Network Computingwww.networkcomputing.com

RSVP
With RSVP (Resource Reservation Protocol), every router between the source host and destination host keeps track of how much bandwidth each application uses, how much total bandwidth is available and how much bandwidth is allotted to an application. The router also permits or denies application flows across the network based on the available bandwidth and network policy.

Additionally, the RSVP specification provides a mechanism for applications to signal their QoS (Quality of Service) requirements. Enterprise routers then allocate bandwidth, but only within policies dictated by the policy-management system.

Such detailed application accounting is problematic. As flows move from the edge of the network toward the core, each router must track more of them exponentially. Therefore, it is neither practical nor cost-effective to provide per-flow accountability at every router.

Microsoft Corp. has embraced a new form of RSVP, called RSVP+, in its forthcoming Windows 2000. Using RSVP+, an application can signal for network-bandwidth parameters and a DiffServ code point to be used for the application flow. RSVP+ lets network administrators provision application flows into classes of service, rather than doing per-flow accounting, making it more reasonable for core routers to implement tracking of the protocol.

COPS vs. SNMP
The COPS (Common Open Policy Server) protocol originally let routers and switches signal their bandwidth requirements to a policy server or bandwidth broker. Today, the term COPS refers to two versions of the protocol: COPS for dynamic QoS and COPS for device provisioning (also known as COPS-PR). Nearly all the PBNM vendors that visited our labs were in favor of supporting COPS for device configuration and management. As such, COPS is becoming the protocol of choice over SNMP, which offers reasonable device-monitoring capabilities, but poorly documented device-configuration functionality.

COPS also benefits from active participation by the devices under management (as compared to SNMP's polling) and a sophisticated abstraction model. The protocol was designed to specify conditions, actions and roles that the device vendor can implement. Because COPS has a well-defined parameter set, implementing multivendor support is much easier. Regardless of which switch or router a policy server is speaking to, it should be able to send one set of common commands that provision QoS.

COPS for dynamic QoS signaling is a standard. COPS-PR for provisioning--a superset of COPS--has not yet been ratified. For the next year, vendors will have to depend on proprietary solutions or prestandard COPS-PR implementations.

Spectrum Management and other vendors have committed to using SNMP for configuring their network devices. However, Spectrum says it will implement a COPS-enabled PBNM server. And though both COPS and SNMP are capable (given the right SNMP MIB objects), we think COPS and COPS-PR will dominate the market in the long term.

Telnet
Many vendors use telnet to access command-line interfaces in their version 1.0 products. However, we believe COPS will replace telnet within 12 months. For provisioning, telnet is as simple as they come--just stuff some commands into the router. But this simplicity comes with a liability: Products must be regression-tested on every version of the switch or router software. For Cisco users, that could mean testing dozens of versions of its IOS (Internetwork Operating System) on dozens of different Cisco router platforms. Furthermore, if the hardware vendor changes even one command syntax between software revisions, the PBNM manufacturer must account for those changes.

Telnet output is also difficult to deal with. Vendors that implement policies on a Cisco router, for example, must parse the "show running-config" command to determine router version, access-control lists, interfaces and other parameters of interest to the PBNM platform. Because it is almost impossible to reverse-engineer existing policies without access to the original policy networking configuration, vendors can provide only "add-on" functionality. They cannot read existing access-control list entries to build a more complete PBNM picture.

SNMP and COPS can alleviate these difficulties because they provide a more defined schema. Cisco has been dedicated to the COPS protocol, and has implemented it on some of its router platforms starting with IOS 12.0.5(T).

LDAP Version 3
LDAP version 3 grants access to X.500-style directory trees, such as Microsoft's Active Directory, Netscape's Directory Server and Novell's NDS. LDAP is the most common way vendors access stored user and resource data, and store policy information in these proprietary directories, though its application differs by vendor.

Other vendors plan to use the LDAP directory as a distribution and/or interoperability mechanism. Most notably, Extreme Networks says it feels that if a common directory format can be realized, then sharing policies between multiple products (policy managers and other network management tools) would be simplified. But developing such a common directory format will take time.

Lucent has taken the concept of the directory-enabled policy solution a step further. Rather than rely on COPS or SNMP for device configuration, it has embedded LDAP agents on its Cajun line of switches and plans to extend that agent to WAN equipment and voice switching hardware. Other vendors are quick to point out LDAP's flaws, such as slow writes to the directory. But Lucent argues that LDAP's scalability and fault tolerance make it the best protocol for directory-enabled policy-based networks.

And then there is Microsoft, whose LDAP-enabled Active Directory has inspired much speculation. Most vendors say they plan to take advantage of the user and account information the Active Directory tree is expected to store. However, none could provide a sampling of an Active Directory-enabled PBNM application.

IEEE 802.1X
The 802.1X standard enables a switch to deny access to network resources until authentication between the end workstation, the switch and a central repository for access control has been completed.

When a new user logs into a workstation, the workstation sends out a special multicast packet to the switch to identify the user, IP address, MAC (Media Access Control) address and other vital statistics. The switch forwards the packet to the policy manager, which can then make an intelligent decision about that user. The policy manager then replies to enable or deny access for that user on that port. 802.1X adds security to a network by preventing users from attempting denial-of-service attacks or other malicious actions while the network is trying to determine whether a DHCP lease should be given to the user.