ESCC Meeting

Oct 1-3, 1997

Jefferson Lab, Newport News, VA

Notes by Bob Cowles

10/1 – Over 50 people in attendance. Next meeting is 3/24-27 in Berkeley

DOE Update – George Seweryniak

Look in http://www.er.doe.gov/production/octr/mics/index.html

The Privacy and Security Working Group is now in the Large Scale Networking group.

Check out http://www.ngi.gov for information on the next generation internet initiative.

FTS2001 award is at about the same time as the next award for ESnet – there are likely to be lots of questions about why they both just can’t be the same. Need to have answers on how ESnet differentiates itself for other networks.

DOE got no ($0.00) finding for NGI work in FY98.

The tension between production and R&D is critical – production nets tend to stagnate (and don’t get funding).

 

ES Steering Committee update – Sandy Merola (LBNL)

International issues – some HEP sites want better connections to CERN

How is ESnet differentiated?

Application Workgroup being formed.

 

ESnet Update – Jim Leighton (ESnet)

Current stats are 277 bytes/packet; 18.8 Gigapackets accepted.

QoS issues

Coupling IP and ATM QoS capabilities

Allocation of resources – how is pain inflicted? How paid for?

Internal vs. External – mostly an external issue for now

QoS performance levels – how to guarantee?

 

ESnet Network Info & Services Update – Allen Sturtevant (ESnet)

They are currently using DCE 1.1 for Solaris 2.5.1

JLAB is using Network Intrusion Detector, SPInet. They require all multi-user systems to provide the computer center with a non-privileged login. That login is used to check the system to be sure it hasn’t been compromised. It does an MD5 checksum of key binaries [rlogin, su, etc.]. They have been able to require SSH, Kerberos, and SecurID. SLAC has a monitor tied into the phone pager.
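The JLAB practice above (baseline the checksums of key binaries, then re-check them from an unprivileged login) written out as a small script. This is an added example, not JLAB's tool; the binary paths are placeholders, the demo builds stand-in files in a temp directory, and MD5 is used only because that is what the notes describe (hashlib lets you pass "sha256" instead).

```python
import hashlib
import os
import tempfile

# Hypothetical list of "key binaries" to baseline; the notes name rlogin and su.
KEY_BINARIES = ["/usr/bin/rlogin", "/usr/bin/su"]

def hash_file(path, algo="md5", chunk=65536):
    """Hex digest of a file, read in chunks so large binaries fit in memory."""
    h = hashlib.new(algo)
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()

def build_baseline(paths, algo="md5"):
    """Record the digest of every path that exists (store this off-host in practice)."""
    return {p: hash_file(p, algo) for p in paths if os.path.isfile(p)}

def verify_baseline(baseline, algo="md5"):
    """Compare current digests with the baseline; report changed and missing files."""
    changed, missing = [], []
    for path, expected in baseline.items():
        if not os.path.isfile(path):
            missing.append(path)
        elif hash_file(path, algo) != expected:
            changed.append(path)
    return {"changed": sorted(changed), "missing": sorted(missing)}

def demo():
    """Constructed run: two stand-in 'binaries' in a temp dir; one is altered, one removed."""
    with tempfile.TemporaryDirectory() as d:
        su = os.path.join(d, "su")
        rlogin = os.path.join(d, "rlogin")
        for p in (su, rlogin):
            with open(p, "wb") as f:
                f.write(b"original contents of " + os.path.basename(p).encode())
        baseline = build_baseline([su, rlogin])
        assert verify_baseline(baseline) == {"changed": [], "missing": []}
        # Simulate a modified su and a removed rlogin, as a checker should detect
        with open(su, "ab") as f:
            f.write(b"\nextra bytes")
        os.remove(rlogin)
        result = verify_baseline(baseline)
        # Return basenames so the result does not depend on the temp dir name
        return {k: [os.path.basename(p) for p in v] for k, v in result.items()}

if __name__ == "__main__":
    print(demo())  # {'changed': ['su'], 'missing': ['rlogin']}
```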

It was proposed that the ESnet Distributed Helpdesk centralize(sic) info on security hole plugging.

 

Next Generation Internet – NGI – Bob Aiken

The acronym stands for No Government Involvement; check out http://www.ngi.com

First goal is network research.

Security

Concurrent production and research on the same network – MORPHnet http://www.ccic.gov

QoS implies accounting and settlement capabilities

Internet 2 is much more production oriented

NGI – aggressive integration of Net R&D and applications

 

Network Challenged Applications – Bob Aiken

Money available from MICS

Establish a small number of test-bed projects for ER research applications

 

10/2 –

Distributed Systems Management Working Group

SNL and LANL have shared cross authentication (on the secure side)

AFS allows multiple credentials; DCE allows only one

[the session demonstrated much interest in the bureaucratic side of security and little interest in real security]

 

DCE Working Group

In 6 months it will be possible to access HPSS files through DFS (longer for the rest of us)

Lag time between a new release of NT and support in DCE and DFS is a real problem. (DFS especially, since DCE comes with the new version of NT)

Managing DFS ACLs needs a better user interface – Gracle? Perl TK prototype that PNNL is implementing, or Platinum PCI or AIX

PNNL is doing proof of concept for running a number of DFS servers on NT (and still use central authentication)

ORNL may be interested in organizing DCE/DFS internals class – maybe in conjunction with the next ESnet meeting

Bill Meyer – Mag Fusion Experiment at LLNL – use DCE/DFS to do computing at LLNL while experiments are performed elsewhere

 

Report on Open Group meeting in Boston last week

There had been a prioritization of enhancements but nothing had been done

Old model for enhancement to DCE is broken

DCE will not be ubiquitous, it must co-exist; need to be able to co-exist with other security infrastructures. RFC 95 includes making DCE work with public key – Entrust, in particular

Some sites create a group for each user and create a ‘friends’ directory under that

There are real problems in using chmod on DFS files. Even with user education, many install scripts still run chmod – as does tar if you untar and preserve ownership.

 

Working Group Review session (Les left so I had to take more notes)

DSMWG Look on es.net in /hypertext/committees/dsmwg.html

Authentication is a shared responsibility between sites

Want to start a pilot project – limit to non-sensitive data – sites available for arbitrary cross-certification: ANL, Ames, ESnet, JNL, LLNL, NERSC, PNNL

 

DCEWG

Focus on working on integration of DCE and PK environment

Tools – DFS websecure from SNL

Internals training proposed by ORNL

Bulk licenses proposed by ORNL – could for now just put something out on a list if there is a deal others may want to get in on.

 

The ASCI Experience – Barry Howard – LLNL

Accelerated Strategic Computing Initiative http://www.llnl.gov/asci

Three labs, one program – develop simulation technology for stockpile stewardship

HPC platform can only be used with a supportive computing environment and the gap is widening

Problems

 

Critical path items

Looking ahead

 

Integrating Kerberos and DCE – Ron Wilkins – LANL

The division of responsibilities at LANL has Kerberos doing authentication, DCE doing authorization

kinit goes to the K4/K5 server

TGS and PS are accessed using k5dcelogin (on another server) to turn K5 ticket into DCE credentials

If the key in DCE and K5 is the same and realm name is the same then the K5 TGT is exactly the same as the DCE TGT

Passwords are only managed on the Kerberos KDC; DCE security server passwords are random

All DCE systems use k5dcelogin

No change in what the user has to do – always use kinit

Kerberos is moving faster than DCE and is getting new features – this architecture helps to decouple things so they can take advantage of new Kerberos features as they become available

It all should work OK with NT 5 when Microsoft includes a K5 implementation

There is a problem with European access to K5 (the encryption, at any rate)

 

AuthTF – Doug Engert – ANL deengert@anl.gov

PAG – Process Authentication Group

 

k5dcelogin

New solution

New k5dcelogin

 

Callable by rshd, ftpd, rlogind, telnetd, sshd, others and it happens before any access is made to the home directory

Solaris 2.5 has a pluggable authentication structure

For mods look at: ftp://achilles-ctd.anl.gov/pub/kerberos.V5

Consider momentum of the various products – 200 people at DCE conference; 6000 people at NT developers conference

Projects –

 

DOE 2000 Update (check out http://www-itg.lbnl.gov)

 

Collaborative Technologies

 

Implementation – definition of API complete – need feedback. Write in Nexus, Java, C++, C, CORBA

Van Jacobson has done the QoS design

 

Web references: (probably close, but not guaranteed)

 

ESnet Remote Conferencing – Kipp – FNL

IP multicast only

352 x 288 resolution only

audiobridging

 

MSB

 

H.323

 

- - - - - - -

Bob Aiken comment from the back of the room -

Internet 2 was able to group and talk to congressional staffers. We need to get scientists to say they need the stuff we’re doing.

 

 

10/3 -

Snareworks

Provides security framework to TCP/IP based and legacy apps, including single sign-on, in a transparent manner.

Protocols currently supported

Supports mapping Single Signon to multiple targets

Works in conjunction with integrated login – forwarding user credentials to target host

Extensible

Dynamic user registration

Based on host/domain/cell

Account attributes and policies

Fine-grained access control by

Settings can represent permissions

Settings can represent features

Licensed for export (40 bit export, 56 bit local)

Future PSM’s planned for Oracle, Tuxedo, PeopleSoft, and others

Does not encrypt the headers to be firewall friendly

Platforms supported:

 

Is able to maintain your credentials for multiple DCE cells (getting around a problem discussed earlier in the week)

Requires DCE 1.1 – but results in significant cuts in DCE license costs since very few servers are required.

 

Security Developments – Bill Johnston – LBNL

http://www-itg.lbl.gov/~johnston

 

In the model they are developing, authorization authorities specify the use conditions. Certificate servers hold those conditions. A policy engine enforces the use conditions by matching them against an entity’s attributes and issues a capability for that entity (user) [like getting a security badge]. An access control gateway requires a capability and enforces certain policies – "check immediate" if the capability (badge) must be checked for current validity; out-of-band issues (payment), etc. – and sets up the security context.

The actions allowed to be performed on resources are controlled independently of the access allowed.
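A toy model of the pipeline described above (use conditions, a policy engine issuing capabilities, a gateway enforcing "check immediate" and a separate action list), added here as an illustration and not the LBNL group's code. It assumes an HMAC key shared between engine and gateway and a revocation set standing in for the "check immediate" lookup; the use conditions and attribute names are constructed.

```python
import hashlib
import hmac
import json
import time

# Assumed: a key shared by the policy engine and the gateway (the notes do not say
# how capabilities are protected; this is a constructed demo key).
ENGINE_KEY = b"constructed-demo-key"

# Use conditions, as set by an authorization authority and held by a certificate server:
# resource -> attributes a requester must hold, and the actions granted if they do.
USE_CONDITIONS = {
    "beamline-data": {"requires": {"org": "lab-a", "cleared": True},
                      "actions": {"read", "list"}},
}

# Subjects whose capabilities must fail a "check immediate" lookup (stand-in for
# a live validity check); left empty until the demo revokes someone.
REVOKED = set()

def issue_capability(user, attributes, resource, ttl=300):
    """Policy engine: match the resource's use conditions against the user's attributes."""
    cond = USE_CONDITIONS.get(resource)
    if cond is None or any(attributes.get(k) != v for k, v in cond["requires"].items()):
        return None
    body = {"sub": user, "res": resource, "act": sorted(cond["actions"]),
            "exp": int(time.time()) + ttl}
    payload = json.dumps(body, sort_keys=True)
    tag = hmac.new(ENGINE_KEY, payload.encode(), hashlib.sha256).hexdigest()
    return {"payload": payload, "tag": tag}

def gateway_check(cap, action, check_immediate=False, now=None):
    """Access control gateway: require a valid capability, then enforce the action list."""
    if cap is None:
        return False
    expected = hmac.new(ENGINE_KEY, cap["payload"].encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, cap["tag"]):
        return False  # badge was altered or forged
    body = json.loads(cap["payload"])
    if (now if now is not None else time.time()) > body["exp"]:
        return False  # badge expired
    if check_immediate and body["sub"] in REVOKED:
        return False  # unexpired, but pulled since issue
    return action in body["act"]  # actions are controlled separately from access
```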

[This appears to be a fairly theoretical effort. I asked a fairly basic real-world question about how the capabilities were handled and the speaker admitted that they had not considered that circumstance.]

 

Directory services and other random things – Michael Helm – Esnet

SLAC has its own X.500 service (?)

He is willing to set up a Certificate Authority for Esnet sites ... or at least explore the possibility.

Entrust is mailing a Eudora plug-in to support S/MIME

PS/MIME under Netscape may be easier to use than Eudora’s PGP.

 

Legal Aspects of PKI – Gary Fresen (lawyer)

The only thing I wrote down was the point he made that what we often talk about as non-repudiation is really non-deniability.

PKI WG Report – John Long – SNL

Certificate Authorities are expensive. DOE is setting up a policy on how funds can be used (training, infrastructure, etc.)

No hierarchy of CA’s is expected. Rather there will be cross certification to provide for certificate transfer.

Multi-level trust needs some more software AND user sophistication.

A draft DOE policy went out in early September and will be signed at any time now. There was much discussion about the fact that the draft policy went out without much announcement because they didn’t want a lot of comments back – most people at the meeting didn’t even know a policy was being considered.

 

* * * * * * * * * * * * * * * End of Meeting * * * * * * * * * * * * *