GEC5 Security Summary Stephen Schwab Cobham Analytical Services July 21, 2009.
Page 1: GEC5 Security Summary Stephen Schwab Cobham Analytical Services July 21, 2009.

GEC5Security Summary

Stephen Schwab

Cobham Analytical Services

July 21, 2009

Page 2

Outline

• GENI Security Architecture – plans

• GENI Clusters & Projects – status chart

• GENI Clusters – identity/authentication & authorization diagrams

• GENI Security call-outs for other notable projects

Page 3

GENI Security Architecture

• Revised Document Posted on GENI wiki

• Includes “As-built” discussions on each control framework

• At least one more revision in August

Page 4

Security Chart (columns: Cluster, Project Name, CH, CM/AM, Spiral 2)

Cluster A
– TIED: Federation using ABAC

Cluster B
– PlanetLab: SFA-based GENIwrappers
– EnterpriseGENI: Uses PL CH as a trusted authority
– Gush: Proto Tools
– ProvisioningService (Raven): Tools
– Mid-Atlantic Crossroads
– GpENI
– Internet Scale Overlay Hosting

Cluster C
– ProtoGENI: CH and AMs using UUID/HRN
– Dtunnels
– CMULab
– InstrumentationTools: Measurement Plane; On track
– MeasurementSystem: Measurement Plane; Needs Work
– ProgrammableEdgeNode: Not in Spiral 1
– DigitalObjectRegistry: Registry for CH; Unknown
– MillionNodeGENI: Language-based; N/A

Cluster D
– ORCA/BEN: Shirako (ticket) based
– DOME
– ViSE
– KanseiSensorNet
– Embedded Real-Time Measurements: Measurement Plane

Cluster E
– ORBIT
– WiMAX

Cluster ?
– RegionalOptIn

All clusters
– GENIMetaOps: External Operations
– GENISecurity: Security Architecture
– GENIFourYearColleges
– Data Plane Measurements: Measurement Plane

None
– OpticalAccessNets: No connectivity

Key: Control Plane

Page 5

PlanetLab

• Cluster B

Page 6

Identifiers

• GID consists of
– UUID generated as per RFC4122 v4
– HRN (resolvable nicknames)
– An SSL X.509 certificate with parent field

• The GID is stored in the subject-alt-name of the certificate
– The authority that is responsible for the entity authenticates it by signing the certificate

Page 7

Authentication

• Authentication is done on the basis of the certificate that is signed by the responsible authority.

• Authentication implies no permission – the certificate just indicates identity

Page 8

Identity and Authentication

Components: GID, Slice and User Registry, Slice Manager, PlanetLab Central, Aggregate Manager

1. Generate self-signed certificate authority. The PlanetLab Consortium serves as top-level slice,
2. Register root certificate with registry
3. Register: PLC generates a certificate that includes a UUID (public key) and HRN in the subject-alt-name field. The subject-public-key contains the user public key. It is signed by the PLC.
3a. Request a GID by sending 1024-bit RSA public key
4. Register user with registry

Page 9

Authorization

• Based on credentials; credentials grant privileges to users

Page 10

Components: GID, Slice Authority, PlanetLab Central, Slice Manager, Aggregate Manager, Component Manager, Compute Cluster, Network, Storage, Measurement, Registries (Slice & User Registry, ResourceStatusService)

1. Verify user credentials and authorize him to perform slice creation
2. List Resources: On behalf of the user, the SM calls each peer AM to learn of available resources.
3. Request Ticket: User selects components, creates Rspec. If request is granted, the AM signs the request and returns a ticket
4. GetTicket: the ticket is defined by a 5-tuple, (GIDCaller, GIDObject, Attribs, Rspec, Delegate). The GetTicket operation is completed by the AM
5. Redeem Ticket: User redeems the ticket causing the sliver to be created. The Rspec defines the resources bound to the slice.
6. SM maintains a database of all slices created with the resources used.
7. Start Sliver: User requests sliver to be brought to running state
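The GID and ticket flow on the PlanetLab slides (pages 6 to 10), as an added worked example that is not code from the slides or from the GENI/PlanetLab projects. It shows the two separate steps the slides insist on: authenticating a GID (UUID, HRN and public key bound by the issuing authority's signature) proves identity only, while the signed 5-tuple ticket (GIDCaller, GIDObject, Attribs, Rspec, Delegate) is what gets checked at redemption. All names, keys and secrets are constructed, the Rspec is a placeholder, an HMAC over canonical JSON stands in for the X.509/RSA signature the real framework uses, and the Delegate rule in redeem_ticket is an assumed reading of the tuple, not something the slides state.

```python
"""Constructed model of the GID and ticket flow on the PlanetLab slides.

Not code from the slides or the GENI/PlanetLab projects.  An HMAC over a
canonical JSON serialization stands in for the X.509/RSA signature of the
real framework so this runs on the standard library alone.
"""
import hashlib
import hmac
import json
import uuid


class Authority:
    """A signer: PlanetLab Central for GIDs, an Aggregate Manager for tickets."""

    def __init__(self, hrn: str, secret: bytes):
        self.hrn = hrn
        self._secret = secret  # stand-in for the authority's private key (constructed)

    def sign(self, payload: dict) -> str:
        # Fixed key order and separators, so equal payloads give equal bytes.
        data = json.dumps(payload, sort_keys=True, separators=(",", ":")).encode()
        return hmac.new(self._secret, data, hashlib.sha256).hexdigest()

    def verify(self, payload: dict, signature: str) -> bool:
        return hmac.compare_digest(self.sign(payload), signature)


def issue_gid(authority: Authority, hrn: str, public_key: str) -> dict:
    """Identity diagram step 3: the authority creates and signs the GID."""
    gid = {
        "uuid": str(uuid.uuid4()),  # RFC 4122 version 4
        "hrn": hrn,                  # resolvable nickname
        "public_key": public_key,    # subject public key (a constructed string here)
        "issuer": authority.hrn,     # stands in for the certificate's parent/issuer field
    }
    return {"gid": gid, "signature": authority.sign(gid)}


def authenticate(authority: Authority, signed_gid: dict) -> bool:
    """Identity only: a valid signature says who the holder is, not what they may do."""
    return authority.verify(signed_gid["gid"], signed_gid["signature"])


def get_ticket(am: Authority, caller: dict, obj: dict, attribs: dict,
               rspec: str, delegate: bool = False) -> dict:
    """GetTicket (slice diagram step 4): the AM signs the 5-tuple and returns it."""
    ticket = {"GIDCaller": caller["uuid"], "GIDObject": obj["uuid"],
              "Attribs": attribs, "Rspec": rspec, "Delegate": delegate}
    return {"ticket": ticket, "signature": am.sign(ticket)}


def redeem_ticket(am: Authority, signed_ticket: dict, presenter: dict, slc: dict):
    """Redeem Ticket (step 5): verify the AM signature and the bindings before a
    sliver is created.  Treating Delegate=False as "only GIDCaller may redeem"
    is an assumed reading of the 5-tuple, not stated on the slides.
    Returns (accepted, reason)."""
    t = signed_ticket["ticket"]
    if not am.verify(t, signed_ticket["signature"]):
        return False, "AM signature does not match ticket contents"
    if t["GIDObject"] != slc["uuid"]:
        return False, "ticket is bound to a different slice"
    if not t["Delegate"] and t["GIDCaller"] != presenter["uuid"]:
        return False, "non-delegable ticket presented by someone other than GIDCaller"
    return True, "sliver created from Rspec " + t["Rspec"]


def demo() -> dict:
    """Runs the flow on constructed names and keys and returns the outcomes."""
    plc = Authority("plc", b"constructed-plc-secret")    # PlanetLab Central
    am = Authority("plc.am1", b"constructed-am-secret")   # one Aggregate Manager
    alice = issue_gid(plc, "plc.princeton.alice", "RSA-PUB-ALICE")
    bob = issue_gid(plc, "plc.princeton.bob", "RSA-PUB-BOB")
    slc = issue_gid(plc, "plc.princeton.alice_exp", "RSA-PUB-SLICE")

    rspec = "<rspec><node id='pl1'/></rspec>"  # placeholder Rspec
    ticket = get_ticket(am, alice["gid"], slc["gid"], {"expires": "2009-08-01"}, rspec)
    # Rspec changed after signing: the AM signature no longer covers the contents.
    modified = {"ticket": dict(ticket["ticket"], Rspec=rspec + "<node id='pl2'/>"),
                "signature": ticket["signature"]}

    return {
        "alice_authenticated": authenticate(plc, alice),
        "bob_authenticated": authenticate(plc, bob),  # true, yet bob holds no ticket
        "redeem_by_alice": redeem_ticket(am, ticket, alice["gid"], slc["gid"])[0],
        "redeem_by_bob": redeem_ticket(am, ticket, bob["gid"], slc["gid"])[0],
        "redeem_modified": redeem_ticket(am, modified, alice["gid"], slc["gid"])[0],
    }


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(name, outcome)
```

Both users authenticate, because both GIDs carry a valid PLC signature; only the holder named in a ticket the AM signed gets a sliver, and a ticket whose Rspec was altered after signing fails the signature check first. The canonical serialization in Authority.sign is what makes the signature cover the whole tuple; in the real framework the certificate and credential encodings play that role.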

Page 11

ProtoGENI

• Cluster C

Page 12

Identifiers

• GID consists of
– UUID (ex: a0f4)
– HRN (resolvable nicknames)
– An SSL certificate

• The GID is stored in the DN of the SSL certificate
– Cert issued by home emulab that authenticates entity in GENI
– DN also includes email address

Page 13

Authentication

• Authentication is done on the basis of the SSL certificate that is signed by the home emulab

• Authentication implies no permission, SSL certificate just indicates identity

Page 14

Identity and Authentication

Components: GID, ProtoGENI Slice Authority, ClearingHouse (Slice & User Registry, ResourceStatusService)

1. Generate self-signed certificate authority, serves as root for Emulab.
2. Register root certificate with clearing house
3. Register: MA generates a certificate that includes a UUID (public key) and HRN in the DN field.
3a. Request a GID by sending hashed public key
4. Register user with Clearing house

Page 15

Authorization

• Based on credentials; credentials grant privileges to users

Page 16

Slice Creation

Components: GID, Home Facility, Slice Authority, ClearingHouse (Slice & User Registry, ResourceStatusService), Aggregate Manager, Compute Cluster, Network, Storage, Measurement

1. GetCredential: SA issues self credential authenticating user to perform actions
2. CreateSlice: User creates a new slice and receives a credential granting control over the slice
3. Register: SA registers the user and the slice
4. ListComponents: Requests list of all AMs registered with the CH
5. DiscoverResources: User submits credentials and sends a request to each AM for detailed resource lists (Rspecs)
6. RequestTicket: User selects components, creates Rspec. If request is granted, the AM signs the request and returns a ticket
6b. AM sends copy of ticket to Slice Registry (which tracks resources in each slice).
7. RedeemTicket: User redeems the ticket causing the sliver to be created.
8. StartSliver: Client requests sliver to be brought to running state

Page 17

Orca/Ben

• Cluster D

Page 18

Identifiers

• GID consists of
– RFC 4122-based GUIDs
– Public Key
– Attributes

Page 19

Identity and Authentication

Components: GID, Shibboleth Identity Provider, User Registry, Principal Registry

1. Identity provider maintains registry of all other id providers including their GUID, keys, and attributes
2. Runs as a SOAP server, all messages are digitally signed as per WS-Security
3. Each ID provider is responsible for the principals it registers. It maintains a local MySQL database.
4. User requests a GID by sending a public key via a browser interface
5. Returns a RFC 4122 based GUID and security attributes

Page 20

Slice Creation

Components: GID, Broker/ClearingHouse, Policy Module (applies attribs. from ID provider), Service Manager/Slice Manager, Guest Handler (one per sliver), Domain Authority/Aggregate Manager, Site Policy (one per resource pool)

0. Export Tickets: Delegates splittable tickets to the broker. Attempts to honor all tickets issued by the broker
1. Researcher/guest starts experiment creation using a web browser. Authenticated by the ID provider (not shown)
2. CreateSlice / GetTicket: user request allowed if he has the appropriate attributes and is endorsed by the ID provider.
3. UpdateTicket: broker grants ticket to the service manager that can now be redeemed from the domain authority. Each guest has a guest handler within the service manager. The ticket includes resource type properties.
5. RedeemTicket: The ticket is now presented to the DA along with configuration properties for setup of the slice.
6. UpdateLease: The DA grants the service manager the resources as a lease. It includes the unit properties as assigned from the DA.

Page 21

DETER TIED

• Cluster A

Page 22

Identifiers

• IDs are triples
– Testbed, project, user; ex: (“DETER”, “proj1”, “faber”)

• Also defines federation IDs
– 160-bit SHA-1 hash of the public key
– Avoids collisions when federating

• Triple name can use a fed-ID
– (fedid:1234, “proj1”, “faber”)

Page 23

Authentication

• Authentication is done on the basis of the home testbed using public-private key pairs

Page 24

Identity and Authentication

Components: TIED Federator/Management Authority, ClearingHouse/Federator (Slice & User Registry, ResourceStatusService)

1. Create a name and fed-ID for testbed
2. Register federated testbed with clearing house/federator
3. Register: MA registers new users with the testbed, associates them with a project, generates a fed-ID
4. Register user and fed-ID with Clearing house/federator
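The triple and fed-ID naming of the DETER TIED identifier slide (page 22) together with the registration steps of the identity diagram (page 24), as an added worked example that is not code from the TIED project or the slides. It derives a fed-ID as the 160-bit SHA-1 of a public key, builds triples whose testbed element is a fed-ID, and uses a stand-in Clearinghouse class keyed by fed-ID to show why two testbeds that share the local name “DETER” and the same (proj1, faber) triple do not collide once federated. Testbed, project and user names and every public key are constructed values.

```python
"""Constructed model of the DETER/TIED naming scheme described on the slides:
local IDs are (testbed, project, user) triples; a fed-ID is the 160-bit SHA-1
of a principal's public key and may replace the testbed name in a triple.
Not code from the TIED project; all keys and names here are constructed."""
import hashlib
import re

# A federated testbed element has the form "fedid:<hex digits>".
_FEDID_RE = re.compile(r"^fedid:([0-9a-f]+)$")


def fed_id(public_key: bytes) -> str:
    """SHA-1 of the public key, hex-encoded: 40 hex digits, i.e. 160 bits."""
    return hashlib.sha1(public_key).hexdigest()


def local_triple(testbed: str, project: str, user: str) -> tuple:
    """The local form: ("DETER", "proj1", "faber")."""
    return (testbed, project, user)


def federated_triple(testbed_pubkey: bytes, project: str, user: str) -> tuple:
    """Triple whose first element names the testbed by its fed-ID rather than by a
    human-chosen string, so two testbeds with the same local name cannot clash."""
    return ("fedid:" + fed_id(testbed_pubkey), project, user)


def parse_fedid(name: str):
    """Return the hex fed-ID carried by a 'fedid:...' name, or None if it is not one."""
    m = _FEDID_RE.match(name)
    return m.group(1) if m else None


class Clearinghouse:
    """Stand-in for the clearing house/federator of the page 24 diagram: testbeds
    register a name and fed-ID (steps 1-2), then users and their fed-IDs (steps 3-4).
    Registrations are keyed by fed-ID, never by the display name."""

    def __init__(self):
        self.testbeds = {}  # testbed fed-ID -> display name
        self.users = {}     # user fed-ID -> federated triple

    def register_testbed(self, name: str, pubkey: bytes) -> str:
        fid = fed_id(pubkey)
        if fid in self.testbeds:
            raise ValueError("testbed already registered under this fed-ID")
        self.testbeds[fid] = name
        return fid

    def register_user(self, testbed_pubkey: bytes, project: str, user: str,
                      user_pubkey: bytes) -> tuple:
        if fed_id(testbed_pubkey) not in self.testbeds:
            raise ValueError("unknown testbed fed-ID; register the testbed first")
        triple = federated_triple(testbed_pubkey, project, user)
        self.users[fed_id(user_pubkey)] = triple
        return triple

    def resolve(self, triple: tuple):
        """Map a federated triple back to (testbed display name, project, user)."""
        fid = parse_fedid(triple[0])
        if fid is None or fid not in self.testbeds:
            return None
        return (self.testbeds[fid], triple[1], triple[2])


def demo() -> dict:
    """Two testbeds that both call themselves "DETER" locally, each with a
    (proj1, faber) account; constructed keys stand in for real public keys."""
    ch = Clearinghouse()
    tb_a = b"constructed-pubkey-deter-site-a"
    tb_b = b"constructed-pubkey-deter-site-b"
    ch.register_testbed("DETER", tb_a)
    ch.register_testbed("DETER", tb_b)
    a = ch.register_user(tb_a, "proj1", "faber", b"constructed-pubkey-faber-a")
    b = ch.register_user(tb_b, "proj1", "faber", b"constructed-pubkey-faber-b")
    return {
        "local_names_collide": local_triple("DETER", "proj1", "faber")
                               == local_triple("DETER", "proj1", "faber"),
        "federated_names_distinct": a != b,
        "fedid_bits": len(parse_fedid(a[0])) * 4,
        "resolved_a": ch.resolve(a),
    }


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(name, outcome)
```

The local triples are identical strings and would collide in a shared registry; the federated triples differ because the testbed element is derived from each testbed's own key. The parser accepts any hex length so that the abbreviated fedid:1234 of the slide still parses; a real fed-ID is the full 40-digit SHA-1.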

Page 25

Authorization

• Based on attributes assigned to user; project group is a type of attribute

• Attributes grant privileges to users

Page 26

Experiment/Slice Creation

Components: GID, Home Facility, Federator/Slice Authority, Federator/Aggregate Manager, Federated Fedds, CH (Slice & User Registry, ResourceStatusService), Compute Cluster, Network, Storage, Measurement

1. User is authenticated by home facility aggregate manager for a federated experiment.
2. User initiates a federated experiment
3. Requests list of all testbed advertisements registered with the CH
4. User submits a canonical experiment description to the federator
4b. Register the user and the experiment with the CH
5. Federator selects components, requests resources from other testbeds.
6. Once all the resources are granted the experiment configuration begins
6b. Fedd sends a copy of CEDL to the CH (which tracks resource usage across GENI).
7. Grant the user complete control of the experiment

Page 27

Orbit

• Cluster E

• No diagrams yet
– Spiral 2 plans on-track to introduce security mechanisms to address Spiral 2 needs

Page 28

Other Notable Projects

• Enterprise GENI
– Controller off-loads security mechanisms from individual deployed switches

• Digital Object Registry
– Provides for searching of identities beyond a single clearinghouse

• Million Node GENI
– Language-based VM: restricted python

Page 29

Questions

• What mechanisms should GENI be using for identity and authentication?

• What mechanisms should GENI be using for policy creation/definition/distribution and authorization?

• Should GENI security focus on yet-to-be-implemented or already-up-and-running features?
