$30 off During Our Annual Pro Sale. View Details »

Distributing CRLs via CloudFlare

Distributing CRLs via CloudFlare

An informal talk about how CloudFlare helps CILogon and NCSA distribute CRLs.
Presented at the 21st TAGPMA Face-to-Face Meeting, Pittsburgh, PA, U.S.A. May 27-29 2015.

Jim Basney

May 27, 2015
Tweet

More Decks by Jim Basney

Other Decks in Technology

Transcript

  1. National  Center  for  Supercomputing  Applications University  of  Illinois  at  Urbana–Champaign

    Distributing  CRLs  via  CloudFlare® Jim  Basney [email protected] TAGPMA  21 May  2015 Pittsburgh,  PA
  2. The  Need • Constant  retrieval  load  on  web  servers •

    200k  requests  per  day • IPv6  accessibility • High  availability
  3. First  Try • Constant  retrieval  load  on  web  servers •

    Contact  abusers  (Feb  2014) • Block  abusers  (Oct  2014) • IPv6  accessibility • Waiting  for  our  network  to  support  it… • High  availability • DOEGrids backup  for  CILogon CRLs  now  retired
  4. Now • Constant  retrieval  load  on  web  servers • Solved:

     CloudFlare handles  >95%  CRL  requests  for  us • IPv6  accessibility • Solved:  CloudFlare serves  CRLs  over  IPv4/IPv6 • $  host  crl-­cilogon.ncsa-­security.net crl-­cilogon.ncsa-­security.net has  address  104.28.12.59 crl-­cilogon.ncsa-­security.net has  address  104.28.13.59 crl-­cilogon.ncsa-­security.net has  IPv6  address  2400:cb00:2048:1::681c:c3b crl-­cilogon.ncsa-­security.net has  IPv6  address  2400:cb00:2048:1::681c:d3b • High  availability • Solved:  CloudFlare serves  CRLs  when  NCSA  is  offline
  5. Our  CRLs  are  small • CILogon and  NCSA  CRLs  are

     each  <1KB • CloudFlare will  cache  files  up  to  512MB  in  size • No  bandwidth  charges
  6. How-­To • Register  new  DNS  domain  (eg.,  ncsa-­security.net) • Give

     DNS  control  for  that  domain  to  CloudFlare • Configure  source  URLs  in  CloudFlare (e.g.,  crl.cilogon.org /  crl.ncsa.illinois.edu) • Set  custom  caching  for  *.crl and  *.r0  files  (see  next  slide) • Register  new  CRL  URLs  with  IGTF $  cat  cilogon-­basic.crl_url http://crl-­cilogon.ncsa-­security.net/cilogon-­basic.crl http://crl.cilogon.org/cilogon-­basic.crl $  cat  NCSA-­tfca-­2013.crl_url   http://crl-­ncsa.ncsa-­security.net/tfca2013.crl http://crl.ncsa.illinois.edu/tfca2013.crl
  7. Discussion • CRL  integrity  provided  by  digital  signature  on  CRL

     file • fetch-­crl will  not  install  CRL  with  invalid  signature • In  case  of  CloudFlare outage • fetch-­crl will  use  secondary  CRL  URL (e.g.,  crl.cilogon.org /  crl.ncsa.illinois.edu) • Synchronization • fetch-­crl:  Attempt  to  install  example.r0  failed  since  the  current   CRL  is  more  recent  than  the  one  that  was  downloaded. • So  far  so  good?  Anyone  seen  problems  with  our  CRLs  lately? • In  case  of  problems,  we  can  update  ncsa-­security.net to   point  back  to  NCSA  instead  of  CloudFlare
  8. Acknowledgement Thanks  to  James  Eyrich and  Terry  Fleury at  NCSA.

    Thanks  to  CloudFlare®  for  providing  this  valuable  service!