Secure Network Performance Testing using SeRIF
Dr. Charles J. Antonelli
Center for Information Technology Integration
University of Michigan
Winter 2006 CSG
U-M Contributors
• CITI
  • Andy Adamson
  • Charles Antonelli
  • Nathan Gallaher
  • Olga Kornievskaia
  • David Richter
• ITCom
• MGRID
Work supported by OVPR and ITCom
SeRIF
• SeRIF: Secure Remote Invocation Framework
• Purpose: provide a secure and extensible remote process invocation service, with strong authentication and flexible authorization
• Based on Globus 2.4, GARA 1.2.2
• Leverages existing user credentials
  • Kerberos (via kx509)
• Adds fine-grained authorization
  • Walden
SeRIF
• Central portal host
  • Authentication
  • Control (invocation, parameters, results)
  • Databases (LDAP)
• Dedicated remote nodes
  • Gatekeeper
  • Local scheduler for execution and cleanup
  • Provides status and output redirection
  • Fine-grained authorization at resource
SeRIF Architecture (diagram)
Components shown: User Workstation (Browser, kx509, kinit, Kerberos V5, libpkcs11); Portal running Apache with SSL (client certificate required) and mod_ssl, mod_kct, mod_kx509, mod_php, mod_jk, Tomcat and CHEF, backed by LDAP, network topology and output databases; Kerberos infrastructure (KDC, KCA, KCT); Grid Resource with GSI GateKeeper, Resource Manager, SASL and WALDEN authorization. Numbered arrows 1 to 8 trace the request flow from browser to resource.
NTAP
• NTAP: Network Testing and Performance
• Purpose: provide a secure and extensible network testing and performance tool invocation service at U-M
• Uses SeRIF framework
• Runs on portal host and Performance Measurement Platforms (PMPs) attached to routers in a VLAN environment
NTAP Architecture (diagram)
Shown: Host A and Host B connected through Router 1, Router 2 and Router 3, each router with an attached PMP (PMP 1, PMP 2, PMP 3); the Portal reaches each PMP over GSI; authorization uses an Attribute Callout to AFS PTS, Walden (XACML) or a flat file.
Mapping and Reporting
• Segment mapping
  • Use traceroute to obtain packet routing path
  • Use network topology database to map each router to its associated PMP
  • Execute pairwise performance tests along path
• Reporting tool
  • Output hop-by-hop matrix display
  • Color-coded test history
  • Click through cells for detailed views
  • Links to most recent tests
Host Endpoint Testing (diagram: Host A, Router 1)
• Solution to first-mile problem
• Leverages Network Diagnostic Tester (NDT)
• Authenticated user clicks first-mile link
• Portal runs traceroute back to client
• Portal determines client’s first-hop router and attached PMP (running NDT server) from path and network topology database
• Portal displays link to first-hop PMP
• Client downloads NDT app from PMP as usual
• Client runs NDT test and displays results as usual
• NDT server sends results to NTAP database
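The segment-mapping steps of the Mapping and Reporting slide and the first-hop lookup of Host Endpoint Testing, as an added Python example that is not part of the NTAP project: it parses constructed traceroute output, maps each router to its PMP through a stand-in topology table, derives the pairwise segments to test, and finds the PMP nearest the client. All hostnames, addresses and PMP names are constructed, and the unanswered hop shows how gaps in the path are handled.

```python
import re
from typing import Optional

# Constructed traceroute output from the portal toward the client (RFC 5737 test
# addresses, not real hosts); hop 3 did not answer.
SAMPLE_TRACEROUTE = """\
traceroute to hostb.example (192.0.2.200), 30 hops max, 60 byte packets
 1  rtr1.example (192.0.2.1)  0.412 ms  0.398 ms  0.371 ms
 2  rtr2.example (198.51.100.1)  1.204 ms  1.188 ms  1.150 ms
 3  * * *
 4  rtr3.example (203.0.113.1)  2.933 ms  2.901 ms  2.870 ms
 5  hostb.example (192.0.2.200)  3.512 ms  3.480 ms  3.455 ms
"""

# Constructed stand-in for the network topology database: router address -> PMP.
TOPOLOGY_DB = {"192.0.2.1": "pmp1", "198.51.100.1": "pmp2", "203.0.113.1": "pmp3"}

HOP_RE = re.compile(r"^\s*\d+\s+\S+\s+\((\d+(?:\.\d+){3})\)")

def parse_hops(text: str) -> list[Optional[str]]:
    """Router addresses in hop order; None marks a hop that did not answer."""
    hops: list[Optional[str]] = []
    for line in text.splitlines():
        if not line.strip()[:1].isdigit():
            continue  # skip the header line
        m = HOP_RE.match(line)
        hops.append(m.group(1) if m else None)
    return hops

def map_path_to_pmps(hops, topology) -> list[Optional[str]]:
    """Map each hop to its PMP; silent hops and unknown addresses (e.g. the destination host) give None."""
    return [topology.get(h) if h else None for h in hops]

def pairwise_segments(pmps) -> list[tuple[str, str]]:
    """Adjacent PMP pairs to test; a hop without a PMP is spanned by the surrounding segment."""
    known = [p for p in pmps if p is not None]
    return list(zip(known, known[1:]))

def client_first_hop_pmp(text: str, topology) -> Optional[str]:
    """First-mile case: walk back from the client end of the path to the nearest mapped router's PMP."""
    for hop in reversed(parse_hops(text)):
        if hop and hop in topology:
            return topology[hop]
    return None

if __name__ == "__main__":
    pmps = map_path_to_pmps(parse_hops(SAMPLE_TRACEROUTE), TOPOLOGY_DB)
    print(pairwise_segments(pmps))  # [('pmp1', 'pmp2'), ('pmp2', 'pmp3')]
    print(client_first_hop_pmp(SAMPLE_TRACEROUTE, TOPOLOGY_DB))  # pmp3
```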
Automated Testing
• Need repetitive, automated testing
  • … but with secure authentication and authorization
• Solution: renewable credentials
  • User obtains long-term credentials
  • Portal schedules repetitive testing
  • Prior to a test cycle, portal validates long-term credential and derives from it a short-term credential
  • Rest of SeRIF architecture unchanged
Future Work
• Post-processed statistics, graphs
• Measurement database reorganization
• Scalability improvements
• Alternatives to topology database
  • Active infrastructure probing
• Automated tools a la NDT
  • Tune TCP stack
  • Detect conditions, e.g. duplex mismatches
• Cross-domain testing
Cross-Domain Testing (diagram)
Shown: Host A and Host B connected through Router 1, Router 2 and Router 3 with PMP 1, PMP 2 and PMP 3, split between Domain 1 and Domain 2; each domain keeps its own Portal, and portals and PMPs communicate over GSI.
Cross-Domain Testing
• Goals
  • Extend test path across administrative domains
  • Address larger end-to-end performance issues
  • Leverage SeRIF’s strong security and fine-grained authorization model
  • Promote SeRIF at other institutions
  • Share performance data among institutions
Cross-Domain Testing
• Approach
  • Retain portal within each domain
  • Originating portal runs traceroute
    • Determines sequence of domains
    • Verifies permissions for test
    • Or “chunked” by domain
  • Each portal tests and stores local results
    • Independently, or synchronized
  • Test data available via local SeRIF controls
  • Boundary-crossing segments
    • Need cross-domain trust
  • Transit segments
Cross-Domain Testing
• Seeking
  • Large network testbed
    • Independent administrative domains
  • Partners
  • Funding
    • Proposal
SeRIF Resources
• SeRIF & NTAP home page
  • http://www.citi.umich.edu/projects/ntap
  • FAQ & documentation
  • Download NTAP code & installation instructions
• Tools
  • iperf http://dast.nlanr.net/Projects/Iperf/
  • ndt http://e2epi.internet2.edu/ndt/
  • owamp http://e2epi.internet2.edu/owamp/
Any Questions?
http://www.citi.umich.edu