks for your reply.

No, SIP cannot replace RSVP, but both protocols can support a
token approach. I have to look into the protocol in more in detail
and discuss it with experts I know from the IETF to be more precise,
but I imagine it could be put somewhere in the session details of
an INVITE message or in its OPTIONS.

A token is a very generic term and must be defined within a context.
Within the context describe I have defined the token as the result of
securely hashed list of service attributes together with an index.
E.g. the token could be 4 bytes taken from the HMAC-SHA-1 of
(source IP, Dest. IP, session_ID) using a key that has been
assigned to the reservation. A certificate typically implies a certain
format (X.509) and some CA signing it. A token may have
different formats and the autority may not be a third party but
the receiving domain using some symmetric key.

An access point like a Wireless router, ADSL DSLAM or modem bank
uses a protocol such as RADIUS to call a RADIUS server (via one
or more proxy RADIUS servers) such that this server can verify the
users credentials. This is because it can not verify the validity
of the credentials locally. If it would have received a key from
this server beforehand because it expects the call to happen and this
call would contain a token, the callout would not need to happen as
the key will verify the users access right.

So in pre-provisioned networks, where the network expects calls to happen
in a certain time window according to a schedule, the token approach could
save the time the verification call-out would need, if subscribed and non
subscribed users are both able to access the connection and domains want to
be sure that connections are actually given to the correct users (so they can
not be repudiated).

Hope this helps,

Kind regards .. Leon.

Admela Jukan schreef:
Hi Leon

Interesting approach.

A few questions:
a) Are you saying SIP can replace RSVP?  (I am not sure about that.)
b) Is "token" equivalent of a "Certificate"?
c) What do you mean when you say " Non token approaches tend to use call-outs (e.g. RADIUS) that may take their time as well"?

Thanks, Admela

On Apr 19, 2007, at 3:00 PM, Leon Gommans wrote:


Regarding your remark on RSVP:

In pure RSVP I tend to agree with your first observation. Reservations
are hard to do in multi-domain cases using RSVP. But this is not the point
of using RSVP in the case I am trying to point out.
RSVP, (or some signalling protocol using EAP if you do it in-band) or other any other suitable signalling protocol (SIP) for this matter, could also be used for access
control purposes to point at a specific reservation of an explicit path.

For example RSVP is able to also support a policy data object as described
in RFC2750. This policy data object could contain some form of
"token". The token in this case would be a secured index into a pre-provisioned
service instance waiting to be accessed. Brokers could have negotiated
this service using WS mechanisms in the way we are discussing now and
the steps you are refering to below. Agents can still do the work needed to
make sure the path is correctly in place when the time comes the path is
As a result of the negotiation, however, each domain would agree on a key
that allows the creation of a token.

Each domain would use this key to verify the validity of the token
when it receives a RSVP signal (PATH) at the ingress of its network.
The sender would create the token using some kind of secure HMAC
mechanism using the index and maybe some other service parameters
as digest. The token could remain the same along the way for each
domain or could be regenerated at the egress of a network dependant
on the fact if the agreed key is the same or different for each
domain. This approach does not reserve the path,
but just ensures nobody else is using a particular reservation.
This is important if a path can be publically accessed.
This approach is therefore a hybrid approach (mixing WS
style provisioning for the reservation with signalling style for
access control and usage) which will enable quick network access
without the need to go back an authority.

The token model is very successfull as authorization model in other
cases, so I am wondering why it cannot be used in networks.
The approach has at least the following advantages:

1. As the reservation processes can be slow and would involve an arbitrary
amount parties each taking their own amount of time,  separating
the reservation process from the actual access and usage of a path would be
an advantage. A token would enable instant access without the need to
go up.
2. Once the reservation is received by the user process, the reservation can
be used very flexibly. Maybe a metascheduler could assign a particular
reservation at the last minute to a particular process that can best use
the particular connection. The meta scheduler can hand the key to
the most optimal process at that moment.
3. Scheduling resources may not be enough as it provided no access
control in cases where it is needed. You need to be able to somehow
seperate the sheep from the goats (subscribers v.s. non subscribers) when they need
to be. Non token approaches tend to use call-outs (e.g. RADIUS) that may
take their time as well.

Anyway, I demonstrated the token approach at SC|06 using the DRAGON
GMPLS code and as a result we will start testing this approach more as
part of the Phosphorus project in collaboration with Internet2 and the DRAGON

Kind regards .. Leon.

