autoBAHN AAI TNC2007 - RENATER
Connect. Communicate. Collaborate
AAI scenario: how the AutoBAHN system will use the eduGAIN federation for authentication and authorisation
TNC2007 – TERENA Technical Workshop, Lyngby, 20 May 2007

Agenda
• AutoBAHN service overview
• AAI infrastructure for AutoBAHN
  – Overview
  – AA scenario
• User AuthN (automated and human user)
• Inter-domain AAI
  – Policy module and attributes
• Progress
AutoBAHN overview

AutoBAHN is…
• … a research activity for engineering, automating and streamlining the inter-domain setup of guaranteed-capacity (Gbps) end-to-end paths
• AutoBAHN = Joint Research Activity 3 (JRA3) of the GN2 project
  – GN2 is an EC-funded Integrated Infrastructure Initiative (I3) project, with all NRENs as partners (DANTE: coordinator)
  – GN2 includes:
    • Networking Activities (NAs): human networks
    • Service Activities (SAs): deployment of GÉANT2 with a focus on services
    • Joint Research Activities (JRAs): applied technological research
GÉANT2
• 25 PoPs (+4) serve >30 NRENs
• 11,600 km of fibre + 140 ILA sites
  – DWDM (Alcatel 1626 LM)
• 50+ (own) 10G lambdas
• 9 (leased) 10G lambdas
• 8 (leased) 2.5G “lambdas” + some lower-speed links
• Alcatel MCC 1678
• Juniper T640, M160, M40 routers
• NREN accesses at up to 10 Gbps (+ backup) + P2P
• 4 x 10G to North America
• PoP in NY
• Connections to other R&E networks: Abilene, ESnet, CA*net4, SINET, TENET, RedCLARA, EUMEDCONNECT, TEIN2 (coming)
End-to-end services over GÉANT2
• Up to now: packet-switched IP (Layer 3) and MPLS Managed Bandwidth Services (VPNs)
• From now on the hybrid NREN - GÉANT2 service model also enables:
  – Layer 2 switched end-to-end circuits (e.g. 1 GigE) involving GÉANT2 facilities (+ local circuits provided by NRENs and campuses)
  – 10 Gig Optical Private Networks (OPNs) configured for large e-Science projects using GÉANT2 DWDM and NREN - campus lightpaths

[Figure: an end-to-end path from one end user through MAN/Campus/Institution, NREN 1, GÉANT2 and NREN 2 to another MAN/Campus/Institution and end user]
An example
• 1GE path between Brno (CZ) and Louisiana (USA)
A multi-domain …
• … multi-technology, multi-disciplinary environment
• Control and provisioning has to be distributed
• Business-layer related interactions include AA, policies, advance reservations etc.
• Privacy and control of intra-domain resources must be safeguarded

[Figure: client equipment at both ends; an IP domain (NMS), a GE domain (L2 MPLS VLL) and an SDH domain (native Ethernet, GFP over SDH, GMPLS signalling); technology stitching between the domains and manual provisioning]
AutoBAHN overview

[Figure: the AutoBAHN system sitting above the data plane. Data plane: client equipment, IP domain (NMS), GE domain (L2 MPLS VPN), SDH domain (native Ethernet, GFP over SDH, GMPLS signalling), client equipment. In each domain the AutoBAHN system consists of a Technology Proxy, a Domain Manager (DM pathfinding, resource modelling) and an Inter-Domain Manager (user access module, request handling logic, AAI, policy module, inter-domain pathfinder, user interface)]
A distributed approach

[Figure: each domain runs its own user interface, Inter-Domain Manager and Domain Manager above the data plane (client equipment, IP domain with NMS, GE domain with L2 MPLS VPN, SDH domain with native Ethernet / GFP over SDH and GMPLS signalling); numbered interactions (1) to (10) between the managers show the inter-domain path-finding]
Authentication and Authorisation Infrastructure

AAI in AutoBAHN: overview
• Based on the work done by another GN2 research activity (GN2-JRA5): eduGAIN, a federator of the AAIs already established in European countries, for inter-domain services
• A chained solution is adopted
  – A user is authenticated, and his bandwidth reservation request is authorised successively in each domain where bandwidth should be reserved.
  – The reservation is enabled in each domain by the Domain Manager (DM) only after AA
AAI in AutoBAHN: overview
• Some AutoBAHN interactions depend on AAI:
  – 1 - Home domain: user AuthN
    • Interaction with the local AAI to authenticate the user and retrieve its attributes
  – 2 - Communication between IDMs: trust between IDMs
    • Using X.509 certificates provided by eduGAIN
  – Communications between local web services (pathfinder, IDM, DM, etc.) are protected by SSL tunnels
AAI at the home domain: user AuthN
• An eduGAIN filter intercepts the user requests and interacts with the local AAI
• Two possible scenarios
  – An automated user makes a BoD reservation
    • Web services are used for communication between the user and the AutoBAHN application (IDM)
    • The user has a certificate: the user can directly send the AuthN information (there is no interaction asking for a login + AuthN information as in the “human user” case)
  – Human user: a user makes a BoD reservation via a web portal
    • The user is redirected to its local AAI using HTTP redirections
AAI at the home domain: automated user AuthN

[Figure: three blocks. JRA3 block: JRA3 IDM with the user access module and other modules, the AAI/policy module and the JRA3 DB. eduGAIN block: eduGAIN filter. Local AAI block: IdP/web SSO (Shibboleth, PAPI, etc.) with the attributes store and identity provider holding the user info]

Step 1'
– 1' The user sends the AuthN information (its certificate)
– 2' The eduGAIN filter sends this information to the local AAI to authenticate the user
– 3' The local AAI checks the certificate against the user info in its attributes store / identity provider

Step 2'
– 4' The local AAI sends the response with the user attributes associated to AutoBAHN
– 5', 6' The filter sends the AuthN response and the user replies by sending the BoD request to the IDM
AAI at the home domain: human user AuthN

[Figure: the same three blocks (JRA3 block, eduGAIN block, local AAI block)]

Step 1
– 1 The user contacts the JRA3 IDM (web portal); the request is intercepted by the eduGAIN filter
– 2, 3 HTTP redirect: the eduGAIN filter redirects the user to its local AAI

Step 2
– 4, 5, 6 User AuthN in its local AAI (IdP/web SSO, against the user info in the attributes store / identity provider)
AAI at the home domain: human user AuthN

Step 3
– 7 The IdP redirects the user to the JRA3 service; the user attributes associated to AutoBAHN are also sent

Step 4
– 8, 9 The IDM sends the BoD request (form) and the user fills in the parameters
AAI at the home domain: Steps 5 and 6

Step 5
– 10 to 14 The BoD request is sent to the policy module and the attributes are retrieved

Step 6
– 15 to 18 The policy module retrieves the rules in the JRA3 DB and compares them to the BoD request
Inter-domain AAI

Step 7
– 19 to 24 Previous trust between IDMs (XML messages, X.509 certificates). The eduGAIN module of the home IDM concatenates the BoD parameters and the user attributes (BoD Id, BoD params, attributes) into the message for the next IDM, whose eduGAIN module extracts the BoD params and attributes for its own AAI/policy module and JRA3 DB
Inter-domain AAI

Step 8
– 25 to 32 Home domain, intermediate domain, remote domain: the request (BoD params plus attributes) is passed from JRA3 IDM to JRA3 IDM and authorised in turn by each domain's AAI/policy module against its own JRA3 DB; the response is chained back to the home domain

[Figure legend: JRA3 block, eduGAIN block, AAI local block]
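The trust between IDMs used in steps 7 and 8 (X.509 certificates provided by eduGAIN, an XML message carrying BoD Id, BoD params and attributes, each domain verifying before it authorises), as an added example in Go using only the standard library; this is not code from AutoBAHN, GN2 or eduGAIN. The XML layout, the envelope format, the IDM names and the hop-by-hop re-signing are assumptions of this example; the self-signed certificates it generates stand in for the eduGAIN-issued ones, and the peer certificates are installed by hand where eduGAIN metadata would supply them.

```go
package main
import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/xml"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// BoDMessage is an assumed XML layout for BoD Id + BoD params + user attributes.
type BoDMessage struct {
	XMLName   xml.Name `xml:"bod"`
	ID        string   `xml:"id,attr"`
	Bandwidth string   `xml:"params>bandwidth"`
	Project   string   `xml:"attributes>project"`
}

// SignedMessage is the wire envelope: XML bytes, signer CN, ECDSA P-256 signature.
type SignedMessage struct {
	Body, Signature []byte
	Signer          string
}

// IDM holds one domain's key and certificate plus the peer certificates it trusts;
// self-signed certificates here stand in for eduGAIN-issued ones (assumption).
type IDM struct {
	Name    string
	key     *ecdsa.PrivateKey
	Cert    *x509.Certificate
	trusted map[string]*x509.Certificate
}

func NewIDM(name string) (*IDM, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: name},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		KeyUsage: x509.KeyUsageDigitalSignature}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return &IDM{Name: name, key: key, Cert: cert, trusted: map[string]*x509.Certificate{}}, err
}

// Trust installs a peer certificate out of band: the "previous trust between IDMs".
func (d *IDM) Trust(peer *x509.Certificate) { d.trusted[peer.Subject.CommonName] = peer }

// Send is the eduGAIN-module step at the sender: serialise the concatenated
// BoD params + attributes and sign exactly the bytes that go on the wire.
func (d *IDM) Send(m BoDMessage) (SignedMessage, error) {
	body, err := xml.Marshal(m)
	if err != nil {
		return SignedMessage{}, err
	}
	h := sha256.Sum256(body)
	sig, err := ecdsa.SignASN1(rand.Reader, d.key, h[:])
	return SignedMessage{Body: body, Signature: sig, Signer: d.Name}, err
}

// Receive is the step at the next IDM: deny by default; only a trusted signer with a
// currently valid signing certificate and a good signature gets its BoD params extracted.
func (d *IDM) Receive(sm SignedMessage) (BoDMessage, error) {
	cert, ok := d.trusted[sm.Signer]
	if !ok {
		return BoDMessage{}, errors.New("untrusted signer " + sm.Signer)
	}
	if t := time.Now(); t.Before(cert.NotBefore) || t.After(cert.NotAfter) || cert.KeyUsage&x509.KeyUsageDigitalSignature == 0 {
		return BoDMessage{}, errors.New("certificate of " + sm.Signer + " not usable for signing now")
	}
	pub, ok := cert.PublicKey.(*ecdsa.PublicKey)
	h := sha256.Sum256(sm.Body)
	if !ok || !ecdsa.VerifyASN1(pub, h[:], sm.Signature) {
		return BoDMessage{}, errors.New("bad signature from " + sm.Signer)
	}
	var m BoDMessage
	err := xml.Unmarshal(sm.Body, &m)
	return m, err
}

func main() {
	home, _ := NewIDM("idm.home.example")
	transit, _ := NewIDM("idm.transit.example")
	transit.Trust(home.Cert) // out of band, where eduGAIN metadata would supply it
	sm, _ := home.Send(BoDMessage{ID: "bod-42", Bandwidth: "1Gbit/s", Project: "DEISA"})
	atTransit, err := transit.Receive(sm) // next hop: transit authorises, re-signs, forwards
	fmt.Println(atTransit.ID, atTransit.Project, err)
}
```

Each hop verifies only its immediate predecessor, which is what the chained model needs: the remote IDM never has to trust the home IDM directly, but it also learns only what the intermediate IDM chose to forward, so attributes the remote policy relies on must be checked at every hop rather than assumed unchanged. A real deployment would additionally validate the certificate chain and revocation status against the eduGAIN-provided trust anchors, and would still carry the message over the SSL tunnels the slides mention.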
Policy module and attributes
• AuthZ information is stored in the AutoBAHN DB
  – Avoids format problems: the local AAIs store it in different formats
• Define entries like
  – jra3.renater.projects.DEISA
• Apply rules to these entries:
  – jra3.*.projects.DEISA = 1Gbit/s
• Advantages
  – Granularity and accuracy (if wanted) of rules
  – Easy maintenance and flexibility
• Existing AuthZ engines like PERMIS will be used
Policy module and attributes
• The user attributes which can be used for AuthZ are:
  – Role
  – Project
  – Home network domain
  – NREN
• This list can be updated
• These attributes are stored in the local AAI
• Mapping with the BoD information stored in the AutoBAHN DB to authorise a BoD request
  – Use of a GIdP if a local AAI doesn't exist for the user making the BoD request
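The policy module and attribute mapping of the two slides above (DB entries such as jra3.renater.projects.DEISA, rules such as jra3.*.projects.DEISA = 1Gbit/s, and the role / project / home domain / NREN attributes retrieved from the local AAI or a GIdP), as an added worked example in Go; it is not AutoBAHN or PERMIS code. The entry naming scheme beyond the slide's single example, the rule parser, the deny-by-default and most-specific-rule-wins evaluation, and the sample rules and users are all assumptions of this example; it goes beyond the slide by showing a per-domain rule overriding a federation-wide one.

```go
package main
import (
	"fmt"
	"strconv"
	"strings"
)

// Attributes are the four AuthZ attributes the slides list, as returned by the
// user's local AAI (or by the GIdP when the user has no local AAI).
type Attributes struct {
	Role, Project, HomeDomain, NREN string
}

// Rule is one AutoBAHN DB entry pattern ('*' matches one dotted component)
// together with the bandwidth ceiling it grants, in Gbit/s.
type Rule struct {
	Pattern  string
	MaxGbits float64
}

// ParseRule reads the slide's notation, e.g. "jra3.*.projects.DEISA = 1Gbit/s".
func ParseRule(s string) (Rule, error) {
	parts := strings.SplitN(s, "=", 2)
	if len(parts) != 2 {
		return Rule{}, fmt.Errorf("rule %q: missing '='", s)
	}
	v := strings.TrimSpace(parts[1])
	if !strings.HasSuffix(v, "Gbit/s") {
		return Rule{}, fmt.Errorf("rule %q: bandwidth must be given in Gbit/s", s)
	}
	n, err := strconv.ParseFloat(strings.TrimSpace(strings.TrimSuffix(v, "Gbit/s")), 64)
	if err != nil || n < 0 {
		return Rule{}, fmt.Errorf("rule %q: bad bandwidth value", s)
	}
	return Rule{Pattern: strings.TrimSpace(parts[0]), MaxGbits: n}, nil
}

// Entries maps the user's attributes onto DB entry names. The scheme
// jra3.<home domain>.<category>.<value> generalises the slide's single example (assumption).
func Entries(a Attributes) []string {
	d := strings.ToLower(a.HomeDomain)
	return []string{
		"jra3." + d + ".projects." + a.Project,
		"jra3." + d + ".roles." + a.Role,
		"jra3." + d + ".nrens." + a.NREN,
	}
}

// match compares a rule pattern and an entry component by component.
func match(pattern, entry string) bool {
	p, e := strings.Split(pattern, "."), strings.Split(entry, ".")
	if len(p) != len(e) {
		return false
	}
	for i := range p {
		if p[i] != "*" && !strings.EqualFold(p[i], e[i]) {
			return false
		}
	}
	return true
}

// Authorise denies by default. Per entry the most specific matching rule (fewest
// wildcards) applies, so a per-domain rule overrides a federation-wide one.
func Authorise(rules []Rule, a Attributes, bodID string, gbits float64) (bool, string) {
	ceiling, why := -1.0, ""
	for _, e := range Entries(a) {
		var best *Rule
		for i := range rules {
			if match(rules[i].Pattern, e) &&
				(best == nil || strings.Count(rules[i].Pattern, "*") < strings.Count(best.Pattern, "*")) {
				best = &rules[i]
			}
		}
		if best != nil && best.MaxGbits > ceiling {
			ceiling, why = best.MaxGbits, best.Pattern
		}
	}
	switch {
	case ceiling < 0:
		return false, "no rule matches " + strings.Join(Entries(a), ", ")
	case gbits > ceiling:
		return false, fmt.Sprintf("%s asks %g Gbit/s but %s allows only %g", bodID, gbits, why, ceiling)
	}
	return true, fmt.Sprintf("%s granted by %s", bodID, why)
}

func main() {
	var rules []Rule // constructed sample rules in the slide's notation
	for _, s := range []string{"jra3.*.projects.DEISA = 1Gbit/s", "jra3.renater.projects.DEISA = 0.5Gbit/s"} {
		r, err := ParseRule(s)
		if err != nil {
			panic(err)
		}
		rules = append(rules, r)
	}
	fmt.Println(Authorise(rules, Attributes{"researcher", "DEISA", "renater", "RENATER"}, "bod-1", 1))
}
```

The evaluation order matters for the "granularity and accuracy" the slide claims: with a federation-wide jra3.*.projects.DEISA = 1Gbit/s and a narrower jra3.renater.projects.DEISA = 0.5Gbit/s, a RENATER DEISA user asking for 1 Gbit/s is refused, while a user from another domain is granted. Because the decision is made on attributes the local AAI asserted, a rule like jra3.*.roles.netadmin = 10Gbit/s is only as trustworthy as the IdP that asserts the role attribute.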
Progress
• AuthN
  – Automated interface: deployed by GN2 JRA3. Ready, but it has to be adapted to the eduGAIN filter (certificate).
  – Human interface: web portal for making BoD reservations. It will be deployed by GN2 JRA3: ~ Q3 2007
  – eduGAIN filter for user AuthN:
    • Human user: being deployed by GN2 JRA5. First version ready next month
    • Automated user: will be deployed by GN2 JRA5.
• AuthZ
  – Work has started to analyse how to use PERMIS in AutoBAHN