do component managers need to authenticate researchers?

> Leigh is basically right -- it is a nice simple architecture with a
> central point of failure -- as long as your clearinghouse is a
> high-availability system you would be fine.
>
> But the idea of lightening the implementation burden on the AM doesn't
> force everything to go through the clearinghouse.  The generalization is
> to introduce an AM Security Connection Point (AM-SCP).  This is just the
> part of the clearinghouse that accepts the SSL connection (or verifies
> user certs in xmlsig format) and then forwards commands over the
> pre-established secure channel to the AM.  That secure channel probably
> just needs HMACs for integrity, so is considerably easier to support.
>
> You can start by co-locating the AM-SCP with the Clearinghouse, but
> provide a set of alternate servers and a place to lookup the complete
> set of alternate addresses/ports/URIs.  This also gives you scalability,
> and probably is not much more difficult to manage.
>
> --Steve
>
> -----Original Message-----
> From: Leigh Stoller [mailto:stoller@...]
> Sent: Monday, March 16, 2009 9:40 PM
> To: Aaron Falk
> Cc: Guido Appenzeller; gpo-tech@...; control-wg@...
> Subject: Re: [cwg] do component managers need to authenticate
> researchers?
>
>> The proposal on the table is for a simpler approach.  The AM
>> maintains an SSL connection to the clearinghouse (CH).  Researcher
>> credentials are sent to the AM by way of the clearinghouse and the
>> validates the credentials before forwarding the request to the AM.
>> This removes burden of validating the credentials from the AM at the
>> expense of forcing requests to pass through the clearinghouse.
>
> But this makes the CH a central point of failure and contention. This
> seems like a bad idea, unless there is a pretty sophisticated
> fail-over mechanism, which does not seem like a simplification.
>
>> There is a fundamental change here in the need for a GENI-wide PKI
>> is removed and the crypto functions in the AM are reduced to
>> maintaining an SSL connection.  Also, the aggregate manager's
>> control plane API becomes much simpler, e.g., roles and credentials
>> added many calls and options to the PlanetLab Slice-Federated
>> Architecture.  However, this changes the message flow in GENI in a
>> significant way, making the clearinghouse a waypoint for control
>> plane communications between researches and AMs.
>
> This makes it sound like the researcher never actually contacts the AM
> directly, since if the researcher did, the AM would be able to verify
> the SSL certificate used to initiate the SSL connection? And if the AM
> could do that, it could, with a little additional work, verify the
> credential, right?
>
>> From a near-term, implementation perspective, this seems like a
>> advantageous change.  A complex, not-well-understood function
>> (researcher credential authentication) has been moved out of the
>> development path of aggregates and their managers.  However, I'd
>> like to understand what the costs are of this design.
>
> Our (ProtoGeni) approach to this was for the root certificates to be
> cached at the AM/CMs so that it could verify the SSL certificates
> directly. This simplification makes it possible to bypass part of
> GENI's somewhat complicated delegation model, but still be able to
> verify user certificates and credentials (in xmlsig format). However,
> this simplification also assumes that the user certificates are
> generated from a relatively small set of authorities, which seems
> reasonable for a prototype implementation. At the same time, we still
> manage to follow the architecture (roughly), with the hope that we
> will solve the total PKI problem, later ...
>
> I agree that a simplification is needed, to the benefit of all of us,
> but I am not crazy about this approach.
>
> My two cents.
>
> Lbs
>
>
>
> _______________________________________________
> control-wg mailing list
> control-wg@...
> http://lists.geni.net/mailman/listinfo/control-wg
>
> _______________________________________________
> control-wg mailing list
> control-wg@...
> http://lists.geni.net/mailman/listinfo/control-wg
>

