ESnet Authentication Fabric Pilot

ESnet RADIUS Authentication Fabric. Michael Helm, ESnet/LBNL. GGF-12 Sec Workshop, 18 Sep 2004

Post on 20-May-2015

1.837 views

Category:

Business


0 download

DESCRIPTION

Fashion, apparel, textile, merchandising, garments

TRANSCRIPT

Page 1: ESnet Authentication Fabric Pilot

ESnet RADIUS Authentication Fabric

Michael Helm, ESnet/LBNL

GGF-12 Sec Workshop, 18 Sep 2004

Page 2: ESnet Authentication Fabric Pilot

What Does the RAF Do?

[Diagram: ESnet RAF Federation. Four sites (NERSC, ANL, ORNL, PNNL) each run a RADIUS server and an OTP Service. The federation is organised by realm: anl.gov, nersc.gov, pnnl.gov, ornl.gov and es.net. An application's RADIUS request enters the ESnet RAF and is handed to the RADIUS/OTP Service of the user's home realm.]

Page 3: ESnet Authentication Fabric Pilot

What Is the Grid Integrated RAF?

[Diagram: components are the application host with PAM, ESnet RADIUS with its AuthDB, the site OTP Services, the ESnet Root CA with an HSM, a Subordinate CA (signed by the root) with a signing Engine, OCSP, SIPS, and MyProxy credentials. Numbered flow:]

1. Log in (PAM)

2. Ask AuthN; hint

3. OTP verification (ESnet RADIUS to the OTP Services)

4. Auth OK; Namestring returned; Subordinate CA signs the proxy

5. Receive proxy cert

6. (Opt) Store proxy (Manage MyProxy)

7. Execute

Proposal Apr 2004

Special case of GridLogon

Page 4: ESnet Authentication Fabric Pilot

RAF Benefits & Features

• O(n) peering

• Authorization decision controlled by site (sound familiar?)

• Single token per person

• Interoperability on an open, standard, industry-supported AAA protocol

• WAN use of RADIUS (RFC 2865)

• Federation
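The realm-routed RADIUS proxying these bullets describe, as an added example that is not code from the ESnet project: a toy RFC 2865 proxy in Python that hides the one-time password with the shared secret (RFC 2865 section 5.2), forwards an Access-Request to the home server of the user's realm, and checks the Response Authenticator on the reply before trusting the Accept. The realms, shared secrets, user names and OTP tables are constructed stand-ins, and the proxy reaches home servers by direct calls rather than UDP; everything else follows the RFC's packet layout.

```python
"""Toy RADIUS (RFC 2865) realm-routing proxy: the RAF pattern in miniature.
Constructed example; home servers, secrets and OTP tables are stand-ins."""
import hashlib
import hmac
import secrets
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ATTR_USER_NAME, ATTR_USER_PASSWORD = 1, 2


def hide_password(password: bytes, secret: bytes, req_auth: bytes) -> bytes:
    """RFC 2865 s5.2: pad to a multiple of 16 bytes, then XOR each block with
    MD5(secret + previous block); the first block chains to the Request Authenticator."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", req_auth
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        block = bytes(a ^ b for a, b in zip(padded[i:i + 16], key))
        out, prev = out + block, block
    return out


def reveal_password(hidden: bytes, secret: bytes, req_auth: bytes) -> bytes:
    """Inverse of hide_password; strips the NUL padding."""
    out, prev = b"", req_auth
    for i in range(0, len(hidden), 16):
        key = hashlib.md5(secret + prev).digest()
        out += bytes(a ^ b for a, b in zip(hidden[i:i + 16], key))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")


def encode_attrs(attrs):
    # Each attribute is Type (1 byte), Length (1 byte, includes the 2-byte header), Value.
    return b"".join(struct.pack("!BB", t, 2 + len(v)) + v for t, v in attrs)


def encode_packet(code, ident, authenticator, attrs):
    body = encode_attrs(attrs)
    return struct.pack("!BBH", code, ident, 20 + len(body)) + authenticator + body


def decode_attrs(packet):
    attrs, pos = [], 20
    while pos < len(packet):
        t, length = struct.unpack("!BB", packet[pos:pos + 2])
        attrs.append((t, packet[pos + 2:pos + length]))
        pos += length
    return attrs


def response_authenticator(code, ident, req_auth, attrs, secret):
    """RFC 2865 s3: MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    body = encode_attrs(attrs)
    header = struct.pack("!BBH", code, ident, 20 + len(body))
    return hashlib.md5(header + req_auth + body + secret).digest()


class HomeServer:
    """A site's RADIUS/OTP service (constructed stand-in, e.g. for anl.gov)."""

    def __init__(self, realm, secret, otp_table):
        self.realm, self.secret = realm, secret
        self.otps = dict(otp_table)  # local user name -> currently valid one-time code

    def handle(self, packet):
        code, ident, _ = struct.unpack("!BBH", packet[:4])
        req_auth = packet[4:20]
        attrs = dict(decode_attrs(packet))
        user = attrs[ATTR_USER_NAME].decode().split("@", 1)[0]
        otp = reveal_password(attrs[ATTR_USER_PASSWORD], self.secret, req_auth)
        accepted = code == ACCESS_REQUEST and hmac.compare_digest(self.otps.get(user, b""), otp)
        if accepted:
            del self.otps[user]  # one-time: a replayed code is rejected
        resp_code = ACCESS_ACCEPT if accepted else ACCESS_REJECT
        auth = response_authenticator(resp_code, ident, req_auth, [], self.secret)
        return encode_packet(resp_code, ident, auth, [])


class RealmProxy:
    """ESnet-style proxy router: each site peers once with the proxy and requests
    are forwarded by realm, so n sites need n peerings rather than a full mesh."""

    def __init__(self):
        self.homes = {}  # realm -> HomeServer holding that site's shared secret
        self._ident = 0

    def peer(self, home):
        self.homes[home.realm] = home

    def authenticate(self, user_name, otp):
        home = self.homes.get(user_name.rpartition("@")[2])
        if home is None:
            return False, "unknown realm"
        self._ident = (self._ident + 1) % 256
        req_auth = secrets.token_bytes(16)  # fresh Request Authenticator per request
        attrs = [(ATTR_USER_NAME, user_name.encode()),
                 (ATTR_USER_PASSWORD, hide_password(otp.encode(), home.secret, req_auth))]
        reply = home.handle(encode_packet(ACCESS_REQUEST, self._ident, req_auth, attrs))
        code, rid, _ = struct.unpack("!BBH", reply[:4])
        expected = response_authenticator(code, rid, req_auth, decode_attrs(reply), home.secret)
        if rid != self._ident or not hmac.compare_digest(reply[4:20], expected):
            return False, "response authenticator mismatch"  # forged or corrupted reply
        return code == ACCESS_ACCEPT, "accept" if code == ACCESS_ACCEPT else "reject"


def peering_links(n_sites):
    """Links needed with a central proxy versus a full mesh between n sites."""
    return n_sites, n_sites * (n_sites - 1) // 2


def build_demo_federation():
    """Constructed two-realm federation with one valid OTP per user."""
    proxy = RealmProxy()
    proxy.peer(HomeServer("anl.gov", b"anl-shared-secret", {"alice": b"482913"}))
    proxy.peer(HomeServer("nersc.gov", b"nersc-shared-secret", {"bob": b"130577"}))
    return proxy


if __name__ == "__main__":
    fed = build_demo_federation()
    print(fed.authenticate("alice@anl.gov", "482913"))  # (True, 'accept')
    print(fed.authenticate("alice@anl.gov", "482913"))  # replay: (False, 'reject')
    print(fed.authenticate("carol@es.net", "000000"))   # (False, 'unknown realm')
```

Two points the example makes concrete: the home site, not the proxy, decides whether the code is valid (the "authorization decision controlled by site" bullet), and the only cryptographic protection RFC 2865 gives the password on the wire is MD5 keyed with a static shared secret, which is why the architecture slide later in this deck runs the site-to-proxy links over an IPsec VPN.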

Page 5: ESnet Authentication Fabric Pilot

ESnet RAF Architecture

[Diagram: layered architecture. Each site (Site 1, Site 2, ... Site n) has an Application, a site RADIUS server and an AuthN Authority (OTP). The site RADIUS servers reach ESnet's RADIUS Proxy routers over a VPN (IPsec) carried on the IP network; within the ESnet RAF the proxy routers are replicated.]

Page 6: ESnet Authentication Fabric Pilot

RAF Current Issues

• Reliability – Replication

– Currently a RAF issue, but also applies to site RADIUS/OTP

• * Federation

• * Application Integration

– Where’s our “Grid Integration” solution?

– PAM – more layers!

• * Name management (Fed/App Integration)

– Essential issue for Grid integration

• *? OTP Service Reliability

– “Transit time”; resync; loss

• *? Integrity & Security

– VPN – See later

• Market research – size/scope of deployment

* Grid issue. Current: 6 – 18 mos

Page 7: ESnet Authentication Fabric Pilot

RAF Current Issues

[Diagram: the ESnet RAF Federation figure from page 2 (NERSC, ANL, ORNL, PNNL with their OTP Services and the realms anl.gov, nersc.gov, pnnl.gov, ornl.gov), annotated with where each current issue sits: Reliability/Replication, Integrity/Security, OTP/C&R, Federation, Transit time, Application Integration.]

Page 8: ESnet Authentication Fabric Pilot

RAF Long Term Issues

• RAF support for other protocols

– Kerberos

– Web services

– EAP/TLS

• MyProxy protocol

• End to end integrity

– “AuthA” protocol

• Application integration

– Always an issue

– Architecture: fan-out/gateway

– Firewalls

• RADIUS

* Grid issue. Future: 12 – 48 mos

Page 9: ESnet Authentication Fabric Pilot

AuthA

An OTP-based key-exchange technology that offers protection against:

• capture of the user’s password

• capture of the server’s password database

• dictionary attacks on the user’s password

• denial-of-service attacks

An OTP-based DH key-exchange technology that allows users to connect from an untrusted terminal and still preserve the privacy of data transmitted on the wire:

• confidentiality, authenticity, and integrity of the data

• mutual authentication of the user and the server

Technology publication: M. Abdalla, O. Chevassut, and D. Pointcheval, “One-time Verifier-based Encrypted Key Exchange”, submitted for publication to the 8th International Workshop on Practice in Public-Key Cryptography, Feb 2005.

Page 10: ESnet Authentication Fabric Pilot

Conclusion

• Successful RAF demonstration project

• Engineering and User experience issues

• Ready to proceed to pilot

• Need Grid Integration

• First step toward Auth Fabric

– Support more protocols

– Federation

– Successor to RADIUS

Page 11: ESnet Authentication Fabric Pilot

Demo

• http://topaz.es.net/secure/index.html

• http://panda.ccs.ornl.gov/radius/index.html

Page 12: ESnet Authentication Fabric Pilot

Fusion Grid Firewall Issues

Michael Helm, ESnet/LBNL

GGF-12 Sec Workshop, 18 Sep 2004

Page 13: ESnet Authentication Fabric Pilot

FusionGrid Use Case

Page 14: ESnet Authentication Fabric Pilot

Comments

Each site is protected by a firewall

Different firewall technology

OTP is probably a feature

Need single sign-on, delegation, autonomous processes….

Page 15: ESnet Authentication Fabric Pilot

Fusion Grid

• Use case comes from Dave Schissel

• Evolved from discussion of OTP

– 2 of 3 labs in FusionGrid already have a SecurID infrastructure

• Need direct support

• Need to identify path to solution