Secure Network Performance Testing using SeRIF

Charles J. Antonelli
Center for Information Technology Integration
University of Michigan

Laurence Kirchmeier
MERIT, Inc.

21 June 2005

Contributors
• CITI
  – Andy Adamson
  – Olga Kornievskaia
  – David Richter
  – Nathan Gallaher
• MGRID
• ITCom

Work supported by OVPR and U-M ITCom

SeRIF
• SeRIF: Secure Remote Invocation Framework
• Purpose: provide a secure and extensible remote process invocation service, with strong authentication and flexible authorization
• Based on Globus, GARA
• Adds fine-grained authorization
  – Walden

SeRIF
• Central portal host
  – Authentication
  – Control (invocation, parameters, results)
  – Databases (LDAP)
• Dedicated remote nodes
  – Gatekeeper
  – Local scheduler for execution and cleanup
  – Provides status and output redirection
  – Fine grained authorization at resource

SeRIF Architecture
[Figure: SeRIF architecture diagram with numbered steps 1 to 8. Labels: User Workstation, Browser, libpkcs11, kinit, kx509, KDC, Kerberos V5, KCA, KCT, Portal, Apache, Tomcat, mod ssl, mod kx509, mod kct, mod php, mod jk, CHEF, LDAP, NW Topology, Output, Grid Resource, GateKeeper, Resource, Resource Mgr, Walden Authorization. Link labels: SSL (client certificate required), Kerberos, GSI, SASL.]

NTAP
• NTAP: Network Testing and Performance
• Purpose: provide a secure and extensible network testing and performance tool invocation service at U-M
• Uses SeRIF framework
• Runs on portal host and Performance Measurement Platforms (PMPs) attached to routers in a VLAN environment

NTAP Architecture
[Figure: NTAP architecture diagram. Labels: Portal, Host A, Host B, Router 1, Router 2, Router 3, PMP 1, PMP 2, PMP 3, GSI, Attribute Callout, AFS PTS, Flat File, Walden.]

NTAP I
• Bandwidth reservation tool:
  – Securely modifies network switch configurations to provide differentiated services
  – Based on GARA extension
    • “General-purpose Architecture for Reservation and Allocation”
    • Layered on Globus
    • Includes scheduler for future reservations
  – Implements modular, fine-grained, role-based authorization
    • Added signed group membership(s) to reservation data
    • Keynote policy engine / AFS PTS group service

NTAP II
• Added PERMIS authorization plug-in
• Generalized to run securely arbitrary programs at a Grid service endpoint
• Automatic path discovery
  – traceroute & topology database
• Multihomed PMP support
  – source address selects per-VLAN route
• Production hardening
  – recovery, packaging & installation

Output Database
• Test program outputs captured
• Stored in LDAP database
• Database display tool
  – Output hop-by-hop matrix display
  – Color-coded test history
  – Click through cells for detailed views
    • Links to most recent tests
  – Config file for rapid prototyping

NTAP III
• Deployment
  – PMPs deployed at CITI, ITCom, Merit
• 10 Gbps PMPs
  – PCI-X vs. PCI-X V2.0 vs. PCIe
• Walden authorization plug-in
• Additional Path Testing
• Host Endpoint Testing
• Automated Testing
• Profile-based Interface

Walden
• Fine-grained authorization at gatekeeper
• Walden policy engine / XACML policy file
  – Resource, Action, Subject attributes
• Demo policy
  – Any authenticated principal may run a test on designated PMPs
  – Specific principals may run a test on any PMP
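
The demo policy above, written as a deny-by-default decision function over Subject, Action and Resource attributes. This is an added illustration, not Walden's code or its XACML policy file; the host names, principal names, the `run-test` action and all function names are constructed for the example.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed sample attributes; the slide names no hosts or principals.
ALL_PMPS = {"pmp1.example.edu", "pmp2.example.edu", "pmp3.example.edu"}
DESIGNATED_PMPS = {"pmp1.example.edu"}
SPECIFIC_PRINCIPALS = {"alice@EXAMPLE.EDU"}

@dataclass(frozen=True)
class Request:
    subject: Optional[str]   # authenticated principal, None if unauthenticated
    action: str              # hypothetical action name, e.g. "run-test"
    resource: str            # PMP the test would run on

def rule_designated(req: Request) -> bool:
    # "Any authenticated principal may run a test on designated PMPs"
    return req.resource in DESIGNATED_PMPS

def rule_specific(req: Request) -> bool:
    # "Specific principals may run a test on any PMP" (any *known* PMP)
    return req.subject in SPECIFIC_PRINCIPALS and req.resource in ALL_PMPS

RULES = [("designated-pmp", rule_designated),
         ("specific-principal", rule_specific)]

def decide(req: Request) -> tuple:
    """Return (decision, reason); anything no rule permits is denied."""
    if not req.subject:
        return ("Deny", "unauthenticated")
    if req.action != "run-test":
        return ("Deny", "unknown-action")
    for name, rule in RULES:
        if rule(req):
            return ("Permit", name)
    return ("Deny", "no-matching-rule")

def audit(requests):
    """Evaluate a batch of requests, e.g. as a policy regression check."""
    return [decide(r) for r in requests]

SAMPLE = [  # constructed requests
    Request("bob@EXAMPLE.EDU", "run-test", "pmp1.example.edu"),
    Request("bob@EXAMPLE.EDU", "run-test", "pmp3.example.edu"),
    Request("alice@EXAMPLE.EDU", "run-test", "pmp3.example.edu"),
    Request(None, "run-test", "pmp1.example.edu"),
    Request("alice@EXAMPLE.EDU", "run-test", "rogue.example.net"),
]
```

Keeping the batch of sample requests next to the policy lets a change to either rule be checked against the expected Permit/Deny outcomes before it reaches a gatekeeper.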
Walden

Additional Path Testing
• Adds customer-specified tests to schedule
• endpoint - add R1-Rn
• cascade - add R1-R2, R1-R3, …, R1-Rn
[Figure: Router 1, Router 2, Router 3, Router n]

Host Endpoint Testing
• First mile problem
  – Leverages Network Diagnostic Tester
• Uses JavaWebStart to run signed apps on client
  – Client downloads NDT app
    • Multi-step process
    • User clicks two links
  – Client identifies first-hop router and attached PMP running NDT server
  – Client runs NDT test and displays results as usual
  – NDT server sends results to NTAP database
[Figure: Router 1, Host A]

Automated Testing
• Need repetitive, automated testing
  – … but with secure authentication and authorization
• Solution: renewable credentials
  – User obtains long-term credentials
  – Portal schedules repetitive testing
  – Prior to a test cycle, portal validates long-term credential and derives from it a short-term credential
  – Rest of SeRIF architecture unchanged
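
The validate-then-derive step above, as an added sketch that is not SeRIF code. It substitutes HMAC-signed tokens for the Kerberos and X.509 credentials SeRIF uses; the key, lifetimes, claim names and function names are all assumptions made for the example.

```python
import hashlib
import hmac
import json

PORTAL_KEY = b"constructed-demo-key"  # assumption: secret held only by the portal
SHORT_TTL = 600                       # assumption: short-term lifetime in seconds
REVOKED_IDS = set()                   # assumption: portal-side revocation list

def _sign(claims):
    body = json.dumps(claims, sort_keys=True).encode()
    tag = hmac.new(PORTAL_KEY, body, hashlib.sha256).hexdigest()
    return body.hex() + "." + tag

def _verify(token, now):
    """Return the claims if the token is authentic and unexpired, else None."""
    try:
        body_hex, tag = token.split(".")
        body = bytes.fromhex(body_hex)
    except ValueError:
        return None
    expected = hmac.new(PORTAL_KEY, body, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected.encode(), tag.encode()):
        return None
    claims = json.loads(body)
    return claims if claims["exp"] > now else None

def issue_long_term(principal, cred_id, lifetime, now):
    return _sign({"sub": principal, "id": cred_id, "kind": "long",
                  "exp": now + lifetime})

def derive_short_term(long_token, now):
    """Validate the long-term credential, then mint a short-term one from it."""
    claims = _verify(long_token, now)
    if claims is None or claims["kind"] != "long":
        return None                   # forged, expired, or not a long-term credential
    if claims["id"] in REVOKED_IDS:
        return None                   # user or operator withdrew the credential
    # The derived credential never outlives the credential it came from.
    exp = min(now + SHORT_TTL, claims["exp"])
    return _sign({"sub": claims["sub"], "parent": claims["id"],
                  "kind": "short", "exp": exp})

def verify_short_term(token, now):
    claims = _verify(token, now)
    return claims if claims and claims["kind"] == "short" else None
```

Because derivation re-checks expiry and revocation before every test cycle, withdrawing the long-term credential stops scheduled tests within one short-term lifetime.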

Profile-based Interface
• Tests specified via test profile, composed of
  – A path map
  – One or more application profiles
  – An output profile
• Database of path maps and profiles
  – Segment mapped or user-specified
  – Captures common test configurations
  – Leverages testing expertise
• Maps and profiles stored in LDAP database

Future Work
• Post-processed statistics, graphs
• Cross-domain testing
• Alternatives to topology database
  – Active infrastructure probing
• Automated tools
  – Tune TCP stack
  – Detect conditions, e.g. duplex mismatches
• Graph the topology database

SeRIF Resources
• SeRIF & NTAP home page
  – http://www.citi.umich.edu/projects/ntap
  – FAQ & documentation
  – Download NTAP code & installation instructions
• Tools
  – iperf http://dast.nlanr.net/Projects/Iperf/
  – ndt http://e2epi.internet2.edu/ndt/
  – owamp http://e2epi.internet2.edu/owamp/

Merit’s Measurement Infrastructure
• Goals
  – Provide measurement servers located across MichNet
  – Permit ad-hoc measurements to these servers for members and affiliates
  – Perform regular measurements between the servers to track the health of MichNet
  – Tie in MichNet servers with UM’s ntap servers & Internet2 measurement infrastructure
Merit Measurement Infrastructure
ntap1.merit.edu
ntap2.merit.edu
ntap3.merit.edu
deployment later summer

Merit’s Measurement Infrastructure
• Measurement tools available
  – ndt
    • Last mile network diagnostic tool
  – owamp
    • One-way ping tool
  – bwctl
    • Bandwidth test controller
• ntap provides strong authentication and authorization to these tools
• See http://e2epi.internet2.edu for more information on these tools

Internet2 ndt servers
[Map labels: Denver, Seattle, Sunnyvale, Los Angeles, Houston, Kansas City, Chicago, Indianapolis, Atlanta, Washington DC, New York]
http://e2epi.internet2.edu/pipes/ami/pmp-info.html#ndt

Internet2 bwctl & owamp servers
[Map labels: Denver, Seattle, Sunnyvale, Los Angeles, Houston, Kansas City, Chicago, Indianapolis, Atlanta, Washington DC, New York]
http://e2epi.internet2.edu/pipes/ami/bwctl/

Merit’s Measurement Infrastructure
• Next steps
  – Deploy measurement servers
  – Develop report web pages and front-ends to the tools
  – Work with members and affiliates - Internet2 measurement workshop?
  – Review other measurement tools such as Mona Lisa
• Lunchtime BOF on E2E performance and measurement

Merit’s Measurement Info
• resources
  – Merit Measurement web pages
    • http://www.merit.edu/nrd/projects/e2e.html
  – Internet2 Measurement Performance workshop
    • http://e2epi.internet2.edu/network-perf-wk/index.html
  – Email:
    • [email protected]
MGRID NTAP Project
Demonstration

Any Questions?
http://www.citi.umich.edu