Authenticated QoS Signaling


Presentation Transcript


  1. Authenticated QoS Signaling
     William A. (Andy) Adamson, Olga Kornievskaia
     CITI, University of Michigan

  2. Motivation
     - Michigan High Energy Physics Group are involved in key phases of the ATLAS project
       - Video conferencing, distributed shared workspace
       - Bulk data transfer
     - Advances in QoS are necessary to further this research.
     - Impact on University of Michigan community
       - Many other projects face similar problems
       - Bandwidth allocation already an issue on campus (Napster).

  3. Participants
     - UMICH: Physics, LS&A, ITCom, OVPR
     - Merit
     - UCAID
     - ANL
     - CERN
     - PSC

  4. Vision
     - Reliable high-speed end-to-end service
       - Cross campus
       - To external sites across high-speed (Internet2) networks
     - Automated access and network configuration
     - Use of existing infrastructure
       - Currently requires hands-on work at every stage
     - Divide and conquer
       - Network tuning
       - Security component
       - Automated network configuration

  5. Project Goals
     - Realize authenticated bandwidth reservation signaling
     - Integration and extension of existing work and infrastructure
     - Distributed authorization proof of concept
     - Implement the architecture for demonstration, pre-production, and future research

  6. Not Project Goals
     - Answer all distributed authorization design questions
     - Network tuning
     - Aggregate traffic issues
     - Multicast bandwidth reservation
     - Production system

  7. Architecture
     - Construct end-point QoS network domains
       - Use QoS features in existing routers
     - Over-provision connecting networks
     - No change to the application
       - QoS reservation communication via a web interface
       - Routers mark packets, not the application

  8. QoS Network Domain
     - Bandwidth broker
     - Authorization service
     - LDAP directory service
     - X509 security infrastructure
     - Routers with packet-marking and policing features

  9. Network Path (diagram; only box and link labels survive: UMICH campus with ITCom, Physics, CITI and a bandwidth broker (BB); Merit; Cleveland; Abilene; Startap; Argonne, CERN and PSC, each with a BB; link speeds shown are 100M, 622M and 45M)

  10. Bandwidth Broker
     - GARA, from ANL
       - Integrated with their Grid reservation system
     - X509-based authentication
     - Flat file access control for authorization
     - No inter-bandwidth-broker communication

  11. Authentication
     - Globus: PKI-based GSSAPI_SSLEAY
       - Globus user proxy
         - Obviates the need for multiple password entries
         - Enables remote services to act on the user's behalf
       - No CA peering: exchange self-signed CA certificates
     - UMICH Kerberos solution: KX509 "junk keys"
       - Short-term keys granted with a valid Kerberos identity
       - Stored in the Kerberos ticket cache

  12. Authentication (diagram; box labels: Globus Client with Globus gssapi_ssleay and globus-proxy-init; Home Directory with X509 long-lived creds and X509 proxy creds; Gatekeeper; Resource Manager; GARA; WS; two Routers)

  13. Problems with long-lived keys
     - Limited access to the private key; not mobile
     - The longer a public key is distributed, the more places it is cached and the more problematic revocation becomes.
     - Short-lived kx509-generated "junk keys" address these problems

  14. Kx509 Authentication (diagram; box labels: Kerberos DB; Kerberos CA (KCA) and a KCA ticket; Globus Client with kinit, kx509, Globus gssapi_ssleay and globus-proxy-init; Kerberos Ticket Cache with X509 junk-key creds; Home Directory with X509 proxy creds; Gatekeeper; Resource Manager; GARA; WS; two Routers)

  15. Distributed Authorization
     - Problem: local users, remote resources
       - Ideally, no copying of user or resource data
       - In the common case, no extra communication
     - Solution we will explore:
       - Common LDAP namespace and schema
       - Pass authorization attributes with identity
       - Requires the ability to do SSL mutual authentication between remote sites

  16. Authorization Server
     - Akenti access control system from lbl.gov
       - Policy engine that can express complex policies
       - User attributes, resource use-conditions
       - Distributed management from many sources
     - LDAP back end
       - Internet2 middleware working group schema
       - Akenti data

  17. Akenti Authorization
     - LDAP schema required for users, resources, user-attributes and use-conditions
       - user-attributes are assigned to users
       - use-conditions are assigned to resources
     - Access for a user to a resource is determined by comparing user attributes to resource use-conditions

  18. Local Akenti Authorization
     - Akenti policy engine receives a request: can Alice reserve 10MB of bandwidth on subnet-1?
     - All data required to make the decision is held locally in the Akenti/LDAP service
     - Since Alice holds all the necessary attributes required by the resource, access is granted.
     (diagram: Akenti LDAP back end; User: alice with attributes internet2_bw_group, umich_staff_group, 10MB_bandwidth, ...; Resource: subnet-1 with use-conditions: member umich_staff_group, not member bad_users_group, member internet2_bw_group, 10MB or less bandwidth request)

  19. Akenti Authorization of Remote Resource
     - Akenti policy engine receives a request: can Alice reserve 10MB of bandwidth on remote subnet-1?
     - User data required to make the decision is held locally
     - Resource data is held by the remote Akenti/LDAP service
     - Send user identity and appropriate attributes to the remote Akenti/LDAP service over a secure channel
     (diagram: two Akenti LDAP back ends; the local one holds User: alice with attributes internet2_bw_group, umich_staff_group, 10MB_bandwidth and sends the user attributes; the remote one holds Resource: subnet-1 with use-conditions: member umich_staff_group, not member bad_users_group, member internet2_bw_group, 10MB or less bandwidth request)

  20. Akenti Authorization of Remote Resource
     - Akenti policy engine receives a request: can Alice reserve 10MB of bandwidth on remote subnet-1?
     - Remote Akenti/LDAP service compares the user attributes received off the wire to the resource use-conditions.
     - Since Alice holds all the necessary attributes required by the resource, access is granted
     (diagram: two Akenti LDAP back ends; the local one holds User: alice with attributes internet2_bw_group, umich_staff_group, 10MB_bandwidth; the remote one holds Resource: subnet-1 with use-conditions: member umich_staff_group, not member bad_users_group, member internet2_bw_group, 10MB or less bandwidth request; result: Access granted)
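Slides 17 through 20 describe one decision procedure: compare a user's attributes to the resource's use-conditions, either with all data local or after the user's realm passes identity and attributes to the realm that owns the resource. The Python below models that procedure as an added example; it is not Akenti's code or schema, and the attribute names, the realm field in the assertion, and the trusted-realm check (standing in for the SSL mutual authentication of slide 15) are assumptions.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class UseCondition:
    kind: str      # "member", "not_member" or "max_bandwidth_mb"
    value: object  # a group name, or an integer cap in MB

# Constructed local directory of user attributes (slide 18), keyed by identity.
LOCAL_USER_ATTRS = {
    "alice": frozenset({"umich_staff_group", "internet2_bw_group", "10MB_bandwidth"}),
    "bob": frozenset({"umich_staff_group", "bad_users_group"}),
}

# Constructed use-conditions for subnet-1 (slide 18), held by the realm that owns it.
SUBNET1_CONDITIONS = [
    UseCondition("member", "umich_staff_group"),
    UseCondition("not_member", "bad_users_group"),
    UseCondition("member", "internet2_bw_group"),
    UseCondition("max_bandwidth_mb", 10),
]

# Assumed: realms whose mutually authenticated peer we accept user attributes from.
TRUSTED_REALMS = {"umich.edu"}

def evaluate(attrs, conditions, request_mb):
    """Grant only if every use-condition on the resource is met; deny by default."""
    for c in conditions:
        if c.kind == "member" and c.value not in attrs:
            return False
        if c.kind == "not_member" and c.value in attrs:
            return False
        if c.kind == "max_bandwidth_mb" and request_mb > c.value:
            return False
    return True

def authorize_local(user, request_mb):
    """Slide 18: user and resource data both live in the local Akenti/LDAP service."""
    return evaluate(LOCAL_USER_ATTRS.get(user, frozenset()), SUBNET1_CONDITIONS, request_mb)

def build_assertion(user, realm):
    """Slide 19: the user's realm sends identity plus attributes (the realm field is assumed)."""
    return {"realm": realm, "user": user, "attrs": LOCAL_USER_ATTRS.get(user, frozenset())}

def authorize_remote(assertion, request_mb, peer_realm):
    """Slide 20: the resource's realm evaluates attributes received off the wire. peer_realm is
    the identity proven by SSL mutual authentication; attributes count only from a trusted peer."""
    if peer_realm not in TRUSTED_REALMS or assertion["realm"] != peer_realm:
        return False
    return evaluate(assertion["attrs"], SUBNET1_CONDITIONS, request_mb)
```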

  21. Common Namespace
     - Necessary to communicate distributed authorization decision parameters
     - Enables minimal replication of resource and user data
     - Complicates namespace administration, simplifies authorization communication
     - Each authorization realm assigns local values

  22. (untitled architecture diagram; box labels: Globus Client; GARA with GARA Access File; GK Gatekeeper; RM Resource Manager with Authorization_API; Akenti with user attributes and an LDAP back end, shown twice; CPU; Router)

  23. Status
     - Completed kx509 integration
     - Configured and tested GARA to reserve bandwidth on Cisco 7500 at UMICH
     - Preparing to test with remote bandwidth reservation
       - ANL and CERN using current functionality
     - Netscape LDAP with Internet2 Eduperson schema
     - Just starting work with Akenti

  24. Questions?
     http://www.citi.umich.edu/projects/qos
     http://www.globus.org
     http://www-itg.lbl.gov/security/Akenti