GEC5 Security Summary Stephen Schwab Cobham Analytical Services July 21, 2009.
GEC5 Security Summary
Stephen Schwab
Cobham Analytical Services
July 21, 2009
Outline
• GENI Security Architecture – plans
• GENI Clusters & Projects – status chart
• GENI Clusters – identity/authentication & authorization diagrams
• GENI Security call-outs for other notable projects
GENI Security Architecture
• Revised Document Posted on GENI wiki
• Includes “As-built” discussions on each control framework
• At least one more revision in August
Security Chart (columns: Cluster, Project Name, CH, CM/AM, Spiral 2)
• Cluster A: TIED (Federation using ABAC)
• Cluster B: PlanetLab (SFA-based GENI wrappers); EnterpriseGENI (uses PL CH as a trusted authority); Gush (Proto Tools); ProvisioningService (Raven) (Tools); Mid-Atlantic Crossroads; GpENI; Internet Scale Overlay Hosting
• Cluster C: ProtoGENI (CH and AMs using UUID/HRN); Dtunnels; CMULab; InstrumentationTools (Measurement Plane, on track); MeasurementSystem (Measurement Plane, needs work); ProgrammableEdgeNode (not in Spiral 1); DigitalObjectRegistry (Registry for CH, unknown); MillionNodeGENI (Language-based, N/A)
• Cluster D: ORCA/BEN (Shirako (ticket) based); DOME; ViSE; KanseiSensorNet; Embedded Real-Time Measurements (Measurement Plane)
• Cluster E: ORBIT; WiMAX
• Cluster ?: RegionalOptIn
• All clusters: GENIMetaOps (External Operations); GENISecurity (Security Architecture); GENIFourYearColleges; Data Plane Measurements (Measurement Plane)
• None: OpticalAccessNets (No connectivity)
Key: Control Plane
PlanetLab
• Cluster B
Identifiers
• GID consists of
– UUID generated as per RFC 4122 v4
– HRN (resolvable nicknames)
– An SSL X.509 certificate with parent field
• The GID is stored in the subject-alt-name of the certificate
– The authority that is responsible for the entity authenticates it by signing the certificate
Authentication
• Authentication is done on the basis of the certificate that is signed by the responsible authority.
• Authentication implies no permission – the certificate just indicates identity
Identity and Authentication (diagram)
Entities: GID, Slice and User Registry, Slice Manager, PlanetLab Central (PLC), Aggregate Manager
1. Generate self-signed certificate authority. The PlanetLab Consortium serves as top-level slice,
2. Register root certificate with registry
3. Register: PLC generates a certificate that includes a UUID (public key) and HRN in the subject-alt-name field. The subject-public-key contains the user public key. It is signed by the PLC.
3a. Request a GID by sending 1024-bit RSA public key
4. Register user with registry
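The GID issuance and authentication steps above, as an added Go example that is not taken from the deck or from PlanetLab's code: the authority name, UUID and HRN are constructed, and carrying the GID as two subjectAltName URIs with "uuid:" and "hrn:" schemes is an assumption about format, not GENI's wire encoding. Verification returns identity only, which is the deck's point that authentication implies no permission.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"math/big"
	"net/url"
	"time"
)

// newAuthority is step 1 of the deck's diagram: a self-signed CA (the deck shows 1024-bit RSA; 2048 here).
func newAuthority(name string) (*x509.Certificate, *rsa.PrivateKey) {
	key, _ := rsa.GenerateKey(rand.Reader, 2048)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: name},
		NotBefore: time.Now(), NotAfter: time.Now().Add(24 * time.Hour), IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}

// issueGID is the Register step: the authority binds UUID and HRN into subjectAltName as URIs
// (the "uuid:" and "hrn:" schemes are assumptions) over the user's public key, then signs.
func issueGID(ca *x509.Certificate, caKey *rsa.PrivateKey, pub *rsa.PublicKey, uuid, hrn string) ([]byte, error) {
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(2), Subject: pkix.Name{CommonName: hrn},
		NotBefore: time.Now(), NotAfter: time.Now().Add(24 * time.Hour), URIs: []*url.URL{{Scheme: "uuid", Opaque: uuid}, {Scheme: "hrn", Opaque: hrn}}}
	return x509.CreateCertificate(rand.Reader, tmpl, ca, pub, caKey)
}

// authenticate verifies the chain to a trusted authority and extracts the GID. Success establishes
// identity only; no permission is implied, which is the deck's "authentication implies no permission".
func authenticate(roots *x509.CertPool, der []byte) (uuid, hrn string, err error) {
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return "", "", err
	}
	if _, err = cert.Verify(x509.VerifyOptions{Roots: roots}); err != nil {
		return "", "", err // unknown authority, expired, or otherwise untrusted chain
	}
	gid := map[string]string{} // scheme -> value, from the subjectAltName URI entries
	for _, u := range cert.URIs {
		gid[u.Scheme] = u.Opaque
	}
	if gid["uuid"] == "" || gid["hrn"] == "" {
		return "", "", errors.New("certificate carries no GID in subjectAltName")
	}
	return gid["uuid"], gid["hrn"], nil
}
```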
Authorization
• Based on credentials; credentials grant privileges to users
Slice Creation (diagram)
Entities: GID, Slice Authority, PlanetLab Central, Aggregate Manager (AM), Component Manager, Compute Cluster, Network, Storage, Measurement, Registries (Slice & User Registry, ResourceStatusService)
1. Verify user credentials and authorize him to perform slice creation
2. List Resources: On behalf of the user, the SM calls each peer AM to learn of available resources.
3. Request Ticket: User selects components, creates Rspec. If request is granted, the AM signs the request and returns a ticket
4. GetTicket: the ticket is defined by a 5-tuple, (GIDCaller, GIDObject, Attribs, Rspec, Delegate). The GetTicket operation is completed by the AM
5. Redeem Ticket: User redeems the ticket causing the sliver to be created. The Rspec defines the resources bound to the slice.
6. SM maintains a database of all slices created with the resources used.
7. Start Sliver: User requests sliver to be brought to running state
ProtoGENI
• Cluster C
Identifiers
• GID consists of
– UUID (ex: a0f4)
– HRN (resolvable nicknames)
– An SSL certificate
• The GID is stored in the DN of the SSL certificate
– Cert issued by home Emulab that authenticates entity in GENI
– DN also includes email address
Authentication
• Authentication is done on basis of the SSL certificate that is signed by the home emulab
• Authentication implies no permission, SSL certificate just indicates identity
Identity and Authentication (diagram)
Entities: GID, ProtoGENI Slice Authority, ClearingHouse (Slice & User Registry, ResourceStatusService)
1. Generate self-signed certificate authority, serves as root for Emulab.
2. Register root certificate with clearing house
3. Register: MA generates a certificate that includes a UUID (public key) and HRN in the DN field.
3a. Request a GID by sending hashed public key
4. Register user with Clearing house
Authorization
• Based on credentials; credentials grant privileges to users
Slice Creation (diagram)
Entities: GID, ClearingHouse (Slice & User Registry, ResourceStatusService), Slice Authority (SA), Aggregate Manager (AM), Home Facility, Compute Cluster, Network, Storage, Measurement
1. GetCredential: SA issues self credential authenticating user to perform actions
2. CreateSlice: User creates a new slice and receives a credential granting control over the slice
3. Register: SA registers the user and the slice
4. ListComponents: Requests list of all AMs registered with the CH
5. DiscoverResources: User submits credentials and sends a request to each AM for detailed resource lists (Rspecs)
6. RequestTicket: User selects components, creates Rspec. If request is granted, the AM signs the request and returns a ticket
6b. AM sends copy of ticket to Slice Registry (who tracks resources in each slice).
7. RedeemTicket: User redeems the ticket causing the sliver to be created.
8. StartSliver: Client requests sliver to be brought to running state
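A signed ticket of the kind the PlanetLab GetTicket step and the ProtoGENI RequestTicket/RedeemTicket steps describe, as an added Go example that is not the deck's or either project's code: the struct fields mirror the deck's 5-tuple, while the RSA-PSS signature over the JSON encoding, the constructed GIDs and Rspec, and the reading of Delegate as "redeemable by a caller other than GIDCaller" are assumptions.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/json"
	"errors"
	"fmt"
)

// Ticket is the deck's 5-tuple (GIDCaller, GIDObject, Attribs, Rspec, Delegate). Reading Delegate
// as "may be redeemed by a caller other than GIDCaller" is an assumption made for this example.
type Ticket struct {
	GIDCaller, GIDObject string
	Attribs              map[string]string
	Rspec                string
	Delegate             bool
}

// digest canonicalises the tuple (encoding/json keeps struct field order and sorts map keys) and hashes it.
func digest(t Ticket) []byte {
	b, _ := json.Marshal(t) // cannot fail for this struct
	h := sha256.Sum256(b)
	return h[:]
}

// GetTicket: the aggregate manager grants the request by signing the tuple (RSA-PSS over SHA-256).
func GetTicket(amKey *rsa.PrivateKey, t Ticket) ([]byte, error) {
	return rsa.SignPSS(rand.Reader, amKey, crypto.SHA256, digest(t), nil)
}

// RedeemTicket: the AM re-derives the digest from the tuple as presented and checks its own signature,
// so any change to Rspec or Attribs after issue is caught; then it checks who is presenting the ticket.
func RedeemTicket(amPub *rsa.PublicKey, t Ticket, sig []byte, callerGID string) error {
	if err := rsa.VerifyPSS(amPub, crypto.SHA256, digest(t), sig, nil); err != nil {
		return errors.New("ticket not signed by this aggregate manager")
	}
	if callerGID != t.GIDCaller && !t.Delegate {
		return errors.New("ticket bound to another caller and not delegable")
	}
	return nil
}

func main() {
	am, _ := rsa.GenerateKey(rand.Reader, 2048) // constructed AM key
	tk := Ticket{GIDCaller: "uuid:caller-1", GIDObject: "uuid:slice-7", Attribs: map[string]string{"type": "vm"}, Rspec: "<rspec/>"}
	sig, _ := GetTicket(am, tk)
	fmt.Println(RedeemTicket(&am.PublicKey, tk, sig, "uuid:caller-1"), RedeemTicket(&am.PublicKey, tk, sig, "uuid:other"))
}
```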
Orca/Ben
• Cluster D
Identifiers
• GID consists of
– RFC 4122-based GUIDs
– Public key
– Attributes
Identity and Authentication (diagram)
Entities: GID, Shibboleth Identity Provider, User Registry, Principal Registry
1. Identity provider maintains registry of all other ID providers including their GUID, keys, and attributes
2. Runs as a SOAP server; all messages are digitally signed as per WS-Security
3. Each ID provider is responsible for the principals it registers. It maintains a local MySQL database.
4. User requests a GID by sending a public key via a browser interface
5. Returns an RFC 4122-based GUID and security attributes
Slice Creation (diagram)
Entities: GID, Broker/ClearingHouse, Policy Module (applies attribs. from ID provider), Service Manager/Slice Manager, Guest Handler (one per sliver), Domain Authority (DA)/Aggregate Manager, Site Policy (one per resource pool)
0. Export Tickets: Delegate splittable tickets to broker. Attempts to honor all tickets issued by the broker
1. Researcher/guest starts experiment creation using a web browser. Authenticated by the ID provider (not shown)
2. CreateSlice / GetTicket: user request allowed if he has the appropriate attributes and is endorsed by ID.
3. UpdateTicket: broker grants ticket to the service manager that can now be redeemed from the domain authority. Each guest has a guest handler within the service manager. The ticket includes resource type properties.
5. RedeemTicket: The ticket is now presented to the DA along with configuration properties for setup of slice.
6. UpdateLease: The DA grants the service manager the resources as a lease. It includes the unit properties as assigned from the DA.
DETER TIED
• Cluster A
Identifiers
• IDs are triples
– Testbed, project, user, e.g. ("DETER", "proj1", "faber")
• Also defines federation IDs
– 160-bit SHA-1 hash of the public key
– Avoids collisions when federating
• Triple name can use a fed-ID
– (fedid:1234, "proj1", "faber")
Authentication
• Authentication is done on the basis of the home testbed using public-private key pairs
Identity and Authentication (diagram)
Entities: TIED Federator/Management Authority (MA), ClearingHouse/Federator (Slice & User Registry, ResourceStatusService)
1. Create a name and fed-ID for testbed
2. Register federated testbed with clearing house/federator
3. Register: MA registers a new user with the testbed, associates him with a project, generates a fed-ID
4. Register user and fed-ID with Clearing house/federator
Authorization
• Based on attributes assigned to user; project group is a type of attribute
• Attributes grant privileges to users
Experiment/Slice Creation (diagram)
Entities: GID, Federated Fedds (Slice & User Registry, ResourceStatusService), Federator/Slice Authority, Federator/Aggregate Manager, Home Facility, Compute Cluster, Network, Storage, Measurement
1. User is authenticated by home facility aggregate manager for a federated exp.
2. User initiates a federated experiment
3. Requests list of all testbed advertisements registered with the CH
4. User submits a canonical experiment description to the federator
4b. Register the user and the experiment with the CH
5. Federator selects components, requests resources from other testbeds.
6. Once all the resources are granted the experiment configuration begins
6b. Fedd sends a copy of CEDL to the CH (who tracks resource usage across GENI).
7. Grant the user complete control of the experiment
Orbit
• Cluster E
• No diagrams yet
– Spiral 2 plans on track to introduce security mechanisms to address Spiral 2 needs
Other Notable Projects
• Enterprise GENI
– Controller off-loads security mechanisms from individual deployed switches
• Digital Object Registry
– Provides for searching of identities beyond a single clearinghouse
• Million Node GENI
– Language-based VM: restricted Python
Questions
• What mechanisms should GENI be using for identity and authentication?
• What mechanisms should GENI be using for policy creation/definition/distribution and authorization?
• Should GENI security focus on yet-to-be-implemented or already-up-and-running features?