> I think ultimately we will need to do it both ways: the easy way in spiral 1
> because it is expeditious, and "no single points of failure" isn't a
> requirement.  For most devices the best long term solution is for the AH to do
> the authenticating.
>
> However, a slightly different version of this problem comes up in Opt-In and
> potentially other highly constrained substrates.  It probably would not be a
> good thing to require that all (future) AMs be capable of doing
> authentication, because this will exclude some infrastructure.
>
> Thanks,
> --MM--
>
> On Mon, 16 Mar 2009, Schwab, Stephen wrote:
>
>  
>> Leigh is basically right -- it is a nice simple architecture with a
>> central point of failure -- as long as your clearinghouse is a
>> high-availability system you would be fine.
>>
>> But the idea of lightening the implementation burden on the AM doesn't
>> force everything to go through the clearinghouse.  The generalization is
>> to introduce an AM Security Connection Point (AM-SCP).  This is just the
>> part of the clearinghouse that accepts the SSL connection (or verifies
>> user certs in xmlsig format) and then forwards commands over the
>> pre-established secure channel to the AM.  That secure channel probably
>> just needs HMACs for integrity, so is considerably easier to support.
>>
>> You can start by co-locating the AM-SCP with the Clearinghouse, but
>> provide a set of alternate servers and a place to lookup the complete
>> set of alternate addresses/ports/URIs.  This also gives you scalability,
>> and probably is not much more difficult to manage.
>>
>> --Steve
>>
>> -----Original Message-----
>> From: Leigh Stoller [mailto:stoller@...]
>> Sent: Monday, March 16, 2009 9:40 PM
>> To: Aaron Falk
>> Cc: Guido Appenzeller; gpo-tech@...; control-wg@...
>> Subject: Re: [cwg] do component managers need to authenticate
>> researchers?
>>
>>    
>>> The proposal on the table is for a simpler approach.  The AM
>>> maintains an SSL connection to the clearinghouse (CH).  Researcher
>>> credentials are sent to the AM by way of the clearinghouse and the
>>> validates the credentials before forwarding the request to the AM.
>>> This removes burden of validating the credentials from the AM at the
>>> expense of forcing requests to pass through the clearinghouse.
>>>      
>> But this makes the CH a central point of failure and contention. This
>> seems like a bad idea, unless there is a pretty sophisticated
>> fail-over mechanism, which does not seem like a simplification.
>>
>>    
>>> There is a fundamental change here in the need for a GENI-wide PKI
>>> is removed and the crypto functions in the AM are reduced to
>>> maintaining an SSL connection.  Also, the aggregate manager's
>>> control plane API becomes much simpler, e.g., roles and credentials
>>> added many calls and options to the PlanetLab Slice-Federated
>>> Architecture.  However, this changes the message flow in GENI in a
>>> significant way, making the clearinghouse a waypoint for control
>>> plane communications between researches and AMs.
>>>      
>> This makes it sound like the researcher never actually contacts the AM
>> directly, since if the researcher did, the AM would be able to verify
>> the SSL certificate used to initiate the SSL connection? And if the AM
>> could do that, it could, with a little additional work, verify the
>> credential, right?
>>
>>    
>>> From a near-term, implementation perspective, this seems like a
>>> advantageous change.  A complex, not-well-understood function
>>> (researcher credential authentication) has been moved out of the
>>> development path of aggregates and their managers.  However, I'd
>>> like to understand what the costs are of this design.
>>>      
>> Our (ProtoGeni) approach to this was for the root certificates to be
>> cached at the AM/CMs so that it could verify the SSL certificates
>> directly. This simplification makes it possible to bypass part of
>> GENI's somewhat complicated delegation model, but still be able to
>> verify user certificates and credentials (in xmlsig format). However,
>> this simplification also assumes that the user certificates are
>> generated from a relatively small set of authorities, which seems
>> reasonable for a prototype implementation. At the same time, we still
>> manage to follow the architecture (roughly), with the hope that we
>> will solve the total PKI problem, later ...
>>
>> I agree that a simplification is needed, to the benefit of all of us,
>> but I am not crazy about this approach.
>>
>> My two cents.
>>
>> Lbs
>>
>>
>>
>> _______________________________________________
>> control-wg mailing list
>> control-wg@...
>> http://lists.geni.net/mailman/listinfo/control-wg
>>
>> _______________________________________________
>> control-wg mailing list
>> control-wg@...
>> http://lists.geni.net/mailman/listinfo/control-wg
>>
>>    
>
> _______________________________________________
> control-wg mailing list
> control-wg@...
> http://lists.geni.net/mailman/listinfo/control-wg
>  

