Secure Network Performance
Testing using SeRIF
Dr. Charles J. Antonelli
Center for Information Technology Integration
University of Michigan
Winter 2006 CSG
http://www.albinoblacksheep.com/flash/nintendogs.php
U-M Contributors
• CITI
– Andy Adamson
– Charles Antonelli
– Nathan Gallaher
– Olga Kornievskaia
– David Richter
• ITCom
• MGRID
Work supported by OVPR and ITCom
SeRIF
• SeRIF : Secure Remote Invocation
Framework
• Purpose : provide a secure and extensible
remote process invocation service, with
strong authentication and flexible
authorization
• Based on Globus 2.4, GARA 1.2.2
• Leverages existing user credentials
– Kerberos (via kx509)
• Adds fine-grained authorization
– Walden
SeRIF
• Central portal host
– Authentication
– Control (invocation, parameters, results)
– Databases (LDAP)
• Dedicated remote nodes
– Gatekeeper
– Local scheduler for execution and cleanup
– Provides status and output redirection
– Fine-grained authorization at resource
SeRIF Architecture
[Architecture diagram: the User Workstation (Browser; Kerberos kinit; kx509) connects to the Portal over SSL with a client certificate required. The Portal runs Apache with mod ssl, mod kct, mod kx509, mod php and mod jk, Tomcat, CHEF, LDAP, and GSI with libpkcs11, and talks to the Kerberos V5 KDC, the KCA and the KCT. The Grid Resource runs the GateKeeper, Resource Mgr, SASL, WALDEN Authorization and the NW Topology database, and returns Output to the Portal. The original figure numbers the interactions 1 through 8.]
• NTAP : Network Testing and Performance
• Purpose : provide a secure and extensible
network testing and performance tool
invocation service at U-M
• Uses SeRIF framework
• Runs on portal host and Performance
Measurement Platforms (PMPs) attached to
routers in a VLAN environment
NTAP Architecture
[Architecture diagram: Host A and Host B are connected through Router 1, Router 2 and Router 3, each router with an attached PMP (PMP 1, PMP 2, PMP 3). The Portal reaches each PMP over GSI. Authorization uses an Attribute Callout backed by Walden (XACML), AFS PTS, or a Flat File.]
Mapping and Reporting
• Segment mapping
– Use traceroute to obtain packet routing path
– Use network topology database to map each
router to its associated PMP
– Execute pairwise performance tests along path
• Reporting tool
– Output hop-by-hop matrix display
– Color-coded test history
– Click through cells for detailed views
• Links to most recent tests
Host Endpoint Testing
• Solution to first mile problem
– Leverages Network Diagnostic Tester
• Authenticated user clicks first-mile link
– Portal runs traceroute back to client
– Portal determines client’s first-hop router and
attached PMP (running NDT server) from path
and network topology database
– Portal displays link to first-hop PMP
– Client downloads NDT app from PMP as usual
– Client runs NDT test and displays results as usual
– NDT server sends results to NTAP database
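The segment-mapping steps on the Mapping and Reporting slide and the first-mile lookup above, as an added Python example that is not part of the NTAP or SeRIF code. The traceroute output (in `traceroute -n` style), the topology table, the addresses and the PMP host names are all constructed for illustration.

```python
# Added example, not from the SeRIF/NTAP code base. Models the slides'
# segment mapping (traceroute -> topology database -> pairwise PMP tests)
# and the first-mile lookup (traceroute from the portal back to the client).
# All addresses, names and the traceroute text are constructed.
import re
from typing import Dict, List, Optional, Tuple

# Constructed network topology database: router address -> attached PMP.
TOPOLOGY: Dict[str, str] = {
    "10.0.1.1": "pmp1.example.edu",
    "10.0.2.1": "pmp2.example.edu",
    "10.0.3.1": "pmp3.example.edu",
}

# Constructed `traceroute -n` output, run from the portal towards a client host.
TRACEROUTE_OUTPUT = """\
traceroute to 10.0.3.20 (10.0.3.20), 30 hops max, 60 byte packets
 1  10.0.1.1  0.412 ms  0.398 ms  0.377 ms
 2  10.0.2.1  1.203 ms  1.187 ms  1.190 ms
 3  * * *
 4  10.0.3.1  2.811 ms  2.790 ms  2.802 ms
 5  10.0.3.20  3.004 ms  2.998 ms  3.011 ms
"""

# Hop number followed by a dotted-quad address; silent hops ("* * *") do not match.
HOP_RE = re.compile(r"^\s*(\d+)\s+(\d{1,3}(?:\.\d{1,3}){3})\b")


def parse_traceroute(text: str) -> List[str]:
    """Responding hop addresses in path order; non-responding hops are skipped."""
    matches = (HOP_RE.match(line) for line in text.splitlines())
    return [m.group(2) for m in matches if m]


def map_path_to_pmps(hops: List[str], topology: Dict[str, str]) -> List[str]:
    """Map each router on the path to its PMP. Hops with no PMP in the
    topology database (the end host, or a router outside the measured
    VLANs) are dropped, and consecutive routers sharing a PMP yield one entry."""
    pmps: List[str] = []
    for hop in hops:
        pmp = topology.get(hop)
        if pmp is not None and (not pmps or pmps[-1] != pmp):
            pmps.append(pmp)
    return pmps


def pairwise_segments(pmps: List[str]) -> List[Tuple[str, str]]:
    """Adjacent PMP pairs along the path: one performance test per segment."""
    return list(zip(pmps, pmps[1:]))


def client_first_hop_pmp(hops: List[str], topology: Dict[str, str]) -> Optional[Tuple[str, str]]:
    """First-mile lookup. The traceroute was run from the portal towards the
    client, so the client's first-hop router is the last router on the path
    that has a PMP; returns (router, pmp), or None if no router is known."""
    for hop in reversed(hops):
        if hop in topology:
            return hop, topology[hop]
    return None


if __name__ == "__main__":
    path = parse_traceroute(TRACEROUTE_OUTPUT)
    path_pmps = map_path_to_pmps(path, TOPOLOGY)
    for a, b in pairwise_segments(path_pmps):
        print(f"test segment {a} -> {b}")
    print("first-mile PMP for client:", client_first_hop_pmp(path, TOPOLOGY))
```

Silent hops are skipped rather than treated as errors, so a path with a non-responding router still maps to the PMPs on either side of it; a router that is missing from the topology database simply contributes no segment, which is the case the slides' "alternatives to topology database" item is about.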
Automated Testing
• Need repetitive, automated testing
– … but with secure authentication and
authorization
• Solution: renewable credentials
– User obtains long-term credentials
– Portal schedules repetitive testing
– Prior to a test cycle, portal validates long-term
credential and derives from it a short-term
credential
– Rest of SeRIF architecture unchanged
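The renewable-credential scheme above, as an added Python example that is not SeRIF code. SeRIF itself derives its short-term credentials from Kerberos/kx509 and GSI material; to run offline this example models the same pattern with HMAC-signed tokens, so the token format, the portal signing key and the lifetimes are assumptions, not the project's own.

```python
# Added example, not from SeRIF. Models the renewable-credential scheme on the
# slides with HMAC-signed tokens so it runs offline; SeRIF itself uses
# Kerberos/kx509 and GSI credentials, so the token format, the signing key
# and the lifetimes here are assumptions, not the project's own.
import base64
import hashlib
import hmac
import json
import time
from typing import Dict, Optional

PORTAL_KEY = b"constructed-portal-signing-key"  # constructed secret


def _sign(claims: Dict, key: bytes) -> str:
    """Serialize claims canonically and append an HMAC-SHA256 tag."""
    body = json.dumps(claims, sort_keys=True, separators=(",", ":")).encode()
    tag = hmac.new(key, body, hashlib.sha256).digest()
    return base64.urlsafe_b64encode(body).decode() + "." + base64.urlsafe_b64encode(tag).decode()


def _verify(token: str, key: bytes) -> Dict:
    """Return the claims if the tag is valid; raise ValueError otherwise."""
    body_b64, tag_b64 = token.split(".")
    body = base64.urlsafe_b64decode(body_b64)
    expected = hmac.new(key, body, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, base64.urlsafe_b64decode(tag_b64)):
        raise ValueError("bad credential signature")
    return json.loads(body)


def issue_long_term(user: str, days: int, key: bytes = PORTAL_KEY, now: Optional[float] = None) -> str:
    """Long-term credential the user obtains once and entrusts to the portal."""
    now = time.time() if now is None else now
    return _sign({"sub": user, "kind": "long", "iat": now, "exp": now + days * 86400}, key)


def derive_short_term(long_token: str, seconds: int, key: bytes = PORTAL_KEY, now: Optional[float] = None) -> str:
    """Run by the portal before each test cycle: validate the long-term
    credential and derive a short-term one. The derived credential never
    outlives its parent and cannot itself be used to derive another."""
    now = time.time() if now is None else now
    claims = _verify(long_token, key)
    if claims.get("kind") != "long":
        raise ValueError("only a long-term credential can be renewed")
    if not claims["iat"] <= now < claims["exp"]:
        raise ValueError("long-term credential expired or not yet valid")
    exp = min(now + seconds, claims["exp"])
    return _sign({"sub": claims["sub"], "kind": "short", "iat": now, "exp": exp}, key)


def credential_valid(token: str, key: bytes = PORTAL_KEY, now: Optional[float] = None) -> bool:
    """The check the rest of the path performs: intact signature, within lifetime."""
    now = time.time() if now is None else now
    try:
        claims = _verify(token, key)
    except ValueError:  # bad tag, bad base64 or bad JSON all surface as ValueError
        return False
    return claims["iat"] <= now < claims["exp"]


if __name__ == "__main__":
    long_cred = issue_long_term("alice", days=30)
    short_cred = derive_short_term(long_cred, seconds=3600)
    print("short-term credential valid now:", credential_valid(short_cred))
```

The gatekeeper side only ever sees the short-term credential, which is why the slides can say the rest of the SeRIF architecture is unchanged: validity is a signature check plus a lifetime check, exactly as for a credential the user obtained interactively. Capping the derived lifetime at the parent's expiry means revoking or letting the long-term credential lapse bounds how long scheduled tests can keep running.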
Future Work
• Post-processed statistics, graphs
• Measurement database reorganization
– Scalability improvements
• Alternatives to topology database
– Active infrastructure probing
• Automated tools a la NDT
– Tune TCP stack
– Detect conditions, e.g. duplex mismatches
• Cross-domain testing
Cross-Domain Testing
[Diagram: the path from Host A to Host B through Router 1, Router 2 and Router 3 crosses two administrative domains, Domain 1 and Domain 2. Each domain has its own Portal and its own PMPs (PMP 1, PMP 2, PMP 3), with GSI links between each Portal and its PMPs.]
Cross-Domain Testing
• Goals
– Extend test path across administrative domains
– Address larger end-to-end performance issues
– Leverage SeRIF’s strong security and fine-grained authorization model
– Promote SeRIF at other institutions
– Share performance data among institutions
Cross-Domain Testing
• Approach
– Retain portal within each domain
– Originating portal runs traceroute
• Determines sequence of domains
• Verifies permissions for test
• Or “chunked” by domain
– Each portal tests and stores local results
• Independently, or synchronized
– Test data available via local SeRIF controls
– Boundary-crossing segments
• Need cross-domain trust
– Transit segments
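The approach above, as an added Python example that is not part of the NTAP or SeRIF code: given the hop sequence from the originating portal's traceroute, determine the sequence of administrative domains, chunk the path by domain, pick out the boundary-crossing segments that need cross-domain trust, and check which domains on the path the user lacks test permission in. The prefix-to-domain table, the domain names, the permission grants and the hops are constructed; the example takes an already-parsed hop list rather than raw traceroute text.

```python
# Added example, not from the SeRIF/NTAP code base. Models the cross-domain
# approach on the slides: domain sequence from the hop list, "chunking" of the
# path by domain, boundary-crossing segments, and the originating portal's
# permission check. Prefixes, domain names, grants and hops are constructed.
import ipaddress
from typing import Dict, List, Set, Tuple

# Constructed mapping of address prefixes to administrative domains.
DOMAIN_PREFIXES: Dict[str, str] = {
    "10.1.0.0/16": "domain1.example.edu",
    "10.2.0.0/16": "domain2.example.edu",
    "10.3.0.0/16": "domain3.example.edu",
}
_NETWORKS = [(ipaddress.ip_network(p), d) for p, d in DOMAIN_PREFIXES.items()]

TRANSIT = "transit"  # label for hops owned by no participating domain

Chunk = Tuple[str, List[str]]  # (domain, ordered hops inside it)


def domain_of(addr: str) -> str:
    """Administrative domain owning a hop address, or TRANSIT if none matches."""
    ip = ipaddress.ip_address(addr)
    for net, domain in _NETWORKS:
        if ip in net:
            return domain
    return TRANSIT


def chunk_by_domain(hops: List[str]) -> List[Chunk]:
    """Split the ordered hop list into consecutive runs within one domain.
    A domain that is left and re-entered gets a second chunk, in path order."""
    chunks: List[Chunk] = []
    for hop in hops:
        domain = domain_of(hop)
        if chunks and chunks[-1][0] == domain:
            chunks[-1][1].append(hop)
        else:
            chunks.append((domain, [hop]))
    return chunks


def domain_sequence(chunks: List[Chunk]) -> List[str]:
    """Domains in the order the path traverses them (duplicates kept)."""
    return [domain for domain, _ in chunks]


def boundary_segments(chunks: List[Chunk]) -> List[Tuple[str, str, str, str]]:
    """Segments that cross a domain boundary, as (from_domain, last hop,
    to_domain, first hop). A single portal cannot test these alone; they
    are the segments that need cross-domain trust."""
    return [(d1, h1[-1], d2, h2[0]) for (d1, h1), (d2, h2) in zip(chunks, chunks[1:])]


def missing_permissions(chunks: List[Chunk], grants: Dict[str, Set[str]], user: str) -> List[str]:
    """Originating-portal check before any test is dispatched: domains on the
    path (transit excluded) in which the user holds no test permission."""
    return [d for d in domain_sequence(chunks)
            if d != TRANSIT and user not in grants.get(d, set())]


if __name__ == "__main__":
    path = ["10.1.0.1", "10.1.5.1", "10.2.0.1", "10.2.9.1", "10.3.0.1"]
    parts = chunk_by_domain(path)
    print("domains:", domain_sequence(parts))
    print("boundary segments:", boundary_segments(parts))
```

Each chunk is what the slides describe as a domain's portal testing and storing its own results; the boundary segments are the ones that require agreement between two portals, and a transit chunk (hops owned by no participating domain) shows up explicitly so it can be reported rather than silently skipped.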
Merit Measurement Infrastructure
Cross-Domain Testing
• Seeking
– Large network testbed
– Independent administrative domains
– Partners
– Funding
– Proposal
SeRIF Resources
• SeRIF & NTAP home page
– http://www.citi.umich.edu/projects/ntap
– FAQ & documentation
– Download NTAP code & installation instructions
• Tools
– iperf http://dast.nlanr.net/Projects/Iperf/
– ndt http://e2epi.internet2.edu/ndt/
– owamp http://e2epi.internet2.edu/owamp/
Any Questions?
http://www.citi.umich.edu