Authenticated QoS Signaling William A. (Andy) Adamson Olga Kornievskaia CITI, University of Michigan

Post on 14-Dec-2015



Motivation

• Michigan High Energy Physics Group is involved in key phases of the ATLAS project

– Video conferencing, distributed shared workspace

– Bulk data transfer

• Advances in QoS are necessary to further this research.

• Impact on University of Michigan Community

– Many other projects face similar problems

– Bandwidth allocation already an issue on campus (Napster).

Participants

• UMICH - Physics, LS&A, ITCom, OVPR

• Merit

• UCAID

• ANL

• CERN

• PSC

Vision

• Reliable high speed end to end service

– Cross campus

– To external sites across high speed (Internet2) networks

• Automated access and network configuration

• Use of existing infrastructure

• Currently requires hands on at every stage

• Divide and conquer

– network tuning

– security component

– automated network configuration

Project Goals

• Realize authenticated bandwidth reservation signaling

• Integration and extension of existing work and infrastructure

• Distributed authorization proof of concept

• Implement the architecture for demonstration, pre-production, and future research

Not Project Goals

• Answer all distributed authorization design questions

• Network tuning

• Aggregate traffic issues

• Multicast bandwidth reservation

• Production system

Architecture

• Construct end point QoS network domains

• Use QoS features in existing routers

• Over provision connecting networks

• No change to application

– QoS reservation communication via a web interface

– Routers mark packets, not application

QoS Network Domain

• Bandwidth broker

• Authorization service

• LDAP directory service

• X509 security infrastructure

• Routers with packet-marking and policing features

Network Path (diagram)

Sites shown: CITI, ITCom, Physics and UMICH; Merit; Startap; Argonne; Cleveland (PSC); Abilene; CERN. Links are labelled 622M, 100M and 45M. A bandwidth broker (BB) sits in each domain, including PSC.

Bandwidth Broker

• GARA, from ANL

• Integrated with their Grid reservation system

• X509 based authentication

• Flat file access control for authorization

• No inter bandwidth broker communication

Authentication

• Globus PKI based GSSAPI_SSLEAY

• Globus user proxy

– Obviates the need for multiple password entry

– Enables remote services to act on the user's behalf

• No CA peering: exchange self-signed CA certificates

• UMICH Kerberos solution: KX509 - junk keys

– Short term keys granted with valid kerberos identity

– Stored in kerberos ticket cache

Authentication (diagram)

Components shown: Globus Client, gssapi_ssleay, Globus Gatekeeper, Resource Manager, Home Directory, GARA, Routers, WS. Credentials shown: X509 long lived creds; X509 proxy creds, produced by globus-proxy-init.

Problems with long lived keys

• Limited access to private key, not mobile

• The longer you distribute a public key, the more places it is cached, and the more problematic revocation becomes.

• Short-lived kx509 generated ‘junk keys’ address these problems
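The credential chain on the Authentication and Kx509 slides (long-lived CA identity, short-lived kx509 junk key granted on a Kerberos identity, Globus proxy credential derived from it by globus-proxy-init) can be exercised with a small model. The following is an added illustration written for this page, not kx509 or Globus code. It assumes a toy signature scheme: HMAC-SHA256 over the credential fields with the issuer's key stands in for an RSA signature, so the verifier uses the issuer's key the way it would use the issuer's public key. The subjects, lifetimes and revocation list are constructed sample values.

```python
"""Toy model of the kx509 credential chain (added example, not project code).
HMAC-SHA256 stands in for the X.509 signature; names and lifetimes are constructed."""
import hashlib
import hmac
from dataclasses import dataclass
from typing import Optional, Set, Tuple

HOUR = 3600


@dataclass
class Credential:
    subject: str
    issuer: str
    not_before: int            # seconds since epoch (constructed values below)
    not_after: int
    holder_key: bytes          # key the holder uses to sign credentials it issues (toy stand-in for a key pair)
    signature: bytes = b""     # issuer's HMAC over fields()
    issuer_cred: Optional["Credential"] = None

    def fields(self) -> bytes:
        return f"{self.subject}|{self.issuer}|{self.not_before}|{self.not_after}".encode()

    def lifetime(self) -> int:
        return self.not_after - self.not_before


def issue(subject: str, issuer: Credential, now: int, lifetime: int, holder_key: bytes) -> Credential:
    """Issuer signs a new credential for `subject` valid for `lifetime` seconds from `now`."""
    cred = Credential(subject, issuer.subject, now, now + lifetime, holder_key, issuer_cred=issuer)
    cred.signature = hmac.new(issuer.holder_key, cred.fields(), hashlib.sha256).digest()
    return cred


def validate(cred: Credential, now: int, trust_anchor: Credential, crl: Set[str]) -> Tuple[bool, str]:
    """Walk from `cred` up to the trust anchor, checking signature and validity window on
    every link, so a proxy cannot outlive the junk key that signed it. A revocation check
    is applied only to long-lived links: a credential that expires within a day is gone
    before a CRL could reach every cache, which is the point of the junk-key design."""
    chain = []
    link = cred
    while link is not None and link is not trust_anchor:
        chain.append(link)
        link = link.issuer_cred
    if link is None:
        return False, "no path to trust anchor"
    for c in chain:
        issuer = c.issuer_cred
        expected = hmac.new(issuer.holder_key, c.fields(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, c.signature):
            return False, f"bad signature on {c.subject}"
        if not c.not_before <= now < c.not_after:
            return False, f"{c.subject} outside validity window"
        if c.lifetime() > 24 * HOUR and c.subject in crl:
            return False, f"{c.subject} revoked"
    return True, "ok"


# Constructed sample: a CA, a kx509 junk key granted on Alice's Kerberos identity (8 hours),
# the proxy credential globus-proxy-init derives from it, and a long-lived cert for comparison.
NOW = 1_000_000
CA = Credential("UMICH Kerberos CA", "UMICH Kerberos CA", 0, 20 * 365 * 24 * HOUR, b"ca-secret-key")
JUNK_KEY = issue("alice", CA, NOW, 8 * HOUR, b"alice-junk-key")
PROXY = issue("alice/proxy", JUNK_KEY, NOW, 12 * HOUR, b"alice-proxy-key")
LONG_LIVED = issue("bob", CA, NOW, 365 * 24 * HOUR, b"bob-long-key")
CRL = {"bob"}   # constructed revocation list


if __name__ == "__main__":
    print(validate(PROXY, NOW + HOUR, CA, CRL))        # accepted: every link valid
    print(validate(PROXY, NOW + 9 * HOUR, CA, CRL))    # refused: junk key expired, and the proxy with it
    print(validate(LONG_LIVED, NOW + HOUR, CA, CRL))   # refused: long-lived cert is on the CRL
```

The second call is the property the slide is after: the proxy was issued for twelve hours, but the chain walk rejects it once the eight-hour junk key behind it has expired, so nothing cached beyond the junk key's lifetime remains usable and no revocation round trip is needed for it.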

Kx509 Authentication (diagram)

Components shown: Globus Client, gssapi_ssleay, Globus Gatekeeper, Resource Manager, Home Directory, Kerberos Ticket Cache, Kerberos DB, Kerberos CA (KCA), GARA, Routers, WS. Credentials shown: Kerberos ticket from kinit, KCA ticket, X509 junk-key creds from kx509, X509 proxy creds from globus-proxy-init.

Distributed Authorization

• Problem: local users, remote resources

– Ideally, no copying of user or resource data

– In common case, no extra communication

• Solution we will explore:

– Common LDAP namespace and schema

– Pass authorization attributes with identity

– Requires the ability to do SSL mutual authentication between remote sites

Authorization Server

• Akenti access control system from lbl.gov

– Policy engine that can express complex policies

– User attributes, resource use-conditions

– Distributed management from many sources

• LDAP back end

– Internet2 middleware working group schema

– Akenti data

Akenti Authorization

• LDAP schema required for users, resources, user-attributes and use-conditions

• user-attributes are assigned to users

• use-conditions are assigned to resources

• Access for a user to a resource is determined by comparing user attributes to resource use-conditions

Local Akenti Authorization

Akenti LDAP back end:

User: alice (attributes: internet2_bw_group, umich_staff_group, 10MB_bandwidth, …)

Resource: subnet-1 (use-conditions: member umich_staff_group; not member bad_users_group; member internet2_bw_group; 10MB or less bandwidth request)

• Akenti policy engine receives a request: can Alice reserve 10MB of bandwidth on subnet-1?

• All data required to make the decision is held locally in the Akenti/LDAP service

• Since Alice holds all the necessary attributes required by the resource, access is granted.

Akenti Authorization of Remote Resource

• Akenti policy engine receives a request: can Alice reserve 10MB of bandwidth on remote subnet-1?

• User data required to make the decision is held locally

• Resource data held by remote Akenti/LDAP service

• Send user identity and appropriate attributes to the remote Akenti/LDAP service over secure channel

Local Akenti LDAP back end: User: alice (attributes: internet2_bw_group, umich_staff_group, 10MB_bandwidth)

Remote Akenti LDAP back end: Resource: subnet-1 (use-conditions: member umich_staff_group; not member bad_users_group; member internet2_bw_group; 10MB or less bandwidth request)

User attributes are sent from the local service to the remote one.

Akenti Authorization of Remote Resource

• Akenti policy engine receives a request: can Alice reserve 10MB of bandwidth on remote subnet-1?

• Remote Akenti/LDAP service compares the user attributes received off the wire to the resource use-conditions.

• Since Alice holds all the necessary attributes required by the resource, access is granted

Local Akenti LDAP back end: User: alice (attributes: internet2_bw_group, umich_staff_group, 10MB_bandwidth)

Remote Akenti LDAP back end: Resource: subnet-1 (use-conditions: member umich_staff_group; not member bad_users_group; member internet2_bw_group; 10MB or less bandwidth request)

Access granted
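The local and remote Akenti decisions on the preceding four slides follow one rule: every use-condition of the resource is checked against the user's attributes, and in the remote case the home realm ships identity plus attributes to the realm that holds the resource. The following is an added example written for this page, not Akenti code. It assumes a three-kind condition grammar (member, not_member, max_request_mb) chosen to cover the subnet-1 policy, two constructed realms (umich holding users, anl holding the remote subnet-1), and a user "mallory" constructed to show the not-member check; the mutually authenticated SSL channel the slides require is not modelled, only the message it would carry.

```python
"""Added illustration of attribute/use-condition evaluation (not Akenti code).
Condition kinds, realm names and users are assumptions for this example."""
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple


@dataclass(frozen=True)
class UseCondition:
    kind: str    # "member", "not_member" or "max_request_mb" (assumed grammar)
    value: str


def evaluate(user_attrs: Set[str], request_mb: int, conditions: List[UseCondition]) -> Tuple[bool, List[str]]:
    """Compare user attributes to resource use-conditions; access requires every condition to hold.
    Unknown condition kinds fail closed rather than being skipped."""
    failures: List[str] = []
    for cond in conditions:
        if cond.kind == "member":
            if cond.value not in user_attrs:
                failures.append(f"missing attribute {cond.value}")
        elif cond.kind == "not_member":
            if cond.value in user_attrs:
                failures.append(f"holds excluded attribute {cond.value}")
        elif cond.kind == "max_request_mb":
            if request_mb > int(cond.value):
                failures.append(f"request {request_mb}MB exceeds {cond.value}MB")
        else:
            failures.append(f"unknown use-condition {cond.kind}")
    return (not failures), failures


@dataclass
class Realm:
    """One Akenti/LDAP service: its own users (attributes) and resources (use-conditions)."""
    name: str
    users: Dict[str, Set[str]]
    resources: Dict[str, List[UseCondition]]

    def decide_local(self, user: str, resource: str, request_mb: int) -> Tuple[bool, List[str]]:
        # Local case: user attributes and resource use-conditions are both in this realm's LDAP.
        return evaluate(self.users[user], request_mb, self.resources[resource])

    def attributes_with_identity(self, user: str) -> Dict[str, object]:
        # Message the home realm sends over the secure channel: identity plus authorization attributes.
        # Both realms use the common schema, so the attribute names mean the same thing remotely.
        return {"identity": f"{user}@{self.name}", "attributes": sorted(self.users[user])}

    def decide_for_remote_user(self, message: Dict[str, object], resource: str, request_mb: int) -> Tuple[bool, List[str]]:
        # Remote case: the attributes come off the wire, the use-conditions from this realm's LDAP.
        return evaluate(set(message["attributes"]), request_mb, self.resources[resource])


def remote_request(home: Realm, user: str, remote: Realm, resource: str, request_mb: int) -> Tuple[bool, List[str]]:
    """Home realm exports identity and attributes; the resource's realm makes the decision."""
    return remote.decide_for_remote_user(home.attributes_with_identity(user), resource, request_mb)


# Constructed sample data mirroring the subnet-1 slides.
SUBNET1 = [
    UseCondition("member", "umich_staff_group"),
    UseCondition("not_member", "bad_users_group"),
    UseCondition("member", "internet2_bw_group"),
    UseCondition("max_request_mb", "10"),
]
UMICH = Realm("umich",
              users={"alice": {"internet2_bw_group", "umich_staff_group", "10MB_bandwidth"},
                     "mallory": {"internet2_bw_group", "umich_staff_group", "bad_users_group"}},
              resources={"subnet-1": SUBNET1})
ANL = Realm("anl", users={}, resources={"subnet-1": SUBNET1})   # remote realm holds no umich users


if __name__ == "__main__":
    print(UMICH.decide_local("alice", "subnet-1", 10))            # (True, [])
    print(UMICH.decide_local("alice", "subnet-1", 50))            # request exceeds 10MB
    print(UMICH.decide_local("mallory", "subnet-1", 10))          # excluded group
    print(remote_request(UMICH, "alice", ANL, "subnet-1", 10))    # (True, []) without copying user data to anl
```

The remote path copies nothing persistently: anl never stores alice, it evaluates the attributes it received for this one request, which is the "minimal replication of resource and user data" the Common Namespace slide describes.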

Common Namespace

• Necessary to communicate distributed authorization decision parameters

• Enables minimal replication of resource and user data

• Complicates namespace administration, simplifies authorization communication

• Each authorization realm assigns local values

Diagram (slide title not recovered)

Components shown: Globus Client, Gatekeeper (GK), Resource Manager (RM), GARA with its Access File, Router, CPU, Authorization_API, and Akenti with an LDAP back end at each site; user attributes pass between the two Akenti/LDAP services.

Status

• Completed kx509 integration

• Configured and tested GARA to reserve bandwidth on Cisco 7500 at UMICH

• Preparing to test with remote bandwidth reservation ANL and CERN using current functionality

• Netscape LDAP with Internet2 Eduperson schema

• Just starting work with Akenti

http://www.citi.umich.edu/projects/qos

http://www.globus.org

http://www-itg.lbl.gov/security/Akenti

Questions?