SALSA NetAuth Conference Call June 23, 2005
*Action Items*
New
[AI] {Chris, Eric and Kevin} will revise the diagram in the
Architecture document and send the document to SteveO as version 3 for
discussion on the next call.
[AI] {SteveO} will post the Architecture document version 3 to the WG’s
web site.
Carry Over
[AI] {Chris} will send the list of vendor questions developed by the WG
during this call to the group via the list.
[AI] {Chris} will arrange vendor discussions for a subsequent call.
[AI] {Chris} will contact Bob Morgan to discuss whether there may be
IETF activities that would be open to or in alignment with NetAuth
efforts.
[AI] {Chris} will post message to the NetAuth and FWNA lists soliciting
volunteers to develop an outline of issues for NetAuth in a federated
environment.
[AI] {Chris} will solicit from the WG contributions about NetAuth
vendor solutions currently being used.
[AI] {Individuals} will send in case studies for potential use in the
Strategies document.
*Participants*
Chris Misra, University of Massachusetts (chair)
Tony Genovese, ESnet
Eric Gauthier, Boston University
Mark Poepping, Carnegie Mellon University
Tom Zeller, Indiana University
Jon Moore, University of Pennsylvania
Robert Lowe, Lawrence University
Terrie Clark, Internet2 (scribe)
Renee Frost, Internet2
Steve Olshansky, Internet2
*Discussion*
The ResNet 2005 conference will be held in June 2005 at the Georgia
Institute of Technology. For more information please see:
http://resnet2005.gatech.edu/.
A Joint Techs workshop will be held in Vancouver, British Columbia from
July 17 – 21, 2005. The efforts of SALSA, including those of the
NetAuth working group, will be of interest to attendees and will be
presented at the workshop. For info on Joint Techs see
http://jointtechs.es.net/Vancouver20051.htm. It is possible that this
will be an appropriate forum for a face-to-face discussion with network
architects and engineers about the NetAuth WG’s Strategies and Futures
documents.
The Call for Participation for the Fall 2005 Internet2 Member Meeting,
scheduled for September 19 - 22 in Philadelphia, PA is now available
for response at: http://events.internet2.edu/2005/fall-mm/calls.cfm. The
call for proposals deadline has been extended to July 8, 2005.
The “NetAuth Architecture for Automating Network Policy Enforcement
(Futures Document)” will undergo a few minor changes as a result of
feedback and discussion among the WG. It will be sent to the list,
reviewed by the group and published as draft 3. Once published it will
be vetted among other groups such as SALSA, ResNet and FWNA. The final
state box will be changed to reflect the state of a device that has
successfully connected to the network, but is being monitored for
policy violations. The group seeks a more descriptive term for this
state. Please send your suggestions to the group via the list. The
diagram will also reflect the enforcement states of remediation and
isolation as transitional states, not end states.
The FWNA Group will be working with the Eduroam Global Working Group as
new developments arise.
The group discussed NetAuth’s role in a federated environment. What
needs to be accomplished in order to implement NetAuth in a federated
environment? Should NetAuth render a binary decision about a
user/device’s compliance? Perhaps not: NetAuth seems a better fit
for generating an assertion about compliance for a user/device. The
NetAuth system could provide information about a local institution’s
network (and related access policies) and a user/device’s level of
compliance with the local institution’s network policies. It could be
viewed as the technology utilized to support the enforcement of policy
decisions for local institutions, federations, or both.
What, then, defines a federation in this context? Is it a group of
colleges and departments within an institution? A group of
institutions? A group of scientists or researchers from an institution?
A collection of individuals and institutions researching a grant
specific topic? The group noted that the Internet2 InCommon Federation
effort may already have defined federation for this purpose, and that
once institutions become members of a federation with policy agreement,
the NetAuth technology can be utilized regardless of the federation’s
nature. NetAuth can provide two
services in this area, authorization of users and authorization of
devices. Authorization ultimately depends on the policies of the
network being accessed. NetAuth can utilize middleware attribute
management approaches developed by other groups for authentication.
Prominent among these in the R&E arena are SAML and Shibboleth.
Information on the InCommon Federation can be found at
http://www.incommonfederation.org/
It is important to understand the credentials and attributes an
organization requires to make access control decisions locally. These
can be drawn from authorization information, device-state information,
and username/password-state information. What other information will be
required to use technology to enforce policy decisions? The group will
discuss these concepts in greater detail on the next call.
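As an added illustration of the division of labour discussed on the call (not code from the NetAuth WG, Shibboleth or SAML), the following Python sketch has a home institution issue a signed assertion carrying device-state and credential-state facts, while each visited network verifies the assertion and applies its own local policy. The issuer names, state names, shared-secret trust model and assertion lifetime are all assumptions chosen for the example; a real federation would use the home IdP's signing key from federation metadata rather than a shared secret.

```python
"""Hypothetical model of NetAuth's federated role: assertion, not decision.

Added example, not NetAuth, Shibboleth or SAML code. Issuer names, state
names, the shared-secret trust model and the lifetime are assumptions.
"""
import hashlib
import hmac
import json
import time

# Constructed federation trust: issuer -> shared secret. Stands in for the
# per-IdP signing keys a SAML federation metadata file would carry.
FEDERATION_KEYS = {"home.example.edu": b"constructed-demo-secret"}

ASSERTION_LIFETIME = 300  # seconds; assumed value


def _canonical(payload):
    """Stable byte form of the payload so signer and verifier hash the same thing."""
    return json.dumps(payload, sort_keys=True, separators=(",", ":")).encode()


def issue_assertion(issuer, subject, device_state, credential_state, now=None):
    """Home institution asserts compliance facts; it renders no access decision."""
    now = int(time.time()) if now is None else now
    payload = {
        "issuer": issuer,
        "subject": subject,
        "issued_at": now,
        "expires_at": now + ASSERTION_LIFETIME,
        "device_state": device_state,          # e.g. compliant, patch_pending, remediation
        "credential_state": credential_state,  # e.g. password_ok, password_expired
    }
    sig = hmac.new(FEDERATION_KEYS[issuer], _canonical(payload), hashlib.sha256).hexdigest()
    return {"payload": payload, "sig": sig}


def verify_assertion(assertion, now=None):
    """Return the asserted facts if the issuer is federated, the signature is
    valid and the assertion is inside its validity window; otherwise None."""
    payload = assertion.get("payload", {})
    key = FEDERATION_KEYS.get(payload.get("issuer"))
    if key is None:
        return None  # issuer is not a federation member
    expected = hmac.new(key, _canonical(payload), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, assertion.get("sig", "")):
        return None  # tampered or forged
    now = int(time.time()) if now is None else now
    if not payload["issued_at"] <= now < payload["expires_at"]:
        return None  # stale or not yet valid
    return payload


# Two visited networks with different local policies. Outcomes use the
# enforcement states from the architecture discussion: the monitored
# connected state, and the transitional remediation and isolation states.
LENIENT_NETWORK = {
    "accepted_credential_states": {"password_ok"},
    "accepted_device_states": {"compliant", "patch_pending"},
    "remediable_device_states": {"remediation"},
}
STRICT_NETWORK = {
    "accepted_credential_states": {"password_ok"},
    "accepted_device_states": {"compliant"},
    "remediable_device_states": {"patch_pending", "remediation"},
}


def local_decision(assertion, policy, now=None):
    """Visited network's decision: the assertion supplies facts, the local
    policy decides. Anything unverifiable is treated as non-compliant."""
    facts = verify_assertion(assertion, now)
    if facts is None:
        return "isolation"
    if facts["credential_state"] not in policy["accepted_credential_states"]:
        return "isolation"
    if facts["device_state"] in policy["accepted_device_states"]:
        return "connected_monitored"
    if facts["device_state"] in policy["remediable_device_states"]:
        return "remediation"
    return "isolation"


if __name__ == "__main__":
    a = issue_assertion("home.example.edu", "alice", "patch_pending", "password_ok", now=1000)
    print(local_decision(a, LENIENT_NETWORK, now=1100))  # connected_monitored
    print(local_decision(a, STRICT_NETWORK, now=1100))   # remediation
    forged = {"payload": dict(a["payload"], device_state="compliant"), "sig": a["sig"]}
    print(local_decision(forged, STRICT_NETWORK, now=1100))  # isolation
```

The same assertion yields different outcomes on the two networks, which is the point of the discussion: the home institution only states what it knows about the device and the credential, and authorization remains a function of the policy of the network being accessed. Verification happens before any policy is consulted, so a forged, unknown-issuer or expired assertion lands in isolation rather than being partially trusted.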
GGF has developed a federation document addressing roaming scientists
and grids. For more information please see:
https://forge.gridforum.org/projects/caops-g/document/Guidelines_for_Authenticaiton_Federations_in_Grids/en/1
The next call is Thursday, July 7, 2005 at 12:00 PM EDT. An agenda with
the call-in number will be sent out to the WG via the list prior to the
call.