Authenticated QoS Signaling
William A. (Andy) Adamson
Olga Kornievskaia
CITI, University of Michigan
Motivation
• Michigan High Energy Physics Group is involved in key phases of the ATLAS project
  – Video conferencing, distributed shared workspace
  – Bulk data transfer
• Advances in QoS are necessary to further this research.
• Impact on the University of Michigan community
  – Many other projects face similar problems
  – Bandwidth allocation is already an issue on campus (Napster).
Participants
• UMICH - Physics, LS&A, ITCom, OVPR
• Merit
• UCAID
• ANL
• CERN
• PSC
Vision
• Reliable high speed end to end service
  – Cross campus
  – To external sites across high speed (Internet2) networks
• Automated access and network configuration
• Use of existing infrastructure
• Currently requires hands-on work at every stage
• Divide and conquer
  – Network tuning
  – Security component
  – Automated network configuration
Project Goals
• Realize authenticated bandwidth reservation signaling
• Integration and extension of existing work and infrastructure
• Distributed authorization proof of concept
• Implement the architecture for demonstration, pre-production, and future research
Not Project Goals
• Answer all distributed authorization design questions
• Network tuning
• Aggregate traffic issues
• Multicast bandwidth reservation
• Production system
Architecture
• Construct end point QoS network domains
• Use QoS features in existing routers
• Over-provision connecting networks
• No change to applications
  – QoS reservation requests are made via a web interface
  – Routers mark packets, not the application
QoS Network Domain
• Bandwidth broker
• Authorization service
• LDAP directory service
• X509 security infrastructure
• Routers with packet-marking and policing features
Network Path
(Diagram.) Sites on the path: CITI, Physics, ITCom and UMICH on campus; Merit, Startap, Abilene, Cleveland, Argonne, PSC and CERN beyond it. Link capacities shown on the diagram: 100M, 45M and 622M. A bandwidth broker (BB) is placed at several of the sites, including PSC.
Bandwidth Broker
• GARA, from ANL
• Integrated with ANL's Grid reservation system
• X509 based authentication
• Flat file access control for authorization
• No inter-bandwidth-broker communication
Authentication
• Globus PKI based GSSAPI_SSLEAY
• Globus user proxy
  – Obviates the need for multiple password entry
  – Enables remote services to act on the user's behalf
• No CA peering: exchange self-signed CA certificates
• UMICH Kerberos solution: KX509 "junk keys"
  – Short term keys granted with a valid Kerberos identity
  – Stored in the Kerberos ticket cache
Authentication
(Diagram.) Components: Globus Client on the workstation (WS); globus-proxy-init; X509 long lived creds in the Home Directory; X509 proxy creds; gssapi_ssleay; Globus Gatekeeper; Resource Manager; GARA; Routers.
Problems with long lived keys
• Limited access to the private key; not mobile
• The longer a public key has been in circulation, the more places it is cached, and the more problematic revocation becomes.
• Short-lived kx509 generated "junk keys" address these problems
Kx509 Authentication
(Diagram.) Components: Globus Client on the workstation (WS); kinit, obtaining a KCA ticket; kx509; Kerberos Ticket Cache; Kerberos DB; Kerberos CA; X509 junk-key creds; globus-proxy-init; X509 proxy creds; gssapi_ssleay; Globus Gatekeeper; Resource Manager; Home Directory; GARA; Routers.
Distributed Authorization
• Problem: local users, remote resources
  – Ideally, no copying of user or resource data
  – In the common case, no extra communication
• Solution we will explore:
  – Common LDAP namespace and schema
  – Pass authorization attributes with identity
  – Requires the ability to do SSL mutual authentication between remote sites
Authorization Server
• Akenti access control system from lbl.gov
  – Policy engine that can express complex policies
  – User attributes, resource use-conditions
  – Distributed management from many sources
• LDAP back end
  – Internet2 middleware working group schema
  – Akenti data
Akenti Authorization
• LDAP schema required for users, resources, user-attributes and use-conditions
• User-attributes are assigned to users
• Use-conditions are assigned to resources
• Access for a user to a resource is determined by comparing the user's attributes to the resource's use-conditions
Local Akenti Authorization
Akenti LDAP back end:
  User: alice
    internet2_bw_group
    umich_staff_group
    10MB_bandwidth
    ...
  Resource: subnet-1
    member umich_staff_group
    not member bad_users_group
    member internet2_bw_group
    10MB or less bandwidth request
• Akenti policy engine receives a request: can Alice reserve 10MB of bandwidth on subnet-1?
• All data required to make the decision is held locally in the Akenti/LDAP service
• Since Alice holds all the attributes required by the resource, access is granted.
Akenti Authorization of Remote Resource
• Akenti policy engine receives a request: can Alice reserve 10MB of bandwidth on remote subnet-1?
• User data required to make the decision is held locally
• Resource data is held by the remote Akenti/LDAP service
• Send the user identity and the appropriate attributes to the remote Akenti/LDAP service over a secure channel
Local Akenti LDAP back end:
  User: alice
    internet2_bw_group
    umich_staff_group
    10MB_bandwidth
Remote Akenti LDAP back end:
  Resource: subnet-1
    member umich_staff_group
    not member bad_users_group
    member internet2_bw_group
    10MB or less bandwidth request
(User attributes are sent from the local back end to the remote one.)
Akenti Authorization of Remote Resource
• Akenti policy engine receives a request: can Alice reserve 10MB of bandwidth on remote subnet-1?
• The remote Akenti/LDAP service compares the user attributes received off the wire to the resource use-conditions.
• Since Alice holds all the attributes required by the resource, access is granted
Local Akenti LDAP back end:
  User: alice
    internet2_bw_group
    umich_staff_group
    10MB_bandwidth
Remote Akenti LDAP back end:
  Resource: subnet-1
    member umich_staff_group
    not member bad_users_group
    member internet2_bw_group
    10MB or less bandwidth request
Result: access granted
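The attribute-versus-use-condition comparison on the Akenti slides, and the remote variant where the local side ships identity plus attributes to the resource's home service, as an added example. This is illustrative code written for this transcript, not Akenti's, GARA's or the project's own code. The data model (a user is a set of attribute strings; a use-condition is a group membership test, a group exclusion, or a bandwidth ceiling), the `LOCAL_USERS` and `REMOTE_RESOURCES` tables, and the JSON assertion format are all assumptions; the mutually authenticated SSL channel the slides require is outside the example, so the remote side is shown trusting the assertion as if it had already arrived over such a channel.

```python
"""Akenti-style authorization: user attributes compared to resource
use-conditions, locally and for a remote resource.  Added example; the
directory contents below are constructed to mirror the slides' alice /
subnet-1 case (alice is granted, mallory is denied)."""

import json
from dataclasses import dataclass
from typing import List, Union


@dataclass(frozen=True)
class UseCondition:
    kind: str                 # "member", "not_member" or "max_bandwidth" (assumed vocabulary)
    value: Union[str, int]    # group name, or bandwidth ceiling in MB


@dataclass
class Resource:
    name: str
    use_conditions: List[UseCondition]


# Constructed sample of the local Akenti/LDAP user data.
LOCAL_USERS = {
    "alice": {"internet2_bw_group", "umich_staff_group", "10MB_bandwidth"},
    "mallory": {"umich_staff_group", "bad_users_group"},
}

# Constructed sample of resource data with the slide's four use-conditions.
SUBNET_1 = Resource("subnet-1", [
    UseCondition("member", "umich_staff_group"),
    UseCondition("not_member", "bad_users_group"),
    UseCondition("member", "internet2_bw_group"),
    UseCondition("max_bandwidth", 10),
])


def check_condition(cond: UseCondition, attributes: set, requested_mb: int) -> bool:
    """Evaluate one use-condition against the user's attributes and request."""
    if cond.kind == "member":
        return cond.value in attributes
    if cond.kind == "not_member":
        return cond.value not in attributes
    if cond.kind == "max_bandwidth":
        return requested_mb <= cond.value
    # An unrecognised condition kind is an error, never an implicit grant.
    raise ValueError(f"unknown use-condition kind {cond.kind!r}")


def evaluate(resource: Resource, attributes: set, requested_mb: int):
    """Grant only if every use-condition holds; return the failing ones for audit."""
    failures = [c for c in resource.use_conditions
                if not check_condition(c, attributes, requested_mb)]
    return (len(failures) == 0, failures)


def authorize_local(user: str, resource: Resource, requested_mb: int) -> bool:
    """Local case (slide 18): user data and resource data in the same service."""
    attributes = LOCAL_USERS.get(user, set())   # unknown user -> no attributes -> deny
    return evaluate(resource, attributes, requested_mb)[0]


def build_attribute_assertion(user: str) -> str:
    """Local side of the remote case (slide 19): identity plus attributes,
    serialized for transport over the mutually authenticated channel."""
    return json.dumps({"user": user,
                       "attributes": sorted(LOCAL_USERS.get(user, set()))})


# Constructed sample of the remote Akenti/LDAP service's resource data.
REMOTE_RESOURCES = {"subnet-1": SUBNET_1}


def remote_authorize(assertion_json: str, resource_name: str, requested_mb: int) -> bool:
    """Remote side (slide 20): holds resource data only and compares the
    attributes received off the wire to its own use-conditions.  The channel
    authentication that makes those attributes trustworthy is assumed here."""
    message = json.loads(assertion_json)
    resource = REMOTE_RESOURCES.get(resource_name)
    if resource is None:
        return False                               # unknown resource: deny
    return evaluate(resource, set(message["attributes"]), requested_mb)[0]


if __name__ == "__main__":
    print("local  alice 10MB:", authorize_local("alice", SUBNET_1, 10))
    assertion = build_attribute_assertion("alice")
    print("remote alice 10MB:", remote_authorize(assertion, "subnet-1", 10))
    print("remote alice 20MB:", remote_authorize(assertion, "subnet-1", 20))
```

Two design points carry over to a real deployment: evaluation fails closed (an unknown user, an unknown resource, or an unrecognised condition kind never yields a grant), and the remote side's trust in the attributes rests entirely on the authenticated channel they arrived over, which is why the slides list SSL mutual authentication between sites as a requirement.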
Common Namespace
• Necessary to communicate distributed authorization decision parameters
• Enables minimal replication of resource and user data
• Complicates namespace administration, simplifies authorization communication
• Each authorization realm assigns its local values
(Diagram.) Components: Globus Client; Gatekeeper (GK); Resource Manager (RM); GARA with its Access File; Authorization_API; Akenti with an LDAP back end on each side, with user attributes passed between them; Router; CPU.
Status
• Completed kx509 integration
• Configured and tested GARA to reserve bandwidth on a Cisco 7500 at UMICH
• Preparing to test remote bandwidth reservation with ANL and CERN using current functionality
• Netscape LDAP with the Internet2 Eduperson schema
• Just starting work with Akenti
http://www.citi.umich.edu/projects/qos
http://www.globus.org
http://www-itg.lbl.gov/security/Akenti
Questions?