Authenticated QoS Signaling
William A. (Andy) Adamson, Olga Kornievskaia
CITI, University of Michigan

Motivation
• The Michigan High Energy Physics Group is involved in key phases of the ATLAS project
  – Video conferencing, distributed shared workspace
  – Bulk data transfer
• Advances in QoS are necessary to further this research.
• Impact on the University of Michigan community
  – Many other projects face similar problems
  – Bandwidth allocation is already an issue on campus (Napster).

Participants
• UMICH - Physics, LS&A, ITCom, OVPR
• Merit
• UCAID
• ANL
• CERN
• PSC

Vision
• Reliable high speed end-to-end service
  – Cross campus
  – To external sites across high speed (Internet2) networks
• Automated access and network configuration
• Use of existing infrastructure
• Currently requires hands-on work at every stage
• Divide and conquer
  – network tuning
  – security component
  – automated network configuration

Project Goals
• Realize authenticated bandwidth reservation signaling
• Integration and extension of existing work and infrastructure
• Distributed authorization proof of concept
• Implement the architecture for demonstration, pre-production, and future research

Not Project Goals
• Answer all distributed authorization design questions
• Network tuning
• Aggregate traffic issues
• Multicast bandwidth reservation
• Production system

Architecture
• Construct end point QoS network domains
• Use QoS features in existing routers
• Over-provision connecting networks
• No change to the application
  – QoS reservation communication via a web interface
  – Routers mark packets, not the application

QoS Network Domain
• Bandwidth broker
• Authorization service
• LDAP directory service
• X509 security infrastructure
• Routers with packet-marking and policing features

Network Path
[Diagram: network path from UMICH (CITI, Physics, ITCom) through Merit, Cleveland, Abilene and Startap to Argonne, PSC and CERN, with a bandwidth broker (BB) in each domain and link speeds of 100M, 622M and 45M]

Bandwidth Broker
• GARA, from ANL
• Integrated with their Grid reservation system
• X509 based authentication
• Flat file access control for authorization
• No inter bandwidth broker communication

Authentication
• Globus PKI based GSSAPI_SSLEAY
• Globus user proxy
  – Obviates the need for multiple password entry
  – Enables remote services to act on the user's behalf
• No CA peering: exchange self-signed CA certificates
• UMICH Kerberos solution: KX509 - junk keys
  – Short term keys granted with a valid Kerberos identity
  – Stored in the Kerberos ticket cache

Authentication
[Diagram: Globus client (Globus gssapi_ssleay, globus-proxy-init) holding X509 long lived credentials and X509 proxy credentials in the home directory, talking to the Gatekeeper, Resource Manager, GARA and WS, which configure the routers]

Problems with long lived keys
• limited access to the private key, not mobile
• the longer you distribute a public key, the more places it is cached, and the more problematic revocation becomes.
• Short-lived kx509 generated 'junk keys' address these problems

Kx509 Authentication
[Diagram: kinit obtains a ticket from the Kerberos DB; kx509 uses it with the KCA (Kerberos CA) to obtain X509 junk-key credentials, stored in the Kerberos ticket cache; globus-proxy-init derives X509 proxy credentials in the home directory, which the Globus client (Globus gssapi_ssleay) uses with the Gatekeeper, Resource Manager, GARA and WS to configure the routers]

Distributed Authorization
• Problem: Local users, remote resources
  – Ideally, no copying of user or resource data
  – In the common case, no extra communication
• Solution we will explore:
  – Common LDAP namespace and schema
  – Pass authorization attributes with identity
  – Requires the ability to do SSL mutual authentication between remote sites

Authorization Server
• Akenti access control system from lbl.gov
  – Policy engine that can express complex policies
  – User attributes, resource use-conditions
  – Distributed management from many sources
• LDAP back end
  – Internet2 middleware working group schema
  – Akenti data

Akenti Authorization
• LDAP schema required for users, resources, user-attributes and use-conditions
• user-attributes are assigned to users
• use-conditions are assigned to resources
• Access for a user to a resource is determined by comparing user attributes to resource use-conditions

Local Akenti Authorization
• Akenti policy engine receives a request:
  – can Alice reserve 10MB of bandwidth on subnet-1?
• All data required to make the decision is held locally in the Akenti/LDAP service
• Since Alice holds all the necessary attributes required by the resource, access is granted.
[Diagram: Akenti LDAP back end. User alice: internet2_bw_group, umich_staff_group, 10MB_bandwidth, ... Resource subnet-1: member umich_staff_group, not member bad_users_group, member internet2_bw_group, 10MB or less bandwidth request]

Akenti Authorization of Remote Resource
• Akenti policy engine receives a request:
  – can Alice reserve 10MB of bandwidth on remote subnet-1?
• User data required to make the decision is held locally
• Resource data is held by the remote Akenti/LDAP service
• Send user identity and appropriate attributes to the remote Akenti/LDAP service over a secure channel
[Diagram: local Akenti LDAP back end holding user alice (internet2_bw_group, umich_staff_group, 10MB_bandwidth) sends the user attributes to the remote Akenti LDAP back end holding resource subnet-1 (member umich_staff_group, not member bad_users_group, member internet2_bw_group, 10MB or less bandwidth request)]

Akenti Authorization of Remote Resource
• Akenti policy engine receives a request:
  – can Alice reserve 10MB of bandwidth on remote subnet-1?
• Remote Akenti/LDAP service compares the user attributes received off the wire to the resource use-conditions.
• Since Alice holds all the necessary attributes required by the resource, access is granted
[Diagram: as above, with the remote Akenti LDAP back end returning "Access granted" for user alice on resource subnet-1]

Common Namespace
• Necessary to communicate distributed authorization decision parameters
• Enables minimal replication of resource and user data
• Complicates namespace administration, simplifies authorization communication
• Each authorization realm assigns local values
[Diagram: Globus client, GARA Gatekeeper (Access File, GK Authorization_API) and GARA Resource Manager (RM), each backed by its own Akenti/LDAP service, controlling CPU and Router resources]

Status
• Completed kx509 integration
• Configured and tested GARA to reserve bandwidth on a Cisco 7500 at UMICH
• Preparing to test remote bandwidth reservation with ANL and CERN using current functionality
• Netscape LDAP with the Internet2 Eduperson schema
• Just starting work with Akenti

Questions?
http://www.citi.umich.edu/projects/qos
http://www.globus.org
http://www-itg.lbl.gov/security/Akenti
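The comparison of user attributes to resource use-conditions from the local and remote Akenti authorization slides, as an added Python example (not Akenti's, GARA's or the project's own code): the home realm packages Alice's identity and attributes, and the resource owner evaluates them against subnet-1's use-conditions. The member / not-member / maximum-request condition forms and the reading of the 10MB_bandwidth attribute as a per-user request cap are assumptions; the mutually authenticated SSL channel is not modelled.

```python
import json
import re

# Constructed sample data mirroring the slides' Akenti/LDAP back ends: user
# attributes live in the home realm, use-conditions with the resource owner.
LOCAL_USERS = {
    "alice": {"internet2_bw_group", "umich_staff_group", "10MB_bandwidth"},
    "bob": {"umich_staff_group", "bad_users_group", "10MB_bandwidth"},
}
REMOTE_RESOURCES = {
    "subnet-1": [
        ("member", "umich_staff_group"),
        ("not_member", "bad_users_group"),
        ("member", "internet2_bw_group"),
        ("max_request_mb", 10),   # "10MB or less bandwidth request"
    ],
}

def user_bandwidth_cap(attrs):
    # Assumed reading of "<N>MB_bandwidth": largest request (MB) the home realm vouches for.
    caps = [int(m.group(1)) for a in attrs
            if (m := re.fullmatch(r"(\d+)MB_bandwidth", a))]
    return max(caps, default=0)

def local_assertion(user):
    # Home realm side: identity plus attributes sent to the remote Akenti service.
    return json.dumps({"identity": user, "attributes": sorted(LOCAL_USERS[user])})

def evaluate(use_conditions, attrs, requested_mb):
    # Compare each use-condition to the user's attributes; any failed or unknown condition denies.
    failed = []
    for kind, value in use_conditions:
        if kind == "member":
            ok = value in attrs
        elif kind == "not_member":
            ok = value not in attrs
        elif kind == "max_request_mb":
            ok = requested_mb <= value and requested_mb <= user_bandwidth_cap(attrs)
        else:
            ok = False
        if not ok:
            failed.append((kind, value))
    return not failed, failed

def remote_authorize(wire_msg, resource, requested_mb):
    # Resource owner side: evaluate attributes received off the wire against local use-conditions.
    msg = json.loads(wire_msg)
    granted, failed = evaluate(REMOTE_RESOURCES[resource], set(msg["attributes"]), requested_mb)
    return {"identity": msg["identity"], "resource": resource,
            "granted": granted, "failed": failed}
```

Running `remote_authorize(local_assertion("alice"), "subnet-1", 10)` grants the request from the slides, while a 20MB request or a member of bad_users_group is denied with the failing use-conditions listed.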