perfsonar-dev - Authenticating LS registration [Was: Re: Security considerations in perfSONAR]
- From: Nicolas Simar <>
- To: Nina Jeliazkova <>
- Cc: Cándido Rodríguez Montes <>, Roman Lapacz <>, schmitz <>, Loukik Kudarimoti <>, "" <>
- Subject: Authenticating LS registration [Was: Re: Security considerations in perfSONAR]
- Date: Tue, 03 Jun 2008 08:42:26 +0100
Nina Jeliazkova wrote:
Hi all,
One more security consideration - currently _any_ service can register _anything_ in a Lookup service just by sending the appropriate messages. Could someone clarify, if the LS supports authentication and it is just switched off by default, or it is open for anybody by design ?
Hi Nina,
currently there is no auth available on the LS. Because of the confined group using the LSes, it is not yet an issue.
However, on one side, we should add to the roadmap the capability to authenticate the web-services registering to the LSes to avoid having crap registered at it and to avoid being DoS-ed. This model works well for network operators who do not wish to have anybody else registering to their LSes (home LS or hLS - see Maciej's slides from Zagreb or slightly after the Zagreb meeting).
On the other side, having the gLS/higher level dLS being so strict leads to breaking the open model where people can easily join the "perfSONAR community": only the people who would have contacted one LS administrator could register some information at it.
1) For the hLS, it is a sensible thing to have the capability of limiting who can register to it. We can add this functionality to the LSes and to the web-services after the dLS has been released. (Maciej, can you please add this to the roadmap?)
1.1) The authentication model to be used needs to be defined.
1.2) Deployers are free to turn on authentication or not.
2) For the higher level LSes, what would be the model followed? What is the model we want for perfSONAR?
(a) Entirely open to everybody (including bad things),
(b) do we want to add a minimum of protection that doesn't break the model (how - limiting the registration frequency, etc.)?
(c) do we want to differentiate the treatment of the information received from a protected hLS from a non-protected one?
(d) do we want to work only with "protected LS" (= LS whose registration is controlled)?
I would suggest a dedicated 1h session in Berlin to see more clearly through the issue and identify a timeline (end of the year for the implementation of the feature for the hLS or equivalent).
Cheers,
Nicolas
Best regards,
Nina
Nicolas Simar wrote:
Hi Roman, Nina and David,
Cándido Rodríguez Montes wrote:
Hi Nicolas and Loukik,
as perfSONAR MDM 3.0 is going to be installed by European NRENs, I would like to know if they are/will be deploying their services over http or https.
HTTPS is not a requirement for the authN process but it is helpful against replay attacks, even though the authN hasn't been part of perfSONAR!
what would be the impact on:
1) the web-service development if we were to use https (none?)
2) the visualisation (the way they access the web-service)?
So, in case perfSONAR services are reached by http, we should ask them to move it to https.
Thanks a lot.
Nicolas
Regards
--
Cándido Rodríguez Montes
Middleware warrior Tel:+34 955 05 66 13
Red.ES/RedIRIS
Edificio CICA
Avenida Reina Mercedes, s/n
41012 Sevilla
SPAIN
--
Nicolas
______________________________________________________________________
Nicolas Simar
Network Engineer
DANTE - www.dante.net
Tel - BE: +32 (0) 4 366 93 49
Tel - UK: +44 (0)1223 371 300
Mobile: +44 (0) 7740 176 883
City House, 126-130 Hills Road
Cambridge CB2 1PQ
UK
_____________________________________________________________________