ESCC Meeting
Oct 1-3, 1997
Jefferson Lab, Newport News, VA
Notes by Bob Cowles
10/1 - Over 50 people in attendance. Next meeting is 3/24-27 in Berkeley.
DOE Update - George Seweryniak
Look in http://www.er.doe.gov/production/octr/mics/index.html
The Privacy and Security Working Group is now in the Large Scale Networking group.
Check out http://www.ngi.gov for information on the next generation internet initiative.
The FTS2001 award is at about the same time as the next award for ESnet; there are likely to be lots of questions about why they both just can't be the same. Need to have answers on how ESnet differentiates itself from other networks.
DOE got no ($0.00) funding for NGI work in FY98.
The tension between production and R&D is critical; production nets tend to stagnate (and don't get funding).
ES Steering Committee update - Sandy Merola (LBNL)
International issues: some HEP sites want better connections to CERN
How is ESnet differentiated?
Application Workgroup being formed.
ESnet Update - Jim Leighton (ESnet)
Current stats are 277 bytes/packet; 18.8 Gigapackets accepted.
QoS issues
Coupling IP and ATM QoS capabilities
Allocation of resources: how is pain inflicted? How is it paid for?
Internal vs. External: mostly an external issue for now
QoS performance levels: how to guarantee them?
ESnet Network Info & Services Update - Allen Sturtevant (ESnet)
They are currently using DCE 1.1 for Solaris 2.5.1
JLAB is using Network Intrusion Detector, SPInet. They require all multi-user systems to provide the computer center with a non-privileged login. That login is used to check the system to be sure it hasn't been compromised. It does an MD5 checksum of key binaries [rlogin, su, etc.] and compares against a stored baseline. They have been able to require SSH, Kerberos and SecurID. SLAC has a monitor tied into the phone pager.
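The JLAB check described above (a baseline of checksums over key binaries, compared from a non-privileged account) as an added example; this is not code from the meeting notes or from JLAB's tooling. The list of binaries beyond rlogin and su, the fake bin directory, and the use of SHA-256 instead of the MD5 the notes mention are assumptions made for the example.

```python
import hashlib
import os
import tempfile

# Binaries to watch. The notes mention rlogin and su; the rest of this list
# is an assumption for the example, as is the hash: the notes say MD5, but
# SHA-256 is used here because MD5 is no longer collision-resistant.
KEY_BINARIES = ["rlogin", "su", "login", "ps"]
HASH_ALGO = "sha256"

def file_digest(path, algo=HASH_ALGO):
    """Hash a file in chunks so large binaries need not fit in memory."""
    h = hashlib.new(algo)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def build_baseline(root, names, algo=HASH_ALGO):
    """Record the known-good digest of each binary under root.
    Keep the result off the monitored host (at the computer center)."""
    return {name: file_digest(os.path.join(root, name), algo) for name in names}

def check_against_baseline(root, baseline, algo=HASH_ALGO):
    """Compare the live binaries with the baseline.
    Returns {name: 'ok' | 'modified' | 'missing'}."""
    report = {}
    for name, expected in baseline.items():
        path = os.path.join(root, name)
        if not os.path.isfile(path):
            report[name] = "missing"
        elif file_digest(path, algo) != expected:
            report[name] = "modified"
        else:
            report[name] = "ok"
    return report

def demo():
    """Constructed scenario: a fake bin directory, a baseline, then a
    trojaned su and a deleted ps. Returns the check report."""
    with tempfile.TemporaryDirectory() as fake_bin:
        for name in KEY_BINARIES:
            with open(os.path.join(fake_bin, name), "wb") as f:
                f.write(b"ELF stand-in for " + name.encode())
        baseline = build_baseline(fake_bin, KEY_BINARIES)
        with open(os.path.join(fake_bin, "su"), "ab") as f:
            f.write(b"\n# backdoor appended")   # simulate a trojaned binary
        os.remove(os.path.join(fake_bin, "ps"))  # simulate a removed binary
        return check_against_baseline(fake_bin, baseline)

if __name__ == "__main__":
    for name, status in sorted(demo().items()):
        print("%-8s %s" % (name, status))
```

Two caveats apply to the real check as the notes describe it: a non-privileged login can only hash binaries that are world-readable, and a host that is already compromised can lie to the checker (trojaned hash tool, kernel rootkit), so the checker binary and the baseline must come from, and stay on, a system the computer center controls.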
It was proposed that the ESnet Distributed Helpdesk centralize(sic) info on security hole plugging.
Next Generation Internet (NGI) - Bob Aiken
The acronym stands for No Government Involvement; check out http://www.ngi.com
First goal is network research.
Security
Concurrent production and research on the same network: MORPHnet, http://www.ccic.gov
QoS implies accounting and settlement capabilities
Internet 2 is much more production oriented
NGI: aggressive integration of Net R&D and applications
Network Challenged Applications - Bob Aiken
Money available from MICS
Establish a small number of test-bed projects for ER research applications
10/2
Distributed Systems Management Working Group
SNL and LANL have shared cross authentication (on the secure side)
AFS allows multiple credentials; DCE allows only one
[the session demonstrated much interest in the bureaucratic side of security and little interest in real security]
DCE Working Group
In 6 months it will be possible to access HPSS files through DFS (longer for the rest of us)
Lag time between a new release of NT and support in DCE and DFS is a real problem (DFS especially, since DCE comes with the new version of NT).
Managing DFS ACLs needs a better user interface: Gracle? Perl/Tk prototype that PNNL is implementing, or Platinum PCI, or AIX
PNNL is doing proof of concept for running a number of DFS servers on NT (and still use central authentication)
ORNL may be interested in organizing a DCE/DFS internals class, maybe in conjunction with the next ESnet meeting
Bill Meyer: the Mag Fusion Experiment at LLNL uses DCE/DFS to do computing at LLNL while experiments are performed elsewhere
Report on Open Group meeting in Boston last week
There had been a prioritization of enhancements but nothing had been done
Old model for enhancement to DCE is broken
DCE will not be ubiquitous; it must co-exist with other security infrastructures. RFC 95 includes making DCE work with public key, Entrust in particular.
Some sites create a group for each user and create a friends directory under that.
There are real problems in using chmod on DFS files. Even with user education, many install scripts (or tar, if you untar preserving ownership) run chmod anyway.
Working Group Review session
(Les left so I had to take more notes)
DSMWG
Look on es.net in /hypertext/committees/dsmwg.html
Authentication is a shared responsibility between sites
Want to start a pilot project, limited to non-sensitive data. Sites available for arbitrary cross-certification: ANL, Ames, ESnet, JNL, LLNL, NERSC, PNNL
DCEWG
Focus on working on integration of DCE and PK environment
Tools: DFS websecure from SNL
Internals training proposed by ORNL
Bulk licenses proposed by ORNL; for now they could just put something out on a list if there is a deal others may want to get in on.
The ASCI Experience - Barry Howard (LLNL)
Accelerated Strategic Computing Initiative
http://www.llnl.gov/asci
Three labs, one program: develop simulation technology for stockpile stewardship
HPC platforms can only be used with a supportive computing environment, and the gap is widening
Problems
Critical path items
Looking ahead
Integrating Kerberos and DCE - Ron Wilkins (LANL)
The division of responsibilities at LANL has Kerberos doing authentication, DCE doing authorization
kinit goes to the K4,5 server
The TGS and PS are accessed using k5dcelogin (on another server) to turn the K5 ticket into DCE credentials
If the key in DCE and K5 is the same and the realm name is the same, then the K5 TGT is exactly the same as the DCE TGT
Passwords are only managed on the Kerberos KDC; DCE security server passwords are random
All DCE systems use k5dcelogin
No change in what the user has to do always use kinit
Kerberos is moving faster than DCE and is getting new features; this architecture helps to de-couple things so they can take advantage of new Kerberos features as they become available
It all should work OK with NT 5 when Microsoft includes a K5 implementation
There is a problem with European access to K5 (the encryption, at any rate)
AuthTF - Doug Engert (ANL)
deengert@anl.gov
PAG: Process Authentication Group
k5dcelogin
New solution
New k5dcelogin
Callable by rshd, ftpd, rlogind, telnetd, sshd and others, and it happens before any access is made to the home directory
Solaris 2.5 has a pluggable authentication structure
For mods look at: ftp://achilles-ctd.anl.gov/pub/kerberos.V5
Consider the momentum of the various products: 200 people at the DCE conference; 6000 people at the NT developers conference
Projects
DOE 2000 Update
(check out http://www-itg.lbnl.gov)
Collaborative Technologies
Implementation: definition of API complete, need feedback. Write in Nexus, Java, C++, C, CORBA
Van Jacobson has done the QoS design
Web references: (probably close, but not guaranteed)
ESnet Remote Conferencing - Kipp (FNL)
IP multicast only
352 x 288 resolution only
audiobridging
MSB
H.323
- - - - - - -
Bob Aiken comment from the back of the room -
Internet 2 was able to group and talk to congressional staffers. We need to get scientists to say they need the stuff we're doing.
10/3 -
Snareworks
Provides a security framework to TCP/IP-based and legacy apps, including single sign-on, in a transparent manner.
Protocols currently supported
Supports mapping single sign-on to multiple targets
Works in conjunction with integrated login, forwarding user credentials to the target host
Extensible
Dynamic user registration
Based on host/domain/cell
Account attributes and policies
Fine-grained access control by
Settings can represent permissions
Settings can represent features
Licensed for export (40-bit export, 56-bit local)
Future PSMs planned for Oracle, Tuxedo, PeopleSoft, and others
Does not encrypt the headers, to be firewall friendly
Platforms supported:
Is able to maintain your credentials for multiple DCE cells (getting around a problem discussed earlier in the week)
Requires DCE 1.1 but results in significant cuts in DCE license costs since very few servers are required.
Security Developments - Bill Johnston (LBNL)
http://www-itg.lbl.gov/~johnston
In the model they are developing, authorization authorities specify the use conditions. Certificate servers hold those conditions. A policy engine enforces the use conditions by matching use conditions against an entity's attributes and issues a capability for that entity (user) [like getting a security badge]. An access control gateway requires a capability and enforces certain policies: "check immediate" if the capability (badge) must be checked for current validity, out-of-band issues (payment), etc., and sets up the security context.
The actions allowed to be performed on resources are controlled independently of the access allowed.
[This appears to be a fairly theoretical effort. I asked a fairly basic real-world question about how the capabilities were handled and the speaker admitted that they had not considered that circumstance.]
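The badge model in these notes (use conditions held by a certificate server, a policy engine that matches attributes against them and issues a capability, a gateway that requires the capability, optionally does "check immediate", and decides actions separately from access), as an added example; this is not code from the notes or from the LBNL project. The resource and attribute names, the revocation set, and the use of an HMAC with a secret shared by engine and gateway are assumptions made to keep the example self-contained; a real deployment would sign capabilities with a key the gateway can verify without sharing a secret.

```python
import hashlib
import hmac
import json
import time

# Constructed "certificate server" contents: the use conditions each
# authorization authority has set on a resource. Resource names, attribute
# names and the check_immediate flag are assumptions for this example.
USE_CONDITIONS = {
    "sim-archive": {
        "require": {"affiliation": "doe-lab", "project": "asci"},
        "actions": ["read", "list"],
        "check_immediate": False,  # badge trusted until it expires
    },
    "control-system": {
        "require": {"affiliation": "doe-lab", "role": "operator"},
        "actions": ["read", "write"],
        "check_immediate": True,   # gateway must confirm current validity
    },
}

def _sign(key, payload):
    """HMAC over a canonical JSON encoding so the gateway can detect tampering."""
    data = json.dumps(payload, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, data, hashlib.sha256).hexdigest()

def issue_capability(key, subject, attributes, resource, now=None, ttl=3600):
    """Policy engine: match the entity's attributes against the use
    conditions; on success issue the capability (the 'badge')."""
    conds = USE_CONDITIONS.get(resource)
    if conds is None:
        return None
    for attr, wanted in conds["require"].items():
        if attributes.get(attr) != wanted:
            return None            # a use condition is not met: no badge
    now = time.time() if now is None else now
    cap = {
        "sub": subject,
        "res": resource,
        "actions": sorted(conds["actions"]),  # permitted actions, carried separately
        "exp": now + ttl,
        "check_immediate": conds["check_immediate"],
    }
    return {"cap": cap, "sig": _sign(key, cap)}

def gateway_authorize(key, token, action, revoked=frozenset(), now=None):
    """Access control gateway: require a valid capability, honour
    'check immediate', then decide the requested action on its own."""
    if token is None:
        return (False, "no capability presented")
    cap = token["cap"]
    if not hmac.compare_digest(_sign(key, cap), token["sig"]):
        return (False, "bad signature")
    now = time.time() if now is None else now
    if now >= cap["exp"]:
        return (False, "capability expired")
    if cap["check_immediate"] and (cap["sub"], cap["res"]) in revoked:
        return (False, "capability revoked")
    # Access to the resource is granted; what may be done is a separate check.
    if action not in cap["actions"]:
        return (False, "action not permitted: " + action)
    return (True, "ok")

def demo():
    """Constructed scenario exercising each gateway decision."""
    key = b"engine-gateway-shared-secret"   # assumed: shared by engine and gateway
    t0 = 1_000_000.0
    alice = {"affiliation": "doe-lab", "project": "asci", "role": "operator"}
    bob = {"affiliation": "university"}
    out = {}
    badge = issue_capability(key, "alice", alice, "sim-archive", now=t0)
    out["read"] = gateway_authorize(key, badge, "read", now=t0 + 10)
    out["write"] = gateway_authorize(key, badge, "write", now=t0 + 10)
    out["expired"] = gateway_authorize(key, badge, "read", now=t0 + 7200)
    # sim-archive is not check_immediate, so the revocation set is not consulted
    out["stale_ok"] = gateway_authorize(key, badge, "read",
                                        revoked={("alice", "sim-archive")}, now=t0 + 10)
    ctl = issue_capability(key, "alice", alice, "control-system", now=t0)
    out["revoked"] = gateway_authorize(key, ctl, "write",
                                       revoked={("alice", "control-system")}, now=t0 + 10)
    out["no_badge"] = gateway_authorize(
        key, issue_capability(key, "bob", bob, "sim-archive", now=t0), "read", now=t0)
    forged = {"cap": dict(badge["cap"], actions=["list", "read", "write"]),
              "sig": badge["sig"]}
    out["forged"] = gateway_authorize(key, forged, "write", now=t0 + 10)
    return out

if __name__ == "__main__":
    for name, (ok, why) in demo().items():
        print("%-9s %-5s %s" % (name, ok, why))
```

The split the notes describe is visible in the two functions: the engine decides who gets a badge at all, the gateway decides what the badge holder may do. The stale_ok case shows the cost of skipping "check immediate": a badge that is not re-checked stays good until it expires, so the ttl is the upper bound on how long a revoked entity keeps access.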
Directory services and other random things - Michael Helm (ESnet)
SLAC has its own X.500 service (?)
He is willing to set up a Certificate Authority for Esnet sites ... or at least explore the possibility.
Entrust is mailing a Eudora plug-in to support S/MIME.
S/MIME under Netscape may be easier to use than Eudora's PGP.
Legal Aspects of PKI - Gary Fresen (lawyer)
The only thing I wrote down was the point he made that what we often talk about as non-repudiation is really non-deniability.
PKI WG Report - John Long (SNL)
Certificate Authorities are expensive. DOE is setting up a policy on how funds can be used (training, infrastructure, etc.)
No hierarchy of CAs is expected. Rather there will be cross certification to provide for certificate transfer.
Multi-level trust needs some more software AND user sophistication.
A draft DOE policy went out in early September and will be signed any time now. There was much discussion about the fact that the draft policy went out without much announcement because they didn't want a lot of comments back; most people at the meeting didn't even know a policy was being considered.
* * * * * * * * * * * * * * * End of Meeting * * * * * * * * * * * * *