Distributing CRLs via CloudFlare

Transcript

1. National  Center  for  Supercomputing  Applications University  of  Illinois  at  Urbana–Champaign

   Distributing  CRLs  via  CloudFlare® Jim  Basney [email protected] TAGPMA  21 May  2015 Pittsburgh,  PA

2. The  Need • Constant  retrieval  load  on  web  servers •

   200k  requests  per  day • IPv6  accessibility • High  availability

3. First  Try • Constant  retrieval  load  on  web  servers •

   Contact  abusers  (Feb  2014) • Block  abusers  (Oct  2014) • IPv6  accessibility • Waiting  for  our  network  to  support  it… • High  availability • DOEGrids backup  for  CILogon CRLs  now  retired

4. Now • Constant  retrieval  load  on  web  servers • Solved:

    CloudFlare handles  >95%  CRL  requests  for  us • IPv6  accessibility • Solved:  CloudFlare serves  CRLs  over  IPv4/IPv6 • $  host  crl-­cilogon.ncsa-­security.net crl-­cilogon.ncsa-­security.net has  address  104.28.12.59 crl-­cilogon.ncsa-­security.net has  address  104.28.13.59 crl-­cilogon.ncsa-­security.net has  IPv6  address  2400:cb00:2048:1::681c:c3b crl-­cilogon.ncsa-­security.net has  IPv6  address  2400:cb00:2048:1::681c:d3b • High  availability • Solved:  CloudFlare serves  CRLs  when  NCSA  is  offline
5. None

6. CRL  requests  are  globally  distributed • Good  use  case  for

    global  CDN

7. Our  CRLs  are  small • CILogon and  NCSA  CRLs  are

    each  <1KB • CloudFlare will  cache  files  up  to  512MB  in  size • No  bandwidth  charges

8. How-­To • Register  new  DNS  domain  (eg.,  ncsa-­security.net) • Give

    DNS  control  for  that  domain  to  CloudFlare • Configure  source  URLs  in  CloudFlare (e.g.,  crl.cilogon.org /  crl.ncsa.illinois.edu) • Set  custom  caching  for  *.crl and  *.r0  files  (see  next  slide) • Register  new  CRL  URLs  with  IGTF $  cat  cilogon-­basic.crl_url http://crl-­cilogon.ncsa-­security.net/cilogon-­basic.crl http://crl.cilogon.org/cilogon-­basic.crl $  cat  NCSA-­tfca-­2013.crl_url   http://crl-­ncsa.ncsa-­security.net/tfca2013.crl http://crl.ncsa.illinois.edu/tfca2013.crl
9. None

10. Discussion • CRL  integrity  provided  by  digital  signature  on  CRL

     file • fetch-­crl will  not  install  CRL  with  invalid  signature • In  case  of  CloudFlare outage • fetch-­crl will  use  secondary  CRL  URL (e.g.,  crl.cilogon.org /  crl.ncsa.illinois.edu) • Synchronization • fetch-­crl:  Attempt  to  install  example.r0  failed  since  the  current   CRL  is  more  recent  than  the  one  that  was  downloaded. • So  far  so  good?  Anyone  seen  problems  with  our  CRLs  lately? • In  case  of  problems,  we  can  update  ncsa-­security.net to   point  back  to  NCSA  instead  of  CloudFlare

11. Acknowledgement Thanks  to  James  Eyrich and  Terry  Fleury at  NCSA.

    Thanks  to  CloudFlare®  for  providing  this  valuable  service!