ESnet RADIUS Authentication Fabric Michael Helm ESnet/LBNL GGF-12 Sec Workshop 18 Sep 2004


Page 1

ESnet RADIUS Authentication Fabric

Michael Helm, ESnet/LBNL

GGF-12 Sec Workshop, 18 Sep 2004

Page 2

What Does the RAF Do?

[Diagram: ESnet RAF Federation. The sites NERSC, ANL, ORNL and PNNL each run a site RADIUS server (r) and an OTP Service; the ESnet RADIUS server (R) peers with all of them. Realms: anl.gov, nersc.gov, pnnl.gov, ornl.gov, es.net. Each site RADIUS server lists the realms anl.gov, nersc.gov, pnnl.gov and ornl.gov; a RADIUS application (RADIUSApp) attaches to a site RADIUS server (r).]

Page 3

What Is the Grid Integrated RAF?

[Diagram: components are the ESnet RADIUS server with its AuthDB; the sites' OTP Services; MyProxy Credentials with PAM; a Subordinate CA (signing Engine, HSM, OCSP) whose certificate is signed by the ESnet Root CA; and SIPS. Flow: 1 Log in; 2 Ask AuthN, with hint; 3 OTP verification; 4 Auth OK, Namestring returned; 4 Sign Proxy; 5 Receive Proxy Cert; 6 (Opt) Store Proxy, Manage MyProxy; 7 Execute.]

Proposal Apr 2004

Special case of GridLogon

Page 4

RAF Benefits & Features

• O(n) peering
• Authorization decision controlled by site

Sound familiar?

• Single token per person
• Interoperability on an open, standard, industry-supported AAA protocol
• WAN use of RADIUS (RFC 2865)
• Federation

Page 5

ESnet RAF Architecture

[Diagram: layered view. Network (IP) and VPN (IPsec) carry RADIUS between ESnet and the sites. Inside ESnet, the RAF consists of replicated RADIUS proxy routers. Each of Site 1, Site 2 ... Site n runs a site RADIUS server, an AuthN Authority (OTP) and applications acting as RADIUS clients (Rc).]
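As an added illustration of the two slides above (not code from the ESnet project): a toy model in Python of the RAF hub that routes an Access-Request to the user's home realm, checks the RFC 2865 Response Authenticator with the per-site shared secret, and compares the hub's O(n) peering with a full mesh. The realms are the ones on the slides; the hostnames, shared secrets, user names and OTP values are constructed for the example.

```python
import hashlib
import os

ACCESS_ACCEPT, ACCESS_REJECT = 2, 3

# Realm -> home-site RADIUS server (realms from the slides; hostnames are placeholders).
REALM_TABLE = {"anl.gov": "radius.anl.example", "nersc.gov": "radius.nersc.example",
               "pnnl.gov": "radius.pnnl.example", "ornl.gov": "radius.ornl.example"}

def split_realm(user_name):
    """'mhelm@ornl.gov' -> ('mhelm', 'ornl.gov'); a bare name has no realm."""
    user, sep, realm = user_name.rpartition("@")
    return (user, realm.lower()) if sep else (user_name, None)

def response_authenticator(code, ident, attrs, request_auth, secret):
    """RFC 2865 s.3: MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    header = bytes([code, ident]) + (20 + len(attrs)).to_bytes(2, "big")
    return hashlib.md5(header + request_auth + attrs + secret).digest()

# Shared secrets to manage: n via the hub (O(n) peering) versus n(n-1)/2 for a full mesh.
def peering_count(n_sites, hub=True):
    return n_sites if hub else n_sites * (n_sites - 1) // 2

def make_site(secret, otp_table):
    """Constructed stand-in for a site RADIUS server backed by its OTP service."""
    def authenticate(user_name, otp, ident, request_auth):
        user, _ = split_realm(user_name)
        code = ACCESS_ACCEPT if otp_table.get(user) == otp else ACCESS_REJECT
        return code, b"", response_authenticator(code, ident, b"", request_auth, secret)
    return secret, authenticate

class RafProxy:
    def __init__(self, site_servers):
        self.site_servers = site_servers  # host -> (shared secret, authenticate fn)

    def route(self, user_name, otp, ident=1):
        _, realm = split_realm(user_name)
        peer = self.site_servers.get(REALM_TABLE.get(realm))
        if peer is None:
            return ACCESS_REJECT  # unknown realm or no configured peer: never guess
        secret, authenticate = peer
        request_auth = os.urandom(16)
        code, attrs, resp_auth = authenticate(user_name, otp, ident, request_auth)
        # Only accept a reply bound to this request by the peer's secret; authN only.
        expected = response_authenticator(code, ident, attrs, request_auth, secret)
        return code if resp_auth == expected else ACCESS_REJECT

# Constructed demo federation: one made-up OTP table and shared secret per site.
SITES = {"radius.ornl.example": make_site(b"ornl-shared-secret", {"mhelm": "492817"}),
         "radius.anl.example": make_site(b"anl-shared-secret", {"alice": "113355"})}
```

The hub only answers the authentication question; the authorization decision stays with the site running the application, as the benefits slide states.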

Page 6

RAF Current Issues

• Reliability – Replication
  – Currently RAF issue, but also applies to site RADIUS/OTP
• * Federation
• * Application Integration
  – Where’s our “Grid Integration” solution?
  – PAM – more layers!
• * Name management (Fed/App Integration)
  – Essential issue for Grid integration
• *? OTP Service Reliability
  – “Transit time”; resync; loss
• *? Integrity & Security
  – VPN – See later
• Market research – size/scope of deployment

* Grid issue. Current: 6 – 18 mos

Page 7

RAF Current Issues

[Diagram: the federation diagram from Page 2 (site RADIUS servers r, OTP Services, ESnet RADIUS server R, realms anl.gov, nersc.gov, pnnl.gov, ornl.gov) annotated with where the current issues arise: Reliability/Replication, Integrity/Security, OTP/C&R, Federation, Transit time, Application Integration.]

Page 8

RAF Long Term Issues

• RAF support for other protocols
  – Kerberos
  – Web services
  – EAP/TLS
• MyProxy Protocol
• End to End integrity
  – “AuthA” protocol
• Application integration
  – Always an issue
  – Architecture: fan-out/gateway
  – Firewalls
• RADIUS

* Grid issue. Future: 12 – 48 mos

Page 9

AuthA

An OTP-based key-exchange technology that offers protection against:

• capture of the user’s password
• capture of the server’s password database
• dictionary attacks on the user’s password
• denial-of-service attacks

An OTP-based DH key-exchange technology that allows users to connect from an untrusted terminal and still preserve the privacy of data transmitted on the wire:

• confidentiality, authenticity, and integrity of the data
• mutual authentication of the user and the server

Technology publication: M. Abdalla, O. Chevassut, and D. Pointcheval, “One-time Verifier-based Encrypted Key Exchange”, submitted for publication to the 8th International Workshop on Practice in Public-Key Cryptography, Feb 2005.

Page 10

Conclusion

• Successful RAF demonstration project
• Engineering and User experience issues
• Ready to proceed to pilot
• Need Grid Integration
• First step toward Auth Fabric
  – Support more protocols
  – Federation
  – Successor to RADIUS

Page 11

Demo

• http://topaz.es.net/secure/index.html
• http://panda.ccs.ornl.gov/radius/index.html

Page 12

Fusion Grid Firewall Issues

Michael Helm, ESnet/LBNL

GGF-12 Sec Workshop, 18 Sep 2004

Page 13

FusionGrid Use Case

Page 14

Comments

Each site is protected by a firewall

Different firewall technology

OTP is probably a feature

Need single sign-on, delegation, autonomous processes…

Page 15

Fusion Grid

• Use case comes from Dave Schissel
• Evolved from discussion of OTP
  – 2 of 3 labs in FusionGrid already have a SecurID infrastructure
• Need direct support
• Need to identify path to solution