
  • Phase 1: Initial infrastructure – This phase will encourage and facilitate participant NRENs in implementing a Trust Router architecture or enhancing existing eduroam architecture, including the scaling up of international eduroam infrastructure.
  • Phase 2: Policies and wider roll-out – This phase will develop the required Moonshot policies and technical peering requirements to facilitate non-web SSO interfederation. It will also include the development of advice and guidance for NRENs on what is required to implement an NREN-wide Moonshot infrastructure. This work will build on the existing eduGAIN policies.
  • Phase 3: Use case implementation – This phase will facilitate the Moonshooting of specific community-required services and applications, for example Moonshooting distributed file systems to support the Grid community.


Offering

A GÉANT Moonshot interfederation service will enable education and research users across the world to login to non-web applications and services using their institution credentials. This simplifies their authentication, reducing the complexity of managing additional login credentials and so increases security.
Moonshot solves use cases that have no current deployable federated solution; that have a user experience that can be significantly improved upon; or that have existing deployment models whose cost and effort can be reduced. Examples include:
  • Convergence of network and application SSO infrastructures
  • Easy integration with applications such as file transfer, SSH, OpenStack and remote desktop
Moonshot capabilities deployed at national level provide the underlying infrastructure. Policy and interfederation aspects are aligned with eduGAIN for a consistent user experience.


Reason to Act

  • Using Moonshot, NRENs are able to lower the barriers to collaboration within their communities; reduce the cost and time to create new services; drive down operational costs for the NREN and their members/customers.
  • Joining a GÉANT Moonshot interfederation service means common policies and governance aligned with eduGAIN, which will reduce the time, effort and cost of dealing with multiple federations on a bilateral basis.
  • Feedback from the international community suggests a GÉANT Moonshot interfederation service would be of value to organisations wishing to obtain secure access to out-sourcing and cloud providers who are increasingly providing services (such as storage, compute, email, calendaring and instant messaging) to the education and research community; the Grid Computing community who are interested in enhancing the usability of their services; and even to the school sector who are interested in federating desktops to enable peripatetic and supply teachers to log on to local networks with federated credentials.


Customer Experience

NRENs are potential deployers of the Moonshot infrastructure.
NREN community users are customers of applications and services that use Moonshot for authentication.
A typical example of the latter is “researchers who want quick and secure access to their data and systems”.

Examples of community users from Janet include HPC consortia, Diamond Light Source and international research groups, many of whom have been expressing interest in Moonshot technology and a desire for a Moonshot service for the past few years. Similar interest has been seen from fellow NRENs.

Moonshot technology has previously been explored by a number of countries, with colleagues from CESNET, RedIRIS, RESTENA and CARNet engaged in the development process and also interest from Internet2 and CANARIE.
NORDUnet (CSC), RENATER, CARNet, SWITCH, NIIFI, CESNET, RedIRIS and Janet all have use cases that they wish to pilot within GN3+ with a view to developing a GÉANT Moonshot interfederation service.


Benefits

Moonshot provides a common interface to allow users to federate anything and everything.
  • Security is designed in from the beginning:
    RadSec – secure AAA transport
    EAP – protection for credentials
  • Ability to convey complex information for authorisation decisions:
    SAML – rich identity information
Infrastructure is based on tried and tested technologies proven to scale and already used to deliver NREN production eduroam and identity federations.

Providing an international service simplifies non-web access management for global research groups that span multiple countries.


Costs

Costs to NRENs are mainly in staff resources to implement the technical infrastructure, plus VMs for hosting the infrastructure.
  • Typical estimate: 1 MM to understand and set up Trust Router + 1 VM
  • Skillsets in RADIUS and SAML are an advantage, and are required in the pilot stage

Costs to users are in integration work for connecting their applications and are highly dependent on existing skill sets and the complexity of the target application.
  • Costs can vary from 0.5 days to install the libraries on Exchange Server and test, to 1 MM+ to implement on an HPC cluster.

Costs to institutions are to implement some technical infrastructure:
  • Moonshot currently requires a FreeRADIUS server.
  • Target of 1 MM to set up and configure campus IdP and RADIUS proxy.
  • Institutions that don’t yet run FreeRADIUS and may lack Linux expertise may require longer to implement.


Time

End sites and NRENs can implement Moonshot now.
NRENs can either install their own Trust Router or join the Janet Trust Router infrastructure that is now available. V1.4 of Trust Router was released 26 September 2014 and includes peering to facilitate interfederation. This will be tested in Q4 2014.
A full GÉANT Moonshot interfederation service is planned for GN4 Phase 1.


Alternatives

The EC-funded AAA Study, led by TERENA and composed of the University of Amsterdam, LIBER and the University of Debrecen, provides recommendations for the development and deployment of a Scientific Data e-Infrastructure (SDI) to enable access to heterogeneous data for researchers and citizens. Of the current and emerging services reviewed, no other solution has been identified that solves the use cases and meets the customer requirements of Moonshot.

National SAML federations provide a similar service, but these are restricted to web authentication only. Moonshot technology is a candidate to enhance or provide an additional option rather than an alternative.

The CILogon Service (https://cilogon.org) allows users to authenticate with their home organisation and obtain a certificate for secure access to cyberinfrastructure. The technology translates a SAML token into an X.509 certificate to bridge from a web browser to command-line and other non-web applications, but it is not as well developed or as functional as Moonshot. The CILogon Service has support for the SAML Enhanced Client or Proxy (ECP) profile for non-browser access. ECP is a SAML v2.0 profile which allows for the exchange of SAML attributes outside the context of a web browser. Although SAML ECP shares a similar technical approach to Moonshot, it does not address customer requirements as comprehensively as Moonshot does. For example, it does not provide a network access authentication mechanism. It also lacks an easily extensible authentication framework, an issue that may impede the use of future authentication innovations (such as biometrics). There are no known plans for an interfederation SAML ECP service and no consistent deployment footprint.


Advantages

Unlike SAML ECP, which typically has access to a user’s credentials, Moonshot does not have such access.
Moonshot uses technology standards that have been proven to be highly scalable.
Moonshot technology is an implementation of the ABFAB IETF standard.


Engagement

The idea of Moonshot has been socialised for more than three years, and the technology has been tested and trialled by a number of institutions in multiple countries.

As the technology and service wrap develops, peer review will help it develop even further.

Development of the GÉANT pilot deployments is explicitly coupled with concrete use cases.

The technologies in Moonshot have been actively developed within the IETF.


KPIs

KPI name    | KPI                                                                                                                                       | RAG
Foobar      | Successful implementation of Moonshot infrastructure in at least 3 NRENs.                                                                 | Green
Dingbat     | Successful interoperation of Moonshot between each of these NRENs                                                                         | Green
Broken KPI  | Successful demonstration of Moonshot as a non-web SSO solution to at least 3 agreed community use cases – including SSH and filestore.      | Red (previously Green)
Another one | purple                                                                                                                                    | Green (previously Yellow)