Partitioning Trust in Network Testbeds
Proceedings of the Hawaii International Conference on System Sciences (HICSS) 2012.
Traditionally, testbeds for networking and systems research have been designed as monolithic facilities: they contain a single root of trust. The resources in the facility are assumed to be administered by a single entity or a set of mutually-trusting entities. All user management, including vouching for users' identities and taking responsibility for their actions, is done using a flat trust structure or a simple hierarchy with the facility itself as the root. This design is not a good match for testbeds that are composed of multiple autonomous facilities, or in which different parts of the testbed operate under different trust models. In this paper, we argue that partitioned trust is increasingly important in large scale and security-sensitive testbeds. We present a design that accomplishes this partitioning by using multiple trust roots. The trust domains created by these roots may decide, independently, how much trust to place in each other, and can apply policies based on the domain or principal that originates a request. The domains could represent separately administered facilities (as in a federated testbed), or they could represent sections within a single facility that run with different trust models (for example, with differing levels of security.) We have implemented this design in ProtoGENI, a control framework for federated testbeds; we include details of this implementation and share experiences from using it in an active deployment with hundreds of users.