autoBAHN AAI TNC2007 - RENATER · PDF file• Alcatel MCC 1678 • Juniper T640, M160,...

Connect. Communicate. Collaborate

AAI scenario: How AutoBAHN system will use the eduGAIN federation for Authorisation and Authentication

TNC2007 – TERENA Technical WorkshopLyngby, 20 May 2007

Connect. Communicate. CollaborateAgenda• AutoBAHN service overview

• AAI Infrastructure for AutoBAHN– Overview– AA Scenario

• User AuthN (Automated & Human user)• Interdomain AAI

– Policy module and attributes

• Progress


AutoBAHN overview

Connect. Communicate. CollaborateAutoBAHN is…

• … a research activity for engineering, automating and streamlining the inter-domain setup of guaranteed capacity (Gbps) end-to-end paths

• AutoBAHN = Joint Research Activity 3 of the GN2 project– GN2 is an EC-funded Integrated Infrastructure Initiative (I3) project,

with all NRENs as partners (DANTE: coordinator)– GN2 includes:

• Networking Activities (NAs) (Human networks)• Service Activities (SAs) (deployment of GÉANT2 with focus on

services)• Joint Research Activities (JRAs) (applied technological research)

Connect. Communicate. CollaborateGÉANT2 • 25 POPs (+4) serve >30 NRENs• 11600 km of fibre + 140 ILA sites

– DWDM (Alcatel 1626 LM)• 50+ x (own) 10G lambdas• 9 x (leased) 10G lambdas• 8 x 2.5G (leased) “lambdas” +

some lower speed links• Alcatel MCC 1678• Juniper T640, M160, M40 routers• NREN accesses at up to 10Gbps

(+ backup) + P2P• 4 x 10G to North America• POP in NY• connections to other R&E

networks: Abilene, ESnet, CA*net4, SINET, TENET, RedCLARA, EUMEDCONNECT, TEIN2 (coming)

Connect. Communicate. CollaborateEnd-to-end services over GÉANT2• Up to now: Packet Switched IP (Layer 3) & MPLS Managed Bandwidth

Services – VPNs• From now on the hybrid NREN - GÉANT2 service model also enables:

– Layer 2 Switched e2e circuits (e.g.1 GigE) involving GÉANT2facilities ( + local circuits provided by NRENs and Campuses)

– 10 Gig Optical Private Networks (OPNs) configured for large e-Science projects using GÉANT2 DWDM & NREN - Campus lightpaths

GEANT2

End user

End-user

end-to-end path

GEANT2

NREN 1NREN 2

MAN/ Campus/ Institution

MAN/ Campus/ Institution

Connect. Communicate. CollaborateAn example• 1GE path between Brno (CZ) and Louisiana (USA)

Connect. Communicate. CollaborateA multi-domain …• …multi-technology, multi-disciplinary environment• Control and provisioning has to be distributed• Business-layer related interactions include AA, policies, advance

reservations etc.• Privacy and control of intra-domain resources must be safeguarded

Client equipment

IP domain

NMS

GE domain

L2 MPLS VLL

SDH domain

Native EthernetGFP over SDH

GMPLSsignalling

Client equipment

Technology Stitching

Technology StitchingManual

provisioning

Connect. Communicate. CollaborateAutoBAHN overview

Client equipment

IP domain

NMS

GE domain

L2 MPLS VPN

SDH domain

Native EthernetGFP over SDH

GMPLS signalling

Technology Proxy

Domain Manager

Inter-Domain ManagerUser access

moduleRequest

handling logic

DM pathfinding

AAI

Resource modelling

Policy module

Inter-domain pathfinder

User interface

Technology Proxy

Domain Manager


moduleRequest

handling logic

DM pathfinding

AAI

Resource modelling

Policy module


User interface

Client equipment

Aut

oBA

HN

sys

tem

Dat

a pl

ane

Technology Proxy

Domain Manager


moduleRequest

handling logic

DM pathfinding

AAI

Resource modelling

Policy module


User interface


A distributed approach

User interface

Inter-Domain Manager

Domain Manager

Client equipment IP domain

NMS

GE domain

L2 MPLS VPN

SDH domain

Native Ethernet GFP over SDH

GMPLS signalling

Client equipment

User interface


Domain Manager

User interface


Domain Manager

(1)

(2)

(4)

(5)

(6)

(7)(3)

Inter-domain path-finding

(8)(9)(10)


Authentication and AuthorisationInfrastructure

Connect. Communicate. CollaborateAAI in AutoBAHN: overview• Based on the work made by another GN2 project research

activity (GN2-JRA5) – EduGAIN, a federator of already established AAIs all

over European countries for inter-domain services• A chained-solution is adopted

– A user is authenticated and his bandwidth reservation request is authorised successively in each domain where bandwidth should be reserved.

