Authenticated QoS Signaling
William A. (Andy) Adamson
Olga Kornievskaia
CITI, University of Michigan
Motivation
• Michigan High Energy Physics Group is involved in key phases of the ATLAS project
  – Video conferencing, distributed shared workspace
  – Bulk data transfer
• Advances in QoS are necessary to further this research.
• Impact on University of Michigan community
  – Many other projects face similar problems
  – Bandwidth allocation is already an issue on campus (Napster).
Participants
• UMICH - Physics, LS&A, ITCom, OVPR
• Merit
• UCAID
• ANL
• CERN
• PSC
Vision
• Reliable high speed end to end service
  – Cross campus
  – To external sites across high speed (Internet2) networks
• Automated access and network configuration
• Use of existing infrastructure
• Currently requires hands-on work at every stage
• Divide and conquer
  – Network tuning
  – Security component
  – Automated network configuration
Project Goals
• Realize authenticated bandwidth reservation signaling
• Integration and extension of existing work and infrastructure
• Distributed authorization proof of concept
• Implement the architecture for demonstration, pre-production, and future research
Not Project Goals
• Answer all distributed authorization design questions
• Network tuning
• Aggregate traffic issues
• Multicast bandwidth reservation
• Production system
Architecture
• Construct end point QoS network domains
• Use QoS features in existing routers
• Over provision connecting networks
• No change to application
  – QoS reservation communication via a web interface
  – Routers mark packets, not application
QoS Network Domain
• Bandwidth broker
• Authorization service
• LDAP directory service
• X509 security infrastructure
• Routers with packet-marking and policing features
Network Path (diagram): QoS network domains at UMICH (CITI, ITCom, Physics), Merit, Startap, Argonne, Cleveland, Abilene, CERN and PSC, with bandwidth brokers (BB) shown at several domains including PSC; link speeds labelled 622M, 100M and 45M.
Bandwidth Broker
• GARA, from ANL
• Integrated with their Grid reservation system
• X509 based authentication
• Flat file access control for authorization
• No inter bandwidth broker communication
Authentication
• Globus PKI based GSSAPI_SSLEAY
• Globus user proxy
  – Obviates the need for multiple password entry
  – Enables remote services to act on the user's behalf
• No CA peering: exchange self-signed CA certificates
• UMICH Kerberos solution: KX509 - junk keys
  – Short term keys granted with a valid Kerberos identity
  – Stored in the Kerberos ticket cache
Authentication (diagram): the Globus Client on the user's workstation (WS) holds X509 long lived credentials (Home Directory); globus-proxy-init produces X509 proxy credentials; the client authenticates over gssapi_ssleay to the Globus Gatekeeper, behind which sit the Resource Manager, GARA and the routers.
Problems with long lived keys
• Limited access to the private key; not mobile
• The longer you distribute a public key, the more places it is cached, and the more problematic revocation becomes.
• Short-lived kx509 generated ‘junk keys’ address these problems
Kx509 Authentication (diagram): kinit obtains a Kerberos ticket (Kerberos DB, Kerberos Ticket Cache); kx509 presents a KCA ticket to the Kerberos CA and receives X509 junk-key credentials; globus-proxy-init produces X509 proxy credentials; the Globus Client on the workstation (WS) authenticates over gssapi_ssleay to the Globus Gatekeeper, behind which sit the Resource Manager, GARA and the routers (Home Directory also shown).
Distributed Authorization
• Problem: Local users, remote resources
  – Ideally, no copying of user or resource data
  – In common case, no extra communication
• Solution we will explore:
  – Common LDAP namespace and schema
  – Pass authorization attributes with identity
  – Requires the ability to do SSL mutual authentication between remote sites
Authorization Server
• Akenti access control system from lbl.gov
  – Policy engine that can express complex policies
  – User attributes, resource use-conditions
  – Distributed management from many sources
• LDAP back end
  – Internet2 middleware working group schema
  – Akenti data
Akenti Authorization
• LDAP schema required for users, resources, user-attributes and use-conditions
• User-attributes are assigned to users
• Use-conditions are assigned to resources
• Access for a user to a resource is determined by comparing user attributes to resource use-conditions
Local Akenti Authorization
Akenti LDAP back end (diagram):
  User alice: internet2_bw_group, umich_staff_group, 10MB_bandwidth, …
  Resource subnet-1: member umich_staff_group; not member bad_users_group; member internet2_bw_group; 10MB or less bandwidth request
• Akenti policy engine receives a request:
  – Can Alice reserve 10MB of bandwidth on subnet-1?
• All data required to make the decision is held locally in the Akenti/LDAP service
• Since Alice holds all the necessary attributes required by the resource, access is granted.
Akenti Authorization of Remote Resource
• Akenti policy engine receives a request:
  – Can Alice reserve 10MB of bandwidth on remote subnet-1?
• User data required to make the decision is held locally
• Resource data held by remote Akenti/LDAP service
• Send user identity and appropriate attributes to the remote Akenti/LDAP service over a secure channel
Two Akenti LDAP back ends (diagram):
  Local: User alice: internet2_bw_group, umich_staff_group, 10MB_bandwidth
  Remote: Resource subnet-1: member umich_staff_group; not member bad_users_group; member internet2_bw_group; 10MB or less bandwidth request
  User attributes sent from the local to the remote service
Akenti Authorization of Remote Resource
• Akenti policy engine receives a request:
  – Can Alice reserve 10MB of bandwidth on remote subnet-1?
• Remote Akenti/LDAP service compares the user attributes received off the wire to the resource use-conditions.
• Since Alice holds all the necessary attributes required by the resource, access is granted
Two Akenti LDAP back ends (diagram):
  Local: User alice: internet2_bw_group, umich_staff_group, 10MB_bandwidth
  Remote: Resource subnet-1: member umich_staff_group; not member bad_users_group; member internet2_bw_group; 10MB or less bandwidth request
  Result: Access granted
Common Namespace
• Necessary to communicate distributed authorization decision parameters
• Enables minimal replication of resource and user data
• Complicates namespace administration, simplifies authorization communication
• Each authorization realm assigns local values
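The attribute/use-condition comparison from the Akenti slides, in both the local case and the remote case where the user's identity and attributes are shipped to the resource's Akenti/LDAP service, as an added Python illustration. This is not Akenti's code or API: the user, resource and group names (alice, subnet-1, internet2_bw_group, umich_staff_group, bad_users_group) come from the slides, while the class and function names, the JSON message shape, the numeric reading of the 10MB_bandwidth attribute, the "fail closed on unknown condition" rule and the constructed user mallory are assumptions. The mutually authenticated SSL channel the slides require for the remote exchange is out of scope here.

```python
"""Attribute-vs-use-condition authorization in the style of the Akenti slides.
Added example; not Akenti's code. Names, message format and deny reasons are
assumptions chosen for illustration."""
from dataclasses import dataclass
import json

# Use-condition kinds assumed here. The slides show three shapes:
# "member X", "not member X" and "N MB or less bandwidth request".
MEMBER = "member"
NOT_MEMBER = "not_member"
MAX_BANDWIDTH_MB = "max_bandwidth_mb"


@dataclass(frozen=True)
class UseCondition:
    kind: str
    value: object  # group name for MEMBER/NOT_MEMBER, int MB for MAX_BANDWIDTH_MB


@dataclass
class Resource:
    name: str
    use_conditions: list


@dataclass
class User:
    name: str
    groups: frozenset  # group memberships, named in the common namespace
    bandwidth_mb: int  # the user's bandwidth attribute (10MB_bandwidth -> 10)


def evaluate(groups, bandwidth_attr_mb, requested_mb, resource):
    """Core policy check shared by the local and remote paths.
    Returns (granted, reasons); every failing use-condition is reported."""
    reasons = []
    for uc in resource.use_conditions:
        if uc.kind == MEMBER:
            if uc.value not in groups:
                reasons.append(f"not a member of {uc.value}")
        elif uc.kind == NOT_MEMBER:
            if uc.value in groups:
                reasons.append(f"is a member of {uc.value}")
        elif uc.kind == MAX_BANDWIDTH_MB:
            # The request must fit the resource's cap and the user's own attribute.
            if requested_mb > uc.value:
                reasons.append(f"request {requested_mb}MB exceeds cap {uc.value}MB")
            if requested_mb > bandwidth_attr_mb:
                reasons.append(f"request {requested_mb}MB exceeds user attribute {bandwidth_attr_mb}MB")
        else:
            reasons.append(f"unknown use-condition {uc.kind!r}")  # fail closed
    return (not reasons, reasons)


class AkentiService:
    """One Akenti/LDAP service holding its own users and resources (assumed model)."""

    def __init__(self, users, resources):
        self.users = {u.name: u for u in users}
        self.resources = {r.name: r for r in resources}

    def authorize_local(self, user_name, resource_name, requested_mb):
        """Local case: user attributes and resource use-conditions are both here."""
        user = self.users[user_name]
        return evaluate(user.groups, user.bandwidth_mb, requested_mb, self.resources[resource_name])

    def export_attributes(self, user_name, resource_name, requested_mb):
        """Home-site side of the remote case: identity plus attributes for the wire.
        Attribute names are in the common namespace so the remote side can read them."""
        user = self.users[user_name]
        return json.dumps({"user": user.name, "resource": resource_name,
                           "groups": sorted(user.groups),
                           "bandwidth_mb": user.bandwidth_mb,
                           "requested_mb": requested_mb})

    def authorize_remote_request(self, wire_message):
        """Resource-site side: decide from attributes received off the wire and
        the locally held resource use-conditions; no user data is copied here."""
        msg = json.loads(wire_message)
        resource = self.resources[msg["resource"]]
        return evaluate(frozenset(msg["groups"]), msg["bandwidth_mb"], msg["requested_mb"], resource)


# Sample data taken from the slides, plus one constructed counter-example (mallory).
SUBNET1 = Resource("subnet-1", [
    UseCondition(MEMBER, "umich_staff_group"),
    UseCondition(NOT_MEMBER, "bad_users_group"),
    UseCondition(MEMBER, "internet2_bw_group"),
    UseCondition(MAX_BANDWIDTH_MB, 10),
])
ALICE = User("alice", frozenset({"internet2_bw_group", "umich_staff_group"}), 10)
MALLORY = User("mallory", frozenset({"internet2_bw_group", "umich_staff_group", "bad_users_group"}), 10)

UMICH = AkentiService([ALICE, MALLORY], [SUBNET1])  # local: users and resource together
REMOTE = AkentiService([], [SUBNET1])               # remote site: resource data only


def demo():
    """Run the four cases and return their (granted, reasons) results."""
    return {
        "local_alice_10": UMICH.authorize_local("alice", "subnet-1", 10),
        "local_mallory_10": UMICH.authorize_local("mallory", "subnet-1", 10),
        "remote_alice_10": REMOTE.authorize_remote_request(UMICH.export_attributes("alice", "subnet-1", 10)),
        "remote_alice_20": REMOTE.authorize_remote_request(UMICH.export_attributes("alice", "subnet-1", 20)),
    }


if __name__ == "__main__":
    for case, (granted, reasons) in demo().items():
        print(case, "granted" if granted else "denied", reasons)
```

The remote path deliberately holds no user records: the only user data it sees is what arrives in the message, which is the point of the "pass authorization attributes with identity" approach on the slides, and why the channel carrying that message has to be mutually authenticated.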
Distributed authorization architecture (diagram): Globus Client, Gatekeeper (GK), Resource Manager (RM) and GARA, which controls the Router and CPU resources; GARA consults an Access File and, through the Authorization_API, the local Akenti/LDAP service, which exchanges user attributes with a remote Akenti/LDAP service.
Status
• Completed kx509 integration
• Configured and tested GARA to reserve bandwidth on a Cisco 7500 at UMICH
• Preparing to test remote bandwidth reservation with ANL and CERN using current functionality
• Netscape LDAP with the Internet2 eduPerson schema
• Just starting work with Akenti
http://www.citi.umich.edu/projects/qos
http://www.globus.org
http://www-itg.lbl.gov/security/Akenti
Questions?