A Practical Distributed Authorization System for GARA
Although Quality of Service functionality has become a common feature of network hardware, configuration of QoS parameters is done by hand. There is a critical need for an automated network reservation system to provide reliable last mile networking for video, audio, and large data transfers. Security of all communications in the process of automating the network configuration is vital. What makes this security problem difficult is the allocation of end-to-end network resources across security realms and administrative domains.
This paper introduces a practical system that shows a design and implementation of Globus General-purpose Architecture for Reservation and Allocation (GARA) services that offer automated network reservation services to users. The contributions of this paper are twofold. First, we provide fine-grained cross-domain authorization for GARA that leverages existing institutional security and group services, with universal access for users. We identify and discuss the issues involved. Second, we eliminate the need for long-term public key credentials and the associated overheads that other systems require. We describe the implementation of an easy and convenient Web interface for making reservation requests.
Keywords: Reservation Request, Trust Management System, Authorization Decision, Bandwidth Broker, Network Hardware