– The reservation is enabled in each domain by the Domain Manager (DM) only after AA


AAI in AutoBAHN: overview• Some autoBAHN interactions depend on AAI:

– 1 - Home Domain: User AuthN• Interaction with the local AAI to authenticate the user and

retrieve its attributes– 2 - Communication between IDMs: Trust between IDM

• Using X509 certificates provided by eduGAIN– Communications between local web services (pathfinder,

IDM, DM, etc) are ensured using ssl tunnels


AAI at the home domain: User AuthN• An eduGAIN filter intercepts the user requests and interact with the

local AAI• Two possible scenarios

– An automated user makes a BoD reservation• Web services are used for communication between the user

and autoBAHN application (IDM)• The user has a certificate: The user can directly send the

AuthN information (there is no interaction asking for a login + AuthN information like in « human user case » )

– Human user: A user makes a BoD reservation via a web portal• The user is redirected to its local AAI using http redirections


JRA3 blockeduGAIN blockAAI local block

AAI at the home domain:Automated user AuthN

Step 1’ Step 2’

User

Local AAI: IDP/web SSOShibboleth, PAPI, etc

User Access Module & other modules

AAI/policy Module

eduGAIN filter

JRA3 DB

1’

User sends theAuthN information

EduGAIN filter sendsthis information to thelocal AAI to authenticate the user

JRA3 IDM2’

User info

… Attributes store & identity provider

3’

certificate

User info

…


Attributes store & identity provider


AAI/policy Module

eduGAIN filter

JRA3 DB

4’

The local AAI sendsthe response with theuser attributesassociated to autoBAHN

JRA3 IDM

usercertificate

5’6’

5-6: The filter sendsthe AuthN responseand the user replies sending the BoD request to the IDM



user



AAI/policy Module

eduGAIN filter

JRA3 DB

1

2, 3

HTTP Redirect:

Edugain filterredirects the user to its local AAI

JRA3 IDM

user

User info

…




AAI/policy Module

eduGAIN filter

JRA3 DB

5

6

User AuthN in its local AAI

4

JRA3 IDM

AAI at the home domain:Human user authN

Step 1 Step 2


user

User info

…




AAI/policy Module

eduGAIN filter

JRA3 DB

7

The IDP redirectsthe user to the JRA3 service

The user attributesassociated to autoBAHN are alsosent

JRA3 IDM

user

User info

…




AAI/policy Module

eduGAIN filter

JRA3 DB

The IDM sends the BoD request and the user fills in the parameters

8

9

JRA3 IDM

AAI at the home domain:Human user authN

Step 3 Step 4


user

User info

…



JRA3 IDM


AAI/policy Module

eduGAIN filter

JRA3 DB

10

11

12 13

14

The BoD request is sent to the policymodule and the attributes are retrieved

User info

…



JRA3 IDM


AAI/policy Module

eduGAIN filter

JRA3 DB

15,16

17

The policymodule retrievesthe rules in the JRA3 DB and compare it to the BoD request

18

AAI at the home domain:Step 5 Step 6


user

User info

…



Previous trust between IDM’s

XML X509


AAI/policy Module

eduGAIN filter

JRA3 DB

eduGAIN module: concatenation BoD params + attributes


AAI/policy Module

JRA3 DB

19

21,22 20

BoD Id BoD param attr

eduGAIN module: extraction of BoD params & attributes

23JRA3 IDM JRA3 IDM

24

Inter-domain AAIStep 7


user

User info

…




AAI/policy Module

eduGAIN filter

JRA3 DB

32

JRA3 IDM


AAI/policy Module

JRA3 DB

25

31

JRA3 IDM


AAI/policy Module

JRA3 DB

27,28 26

JRA3 IDM

30

29

Home DomainIntermediate Domain Remote Domain

Inter-domain AAIStep 8



Policy module andattributes• AuthZ information is stored in the AutoBAHN DB

– Avoid problems of format : different formats stored in local AAIs

• Define entries like– jra3.renater.projects.DEISA

• Apply rules for these entries :– jra3.*.projects.DEISA = 1Gbit/s

• Advantages– Granularity and accuracy (if wanted) of rules– Easy maintenance and flexibility

• Existing AuthZ engines like PERMIS will be used


Policy module andattributes• The user attributes which can be used for AuthZ are:

– Role– Project– Home network domain– NREN

• This list can be updated• These attributes are stored in the local AAI

• Mapping with BoD information stored in the AutoBAHN DB to authorisea BoD request– Use of GIdP if a local AAI doesn’t exist for the user making the BoD

request

Connect. Communicate. CollaborateProgress• AuthN

– Automated interface: Deployed by GN2 JRA3. Ready but it has to be adapted to eduGAIN filter (certificate).

– Human interface: Web Portal to do BoD reservations. It will be deployed by GN2 JRA3 : ~ Q3 2007

– eduGAIN filter for user AuthN:• Human user: Being deployed by GN2 JRA5. First version ready

for the next month• Automated user: Will be deployed by GN2 JRA5.

• AuthZ– Work started to analyse how to use PERMIS in AutoBAHN

autoBAHN AAI TNC2007 - RENATER · PDF file• Alcatel MCC 1678 • Juniper T640, M160,...

Documents

Transcript of autoBAHN AAI TNC2007 - RENATER · PDF file• Alcatel MCC 1678 • Juniper T640, M160,...