Authenticated QoS Project Overview - PowerPoint PPT Presentation

Slides: 14
Provided by: peter684

Transcript and Presenter's Notes

Title: Authenticated QoS Project Overview


1
Authenticated QoS Project Overview
  • Andy Adamson
  • Research Investigator
  • Center for Information Technology Integration
  • University of Michigan
  • Ann Arbor

2
Collaborators
  • Shawn McKee, University of Michigan
  • Olivier Martin, Daniel Davids, Martin Fluckiger,
    and Jean-Philippe Martin-Flatin, CERN
  • University of Michigan Department of Physics
  • University of Michigan College of Literature,
    Science, and the Arts
  • University of Michigan Office of the Vice
    President for Research
  • Merit
  • University Corporation for Advanced Internet
    Development (UCAID)
  • European Organization for Nuclear Research (CERN)
  • Argonne National Laboratory
  • The Globus Project
  • EU DataGrid
  • EU DataTAG

3
End to End Performance
  • Reliable high-speed end to end network services
    are important to scientific collaborators
  • Video, audio, large data transfers
  • Long haul networks demonstrate good performance
    due to overprovisioning
  • The last-mile is often a network bottleneck

4
End to End Pragmatics
  • Reliable end-to-end network service is achieved
    by reserving network resources within end-point
    institution networks, coupled with the good
    performance of overprovisioned long haul
    networks.

5
Automated Reservation
  • QoS functionality is a common feature in network
    hardware.
  • QoS configuration is currently done by hand.
  • We address the need for an automated network
    reservation system.
  • Security of all communications is vital.
  • Difficult security problem due to cross-domain
    nature of end-to-end network resource allocation.

6
Based on Globus GARA
  • GRID network reservation service
  • GSI PKI based cross-domain authentication
  • Requires user PK credentials
  • Our contributions
      • Fine-grained cross-domain authorization
      • PK credentials based on Kerberos identity
      • Secure web interface

7
Cross-domain Authorization
  • Use existing local group services
  • Avoid replicating data and management tasks
  • Group name-space shared by domains
  • Local administrators manage group membership as
    usual
  • KeyNote Policy Engine makes authorization
    decision

8
Cross-domain Authorization
  • KeyNote Policy Engine makes authorization
    decision
  • Fine-grained authorization expressed in KeyNote
    policy rules
      • Group membership
      • Amount of bandwidth allowed
      • Time/duration of reservation

9
Local Authorization
  • Local GARA queries the local group service to
    learn the user's group memberships.
  • Memberships are passed into KeyNote along with
    the reservation request parameters.
  • KeyNote compares input parameters to rules.
  • If authorized, the local GARA will:
      • Package the user name and group membership.
      • Sign the package with a private PK key.
      • Add it to the reservation request forwarded
        to the remote GARA.

10
Remote Authorization
  • Remote GARA verifies signature, then accepts the
    user name/group membership from the wire.
  • Group membership is passed into KeyNote along
    with reservation request parameters.
  • KeyNote compares input parameters to the rules to
    make authorization decision.

11
Demonstration: UMICH, iGrid 2002, CERN
  • Reservation fails if
      • User not in correct group
      • Bandwidth request out of bounds
      • Time of day request out of bounds
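
The flow on slides 9 to 11 as a runnable sketch, added here and not code from GARA, KeyNote or the presentation: the local side signs the user name and groups, the remote side verifies the signature before trusting them, and each side checks the request against its own rule. Ed25519, the JSON package layout, the `Rule` struct and every name and value are assumptions; KeyNote's own policy language is not used.

```go
package main

import (
	"crypto/ed25519"
	"encoding/json"
	"fmt"
)

type Assertion struct { // what the local GARA signs and forwards (layout assumed)
	User   string
	Groups map[string]bool // set of group names from the local group service
}
type Rule struct { // constructed stand-in for one KeyNote rule, not KeyNote syntax
	Group                     string
	MaxMbps, FromHour, ToHour int // start hour must fall in [FromHour, ToHour)
}
var demoPub, demoPriv, _ = ed25519.GenerateKey(nil) // constructed demo key pair

// Authorize compares memberships and request parameters to the rule.
func Authorize(a Assertion, mbps, hour int, r Rule) error {
	switch {
	case !a.Groups[r.Group]:
		return fmt.Errorf("user %q not in group %q", a.User, r.Group)
	case mbps <= 0 || mbps > r.MaxMbps:
		return fmt.Errorf("bandwidth request %d Mb/s out of bounds", mbps)
	case hour < r.FromHour || hour >= r.ToHour:
		return fmt.Errorf("time of day request %02d:00 out of bounds", hour)
	}
	return nil
}

// Sign is the local GARA step: package the memberships and sign them.
func Sign(priv ed25519.PrivateKey, a Assertion) (msg, sig []byte) {
	msg, _ = json.Marshal(a) // cannot fail for this struct
	return msg, ed25519.Sign(priv, msg)
}

// Verify is the remote GARA step: nothing is parsed until the signature checks.
func Verify(pub ed25519.PublicKey, msg, sig []byte) (a Assertion, ok bool) {
	if ed25519.Verify(pub, msg, sig) {
		ok = json.Unmarshal(msg, &a) == nil
	}
	return a, ok
}

func main() {
	msg, sig := Sign(demoPriv, Assertion{"alice", map[string]bool{"qos-video": true}})
	a, ok := Verify(demoPub, msg, sig)
	fmt.Println(ok, Authorize(a, 30, 14, Rule{"qos-video", 50, 8, 18}))
}
```

The signed package here covers only the user name and groups, as slide 9 describes; the slides do not say whether the request parameters or a lifetime are also covered by the signature.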

12
[Architecture diagram; labels: CITI.UMICH.EDU, KCT/KDC, KINIT, KCA, IGRID2002, KX509, Web Server GARA Client, Browser, SSL, GSI, GARA Service, TELNET, ATLAS.UMICH.EDU, Cisco 7206, AFS PTS Group Service, MJpeg Host, RX, SSH, Cisco 6506, Video Conference]

13
Any questions?
http://www.citi.umich.edu/