
Version 1 (modified by jtaylor@bbn.com, 14 years ago)


GENISecurity Project Status Report

Period: 4Q08

I. Major accomplishments

None.

A. Milestones achieved

None.

B. Deliverables made

Our schedule calls for delivery of a draft security architecture at the end of this month. We will work with Heidi Dempsey in the GPO to request an extension on delivery, as it has proven more difficult to complete the writing of this initial version during the end-of-year holiday period than anticipated.

II. Description of work performed during last quarter

A. Activities and findings

We have pursued interactions with several of the development and prototyping clusters, continuing our ongoing participation in a joint discussion with members of the GENI project from the old facilities architecture working group, including Larry Peterson, John Wroclawski, Rob Ricci and others. In addition, we are meeting regularly with the ProtoGENI and DETER clusters, as well as interacting less frequently with other GENI participants.

Internal discussions within the SPARTA GSAT team have identified a wide range of security issues that are potentially items to address in the GENI Security Architecture. In particular, Steve Schwab and Sandy Murphy have considered how early research in Active Networks maps roughly to the emerging GENI substrate and slice abstractions, and how to leverage thinking, or at least avoid rat holes, informed by that earlier work. It is also clear that only a small fraction of the overall GENI Security Architecture can be discussed in any significant depth during the current 12-month spiral given limited funding. Therefore, we will focus on the distributed authentication and authorization area where several of the clusters are investing time and effort, while trying to provide coverage of other security issues that need to be included on a security roadmap, but are not quite as high a priority for this spiral.

We have also been in discussions with GPO System Engineers, including Harry Mussman and Heidi Dempsey, to provide feedback on their initial capture of the Slice-based facility architecture abstractions and general set of O&M security issues, respectively.

The SPARTA team prepared a poster for the GENI Engineering Conference #3 in Palo Alto, CA. Unfortunately, neither Steve Schwab nor Jim Horning was able to attend, so Calvin Ko attended the conference and presented the poster.

While it is still very early to identify findings, one item is worth calling out. The association of any given project or testbed with GENI is very amorphous. At some point in the very near future, a number of GENI prototypes will become active without a GENI-centric review of their security posture. Since the GENI prototypes are leveraging pre-existing operational testbeds in new ways to realize GENI capabilities, there is no clear delineation of a milestone at which the GENI Project Office can or should authorize, endorse and/or certify that the “GENI” prototypes are meeting any GENI requirements for security operations or policies. A GENI community discussion is perhaps needed to decide how to “register” or “brand” GENI prototypes as being part of the GENI Federation, whether funded directly or partially by GENI GPO, or merely interoperating with GENI cluster projects.

B. Project participants

The following SPARTA staff is participating in the GSAT project:
Stephen Schwab, Alefiya Hussain, Jim Horning, Sandra Murphy, Calvin Ko.

C. Publications (individual and organizational)

None.

D. Outreach activities

None.

E. Collaborations

We have been actively collaborating with Rob Ricci/Utah and other members of the projects collaborating under the ProtoGENI cluster umbrella. This collaboration includes bi-weekly status telecons as well as additional frequent email and other interactions with Emulab staff at Utah. The aim of this effort is to track mechanisms being introduced within Emulab to support ProtoGENI multi-site deployment and prototyping, and to capture the security-relevant aspects of these mechanisms within our security abstractions.

We also have been working closely with John Wroclawski and Ted Faber of USC/ISI under the DETER GENI cluster. In particular, we have discussed Attribute Based Access Control (ABAC), sharing papers and exchanging ideas on how ABAC might serve as a useful basis for the security abstractions underpinning the DETER Federation implementation as it evolves to support GENI-specific goals. We plan to support the migration of ABAC software to DETER under other funding, and to capture the security architecture impacts gleaned from this work within the GENI Security Architecture.

We have continued to interact with Larry Peterson/Princeton regarding PlanetLab, in particular reviewing and discussing Acceptable Usage Policy issues. While not directly related to security architecture, we feel there is a need to coordinate security mechanisms in GENI that will be used to enforce the policies required in various deployment environments.

F. Other Contributions

None.