Authenticated QoS Project Overview Andy Adamson Research Investigator Center for Information Technology Integration University of Michigan Ann Arbor.


1 Authenticated QoS Project Overview
Andy Adamson, Research Investigator
Center for Information Technology Integration
University of Michigan, Ann Arbor

2 Collaborators
Shawn McKee, University of Michigan
Olivier Martin, Daniel Davids, and Martin Fluckiger, Jean-Philippe Martin-Flatin, CERN
University of Michigan Department of Physics; University of Michigan College of Literature, Science, and the Arts; University of Michigan Office of the Vice President for Research; Merit; University Corporation for Advanced Internet Development (UCAID); European Organization for Nuclear Research (CERN); Argonne National Laboratory; The Globus Project; EU DataGrid; EU DataTAG

3 End to End Performance
Reliable high-speed end to end network services are important to scientific collaborators
  –Video, audio, large data transfers
Long haul networks demonstrate good performance due to overprovisioning
The last-mile is often a network bottleneck

4 End to End Pragmatics
Reliable end-to-end network service is achieved by reserving network resources within end-point institution networks, coupled with the good performance of overprovisioned long haul networks.

5 Automated Reservation
QoS functionality is a common feature in network hardware.
QoS configuration is currently done by hand.
We address the need for an automated network reservation system.
Security of all communications is vital.
Difficult security problem due to cross-domain nature of end-to-end network resource allocation.

6 Based on Globus
GARA GRID network reservation service
GSI: PKI based cross-domain authentication
  –Requires user PK credentials
Our contributions:
  –Fine-grained cross-domain authorization
  –PK credentials based on Kerberos identity
  –Secure web interface

7 Cross-domain Authorization
Use existing local group services
  –Avoid replicating data and management tasks
Group name-space shared by domains
  –Local administrators manage group membership as usual
KeyNote Policy Engine makes authorization decision

8 Cross-domain Authorization
KeyNote Policy Engine makes authorization decision
Fine-grained authorization expressed in KeyNote policy rules
  –Group membership
  –Amount of bandwidth allowed
  –Time/duration of reservation

9 Local Authorization
Local GARA queries local service to learn the user's group memberships.
Memberships are passed into KeyNote along with reservation request parameters.
KeyNote compares input parameters to rules.
If authorized, the local GARA:
  –Packages username and group membership.
  –Signs the package with a private PK key.
  –Adds it to the reservation request forwarded to the remote GARA.

10 Remote Authorization
Remote GARA verifies signature, then accepts the user name/group membership from the wire.
Group membership is passed into KeyNote along with reservation request parameters.
KeyNote compares input parameters to the rules to make authorization decision.

11 Demonstration
UMICH, iGrid 2002, CERN
Reservation fails if:
  –User not in correct group
  –Bandwidth request out of bounds
  –Time of day request out of bounds
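The local-sign, remote-verify flow of slides 9 and 10 and the three failure cases of slide 11, as an added example that is not code from the presentation, GARA or KeyNote. Assumptions: Ed25519 stands in for the unspecified PK signature, the `Rule` struct stands in for a KeyNote policy rule, and all names and values are constructed for illustration.

```go
package main

import (
	"crypto/ed25519"
	"encoding/json"
	"fmt"
)

// Assertion is what the local GARA signs: user name plus group memberships.
type Assertion struct{ User string; Groups []string }

// Rule stands in for one KeyNote policy rule (plain struct, not KeyNote syntax).
type Rule struct {
	Group            string
	MaxMbps          int
	FromHour, ToHour int // allowed start hours, [FromHour, ToHour)
}

// SignAssertion is the local side: serialize the package and sign it.
func SignAssertion(priv ed25519.PrivateKey, a Assertion) (msg, sig []byte) {
	msg, _ = json.Marshal(a) // cannot fail for this struct
	return msg, ed25519.Sign(priv, msg)
}

// Authorize is the remote side: verify first, then trust groups from the wire.
func Authorize(pub ed25519.PublicKey, msg, sig []byte, mbps, hour int, r Rule) error {
	var a Assertion
	if !ed25519.Verify(pub, msg, sig) || json.Unmarshal(msg, &a) != nil {
		return fmt.Errorf("bad signature or package")
	}
	inGroup := false
	for _, g := range a.Groups {
		inGroup = inGroup || g == r.Group
	}
	switch {
	case !inGroup:
		return fmt.Errorf("user not in correct group")
	case mbps <= 0 || mbps > r.MaxMbps:
		return fmt.Errorf("bandwidth request out of bounds")
	case hour < r.FromHour || hour >= r.ToHour:
		return fmt.Errorf("time of day request out of bounds")
	}
	return nil
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(nil) // constructed demo key pair
	msg, sig := SignAssertion(priv, Assertion{"alice", []string{"atlas"}})
	fmt.Println(Authorize(pub, msg, sig, 50, 10, Rule{"atlas", 100, 8, 18}))
}
```

The signature here covers only the user name and groups, as on the slides; a signed package that is not bound to one request can be replayed with different reservation parameters.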

12 [Architecture diagram. Labels: Cisco 6506, GARA Service, AFS PTS Group Service, Web Server, GARA Client, KCA, KCT/KDC, Browser, CITI.UMICH.EDU, ATLAS.UMICH.EDU, IGRID2002, GARA Service, Cisco 7206, KINIT, KX509, SSL, RX, GSI, TELNET, SSH, MJpeg, Host, Video Conference]

13 Any questions?
http://www.citi.umich.edu/

