ESnet RADIUS Authentication Fabric
Michael Helm, ESnet/LBNL
GGF-12 Sec Workshop, 18 Sep 2004

What Does the RAF Do?
[Diagram: site RADIUS servers (r) at ORNL, PNNL, ANL and NERSC, each fronting its own OTP Service and serving a local App, peer with the ESnet RAF federation hub (R). Each site r lists the realms anl.gov, nersc.gov, pnnl.gov and ornl.gov; the RAF hub lists those realms plus es.net.]

What Is the Grid Integrated RAF?
[Diagram, proposal Apr 2004; a special case of GridLogon. Components: ESnet Root CA signs a Subordinate CA (HSM, Subordinate CA Engine, OCSP); OTP Services; ESnet Radius; PAM; MyProxy (Manage myProxy, Credentials, SIPS Auth DB).]
Flow, as numbered in the diagram:
1. Log in
2. Ask AuthN; hint OTP
3. OTP verification
4. Auth OK; Namestring; Sign Proxy
5. Receive Proxy Cert
6. (Opt) Store Proxy
7. Execute

RAF Benefits & Features
• O(n) peering
• Authorization decision controlled by site (sound familiar?)
• Single token per person
• Interoperability on an open, standard, industry-supported AAA protocol
• WAN use of RADIUS (RFC 2865)
• Federation

ESnet RAF Architecture
[Diagram: at each of Site 1, Site 2 … Site n, an Application with a RADIUS client (Rc) talks to the Site RADIUS server, which is backed by the site's AuthN Authority (OTP). The site RADIUS servers connect to the ESnet RAF, made up of RADIUS Proxy routers with Site Replication, over a VPN (IPsec) carried on the ESnet Network (IP).]
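The three slides above describe the same mechanism from three angles: a user logs in as user@realm at one site, the site RADIUS server forwards the Access-Request to the ESnet RAF hub, and the hub routes it by realm to the home OTP service over RFC 2865, so every site keeps one peering with the hub (O(n)) rather than one with every other site. The example below, added here and not code from ESnet or the RAF project, shows the hub's hop in working code: realm lookup, the RFC 2865 User-Password hiding and its reversal, re-hiding under the home server's secret, and Response Authenticator verification of the reply. The realm table, hostnames and shared secrets are constructed placeholders. The hiding scheme is the MD5-based one RFC 2865 specifies, which is one reason the architecture slide puts the WAN hops inside an IPsec VPN.

```python
import hashlib
import hmac
import os
import struct

# RFC 2865 codes and attribute types used here.
ACCESS_REQUEST, ACCESS_ACCEPT = 1, 2
ATTR_USER_NAME, ATTR_USER_PASSWORD = 1, 2

# Constructed realm table and per-peer secrets (placeholders, not ESnet's).
# The hub holds one secret per peer server: O(n) peering, not O(n^2).
REALM_ROUTES = {
    "anl.gov": "radius.anl.gov", "nersc.gov": "radius.nersc.gov",
    "pnnl.gov": "radius.pnnl.gov", "ornl.gov": "radius.ornl.gov",
}
PEER_SECRETS = {host: host.encode() + b"-hub-secret" for host in REALM_ROUTES.values()}


def route_realm(user_name):
    """Home server for user@realm; a missing or unknown realm is refused,
    never forwarded to some default peer."""
    if "@" not in user_name:
        raise ValueError("no realm in User-Name")
    realm = user_name.rsplit("@", 1)[1].lower()
    if realm not in REALM_ROUTES:
        raise ValueError("unknown realm: " + realm)
    return REALM_ROUTES[realm]


def hide_password(password, secret, request_auth):
    """RFC 2865 s5.2: pad to 16-byte blocks, XOR each block with
    MD5(secret + previous ciphertext block), seeded by the Request Authenticator."""
    if not 1 <= len(password) <= 128:
        raise ValueError("User-Password must be 1..128 bytes")
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        prev = bytes(p ^ k for p, k in zip(padded[i:i + 16], key))
        out += prev
    return out


def reveal_password(hidden, secret, request_auth):
    """Inverse of hide_password; the chaining input is the hidden block."""
    out, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        key = hashlib.md5(secret + prev).digest()
        out += bytes(c ^ k for c, k in zip(hidden[i:i + 16], key))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")


def attribute(attr_type, value):
    return bytes([attr_type, 2 + len(value)]) + value


def parse_attributes(data):
    """Type/Length/Value list; Length covers the two header bytes."""
    attrs, pos = [], 0
    while pos < len(data):
        t, length = data[pos], data[pos + 1]
        if length < 2 or pos + length > len(data):
            raise ValueError("malformed attribute")
        attrs.append((t, data[pos + 2:pos + length]))
        pos += length
    return attrs


def build_access_request(identifier, user_name, password, secret, request_auth=None):
    request_auth = request_auth or os.urandom(16)
    attrs = attribute(ATTR_USER_NAME, user_name.encode())
    attrs += attribute(ATTR_USER_PASSWORD, hide_password(password.encode(), secret, request_auth))
    return struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(attrs)) + request_auth + attrs


def response_authenticator(code, identifier, attrs, request_auth, secret):
    """RFC 2865 s3: MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    hdr = struct.pack("!BBH", code, identifier, 20 + len(attrs))
    return hashlib.md5(hdr + request_auth + attrs + secret).digest()


def build_response(code, identifier, request_auth, secret, attrs=b""):
    hdr = struct.pack("!BBH", code, identifier, 20 + len(attrs))
    return hdr + response_authenticator(code, identifier, attrs, request_auth, secret) + attrs


def verify_response(packet, request_auth, secret):
    """Check the Response Authenticator before trusting an Access-Accept."""
    if len(packet) < 20:
        return False
    code, identifier, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet):
        return False
    expected = response_authenticator(code, identifier, packet[20:], request_auth, secret)
    return hmac.compare_digest(packet[4:20], expected)


def proxy_forward(packet, site_secret):
    """Hub hop: validate the site's Access-Request, choose the home server by
    realm, and re-hide the password under that peer's secret with a fresh
    Request Authenticator. Returns (home_server, forwarded_packet, new_auth)."""
    code, identifier, length = struct.unpack("!BBH", packet[:4])
    if code != ACCESS_REQUEST or length != len(packet):
        raise ValueError("not a well-formed Access-Request")
    attrs = dict(parse_attributes(packet[20:]))
    user_name = attrs[ATTR_USER_NAME].decode()
    home = route_realm(user_name)
    password = reveal_password(attrs[ATTR_USER_PASSWORD], site_secret, packet[4:20])
    new_auth = os.urandom(16)
    return home, build_access_request(identifier, user_name, password.decode(),
                                      PEER_SECRETS[home], new_auth), new_auth
```

The proxy must keep the original Request Authenticator and the new one it generated, because the site's reply and the home server's reply are each bound to a different authenticator and secret; a reply verified against the wrong pair fails in verify_response, which is the intended outcome.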
RAF Current Issues (current: 6 – 18 mos; * = Grid issue)
• Reliability – Replication
  • Currently a RAF issue, but also applies to site RADIUS/OTP
• * Federation
• * Application Integration
  • Where's our "Grid Integration" solution?
  • PAM – more layers!
• * Name management (Fed/App Integration)
  • Essential issue for Grid integration
• *? OTP Service Reliability
  • "Transit time"; resync; loss
  • * Federation
• *? Integrity & Security
  • VPN
  • See later
• Market research – size/scope of deployment

RAF Current Issues (on the federation diagram)
[Diagram: the same ORNL, PNNL, ANL and NERSC site RADIUS servers (r) with their OTP Services peering with the ESnet RAF (R), annotated with the current issues: OTP/C&R, Integrity/Security, Reliability/Replication, Transit time, Application Integration, Federation.]

RAF Long Term Issues (future: 12 – 48 mos; * = Grid issue)
• RAF support for other protocols
  • Kerberos
  • Web services
  • EAP/TLS
  • Myproxy Protocol
• End to End integrity
  • "AuthA" protocol
• Application integration
  • Always an issue
  • Architecture: fan-out/gateway
• Firewalls
  • RADIUS
AuthA
• An OTP-based key-exchange technology that offers protection against:
  • capture of the user's password
  • capture of the server's password database
  • dictionary attacks on the user's password
  • denial-of-service attacks
• An OTP-based DH key-exchange technology that allows users to connect from an untrusted terminal and still preserve the privacy of data transmitted on the wire:
  • confidentiality, authenticity, and integrity of the data
  • mutual authentication of the user and the server
• Technology publication:
  • M. Abdalla, O. Chevassut, and D. Pointcheval, "One-Time Verifier-Based Encrypted Key Exchange", submitted for publication to the 8th International Workshop on Practice in Public-Key Cryptography, Feb 2005.
Conclusion
• Successful RAF demonstration project
  • Engineering and user experience issues
• Ready to proceed to pilot
  • Need Grid Integration
• First step toward Auth Fabric
  • Support more protocols
  • Federation
  • Successor to RADIUS

Demo
• http://topaz.es.net/secure/index.html
• http://panda.ccs.ornl.gov/radius/index.html
Fusion Grid Firewall Issues
Michael Helm, ESnet/LBNL
GGF-12 Sec Workshop, 18 Sep 2004

Comments
• Each site is protected by a firewall
• Different firewall technology
• OTP is probably a feature
• Need single sign-on, delegation, autonomous processes…

Fusion Grid
• Use case comes from Dave Schissel
• Evolved from discussion of OTP
• 2 of 3 labs in FusionGrid already have a SecurID infrastructure
• Need direct support
• Need to identify path to solution