Secure Network Performance Testing using SeRIF

Dr. Charles J. Antonelli
Center for Information Technology Integration
University of Michigan
Winter 2006 CSG

U-M Contributors
• CITI
  – Andy Adamson
  – Charles Antonelli
  – Nathan Gallaher
  – Olga Kornievskaia
  – David Richter
• ITCom
• MGRID
Work supported by OVPR and ITCom

SeRIF
• SeRIF: Secure Remote Invocation Framework
• Purpose: provide a secure and extensible remote process invocation service, with strong authentication and flexible authorization
• Based on Globus 2.4, GARA 1.2.2
• Leverages existing user credentials
  – Kerberos (via kx509)
• Adds fine-grained authorization
  – Walden

SeRIF
• Central portal host
  – Authentication
  – Control (invocation, parameters, results)
  – Databases (LDAP)
• Dedicated remote nodes
  – Gatekeeper
  – Local scheduler for execution and cleanup
  – Provides status and output redirection
  – Fine-grained authorization at resource

SeRIF Architecture
[Diagram, eight numbered steps; only the components are recoverable from the text. User Workstation: Browser, Kerberos kinit, kx509. Portal: Apache with mod_ssl (SSL, client certificate required), mod_kct, mod_kx509, mod_php, mod_jk; Tomcat; CHEF; LDAP; Kerberos V5 KDC, KCA and KCT. Grid Resource: GateKeeper, Resource Mgr, GSI, libpkcs11, SASL, NW Topology, WALDEN Authorization, Output.]

NTAP
• NTAP: Network Testing and Performance
• Purpose: provide a secure and extensible network testing and performance tool invocation service at U-M
• Uses SeRIF framework
• Runs on portal host and Performance Measurement Platforms (PMPs) attached to routers in a VLAN environment

NTAP Architecture
[Diagram: Host A and Host B connected through Router 1, Router 2 and Router 3, each router with an attached PMP (PMP 1, PMP 2, PMP 3). The Portal reaches the PMPs over GSI. Authorization: Attribute Callout to Walden (XACML), with AFS PTS and Flat File attribute sources.]

Mapping and Reporting
• Segment mapping
  – Use traceroute to obtain packet routing path
  – Use network topology database to map each router to its associated PMP
  – Execute pairwise performance tests along path
• Reporting tool
  – Output hop-by-hop matrix display
  – Color-coded test history
  – Click through cells for detailed views
• Links to most recent tests

Host Endpoint Testing
• Solution to first-mile problem
  – Leverages the Network Diagnostic Tool (NDT)
• Authenticated user clicks first-mile link
  – Portal runs traceroute back to client
  – Portal determines client's first-hop router and attached PMP (running NDT server) from path and network topology database
  – Portal displays link to first-hop PMP
  – Client downloads NDT app from PMP as usual
  – Client runs NDT test and displays results as usual
  – NDT server sends results to NTAP database

Automated Testing
• Need repetitive, automated testing
  – ... but with secure authentication and authorization
• Solution: renewable credentials
  – User obtains long-term credentials
  – Portal schedules repetitive testing
  – Prior to a test cycle, portal validates long-term credential and derives from it a short-term credential
  – Rest of SeRIF architecture unchanged

Future Work
• Post-processed statistics, graphs
• Measurement database reorganization
  – Scalability improvements
• Alternatives to topology database
  – Active infrastructure probing
• Automated tools a la NDT
  – Tune TCP stack
  – Detect conditions, e.g. duplex mismatches
• Cross-domain testing

Cross-Domain Testing
[Diagram: Host A and Host B connected through Router 1, Router 2 and Router 3 with PMP 1, PMP 2 and PMP 3; Domain 1 and Domain 2 each have their own Portal, and portals reach PMPs over GSI.]

Cross-Domain Testing
• Goals
  – Extend test path across administrative domains
  – Address larger end-to-end performance issues
  – Leverage SeRIF's strong security and fine-grained authorization model
  – Promote SeRIF at other institutions
  – Share performance data among institutions

Cross-Domain Testing
• Approach
  – Retain portal within each domain
  – Originating portal runs traceroute
    • Determines sequence of domains
    • Verifies permissions for test
    • Or "chunked" by domain
  – Each portal tests and stores local results
    • Independently, or synchronized
  – Test data available via local SeRIF controls
  – Boundary-crossing segments
    • Need cross-domain trust
  – Transit segments

Merit Measurement Infrastructure

Cross-Domain Testing
• Seeking
  – Large network testbed
  – Independent administrative domains
  – Partners
  – Funding
  – Proposal

SeRIF Resources
• SeRIF & NTAP home page
  – http://www.citi.umich.edu/projects/ntap
  – FAQ & documentation
  – Download NTAP code & installation instructions
• Tools
  – iperf http://dast.nlanr.net/Projects/Iperf/
  – ndt http://e2epi.internet2.edu/ndt/
  – owamp http://e2epi.internet2.edu/owamp/

Any Questions?
http://www.citi.umich.edu
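The segment-mapping procedure of the "Mapping and Reporting" slide and the first-mile lookup of the "Host Endpoint Testing" slide, as an added Python example. This is not NTAP's own code: the hostnames, addresses, PMP names, topology table and both traceroute outputs are constructed sample data. It goes slightly beyond the slides by collapsing adjacent routers that share one PMP and by reporting routers that are missing from the topology database, since a silently skipped router would otherwise merge two segments into one.

```python
"""Added example (not NTAP project code): map a traceroute path onto the PMPs
attached to its routers, derive the pairwise segments to test, and find the
client's first-hop PMP from a portal-to-client traceroute. All data below is
constructed for illustration."""
import re
from dataclasses import dataclass

# Constructed sample: traceroute from Host A (10.0.1.20) to Host B (10.0.3.40)
# through three routers; hop 3 did not answer.
SAMPLE_TRACEROUTE = """\
traceroute to hostb.example.edu (10.0.3.40), 30 hops max, 60 byte packets
 1  rtr1.example.edu (10.0.1.1)  0.412 ms  0.398 ms  0.377 ms
 2  rtr2.example.edu (10.0.2.1)  1.203 ms  1.188 ms  1.151 ms
 3  * * *
 4  rtr3.example.edu (10.0.3.1)  2.841 ms  2.790 ms  2.755 ms
 5  hostb.example.edu (10.0.3.40)  3.102 ms  3.077 ms  3.041 ms
"""

# Constructed sample: the portal (behind rtr3) tracing back to client Host A,
# as in the first-mile case.
SAMPLE_REVERSE_TRACEROUTE = """\
traceroute to 10.0.1.20 (10.0.1.20), 30 hops max, 60 byte packets
 1  rtr3.example.edu (10.0.3.1)  0.301 ms  0.288 ms  0.270 ms
 2  rtr2.example.edu (10.0.2.1)  1.410 ms  1.392 ms  1.366 ms
 3  rtr1.example.edu (10.0.1.1)  2.133 ms  2.101 ms  2.087 ms
 4  hosta.example.edu (10.0.1.20)  2.955 ms  2.930 ms  2.902 ms
"""

# Constructed topology database: router interface address -> attached PMP.
TOPOLOGY_DB = {
    "10.0.1.1": "pmp1.example.edu",
    "10.0.2.1": "pmp2.example.edu",
    "10.0.3.1": "pmp3.example.edu",
}

# One answered hop: TTL, reverse-resolved name, IPv4 address in parentheses.
HOP_RE = re.compile(r"^\s*(\d+)\s+(\S+)\s+\((\d{1,3}(?:\.\d{1,3}){3})\)")


@dataclass(frozen=True)
class Hop:
    ttl: int
    name: str
    addr: str


def parse_traceroute(text):
    """Return the hops that answered, in order. The header line and silent
    hops ('* * *') are skipped, so the TTL sequence may have gaps."""
    hops = []
    for line in text.splitlines():
        m = HOP_RE.match(line)
        if m:
            hops.append(Hop(int(m.group(1)), m.group(2), m.group(3)))
    return hops


def pmp_path(hops, topology):
    """Ordered (router address, PMP) pairs for routers known to the topology
    database. End hosts and unknown routers are skipped; two adjacent routers
    sharing one PMP are collapsed so no zero-length segment is produced."""
    path = []
    for hop in hops:
        pmp = topology.get(hop.addr)
        if pmp is not None and (not path or path[-1][1] != pmp):
            path.append((hop.addr, pmp))
    return path


def pairwise_segments(path):
    """Consecutive PMP pairs; each is one segment to measure (e.g. with iperf)."""
    pmps = [pmp for _, pmp in path]
    return list(zip(pmps, pmps[1:]))


def unmapped_routers(hops, topology, dest_addr):
    """Routers that answered but have no PMP in the topology database. A segment
    touching one of them cannot be tested, so report the gap rather than let it
    be folded silently into a neighbouring segment."""
    return [h.addr for h in hops if h.addr != dest_addr and h.addr not in topology]


def first_hop_pmp(reverse_hops, client_addr, topology):
    """First-mile case: in a traceroute run from the portal back to the client,
    the client's first-hop router is the last hop before the client itself.
    Return that router's PMP, or None if the trace never reached the client or
    the router is not in the topology database."""
    if len(reverse_hops) < 2 or reverse_hops[-1].addr != client_addr:
        return None
    return topology.get(reverse_hops[-2].addr)


if __name__ == "__main__":
    hops = parse_traceroute(SAMPLE_TRACEROUTE)
    path = pmp_path(hops, TOPOLOGY_DB)
    print("segments to test:", pairwise_segments(path))
    print("routers without a PMP:", unmapped_routers(hops, TOPOLOGY_DB, "10.0.3.40"))
    rev = parse_traceroute(SAMPLE_REVERSE_TRACEROUTE)
    print("client first-hop PMP:", first_hop_pmp(rev, "10.0.1.20", TOPOLOGY_DB))
```

The reverse traceroute matters for the first-mile case: the first hop seen by the portal is the portal's own router, so the client's first-hop router is the penultimate hop, and the lookup refuses to guess when the trace does not end at the client address. When a router is absent from the topology database the pairwise list still comes out consistent, but the missing router is reported so the operator knows one segment was not measured.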