Using RDF for Home Network Configuration
Total Page:16
File Type:pdf, Size:1020Kb
☞ ☞ SWAD-Europe: WP11.1: Using RDF for Home Network Configuration Project name: Semantic Web Advanced Development for Europe (SWAD-Europe) Project Number: IST-2001-34732 Workpackage name: WP 11: Distributed Trust Systems Workpackage description: ☞http://www.w3.org/2001/sw/Europe/plan/workpackages/live/esw-wp-11.html Deliverable title: Framework for Security and Trust Standards URI: Authors: ☞Graham Klyne, Ninebynine.org. ☞Brian Matthews, CCLRC. Abstract: This memo describes the use of RDF metadata in configuring Internet access from a home network. Its goal is to demonstrate the practical applicability of common semantic web technologies in a simple real-world based scenario. The work has been inspired in part by an architectural proposal for XML network configuration submitted to the IETF. Status: First draft: 2002-12-22 Deliverable release: 2004-06-15 Comments on this document should be sent to the public SWAD-Europe mailing list, ☞[email protected], ☞1. Introduction ☞1.1 Structure of this memo ☞2. Background ☞3. Vocabulary for network user access policies ☞3.1 A note about access permission logic ☞4. Vocabulary for network address configuration ☞5. Vocabulary for network device configuration ☞6. Rules for creating configuration data ☞7. Templates for creating configuration files ☞8. Conclusions ☞8.1 Some lessons learned ☞8.2 Ideas for better inference capabilities ☞8.3 Further work ☞9. Acknowledgements ☞§ References ☞§ Author's Address ☞A. Revision history ☞B. Unresolved issues 1. Introduction - This memo describes the use of RDF metadata in configuring ☞ TOC Internet access from a home network. Its goal is to illustrate the practical applicability of common semantic web technologies in a simple real-world based scenario. The work has been inspired in part by an architectural proposal ☞[6] for XML network configuration submitted to the IETF. It has also been undertaken as an experiment in manipulating access control data represented using RDF, as a continuation of some survey work described in a previous memo, ☞Framework for Security and Trust Standards[16]. 1.1 Structure of this memo This document is organized as follows: Section 2 introduces the scenario addressed by this demonstration. Sections 3-5 introduce the RDF vocabulary used to describe the scenario and the results obtained. Section 6 discusses the inference process used to create RDF data that closely matches the resulting configuration files. Section 7 describes the software used to generate the required configuration data from RDF. The remaining sections discuss some implications of this work. The files used by this demonstration can be found by following the links from ☞http://www.ninebynine.org/SWAD-E/Intro.html#HomeNetAccessDemo. In particular, the RDF/N3 (Notation3) source files used are: Network and access policy description: ☞users.n3 Access policy transformation rules: ☞configrules.n3 Configuration files generation template: ☞configfiles.n3 2. Background - The background scenario for this example use of RDF metadata ☞ TOC is a home business network connected to the Internet by a Cisco dial-on-demand ISDN router. This illustration is also available in ☞PDF format. Network access is provided by an ISP dial-up account that provides unmetered access up to a specified weekly limit. The network users are two parents who use the Internet for business, and two children who use it for play and social purposes. The working adults require occasional access at any time. The children's access has to be restricted, otherwise they would quickly exceed the total connect time allowed by the ISP. The Cisco ISDN router runs Cisco's proprietary IOS software, which has a system of IP-addressed based filters that are quite capable of restricting access at different times based on the IP address of the internal host. Creating the correct IOS configuration files for this kind of selective filtering is quite a tricky task. The router can accept an externally defined configuration via the TFTP protocol. Within the local network, machines are assigned IP addresses using DHCP. The DHCP service is provided by a Linux host running DHCPD and a local DNS service. Given all this, the goal is to use RDF to specify the access policy and device configuration requirements, and use some available RDF tools to generate the desired configuration files for the Cisco ISDN router and the Linux-based services. The general idea is illustrated thus: This illustration is also available in ☞PDF format. 