> Several folks from Cluster B and the GPO met a few weeks ago to discuss
> how to network switches would be integrated into this cluster.  Guido
> Appenzeller, from the Enterprise GENI project. had some thoughts on
> changes to the conceptual design's authentication approach that are
> worth repeating here and possibly discussing further.  (Slides, minutes,
> other reading can be found at [1].  In particular, see slides 41-50 of [2].)
>
> To illustrate the issue, let's take the case of a researcher who wants
> to contact an aggregate manager (AM) to make a resource reservation.
> Notionally, a researcher would send this request and include signed
> credentials that would give him authority to perform this task.  The
> aggregate manager would verify the credentials were signed by an entity
> the AM trusted.
>
> The proposal on the table is for a simpler approach.  The AM maintains
> an SSL connection to the clearinghouse (CH).  Researcher credentials are
> sent to the AM by way of the clearinghouse and the validates the
> credentials before forwarding the request to the AM.  This removes
> burden of validating the credentials from the AM at the expense of
> forcing requests to pass through the clearinghouse.
>
> There is a fundamental change here in the need for a GENI-wide PKI is
> removed and the crypto functions in the AM are reduced to maintaining an
> SSL connection.  Also, the aggregate manager's control plane API becomes
> much simpler, e.g., roles and credentials added many calls and options
> to the PlanetLab Slice-Federated Architecture.  However, this changes
> the message flow in GENI in a significant way, making the clearinghouse
> a waypoint for control plane communications between researches and AMs.
>
> >From a near-term, implementation perspective, this seems like a
> advantageous change.  A complex, not-well-understood function
> (researcher credential authentication) has been moved out of the
> development path of aggregates and their managers.  However, I'd like to
> understand what the costs are of this design.
>
> Thanks,
>
> --aaron
>
> ps. Cluster B is going to add a prototype interface of this design.  In
> fact, a PLC geniwrapper initial patch is already available at [3].
>
> pps.  There was also an interesting discussion of the benefits of
> SOAP/XSDL as compared to Pyton/XML-RPC and the patch above represents an
> XSDL implementation of a control plane API.
>
> [1] http://groups.geni.net/geni/wiki/ClusterB
> [2]
> http://groups.geni.net/geni/attachment/wiki/ClusterB/Enterprise%20Geni.pdf
> [3] http://www.openflowswitch.org/wk/index.php/GENILight
>
>
>  

> Thus spake Jeff Chase on Thu, Mar 19, 2009 at 11:36:32AM -0400:
>  
>> I would like to ask a clarifying question.  It seems to be implicit in
>> this proposal and supporting material that the AM is viewed as the
>> switch element itself (or other substrate component).  If so, then
>> simplicity for the AM control protocol would be a dominating design
>> concern, since the protocol must be supported by the components/aggregates.
>>
>> Is my interpretation correct?
>>    
>
> I believe it's not the location of the AM that's at issue here: the
> existing architecture documents are pretty clear (I think) on the fact
> that a CM/AM need not be physically located on the component - it might
> be a service run somewhere else, which uses some "private" interface to
> actually create the slivers. The AM for a 'traditional' switch
> infrastructure, for example, might be a service that exports the CM API
> to clients, and uses SNMP on the back end to create "slices" of the
> network. So, no change is necessary to the current design in order to
> allow OpenFlow to run an AM on a PC "near" the OpenFlow network at
> Stanford.
>
> The issue here, as I understand it, is whether every AM in the system
> needs to be able to authenticate users and validate credentials, and
> specifically whether AMs should have to participate in some sort of PKI.
>
> The proposal raised by the OpenFlow project is one way to keep AMs from
> having to participate in a PKI. By centralizing all operations, the
> process of managing keys is simplified. There are other possible ways to
> do this - eg. I find Steve Schwab's suggestion and interesting one.
>  
> In my view, though, it is not asking too much of the AMs to ask them to
> authenticate users and validate credentials. In the ProtoGENI design, we
> are basically using the "browser model", in which there is a well-known
> set of trust roots, roughly corresponding to federates in the system -
> federating with another facility essentially boils down to adding that
> facility's CA to your set of trust roots. Authenticating users and
> checking credentials is simply a matter of tracing standard certificates
> and signatures back to one of these trust roots. Managing trust roots is
> not a hard thing - at the simplest, some entity overseeing the
> federation can simply supply a list of trust roots to all members of the
> federation.
>
>  

