© Janet 2012
Project Moonshot
Technology, use cases & pilot
17 January, 2012
Haka conference, Helsinki
Background
Why Janet?
• Trusted provider of mission-critical network services to the UK education & research community
• Expertise in developing and operating AAI
• Demand from both internal and external customers
Goals
Lower the barriers to business between our customers
Reduce the cost to market for new services
Drive down operational costs for both Janet and our customers
Vision
To deliver a unified approach for securing access to any service or
application – enabling new opportunities, business models and
cost efficiencies.
Use cases
Science & Technology Facilities Council
• Operates the UK’s National Grid Service
• X.509 authentication too complex for users
• Goal to simplify authentication across distributed computing Grids
“We aim to streamline access services using Moonshot technology, which will take the burden of authentication out of the hands of our users.”
Dr Peter Oliver, Group Leader, Science and Technology Facilities Council
Diamond Light Source
• The UK’s national synchrotron facility
• Piloting the use of Moonshot within the PANDATA project, which supports 30,000 scientists at more than 20 photon and neutron facilities
“Moonshot has thought beyond websites, and looked at what is really required in authentication – right down to the point when you open your laptop to begin work.”
Bill Pulford, Head of DASC, Diamond Light Source
Cancer Research UK
• Cancer Research UK is the world’s leading charity dedicated to beating cancer through research.
• The institutes form ad hoc relationships to collaborate for research purposes, but when the need arises to share data and documents, each institute can only authenticate within their own organisation.
“Moonshot is a valuable enabler for Cancer Research across the UK. It will make collaboration systems easy to build internally so that we can quickly share large data sets between institutes, without complicating the management of that system.”
Peter Maccallum, Head of IT & Scientific Computing, CRUK Cambridge Research Institute
Janet Brokerage
• Work with the community and suppliers to provide solutions based on IT as a service, facilitating the uptake of data centre, hosted and cloud services.
– Create efficiencies and cost savings
– Accelerate and improve services and add value
– Reduce risk in adopting new services
– Address technical and business questions
– Create a competitive market based on sound technical platforms
Moonshot & Hosted Exchange PoC
• A number of Universities running student but not staff email due to privacy issues
• Create a hosted Exchange with Moonshot components integrated
– Creates an interesting usage model for suppliers and users
– Sets an example to the two major cloud providers
Some key challenges
• Federated authentication for web and other applications
• Different deployment models: centralised, distributed & cloud (private, public & hybrid).
• Need to easily use different types of credentials
• Federated authentication to workstations, not just apps
• Massive scale – at least tens of millions of entities
Technology overview
Underlying technologies
• Moonshot builds on the eduroam technologies
– EAP (RFC 3748): strong mutual authentication
– RADIUS (RFC 2865): federation between domains
• To this, Moonshot adds
– SAML, for rich authorisation semantics
– Application integration, using operating system security APIs
• SSPI: Windows
• GSS-API (RFC 2078): other operating systems
• SASL (RFC 4422): Windows and other operating systems
– This architecture is being standardised within the IETF ABFAB working group
Architecture
Diagram: SSH client, SSH server and RADIUS server, with the exchange numbered as follows:
(1) Credentialing
(2) SSH negotiation
(3) Authentication
(4) RADIUS
(5) Attributes
(6) SSH session
OpenSSH used as example of application; many others also apply
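Step (4) of the diagram, and the “RADIUS (RFC 2865): federation between domains” bullet on the previous slide, rest on the same realm-based proxying that eduroam uses: the application’s RADIUS server looks only at the realm part of the EAP identity and forwards the request towards the user’s home organisation. The following is an added illustration of that routing decision, not code from Moonshot, eduroam or Janet; the routing table, hostnames, the MAX_HOPS value and the request fields are constructed for the example.

```python
import re

# Added illustration of realm-based RADIUS routing, the "federation between
# domains" step that Moonshot inherits from eduroam. The routing table,
# hostnames and request fields are constructed for this example only.
ROUTES = {
    "example.ac.uk": "radius.example.ac.uk",  # a member organisation's home server
    "ac.uk": "ntlr.federation.invalid",       # national top-level proxy for *.ac.uk
}
MAX_HOPS = 4  # a request proxied this many times is treated as a routing loop

# Simplified Network Access Identifier (RFC 4282): user@realm, the realm being
# two or more dot-separated labels. Proxies route on the realm alone.
NAI_RE = re.compile(r"^(?P<user>[^@\s]+)@(?P<realm>[A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)+)$")

def parse_nai(identity):
    """Split an EAP identity into (user, realm); the realm is lower-cased."""
    m = NAI_RE.match(identity)
    if m is None:
        raise ValueError("malformed NAI: %r" % identity)
    return m.group("user"), m.group("realm").lower()

def next_hop(realm, routes=ROUTES):
    """Longest-suffix match of the realm against the routing table, or None."""
    labels = realm.split(".")
    for i in range(len(labels)):
        suffix = ".".join(labels[i:])
        if suffix in routes:
            return routes[suffix]
    return None

def route_access_request(request, routes=ROUTES):
    """Decide what a RADIUS proxy does with an Access-Request carrying an EAP
    identity: ("local", realm) when this server is the home realm and must
    terminate EAP itself, ("forward", server) to proxy on, or ("reject", why).
    Every proxy on the path adds a Proxy-State value, so their count is the
    number of hops so far and bounds loops through misconfigured peers."""
    if len(request.get("Proxy-State", [])) >= MAX_HOPS:
        return ("reject", "too many proxy hops, possible routing loop")
    try:
        _, realm = parse_nai(request["User-Name"])
    except (KeyError, ValueError) as exc:
        return ("reject", "unusable identity: %s" % exc)
    if realm == request.get("local_realm"):
        return ("local", realm)
    server = next_hop(realm, routes)
    if server is None:
        return ("reject", "no route for realm %s" % realm)
    return ("forward", server)
```

The unknown-realm and hop-limit rejections are the two checks worth watching in proxy logs: the first shows misconfigured clients or realms not yet joined to the federation, the second shows routing loops between proxies.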
Deployment requirements
• Most HE organisations are nearly Moonshot-ready today
• RADIUS authentication server at user organisation
– Any RADIUS product should support pre-production testing today
• Option to integrate RADIUS server with Shibboleth IdP
• Logical connection to national RADIUS infrastructure
– Already implemented in most cases (shared with eduroam)
• Moonshot client and server plug-in
– Linux: packaging available for Debian & RHEL; Scientific Linux soon
– Windows: native support using prototype plugin
– Mac: packaging almost complete for Snow Leopard and Lion
Application integration
• Most modern applications use at least one of the security APIs supported by Moonshot
• Correctly written applications will ‘just work’ without modification or recompilation
• Less correctly written applications may require minor source modifications
PuTTY against OpenSSH
IE7 against Apache
Outlook 2010 against Exchange 2010
Examples of other tested scenarios
• OpenSSH client against OpenSSH server (GSS)
• OpenLDAP client against OpenLDAP server (GSS)
• OpenLDAP client (GSS) against Windows Active Directory (SSPI)
• Firefox against Apache (GSS)
• Internet Explorer against IIS (SSPI)
• MyProxy client against MyProxy server (SASL)
• Adium against Jabberd (SASL)
• Console authentication using PAM on Linux (GSS) and SSPI on Windows
Technology pilot
Janet Moonshot Technology Pilot Goals
1. To test the suitability of the Moonshot technology for deployment, focusing on e-Research use cases
2. To identify what further work is needed to support the wider community’s use of the technology
3. To plan, implement or support this additional work
Current status
• Pilot operating using Janet’s eduroam infrastructure
• Software ready for pre-production testing
• Production-quality environment due Q1 2012
• IETF standardisation approaching completion
• On-going discussions with OS and application vendors
Conclusions
• Next generation federation technology that meets the needs of advanced use cases
• Builds on widely deployed infrastructure (RADIUS & SAML) and operating system extensibility
• Cross-platform implementation ready for pre-production testing
• Correctly written applications ‘just work’
• Architecture being standardised within IETF
• Janet will review progress of Technology Pilot in 2012 Q2, and consider a formal offering to its customers in the future
Q & A