Authenticated QoS Signaling
William A. (Andy) Adamson
Olga Kornievskaia
CITI, University of Michigan
• Michigan High Energy Physics Group is involved in key phases of the ATLAS project
  – Video conferencing, distributed shared workspace
  – Bulk data transfer
• Advances in QoS are necessary to further this research.
• Impact on University of Michigan Community
  – Many other projects face similar problems
  – Bandwidth allocation is already an issue on campus (Napster).
Motivation
• UMICH - Physics, LS&A, ITCom, OVPR
• Merit
• UCAID
• ANL
• CERN
• PSC
Participants
• Reliable high speed end to end service
  – Cross campus
  – To external sites across high speed (Internet2) networks
• Automated access and network configuration
• Use of existing infrastructure
• Currently requires hands on at every stage
• Divide and conquer
  – network tuning
  – security component
  – automated network configuration
Vision
• Realize authenticated bandwidth reservation signaling
• Integration and extension of existing work and infrastructure
• Distributed authorization proof of concept
• Implement the architecture for demonstration, pre-production, and future research
Project Goals
• Answer all distributed authorization design questions
• Network tuning
• Aggregate traffic issues
• Multicast bandwidth reservation
• Production system
Not Project Goals
• Construct end point QoS network domains
• Use QoS features in existing routers
• Over provision connecting networks
• No change to application
  – QoS reservation communication via a web interface
  – Routers mark packets, not application
Architecture
• Bandwidth broker
• Authorization service
• LDAP directory service
• X509 security infrastructure
• Routers with packet-marking and policing features
QoS Network Domain
[Figure: network path diagram showing the QoS network domains CITI, ITCom, Physics and UMICH, connected through Merit, Startap, Argonne, Cleveland, Abilene, CERN and PSC; link speeds labelled 622M, 100M and 45M; a bandwidth broker (BB) at each domain]
Network Path
• GARA, from ANL
• Integrated with their Grid reservation system
• X509 based authentication
• Flat file access control for authorization
• No inter bandwidth broker communication
Bandwidth Broker
• Globus PKI based GSSAPI_SSLEAY
• Globus user proxy
  – Obviates the need for multiple password entry
  – Enables remote services to act on the user's behalf
• No CA peering: exchange self-signed CA certificates
• UMICH Kerberos solution: KX509 "junk keys"
  – Short-term keys granted with a valid Kerberos identity
  – Stored in the Kerberos ticket cache
Authentication
Authentication
[Figure: Globus authentication flow: on the workstation (WS), globus-proxy-init uses the X509 long-lived credentials in the user's home directory to create X509 proxy credentials; the Globus Client authenticates with gssapi_ssleay to the Globus Gatekeeper, which invokes the Resource Manager and GARA to configure the routers]
• Limited access to the private key; not mobile
• The longer a public key is in circulation, the more places it is cached, and the more problematic revocation becomes.
• Short-lived kx509 generated "junk keys" address these problems
Problems with long lived keys
Kx509 Authentication
[Figure: Kx509 authentication flow: on the workstation (WS), kinit obtains a Kerberos ticket from the Kerberos DB, kx509 presents it to the Kerberos CA (KCA) and stores the resulting X509 junk-key credentials in the Kerberos ticket cache; globus-proxy-init derives X509 proxy credentials from them; the Globus Client then authenticates with gssapi_ssleay to the Globus Gatekeeper, Resource Manager and GARA, which configure the routers]
• Problem: Local users, remote resources
  – Ideally, no copying of user or resource data
  – In the common case, no extra communication
• Solution we will explore:
  – Common LDAP namespace and schema
  – Pass authorization attributes with identity
  – Requires the ability to do SSL mutual authentication between remote sites
Distributed Authorization
• Akenti access control system from lbl.gov
  – Policy engine that can express complex policies
  – User attributes, resource use-conditions
  – Distributed management from many sources
• LDAP back end
  – Internet2 middleware working group schema
  – Akenti data
Authorization Server
• LDAP schema required for users, resources, user-attributes and use-conditions
• user-attributes are assigned to users
• use-conditions are assigned to resources
• Access for a user to a resource is determined by comparing user attributes to resource use-conditions
Akenti Authorization
Local Akenti Authorization
User: alice
  – internet2_bw_group
  – umich_staff_group
  – 10MB_bandwidth
  – ...
Resource: subnet-1
  – member umich_staff_group
  – not member bad_users_group
  – member internet2_bw_group
  – 10MB or less bandwidth request
Akenti LDAP back end
• Akenti policy engine receives a request:
  – can Alice reserve 10MB of bandwidth on subnet-1?
• All data required to make the decision is held locally in the Akenti/LDAP service
• Since Alice holds all the attributes required by the resource's use-conditions, access is granted.
Akenti Authorization of Remote Resource
• Akenti policy engine receives a request:
  – can Alice reserve 10MB of bandwidth on remote subnet-1?
• User data required to make the decision is held locally
• Resource data is held by the remote Akenti/LDAP service
• Send the user identity and the appropriate attributes to the remote Akenti/LDAP service over a secure channel
User: alice
  – internet2_bw_group
  – umich_staff_group
  – 10MB_bandwidth
Resource: subnet-1
  – member umich_staff_group
  – not member bad_users_group
  – member internet2_bw_group
  – 10MB or less bandwidth request
Local Akenti LDAP back end  -->  user attributes  -->  Remote Akenti LDAP back end
Akenti Authorization of Remote Resource
• Akenti policy engine receives a request:
  – can Alice reserve 10MB of bandwidth on remote subnet-1?
• The remote Akenti/LDAP service compares the user attributes received off the wire to the resource use-conditions.
• Since Alice holds all the attributes required by the resource's use-conditions, access is granted
User: alice
  – internet2_bw_group
  – umich_staff_group
  – 10MB_bandwidth
Resource: subnet-1
  – member umich_staff_group
  – not member bad_users_group
  – member internet2_bw_group
  – 10MB or less bandwidth request
Local Akenti LDAP back end  -->  Remote Akenti LDAP back end  -->  Access granted
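The local and remote decisions of the three Akenti slides above, as an added example (not Akenti, GARA or CITI code): a resource's use-conditions are checked against a user's attributes, and for the remote case the home service ships identity plus attributes and the remote service only accepts them from a realm it trusts. The `realm` field, the trusted-realm check and the message format are assumptions; the slides' SSL mutual authentication is not modelled.

```python
# Added example, not Akenti or GARA code: an Akenti-style decision that checks
# a resource's use-conditions against a user's attributes, locally and when the
# attributes arrive from a remote realm. Data below is constructed from the slides.
from dataclasses import dataclass, field

@dataclass
class User:
    name: str
    realm: str                                   # home authorization realm (assumed field)
    groups: set = field(default_factory=set)     # group-membership attributes
    max_bandwidth_mb: int = 0                    # the "10MB_bandwidth" attribute

@dataclass
class Resource:
    name: str
    required_groups: set = field(default_factory=set)  # "member ..." use-conditions
    forbidden_groups: set = field(default_factory=set) # "not member ..." use-conditions
    max_request_mb: int = 0                            # "10MB or less bandwidth request"

def decide(user: User, resource: Resource, request_mb: int) -> bool:
    """Grant only if every use-condition of the resource is met by the user's attributes."""
    if not resource.required_groups <= user.groups:
        return False                      # a required group is missing
    if resource.forbidden_groups & user.groups:
        return False                      # user is in an excluded group
    if request_mb > resource.max_request_mb or request_mb > user.max_bandwidth_mb:
        return False                      # request exceeds the resource or user limit
    return True

def export_attributes(user: User) -> dict:
    """What the home Akenti/LDAP service sends with the identity (over the
    mutually authenticated SSL channel the slides require; transport not modelled)."""
    return {"user": user.name, "realm": user.realm,
            "groups": sorted(user.groups), "max_bandwidth_mb": user.max_bandwidth_mb}

def decide_remote(msg: dict, resource: Resource, request_mb: int, trusted_realms: set) -> bool:
    """Remote side: accept attributes only from a realm whose peer we trust (the
    realm stands in for the authenticated peer), then decide exactly as locally."""
    if msg.get("realm") not in trusted_realms:
        return False                      # attributes from an unknown realm are ignored
    user = User(msg["user"], msg["realm"], set(msg["groups"]), int(msg["max_bandwidth_mb"]))
    return decide(user, resource, request_mb)

# Constructed sample data matching the slides' Alice / subnet-1 scenario.
ALICE = User("alice", "umich", {"internet2_bw_group", "umich_staff_group"}, 10)
SUBNET1 = Resource("subnet-1", {"umich_staff_group", "internet2_bw_group"},
                   {"bad_users_group"}, 10)
```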
• Necessary to communicate distributed authorization decision parameters
• Enables minimal replication of resource and user data
• Complicates namespace administration, simplifies authorization communication
• Each authorization realm assigns local values
Common Namespace
[Figure: architecture diagram: the Globus Client contacts the Gatekeeper (GK), which calls the Resource Manager (RM) and GARA to control the Router and CPU resources; GARA consults an Access File and an Authorization_API backed by a local Akenti/LDAP service, which exchanges user attributes with a remote Akenti/LDAP service]
• Completed kx509 integration
• Configured and tested GARA to reserve bandwidth on Cisco 7500 at UMICH
• Preparing to test remote bandwidth reservation with ANL and CERN using current functionality
• Netscape LDAP with the Internet2 Eduperson schema
• Just starting work with Akenti
Status
http://www.citi.umich.edu/projects/qos
http://www.globus.org
http://www-itg.lbl.gov/security/Akenti
Questions?