> As an aside, our (Orca and SHARP predecessor) approach is for the CH  
> to
> authenticate the user and apply whatever authorization/arbitration
> policy it uses, and then issue signed tickets.  The AM has to validate
> the tickets, and check that the tickets are not stolen, but it should
> not have to deal with any other kind of user credential.  This  
> approach
> is similar to a PKI if one squints too much: in particular, a ticket  
> is
> a signed endorsement sort of like a certificate.  But it is  
> different in
> that it does not require (but does not preclude) a global identity  
> or a
> common set of trust anchors across the entire system.  Also, a ticket
> only endorses the bearer for a particular purpose: use of some  
> resource
> set for a limited time.   It does not (necessarily) represent or  
> certify
> the identity of the bearer.

>> As an aside, our (Orca and SHARP predecessor) approach is for the CH to
>> authenticate the user and apply whatever authorization/arbitration
>> policy it uses, and then issue signed tickets.  The AM has to validate
>> the tickets, and check that the tickets are not stolen, but it should
>> not have to deal with any other kind of user credential.  This approach
>> is similar to a PKI if one squints too much: in particular, a ticket is
>> a signed endorsement sort of like a certificate.  But it is different in
>> that it does not require (but does not preclude) a global identity or a
>> common set of trust anchors across the entire system.  Also, a ticket
>> only endorses the bearer for a particular purpose: use of some resource
>> set for a limited time.   It does not (necessarily) represent or certify
>> the identity of the bearer.
>
> But, you must certify the identity of the bearer somehow, correct?
> Otherwise there is now way to determine if the credential was stolen.
> There are a number of ways to do that, SSL being just one example.

> Several folks from Cluster B and the GPO met a few weeks ago to discuss
> how to network switches would be integrated into this cluster.  Guido
> Appenzeller, from the Enterprise GENI project. had some thoughts on
> changes to the conceptual design's authentication approach that are
> worth repeating here and possibly discussing further.  (Slides, minutes,
> other reading can be found at [1].  In particular, see slides 41-50 of [2].)
>
> To illustrate the issue, let's take the case of a researcher who wants
> to contact an aggregate manager (AM) to make a resource reservation.
> Notionally, a researcher would send this request and include signed
> credentials that would give him authority to perform this task.  The
> aggregate manager would verify the credentials were signed by an entity
> the AM trusted.
>
> The proposal on the table is for a simpler approach.  The AM maintains
> an SSL connection to the clearinghouse (CH).  Researcher credentials are
> sent to the AM by way of the clearinghouse and the validates the
> credentials before forwarding the request to the AM.  This removes
> burden of validating the credentials from the AM at the expense of
> forcing requests to pass through the clearinghouse.
>
> There is a fundamental change here in the need for a GENI-wide PKI is
> removed and the crypto functions in the AM are reduced to maintaining an
> SSL connection.  Also, the aggregate manager's control plane API becomes
> much simpler, e.g., roles and credentials added many calls and options
> to the PlanetLab Slice-Federated Architecture.  However, this changes
> the message flow in GENI in a significant way, making the clearinghouse
> a waypoint for control plane communications between researches and AMs.
>
> >From a near-term, implementation perspective, this seems like a
> advantageous change.  A complex, not-well-understood function
> (researcher credential authentication) has been moved out of the
> development path of aggregates and their managers.  However, I'd like to
> understand what the costs are of this design.
>
> Thanks,
>
> --aaron
>
> ps. Cluster B is going to add a prototype interface of this design.  In
> fact, a PLC geniwrapper initial patch is already available at [3].
>
> pps.  There was also an interesting discussion of the benefits of
> SOAP/XSDL as compared to Pyton/XML-RPC and the patch above represents an
> XSDL implementation of a control plane API.
>
> [1] http://groups.geni.net/geni/wiki/ClusterB
> [2]
> http://groups.geni.net/geni/attachment/wiki/ClusterB/Enterprise%20Geni.pdf
> [3] http://www.openflowswitch.org/wk/index.php/GENILight
>
>
>