Final Report

August, 2002

Introduction

This effort advances the state of the art for practical application and deployment of distributed applications that rely on quality-of-service (QoS) guarantees from the network infrastructure. We are mainly concerned with the signaling required for the automated set-up of network QoS, specifically the design and transmission of authentication and authorization information. We have tested with UDP based applications for which current Cisco QoS configurations work, and will experiment with TCP based applications, as well as other router and switch products.

Reliable high speed end-to-end network services are increasingly important for scientific collaborators, whether separated by large distances or located just across campus. Our experience shows that long haul networks demonstrate good performance (thanks to overprovisioning), but the last mile, from the edge of the campus network to the desktop, is often a network bottleneck. Quality of Service (QoS) functionality is a common feature of network hardware. Recent studies show the viability and usefulness of these features to control network resources. The architectural specifications of QoS reservations are still being developed, and configuration of network hardware QoS is done by hand. Our work was sponsored by a multi-institutional partnership.
Statement of work

We provide project partners with an architecture to reserve network resources online using strong authentication and fine-grained authorization based on use of existing security and group services. We have an alpha level deployment at UMICH, and have demonstrated the architecture by reserving bandwidth for a UDP based MJPEG video streaming application running between UMICH and CERN.

Architecture Components

The architecture is described in detail, and issues discussed, in the CITI technical report A Practical Distributed Authorization System for GARA (.ps), by William A. Adamson and Olga Kornievskaia. The work has been accepted for publication at InfraSec 2002.

The Internet2 QBone Working Group Signaling Design Team has produced a final report on the state of the Simple Inter-domain Bandwidth Broker protocol (SIBBS), and implementations are being coded. Bandwidth brokers (BB) manage a pool of network resources in an administrative domain. SIBBS provides a protocol for BBs to communicate network resource requests that span administrative domains. We envision a user, or a distributed application, requesting intra-domain network resources from a local bandwidth broker, which in turn forwards the request through the BB infrastructure to the BB in the destination network.

We base our work on the Globus Project General-purpose Architecture for Reservation and Allocation (GARA) code base. In its current state, GARA offers PK based authenticated QoS resource reservation with minimal access control, and has yet to include a BB to BB protocol. Our contributions to the GARA architecture are twofold. First, we provide a fine-grained cross-domain authorization for GARA that leverages existing institutional security and group services, with universal access for users. Second, we eliminate the need for long term Public Key (PK) credentials and the associated overheads that are required by the current system.
We describe the implementation of an easy and convenient Web interface for making reservation requests.

Public key cryptography is fundamental to secure communications, with a huge installed base of supporting software (namely, every web server and browser) and a growing commitment to a global PKI in every sector. Like many large enterprises, the partner institutions rely heavily on Kerberos for authentication. Yet an emerging consensus is establishing PK authentication as a critical technology for web security and other applications. For example, Globus systems rely on PK authentication. The CITI Kerberos Leveraged PKI project leverages an existing Kerberos infrastructure to provide a lightweight Public Key Infrastructure. CITI runs a Kerberized Certificate Authority (KCA) that signs keys based on valid Kerberos authentication of the requester. These certificates are comparable to Kerberos tickets in many ways, and can be used for any application that requires strong authentication. For example, CITI uses them to obtain conventional Kerberos tickets in web applications hostile to Kerberos. CITI's PK certificates have a short lifetime, comparable to Kerberos tickets, and do not support long-term digital signatures or long-term encryption; we refer to them as junk keys. Junk keys are fully interoperable with all PK-authenticated services, including Globus.

The KeyNote Trust-Management System policy engine is used to enforce fine-grained authorization. It accepts input attributes such as request parameters (time of request, bandwidth, etc.), environmental parameters (system load), and group membership. The policy engine then applies configurable rules to the input attributes to make an authorization decision. Existing group services are consulted to determine a user's membership in the groups required by the policy rules. Our implementation uses UMICH AFS PTS group services.
Demonstration

In April 2002, we demonstrated our architecture by reserving bandwidth for a real-time video conferencing application running between the University of Michigan Physics Department and CERN. The UMICH-CERN Authenticated QoS Demo Network diagram shows the network topology used in the demonstration. Traffic generators (Iperf) provided competition for resources at the egress interface on the configured routers. The generator program, when run on sufficiently powerful computers, can fill 99 percent of a 100MB interface, and ~80% of a 1000MB interface, with little packet loss.

The demonstration consisted of running the high quality MJPEG video conferencing application, then turning on the traffic generators. For a non-reserved flow, the video quality degrades in the face of the generated traffic. A bandwidth reservation for the video conference is then configured for a short time in the future. When the reservation time arrives, the high quality of the video conferencing application returns even though the traffic generation is still present. The system was configured to allow either a UMICH user or a CERN user to make a reservation request, and involves three Kerberos Version 5 security realms in order to demonstrate cross-realm authentication and authorization.
The GARA service's KeyNote authorization policies were configured to require bounded request parameters for bandwidth, start time and duration, as well as membership in specific groups.

Demonstration Results

It was demonstrated that if any of the policy parameters were not satisfied, such as too much requested bandwidth or incorrect group membership, the reservation failed. If the request parameters were in bounds, and if the user was a member of the correct AFS PTS group(s), the reservation succeeded. A successful reservation resulted in configuring the end domain Cisco ingress router interfaces with the appropriate Committed Access Rate (CAR) rate limit, which marks the packets and polices the flow. The egress router interfaces were statically configured with WRED, Cisco's implementation of the Random Early Detection (RED) class of congestion avoidance algorithms. Here are some video/audio clips of the CERN demonstration.
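The following is an added illustration, not code from GARA, KeyNote or the CITI implementation: a small Python model of the authorization decision described above, with the bounded bandwidth, start time and duration checks and the group-membership rule. The bounds, principal names, and the group table standing in for the AFS PTS service are constructed values for the example; real KeyNote policies are written in KeyNote's own assertion language rather than Python.

```python
from dataclasses import dataclass, field
from typing import Dict, Set, Tuple

# Constructed stand-in for the AFS PTS group service: principal -> groups.
# In the deployed system this lookup is a query to the real group service.
PTS_GROUPS: Dict[str, Set[str]] = {
    "alice@UMICH.EDU": {"qos-users", "physics-video"},
    "bob@CERN.CH": {"qos-users"},
}


@dataclass
class ReservationPolicy:
    """Bounded request parameters plus required groups (hypothetical values)."""
    max_bandwidth_kbps: int
    max_duration_s: int
    max_start_delay_s: int          # how far in the future a start time may be
    required_groups: Set[str] = field(default_factory=set)

    def evaluate(self, request: Dict[str, int], user: str, now: int) -> Tuple[bool, str]:
        """Return (decision, reason) for one reservation request.

        Every rule must hold; the first failing rule denies the request,
        mirroring the accept/deny outcome of the policy engine."""
        bw = request["bandwidth_kbps"]
        if bw <= 0 or bw > self.max_bandwidth_kbps:
            return False, f"bandwidth {bw} kbps outside (0, {self.max_bandwidth_kbps}]"
        delay = request["start_time"] - now
        if delay < 0 or delay > self.max_start_delay_s:
            return False, f"start time {delay}s from now outside [0, {self.max_start_delay_s}]"
        dur = request["duration_s"]
        if dur <= 0 or dur > self.max_duration_s:
            return False, f"duration {dur}s outside (0, {self.max_duration_s}]"
        # Group rule: consult the group service for the requesting principal.
        missing = self.required_groups - PTS_GROUPS.get(user, set())
        if missing:
            return False, f"{user} not in required group(s): {sorted(missing)}"
        return True, "parameters in bounds and group membership verified"


# Constructed policy for the example: up to 10 Mbit/s, one hour, one day ahead.
DEMO_POLICY = ReservationPolicy(
    max_bandwidth_kbps=10_000,
    max_duration_s=3600,
    max_start_delay_s=86_400,
    required_groups={"qos-users", "physics-video"},
)
```

Only a request that satisfies every bound and whose principal is in all required groups is granted; the reason string identifies which rule denied the rest.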
iGrid 2002 Demonstration

We are running the same demonstration at iGrid2002 on September 24th, 25th, and 26th 2002 from 10:30AM-12:30AM EST. We will run the demo between the University of Michigan Physics Department site and the iGrid 2002 site in Amsterdam, as well as between CERN and the iGrid 2002 site. The demonstrations will be 'one way' in that we will mark packets at either the University of Michigan Physics site or the CERN site, and run traffic generators and police at the iGrid 2002 site.