Connect. Communicate. Collaborate
AAI scenario: How AutoBAHN system will use the eduGAIN federation for Authorisation and Authentication
TNC2007 – TERENA Technical Workshop, Lyngby, 20 May 2007
Agenda
• AutoBAHN service overview
• AAI Infrastructure for AutoBAHN
– Overview
– AA Scenario
• User AuthN (Automated & Human user)
• Interdomain AAI
– Policy module and attributes
• Progress
AutoBAHN overview
AutoBAHN is…
• … a research activity for engineering, automating and streamlining the inter-domain setup of guaranteed capacity (Gbps) end-to-end paths
• AutoBAHN = Joint Research Activity 3 of the GN2 project
– GN2 is an EC-funded Integrated Infrastructure Initiative (I3) project, with all NRENs as partners (DANTE: coordinator)
– GN2 includes:
• Networking Activities (NAs) (human networks)
• Service Activities (SAs) (deployment of GÉANT2 with focus on services)
• Joint Research Activities (JRAs) (applied technological research)
GÉANT2
• 25 POPs (+4) serve >30 NRENs
• 11600 km of fibre + 140 ILA sites
– DWDM (Alcatel 1626 LM)
• 50+ x (own) 10G lambdas
• 9 x (leased) 10G lambdas
• 8 x 2.5G (leased) “lambdas” + some lower speed links
• Alcatel MCC 1678
• Juniper T640, M160, M40 routers
• NREN accesses at up to 10Gbps (+ backup) + P2P
• 4 x 10G to North America
• POP in NY
• connections to other R&E networks: Abilene, ESnet, CA*net4, SINET, TENET, RedCLARA, EUMEDCONNECT, TEIN2 (coming)
End-to-end services over GÉANT2
• Up to now: Packet Switched IP (Layer 3) & MPLS Managed Bandwidth Services – VPNs
• From now on the hybrid NREN - GÉANT2 service model also enables:
– Layer 2 Switched e2e circuits (e.g. 1 GigE) involving GÉANT2 facilities (+ local circuits provided by NRENs and Campuses)
– 10 Gig Optical Private Networks (OPNs) configured for large e-Science projects using GÉANT2 DWDM & NREN - Campus lightpaths
[Figure: end-to-end path between two end users, crossing MAN/Campus/Institution, NREN 1, GÉANT2, NREN 2 and MAN/Campus/Institution]
An example
• 1GE path between Brno (CZ) and Louisiana (USA)
A multi-domain …
• … multi-technology, multi-disciplinary environment
• Control and provisioning has to be distributed
• Business-layer related interactions include AA, policies, advance reservations etc.
• Privacy and control of intra-domain resources must be safeguarded
[Figure: client equipment at both ends connected across an IP domain (NMS), a GE domain (L2 MPLS VLL, GMPLS signalling) and an SDH domain (native Ethernet, GFP over SDH), with technology stitching between the domains and manual provisioning]
AutoBAHN overview
[Figure: the AutoBAHN system sits above the data plane (client equipment, IP domain/NMS, GE domain/L2 MPLS VPN, SDH domain/native Ethernet and GFP over SDH, GMPLS signalling). In each domain: a Technology Proxy; a Domain Manager (DM pathfinding, AAI, resource modelling, policy module); an Inter-Domain Manager (user access module, request handling logic, inter-domain pathfinder, user interface)]
A distributed approach
[Figure: each domain runs its own user interface, Inter-Domain Manager and Domain Manager above the data plane (client equipment, IP domain/NMS, GE domain/L2 MPLS VPN, SDH domain/native Ethernet, GFP over SDH, GMPLS signalling); numbered arrows (1)-(10) trace the inter-domain path-finding exchange between the managers]
Authentication and Authorisation Infrastructure
AAI in AutoBAHN: overview
• Based on the work done by another GN2 research activity (GN2-JRA5): eduGAIN, a federator of already established AAIs across European countries for inter-domain services
• A chained solution is adopted
– A user is authenticated and his bandwidth reservation request is authorised successively in each domain where bandwidth should be reserved.
