Secure Network Performance Testing using SeRIF
Dr. Charles J. Antonelli
Center for Information Technology Integration
University of Michigan
Winter 2006 CSG
http://www.albinoblacksheep.com/flash/nintendogs.php
U-M Contributors
• CITI
  – Andy Adamson
  – Charles Antonelli
  – Nathan Gallaher
  – Olga Kornievskaia
  – David Richter
• ITCom
• MGRID
Work supported by OVPR and ITCom
SeRIF
• SeRIF: Secure Remote Invocation Framework
• Purpose: provide a secure and extensible remote process invocation service, with strong authentication and flexible authorization
• Based on Globus 2.4, GARA 1.2.2
• Leverages existing user credentials
  – Kerberos (via kx509)
• Adds fine-grained authorization
  – Walden
SeRIF
• Central portal host
  – Authentication
  – Control (invocation, parameters, results)
  – Databases (LDAP)
• Dedicated remote nodes
  – Gatekeeper
  – Local scheduler for execution and cleanup
  – Provides status and output redirection
  – Fine-grained authorization at resource
SeRIF Architecture
[Figure: SeRIF architecture diagram, with flow steps numbered 1 to 8. Component labels: User Workstation, Browser, libpkcs11, kinit, kx509, KDC (Kerberos V5), KCA, KCT, Portal, Apache (mod ssl, mod kx509, mod kct, mod php, mod jk), Tomcat, CHEF, LDAP, NW Topology, Output, Grid Resource, GateKeeper, Authorization (WALDEN), Resource Mgr, Resource. Link labels: SSL – Client Certificate required, GSI, Kerberos, SASL.]
NTAP
• NTAP: Network Testing and Performance
• Purpose: provide a secure and extensible network testing and performance tool invocation service at U-M
• Uses SeRIF framework
• Runs on portal host and Performance Measurement Platforms (PMPs) attached to routers in a VLAN environment
NTAP Architecture
[Figure: NTAP architecture diagram. Labels: Portal; Host A, Host B; Router 1, Router 2, Router 3; PMP 1, PMP 2, PMP 3; GSI (three links); Attribute Callout; AFS PTS; Flat File; Walden (XACML).]
Mapping and Reporting
• Segment mapping
  – Use traceroute to obtain packet routing path
  – Use network topology database to map each router to its associated PMP
  – Execute pairwise performance tests along path
• Reporting tool
  – Output hop-by-hop matrix display
  – Color-coded test history
  – Click through cells for detailed views
    • Links to most recent tests
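The segment-mapping steps above, as an added example that is not NTAP's own code. The sample traceroute output, the `TOPOLOGY` table and all host names are constructed, and "pairwise" is assumed here to mean adjacent PMPs along the path.

```python
import re

# Constructed sample: `traceroute -n` output using documentation address ranges.
SAMPLE_TRACEROUTE = """\
traceroute to 198.51.100.20 (198.51.100.20), 30 hops max, 60 byte packets
 1  192.0.2.1  0.412 ms  0.388 ms  0.371 ms
 2  * * *
 3  192.0.2.9  1.204 ms  1.187 ms  1.150 ms
 4  203.0.113.5  2.950 ms  2.912 ms  2.899 ms
 5  198.51.100.20  3.310 ms  3.295 ms  3.282 ms
"""

# Hypothetical topology database: router address -> attached PMP host name.
TOPOLOGY = {
    "192.0.2.1": "pmp1.example.edu",
    "192.0.2.9": "pmp2.example.edu",
    "203.0.113.5": "pmp3.example.edu",
}

HOP_RE = re.compile(r"^\s*(\d+)\s+(\d{1,3}(?:\.\d{1,3}){3})\s")

def parse_hops(text):
    """Return hop addresses in path order; unanswered hops ('* * *') are skipped."""
    hops = []
    for line in text.splitlines():
        m = HOP_RE.match(line)
        if m:
            hops.append(m.group(2))
    return hops

def map_to_pmps(hops, topology):
    """Map each hop to its PMP. Hops absent from the topology database
    (unknown routers, the end host) are dropped, so a test is only ever
    scheduled between known PMPs, never against a raw traceroute address."""
    pmps = []
    for hop in hops:
        pmp = topology.get(hop)
        if pmp and (not pmps or pmps[-1] != pmp):
            pmps.append(pmp)
    return pmps

def segment_tests(pmps):
    """Adjacent PMP pairs along the path: one performance test per segment."""
    return list(zip(pmps, pmps[1:]))
```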
Host Endpoint Testing
• Solution to first mile problem
  – Leverages Network Diagnostic Tester
• Authenticated user clicks first-mile link
  – Portal runs traceroute back to client
  – Portal determines client’s first-hop router and attached PMP (running NDT server) from path and network topology database
  – Portal displays link to first-hop PMP
  – Client downloads NDT app from PMP as usual
  – Client runs NDT test and displays results as usual
  – NDT server sends results to NTAP database
[Figure labels: Router 1, Host A]
Automated Testing
• Need repetitive, automated testing
  – … but with secure authentication and authorization
• Solution: renewable credentials
  – User obtains long-term credentials
  – Portal schedules repetitive testing
  – Prior to a test cycle, portal validates long-term credential and derives from it a short-term credential
  – Rest of SeRIF architecture unchanged
Future Work
• Post-processed statistics, graphs
• Measurement database reorganization
  – Scalability improvements
• Alternatives to topology database
  – Active infrastructure probing
• Automated tools a la NDT
  – Tune TCP stack
  – Detect conditions, e.g. duplex mismatches
• Cross-domain testing
Cross-Domain Testing
[Figure: cross-domain testing diagram. Labels: Domain 1, Domain 2; Portal (two); Host A, Host B; Router 1, Router 2, Router 3; PMP 1, PMP 2, PMP 3; GSI links.]
Cross-Domain Testing
• Goals
  – Extend test path across administrative domains
  – Address larger end-to-end performance issues
  – Leverage SeRIF’s strong security and fine-grained authorization model
  – Promote SeRIF at other institutions
  – Share performance data among institutions
Cross-Domain Testing
• Approach
  – Retain portal within each domain
  – Originating portal runs traceroute
    • Determines sequence of domains
    • Verifies permissions for test
    • Or “chunked” by domain
  – Each portal tests and stores local results
    • Independently, or synchronized
  – Test data available via local SeRIF controls
  – Boundary-crossing segments
    • Need cross-domain trust
  – Transit segments
Merit Measurement Infrastructure
Cross-Domain Testing
• Seeking
  – Large network testbed
  – Independent administrative domains
  – Partners
  – Funding
  – Proposal
SeRIF Resources
• SeRIF & NTAP home page
  – http://www.citi.umich.edu/projects/ntap
  – FAQ & documentation
  – Download NTAP code & installation instructions
• Tools
  – iperf http://dast.nlanr.net/Projects/Iperf/
  – ndt http://e2epi.internet2.edu/ndt/
  – owamp http://e2epi.internet2.edu/owamp/
Any Questions?
http://www.citi.umich.edu