Download presentation: Authenticated QoS Signaling, William A. (Andy) Adamson


  • Number of slides: 24

Authenticated QoS Signaling
William A. (Andy) Adamson, Olga Kornievskaia
CITI, University of Michigan

Motivation
• The Michigan High Energy Physics Group is involved in key phases of the ATLAS project
  – Video conferencing, distributed shared workspace
  – Bulk data transfer
• Advances in QoS are necessary to further this research.
• Impact on the University of Michigan community
  – Many other projects face similar problems
  – Bandwidth allocation is already an issue on campus (Napster).

Participants
• UMICH - Physics, LS&A, ITCom, OVPR
• Merit
• UCAID
• ANL
• CERN
• PSC

Vision
• Reliable high speed end-to-end service
  – Cross campus
  – To external sites across high speed (Internet2) networks
• Automated access and network configuration
• Use of existing infrastructure
• Currently requires hands-on work at every stage
• Divide and conquer
  – network tuning
  – security component
  – automated network configuration

Project Goals
• Realize authenticated bandwidth reservation signaling
• Integration and extension of existing work and infrastructure
• Distributed authorization proof of concept
• Implement the architecture for demonstration, pre-production, and future research

Not Project Goals
• Answer all distributed authorization design questions
• Network tuning
• Aggregate traffic issues
• Multicast bandwidth reservation
• Production system

Architecture
• Construct end point QoS network domains
• Use QoS features in existing routers
• Over-provision connecting networks
• No change to application
  – QoS reservation communication via a web interface
  – Routers mark packets, not the application

QoS Network Domain
• Bandwidth broker
• Authorization service
• LDAP directory service
• X.509 security infrastructure
• Routers with packet-marking and policing features

Network Path (diagram; topology not recoverable as text): sites ITCom, Physics, UMICH CITI, Merit, Cleveland, Startap, Argonne, PSC, CERN and Abilene, each domain with its own bandwidth broker (BB); link speeds labelled on the slide are 100 M, 622 M and 45 M.

Bandwidth Broker
• GARA, from ANL
• Integrated with their Grid reservation system
• X.509 based authentication
• Flat file access control for authorization
• No inter-bandwidth-broker communication

Authentication
• Globus PKI based GSSAPI_SSLEAY
• Globus user proxy
  – Obviates the need for multiple password entry
  – Enables remote services to act on the user's behalf
• No CA peering: exchange self-signed CA certificates
• UMICH Kerberos solution: KX.509 "junk keys"
  – Short-term keys granted with a valid Kerberos identity
  – Stored in the Kerberos ticket cache

Authentication (diagram): Globus Client running globus gssapi_ssleay and globus-proxy-init; home directory holding X.509 long-lived credentials and X.509 proxy credentials; Gatekeeper, Resource Manager, GARA, WS and Router on the resource side.

Problems with long-lived keys
• Limited access to the private key; not mobile
• The longer you distribute a public key, the more places it is cached, and the more problematic revocation becomes.
• Short-lived KX.509-generated "junk keys" address these problems

KX.509 Authentication (diagram): kinit obtains a ticket from the Kerberos DB; kx509 presents it to the KCA (Kerberos CA) and stores X.509 junk-key credentials in the Kerberos ticket cache; the Globus Client (globus gssapi_ssleay, globus-proxy-init) derives X.509 proxy credentials in the home directory and contacts the Gatekeeper, Resource Manager, GARA, WS and Router.

Distributed Authorization
• Problem: local users, remote resources
  – Ideally, no copying of user or resource data
  – In the common case, no extra communication
• Solution we will explore:
  – Common LDAP namespace and schema
  – Pass authorization attributes with identity
  – Requires the ability to do SSL mutual authentication between remote sites

Authorization Server
• Akenti access control system from lbl.gov
  – Policy engine that can express complex policies
  – User attributes, resource use-conditions
  – Distributed management from many sources
• LDAP back end
  – Internet2 middleware working group schema
  – Akenti data

Akenti Authorization
• LDAP schema required for users, resources, user-attributes and use-conditions
• user-attributes are assigned to users
• use-conditions are assigned to resources
• Access for a user to a resource is determined by comparing user attributes to resource use-conditions

Local Akenti Authorization
• Akenti policy engine receives a request:
  – can Alice reserve 10 MB of bandwidth on subnet-1?
• All data required to make the decision is held locally in the Akenti/LDAP service
• Since Alice holds all the necessary attributes required by the resource, access is granted.

Akenti LDAP back end (diagram)
  User: alice
    internet2_bw_group
    umich_staff_group
    10MB_bandwidth
    ...
  Resource: subnet-1
    member umich_staff_group
    not member bad_users_group
    member internet2_bw_group
    10 MB or less bandwidth request

Akenti Authorization of Remote Resource
• Akenti policy engine receives a request:
  – can Alice reserve 10 MB of bandwidth on remote subnet-1?
• User data required to make the decision is held locally
• Resource data is held by the remote Akenti/LDAP service
• Send user identity and appropriate attributes to the remote Akenti/LDAP service over a secure channel

Akenti LDAP back end (diagram; user attributes sent to the remote resource)
  User: alice
    internet2_bw_group
    umich_staff_group
    10MB_bandwidth
  Resource: subnet-1
    member umich_staff_group
    not member bad_users_group
    member internet2_bw_group
    10 MB or less bandwidth request

Akenti Authorization of Remote Resource
• Akenti policy engine receives a request:
  – can Alice reserve 10 MB of bandwidth on remote subnet-1?
• The remote Akenti/LDAP service compares the user attributes received off the wire to the resource use-conditions.
• Since Alice holds all the necessary attributes required by the resource, access is granted

Akenti LDAP back end (diagram; access granted)
  User: alice
    internet2_bw_group
    umich_staff_group
    10MB_bandwidth
  Resource: subnet-1
    member umich_staff_group
    not member bad_users_group
    member internet2_bw_group
    10 MB or less bandwidth request
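The local and remote decision flow of the three Akenti slides above, as an added example that is not code from the slides or from Akenti itself. The user entries, the subnet-1 use-conditions and the `remote_akenti` callback are constructed for the example; the mutually authenticated SSL channel the slides require is represented only by a function call.

```python
# Constructed model of the Akenti-style decision: user attributes (held by the
# user's home realm) are compared against a resource's use-conditions (held by
# the realm that owns the resource). Not the project's real LDAP data.
from dataclasses import dataclass


@dataclass
class UseCondition:
    kind: str      # "member", "not_member" or "max_bandwidth_mb"
    value: object  # group name or bandwidth limit in MB


@dataclass
class Resource:
    name: str
    use_conditions: list


# Sample directory content (constructed). Attributes mirror the slide's alice entry.
LOCAL_USERS = {
    "alice": {"groups": {"internet2_bw_group", "umich_staff_group"}, "bandwidth_mb": 10},
    "bob":   {"groups": {"umich_staff_group", "bad_users_group"},    "bandwidth_mb": 10},
}
SUBNET_1 = Resource("subnet-1", [
    UseCondition("member", "umich_staff_group"),
    UseCondition("not_member", "bad_users_group"),
    UseCondition("member", "internet2_bw_group"),
    UseCondition("max_bandwidth_mb", 10),      # "10 MB or less bandwidth request"
])


def evaluate(attrs, resource, request_mb):
    """Policy engine: every use-condition must hold. Returns (granted, failed_conditions)."""
    failed = []
    for cond in resource.use_conditions:
        if cond.kind == "member":
            ok = cond.value in attrs["groups"]
        elif cond.kind == "not_member":
            ok = cond.value not in attrs["groups"]
        elif cond.kind == "max_bandwidth_mb":
            ok = request_mb <= cond.value and request_mb <= attrs["bandwidth_mb"]
        else:
            ok = False  # unknown condition kind: deny rather than ignore it
        if not ok:
            failed.append((cond.kind, cond.value))
    return (not failed, failed)


def authorize_local(user, resource, request_mb):
    """Local case: user and resource data both live in this Akenti/LDAP service."""
    return evaluate(LOCAL_USERS[user], resource, request_mb)


def authorize_remote(user, request_mb, remote_decide):
    """Remote case: ship identity plus attributes to the resource's realm; it decides."""
    message = {"identity": user, "attributes": LOCAL_USERS[user], "request_mb": request_mb}
    return remote_decide(message)   # stands in for the mutually authenticated SSL channel


def remote_akenti(message):
    """Remote realm (hypothetical): holds only subnet-1, evaluates attributes off the wire."""
    return evaluate(message["attributes"], SUBNET_1, message["request_mb"])
```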

Common Namespace
• Necessary to communicate distributed authorization decision parameters
• Enables minimal replication of resource and user data
• Complicates namespace administration, simplifies authorization communication
• Each authorization realm assigns local values

Authorization flow (diagram): Globus Client, Gatekeeper (GK) with a GARA access file, Resource Manager (RM), GK Authorization_API; user attributes are looked up in Akenti with its LDAP back end, and the RM controls the CPU and Router.

Status
• Completed kx509 integration
• Configured and tested GARA to reserve bandwidth on a Cisco 7500 at UMICH
• Preparing to test remote bandwidth reservation with ANL and CERN using current functionality
• Netscape LDAP with the Internet2 eduPerson schema
• Just starting work with Akenti

Questions?
http://www.citi.umich.edu/projects/qos
http://www.globus.org
http://www-itg.lbl.gov/security/Akenti