Authenticated QoS Signaling - PowerPoint PPT Presentation


1
Authenticated QoS Signaling
  • William A. (Andy) Adamson
  • Olga Kornievskaia
  • CITI, University of Michigan

2
Motivation
  • The Michigan High Energy Physics Group is involved
    in key phases of the ATLAS project
  • Video conferencing, distributed shared workspace
  • Bulk data transfer
  • Advances in QoS are necessary to further this
    research.
  • Impact on University of Michigan Community
  • Many other projects face similar problems
  • Bandwidth allocation already an issue on campus
    (Napster).

3
Participants
  • UMICH - Physics, LSA, ITCom, OVPR
  • Merit
  • UCAID
  • ANL
  • CERN
  • PSC

4
Vision
  • Reliable high speed end to end service
  • Cross campus
  • To external sites across high speed (Internet2)
    networks
  • Automated access and network configuration
  • Use of existing infrastructure
  • Currently requires hands-on work at every stage
  • Divide and conquer:
  • network tuning
  • security component
  • automated network configuration

5
Project Goals
  • Realize authenticated bandwidth reservation
    signaling
  • Integration and extension of existing work and
    infrastructure
  • Distributed authorization proof of concept
  • Implement the architecture for demonstration,
    pre-production, and future research

6
Not Project Goals
  • Answer all distributed authorization design
    questions
  • Network tuning
  • Aggregate traffic issues
  • Multicast bandwidth reservation
  • Production system

7
Architecture
  • Construct end point QoS network domains
  • Use QoS features in existing routers
  • Over-provision connecting networks
  • No change to application
  • QoS reservation communication via a web
    interface
  • Routers mark packets, not application

8
QoS Network Domain
  • Bandwidth broker
  • Authorization service
  • LDAP directory service
  • X509 security infrastructure
  • Routers with packet-marking and policing features

9
Network Path
  [Network path diagram; nodes: ITCom, Physics, UMICH, CITI, Merit,
   Cleveland, Startap, Abilene, Argonne, CERN, PSC; bandwidth brokers (BB)
   at four points on the path; link speeds shown: 100M, 622M, 45M]

10
Bandwidth Broker
  • GARA, from ANL
  • Integrated with their Grid reservation system
  • X509 based authentication
  • Flat file access control for authorization
  • No inter-bandwidth-broker communication

11
Authentication
  • Globus PKI-based GSSAPI_SSLEAY
  • Globus user proxy
  • Obviates the need for multiple password entry
  • Enables remote services to act on the user's behalf
  • No CA peering; sites exchange self-signed CA
    certificates
  • UMICH Kerberos solution: KX509 junk keys
  • Short-term keys granted with a valid Kerberos
    identity
  • Stored in the Kerberos ticket cache

12
Authentication
  [Diagram of the Globus authentication flow; components: Globus client,
   Globus gssapi_ssleay, globus-proxy-init, Gatekeeper, Resource Manager,
   GARA, WS, routers; credentials: X509 long-lived creds in the home
   directory, X509 proxy creds]

13
Problems with long lived keys
  • Limited access to the private key; not mobile
  • The longer a public key has been distributed, the
    more places it is cached and the more problematic
    revocation becomes
  • Short-lived kx509-generated junk keys address
    these problems

14
Kx509 Authentication
  [Diagram of the Kx509 authentication flow; components: Kerberos DB,
   Kerberos CA (KCA), Globus client, kinit, kx509, Kerberos ticket cache,
   Globus gssapi_ssleay, globus-proxy-init, Gatekeeper, Resource Manager,
   GARA, WS, routers; credentials: KCA ticket, X509 junk-key creds,
   X509 proxy creds]

15
Distributed Authorization
  • Problem: local users, remote resources
  • Ideally, no copying of user or resource data
  • In the common case, no extra communication
  • Solution we will explore:
  • Common LDAP namespace and schema
  • Pass authorization attributes with identity
  • Requires the ability to do SSL mutual
    authentication between remote sites

16
Authorization Server
  • Akenti access control system from lbl.gov
  • Policy engine that can express complex policies
  • User attributes, resource use-conditions
  • Distributed management from many sources
  • LDAP back end
  • Internet2 middleware working group schema
  • Akenti data

17
Akenti Authorization
  • LDAP schema required for users, resources,
    user-attributes and use-conditions
  • user-attributes are assigned to users
  • use-conditions are assigned to resources
  • Access for a user to a resource is determined by
    comparing user attributes to resource
    use-conditions

18
Local Akenti Authorization
  • Akenti policy engine receives a request
  • Can Alice reserve 10MB of bandwidth on
    subnet-1?
  • All data required to make the decision is held
    locally in the Akenti/LDAP service
  • Since Alice holds all the necessary attributes
    required by the resource, access is granted.

  [Diagram of the Akenti LDAP back end; resource subnet-1 use-conditions:
   member umich_staff_group, not member bad_users_group, member
   internet2_bw_group, 10MB or less bandwidth request; user alice
   attributes: internet2_bw_group, umich_staff_group, 10MB_bandwidth, ...]

19
Akenti Authorization of Remote Resource
  • Akenti policy engine receives a request
  • Can Alice reserve 10MB of bandwidth on remote
    subnet-1?
  • User data required to make the decision is held
    locally
  • Resource data held by remote Akenti/LDAP service
  • Send user identity and appropriate attributes to
    the remote Akenti/LDAP service over secure channel

  [Diagram with two Akenti LDAP back ends; local realm: user alice with
   attributes internet2_bw_group, umich_staff_group, 10MB_bandwidth;
   remote realm: resource subnet-1 with use-conditions member
   umich_staff_group, not member bad_users_group, member
   internet2_bw_group, 10MB or less bandwidth request; the user
   attributes are sent from the local to the remote realm]

20
Akenti Authorization of Remote Resource
  • Akenti policy engine receives a request
  • Can Alice reserve 10MB of bandwidth on remote
    subnet-1?
  • Remote Akenti/LDAP service compares the user
    attributes received off the wire to the resource
    use-conditions.
  • Since Alice holds all the necessary attributes
    required by the resource, access is granted

  [Diagram with two Akenti LDAP back ends; local realm: user alice with
   attributes internet2_bw_group, umich_staff_group, 10MB_bandwidth;
   remote realm: resource subnet-1 with use-conditions member
   umich_staff_group, not member bad_users_group, member
   internet2_bw_group, 10MB or less bandwidth request; result: access
   granted]

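Slides 17 through 20 describe one comparison of user attributes against resource use-conditions, first with all data local and then with the attributes sent to a remote realm. The Python below is an added example, not CITI's or Akenti's code: the group names, the bandwidth limit and the user alice come from the slide diagrams, while the (kind, value) condition encoding, the JSON wire message, the second user bob and the function names are assumptions of this example.

```python
import json
# Constructed from the slide diagrams: alice's attributes and subnet-1's
# use-conditions. The (kind, value) condition encoding is this example's own.
LOCAL_USERS = {
    "alice": {"groups": ["internet2_bw_group", "umich_staff_group"],
              "max_bandwidth_mb": 10},
    "bob": {"groups": ["umich_staff_group", "internet2_bw_group",
                       "bad_users_group"], "max_bandwidth_mb": 10},
}
SUBNET1_CONDITIONS = [("member", "umich_staff_group"),
                      ("not_member", "bad_users_group"),
                      ("member", "internet2_bw_group"),
                      ("max_bandwidth_mb", 10)]
LOCAL_RESOURCES = {"subnet-1": SUBNET1_CONDITIONS}
# A remote realm holds only its own resource data (same conditions, for the toy).
REMOTE_RESOURCES = {"subnet-1": list(SUBNET1_CONDITIONS)}

def evaluate(attrs, use_conditions, requested_mb):
    """Slide 17: grant only if every use-condition is met by the attributes."""
    groups = set(attrs.get("groups", []))
    for kind, value in use_conditions:
        if kind == "member" and value not in groups:
            return False
        if kind == "not_member" and value in groups:
            return False
        if kind == "max_bandwidth_mb" and \
                requested_mb > min(value, attrs.get("max_bandwidth_mb", 0)):
            return False
    return True

def authorize_local(user, resource, requested_mb):
    """Slide 18: user and resource data both live in the local Akenti/LDAP."""
    if user not in LOCAL_USERS or resource not in LOCAL_RESOURCES:
        return False
    return evaluate(LOCAL_USERS[user], LOCAL_RESOURCES[resource], requested_mb)

def attribute_assertion(user, requested_mb):
    """Slide 19: the home realm sends identity plus attributes; only this
    message crosses sites (the mutually authenticated SSL channel is assumed)."""
    return json.dumps({"user": user, "attributes": LOCAL_USERS[user],
                       "request_mb": requested_mb})

def authorize_remote(wire_msg, remote_resources, resource):
    """Slide 20: the remote realm compares attributes received off the wire
    against its own resource use-conditions; it holds no user records."""
    msg = json.loads(wire_msg)
    if resource not in remote_resources:
        return False
    return evaluate(msg["attributes"], remote_resources[resource], msg["request_mb"])
```

Because the remote side trusts whatever attributes arrive, the decision is only as good as the channel authentication of the sending realm, which is why the slides require SSL mutual authentication between sites.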
21

Common Namespace
  • Necessary to communicate distributed
    authorization decision parameters
  • Enables minimal replication of resource and user
    data
  • Complicates namespace administration, simplifies
    authorization communication
  • Each authorization realm assigns local values

22
  [Architecture diagram; components: Globus client, Gatekeeper (GK),
   Resource Manager (RM), GARA with an access file, Authorization_API,
   Akenti with LDAP, user attributes; managed resources: router, CPU]

23

Status
  • Completed kx509 integration
  • Configured and tested GARA to reserve bandwidth
    on Cisco 7500 at UMICH
  • Preparing to test remote bandwidth reservation
    with ANL and CERN using current functionality
  • Netscape LDAP with the Internet2 eduPerson schema
  • Just starting work with Akenti

24
Questions?
  • http://www.citi.umich.edu/projects/qos
  • http://www.globus.org
  • http://www-itg.lbl.gov/security/Akenti