HTTP/HTTPS as Grid data transport
6 March 2003
Andrew McNab, University of Manchester
Andrew McNab - HTTP/HTTPS extensions - 6 Mar 2003

Overview
- EDG motivations
- Why use HTTP(S) for data transport
- What needs promoting/agreeing?
- Example: multistream HTTP
- Extensions to HTTP(S)
- Example: delegation over HTTPS
- HTTP(S) vs alternatives

Background: EDG motivations
- EU DataGrid is interested in large High Energy Physics, Earth Observation and Bio/Medical datasets.
- Currently using GridFTP and the HEP-specific RFIO protocol for bulk data transfer.
  - EDG has modular "Storage Element" fileservers which can support additional transfer-protocol front-ends.
  - Looking at adding HTTP(S) support to Storage Elements.
  - Widespread availability and quality of HTTP clients (discussed later).
- Interest in remote filesystems using GSI credentials.
  - (cf. Kerberos and AFS)
  - Need a protocol with low overhead, reuse of connections etc.
- Also interest in delegation extensions for some aspects of information services.

Why use HTTP(S) for data transport? (1)
- HTTP(S) are interesting and important protocols for several reasons:
  - HTTPS is by far the most widely deployed secure protocol.
  - HTTP(S) has a large amount of high-quality software that we can leverage.
  - It interacts well with firewalls, Network Address Translation and application proxies.
  - HTTP is the basis for most Web Services and Grid Services work.
- HTTPS is HTTP/1.1 over an SSL connection.
  - Security is done by the SSL layer, using X.509 certificates (including GSI proxy certificates).
- HTTP/1.1 (RFC 2616) and extensions like WebDAV (RFC 2518) have a rich set of methods (GET, PUT, DELETE, COPY, LOCK etc.), headers ("Expires:" etc.) and status codes ("413 Request Entity Too Large").
  - So a standard way already exists for many data transfer operations.

Why use HTTP(S) for data transport? (2)
- HTTP includes mechanisms for redirection and for offering multiple versions of a resource and letting the client choose.
- HTTP's Range header allows partial GET operations (partial PUT, via Content-Range, is not defined by RFC 2616 and is server-specific).
  - This makes it possible to implement multistream HTTP, with multiple TCP streams coming from one server, or striped across multiple servers.
- In practice, HTTP can be as fast as other TCP-based protocols.
  - e.g. multistream copying of 300 MB files across Europe by HTTP or GridFTP.
- A very large amount of effort goes into producing HTTP(S) servers and clients with particular robustness or efficiency properties.
  - e.g. kernel-based "zero-copy" HTTP servers like tux are very efficient.

What needs promoting/agreeing to use this?
- "Informational"
  - e.g. what can be achieved using HTTP(S)
  - e.g. performance of HTTP(S) vs other protocols in a given context
- "Best practice"
  - e.g. how existing standards should be used to achieve particular performance / functionality
- Standards
  - e.g. which parts of existing standards should go from "MAY" to "SHOULD" or "MUST" in a Grid data transport context
  - e.g. what extensions or new standards we need to achieve particular functionality or performance

Best practice example: multistream HTTP
- HTTP can support application-level multiple streams and striping by using the standard Range header from RFC 2616 (HTTP/1.1) to set up many partial fetches.
  - This mechanism is supported by almost all modern web servers, e.g. Apache and Red Hat's tux kernel httpd.
- Multiple streams are implemented by the client splitting into threads:
  - each thread requests a block of the file from the server;
  - as each request completes, the thread finds the next unfetched block and requests it.
- For this it is essential that servers support the Range header, yet this is a relatively obscure feature in Web contexts which many developers are not aware of.
  - A server that ignores Range replies 200 with the whole entity instead of 206 Partial Content, so the client must check the status (and Content-Range) of each reply rather than assume it received the block it asked for.
- So the best practice statement would be "support the Range header".
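The Range-based multistream fetch described on this slide and the previous one, as an added example (not code from the slides or from GridSite): the server side is a minimal Range-capable handler on the Python standard library standing in for Apache or tux, and the client side is the thread-per-stream scheduler the slide describes, each thread pulling the next unfetched block on a persistent connection and refusing any reply that is not a correctly sized 206. The path /data/run42.raw and the 256000-byte blob used in the test are constructed for the demo; in practice the size would come from a HEAD request's Content-Length.

```python
import re
import threading
from http.client import HTTPConnection
from http.server import BaseHTTPRequestHandler, ThreadingHTTPServer

RANGE_RE = re.compile(r"^bytes=(\d*)-(\d*)$")  # one byte-range-spec: a-b, a-, or -n


class RangeHandler(BaseHTTPRequestHandler):
    """Minimal Range-capable GET server, standing in for Apache or tux."""
    protocol_version = "HTTP/1.1"  # keep the connection open between block requests
    blob = b""                     # the "file"; set per server by serve_blob()

    def log_message(self, *args):
        pass

    def _reply(self, status, headers, body=b""):
        self.send_response(status)
        for name, value in headers:
            self.send_header(name, value)
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def do_GET(self):
        total = len(self.blob)
        rng = self.headers.get("Range")
        if rng is None:  # no Range: the whole entity with status 200
            return self._reply(200, [("Accept-Ranges", "bytes")], self.blob)
        m = RANGE_RE.match(rng)
        if not m or m.groups() == ("", ""):
            return self._reply(400, [], b"bad Range")
        first, last = m.groups()
        if first == "":  # bytes=-n: the final n bytes
            start, end = max(total - int(last), 0), total - 1
        else:            # bytes=a-b or bytes=a-
            start = int(first)
            end = total - 1 if last == "" else min(int(last), total - 1)
        if start >= total or start > end:  # unsatisfiable: 416 with an empty body
            return self._reply(416, [("Content-Range", "bytes */%d" % total)])
        content_range = "bytes %d-%d/%d" % (start, end, total)
        self._reply(206, [("Content-Range", content_range)], self.blob[start:end + 1])


def serve_blob(data):
    """Serve `data` at every path on an ephemeral localhost port; returns (server, port)."""
    handler = type("BlobHandler", (RangeHandler,), {"blob": data})
    srv = ThreadingHTTPServer(("127.0.0.1", 0), handler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv, srv.server_address[1]


def range_get(host, port, path, spec):
    """Single GET with Range: <spec>; returns (status, Content-Range header, body)."""
    conn = HTTPConnection(host, port)
    conn.request("GET", path, headers={"Range": spec})
    resp = conn.getresponse()
    body = resp.read()
    conn.close()
    return resp.status, resp.getheader("Content-Range"), body


def multistream_get(host, port, path, size, nstreams=4, block=64 * 1024):
    """Fetch `size` bytes of `path` with `nstreams` threads issuing Range requests.
    Each thread takes the next unfetched block as soon as its previous request
    completes, so faster streams do more of the work. Returns (data, nblocks)."""
    nblocks = (size + block - 1) // block
    parts = [None] * nblocks
    state = {"next": 0, "errors": []}
    lock = threading.Lock()

    def stream():
        conn = HTTPConnection(host, port)  # one persistent connection per stream
        try:
            while True:
                with lock:
                    i, state["next"] = state["next"], state["next"] + 1
                if i >= nblocks:
                    return
                start, end = i * block, min((i + 1) * block, size) - 1
                conn.request("GET", path, headers={"Range": "bytes=%d-%d" % (start, end)})
                resp = conn.getresponse()
                body = resp.read()
                # A server that ignores Range answers 200 with the whole file; that, or
                # a short block, must not be stitched into the result.
                if resp.status != 206 or len(body) != end - start + 1:
                    raise RuntimeError("block %d: status %d, %d bytes" % (i, resp.status, len(body)))
                parts[i] = body
        except Exception as exc:
            state["errors"].append(exc)
        finally:
            conn.close()

    threads = [threading.Thread(target=stream) for _ in range(nstreams)]
    for t in threads:
        t.start()
    for t in threads:
        t.join()
    if state["errors"]:
        raise state["errors"][0]
    return b"".join(parts), nblocks
```

Striping across several servers is the same scheduler with a list of (host, port) pairs instead of one; the status and length check is what makes the stitched result trustworthy when one of those servers turns out not to honour Range.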

Extensions to HTTP(S)
- HTTP(S) already has most of the functionality we need for Grid information/control/data transport.
  - Some of it comes from several sources (e.g. the WebDAV RFC 2518, not just HTTP/1.1 itself) and can be done in different ways.
  - Frequently "MAY" -> "SHOULD" / "MUST".
  - So we want to specify a sufficient subset for interoperability.
- However, we can identify some extensions that are also valuable:
  - delegation over HTTPS;
  - some way of returning access control information along with data;
  - may want to specify TCP parameters for bulk data transfer;
  - so we want to specify new HTTP headers and methods for the above.
- (My feeling is that we should retain backwards and "pass through" compatibility with existing HTTP(S) implementations.)

Example: delegation over HTTPS
- Client issues a GET-PROXY-REQ request.
  - Server generates a key pair and a certificate request, and returns the request in the response body (the private key stays on the server).
- Client signs the certificate request with its own credential and returns the resulting proxy certificate in the body of a PUT-PROXY-CERT request.
- A Delegation-ID header is needed in the above exchanges so the server can keep track of the delegation session.
  - May want to maintain several delegation sessions for the same user at one server, but with different amounts of delegation.
  - Subsequent GET, PUT etc. actions carry on using the Delegation-ID.
  - The server should bind each Delegation-ID to the SSL-authenticated client that created it, so that the ID alone does not let another client use the proxy.
- Most clients and servers can pass through unknown methods/headers.
  - A delegation-unaware server responds with "501 Not Implemented", which the client can detect and fall back from.
- (Demonstration implementation of this in GridSite.)
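The exchange above with both sides' messages, as an added example (not code from the slides or from GridSite's implementation). The method names GET-PROXY-REQ and PUT-PROXY-CERT and the Delegation-ID header are the ones on the slide; everything else is assumed for the demo: the in-memory session store, 2048-bit RSA keys, the proxy naming rule (delegator's subject plus CN=proxy, issued by the delegator's own key), a one-hour lifetime, the `cryptography` package for key/CSR/certificate handling, and plain HTTP on localhost in place of HTTPS (so the binding of a session to the SSL-authenticated client is not shown). The "ExampleGrid" / "alice" credential is a constructed self-signed stand-in for a CA-issued GSI certificate. A bare http.server handler plays the delegation-unaware server, which answers the unknown method with 501.

```python
import datetime
import threading
import uuid
from http.client import HTTPConnection
from http.server import BaseHTTPRequestHandler, ThreadingHTTPServer
from cryptography import x509
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import rsa
from cryptography.x509.oid import NameOID

PEM = serialization.Encoding.PEM
SESSIONS = {}  # Delegation-ID -> {"key": server-side private key, "cert": proxy cert or None}


def issue(subject, issuer, pubkey, signer_key, lifetime):
    """Build and sign a certificate valid from now for `lifetime`."""
    t = datetime.datetime.now(datetime.timezone.utc)
    return (x509.CertificateBuilder().subject_name(subject).issuer_name(issuer)
            .public_key(pubkey).serial_number(x509.random_serial_number())
            .not_valid_before(t).not_valid_after(t + lifetime).sign(signer_key, hashes.SHA256()))


class DelegationHandler(BaseHTTPRequestHandler):
    """Delegation-aware server: the two extension methods plus an ordinary GET."""
    protocol_version = "HTTP/1.1"

    def _send(self, status, body=b"", headers=()):
        self.send_response(status)
        for name, value in headers:
            self.send_header(name, value)
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def get_proxy_req(self):
        # The server makes the key pair and a CSR for it; the private key never leaves the server.
        did = self.headers.get("Delegation-ID") or str(uuid.uuid4())
        key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
        csr = (x509.CertificateSigningRequestBuilder()
               .subject_name(x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, "proxy")]))
               .sign(key, hashes.SHA256()))
        SESSIONS[did] = {"key": key, "cert": None}
        self._send(200, csr.public_bytes(PEM), [("Delegation-ID", did)])

    def put_proxy_cert(self):
        sess = SESSIONS.get(self.headers.get("Delegation-ID", ""))
        if sess is None:
            return self._send(404, b"unknown Delegation-ID")
        try:
            cert = x509.load_pem_x509_certificate(self.rfile.read(int(self.headers.get("Content-Length", 0))))
        except ValueError:
            return self._send(400, b"body is not a PEM certificate")
        # Only accept a certificate for the key generated in this session.
        if cert.public_key().public_numbers() != sess["key"].public_key().public_numbers():
            return self._send(400, b"certificate is not for this session's key")
        sess["cert"] = cert
        self._send(204)

    def do_GET(self):
        # Later data requests name the session; an incomplete delegation is refused.
        sess = SESSIONS.get(self.headers.get("Delegation-ID", ""))
        if sess is None or sess["cert"] is None:
            return self._send(403, b"no delegated credential for this Delegation-ID")
        self._send(200, sess["cert"].subject.rfc4514_string().encode())


# http.server dispatches on do_<METHOD>; hyphenated method names must be attached with setattr.
setattr(DelegationHandler, "do_GET-PROXY-REQ", DelegationHandler.get_proxy_req)
setattr(DelegationHandler, "do_PUT-PROXY-CERT", DelegationHandler.put_proxy_cert)


class PlainHandler(BaseHTTPRequestHandler):  # delegation-unaware: any unknown method gets 501
    protocol_version = "HTTP/1.1"


def serve(handler):
    srv = ThreadingHTTPServer(("127.0.0.1", 0), handler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv, srv.server_address[1]


def request(host, port, method, path, body=None, headers=None):
    """One request on a fresh connection; returns (status, Delegation-ID header, body)."""
    conn = HTTPConnection(host, port)
    conn.request(method, path, body=body, headers=headers or {})
    resp = conn.getresponse()
    data = resp.read()
    conn.close()
    return resp.status, resp.getheader("Delegation-ID"), data


def self_signed_user(cn):
    """Constructed user credential standing in for a CA-issued GSI certificate."""
    key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    name = x509.Name([x509.NameAttribute(NameOID.ORGANIZATION_NAME, "ExampleGrid"),
                      x509.NameAttribute(NameOID.COMMON_NAME, cn)])
    return key, issue(name, name, key.public_key(), key, datetime.timedelta(days=1))


def delegate(host, port, user_key, user_cert, lifetime=datetime.timedelta(hours=1)):
    """Client side of the exchange. Returns the Delegation-ID, or None if the server sent 501."""
    status, did, body = request(host, port, "GET-PROXY-REQ", "/")
    if status == 501:  # delegation-unaware server: let the caller fall back
        return None
    if status != 200:
        raise RuntimeError("GET-PROXY-REQ failed: %d" % status)
    csr = x509.load_pem_x509_csr(body)
    if not csr.is_signature_valid:
        raise ValueError("CSR signature invalid")
    # Proxy naming rule assumed here: the user's subject plus CN=proxy, issued by the user.
    subject = x509.Name(list(user_cert.subject) + [x509.NameAttribute(NameOID.COMMON_NAME, "proxy")])
    proxy = issue(subject, user_cert.subject, csr.public_key(), user_key, lifetime)
    status, _, _ = request(host, port, "PUT-PROXY-CERT", "/", proxy.public_bytes(PEM), {"Delegation-ID": did})
    if status != 204:
        raise RuntimeError("PUT-PROXY-CERT failed: %d" % status)
    return did
```

After `delegate()` returns, an ordinary GET carrying the same Delegation-ID (via `request(..., headers={"Delegation-ID": did})`) is served with the proxy; a request naming an unknown or incomplete session gets 403, and PUT-PROXY-CERT for an unknown session gets 404 before any certificate is parsed. Against `PlainHandler` the very first request comes back 501 and `delegate()` returns None, which is the pass-through behaviour the slide relies on.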

(Extended) HTTP(S) vs alternatives
- Could use existing protocols: GridFTP etc.
  - HTTP(S) is motivated for the reasons given at the start.
  - Some environments (e.g. NAT) are better suited to HTTP(S).
- Could use ad-hoc conventions for some things.
  - e.g. always use "POST /cgi-bin/delegation.cgi" for delegation.
  - Messy to implement, difficult to agree / standardise.
  - Difficult to implement transparently (e.g. for trusted caches).
- Could do it all in SOAP, Web Services etc.
  - Worried about efficiency of encoding, set-up time of transfers etc.: what if we want to grab a large number of small files, say?
  - Only works for SOAP- or WS-based applications.
- So HTTP(S) appears to address Grid data transport in some contexts better than other protocols.

Summary
- HTTP(S) is interesting because:
  - widespread adoption, widespread support in multiple languages/platforms;
  - coexists well with NAT etc.;
  - HTTPS naturally interoperates with GSI-based security;
  - the protocol has many features (e.g. the Range header) which are very useful for data transport.
- Scope for doing informational, best practice and standardisation activities.
  - How much (other) interest is there in doing this in GGF?