Authenticated QoS Signaling William A. (Andy) Adamson Olga Kornievskaia CITI, University of Michigan.


1 Authenticated QoS Signaling
William A. (Andy) Adamson
Olga Kornievskaia
CITI, University of Michigan

2 Motivation
– The Michigan High Energy Physics Group is involved in key phases of the ATLAS project
  – Video conferencing, distributed shared workspace
  – Bulk data transfer
– Advances in QoS are necessary to further this research.
– Impact on the University of Michigan community
  – Many other projects face similar problems
  – Bandwidth allocation is already an issue on campus (Napster).

3 Participants
– UMICH - Physics, LS&A, ITCom, OVPR
– Merit
– UCAID
– ANL
– CERN
– PSC

4 Vision
– Reliable high speed end to end service
  – Cross campus
  – To external sites across high speed (Internet2) networks
– Automated access and network configuration
– Use of existing infrastructure
– Currently requires hands on at every stage
– Divide and conquer
  – network tuning
  – security component
  – automated network configuration

5 Project Goals
– Realize authenticated bandwidth reservation signaling
– Integration and extension of existing work and infrastructure
– Distributed authorization proof of concept
– Implement the architecture for demonstration, pre-production, and future research

6 Not Project Goals
– Answer all distributed authorization design questions
– Network tuning
– Aggregate traffic issues
– Multicast bandwidth reservation
– Production system

7 Architecture
– Construct end point QoS network domains
– Use QoS features in existing routers
– Over provision connecting networks
– No change to application
  – QoS reservation communication via a web interface
  – Routers mark packets, not application

8 QoS Network Domain
– Bandwidth broker
– Authorization service
– LDAP directory service
– X509 security infrastructure
– Routers with packet-marking and policing features

9 Network Path
(Diagram.) Sites on the path: CITI, Physics, ITCom and UMICH; Merit; Startap; Argonne; Cleveland; Abilene; CERN; PSC. Link labels shown: 622M, 100M, 622M, 45M, 622M. Bandwidth brokers (BB) are shown at two points along the path.

10 Bandwidth Broker
– GARA, from ANL
– Integrated with their Grid reservation system
– X509 based authentication
– Flat file access control for authorization
– No inter bandwidth broker communication

11 Authentication
– Globus PKI based GSSAPI_SSLEAY
– Globus user proxy
  – Obviates the need for multiple password entry
  – Enables remote services to act on the user's behalf
– No CA peering: exchange self-signed CA certificates
– UMICH Kerberos solution: KX509 - junk keys
  – Short term keys granted with valid kerberos identity
  – Stored in kerberos ticket cache

12 (Diagram, untitled.) Globus authentication flow. Components: Globus Client with Globus gssapi_ssleay, Gatekeeper, Resource Manager, Home Directory, GARA, Router, WS. Credentials and steps shown: X509 long lived creds, globus-proxy-init, X509 proxy creds.

13 Problems with long lived keys
– Limited access to private key, not mobile
– The longer you distribute a public key, the more places it is cached, and the more problematic revocation becomes.
– Short-lived kx509 generated ‘junk keys’ address these problems

14 Kx509 Authentication
(Diagram.) Components: Globus Client with Globus gssapi_ssleay, Gatekeeper, Resource Manager, Home Directory, Kerberos Ticket Cache, Kerberos DB, Kerberos CA (KCA), GARA, Router, WS. Credentials and steps shown: kinit, KCA ticket, kx509, X509 junk-key creds, globus-proxy-init, X509 proxy creds.

15 Distributed Authorization
– Problem: Local users, remote resources
  – Ideally, no copying of user or resource data
  – In common case, no extra communication
– Solution we will explore:
  – Common LDAP namespace and schema
  – Pass authorization attributes with identity
  – Requires the ability to do SSL mutual authentication between remote sites

16 Authorization Server
– Akenti access control system from lbl.gov
  – Policy engine that can express complex policies
  – User attributes, resource use-conditions
  – Distributed management from many sources
– LDAP back end
  – Internet2 middleware working group schema
  – Akenti data

17 Akenti Authorization
– LDAP schema required for users, resources, user-attributes and use-conditions
– user-attributes are assigned to users
– use-conditions are assigned to resources
– Access for a user to a resource is determined by comparing user attributes to resource use-conditions

18 Local Akenti Authorization
(Diagram: Akenti LDAP back end)
User: alice
  – internet2_bw_group
  – umich_staff_group
  – 10MB_bandwidth
  – ...
Resource: subnet-1
  – member umich_staff_group
  – not member bad_users_group
  – member internet2_bw_group
  – 10MB or less bandwidth request
– Akenti policy engine receives a request:
  – can Alice reserve 10MB of bandwidth on subnet-1?
– All data required to make the decision is held locally in the Akenti/LDAP service
– Since Alice holds all the necessary attributes required by the resource, access is granted.

19 Akenti Authorization of Remote Resource
(Diagram: Akenti LDAP back end; user attributes sent to the remote service)
User: alice
  – internet2_bw_group
  – umich_staff_group
  – 10MB_bandwidth
Resource: subnet-1
  – member umich_staff_group
  – not member bad_users_group
  – member internet2_bw_group
  – 10MB or less bandwidth request
– Akenti policy engine receives a request:
  – can Alice reserve 10MB of bandwidth on remote subnet-1?
– User data required to make the decision is held locally
– Resource data held by remote Akenti/LDAP service
– Send user identity and appropriate attributes to the remote Akenti/LDAP service over secure channel

20 Akenti Authorization of Remote Resource
(Diagram: Akenti LDAP back end; access granted)
User: alice
  – internet2_bw_group
  – umich_staff_group
  – 10MB_bandwidth
Resource: subnet-1
  – member umich_staff_group
  – not member bad_users_group
  – member internet2_bw_group
  – 10MB or less bandwidth request
– Akenti policy engine receives a request:
  – can Alice reserve 10MB of bandwidth on remote subnet-1?
– Remote Akenti/LDAP service compares the user attributes received off the wire to the resource use-conditions.
– Since Alice holds all the necessary attributes required by the resource, access is granted
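As an added example (not Akenti's code or API, and not from the original slides), the following models the comparison of user attributes to resource use-conditions from slides 17 and 18 and the local/remote split from slides 19 and 20. The condition kinds, the dictionary layout and the export format are assumptions; the sample user and resource are constructed from the slide's Alice/subnet-1 example.

```python
# Added example (not Akenti's code or API): a simplified model of the
# attribute/use-condition comparison described on slides 17-20.
# Condition kinds, field names and the export format are assumptions.

# Constructed sample data taken from the slide's example.
ALICE = {
    "identity": "alice",
    "attributes": {"internet2_bw_group", "umich_staff_group", "10MB_bandwidth"},
}
SUBNET_1 = {
    "name": "subnet-1",
    "use_conditions": [
        ("member", "umich_staff_group"),
        ("not_member", "bad_users_group"),
        ("member", "internet2_bw_group"),
        ("max_request_mb", 10),  # "10MB or less bandwidth request"
    ],
}

def condition_holds(cond, attributes, request_mb):
    """Evaluate one use-condition against a user's attributes and the request."""
    kind, value = cond
    if kind == "member":
        return value in attributes
    if kind == "not_member":
        return value not in attributes
    if kind == "max_request_mb":
        return request_mb <= value
    # Fail closed: an unknown condition kind never grants access.
    return False

def authorize_local(user, resource, request_mb):
    """Slide 18: every use-condition on the resource must hold for the user."""
    return all(condition_holds(c, user["attributes"], request_mb)
               for c in resource["use_conditions"])

def export_attributes(user):
    """Slide 19: what the local realm sends to the remote Akenti/LDAP service:
    identity plus attributes only, so no user record has to be copied."""
    return {"identity": user["identity"], "attributes": sorted(user["attributes"])}

def authorize_remote(wire_attrs, resource, request_mb):
    """Slide 20: the remote service decides from attributes received off the wire.
    Those attributes are only trustworthy because the channel is mutually
    authenticated (slide 15); the caller must pass attributes from that channel."""
    user = {"identity": wire_attrs["identity"], "attributes": set(wire_attrs["attributes"])}
    return authorize_local(user, resource, request_mb)
```

A request of 11MB, or a user who is a member of bad_users_group, is denied by the same comparison, whether evaluated locally or from exported attributes.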

21 Common Namespace
– Necessary to communicate distributed authorization decision parameters
– Enables minimal replication of resource and user data
– Complicates namespace administration, simplifies authorization communication
– Each authorization realm assigns local values

22 (Diagram, untitled.) Components: Globus Client, Gatekeeper (GK), Resource Manager (RM), Router, CPU, GARA, GARA Access File, Authorization_API, and two Akenti/LDAP services. Label shown between the Akenti/LDAP services: user attributes.

23 Status
– Completed kx509 integration
– Configured and tested GARA to reserve bandwidth on Cisco 7500 at UMICH
– Preparing to test with remote bandwidth reservation ANL and CERN using current functionality
– Netscape LDAP with Internet2 Eduperson schema
– Just starting work with Akenti

24 Questions?
– http://www.citi.umich.edu/projects/qos
– http://www.globus.org
– http://www-itg.lbl.gov/security/Akenti
