perfSONAR WG 2006 Spring Member Meeting

perfSONAR WG2006 Spring Member Meeting

Jeff W. Boote

24 April 2006

Jeff W. Boote

Agenda

• Introduction

• Agenda bashing

• perfSONAR overview/status

• perfSONAR multi-LS solution (Jason Z.)

• perfSONAR AuthN/Z plans

• Open Discussion

Jeff W. Boote

perfSONAR: Overview

• Joint effort of ESnet, GÉANT2 JRA1 and Internet2

• Webservices network performance framework

• Network measurement tools• Network measurement archives• Distributed scheduling/authorization• Multi-domain policy

Jeff W. Boote

perfSONAR: Credits

•perfSONAR is a joint effort•Participants: ESnet, GEANT2 JRA1, Internet2, RNP, Fermilab

•Internet2 includes:• University of Delaware• Georgia Tech• Internet2 staff

•My apologies if I have overlooked someone (still working on the credits process)

•GEANT2 JRA1 includes:• Arnes• Belnet• Carnet• Cesnet• DANTE• DFN• FCCN• GRNet• ISTF• PSNC• Nordunet (Uninett)• Renater• RedIRIS• Surfnet• SWITCH

Jeff W. Boote

perfSONAR: Project Activity Meter

• 1-2 conf calls/week• 1 new service/month (accelerating)• 3-4 development workshops/year• 3-4 paper submissions/year

Jeff W. Boote

perfSONAR: System Description

•Domains represented by a set of services•Each domain can deploy services important to the domain•Analysis clients interact with service across multiple domains

Jeff W. Boote

perfSONAR: Services (1)• Lookup Service

• Allows the client to discover the existing services and other LS services.

• Dynamic: services registration themselves to the LS and mention their capabilities, they can also leave or be removed if a service gets down.

• AuthN/Z Service• Internet2 MAT, GN2-JRA5 (eduGAIN)• Authorization functionality for the framework• Users can have several roles, the authorisation is done based

on the user role.• Trust relationships defined between users affiliated with

different administrative domains.

Jeff W. Boote

perfSONAR Services (2)

• Transformation Service• Transform the data (aggregation, concatenation, correlation,

translation, etc).

• Topology Service• Make the network topology information available to the

framework.• Find the closest MP, provide topology information for

visualisation tools

• Resource protector• Arbitrate the consumption of limited resources between

multiple services.

Jeff W. Boote

Here is who I am, I’d like to access MA B

Where Link utilisation along - Path a,b,c,d,e,f?a,b,c: Network A – LS A, c,d,e,f : Network B, MA B, AA B

Inter-domain perfSonar example interaction

Client

Network A Network B

LS A LS BMA A MA B

AA A AA B

a b

c de f

Where Link utilisation along - Path a,b,c?a,b,c : Network A, MA A, AA A Token MBHere is who I am, I’d like to access MA A

Get link utilisation c,d,e,fHere you go

Token MA

Get Link utilisation a,b,cHere you go

Useful graph

Jeff W. Boote

perfSONAR: Status Update

• Production release of base package expected by June (code freeze next week)

• Will include:•Single domain LS solution•RRD MA• (no AS)

• Additional services and client applications supporting this version will soon follow:•BWCTL MP•perfSONAR UI

Jeff W. Boote

perfSONAR: Hot Topics

• Multi-domain hierarchical LS

• AuthN/Z development plan with JRA-5 (eduGAIN)

• SSH MP (LookingGlass) service

• Topology Services

• L2 specific MA service

Jeff W. Boote

perfSONAR: Current Developments

•MPs• SSH/Telnet (Looking

Glass)• ABW (bandwidth packet

capture cards)• BWCTL• NMS (SDH status)• SNMP• Command line (OWAMP,

Ping, Traceroute)

•MAs• RRD• SQL• TopS• BWCTL• Hades (owd, jitter, owpl)• Flow replicator

•Visualization Clients• CNM• perfSONAR UI• Visual perfsonar• Looking glass

Jeff W. Boote

Agenda

• Introduction

• Agenda bashing




• Open Discussion

Jeff W. Boote

perfSONAR: multi-LS

• Jason

Jeff W. Boote

Agenda

• Introduction

• Agenda bashing




• Open Discussion

Jeff W. Boote

perfSONAR: authN/Z plans

• perfSONAR(JRA-1)/JRA-5 sub-group• Group tasked with determining how to

leverage JRA-5 authentication system (eduGAIN) in perfSONAR infrastructure•Jeff Boote (Internet2)•Diego Lopez (RedIRIS)•Maurizio Molina (Dante)•Andreas Solberg (Uninett)

Jeff W. Boote

perfSONAR: Background

• Designed with Federated authentication in mind

• AS becomes a ‘proxy’ for Authorization requests

Jeff W. Boote

eduGAIN: Background

•JRA-5 provided authentication “interface”•Provides “bridging” to other authentication systems

•Shibboleth•PAPI•Others…

•Designed mostly with web-browser interaction in mind

Jeff W. Boote

Current Status

• Group has come to general consensus on how this should work

• Paper is currently underway describing interaction of perfSONAR with eduGAIN API

Jeff W. Boote

perfSONAR: Trust relationship entities

•Client•idP (identity provider)•pSR (perfSONAR resource “service”)•AS (perfSONAR AS service)•HLS (Home Location Service)

Jeff W. Boote

Automated Client Interaction

Jeff W. Boote

Normal User Interaction

Jeff W. Boote

Implications for JRA-5

• Future extensibility for multiple X.509 root CA certificates

• Non-web profile for authN attribute request

• Current identity provider servers (attribute stores) may need to hold attributes for non-human clients

• Others???

Jeff W. Boote

Implications for JRA-1

•AS has slightly different role•Clients never directly interact with AS•AS is effectively a ‘proxy’ between services and the eduGAIN

‘bridging elements’

•Attribute requests from services to RP’s and from RP’s to AS need to be made in a ‘boolean’ fashion to protect the privacy of clients•Automated clients MUST have X.509 client certificates

Jeff W. Boote

Questions/Concerns

• Let me know if you would like a copy of the ‘document’ when it is complete

• Please feel free to send further questions/comments to Maurizio and Jeff

[email protected]

[email protected]

Jeff W. Boote

Agenda

• Introduction

• Agenda bashing




• Open Discussion

Jeff W. Boote

Additional Topics

Jeff W. Boote

Documents

perfSONAR WG 2006 Spring Member Meeting