Harvey Newman schreef:

This is a limited view that will run into the same problems as are well-known
from RSVP. One will never get to reserve a multi-domain path this way.

Operational steps in a services-oriented architecture:
(reservations are stateful, time-dependent, and responsive to
capability to use the allocated resource):

(1) AAA, with priority schemes and policy expressed by each VO.
(2) Inter-VO allocations according to quotas; coupled to tracking of
       what has been used during a specified time period
(3) Service to verify end-system capability and load as being
       consistent with the request
(4) Agents to build the path and verify its state (up, down,
       which segment(s) are down or impaired) also agents to
       verify end-system capability (hardware, system and kernel
       config., network interface and settings); verification
       of end-to-end  capability with an active probe (viz.
       FDT); build or tear down circuits in parallel in a
      time < the TCP timeout.
(5) Tracking of capability (if relevant, as in large scale data
(6) Adjustment of channel capability if allowed, according to
       performance end-to-end. For example with LCAS
     [allocation of a non-adjustable channel takes longer,
       and becomes an economic question.]
(7) Adjustments driven by (a) entry of higher priority
      allocation-requests; these could affect many or even
      all channels or (b) re-routing of certain flows if better
      paths become available (c) optimization of workflow according
      to deadline scheduling for certain flows

Except for the higher-level "strategic" parts above (policy and
quotas; which need to come from the VOs), many of the technical pieces
above exist, and will be hard to match.


Steve Thorpe wrote:
Hello Bert, everyone,

The point Bert made "...if the pre-reservation of resources is not an atomic action..." is very important.

My belief is the pre-reservation of resources, or Phase 1 of a 2-phase commit protocol, *must* be atomic. That is, there must be a guarantee that at most one requestor will ever be granted a pre-reservation of a given resource. Then, the requestor should come back with a subsequent "Yes, commit the pre-reservation", or "No, I release the pre-reservation". In the case where the requestor does not come back within a certain amount of time, then the pre-reservation could expire and some other requestor could then begin the 2-phase commit process on the given resource.

There may be situations where a resource broker can not get the desired resource reservation(s) booked. But, I don't see deadlocking here - where both resources can *never* be booked. Unless of course, a resource broker books them once and is allowed on to them forever.

The atomicity of the pre-reservation (phase 1) stage of the 2-phase commit process is a very critical part for this to work.


PS I have also added Jon MacLaren to this thread, as I'm not sure he's on the GLIF email list(s).

Bert Andree wrote:
Hi Gigi,

What exactly dou you mean with one RB per request.
Suppose there are two independant RB's,RB-A and RB-B and two resources, RS-1 and RS-2. Suppose that there is a request to RB-A to book both resources and a request to RB-B to do the same. Now, if the pre-reservation of resources is not an atomic action, two different strategies may introduce specific problems.

Stategy 1: an availibility request does not reserve the resource:
RB-A asks for RS-1 (available)
RB-B asks for RS-2 (available)
RB-A asks for RS-2 (available)
RB-B asks for RS-1 (available)

RB-A confirms RS-1 (success)
RB-B confirms RS-2 (success)
RB-A confirms RS-2 (fail)
RB-B confirms RS-1 (fail)

The obvious solution would be to free all resources and try again. In complex systems there is a fair chance that both resources can never be booked (deadlock).

Stategy 2: an availibility request reserves the resource:
RB-A asks for RS-1 (available)
RB-B asks for RS-2 (available)
RB-A asks for RS-2 (not available)
RB-B asks for RS-1 (not available)

RB-A and RB-B free all resources and try again. In complex systems there is a fair chance that both resources can never be booked (deadlock).

The only way to prevent is, is to have some queing of requests and even then "individual starvation", e.g. RB-A can never book any resources is possible in complex systems.

Best regards,

Gigi Karmous-Edwards wrote:

Hi Admela,

I agree, there are two phases, 1) check availability from xRM, and 2) If all xRMs give an ack. then go th second phase of commit, 2') if one or more xRM gives a nack, then do not proceed to the phase two commit. In the architecture sent out, the responsibility of coordinating and administering the two phases is in ONE RB per request. Each xRM will rely on the RB to tell them whether to proceed to a commit or not. If they get a commit from an RB, it then becomes the xRM's responsibility to make the reservation and allocation in the actual resources. I think if for example RB-A talks to an xRM in domain "B", then it may be the responsibility of the xRM-B to tell its own RB-B of its interaction with RB-A. Is this in line with your thoughts?