Directory Enabled Networks


December 3, 1998

Xinzhong Yu
Department of Computer Science and Engineering
Helsinki University of Technology
xyu@cc.hut.fi

Abstract

Directory Enabled Networks (DEN) are networks in which users and applications interact in a controlled way with network elements and network services, so that users receive predictable and repeatable services while security is strengthened and the provisioning and management of network resources is simplified. Initiated by Cisco and Microsoft, the DEN initiative is widely supported in the industry. The DEN information model and base schema are derived from CIM and X.500 together with some new concepts, and the model is object-oriented. DEN uses LDAP to access, manage, and manipulate directory information.


1. Introduction

As the Internet grows, managing a network becomes more and more complex. Information about the nodes, or devices, attached to a network is stored in a special-purpose database called a directory. A directory service is the physically distributed, logically centralized repository of infrequently changing data that is used to manage a computing environment.

Networks are becoming increasingly complex. There are many types of network elements, each running a potentially different set of protocols and services over possibly different media. As a result, a network has too many separate directory services for network administrators to manage successfully: operating system directories, RADIUS directories, DNS directories, DHCP directories, and so on. Administering all of these directories is a headache and time-consuming because of their different user interfaces, incompatible data formats, and many other problems. [4]

On May 7, 1997, Microsoft and Cisco announced a letter of intent under which Cisco would license Active Directory from Microsoft for use in managing network infrastructure and providing richer network services. Both parties would jointly develop extensions to Active Directory to integrate advanced management of network elements and services [2]. On September 24, 1997, Cisco and Microsoft announced an initiative and draft specification for directory enabled networks. This open, industry-wide initiative is intended to help customers develop rich network applications that work with offerings from a variety of network and directory vendors [1]. It should also allow service providers to simplify service delivery and to offer new sets of services to their customers.


2. What Is a Directory Enabled Network?

In short, a directory enabled network is a network in which user profiles, applications, and network services are integrated through a common information model that stores network state and exposes network information. This information allows bandwidth utilization to be optimized; it enables policy-based management; it provides a single point of administration for all network resources; and all of this lowers the total cost of ownership and improves the services that end users can rely on regardless of their physical location. [1]

2.1 Directory Services

A directory is a special-purpose database that contains information about the various resources available on a network. A directory service differs from a general DBMS in that directory information is attribute-based and more descriptive in nature. These attributes give specific information about various objects to the clients of the directory service. [4]

Directory services are optimized to store information that is read frequently but written rarely. Directories are therefore aimed at maintaining relatively static information, such as user names, email addresses, passwords, and device configuration parameters. Because this includes credentials and device configuration, access to the directory entries must itself be authenticated and access-controlled.

Rapid Internet growth over the past years has created the need for more robust, scalable, and secure directory services. DEN provides a new paradigm for using directory services, in which the directory is an authoritative, distributed, intelligent repository of information for services and applications.

2.2 Profiles

In DEN, users, applications, and services can be abstracted through profiles. A profile is a template of attributes and behaviors that describes an object or a set of objects. Profiles provide a higher level of abstraction for important system components while still allowing the fundamental objects to be modeled and operated on. A profile tells the system what needs to be done, not the specific steps necessary to do it. [1]

2.3 Policies

In a distributed networking environment, simply managing individual devices is no longer sufficient. Network administrators need to define and manage policies to control the network and its resources in a distributed, yet logically centralized, manner. Directories are simply databases; by themselves they are not designed to collect information from multiple sources and then make a policy decision.

In general, policies define what resources a given resource consumer can use in the context of a given application or service. Technically, a policy is a rule that instructs a network node on how to manage requests for network resources. It is essentially a mechanism for encoding business objectives concerning the proper use of scarce resources. [4]

2.4 DEN Specification

The DEN specification defines a schema and an information model for representing network element and service information, together with the relationships among them, gathered from the network using existing protocols and other sources of network information. An access protocol for storing and retrieving the information is also specified.

It specifies a robust directory service for storing network element and service information. It defines an extensible information model representing the structural, behavioral, and functional relationships between objects in the schema. Finally, LDAP is used as the access protocol to access, manage, and manipulate directory information. [3]


3. DEN Information Model

An information model is an abstraction of knowledge. It structures knowledge about users, applications, and networks, and how they interact, into multiple knowledge domains so that different people can use it. The structure is object-oriented.

The information model consists of three parts: [3]

  • Six base class hierarchies that form the basic framework that represents network elements and services;
  • An extensible schema based on inheritance and aggregation for modeling application-specific properties and information;
  • Simple mechanisms for establishing relationships among object instances.

The primary purpose of DEN is to separate the specification and representation of network elements and services from implementation details. A secondary purpose is to provide an extensible framework to represent vendor-specific functionality and implementation mechanisms by vendor-specific subclasses. [3]

3.1 CIM and X.500

The DEN schema incorporates concepts from both CIM and X.500. [3]

The Common Information Model (CIM), defined by the DMTF, is an object-oriented conceptual model of the information required to manage many common aspects of complex computer systems. CIM provides a rich framework, including the representation of products, systems, applications, and components that can be managed. The concepts defined by CIM are used to support the modeling of network elements and services in DEN.

X.500 is the name given to a series of standards developed by ISO and ITU-T that specify how information can be stored and accessed in a global directory service. The X.500 specification provides basic definitions for representing Person and Application objects. DEN assumes an X.500-based model of Person and Application when developing the representation of network elements and services and their binding to users and applications [3].

3.2 Information Model for Network Elements and Services

Six base class hierarchies form the root for DEN's representation of network elements and services. These are Network Device, Network Protocol, Network Media, Profile, Policy, and Network Service classes. Application-specific needs are accommodated by refining the DEN classes into more specific subclasses to represent the desired additional functionality. [3]

3.3 Exchanging Model Information

Once network elements are bootstrapped into the system, they exchange a set of queries and responses carrying information about themselves. Four different types of information are necessary to model the structural information of network elements and services: [3]

  • Intrinsic. Information essential to representing a particular element or service.
  • Configurable. Information that controls the operation of a device, or helps determine how that device or service operates.
  • Operational. Information that controls how a device or service interacts with its surrounding environment.
  • Contextual. Information defining how the device or service relates to other components in a larger, network-wide context.

3.4 Relationships

The DEN information model consists of both a data model and a relationship model. The data model is represented by the schema. The relationship model describes how different objects in the schema are related to one another.

There are three main types of relationships: links, associations, and aggregations. [3]

A link is a physical or conceptual relationship between two object instances, and can be defined as an ordered tuple. A link is an instance of an association.

An association is a group of links with a common structure and set of semantics. An association can be modeled as a class with its own attributes and methods.

An aggregation is a special type of association. It represents a relationship in which some objects are "a part of" another object. Aggregation carries additional semantics, such as transitivity, antisymmetry, separability, and property propagation.
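The relationship model above (links as ordered tuples, associations as classes of links, aggregation with its extra semantics) is small enough to implement directly. The following is an added example written for this essay, not code from the DEN specification [3]; the element names, the "Contains" aggregation and the property names ("location", "speed") are constructed for illustration. It shows transitivity as a closure over direct whole/part links, antisymmetry as a check that rejects cycles, separability as detaching a part, and property propagation as a lookup that walks up to the enclosing whole.

```python
class Element:
    """A directory object instance (a network element, card, port, ...).
    Property names such as 'location' are illustrative assumptions."""

    def __init__(self, name, **props):
        self.name = name
        self.props = dict(props)

    def __repr__(self):
        return self.name


class Link:
    """A link: an ordered tuple of object instances, one per role of its association."""

    def __init__(self, association, ends):
        self.association = association
        self.ends = tuple(ends)


class Association:
    """A group of links with a common structure (fixed roles) and semantics,
    modeled as a class with its own attributes and methods."""

    def __init__(self, name, roles):
        self.name = name
        self.roles = tuple(roles)
        self.links = []

    def link(self, *ends):
        if len(ends) != len(self.roles):
            raise ValueError(f"{self.name} expects roles {self.roles}")
        lnk = Link(self, ends)
        self.links.append(lnk)
        return lnk

    def related(self, obj, role, other_role):
        """Objects playing other_role in links where obj plays role."""
        i, j = self.roles.index(role), self.roles.index(other_role)
        return [l.ends[j] for l in self.links if l.ends[i] is obj]


class Aggregation(Association):
    """A whole/part association with the extra semantics named in the text:
    transitivity (is_part_of), antisymmetry (enforced by add_part),
    separability (remove_part) and property propagation (lookup)."""

    def __init__(self, name):
        super().__init__(name, ("whole", "part"))

    def parts(self, whole):
        return self.related(whole, "whole", "part")

    def wholes(self, part):
        return self.related(part, "part", "whole")

    def is_part_of(self, part, whole):
        """Transitive closure of the direct whole/part links (depth-first)."""
        stack, seen = [whole], set()
        while stack:
            w = stack.pop()
            for p in self.parts(w):
                if p is part:
                    return True
                if id(p) not in seen:
                    seen.add(id(p))
                    stack.append(p)
        return False

    def add_part(self, whole, part):
        # Antisymmetry: if 'whole' is already (transitively) a part of 'part',
        # or both are the same object, the new link would close a cycle.
        if whole is part or self.is_part_of(whole, part):
            raise ValueError(f"{part} cannot contain {whole}: antisymmetry violated")
        return self.link(whole, part)

    def remove_part(self, whole, part):
        """Separability: detach a part from its whole without deleting either.
        Returns True if a link was removed."""
        before = len(self.links)
        self.links = [l for l in self.links
                      if not (l.ends[0] is whole and l.ends[1] is part)]
        return len(self.links) != before

    def lookup(self, obj, prop):
        """Property propagation: a value set on a whole is visible on its parts
        unless a part overrides it; the nearest enclosing value wins."""
        if prop in obj.props:
            return obj.props[prop]
        for w in self.wholes(obj):
            value = self.lookup(w, prop)
            if value is not None:
                return value
        return None


def build_demo():
    """Constructed sample: a chassis containing a card containing a port."""
    contains = Aggregation("Contains")
    chassis = Element("chassis-1", location="Rack 4, Room 101")
    card = Element("card-3")
    port = Element("port-3/1", speed="100Mb/s")
    contains.add_part(chassis, card)
    contains.add_part(card, port)
    return contains, chassis, card, port


if __name__ == "__main__":
    contains, chassis, card, port = build_demo()
    print(contains.is_part_of(port, chassis))    # transitivity
    print(contains.lookup(port, "location"))     # propagated from the chassis
    contains.remove_part(card, port)             # separability
    print(contains.is_part_of(port, chassis))
```

The antisymmetry check is the security-relevant part: without it a mis-provisioned or attacker-written entry could make a whole a part of its own part, and any consumer that walks the aggregation (for example to propagate a policy or a location) would loop forever.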


4. DEN Base Schema

The schema of a directory defines the set of objects that can be created in that directory and the set of attributes that can be used to describe those objects.

The DEN schema consists of abstract base classes from which all other network-specific classes are derived. The base classes are refined by specialization from the basic model for representing network elements, services, consumers, etc. Figure 1 shows the functional structure of the DEN base classes, with key classes defined by CIM, X.500, and DEN listed separately.


Figure 1. Functional structure of the DEN base classes. [3]

DEN is an aggregation of concepts from the currently released version of the CIM specification (2.0), the currently released version of the X.500 specification (the 1993 edition), and a collection of new ideas. The new ideas build on the framework provided by CIM and X.500 in order to model network elements and services.

The details of the class hierarchy are beyond the scope of this essay; interested readers should refer to [3]. What follows is a list of short descriptions of the base classes.

4.1 Overview of Base Classes Derived from X.500

  • Top: Root of the directory tree.
  • Person: Generic concept of a person, an employee, a person with a residence. DEN uses it as a client to bind network services to, or as owner/administrator of a device or a service.
  • Group: Providing grouping constructs for users as well as devices.
  • Organization: Business entity to which devices and services belong.
  • Application: X.500 defines the ApplicationProcess and ApplicationEntity classes. DEN adds information so that these classes can be associated with network elements and services.
  • Alias, DSA: Necessary entities for proper directory operation.

4.2 Overview of Base Classes Derived from CIM

  • Product, FRU, etc: A collection of classes that represent a product and replaceable parts of a product. Included for completeness.
  • ManagedSystemElement: Base class for any system or system component that should be managed.
  • Configuration: Modeling the configuration and provisioning of network elements and services.
  • Service: Definition, management and delivery of network services.
  • Software: General notion of software.
  • System: Realizing the concept of a logical network element.
  • Location: Specifying the address and location of a physical element.
  • Check and Action: Used by DEN to augment notions of configuration and reboot of network devices.
  • Application: CIM adds the concept that an application is used to support a particular business function.

4.3 New DEN Classes

Enhanced and extended concepts defined by DEN:

  • NetworkService: Root of the network service hierarchy.
  • NetworkProtocol: Root of all network protocol classes.
  • Enhancements to PhysicalPackage and Card: Extensions and enhancements to include the functionality required by network devices.
  • NetworkElement: Logical aspects of a network element.

New concepts defined by DEN:

  • Policy: Rule instructing a network node on how to manage requests for network resources.
  • Profile: Template of attributes and behaviors that describe an object or a set of objects.
  • NetworkMedia: Associating the particular media of a given interface with services that are running on it.
  • LinkedContainer: Container class implementing a forward link.

Note that "Network Device" in Figure 1 is not an actual class, but rather the abstraction of changes made to existing CIM classes to realize the physical characteristics of network devices. [3]
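Section 4 says that a schema defines the set of objects that can be created and the attributes that can describe them, and that DEN classes are refined by specialization (inheritance) from the base classes. The following added example, written for this essay and not taken from the DEN specification [3], shows what that means operationally: a small schema is built from class names that appear in sections 4.1 to 4.3 (Top, ManagedSystemElement, System, NetworkElement, Policy, Profile), the MUST and MAY attribute sets are resolved through the inheritance chain, and a candidate entry is validated against them. The attribute names (name, caption, description, managementAddress, policyName, policyRule, profileName) are assumptions chosen for illustration, not the attributes defined by DEN.

```python
class ObjectClass:
    """One schema class: its superior (parent) class plus the attributes that
    entries of the class MUST and MAY carry. Attribute names are assumptions."""

    def __init__(self, name, superior=None, must=(), may=()):
        self.name = name
        self.superior = superior
        self.must = frozenset(must)
        self.may = frozenset(may)


class Schema:
    """The set of object classes and the attributes that may describe them."""

    def __init__(self):
        self.classes = {}

    def define(self, name, superior=None, must=(), may=()):
        if superior is not None and superior not in self.classes:
            raise KeyError(f"superior class {superior} is not defined")
        self.classes[name] = ObjectClass(name, superior, must, may)

    def chain(self, name):
        """The class and all its ancestors up to the root (inheritance chain)."""
        out = []
        while name is not None:
            cls = self.classes[name]
            out.append(cls)
            name = cls.superior
        return out

    def required(self, name):
        return frozenset().union(*(c.must for c in self.chain(name)))

    def allowed(self, name):
        return self.required(name) | frozenset().union(*(c.may for c in self.chain(name)))

    def validate(self, entry):
        """Check an entry (attribute -> list of values) against the schema.
        Returns a list of problems; an empty list means the entry is valid."""
        classes = entry.get("objectClass", [])
        if not classes:
            return ["entry has no objectClass"]
        unknown = [c for c in classes if c not in self.classes]
        if unknown:
            return [f"unknown objectClass {c}" for c in unknown]
        required = frozenset().union(*(self.required(c) for c in classes))
        allowed = frozenset().union(*(self.allowed(c) for c in classes)) | {"objectClass"}
        problems = []
        for attr in sorted(required - set(entry)):
            problems.append(f"missing required attribute {attr}")
        for attr in sorted(set(entry) - allowed):
            problems.append(f"attribute {attr} not allowed by {sorted(classes)}")
        for attr, values in entry.items():
            if not values:
                problems.append(f"attribute {attr} has no values")
        return problems


def den_schema():
    """A small cut of the section 4 hierarchy with assumed attribute names."""
    s = Schema()
    s.define("Top", must=("objectClass",))
    s.define("ManagedSystemElement", "Top", may=("caption", "description"))
    s.define("System", "ManagedSystemElement", must=("name",))
    s.define("NetworkElement", "System", may=("managementAddress",))
    s.define("Policy", "Top", must=("policyName", "policyRule"))
    s.define("Profile", "Top", must=("profileName",), may=("description",))
    return s


if __name__ == "__main__":
    schema = den_schema()
    router = {"objectClass": ["NetworkElement"], "name": ["rtr-1"],
              "managementAddress": ["10.0.0.1"]}          # constructed sample entry
    print(schema.validate(router))                         # []
    print(schema.validate({"objectClass": ["NetworkElement"]}))
```

Rejecting attributes the schema does not allow matters as much as requiring the mandatory ones: a directory that accepts arbitrary attributes on a Policy entry gives whoever can write it a channel for smuggling data that policy consumers were never designed to interpret.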


5. LDAP

The access protocol for DEN information is LDAP version 3. LDAP was designed to provide the most important functions of the X.500 DAP while making them much easier to implement in servers and, especially, in clients. LDAP is specifically targeted at management applications and browser applications that provide read/write interactive access to directories. Since a DEN directory holds network configuration and policy, clients should use authenticated (simple or SASL) binds and the server should enforce access controls on the entries. For detailed information about LDAP, refer to RFC 2251 and the related RFCs (RFC 2252 - 2256).
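The practical hazard in an LDAP-accessed directory is the search filter: a filter is a string (RFC 2254, one of the related RFCs named above), and an application that pastes user input into it lets the user rewrite the query. The following added example, written for this essay and not part of the DEN specification or of any LDAP library, builds the filter for looking up a user's Profile entry (Profile is a DEN class from section 4.3; "cn" as the naming attribute is an assumption) with RFC 2254 escaping, validates attribute names against the RFC 2252 attribute-description syntax, and contrasts the result with naive concatenation on a constructed malicious input.

```python
import re

# RFC 2252 attribute description: a keystring or a numeric OID, optionally with ;options.
_ATTR_RE = re.compile(r"^(?:[A-Za-z][A-Za-z0-9-]*|[0-9]+(?:\.[0-9]+)*)(?:;[A-Za-z0-9-]+)*$")

# RFC 2254: these characters carry meaning inside a filter value and must be escaped.
_SPECIAL = {"*": r"\2a", "(": r"\28", ")": r"\29", "\\": r"\5c", "\x00": r"\00"}


def escape_filter_value(value):
    """Escape an untrusted string so it is matched literally inside a filter."""
    return "".join(_SPECIAL.get(ch, ch) for ch in value)


def check_attribute_name(attr):
    """Attribute names cannot be escaped, so they are validated instead."""
    if not _ATTR_RE.match(attr):
        raise ValueError(f"illegal attribute description: {attr!r}")
    return attr


def equals(attr, value):
    return f"({check_attribute_name(attr)}={escape_filter_value(value)})"


def all_of(*filters):
    return "(&" + "".join(filters) + ")"


def any_of(*filters):
    return "(|" + "".join(filters) + ")"


def profile_filter(user):
    """Safe: find the Profile entry named by user (cn as naming attribute is assumed)."""
    return all_of(equals("objectClass", "Profile"), equals("cn", user))


def profile_filter_unsafe(user):
    """Naive concatenation, kept only to show what the escaping prevents."""
    return f"(&(objectClass=Profile)(cn={user}))"


def top_level_clauses(filt):
    """Count the direct sub-filters of a compound (&...) or (|...) filter by
    tracking parenthesis depth. Injected text adds clauses; escaped text cannot."""
    depth, count = 0, 0
    for ch in filt[2:-1]:
        if ch == "(":
            if depth == 0:
                count += 1
            depth += 1
        elif ch == ")":
            depth -= 1
    return count


if __name__ == "__main__":
    hostile = "*)(objectClass=*"        # constructed attacker-controlled user name
    print(profile_filter_unsafe(hostile))  # matches every Profile entry
    print(profile_filter(hostile))         # matches only that literal cn value
```

The unsafe filter for the hostile input becomes `(&(objectClass=Profile)(cn=*)(objectClass=*))`, a syntactically valid filter with three clauses that matches every Profile in the directory; the escaped version keeps two clauses and can only match an entry whose cn is literally `*)(objectClass=*`.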


6. Conclusions

The DEN initiative, launched in September 1997 by Cisco and Microsoft, is intended to promote consistent modeling of network elements and services across heterogeneous directories. Driven by two major parties and supported by many other large companies, DEN will shape the future of network management and application development.




Abbreviations

CIM Common Information Model
DAP Directory Access Protocol
DBMS Database Management System
DEN Directory Enabled Networks
DHCP Dynamic Host Configuration Protocol
DMTF Desktop Management Task Force
DNS Domain Name Service
DSA Directory System Agent
ISO International Organization for Standardization
ITU-T International Telecommunication Union - Telecommunication Standardization Sector
LDAP Lightweight Directory Access Protocol
RADIUS Remote Authentication Dial-In User Service


References

[1] Cisco Systems, Inc., Directory Enabled Networks (DEN) - Frequently Asked Questions, 4.11.1997 [referred 27.9.1998]
<http://www.cisco.com/warp/public/734/den/drsrv_qp.htm>
[2] Cisco Systems, Inc., Microsoft and Cisco Collaborate to Establish Directory Services Standard, 7.5.1997 [referred 27.9.1998]
<http://192.31.7.130/warp/public/146/1870.html>
[3] Judd, Steven & Strassner, John, Directory Enabled Networks - Information Model and Base Schema (Version 3.0c), 21.7.1998 [referred 27.9.1998]
<http://murchiso.com/den/specifications/directory-enabled-networks-v3-lastcall.pdf>
[4] Semeria, Chuck & Fuller, Frank, Directory-Enabled Networks and 3Com's Framework for Policy-Powered Networking, 23.6.1998 [referred 27.9.1998]
<http://www.3com.com/technology/tech_net/white_papers/500665.html>
<http://www.3com.com/technology/tech_net/white_papers/pdf/50066501a.pdf>


Further Information

3Com's Framework For Policy-Based Networking
A document outlining a common framework and model for discussing policy issues within the context of DEN, the DMTF, and the industry in general.

Cisco Networking Services Enable New Class of Network-Aware Applications
Cisco's News release.

Cisco Networking Services for Active Directory
Cisco's statement of direction about CNS/AD.

Cisco Networking Services for Active Directory (Questions and Answers)
Questions and Answers about CNS/AD.

Cisco Networking Services for Active Directory Enabling the Power of the Network
Cisco's data sheet about Cisco Networking Services for Active Directory (CNS/AD).

Customer Requirements section for Directory-enabled Networks Spec
An email concerning the DEN specification.

DEN Base Schema: Attributes
A list of attributes for all the classes in the hierarchy.

Device Class Hierarchy
The specification about Device class hierarchy.

DHCP Implementation Schema for DEN
DEN specification for DHCP.

Directory Services Collaboration - Frequently Asked Questions (FAQ)
Cisco's news release about Cisco and Microsoft's directory service collaboration.

IPSec DEN Specification
DEN specification for IPSec.

Meta IP for NT - DHCP, DDNS and IP Management for NT
Meta IP 4.0, a network management product.

Network-Aware Business Solutions
Cisco's white paper about Cisco Networking Services.

Novell Directory Services: DEN and NDS - Enabling Intelligent Networks
Novell's role in DEN.

Novell Directory Services: How Does Netscape Directory Server Stack Up?
Novell's competitive information analysis.

Policy-Powered Networking and the Role of Directories
An overview of how 3Com will use directories as part of its strategy for policy-powered networks.