The Authentication, Authorization and Accounting services, jointly known by their acronym AAA, are an important component of any network service provisioning infrastructure and can be used at different networking layers, from the data link layer up through the network, transport and application layers. Typically AAA services are called from other services via the Generic Security Service Application Program Interface (GSS-API), and they are now also integrated with higher-level messaging and application-specific protocols.
The concept of Generic AAA services was described in RFC2903 (Generic AAA Architecture) and RFC2904 (AAA Authorization Framework), developed with direct contributions from Cees de Laat and Leon Gommans (at that time members of the Advanced Internet Research Group at the University of Amsterdam, chaired by Cees de Laat).
Research on AAA architecture, operational models, policy, attributes and trust management issues has been one of the main research areas within the SNE group. The generic AAA concepts and solutions have been developed in the framework of several projects:
- (2003 – 2005) Collaboratory.nl project;
- (2004 – 2008) AAA Authorisation framework for Grid (DATAGRID, NextGRID, and EGEE projects);
- (2004 – 2008) GigaportNG (Token Based Networking (TBN) and AAA for network access control);
- (2007 – 2009) Generic AAA framework for Network Resource Provisioning (GAAA-NRP) (Phosphorus project);
- (2010 – 2012) Generic AAA framework for Infrastructure Services provisioning on demand (GAAA-ISOD) (GEYSERS project).
As a result of past and current research and practical development, the basic AAA concepts and models have been extended to address multi-domain issues, on-demand security services provisioning, Security Services Lifecycle Management (SSLM), advanced authorisation and provisioning session management with security tickets and tokens, delegation and trust management mechanisms, and integration with the main service delivery and service management workflows.
Current research focuses on the following topics:
- Developing a platform for Dynamically provisioned Access Control Infrastructure (DACI) for Cloud IaaS infrastructure services provisioning (on-demand);
- Trust management in on-demand provisioned virtualised DACI;
- Access Control and Accounting Infrastructure (ACAI) for Scientific Data Infrastructure (SDI) addressing the whole scientific data lifecycle.
The research provides input to standards bodies such as the IETF, OGF, NIST, IEEE and the TeleManagement Forum.
The AAA research has resulted in a number of publications.
The GAAA Toolkit has several open-source implementations and supports the XACML policy language, SAML assertions, and proprietary XML-based tickets and tokens for SSO and extended authorisation session management in multi-domain environments.
- GAAA Toolkit for Network Resource Provisioning (GAAA-NRP profile developed in the framework of the Phosphorus project);
- Pluggable GAAA-TK Java library (download);
- GAAA Toolkit for dynamically provisioned AAI for Cloud IaaS (GAAA-ISOD profile being developed in the framework of the GEYSERS project);
- GAAA-ISOD library and OSGi bundle (download).
Generic AAA RFCs authored by SNE group members
- RFC2903 Generic AAA Architecture
- RFC2904 AAA Authorization Framework
- RFC2905 AAA Authorization Application Examples
- RFC2906 AAA Authorization Requirements
Currently running projects