Protocol to boost Quality of Service

COPS policy information protocol would provide better applications access for end users regardless of logon location

By Stephen Lawton

Another piece of the Quality of Service puzzle may soon be in place.

A protocol that makes it possible for any enabled network node such as a router, switch, or gateway to obtain user rights and privileges from an external policy server or network directory could be finalized by the IETF as early as this summer.

The COPS (Common Open Policy Service) protocol could deliver another component to establishing QoS for network applications. By using a combination of COPS-based modules in the network node and policy server and tying them to the network's directory, IT managers could provide end users with greater access to their applications and data, regardless of where they log on to the network.

Proprietary offerings from CLASS Data Systems Inc., IP Highway, Novell, 3Com, and others are available for some policy management. However, said Lionel Gibbons, director of TranscendWare product management at 3Com in Santa Clara, COPS could extend policy management well beyond the "existing knobs in devices," such as 802.1Q and SNMP.

Although 3Com's CoreBuilder 3500 and 9000 switches use a proprietary scheme to make local Yes/No decisions, Gibbons said the company will support COPS once it gains IETF's blessing.

The decision to approve COPS can't come soon enough for Merrill Lynch & Co. Inc.'s Alok Kapoor, manager of the Enterprise Architecture Group who is responsible for supervising multiple networks at the brokerage house in New York. Currently, Kapoor said, he must use the "least common denominator" for network privileges or have users dial in to specific subnets because there is no protocol for moving policy information around the network.

If a stock trader is traveling and logs on to a local network in a different Merrill Lynch office, Kapoor said, the trader will have only the rights granted by that subnet, rather than the rights the trader has on his or her own subnet. In some cases, that could limit trader access to corporate data, he noted. The alternative, Kapoor said, is to have the trader dial in to his or her own subnet, assuming that the subnet has remote access available.

COPS could move user policy data around the network, between subnets, to eliminate such problems. Kapoor's goal is to provide users with access to the same set of services regardless of where they log on to the system.

Rather than being tailored for a specific directory, whether standard or proprietary, COPS will support any directory format, according to Mary Petrosky, senior analyst at The Burton Group, a technology consultancy in San Mateo, Calif. These could include LDAP (Lightweight Directory Access Protocol), a protocol that lets directories query one another for user data, or emerging standards, such as those included in the DEN (Directory Enabled Networks) initiative, which has been proposed for directories such as Novell NDS (Novell Directory Services) and Microsoft's forthcoming Active Directory. Policies housed in a DEN-compliant directory will work in multivendor environments, Petrosky noted, with COPS being the protocol that delivers those policies to the network devices.

The protocol requires code in the network node called a PEP (Policy Enforcement Point) and a corresponding component in the policy server called the PDP (Policy Decision Point). The policy server can sit on a separate piece of hardware or on the same server as the directory, depending on the network's design.

A query is initiated by the PEP in the network node when a data flow starts. The PEP sends a message through COPS to the PDP in the policy server, which then communicates with the system's directory server using LDAP to obtain the policies. If the policy server is on the same server as the directory, COPS communicates with the directory itself and the LDAP protocol is not required.

Policies are transferred from the directory and stored in the policy server. This way, a single change to the directory could be propagated throughout the network without making changes to any of the attached devices.

A LEP (Local Enforcement Point) also resides in the network node and can be programmed to make basic Yes/No decisions, such as whether to accept a data flow from a given subnet.

Fault tolerance is maintained by having the remote node and policy server constantly verify their connection to each other through keep-alive messages. If the link is lost, the policy server can request that the policies downloaded to the remote node be resynchronized.

Persistence pays off
COPS is designed to offer a fault-tolerant and secure operation using persistent TCP connections, the IPsec protocol between the PEP and PDP for authentication and securing a channel between the remote node and the policy server, and recovery of connections with state-based resynchronization.

To distinguish between different kinds of clients, the client is identified in each message. The IETF draft document states that each client type is expected to have a corresponding extension specified in the standards document that describes its interaction with the policy protocol.
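The PEP/PDP exchange, the LEP's local Yes/No check, the keep-alive link test and the state-based resynchronization described above, modelled as an added example (not code from the article, the IETF draft or any vendor). The directory contents, user name, subnets and client type are constructed; the real COPS wire format is not modelled.

```python
# Constructed, simplified model of the COPS exchange the article describes.
# The directory, user and subnet values below are made up for illustration.
DIRECTORY = {  # stand-in for the LDAP/DEN directory holding user policies
    "trader42": {"qos_class": "gold", "subnets": {"10.1.0.0/16", "10.2.0.0/16"}},
}

class PDP:  # Policy Decision Point, lives on the policy server
    def __init__(self, directory):
        self.directory = directory
        self.cache = {}       # policies transferred from the directory
        self.installed = {}   # decisions each PEP is expected to hold
    def fetch_policy(self, user):  # stand-in for the LDAP query to the directory
        if user not in self.cache:
            self.cache[user] = self.directory.get(user)
        return self.cache[user]
    def decide(self, pep_id, client_type, handle, user, subnet):
        # Every request carries the client type, as the draft requires.
        policy = self.fetch_policy(user)
        if policy is None or subnet not in policy["subnets"]:
            decision = ("REJECT", None)
        else:
            decision = ("INSTALL", policy["qos_class"])
        self.installed.setdefault(pep_id, {})[(client_type, handle)] = decision
        return decision
    def state_for(self, pep_id):  # what a PEP should hold after a resync
        return dict(self.installed.get(pep_id, {}))

class PEP:  # Policy Enforcement Point in the router/switch, with a LEP
    def __init__(self, pep_id, pdp, ka_timeout, blocked_subnets=()):
        self.pep_id, self.pdp, self.ka_timeout = pep_id, pdp, ka_timeout
        self.blocked = set(blocked_subnets)   # LEP's programmed local No rule
        self.state = {}                        # decisions installed by the PDP
        self.last_ka = 0.0                     # time of the last keep-alive seen
    def flow_start(self, client_type, handle, user, subnet):
        if subnet in self.blocked:             # LEP answers locally, no PDP query
            return ("REJECT", None)
        decision = self.pdp.decide(self.pep_id, client_type, handle, user, subnet)
        self.state[(client_type, handle)] = decision
        return decision
    def keepalive(self, now):                  # called for each keep-alive message
        self.last_ka = now
    def link_lost(self, now):                  # no keep-alive within the timeout
        return now - self.last_ka > self.ka_timeout
    def resync(self):                          # PDP re-sends its installed state
        self.state = self.pdp.state_for(self.pep_id)
        return self.state
```

A flow from a subnet the LEP blocks never reaches the PDP, so it also never appears in the state the PDP resynchronizes after a lost link.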

COPS will be embedded into network devices through software, such as Cisco Systems' IOS (Internetwork Operating System). However, to access COPS, the end stations or proxy servers must be running an RSVP stack because COPS is an RSVP overlay protocol. Users can acquire an RSVP stack in the public domain, or through commercial vendors such as CLASS Data Systems. Microsoft Windows 98 and Windows NT 5.0 are slated to offer an RSVP stack as well.

The draft protocol was the product of two earlier IETF drafts that were merged: OOPS (Open Outsourcing Policy Services), proposed by IBM and IP Highway, a Jerusalem-based company with U.S. headquarters in San Jose; and PEPCI (Protocol for Exchange of PoliCy Information), proposed by Intel, MCI Corp., CLASS Data Systems, and Cisco.

A preliminary COPS interoperability test was conducted as a proof of concept, with Intel, CLASS Data Systems, Cisco, and IP Highway participating, said Ron Cohen, CTO at CLASS Data Systems in Cupertino and a COPS co-author.

Directory vendors are hopeful that COPS will supplement the movement to promote standards for directory information, which will be necessary to establish QoS on large corporate networks.

"[COPS] is very close to what we've been promoting," said Michael Simpson, director of marketing at Novell's Network Services Group in Provo, Utah. Novell sees COPS and DEN as complementary technologies that users will need for full policy-based networks, said Simpson.


Copyright 2001-2002