Attribution for GENI
Jeffrey Hunker, JHA LLC
Matt Bishop, UC Davis
Carrie Gates, CA Labs
Agenda:
What we are doing
Generalized framework for attribution
Policy negotiation: a key part of this
Benefits
Terminology varies among projects
So we’ll define ours next
(One goal of our project is an ontology of the terminology to make life easier!)
Attribution (our definition): the association of data with an entity
This is a high-level view!
Approach has benefits
Attribution (dictionary definition):
the ascribing of a work (as of literature or art) to a particular author, or
an ascribed quality, character, or right
determining the identity or location of an attacker or an attacker’s intermediary
“First Origin” policy
Technical context: net
to point of distribution; generally considered good
Political context: repressive governments can track messages of dissent to point of origin; generally considered bad
Is privacy good or bad?
Consider the circumstances
Result: different networks with different levels of attribution
How We Think About It
Level of attribution
Perfect non-attribution, false attribution, etc.
Target of attribution
Person, IP address, organization
Confidence in attribution
Attribution assurance, level of assurance (LoA)
Adequacy of attribution
Depends on purpose
Composition of attribution
Sender, receiver policies may vary
Set of actors
What is being attributed
Assurance of attribution
Policy negotiation system
randomized false attribution
perfect selective attribution
Generalized Attribution System
Policy specification: usually
Transaction: what you actually do
(e.g., Message M)
Policy defines what data is tied to what entity and who has access to that data. It is determined by negotiation or agreed.
Follows policy specified
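The slide sketches a generalized attribution system in three parts: a policy specification, a transaction (the message actually sent), and an attribution record that follows the policy, where the policy is the outcome of negotiation between the sender's and receiver's own policies. The following Python model is an added illustration, not code from the GENI attribution project or its authors. The ordering of attribution targets (none, organization, host, person), the assurance scale, the class and function names (SenderPolicy, ReceiverPolicy, negotiate, attribute_transaction) and the sample policies are all constructed assumptions.

```python
"""Toy policy negotiation for a generalized attribution system.

Constructed example: the target ordering, the LoA scale and every name below
are assumptions made for illustration, not the GENI project's design.
"""
from dataclasses import dataclass
from typing import FrozenSet, Optional

# Attribution targets from least to most revealing (constructed ordering).
TARGETS = ["none", "organization", "host", "person"]

# Which sender attributes each target binds to a transaction (cumulative).
TARGET_FIELDS = {
    "none": (),
    "organization": ("org",),
    "host": ("org", "host"),
    "person": ("org", "host", "person"),
}


def rank(target: str) -> int:
    """Position of a target in the disclosure ordering."""
    return TARGETS.index(target)


@dataclass(frozen=True)
class SenderPolicy:
    max_target: str        # most revealing target the sender will disclose
    loa: int               # assurance level the sender can vouch for (1 low .. 4 high)
    audience: FrozenSet[str]  # parties allowed to read the attribution data


@dataclass(frozen=True)
class ReceiverPolicy:
    min_target: str        # least revealing target the receiver will accept
    min_loa: int           # minimum assurance the receiver requires
    audience: FrozenSet[str]  # parties the receiver needs to share the data with


@dataclass(frozen=True)
class Agreement:
    target: str
    loa: int
    audience: FrozenSet[str]


def negotiate(sender: SenderPolicy, receiver: ReceiverPolicy) -> Optional[Agreement]:
    """Return the least revealing Agreement both sides accept, or None."""
    if rank(receiver.min_target) > rank(sender.max_target):
        return None  # receiver demands more than the sender will disclose
    if sender.loa < receiver.min_loa:
        return None  # sender cannot vouch at the required assurance
    if not receiver.audience <= sender.audience:
        return None  # receiver wants to share with a party the sender excludes
    # Minimal disclosure: settle on the receiver's floor, not the sender's ceiling.
    return Agreement(receiver.min_target, sender.loa, receiver.audience)


def attribute_transaction(message: str, sender_attrs: dict, agreement: Agreement) -> dict:
    """Tie only the agreed data to the sender entity for one transaction."""
    bound = {k: sender_attrs[k] for k in TARGET_FIELDS[agreement.target]}
    return {
        "message": message,
        "attributed_to": bound,
        "loa": agreement.loa,
        "readable_by": sorted(agreement.audience),
    }


def demo() -> dict:
    """Negotiate a constructed sender/receiver pair and attribute message M."""
    sender = SenderPolicy("host", 2, frozenset({"receiver", "receiver-irt"}))
    receiver = ReceiverPolicy("organization", 2, frozenset({"receiver"}))
    agreement = negotiate(sender, receiver)
    if agreement is None:
        raise RuntimeError("no agreement possible")
    # Constructed sender attributes; the record keeps only the org field.
    attrs = {"org": "ExampleU", "host": "10.0.0.5", "person": "alice"}
    return attribute_transaction("M", attrs, agreement)


if __name__ == "__main__":
    print(demo())
```

The negotiation settles on the receiver's minimum rather than the sender's maximum, which is the sensible default when the goal is to disclose no more than the purpose requires; a receiver that needs person-level attribution from this sender gets no agreement at all rather than a weaker one silently substituted.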
Goals of Work
Provide a unified view of attributes and attribution
Code to manage attributes
Code to help specify policy negotiation (but understanding that humans will be involved in this)
Ontology of terminology to help mediate and reconcile different work
Make assumptions explicit
Users of the services understand exactly what you are offering
You don't get criticized for not meeting what you weren't trying to do, but others thought you were
Can adapt your services with minimal effort to work with other services and to provide higher or lower levels of authentication/identity/authorization/etc. when new folks come on line and need them
Support your services, experiments
Attribution framework provides ways to negotiate policies, manage attributes
So meaning of terms is clear
GENI projects related to attribution
ABAC (authorization for GENI)
Shibboleth (identity management)
ORCA (trust structure)
May be others …
What are the entities that you need or want attribution for?
What sort of policies do you need for your experiments and/or services?
What organizational agreements are needed?
What attributes do you need?
What level of assurance do you need?
Can this view of attribution support your framework?
If not, what elements of an attribution framework that would help you are missing?
What would encourage developers to use this framework?
What types of attribution will be most useful to you (individual, host, organization, ISP, etc.)?
Authentication of User by Local Institution
Authorization for Resource Access by Service Provider
Defines local identity or access management for
P(1) specifies attributes A(1) required to determine authorization to access resource R(1)
Provides attributes A(1, U) required by P(1)
Access to R(1) according to P(1)
Attribute-Based Access Control
Attributes can be assigned or delegated
: entity assigned attributes
: what a principal is authorized to do
(or what determines what a principal is authorized to do?)
used to assign attributes and create delegation rules
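The two slides above describe one flow: the local institution authenticates the user and issues the attributes A(1, U); the service provider's policy P(1) names the attributes required for resource R(1); and access is granted when the user's attributes satisfy P(1), with attributes either assigned directly or delegated. The Python below is an added illustration of that flow, not the ABAC code used in GENI. It implements a small credential engine with three rule forms (direct assignment, delegation to another principal's attribute, and linked delegation through an intermediary attribute); the rule forms, the principal and attribute names, and the sample policy for R1 are constructed assumptions.

```python
"""Toy attribute-based access control with assignment and delegation.

Constructed example, not the GENI ABAC implementation. A credential is
issuer.attr <- body, where body is one of:
  ("member", X)        issuer assigns attr directly to X
  ("attr", B, a2)      everyone holding B.a2 also holds issuer.attr
  ("linked", a1, a2)   everyone holding X.a2 for any X holding issuer.a1
"""
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple

Role = Tuple[str, str]  # (issuer, attribute)


@dataclass(frozen=True)
class Credential:
    issuer: str
    attr: str
    body: Tuple[str, ...]


def all_members(creds: List[Credential]) -> Dict[Role, Set[str]]:
    """Compute every role's membership by iterating the rules to a fixpoint."""
    roles: Set[Role] = {(c.issuer, c.attr) for c in creds}
    for c in creds:
        if c.body[0] == "attr":
            roles.add((c.body[1], c.body[2]))
    m: Dict[Role, Set[str]] = {r: set() for r in roles}
    changed = True
    while changed:
        changed = False
        for c in creds:
            role = (c.issuer, c.attr)
            kind = c.body[0]
            if kind == "member":
                new = {c.body[1]}
            elif kind == "attr":
                new = m.get((c.body[1], c.body[2]), set())
            elif kind == "linked":
                # issuer.a1.a2: union of X.a2 over every X in issuer.a1
                new = set()
                for x in m.get((c.issuer, c.body[1]), set()):
                    new |= m.get((x, c.body[2]), set())
            else:
                raise ValueError(f"unknown rule kind {kind!r}")
            if not new <= m[role]:
                m[role] |= new
                changed = True
    return m


def authorized(creds: List[Credential], user: str, required: Role) -> bool:
    """Policy P(1): access to R(1) iff the user holds the required attribute."""
    return user in all_members(creds).get(required, set())


# Constructed credentials for the flow on the slides.
# Local institution ExampleU authenticates its users and issues A(1, U):
SAMPLE = [
    Credential("ExampleU", "student", ("member", "alice")),
    Credential("ExampleU", "student", ("member", "bob")),
    # Service provider SP names ExampleU as a trusted attribute authority:
    Credential("SP", "trusted_univ", ("member", "ExampleU")),
    # P(1): students of any trusted university may access R1 (linked delegation):
    Credential("SP", "access_R1", ("linked", "trusted_univ", "student")),
    # SP's own admins may access R1 too (delegation to another attribute):
    Credential("SP", "access_R1", ("attr", "SP", "admin")),
    Credential("SP", "admin", ("member", "carol")),
    # An untrusted issuer asserting the same attribute gains nothing:
    Credential("EvilU", "student", ("member", "mallory")),
]

POLICY_R1: Role = ("SP", "access_R1")


if __name__ == "__main__":
    for user in ("alice", "carol", "mallory"):
        print(user, authorized(SAMPLE, user, POLICY_R1))
```

The fixpoint loop is what makes delegation chains safe to evaluate: membership only grows, so the loop terminates, and an attribute asserted by an issuer the provider never trusted (EvilU above) never reaches SP.access_R1 because no rule links it.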