
Authenticated QoS Project Overview

Authenticated QoS Project Overview. Andy Adamson, Research Investigator, Center for Information Technology Integration, University of Michigan, Ann Arbor. Collaborators: Shawn McKee, University of Michigan



Presentation Transcript


  1. Authenticated QoS Project Overview
  Andy Adamson, Research Investigator
  Center for Information Technology Integration, University of Michigan, Ann Arbor

  2. Collaborators
  • Shawn McKee, University of Michigan
  • Olivier Martin, Daniel Davids, Martin Fluckiger, and Jean-Philippe Martin-Flatin, CERN
  • University of Michigan Department of Physics; University of Michigan College of Literature, Science, and the Arts; University of Michigan Office of the Vice President for Research; Merit; University Corporation for Advanced Internet Development (UCAID); European Organization for Nuclear Research (CERN); Argonne National Laboratory; The Globus Project; EU DataGrid; EU DataTAG

  3. End-to-End Performance
  • Reliable high-speed end-to-end network services are important to scientific collaborators
  • Video, audio, large data transfers
  • Long-haul networks demonstrate good performance due to overprovisioning
  • The last mile is often a network bottleneck

  4. End-to-End Pragmatics
  • Reliable end-to-end network service is achieved by reserving network resources within end-point institution networks, coupled with the good performance of overprovisioned long-haul networks.

  5. Automated Reservation
  • QoS functionality is a common feature in network hardware.
  • QoS configuration is currently done by hand.
  • We address the need for an automated network reservation system.
  • Security of all communications is vital.
  • Difficult security problem due to the cross-domain nature of end-to-end network resource allocation.

  6. Based on Globus GARA
  • GRID network reservation service
  • GSI: PKI-based cross-domain authentication
  • Requires user PK credentials
  • Our contributions:
    • Fine-grained cross-domain authorization
    • PK credentials based on Kerberos identity
    • Secure web interface

  7. Cross-domain Authorization
  • Use existing local group services
  • Avoid replicating data and management tasks
  • Group name-space shared by domains
  • Local administrators manage group membership as usual
  • KeyNote Policy Engine makes the authorization decision

  8. Cross-domain Authorization
  • KeyNote Policy Engine makes the authorization decision
  • Fine-grained authorization expressed in KeyNote policy rules:
    • Group membership
    • Amount of bandwidth allowed
    • Time/duration of reservation

  9. Local Authorization
  • Local GARA queries the local service to learn the user's group memberships.
  • Memberships are passed into KeyNote along with the reservation request parameters.
  • KeyNote compares the input parameters to the rules.
  • If authorized, the local GARA:
    • Packages the username and group membership.
    • Signs the package with its private PK key.
    • Adds it to the reservation request forwarded to the remote GARA.

  10. Remote Authorization
  • Remote GARA verifies the signature, then accepts the user name/group membership from the wire.
  • Group membership is passed into KeyNote along with the reservation request parameters.
  • KeyNote compares the input parameters to the rules to make the authorization decision.
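The local/remote exchange of slides 9 and 10, as an added Go example that is not code from the GARA project: a `Policy` struct stands in for the KeyNote rule set (group, bandwidth ceiling, time window), Ed25519 stands in for the local GARA's PK signing key, and the local group-service lookup is assumed to have already filled `Request.Groups`. The remote side verifies the signature before it trusts anything in the package, and a stricter remote policy still rejects a request the local domain approved.

```go
package main

import (
	"crypto/ed25519"
	"encoding/json"
	"fmt"
	"slices"
)

// Request: identity the local GARA vouches for (User, Groups) plus reservation parameters; names are constructed for this example.
type Request struct {
	User       string
	Groups     []string
	Mbps, Hour int // bandwidth requested and start hour (0-23)
}
// Policy stands in for the KeyNote rules on slide 8.
type Policy struct {
	Group            string // required group membership
	MaxMbps          int    // bandwidth ceiling
	MinHour, MaxHour int    // allowed window of start hours
}
// Authorize reports the first failing rule (the three demo failure cases).
func (p Policy) Authorize(r Request) error {
	switch {
	case !slices.Contains(r.Groups, p.Group):
		return fmt.Errorf("user %s not in group %s", r.User, p.Group)
	case r.Mbps > p.MaxMbps:
		return fmt.Errorf("%d Mbps exceeds limit of %d", r.Mbps, p.MaxMbps)
	case r.Hour < p.MinHour || r.Hour > p.MaxHour:
		return fmt.Errorf("hour %d outside %d-%d", r.Hour, p.MinHour, p.MaxHour)
	}
	return nil
}
// encode is the canonical wire form that is signed and verified.
func encode(r Request) []byte { b, _ := json.Marshal(r); return b }
// LocalGARA applies local policy, then signs the package with the domain's private key (Ed25519 stands in for the PK key).
func LocalGARA(priv ed25519.PrivateKey, p Policy, r Request) ([]byte, error) {
	if err := p.Authorize(r); err != nil {
		return nil, err
	}
	return ed25519.Sign(priv, encode(r)), nil
}

// RemoteGARA verifies the signature before trusting anything from the wire, then applies its own policy.
func RemoteGARA(pub ed25519.PublicKey, p Policy, r Request, sig []byte) error {
	if !ed25519.Verify(pub, encode(r), sig) {
		return fmt.Errorf("signature verification failed")
	}
	return p.Authorize(r)
}
```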

  11. Demonstration: UMICH, iGrid 2002, CERN
  Reservation fails if:
  • User not in correct group
  • Bandwidth request out of bounds
  • Time of day request out of bounds

  12. [Demonstration topology diagram; only its labels survive: CITI.UMICH.EDU, KCT/KDC, KINIT, KCA, KX509, IGRID2002, KX509 Web Server, GARA Client Browser, SSL, GSI, GARA Service, TELNET, GSI, ATLAS.UMICH.EDU, Cisco 7206, AFS PTS Group Service, GARA Service, MJpeg Host, RX, SSH, Cisco 6506, Video Conference, MJpeg Host]

  13. Any questions? http://www.citi.umich.edu/
