Authorisation infrastructure for on-demand network resource provisioning

Demchenko, Yuri; Wan, Alfred; Cristea, Mihai; Laat, Cees de

doi:10.1109/grid.2008.4662787

Cited by 12 publications

(10 citation statements)

References 13 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…However, they do not investigate authorization process in case of non preregistered users, that, instead, is addressed in this work as a result of one-step decision-making process prior the effective access to resource. Nevertheless, the proposed authorization mechanisms can supplement the one proposed in [14,15] for the generation and delivery of the token to verify if it can be granted to the requesting user.…”

Section: Related Workmentioning

confidence: 99%

“…In [14,15], the access control issue is tackled within the context of on-demand network resource provisioning in a multi-domain scenario for the benefit of grid applications. In this works, the focus is on per-session authorization and security context management assuring to be consistent across domains (i.e., spatial consistency) and between the resource provisioning and access phases (i.e., temporal consistency) thanks to the use of a token mechanisms.…”

Section: Related Workmentioning

confidence: 99%

See 1 more Smart Citation

Extending Resource Access in Multi-Provider Networks Using Trust Management

Colombo¹,

Martinelli²,

Mori³

et al. 2011

IJCNC

View full text Add to dashboard Cite

show abstract

Section: Related Workmentioning

confidence: 99%

Section: Related Workmentioning

confidence: 99%

Extending Resource Access in Multi-Provider Networks Using Trust Management

Colombo¹,

Martinelli²,

Mori³

et al. 2011

IJCNC

View full text Add to dashboard Cite

show abstract

“…The authors addressed this problem in developing AuthZ service for Grid based collaborative applications and for NRP [27,28] by using AuthZ tickets and token that when used together can address both extended AuthZ context management and performance issues. The proposed and currently implemented in the GAAA-TK solution supports two types of AuthZ tickets: proprietary, and based on the SAML 2.0 Assertions format [29] and SAML 2.0 Profile of XACML [30].…”

Section: B User and Authorisation Session Managementmentioning

confidence: 99%

“…The authors have implemented the CRP model in application to the multidomain Network Resource Provisioning authorisation infrastructure (GAAA-NRP) [27] in the framework of the Phosphorus project.…”

Section: A Complex Resource Provisioning Modelmentioning

confidence: 99%

Re-thinking Grid Security Architecture

Demchenko

Laat

Koeroo

et al. 2008

2008 IEEE Fourth International Conference on eScience

Self Cite

View full text Add to dashboard Cite

Abstract-The security models used in Grid systems today strongly bear the marks of their diverse origin. Historically retrofitted to the distributed systems they are designed to protect and control, the security model is usually limited in scope and applicability, and its implementation tailored towards a few specific deployment scenarios. A common approach towards even the "basic" elements such as authentication to resources is only now emerging, whereas for more complex issues such as community organization, integration of site access control with operating systems, crossdomain resource provisioning, or overlay community Grids ("late authentication" for pilot job frameworks or communitybased virtual machines) there is no single coherent and consistent "security" view. Via this paper we aim to share some observations on current security models and solutions found in Grid architectures and deployments today and identify architectural limitations in solving complex access control and policy enforcement scenarios in distributed resource management. The paper provides a short overview of the OGSA security services and other security solutions used in Grid middleware and operations practice. However, it is becoming clear that further development in Grid requires a fresh look at the concepts, both operationally and securitywise. This paper analyses the security aspects of different types of Grids and a set of use cases that may require extended security functionality, such as dynamic security context management, and management of stateful services. Recent developments in open systems security, and revisiting basic security concepts in networking and computing including the OSI Security Architecture and the concepts used in the Trusted Computing Base provide interesting examples on how some of the conceptual security problems in Grid can be addressed, and on how the shortcomings of current systems and the frequently proposed "ad-hoc" stop-gaps for what are in fact complex security manageability problems may be avoided. This paper is thus intended to initiate and stimulate the wider discussion on the concepts of Grid security, thereby setting the scene for and providing input to a Grid security taxonomy leading to a more consistent Grid Security Architecture.

show abstract

“…The push model, described in this framework, has been used in scenarios that implements network resource provisioning involving multiple domains. The provisioning process can be split into three stages 13 : (1) reservation / authorization, (2) deployment or activation, and (3) access or use/consumption. The reservation stage, which involves the user, may require (sometimes complex and time consuming) interactions to find, select, schedule and authorize the appropriate resources.…”

mentioning

confidence: 99%

Multi-domain lightpath authorization, using tokens

Gommans

Demchenko

et al. 2009

Future Generation Computer Systems

Self Cite

View full text Add to dashboard Cite

Abstract.This paper highlights the concepts and results of our research leading to demonstrations during the period [2005][2006][2007] use their own dedicated network infrastructure, designed to handle the required data volumes without being tightly coupled to computational resources. In our paper we will not target such applications but consider data intensive applications that are expected to benefit from the ability of a network to dynamically allocate and reserve lightpaths that are shared at different times with other applications. Several examples of these applications within areas such as data mining and visualisation can be found within the realm of the OptIPuter project. We will also consider network situations were multiple network providers must work together in order to create end-to-end lightpaths. We will assume that providers will allow applications or its middleware to make lightpath reservations. As lightpaths typically do not use network layer data forwarding techniques and rely on layer-2 or below technologies, access control to a lightpath becomes more difficult, in particular if a lightpath needs to be specifically bound to an application. During the course of this paper we will see that network domains and applications can work together in different ways to make sure applications, which reserve a lightpath, actually get unique access to their reserved lightpath. and GEANT2 Autobahn 8 allow applications to reserve and use a lightpath on demand. Within these networks it is however unclear how particular applications can be given exclusive access to a reserved lightpath, whilst preventing other applications from using the same lightpath during its use. In this paper, we show a token based access control mechanism that can be used for this purpose. Recent research and development projects such as Phosphorus 9 and Internet2 DCN aim at making network resources Grid middleware enabled. The token approach is being incorporated and tested in these projects.A token provides a flexible mechanism that allows the right to access a lightpath to be

show abstract

Authorisation infrastructure for on-demand network resource provisioning

Cited by 12 publications

References 13 publications

Extending Resource Access in Multi-Provider Networks Using Trust Management

Extending Resource Access in Multi-Provider Networks Using Trust Management

Re-thinking Grid Security Architecture

Multi-domain lightpath authorization, using tokens

Contact Info

Product

Resources

About