3. Vocabulary for network user access policies - This section presents the ☞ TOC metadata used to describe the network users and access policies. Vocabularies used: rdf: ☞RDF core vocabulary[1]: essential RDF terms. Namespace ☞http://www.w3.org/1999/02/22-rdf-syntax-ns#. rdfs: ☞RDF schema[2]: RDF schema (vocabulary description) terms. Namespace ☞http://www.w3.org/2000/01/rdf-schema#. foaf: ☞friend-of-a-friend[9]: for describing basic information about people. Namespace ☞http://xmlns.com/foaf/0.1/. ical: ☞RDF schema for iCalendar[10]: for describing Internet access schedules. Namespace ☞http://www.ilrt.bris.ac.uk/discovery/2001/06/schemas/ical- full/hybrid.rdf#. icalutil: ☞iCalendar ancillary terms[10]: Some additional vocabulary defining for use in conjunction with some of the ical: terms. There are two namespace URIs in circulation. Namespace ☞http://ilrt.org/discovery/2001/06/schemas/ical-util# or ☞http://ilrt.org/discovery/2001/06/schemas/swws/index.rdf#. The demonstration code described here uses the former value. user: a new vocabulary for describing network user characteristics. Namespace ☞http://id.ninebynine.org/wip/2002/user/. homenet: a new namespace for components and devices on the local network that is the target of this demonstration. Namespace ☞http://id.ninebynine.org/wip/2002/user/. Describing network users and access policies: Class foaf:Person Describes a network user with the following properties: foaf:name Name of user. foaf:mbox Email address of user (mailto: URI). user:usesHost A user:HostSystem resource that corresponds to a network host that is commonly used by this person. The user's access rights are applied to this host. This property may be repeated if the person described commonly uses more than one network host. user:accessType A user:AccessPolicy resource that represents the person's access rights. Class user:HostSystem Describes a network host system with the following properties: rdfs:label A brief descriptive label for this machine. rdfs:comment A description of this machine. user:hostName Local name of machine (prepend to network domain to get FQDN). user:localNet A user:LocalNetwork resource that represents the local network, and to which network-wide information is attached. user:hostIP IP address of this machine on local network, as "x.x.x.x", where each x is a 0-255 numeral. user:hostMAC MAC (Ethernet) hardware address of this machine, as "hh:hh:hh:hh:hh:hh", where each hh is a 2-digit hexadecimal numeral. user:systemAdmin A foaf:Person resource that indicates the person who is generally responsible for administration of this system. user:accessType A user:AccessPolicy resource that represents the access rights to be allowed for this host. This may be specified directly, or inferred from properties of any declared user. user:usedBy A foaf:Person resource that represents a person who generally uses this host, and whose access permissions should be applied to this host. This may be specified directly, or inferred. user:usedByName The name (i.e. foaf:name property) of a person who generally uses this host (cf. user:usedBy). Class user:LocalNetwork Describes network-wide characteristics of the local network, with the following properties: rdfs:label A brief descriptive label for this network. rdfs:comment A description of this network. user:dhcpHostName Local name of machine that provides DHCP and other host configuration services for this network (prepend to network domain to get FQDN). user:netbiosServer Local name of machine that provides netbios name services for this network (prepend to network domain to get FQDN). user:networkDomain The DNS domain name for this network, without leading or trailing '.' characters. user:networkAddr The IP subnet address for this network, as "x.x.x.x". user:networkMask The IP subnet mask for this network, as "x.x.x.x". user:broadcastAddr The IP local net broadcast address for this network, as "x.x.x.x". user:defaultGateway A user:HostSystem resource that represents the default gateway (IP router) for the current network. user:defaultDNS A list of IP addresses of DNS servers that are available to hosts on the current network. user:dhcpPoolStart The first IP address in the pool of addresses allocated by DHCP for hosts on this network, as "x.x.x.x". user:dhcpPoolEnd The first IP address in the pool of addresses allocated by DHCP for hosts on this network, as "x.x.x.x". user:addressPool The range of IP addresses allocated by DHCP for hosts on this network, as "x.x.x.x y.y.y.y". (This information duplicates user:dhcpPoolStart and user:dhcpPoolEnd, and should be eliminated, but has been defined here to simplify some internal processing. There is a general issue here that address values are not easily manipulated by general RDF tools like cwm, so additional inputs may be provided as a way to avoid having to define difficult and complex inference rules.) user:defaultAccess A user:AccessPolicy resource that represents the access rights to be allowed for hosts that do not otherwise have any access rights defined. (This is not currently used, as it represents a kind of default reasoning that doesn't sit comfortably in RDF.) Class user:AccessPolicy Describes an access policy that may be applied to a network user or host. Ultimately it is enforced on a per-host basis. An access policy is described using the following properties: rdfs:label Display name for this access policy.