Project Moonshot February 2012


Page 1: Project Moonshot February 2012. Background Project Moonshot 2

Page 2: Background

Page 3: Why Janet?

Janet is a trusted provider of mission-critical network services to the UK education & research community

Janet has significant expertise in developing and operating federated authentication & authorisation infrastructure (AAI)

On the basis of this experience and customer demand, we decided that existing federation solutions were not sufficient

Page 4: Three solutions for a similar problem…

eduroam service

• Based on RADIUS technology

• Typically for making security claims for network single sign-on

Identity federation

• Based on SAML technology

• Typically for making security claims for web single sign-on

Certificate service

• Based on X.509 technology

• Typically for making security claims for SSL/TLS-based applications

Page 5: Federated identity is fragmented…

Today’s implementations of federated identity are a collection of technologies with different

• Aims & objectives

• Technical infrastructures & capabilities

• Policy requirements & overheads

Page 6: Not a great customer experience…

Customers have to sign up to multiple policies and manage multiple federation technologies

Significant overhead for activities that are conceptually similar, imposing unnecessary costs

“I can only afford to implement eduroam or UK federation; which should I do?” – Janet customer

Three completely different technologies – and still no solution for many key customer use cases!

Page 7: Moonshot goals

Lower the barriers to business between our customers

Reduce the cost and time to market for new services

Drive down operational costs for both Janet and our customers

Page 8: Moonshot vision

“To deliver a unified approach for securing access to any service or application, enabling new opportunities, business models and cost efficiencies”

Page 9: Use cases

Page 10: Grid computing @ STFC

STFC operates the UK’s National Grid Service

• Existing X.509 authentication is too complex for users

• Goal: to simplify authentication across distributed computing Grids

“We aim to streamline access services using Moonshot technology, which will take the burden of authentication out of the hands of our users.”

Dr Peter Oliver, Group Leader, Science and Technology Facilities Council

Page 11: Console access @ Diamond Light Source

The UK’s national synchrotron facility

• Piloting Moonshot within the PANDATA project, which supports 30,000 scientists at 20+ photon and neutron facilities

• Federated access needed to physical and remote (SSH) consoles

“Moonshot has thought beyond websites, and looked at what is really required in authentication – right down to the point when you open your laptop to begin work.”

Bill Pulford, Head of DASC, Diamond Light Source

Page 12: Sharing data @ Cancer Research UK

Cancer Research UK is the world’s leading charity dedicated to beating cancer through research.

• The institutes form ad hoc relationships to collaborate for research purposes, but when the need arises to share data and documents, each institute can only authenticate within its own organisation.

“Moonshot is a valuable enabler for Cancer Research across the UK. It will make collaboration systems easy to build internally so that we can quickly share large data sets between institutes, without complicating the management of that system.”

Peter Maccallum, Head of IT & Scientific Computing, CRUK Cambridge Research Institute

Page 13: Cloud services @ Janet Brokerage

The Janet Brokerage works with the community and suppliers to provide solutions based on ‘IT as a service’, facilitating the uptake of data centre, hosted and cloud services

• Create efficiencies and cost savings

• Accelerate and improve services and add value

• Reduce risk in adopting new services

• Address technical and business questions

• Create a competitive market based on sound technical platforms

Page 14: The main challenges from our customers

Extend the use of federated identity to all network-connected systems, applications and services

Support any deployment model: centralised, distributed & cloud

Enable the use of any kind of authentication credential

Supersize it! Enable this for millions of system entities and users

Page 15: Technology overview

Page 16: Moonshot technologies

Moonshot builds on the eduroam technologies:

• EAP (RFC 3748): strong mutual authentication (with a suitable EAP method; EAP itself is only the framework)

• RADIUS (RFC 2865): federation between domains

To this, Moonshot adds:

• SAML, for rich authorisation semantics

• Integration using operating system security APIs:

  • SSPI: Windows

  • GSS-API (RFC 2078; current revision RFC 2743): other operating systems

  • SASL (RFC 4422): Windows and other operating systems

Page 17: Deployment requirements

Most Higher Education organisations are nearly Moonshot-ready today

• A connection to eduroam

• A RADIUS server (any modern RADIUS product should support pre-production testing today). There is also an experimental capability to integrate FreeRADIUS with the Shibboleth IdP

• Moonshot client and server plug-in:

  • Linux: packaging available for Debian & RHEL; Scientific Linux soon

  • Windows: native support using a prototype plugin

  • Mac: packaging almost complete for Snow Leopard and Lion

• Moonshot Identity Selector to facilitate the selection of an identity to use, for GUI environments (Windows, Mac & Linux)

Page 18: Architecture

Flow between the SSH client, the SSH server and the RADIUS server, as drawn on the slide:

(1) Credentialing: the user’s credential, held by the SSH client

(2) SSH negotiation: SSH client ↔ SSH server

(3) Authentication: EAP exchange between the SSH client and the RADIUS server, relayed by the SSH server

(4) RADIUS: SSH server ↔ RADIUS server

(5) Attributes: RADIUS server → SSH server

(6) SSH session: SSH client ↔ SSH server

OpenSSH used as an example application; many others also apply
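The six-step flow above, as an added simulated example (not Moonshot project code, and not the real GSS-EAP mechanism): the relying party (the SSH server) only relays EAP messages to the user’s home RADIUS server and gets key material (the MSK) plus SAML attributes back, so it never handles the password. The EAP method is a hypothetical HMAC challenge/response stand-in, the binding of the RP’s name into the response stands in for GSS-EAP’s channel binding, and the realm idp.example, user alice@idp.example, password, eduPersonAffiliation attribute and RP name ssh.rp.example are all constructed for the example.

```python
import hmac
import hashlib
import secrets

# Added example (not Moonshot project code): a simulation of the six steps on the
# Architecture slide. The "EAP method" is a hypothetical HMAC challenge/response
# stand-in for GSS-EAP; realm, user, password, attributes and RP name are constructed.


def _kdf(secret: bytes, *context: bytes) -> bytes:
    """HMAC-SHA256 key derivation with explicit context labels."""
    return hmac.new(secret, b"|".join(context), hashlib.sha256).digest()


def _realm(nai: str):
    """Realm part of a Network Access Identifier (user@realm); None if malformed."""
    return nai.split("@", 1)[1] if "@" in nai else None


class IdentityProvider:
    """RADIUS/EAP server of the user's home realm (never talks to the client directly)."""

    def __init__(self, realm, users, attributes):
        self.realm, self.users, self.attributes = realm, users, attributes
        self.pending = {}  # NAI -> outstanding challenge nonce

    def access_request(self, eap, rp_name):
        """(4) RADIUS: handle one EAP message proxied by the relying party."""
        nai = eap.get("identity", "")
        if _realm(nai) != self.realm or nai not in self.users:
            return {"code": "Access-Reject"}
        pw = self.users[nai].encode()
        if eap["type"] == "Identity":
            nonce = secrets.token_bytes(16)
            self.pending[nai] = nonce
            return {"code": "Access-Challenge", "eap": {"type": "Challenge", "nonce": nonce}}
        if eap["type"] == "Response" and nai in self.pending:
            nonce = self.pending.pop(nai)
            # The response is bound to the RP's name, so replaying it to another RP fails.
            expected = _kdf(pw, b"auth", nonce, rp_name.encode())
            if not hmac.compare_digest(expected, eap["mac"]):
                return {"code": "Access-Reject"}
            # (5) Attributes: the RP receives key material and SAML attributes, never the password.
            return {"code": "Access-Accept", "msk": _kdf(pw, b"msk", nonce),
                    "saml_attributes": dict(self.attributes.get(nai, {}))}
        return {"code": "Access-Reject"}


class Client:
    def __init__(self, nai, password):
        self.nai, self.password = nai, password  # (1) Credentialing
        self.nonce = None

    def eap_identity(self):
        return {"type": "Identity", "identity": self.nai}

    def eap_response(self, challenge, rp_name):
        self.nonce = challenge["nonce"]
        return {"type": "Response", "identity": self.nai,
                "mac": _kdf(self.password.encode(), b"auth", self.nonce, rp_name.encode())}

    def context_key(self, rp_name):
        """(6) The client derives the same MSK locally and, from it, the GSS context key."""
        msk = _kdf(self.password.encode(), b"msk", self.nonce)
        return _kdf(msk, b"gss-context", rp_name.encode())


class RelyingParty:
    """Application server (the SSH server on the slide): relays EAP, consumes MSK + attributes."""

    def __init__(self, name, radius_routes):
        self.name, self.radius_routes = name, radius_routes  # realm -> IdentityProvider

    def authenticate(self, client):
        # (2) SSH negotiation: GSS-EAP mechanism chosen, RP requests the identity.
        ident = client.eap_identity()
        idp = self.radius_routes.get(_realm(ident["identity"]))
        if idp is None:
            return None
        reply = idp.access_request(ident, self.name)
        if reply["code"] != "Access-Challenge":
            return None
        # (3) Authentication: challenge and response pass through the RP unread.
        reply = idp.access_request(client.eap_response(reply["eap"], self.name), self.name)
        if reply["code"] != "Access-Accept":
            return None
        return {"context_key": _kdf(reply["msk"], b"gss-context", self.name.encode()),
                "attributes": reply["saml_attributes"]}


def demo(password="correct horse battery staple", rp_name="ssh.rp.example"):
    """Run the flow once; None on rejection, else the RP's result plus whether both keys agree."""
    idp = IdentityProvider("idp.example",
                           {"alice@idp.example": "correct horse battery staple"},
                           {"alice@idp.example": {"eduPersonAffiliation": "staff"}})
    rp = RelyingParty(rp_name, {"idp.example": idp})
    client = Client("alice@idp.example", password)
    result = rp.authenticate(client)
    if result is not None:
        result["keys_match"] = hmac.compare_digest(result["context_key"], client.context_key(rp_name))
    return result


if __name__ == "__main__":
    print(demo())
```

Running demo() returns the RP’s view of the outcome together with keys_match, which confirms that client and RP derived the same context key from the MSK even though the RP never saw the password; a wrong password is rejected by the home realm and demo() returns None.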

Page 19: Application support

Most modern applications use at least one of the security APIs supported by Moonshot

Correctly written applications (those that let the security API negotiate the mechanism rather than hard-coding a single one) will ‘just work’ without modification or recompilation

Less correctly written applications may require minor modifications

Project Moonshot is testing applications and sending patches upstream

Page 20: Screenshot: PuTTY client to OpenSSH server

Page 21: Screenshot: Internet Explorer to Apache

Page 22: Screenshot: Outlook 2010 to Exchange 2010

Page 23: Examples of other tested scenarios

• OpenSSH client → OpenSSH server (GSS)

• OpenLDAP client → OpenLDAP server (SASL)

• OpenLDAP client (GSS) → Windows Active Directory (SSPI)

• Firefox → Apache (GSS)

• Internet Explorer → IIS (SSPI)

• MyProxy client → MyProxy server (SASL)

• Adium → Jabberd (SASL)

• Console authentication using PAM/GSS on Linux and SSPI on Windows

Page 24: Standardisation

The architecture is currently being standardised within the IETF’s ABFAB (Application Bridging for Federated Access Beyond web) working group

See https://datatracker.ietf.org/wg/abfab for documents

The key documents are:

• draft-ietf-abfab-arch, describing the high-level architecture

• draft-ietf-abfab-gss-eap, describing the core “GSS-EAP” technology

• draft-ietf-abfab-aaa-saml, describing the use of SAML

(These drafts were later published as RFC 7831, RFC 7055 and RFC 7833 respectively.)

Page 25: Get involved!

The project is a Janet-led initiative, with contributions from GÉANT and others

• http://www.project-moonshot.org/using describes installing, configuring and using Moonshot. An installable Live DVD (Debian-based) is available, in addition to Debian, CentOS and Scientific Linux packages

• https://www.jiscmail.ac.uk/MOONSHOT-COMMUNITY is our community mailing list

• We also have a Jabber room at [email protected]

Page 26: Technology pilot

Page 27: Technology pilot goals

1. To test the suitability of the Moonshot technology for deployment, focusing on e-Research use cases

2. To identify what further work is needed to support the wider community’s use of the technology

3. To plan, implement or support this additional work

Page 28: Current status

• Pilot sites connected to Janet’s eduroam infrastructure

• Software ready for pre-production testing only

• Production-quality environment due Q1 2012

• IETF standardisation approaching completion

• On-going discussions with OS and application vendors

Page 29: Future plans

Page 30: The next six months

The primary activities will be

• Continuation of the existing Technology Pilot

• Improvement and refinement of the core software

• Outreach to other stakeholders

• Development of the final elements needed for a production-ready service

• Completion of standardisation

Page 31: Conclusions

Moonshot provides a standardised next-generation identity & trust technology

Moonshot builds on widely deployed technologies and infrastructure

Moonshot provides a cross-platform implementation ready for pre-production testing

Moonshot will provide the trust & identity platform for Janet’s services

Page 32: Q & A