Authenticated QoS Project Overview
Andy Adamson, Research Investigator
Center for Information Technology Integration, University of Michigan, Ann Arbor

Collaborators
• Shawn McKee, University of Michigan
• Olivier Martin, Daniel Davids, Martin Fluckiger, and Jean-Philippe Martin-Flatin, CERN
• University of Michigan Department of Physics; University of Michigan College of Literature, Science, and the Arts; University of Michigan Office of the Vice President for Research; Merit; University Corporation for Advanced Internet Development (UCAID); European Organization for Nuclear Research (CERN); Argonne National Laboratory; The Globus Project; EU DataGrid; EU DataTAG
End-to-End Performance
• Reliable high-speed end-to-end network services are important to scientific collaborators
• Video, audio, large data transfers
• Long-haul networks demonstrate good performance due to overprovisioning
• The last mile is often the network bottleneck

End-to-End Pragmatics
• Reliable end-to-end network service is achieved by reserving network resources within the end-point institutions' networks, coupled with the good performance of overprovisioned long-haul networks.

Automated Reservation
• QoS functionality is a common feature in network hardware.
• QoS configuration is currently done by hand.
• We address the need for an automated network reservation system.
• Security of all communications is vital.
• This is a difficult security problem because end-to-end network resource allocation crosses administrative domains.
Based on Globus GARA
• GRID network reservation service
• GSI: PKI-based cross-domain authentication
• Requires user PK credentials
• Our contributions:
  • Fine-grained cross-domain authorization
  • PK credentials based on Kerberos identity
  • Secure web interface

Cross-domain Authorization
• Use existing local group services
• Avoid replicating data and management tasks
• Group name-space shared by domains
• Local administrators manage group membership as usual
• KeyNote Policy Engine makes the authorization decision

Cross-domain Authorization
• KeyNote Policy Engine makes the authorization decision
• Fine-grained authorization expressed in KeyNote policy rules:
  • Group membership
  • Amount of bandwidth allowed
  • Time/duration of reservation
Local Authorization
• Local GARA queries the local group service to learn the user's group memberships.
• Memberships are passed into KeyNote along with the reservation request parameters.
• KeyNote compares the input parameters to the rules.
• If authorized, the local GARA:
  • packages the username and group membership;
  • signs the package with its private PK key;
  • adds it to the reservation request forwarded to the remote GARA.

Remote Authorization
• Remote GARA verifies the signature, then accepts the user name and group membership from the wire.
• Group membership is passed into KeyNote along with the reservation request parameters.
• KeyNote compares the input parameters to the rules to make the authorization decision.

Demonstration (UMICH, iGrid 2002, CERN)
Reservation fails if:
• User not in the correct group
• Bandwidth request out of bounds
• Time-of-day request out of bounds
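The local and remote authorization steps above, and the demonstration's three failure conditions, modelled as an added example (not code from the project or the slides): the rule set, the group name "atlas", the 100 Mbit/s cap and the 08:00-18:00 window are constructed, and the signing of the identity package with the site's private key is left out.

```python
from dataclasses import dataclass
from datetime import time
import json

@dataclass(frozen=True)
class Rule:
    """KeyNote-style rule: allowed group, bandwidth cap (Mbit/s), window of start times."""
    group: str
    max_bandwidth_mbps: int
    window: tuple  # (earliest, latest) permitted reservation start, inclusive

@dataclass(frozen=True)
class Request:
    user: str
    groups: frozenset   # from the local group service, or from the signed package
    bandwidth_mbps: int
    start: time

def evaluate(rules, req):
    """Return (authorized, reasons); authorized once any rule is fully satisfied.
    The reasons mirror the demo's failure conditions: group, bandwidth, time of day."""
    reasons = []
    for rule in rules:
        if rule.group not in req.groups:
            reasons.append(f"user not in group {rule.group}")
        elif req.bandwidth_mbps > rule.max_bandwidth_mbps:
            reasons.append(f"bandwidth {req.bandwidth_mbps} Mbit/s exceeds {rule.max_bandwidth_mbps}")
        elif not rule.window[0] <= req.start <= rule.window[1]:
            reasons.append(f"start {req.start} outside {rule.window[0]}-{rule.window[1]}")
        else:
            return True, []
    return False, reasons

def package_identity(user, groups):
    """Local GARA: canonical (user, groups) assertion. The slides sign these bytes
    with the site's private key before forwarding; the signature step is omitted here."""
    return json.dumps({"user": user, "groups": sorted(groups)}, sort_keys=True).encode()

def remote_request(package, bandwidth_mbps, start):
    """Remote GARA: after signature verification, user and groups are taken from the
    wire (no local group lookup) and evaluated against the remote site's own rules."""
    ident = json.loads(package)
    return Request(ident["user"], frozenset(ident["groups"]), bandwidth_mbps, start)

# Constructed sample policy (not from the slides): group "atlas", 100 Mbit/s, 08:00-18:00.
POLICY = [Rule("atlas", 100, (time(8, 0), time(18, 0)))]
```

The remote site runs its own rule set over the identity carried in the package, so a request can pass locally and still be refused remotely on a tighter bandwidth or time window.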
[Demonstration architecture diagram; recoverable component labels: CITI.UMICH.EDU, KCT/KDC, KINIT, KCA, KX509, IGRID2002, KX509 Web Server, GARA Client Browser, SSL, GSI, GARA Service, TELNET, GSI, ATLAS.UMICH.EDU, Cisco 7206, AFS PTS Group Service, GARA Service, MJpeg Host, RX, SSH, Cisco 6506, Video Conference, MJpeg Host]

Any questions? http://www.citi.umich.edu/