ESnet RADIUS Authentication Fabric
Michael Helm, ESnet/LBNL
Cybersecurity Summit, 27 Sep 2004
ESnet mid-2004
[Figure: ESnet network map, mid-2004. 42 end user sites: Office of Science sponsored (22), NNSA sponsored (12), joint sponsored (3), other sponsored (NSF LIGO, NOAA), laboratory sponsored (6). Sites shown include LBNL, SLAC, PNNL, LANL, LLNL, SNL, ORNL, ANL, BNL, FNAL, AMES, PPPL, JLAB, NERSC, GA, SDSC, MIT, NOAA, LIGO, INEEL, SRS, PANTEX, KCP, OSTI/ORAU and others. Link types: international (high speed), OC192 (10 Gb/s optical), OC48 (2.5 Gb/s optical), Gigabit Ethernet (1 Gb/s), OC12 ATM (622 Mb/s), OC12, OC3 (155 Mb/s), T3 (45 Mb/s), T1-T3, T1 (1 Mb/s); Qwest ATM. ESnet core: Packet over SONET optical ring and hubs (SNV, CHI, ATL, DC, ELP, SEA); peering points: MAE-E, Fix-W, PAIX-W, MAE-W, NY-NAP, PAIX-E, Equinix. International peers include SInet and KDDI (Japan), Japan–Russia (BINP), CA*net4, MREN, Netherlands, Russia, StarTap, Taiwan (ASCC, TANet2), France, Switzerland, Australia, Singaren.]
ESnet Provides Full Internet Service to DOE Facilities and Collaborators with High-Speed Access to Major Science Collaborators
[Figure: ESnet IP core with hubs at New York (AOA), Chicago (CHI), Sunnyvale (SNV), Washington, DC (DC), El Paso (ELP) and Atlanta (ATL); Abilene high-speed peering points; CERN (DOE link); GEANT (Europe: Germany, France, Italy, UK, etc.); Starlight / Chi NAP; Asia-Pacific; DOE/OSC Labs; existing and new hubs.]
A New ESnet Architecture: Science Data Network + IP Core
[Figure: the ESnet IP core alongside the ESnet Science Data Network (2nd core), joined by metropolitan area rings; existing hubs, new hubs and possible new hubs; CERN.]
ESnet ATF Project: Authentication, Trust & Federation Services for DOE Office of Science
• Certification Authorities
– ESnet Root CA
– DOEGrids CA
– NERSC CA – NERSC's "myProxy-NIM" integration
– ESnet SSL Server CA – soon to expand
• Scope
– X.509/PKIX certificates for Office of Science supported research and collaborations
– Grids; TLS; experimental uses
• Rigorous security
– Industry best practices
– Hardware Security Modules (HSM)
• Services
– People, host, and service certificates
– Key lifecycle management
– User interface development and automation
– Grid integration
DOEGrids Security
[Figure: layered protection of the DOEGrids PKI systems: an offline, vaulted root CA on a Hardware Security Module; HSMs and access-controlled racks inside a secure data center, surrounded by building security and LBNL site security; a firewall and intrusion detection between the PKI systems and grid users on the Internet.]
ESnet PKI Project (2)
• Federation and Standards
– DOEGrids supports 15 distinct "Registration Authorities"
• Two are in progress for addition (LCG and EPA-NCC)
– Regional peering – "Americas" PMA, TERENA, Asia-Pacific
– Global Grid Forum
• CAOPS (TG chair)
• PGP key server
New Initiatives:
• GIRAF – Grid Integrated RADIUS Authentication Fabric
• Fusion Grid PKI – support "myProxy" integration
• Remote Hardware Security Module operation
– Response to ESnet's challenge to provide redundant CA services
• Mozilla browser integration
• SIRS – Security Incident Response Services
What Does the RAF Do?
[Figure: four sites (NERSC, ANL, ORNL, PNNL), each with its own RADIUS server (r) and OTP service, peer through a central ESnet RADIUS server (R). Realms: anl.gov, nersc.gov, pnnl.gov, ornl.gov, es.net. Each RADIUS server carries the list of site realms (anl.gov, nersc.gov, pnnl.gov, ornl.gov) used to route requests to the site that owns the realm.]
What Is the Grid Integrated RAF?
• Proposal Apr 2004
• Special case of GridLogon
[Figure: the ESnet RAF Federation (realms anl.gov, nersc.gov, pnnl.gov, ornl.gov) integrated with the ESnet PKI. Components: site RADIUS server; application with PAM; ESnet RADIUS server with AuthDB; site OTP services; ESnet Root CA signing an HSM-backed subordinate CA engine; OCSP; MyProxy credential store; SIPS. Numbered flow: 1 log in; 2 ask AuthN (with hint); 3 OTP verification; 4 Auth OK, namestring returned; 4 sign proxy (subordinate CA); 5 receive proxy cert; 6 (optional) store proxy in MyProxy; 7 execute.]
RAF Benefits & Features
• O(n) peering
• Authorization decision controlled by site (sound familiar?)
• Single token per person
• Interoperability on an open, standard, industry-supported AAA protocol
• WAN use of RADIUS (RFC 2865)
• Federation
• Replication
ESnet RAF Architecture
[Figure: an ESnet RAF core of RADIUS proxy routers, connected to Site 1, Site 2 ... Site n over IPsec VPN tunnels on the IP network. Each site runs its own RADIUS server, an AuthN authority (OTP) and applications acting as RADIUS clients (Rc).]
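The federation mechanics behind the "O(n) peering" and "WAN use of RADIUS (RFC 2865)" bullets, and the proxy routers in the architecture figure, can be shown concretely. The following Python is an added example written for this page, not ESnet's RAF code: it routes a User-Name of the form user@realm to the site that owns the realm, frames an RFC 2865 Access-Request with the User-Password hiding the RFC specifies, performs the per-hop re-hiding a proxy router does before forwarding, and verifies the Response Authenticator on the site's reply. The realm table, hostnames and shared secrets are constructed placeholders, not ESnet or site configuration.

```python
"""Realm-routed RADIUS proxying with RFC 2865 framing (added example)."""
import hashlib
import hmac
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ATTR_USER_NAME, ATTR_USER_PASSWORD = 1, 2

# Constructed hub routing table: realm -> (next-hop RADIUS server, shared secret).
# Hostnames and secrets are placeholders, not any real deployment's values.
REALM_TABLE = {
    "anl.gov":   ("radius.anl.example",   b"anl-hub-secret"),
    "nersc.gov": ("radius.nersc.example", b"nersc-hub-secret"),
    "pnnl.gov":  ("radius.pnnl.example",  b"pnnl-hub-secret"),
    "ornl.gov":  ("radius.ornl.example",  b"ornl-hub-secret"),
}


def split_nai(user_name):
    """Split user@realm (Network Access Identifier); realms compare case-insensitively."""
    if "@" not in user_name:
        raise ValueError("no realm in User-Name; the hub cannot route it")
    user, realm = user_name.rsplit("@", 1)
    return user, realm.lower()


def route(user_name):
    """Return (realm, next_hop, secret); unknown realms are refused, not guessed."""
    _, realm = split_nai(user_name)
    if realm not in REALM_TABLE:
        raise KeyError(f"unknown realm {realm!r}")
    host, secret = REALM_TABLE[realm]
    return realm, host, secret


def hide_password(password, secret, authenticator):
    """RFC 2865 5.2 User-Password hiding: 16-byte blocks XORed with chained MD5(secret + prev)."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        block = bytes(a ^ b for a, b in zip(padded[i:i + 16], key))
        out, prev = out + block, block
    return out


def unhide_password(hidden, secret, authenticator):
    """Inverse of hide_password; anyone holding the shared secret can do this."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        key = hashlib.md5(secret + prev).digest()
        block = hidden[i:i + 16]
        out, prev = out + bytes(a ^ b for a, b in zip(block, key)), block
    return out.rstrip(b"\x00")


def attr(atype, value):
    """Type-Length-Value attribute; Length counts the two header bytes."""
    return struct.pack("BB", atype, len(value) + 2) + value


def parse_attrs(data):
    attrs, pos = [], 0
    while pos < len(data):
        atype, alen = struct.unpack("BB", data[pos:pos + 2])
        if alen < 2 or pos + alen > len(data):
            raise ValueError("malformed attribute")
        attrs.append((atype, data[pos + 2:pos + alen]))
        pos += alen
    return attrs


def build_access_request(ident, authenticator, user_name, otp, secret):
    """Access-Request: Code, Identifier, Length, 16-byte Request Authenticator, attributes."""
    attrs = attr(ATTR_USER_NAME, user_name.encode()) + \
        attr(ATTR_USER_PASSWORD, hide_password(otp.encode(), secret, authenticator))
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + authenticator + attrs


def response_authenticator(code, ident, attrs, request_authenticator, secret):
    """RFC 2865 3: MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return hashlib.md5(header + request_authenticator + attrs + secret).digest()


def build_response(code, ident, attrs, request_authenticator, secret):
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return header + response_authenticator(code, ident, attrs, request_authenticator, secret) + attrs


def verify_response(packet, request_authenticator, secret, expected_ident):
    """Accept a reply only if its Identifier matches an outstanding request and the
    Response Authenticator checks under the shared secret for that peer."""
    if len(packet) < 20:
        return False
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet) or ident != expected_ident:
        return False
    expected = response_authenticator(code, ident, packet[20:], request_authenticator, secret)
    return hmac.compare_digest(packet[4:20], expected)


def proxy_rehide(packet, in_secret, out_secret, new_ident, new_authenticator):
    """What a proxy router does per hop: recover User-Password under the inbound
    secret, re-hide it under the next hop's secret with a fresh Request Authenticator."""
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if code != ACCESS_REQUEST or length != len(packet):
        raise ValueError("not a well-formed Access-Request")
    old_auth, rebuilt = packet[4:20], b""
    for atype, value in parse_attrs(packet[20:]):
        if atype == ATTR_USER_PASSWORD:
            clear = unhide_password(value, in_secret, old_auth)
            value = hide_password(clear, out_secret, new_authenticator)
        rebuilt += attr(atype, value)
    return struct.pack("!BBH", ACCESS_REQUEST, new_ident, 20 + len(rebuilt)) + new_authenticator + rebuilt
```

Two properties of the protocol stand out once it is written down. The User-Password hiding is reversible by any party holding the shared secret, and an Access-Request carries no integrity check of its own; only the reply is authenticated, and only against the immediate peer. Every proxy hop therefore sees the one-time password in clear and must be trusted, which is why the RAF carries inter-site RADIUS over IPsec VPN (the "Integrity & Security – VPN" item on the issues slide) and why EAP/TLS appears among the long-term protocol options.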
RAF Current Issues
• Reliability – Replication
– Currently a RAF issue, but also applies to site RADIUS/OTP
• * Federation
• * Application Integration
– Where's our "Grid Integration" solution?
– PAM – more layers!
• * Name management (Fed/App Integration)
– Essential issue for Grid integration
• *? OTP Service Reliability
– "Transit time"; resync; loss
• *? Integrity & Security
– VPN – see later
• Market research – size/scope of deployment
* Grid issue. Current: 6 – 18 mos
RAF Current Issues
[Figure: the RAF federation diagram (NERSC, ANL, ORNL and PNNL site RADIUS servers and OTP services around the central ESnet RADIUS server; realms anl.gov, nersc.gov, pnnl.gov, ornl.gov) annotated with where each issue lives: Reliability/Replication, Integrity/Security, OTP/C&R, Federation, Transit time, Application Integration.]
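The OTP service reliability items ("transit time", resync, loss) come down to how a verifier treats codes that a token generated but the server never saw. The block below is an added illustration, not ESnet's or any site's OTP service: it implements a counter-based HMAC one-time password (HOTP, RFC 4226, published after this talk) with a look-ahead window that absorbs lost codes, refuses replay of a code already consumed, and a two-code resync for a token that has drifted beyond the window. The secret is the RFC 4226 test-vector key, chosen only so the expected values are checkable.

```python
"""Counter-based OTP verifier with look-ahead window and resync (added example)."""
import hashlib
import hmac
import struct

# RFC 4226 test-vector secret; a real token has its own per-device seed.
DEMO_SECRET = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HOTP value for one counter: HMAC-SHA1, dynamic truncation, mod 10^digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = ((mac[offset] & 0x7F) << 24 | mac[offset + 1] << 16
            | mac[offset + 2] << 8 | mac[offset + 3]) % (10 ** digits)
    return f"{code:0{digits}d}"


def _match(secret: bytes, counter: int, code: str) -> bool:
    """Constant-time comparison of a submitted code against one counter value."""
    return hmac.compare_digest(hotp(secret, counter).encode(), code.encode())


class HotpVerifier:
    """Server-side state for one token.

    `counter` is the next value the server expects. Codes for
    counter .. counter+window-1 are accepted, because transit delays and
    lost presses leave the token ahead of the server. Anything older is a
    replay and is refused. Anything further ahead needs an explicit resync.
    """

    def __init__(self, secret: bytes, window: int = 3, resync_window: int = 20):
        self.secret = secret
        self.counter = 0
        self.window = window
        self.resync_window = resync_window

    def verify(self, code: str) -> bool:
        for c in range(self.counter, self.counter + self.window):
            if _match(self.secret, c, code):
                self.counter = c + 1  # consume this value and every skipped one
                return True
        return False

    def resync(self, first: str, second: str) -> bool:
        """Two consecutive codes are required; one code far ahead is not enough."""
        for c in range(self.counter, self.counter + self.resync_window):
            if _match(self.secret, c, first) and _match(self.secret, c + 1, second):
                self.counter = c + 2
                return True
        return False
```

The window size is the operational knob behind "transit time": wider windows tolerate more lost codes but give a guesser more valid values per attempt, so a verifier pairs the window with a failed-attempt lockout and keeps resync a separate, two-code path rather than silently widening the window.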
RAF Long Term* Issues
• RAF support for other protocols
– Kerberos
– Web services
– EAP/TLS
• MyProxy protocol
• End to end integrity
– "AuthA" protocol
– Session hijacking (client)
• Application integration
– Always an issue
– Architecture: fan-out/gateway
– Firewalls
• RADIUS
* 12 – 48 mos
AuthA
An OTP-based key-exchange technology that offers protection against:
• capture of the user's password
• capture of the server's password database
• dictionary attacks on the user's password
• denial-of-service attacks
An OTP-based DH key-exchange technology that allows users to connect from an untrusted terminal and still preserve the privacy of data transmitted on the wire:
• confidentiality, authenticity, and integrity of the data
• mutual authentication of the user and the server
Technology publication: M. Abdalla, O. Chevassut, and D. Pointcheval, "One-time Verifier-based Encrypted Key Exchange", submitted for publication to the 8th International Workshop on Practice in Public-Key Cryptography, Feb 2005.
EduROAM
• TERENA Mobility TF
http://www.terena.nl/tech/task-forces/tf-mobility
• Initiative to support _roaming_
– Hence, 802.1x support
– Wireless
• Motivation is a little different
– Roaming vs collaboration
• Architecture is similar
– Key difference: DOE lab OTP
• Beginning interoperability discussion
Cross-domain 802.1X with VLAN assignment
[Figure: a guest supplicant (piet@institution_b.nl) visiting Institution A authenticates through the authenticator (AP or switch) to Institution A's RADIUS server, which forwards the request over the Internet via a central RADIUS proxy server to Institution B's RADIUS server and user DB; on success the user is placed in the appropriate VLAN (Student, Guest or Employee). Data and signalling paths are drawn separately.]
Conclusion
• Successful RAF demonstration project
• Engineering and user experience issues
• Ready to proceed to pilot
• Need Grid integration
• European liaison possible
• First step toward Auth Fabric
– Support more protocols
– Federation
– Successor to RADIUS
• http://www.es.net/raf
• http://www.doegrids.org
Demo
• http://topaz.es.net/secure/index.html
• http://panda.ccs.ornl.gov/radius/index.html
Fusion Grid Firewall Issues
Michael Helm, ESnet/LBNL
GGF-12 Sec Workshop, 18 Sep 2004
FusionGrid Use Case
Comments
• Each site is protected by a firewall
• Different firewall technology
• OTP is probably a feature
• Need single sign-on, delegation, autonomous processes...
Fusion Grid
• Use case comes from Dave Schissel
• Evolved from discussion of OTP
– 2 of 3 labs in FusionGrid already have a SecurID infrastructure
• Need direct support
• Need to identify path to solution