DOI: 10.5555/3233397.3233507
research-article

Authentication and authorization in FELIX

Published: 07 December 2015

Abstract

FELIX, the EU-Japan jointly-funded project, establishes a software defined networking (SDN) experimental facility which spans two continents and several administrative domains via dynamic transit network connections. The FELIX architectural blueprint provides an excellent example where key topics such as policy-based software-defined infrastructure instantiation are supported by resource orchestrators which manage multi-domain distributed compute and network resources, including on-demand provisioning of transit network resources. In this context, FELIX implements a modern approach for authentication and authorization in SDN experimental facilities which enables fine-grained control and avoids single points of failure. This paper details the underlying mechanisms for user and transit network resource authentication and authorization in FELIX.

Published in: UCC '15: Proceedings of the 8th International Conference on Utility and Cloud Computing, December 2015, 670 pages

ISBN: 9780769556970

Publisher: IEEE Press

Overall acceptance rate: 38 of 125 submissions, 30%
