Secure Network Performance Testing using SeRIF
Transcript of Secure Network Performance Testing using SeRIF
Secure Network Performance Testing using SeRIF
Dr. Charles J. Antonelli
Center for Information Technology Integration
University of Michigan
Winter 2006 CSG
http://www.albinoblacksheep.com/flash/nintendogs.php
U-M Contributors
• CITI
– Andy Adamson
– Charles Antonelli
– Nathan Gallaher
– Olga Kornievskaia
– David Richter
• ITCom
• MGRID
Work supported by OVPR and ITCom
SeRIF
• SeRIF : Secure Remote Invocation Framework
• Purpose : provide a secure and extensible remote process invocation service, with strong authentication and flexible authorization
• Based on Globus 2.4, GARA 1.2.2
• Leverages existing user credentials
– Kerberos (via kx509)
• Adds fine-grained authorization
– Walden
SeRIF
• Central portal host
– Authentication
– Control (invocation, parameters, results)
– Databases (LDAP)
• Dedicated remote nodes
– Gatekeeper
– Local scheduler for execution and cleanup
– Provides status and output redirection
– Fine-grained authorization at resource
SeRIF Architecture
[Architecture diagram; only its labels survive extraction. Hosts: User Workstation, KDC, KCA, Portal, Grid Resource. Components: Browser, kinit, kx509, libpkcs11, Kerberos V5, Apache (mod ssl, mod kx509, mod kct, mod php, mod jk), Tomcat, CHEF, KCT, LDAP, NW Topology, Output, GateKeeper, Resource Mgr, Resource, WALDEN Authorization. Links: SSL (client certificate required), GSI, Kerberos, SASL. Message flow numbered 1 to 8.]
NTAP
• NTAP : Network Testing and Performance
• Purpose : provide a secure and extensible network testing and performance tool invocation service at U-M
• Uses SeRIF framework
• Runs on portal host and Performance Measurement Platforms (PMPs) attached to routers in a VLAN environment
NTAP Architecture
[Architecture diagram; only its labels survive extraction: Portal; Router 1, Router 2, Router 3; Host A, Host B; PMP 1, PMP 2, PMP 3; GSI links; Attribute Callout; AFS PTS; Flat File; Walden (XACML).]
Mapping and Reporting
• Segment mapping
– Use traceroute to obtain packet routing path
– Use network topology database to map each router to its associated PMP
– Execute pairwise performance tests along path
• Reporting tool
– Output hop-by-hop matrix display
– Color-coded test history
– Click through cells for detailed views
• Links to most recent tests
Host Endpoint Testing
• Solution to first mile problem
– Leverages Network Diagnostic Tester
• Authenticated user clicks first-mile link
– Portal runs traceroute back to client
– Portal determines client’s first-hop router and attached PMP (running NDT server) from path and network topology database
– Portal displays link to first-hop PMP
– Client downloads NDT app from PMP as usual
– Client runs NDT test and displays results as usual
– NDT server sends results to NTAP database
[Host endpoint testing diagram; only its labels survive extraction: Router 1, Host A.]
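The segment mapping on the Mapping and Reporting slide and the first-hop PMP lookup on the Host Endpoint Testing slide share the same core step: walk a traceroute path and consult the topology database for each router. The following is an added example, not NTAP or SeRIF code; the traceroute text, the router-to-PMP table and all addresses are constructed, and the topology lookup is a plain dictionary standing in for the LDAP-backed database the deck describes.

```python
"""Segment mapping and first-hop PMP lookup (constructed example, not NTAP code).

Given a traceroute-style hop list and a topology table (router -> PMP),
derive the pairwise test segments along the path and the first-hop PMP
that would serve the first-mile (NDT) test.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed topology database: router address -> attached PMP name.
# Hypothetical values; the real deployment keeps this in LDAP.
TOPOLOGY: Dict[str, str] = {
    "10.0.1.1": "pmp1",
    "10.0.2.1": "pmp2",
    "10.0.3.1": "pmp3",
}

# Constructed traceroute output in the common "hop  host (ip)  rtt" layout.
# Hop 3 is deliberately unresponsive to show how a gap is handled.
SAMPLE_TRACEROUTE = """\
traceroute to 10.0.3.50 (10.0.3.50), 30 hops max
 1  r1.example (10.0.1.1)  0.412 ms  0.380 ms  0.366 ms
 2  r2.example (10.0.2.1)  1.102 ms  1.087 ms  1.090 ms
 3  * * *
 4  r3.example (10.0.3.1)  2.215 ms  2.201 ms  2.190 ms
 5  hostb.example (10.0.3.50)  2.650 ms  2.640 ms  2.630 ms
"""


@dataclass(frozen=True)
class Hop:
    number: int
    ip: Optional[str]  # None when the hop timed out ("* * *")


def parse_traceroute(text: str) -> List[Hop]:
    """Extract (hop number, responding address) pairs; skip the header line."""
    hops: List[Hop] = []
    for line in text.splitlines():
        parts = line.split()
        if not parts or not parts[0].isdigit():
            continue
        ip = None
        for tok in parts[1:]:
            if tok.startswith("(") and tok.endswith(")"):
                ip = tok[1:-1]
                break
        hops.append(Hop(int(parts[0]), ip))
    return hops


def map_path_to_pmps(hops: List[Hop], topology: Dict[str, str]) -> List[str]:
    """Map each router on the path to its PMP, in path order, without repeats.

    Unresponsive hops carry no router identity and are skipped; addresses
    absent from the topology (end hosts, foreign routers) are skipped too.
    """
    pmps: List[str] = []
    for hop in hops:
        if hop.ip is None:
            continue
        pmp = topology.get(hop.ip)
        if pmp is None:
            continue
        if not pmps or pmps[-1] != pmp:
            pmps.append(pmp)
    return pmps


def pairwise_segments(pmps: List[str]) -> List[Tuple[str, str]]:
    """Consecutive PMP pairs: the segments on which tests are run."""
    return list(zip(pmps, pmps[1:]))


def first_hop_pmp(hops: List[Hop], topology: Dict[str, str]) -> Optional[str]:
    """PMP attached to the first router on the path; None if no router is known."""
    for hop in hops:
        if hop.ip is not None and hop.ip in topology:
            return topology[hop.ip]
    return None


def plan_path_tests(text: str, topology: Dict[str, str]) -> List[Tuple[str, str]]:
    """Traceroute text in, ordered list of pairwise segments out."""
    return pairwise_segments(map_path_to_pmps(parse_traceroute(text), topology))


if __name__ == "__main__":
    hops = parse_traceroute(SAMPLE_TRACEROUTE)
    print("first-hop PMP:", first_hop_pmp(hops, TOPOLOGY))
    for src, dst in plan_path_tests(SAMPLE_TRACEROUTE, TOPOLOGY):
        print(f"segment test: {src} -> {dst}")
```

A path whose routers are all outside the topology yields no segments and no first-hop PMP, which is the case a cross-domain deployment has to handle separately.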
Automated Testing
• Need repetitive, automated testing
– … but with secure authentication and authorization
• Solution: renewable credentials
– User obtains long-term credentials
– Portal schedules repetitive testing
– Prior to a test cycle, portal validates long-term credential and derives from it a short-term credential
– Rest of SeRIF architecture unchanged
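The control flow on this slide (validate the long-term credential before each cycle, derive a short-term one from it, leave the rest of the architecture untouched) can be shown without the real Kerberos/kx509 and GSI machinery. The following is an added example, not SeRIF or NTAP code: both credentials are JSON documents authenticated with an HMAC under a constructed portal key, which stands in for the real credential formats so the validation and derivation logic runs offline. The field names, the key and the lifetimes are all assumptions.

```python
"""Renewable credentials for scheduled tests (constructed example, not SeRIF code).

Long-term credential: issued once to the user, authorizes a set of tests.
Short-term credential: derived by the portal before each test cycle, valid
only for that cycle's test and never beyond the parent's expiry.
HMAC-authenticated JSON stands in for the Kerberos/GSI credentials used in practice.
"""
import hashlib
import hmac
import json
from typing import Any, Dict, List

# Constructed portal secret; real key material would live in protected storage.
PORTAL_KEY = b"constructed-portal-key-not-for-real-use"


class CredentialError(Exception):
    """Raised when a credential fails authentication, time or scope checks."""


def _sign(payload: Dict[str, Any]) -> str:
    body = json.dumps(payload, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(PORTAL_KEY, body, hashlib.sha256).hexdigest()


def issue_long_term(user: str, issued_at: int, lifetime: int, tests: List[str]) -> dict:
    """Long-term credential covering `lifetime` seconds and the listed tests."""
    payload = {"sub": user, "nbf": issued_at, "exp": issued_at + lifetime,
               "kind": "long-term", "tests": sorted(tests)}
    return {"payload": payload, "mac": _sign(payload)}


def validate(cred: dict, now: int) -> Dict[str, Any]:
    """Check the MAC and the validity window; return the payload or raise."""
    payload = cred["payload"]
    if not hmac.compare_digest(cred["mac"], _sign(payload)):
        raise CredentialError("credential failed authentication")
    if not (payload["nbf"] <= now < payload["exp"]):
        raise CredentialError("credential outside its validity window")
    return payload


def is_valid(cred: dict, now: int) -> bool:
    try:
        validate(cred, now)
        return True
    except CredentialError:
        return False


def derive_short_term(long_cred: dict, now: int, cycle_seconds: int, test: str) -> dict:
    """Portal step before a test cycle: validate the parent, derive a narrower child.

    The child is bound to one test and expires at the end of the cycle or at
    the parent's expiry, whichever comes first, so it can never outlive the
    credential it was derived from.
    """
    parent = validate(long_cred, now)
    if parent["kind"] != "long-term":
        raise CredentialError("only a long-term credential may be used for derivation")
    if test not in parent["tests"]:
        raise CredentialError(f"test {test!r} not authorized by long-term credential")
    exp = min(now + cycle_seconds, parent["exp"])
    payload = {"sub": parent["sub"], "nbf": now, "exp": exp, "kind": "short-term",
               "tests": [test], "parent": long_cred["mac"][:16]}
    return {"payload": payload, "mac": _sign(payload)}


if __name__ == "__main__":
    # Constructed timeline: issue at t=1000 for 30 days, run an hourly iperf cycle.
    long_cred = issue_long_term("alice", 1000, 30 * 86400, ["owamp", "iperf"])
    short_cred = derive_short_term(long_cred, 2000, 3600, "iperf")
    print(json.dumps(short_cred["payload"], indent=2))
```

The point of the `min()` in `derive_short_term` is that a scheduled cycle started shortly before the long-term credential expires gets a correspondingly shorter child; once the parent lapses, derivation fails and the schedule stops rather than running on stale authority.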
Future Work
• Post-processed statistics, graphs
• Measurement database reorganization
– Scalability improvements
• Alternatives to topology database
– Active infrastructure probing
• Automated tools a la NDT
– Tune TCP stack
– Detect conditions, e.g. duplex mismatches
• Cross-domain testing
Cross-Domain Testing
[Cross-domain diagram; only its labels survive extraction: Domain 1 and Domain 2, each with a Portal; Router 1, Router 2, Router 3; Host A, Host B; PMP 1, PMP 2, PMP 3; GSI links.]
Cross-Domain Testing
• Goals
– Extend test path across administrative domains
– Address larger end-to-end performance issues
– Leverage SeRIF’s strong security and fine-grained authorization model
– Promote SeRIF at other institutions
– Share performance data among institutions
Cross-Domain Testing
• Approach
– Retain portal within each domain
– Originating portal runs traceroute
• Determines sequence of domains
• Verifies permissions for test
• Or “chunked” by domain
– Each portal tests and stores local results
• Independently, or synchronized
– Test data available via local SeRIF controls
– Boundary-crossing segments
• Need cross-domain trust
– Transit segments
Merit Measurement Infrastructure
Cross-Domain Testing
• Seeking
– Large network testbed
– Independent administrative domains
– Partners
– Funding
– Proposal
SeRIF Resources
• SeRIF & NTAP home page
– http://www.citi.umich.edu/projects/ntap
– FAQ & documentation
– Download NTAP code & installation instructions
• Tools
– iperf http://dast.nlanr.net/Projects/Iperf/
– ndt http://e2epi.internet2.edu/ndt/
– owamp http://e2epi.internet2.edu/owamp/
Any Questions?
http://www.citi.umich.edu