Authenticated QoS Signaling
William A. (Andy) Adamson, Olga Kornievskaia
CITI, University of Michigan


Motivation
– The Michigan High Energy Physics Group is involved in key phases of the ATLAS project
  – Video conferencing, distributed shared workspace
  – Bulk data transfer
– Advances in QoS are necessary to further this research
– Impact on the University of Michigan community
  – Many other projects face similar problems
  – Bandwidth allocation is already an issue on campus (Napster)

Participants
– UMICH: Physics, LS&A, ITCom, OVPR
– Merit
– UCAID
– ANL
– CERN
– PSC

Vision
– Reliable high speed end to end service
  – Cross campus
  – To external sites across high speed (Internet2) networks
– Automated access and network configuration
– Use of existing infrastructure
– Currently requires hands on at every stage
– Divide and conquer
  – Network tuning
  – Security component
  – Automated network configuration

Project Goals
– Realize authenticated bandwidth reservation signaling
– Integration and extension of existing work and infrastructure
– Distributed authorization proof of concept
– Implement the architecture for demonstration, pre-production, and future research

Not Project Goals
– Answer all distributed authorization design questions
– Network tuning
– Aggregate traffic issues
– Multicast bandwidth reservation
– Production system

Architecture
– Construct end point QoS network domains
– Use QoS features in existing routers
– Over provision connecting networks
– No change to the application
  – QoS reservation communication via a web interface
  – Routers mark packets, not the application

QoS Network Domain
– Bandwidth broker
– Authorization service
– LDAP directory service
– X509 security infrastructure
– Routers with packet-marking and policing features

Network Path
(Diagram: sites on the path are CITI, Physics, ITCom, Merit, UMICH, Startap, Argonne, Cleveland, Abilene, PSC and CERN; bandwidth brokers (BB) are shown at two points; link speeds labelled 622M, 100M and 45M.)

Bandwidth Broker
– GARA, from ANL
– Integrated with their Grid reservation system
– X509 based authentication
– Flat file access control for authorization
– No inter bandwidth broker communication

Authentication
– Globus PKI based GSSAPI_SSLEAY
– Globus user proxy
  – Obviates the need for multiple password entry
  – Enables remote services to act on the user's behalf
– No CA peering: exchange self-signed CA certificates
– UMICH Kerberos solution: KX509 "junk keys"
  – Short term keys granted with a valid Kerberos identity
  – Stored in the Kerberos ticket cache

(Diagram: Globus proxy authentication. Components: Globus Client with WS and globus-proxy-init, Globus gssapi_ssleay, Gatekeeper, Resource Manager, Home Directory, GARA, Router. Credentials shown: X509 long lived creds, X509 proxy creds.)

Problems with long lived keys
– Limited access to the private key; not mobile
– The longer you distribute a public key, the more places it is cached, and the more problematic revocation becomes
– Short-lived kx509 generated "junk keys" address these problems

Kx509 Authentication
(Diagram: Components: Globus Client with WS, kinit, kx509 and globus-proxy-init; Globus gssapi_ssleay; Gatekeeper; Resource Manager; Home Directory; Kerberos Ticket Cache; Kerberos DB; Kerberos CA (KCA); GARA; Router. Credentials shown: KCA ticket, X509 junk-key creds, X509 proxy creds.)

Distributed Authorization
– Problem: local users, remote resources
  – Ideally, no copying of user or resource data
  – In the common case, no extra communication
– Solution we will explore:
  – Common LDAP namespace and schema
  – Pass authorization attributes with identity
  – Requires the ability to do SSL mutual authentication between remote sites

Authorization Server
– Akenti access control system from lbl.gov
  – Policy engine that can express complex policies
  – User attributes, resource use-conditions
  – Distributed management from many sources
– LDAP back end
  – Internet2 middleware working group schema
  – Akenti data

Akenti Authorization
– LDAP schema required for users, resources, user-attributes and use-conditions
– User-attributes are assigned to users
– Use-conditions are assigned to resources
– Access for a user to a resource is determined by comparing the user's attributes to the resource's use-conditions

Local Akenti Authorization
(Diagram: one Akenti LDAP back end holds both records.)
  User: alice
    internet2_bw_group
    umich_staff_group
    10MB_bandwidth
    …
  Resource: subnet-1
    member umich_staff_group
    not member bad_users_group
    member internet2_bw_group
    10MB or less bandwidth request
– Akenti policy engine receives a request: can Alice reserve 10MB of bandwidth on subnet-1?
– All data required to make the decision is held locally in the Akenti/LDAP service
– Since Alice holds all the attributes required by the resource, access is granted

Akenti Authorization of Remote Resource
– Akenti policy engine receives a request: can Alice reserve 10MB of bandwidth on remote subnet-1?
– User data required to make the decision is held locally
– Resource data is held by the remote Akenti/LDAP service
– Send the user identity and appropriate attributes to the remote Akenti/LDAP service over a secure channel
(Diagram: the local Akenti LDAP back end holds User: alice with internet2_bw_group, umich_staff_group, 10MB_bandwidth; the remote Akenti LDAP back end holds Resource: subnet-1 with member umich_staff_group, not member bad_users_group, member internet2_bw_group, 10MB or less bandwidth request; the user attributes are sent from the local to the remote service.)

Akenti Authorization of Remote Resource
– Akenti policy engine receives a request: can Alice reserve 10MB of bandwidth on remote subnet-1?
– The remote Akenti/LDAP service compares the user attributes received off the wire to the resource use-conditions
– Since Alice holds all the attributes required by the resource, access is granted
(Diagram: User: alice with internet2_bw_group, umich_staff_group, 10MB_bandwidth; Resource: subnet-1 with member umich_staff_group, not member bad_users_group, member internet2_bw_group, 10MB or less bandwidth request; the remote Akenti LDAP back end returns "Access granted".)
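The local and remote decisions on the three Akenti slides above, as an added example that is not the slides' or Akenti's own code: the users, the resource, the use-condition wording and the reading of "10MB_bandwidth" as the user's own cap are all assumptions, and the mutually authenticated channel is represented only by the message it carries.

```python
# Added example, not code from the CITI slides or from Akenti: a small evaluator
# for the use-condition phrases shown on the slides, run in the local case (all
# data in one Akenti/LDAP service) and the remote case (home site sends identity
# plus attributes; the remote site holds the use-conditions). All data is constructed.
import re

USER_ATTRIBUTES = {  # constructed, as the LDAP back end would hold them
    "alice": {"internet2_bw_group", "umich_staff_group", "10MB_bandwidth"},
    "mallory": {"umich_staff_group", "internet2_bw_group", "bad_users_group", "10MB_bandwidth"},
}
RESOURCE_USE_CONDITIONS = {  # constructed, in the wording used on the slides
    "subnet-1": [
        "member umich_staff_group",
        "not member bad_users_group",
        "member internet2_bw_group",
        "10MB or less bandwidth request",
    ],
}

def user_bandwidth_mb(attributes):
    """Assumed meaning of an '<N>MB_bandwidth' attribute: the user's own cap."""
    caps = [int(m.group(1)) for a in attributes
            if (m := re.fullmatch(r"(\d+)MB_bandwidth", a))]
    return max(caps, default=0)

def condition_holds(condition, attributes, request_mb):
    """Evaluate one use-condition against a set of user attributes."""
    if m := re.fullmatch(r"not member (\S+)", condition):
        return m.group(1) not in attributes
    if m := re.fullmatch(r"member (\S+)", condition):
        return m.group(1) in attributes
    if m := re.fullmatch(r"(\d+)MB or less bandwidth request", condition):
        # the request must fit both the resource's cap and the user's cap
        return request_mb <= min(int(m.group(1)), user_bandwidth_mb(attributes))
    raise ValueError(f"unsupported use-condition: {condition!r}")

def decide(use_conditions, attributes, request_mb):
    """Deny by default: every use-condition on the resource must hold."""
    return all(condition_holds(c, attributes, request_mb) for c in use_conditions)

def authorize_local(user, resource, request_mb):
    """Local case: user and resource data in the same Akenti/LDAP service."""
    return decide(RESOURCE_USE_CONDITIONS[resource], USER_ATTRIBUTES[user], request_mb)

def attributes_for_wire(user):
    """Home site: identity plus attributes to send over the mutually authenticated channel."""
    return {"user": user, "attributes": sorted(USER_ATTRIBUTES[user])}

def authorize_remote(message, resource, request_mb):
    """Remote site: attributes received off the wire against locally held use-conditions."""
    return decide(RESOURCE_USE_CONDITIONS[resource], set(message["attributes"]), request_mb)
```

An unrecognised use-condition raises rather than being skipped, so a policy the engine cannot evaluate never silently grants access.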

Common Namespace
– Necessary to communicate distributed authorization decision parameters
– Enables minimal replication of resource and user data
– Complicates namespace administration, simplifies authorization communication
– Each authorization realm assigns local values

(Diagram: GARA integration. Components: Globus Client, Gatekeeper (GK), Resource Manager (RM), GARA, Router/CPU, GARA Access File, Authorization_API, and Akenti/LDAP at two sites exchanging user attributes.)

Status
– Completed kx509 integration
– Configured and tested GARA to reserve bandwidth on a Cisco 7500 at UMICH
– Preparing to test remote bandwidth reservation with ANL and CERN using current functionality
– Netscape LDAP with the Internet2 eduPerson schema
– Just starting work with Akenti

htttp:/ Questions?