ESnet RADIUS Authentication Fabric
Michael Helm, ESnet/LBNL
Cybersecurity Summit, 27 Sep 2004
[Slide 2: ESnet mid-2004 network map. Caption: ESnet Provides Full Internet Service to DOE Facilities and Collaborators with High-Speed Access to Major Science Collaborators. Legend: ESnet core (Packet over SONET optical ring and hubs: SEA, SNV, ELP, CHI, ATL, DC, NYC); 42 end user sites (Office of Science sponsored 22, NNSA sponsored 12, joint sponsored 3, laboratory sponsored 6, other sponsored: NSF LIGO, NOAA); peering points and Abilene high-speed peering points; international links (CERN DOE link, GEANT, SInet, CA*net4 and others); link types from T1 to OC192.]
A New ESnet Architecture: Science Data Network + IP Core
[Slide 3 diagram: ESnet IP Core and ESnet Science Data Network (2nd core), with existing hubs at New York (AOA), Chicago (CHI), Sunnyvale (SNV), Washington, DC (DC) and El Paso (ELP), a possible new hub at Atlanta (ATL), metropolitan area rings to DOE/OSC labs, and peerings to GEANT (Europe), Asia-Pacific and CERN.]
ESnet ATF Project
Authentication, Trust & Federation Services for DOE Office of Science
• Certification Authorities
  – ESnet Root CA
  – DOEGrids CA
  – NERSC CA – NERSC’s “myProxy-NIM” integration
  – ESnet SSL Server CA – soon to expand
• Scope
  – X.509/PKIX certificates for Office of Science supported research and collaborations
  – Grids; TLS; experimental uses
• Rigorous security
  – Industry best practices
  – Hardware Security Modules (HSM)
• Services
  – People, host, and service certificates
  – Key lifecycle management
  – User interface development and automation
  – Grid integration
DOEGrids Security
[Slide 5 diagram: layered protection between the Grid user on the Internet and the PKI systems: firewall, intrusion detection, LBNL site security, building security, secure data center, access controlled racks, Hardware Security Modules, and an offline vaulted Root CA on an HSM.]
ESnet PKI Project (2)
• Federation and Standards
  – DOEGrids supports 15 distinct “Registration Authorities”
    • Two are in progress for addition (LCG and EPA-NCC)
  – Regional peering – “Americas” PMA, TERENA, Asia-Pacific
  – Global Grid Forum
    • CAOPS (TG chair)
• PGP Key server
New Initiatives:
• GIRAF – Grid Integrated RADIUS Authentication Fabric
• Fusion Grid PKI – support “myProxy” integration
• Remote Hardware Security Module operation
  – Response to ESnet’s challenge to provide redundant CA services
• Mozilla browser integration
• SIRS – Security Incident Response Services
What Does the RAF Do?
[Slide 7 diagram: the ESnet RAF Federation joins the RADIUS servers of NERSC, ANL, ORNL and PNNL, each backed by its own OTP service. Every member sees the federated realms anl.gov, nersc.gov, pnnl.gov and ornl.gov (plus es.net), so a RADIUS application at any site can authenticate a user from any member realm.]
What Is the Grid Integrated RAF?
Proposal Apr 2004
Special case of GridLogon
[Slide 8 diagram. Components: PAM login, ESnet RADIUS with AuthDB, site OTP services, ESnet Root CA (which signs the Subordinate CA), Subordinate CA engine, HSM, OCSP, MyProxy credentials, SIPS. Flow: 1 Log in; 2 Ask AuthN, hint OTP; 3 OTP verification; 4 Auth OK, namestring; 4 Sign proxy; 5 Receive proxy cert; 6 (Opt) Store proxy / manage myProxy; 7 Execute.]
RAF Benefits & Features
• O(n) peering
• Authorization decision controlled by site (Sound familiar?)
• Single token per person
• Interoperability on an open, standard, industry-supported AAA protocol
• WAN use of RADIUS (RFC 2865)
• Federation
ESnet RAF Architecture
[Slide 10 diagram: Site 1, Site 2 ... Site n each run a site RADIUS server with an AuthN authority (OTP) and local applications. The site RADIUS servers reach the ESnet RAF, a set of replicated RADIUS proxy routers, over IPsec VPN on the IP network.]
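As an added illustration (not code from the slides or from ESnet), this Python model shows the two things a RAF proxy router does with an RFC 2865 Access-Request: pick the home server from the User-Name realm, refusing realms outside the federation, and verify the home server's Response Authenticator under the per-hop shared secret before honouring an Accept or Reject. The realm table and server host names are constructed placeholders.

```python
import hashlib
import hmac
import os
import struct

# Constructed realm table: home RADIUS server for each federated realm (placeholders).
REALM_TABLE = {
    "anl.gov": "radius.anl.gov", "nersc.gov": "radius.nersc.gov",
    "pnnl.gov": "radius.pnnl.gov", "ornl.gov": "radius.ornl.gov",
}
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3  # RFC 2865 packet codes
USER_NAME = 1  # RFC 2865 attribute type

def realm_of(user_name):
    """Realm part of a 'user@realm' User-Name; no realm means nothing to proxy to."""
    if "@" not in user_name:
        raise ValueError("User-Name carries no realm")
    return user_name.rsplit("@", 1)[1].lower()

def route(user_name):
    """Home server for the user's realm; realms outside the federation are refused."""
    realm = realm_of(user_name)
    if realm not in REALM_TABLE:
        raise LookupError(f"realm {realm!r} is not in the federation")
    return REALM_TABLE[realm]

def _avps(attrs):
    """Encode (type, value) pairs as RADIUS attribute-value pairs."""
    return b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)

def build_access_request(user_name, ident=1):
    """Access-Request with a fresh random 16-octet Request Authenticator."""
    req_auth = os.urandom(16)
    body = _avps([(USER_NAME, user_name.encode())])
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(body)) + req_auth + body

def build_response(code, request, secret, attrs=()):
    """Home-server reply: ResponseAuth = MD5(Code+ID+Length+RequestAuth+Attrs+Secret)."""
    body = _avps(attrs)
    hdr = struct.pack("!BBH", code, request[1], 20 + len(body))
    return hdr + hashlib.md5(hdr + request[4:20] + body + secret).digest() + body

def verify_response(response, request, secret):
    """Proxy-side check before honouring an Accept/Reject: the Identifier must match
    our request and the Response Authenticator must verify under this hop's secret."""
    if response[1] != request[1]:
        return False
    hdr, resp_auth, body = response[:4], response[4:20], response[20:]
    expected = hashlib.md5(hdr + request[4:20] + body + secret).digest()
    return hmac.compare_digest(expected, resp_auth)
```

The MD5-based authenticator only binds a reply to the request under the hop secret; it gives no confidentiality, which is why the architecture above runs RADIUS between site and RAF inside an IPsec VPN.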
RAF Current Issues
(Current: 6 – 18 mos; * = Grid issue)
• Reliability – Replication
  – Currently RAF issue, but also applies to site RADIUS/OTP
• * Federation
• * Application Integration
  – Where’s our “Grid Integration” solution?
  – PAM – more layers!
• * Name management (Fed/App Integration)
  – Essential issue for Grid integration
• *? OTP Service Reliability
  – “Transit time”; resync; loss
• *? Integrity & Security
  – VPN – See later
• Market research – size/scope of deployment
RAF Current Issues
[Slide 12 diagram: the ESnet RAF Federation diagram from slide 7, annotated with the current issues: Reliability/Replication, Integrity/Security, OTP/C&R, Federation, Transit time, Application Integration.]
RAF Long Term* Issues
(* 12 – 48 mos)
• RAF support for other protocols
  – Kerberos
  – Web services
  – EAP/TLS
• Myproxy Protocol
• End to End integrity
  – “AuthA” protocol
  – Session hijacking (client)
• Application integration
  – Always an issue
  – Architecture: fan-out/gateway
  – Firewalls
• RADIUS
AuthA
An OTP-based key-exchange technology that offers protection against:
• capture of the user’s password
• capture of the server’s password database
• dictionary attacks on the user’s password
• denial-of-service attacks
An OTP-based DH key-exchange technology that allows users to connect from an untrusted terminal and still preserve the privacy of data transmitted on the wire:
• confidentiality, authenticity, and integrity of the data
• mutual authentication of the user and the server
Technology publication: M. Abdalla, O. Chevassut, and D. Pointcheval, “One-time Verifier-based Encrypted Key Exchange”, submitted for publication to the 8th International Workshop on Practice in Public-Key Cryptography, Feb 2005.
EduROAM
• TERENA Mobility TF
  http://www.terena.nl/tech/task-forces/tf-mobility
• Initiative to support roaming
  – Hence, 802.1x support
  – Wireless
• Motivation is a little different
  – Roaming vs Collaboration
• Architecture is similar
  – Key difference: DOE lab OTP
• Beginning interoperability discussion
Cross-domain 802.1X with VLAN assignment
[Slide 16 diagram: a guest supplicant (piet@institution_b.nl) at Institution A authenticates through the authenticator (AP or switch) to Institution A’s RADIUS server, which proxies over the Internet via a central RADIUS proxy server to Institution B’s RADIUS server and user DB. The result places the user on the Employee, Student or Guest VLAN; data and signalling paths are drawn separately.]
Conclusion
• Successful RAF demonstration project
• Engineering and User experience issues
• Ready to proceed to pilot
• Need Grid Integration
• European Liaison possible
• First step toward Auth Fabric
  – Support more protocols
  – Federation
  – Successor to RADIUS
• http://www.es.net/raf
• http://www.doegrids.org
Demo
• http://topaz.es.net/secure/index.html
• http://panda.ccs.ornl.gov/radius/index.html
Fusion Grid Firewall Issues
Michael Helm, ESnet/LBNL
GGF-12 Sec Workshop, 18 Sep 2004
FusionGrid Use Case
Comments
Each site is protected by a firewall
Different firewall technology
OTP is probably a feature
Need single sign-on, delegation, autonomous processes….
Fusion Grid
• Use case comes from Dave Schissel
• Evolved from discussion of OTP
  – 2 of 3 labs in FusionGrid already have a SecurID infrastructure
• Need direct support
• Need to identify path to solution