– The reservation is enabled in each domain by the Domain Manager (DM) only after AA
AAI in AutoBAHN: overview
• Some autoBAHN interactions depend on AAI:
– 1 - Home Domain: User AuthN
• Interaction with the local AAI to authenticate the user and retrieve its attributes
– 2 - Communication between IDMs: Trust between IDMs
• Using X509 certificates provided by eduGAIN
– Communications between local web services (pathfinder, IDM, DM, etc.) are secured using SSL tunnels
AAI at the home domain: User AuthN
• An eduGAIN filter intercepts the user requests and interacts with the local AAI
• Two possible scenarios
– An automated user makes a BoD reservation
• Web services are used for communication between the user and the autoBAHN application (IDM)
• The user has a certificate: the user can directly send the AuthN information (there is no interaction asking for a login + AuthN information as in the « human user » case)
– Human user: A user makes a BoD reservation via a web portal
• The user is redirected to its local AAI using HTTP redirections
AAI at the home domain: Automated user AuthN
[Figure in two panels (Step 1’, Step 2’), arrows 1’ to 6’; legend: JRA3 block / eduGAIN block / AAI local block. Components: user (with certificate), local AAI (IdP/web SSO: Shibboleth, PAPI, etc.; attributes store & identity provider), eduGAIN filter, JRA3 IDM (User Access Module & other modules, AAI/policy module, JRA3 DB)]
• Step 1’ (1’-3’): The user sends the AuthN information; the eduGAIN filter sends this information to the local AAI to authenticate the user
• Step 2’ (4’-6’): The local AAI sends the response with the user attributes associated to autoBAHN; the filter sends the AuthN response and the user replies by sending the BoD request to the IDM
AAI at the home domain: Human user AuthN
[Figure in two panels (Step 1, Step 2), arrows 1 to 6; legend: JRA3 block / eduGAIN block / AAI local block. Components: user, local AAI (IdP/web SSO: Shibboleth, PAPI, etc.; attributes store & identity provider), eduGAIN filter, JRA3 IDM (User Access Module & other modules, AAI/policy module, JRA3 DB)]
• Step 1 (1, 2, 3): HTTP redirect: the eduGAIN filter redirects the user to its local AAI
• Step 2 (4, 5, 6): User AuthN in its local AAI
AAI at the home domain: Human user AuthN
[Figure in two panels (Step 3, Step 4), arrows 7 to 9; components: user, local AAI (IdP/web SSO: Shibboleth, PAPI, etc.; attributes store & identity provider), eduGAIN filter, JRA3 IDM (User Access Module & other modules, AAI/policy module, JRA3 DB)]
• Step 3 (7): The IdP redirects the user to the JRA3 service; the user attributes associated to autoBAHN are also sent
• Step 4 (8, 9): The IDM sends the BoD request and the user fills in the parameters
AAI at the home domain: Step 5 and Step 6
[Figure in two panels (Step 5, Step 6), arrows 10 to 18; components: user, local AAI (IdP/web SSO: Shibboleth, PAPI, etc.; attributes store & identity provider), eduGAIN filter, JRA3 IDM (User Access Module & other modules, AAI/policy module, JRA3 DB)]
• Step 5 (10-14): The BoD request is sent to the policy module and the attributes are retrieved
• Step 6 (15-18): The policy module retrieves the rules in the JRA3 DB and compares them to the BoD request
Inter-domain AAI: Step 7
[Figure, arrows 19 to 24: the home-domain JRA3 IDM (with its local AAI, eduGAIN filter, User Access Module & other modules, AAI/policy module, JRA3 DB) and the next domain's JRA3 IDM; previous trust between IDMs (XML, X509)]
• At the sending IDM, the eduGAIN module concatenates the BoD params and the attributes; the message carries the BoD Id, the BoD params and the attributes
• At the receiving IDM, the eduGAIN module extracts the BoD params & attributes
Inter-domain AAI: Step 8
[Figure, arrows 25 to 32 across the Home Domain, an Intermediate Domain and the Remote Domain, each with its JRA3 IDM (User Access Module & other modules, AAI/policy module, JRA3 DB); the home domain also shows the user, the local AAI and the eduGAIN filter. Legend: JRA3 block / eduGAIN block / AAI local block]
Policy module and attributes
• AuthZ information is stored in the AutoBAHN DB
– Avoids problems of format: different formats are stored in the local AAIs
• Define entries like
– jra3.renater.projects.DEISA
• Apply rules for these entries:
– jra3.*.projects.DEISA = 1Gbit/s
• Advantages
– Granularity and accuracy (if wanted) of rules
– Easy maintenance and flexibility
• Existing AuthZ engines like PERMIS will be used
Policy module and attributes
• The user attributes which can be used for AuthZ are:
– Role
– Project
– Home network domain
– NREN
• This list can be updated
• These attributes are stored in the local AAI
• Mapping with BoD information stored in the AutoBAHN DB to authorise a BoD request
– Use of GIdP if a local AAI doesn’t exist for the user making the BoD request
Progress
• AuthN
– Automated interface: Deployed by GN2 JRA3. Ready, but it has to be adapted to the eduGAIN filter (certificate).
– Human interface: Web Portal to do BoD reservations. It will be deployed by GN2 JRA3: ~ Q3 2007
– eduGAIN filter for user AuthN:
• Human user: Being deployed by GN2 JRA5. First version ready for the next month
• Automated user: Will be deployed by GN2 JRA5.
• AuthZ
– Work started to analyse how to use PERMIS in AutoBAHN