Sponsored by the National Science Foundation Campus Policies for the GENI Clearinghouse and Portal Sarah Edwards, GPO March 20, 2013

Sponsored by the National Science Foundation 2 GEC16: March 19, 2013 What is it? The clearinghouse is a set of services to track: –experimenters, –projects, –slices, and –authorization The portal is a web-based user interface for experimenters to access the clearinghouse services and GENI aggregates –Accounts used in three tutorials at this GEC: Getting Started with GENI, Advanced Networking, OpenFlow Who operates it? –Currently, the GPO

Sponsored by the National Science Foundation 3 GEC16: March 19, 2013 Risk: Policies The policies are the same between the portal/clearinghouse and the GPO run ProtoGENI (pgeni.gpolab.bbn.com): –Who can be approved to be a project lead –Project leads are trusted to make their own decisions about who gets added to their projects

Sponsored by the National Science Foundation 4 GEC16: March 19, 2013 Current GPO Project Lead Policies Projects organize research in GENI –Projects contain both people and their experiments –A project is led by a single responsible individual: the project lead –Who can be a project lead? Academic Faculty Senior technical staff in non- academic environments Project Lead Members Slice

Sponsored by the National Science Foundation 5 GEC16: March 19, 2013 Risk: Security The security risks are similar between the clearinghouse and pgeni.gpolab.bbn.com. In each case: the host could be compromised certificates and keys could be stolen and used to allocate resources using the GENI AM API upon detection, the root certificate can be removed from the trusted bundle so that the stolen certificates/keys are no longer useful

Sponsored by the National Science Foundation 6 GEC16: March 19, 2013 Risk: Bugs The portal/clearinghouse is new, and it is possible that there are bugs. We have a team actively working on the portal and we'll fix critical bugs as quickly as possible. While it is possible that the portal/ch could allow erroneous requests to be issued to rack aggregates, that's a path that has had significant testing thus far, and appears to work accurately.

Sponsored by the National Science Foundation 7 GEC16: March 19, 2013 Recommendations Trust the recommended GENI trust anchors: –Utah ProtoGENI –PlanetLab –GPO ProtoGENI aka pgeni.gpolab.bbn.com (legacy) –GENI Clearinghouse (NEW) Campus owner/operators have ultimate authority, and can modify the trust bundle if necessary If you agree, we would like to make this the standard recommendation for new GENI racks

Sponsored by the National Science Foundation 8 GEC16: March 19, 2013 The Portal Trusts InCommon For many experimenters: no new passwords familiar login screens Portal needs certain attributes (more in minute) The GENI Portal leverages InCommon for single sign-on authentication Experimenters from 288 educational and research institutions have InCommon accounts

Sponsored by the National Science Foundation 9 GEC16: March 19, 2013 How to access the portal? GENI Portal trusts both: –InCommon institutions –GPO Identity Provider (IdP) Anyone with an account at a supported identity provider can log in, but they will have no privileges If an experimenter does not have an account through an InCommon institution, the GPO will create an account on the GPO IdP –Once you have an account, you must be a member of a project to do anything interesting

Sponsored by the National Science Foundation 10 GEC16: March 19, 2013 What can you do? The GENI Portal gives access to real resources Therefore, we need to be able to contact experimenters if something goes wrong GENI Portal requires: –eppn (eduPersonPrincipalName) – address GENI Portal prefers to receive: –affiliation –given name –surname InCommon members can easily share these attributes by enabling the Research & Scholarship (R&S) category R&S:

Sponsored by the National Science Foundation 11 GEC16: March 19, 2013 Try logging in Want to know if your institution is an InCommon member which shares the needed attributes? The GENI Portal is at: Click “Use GENI” Pick your institution from the list Login using your usual username and password Does this work? You’re done If not, –We will contact the appropriate person at your institution

Sponsored by the National Science Foundation 12 GEC16: March 19, 2013 Looking forward: Policy Support Currently –policy is that racks should accept anyone with a valid GENI credential on a first come first serve basis –no mechanism to enforce other policies Two cases: 1.access to resources IN the rack 2.access to campus resources that connect through the rack (specifically the OpenFlow local campus resources port) What other campus policies are relevant to access the GENI racks in these two cases?

Sponsored by the National Science Foundation 13 GEC16: March 19, 2013 Looking forward: Operational portal/CH In the long run the operational GENI portal/CH won’t be operated by the GPO. That means two important things: 1)The policies have to be ok now and after the handoff 2)Are there requirements on who can implement these policies? The GPO portal/CH team is making sure we address this while we are implement. And we want your input.