
Distributing CRLs via CloudFlare


An informal talk about how CloudFlare helps CILogon and NCSA distribute CRLs.
Presented at the 21st TAGPMA Face-to-Face Meeting, Pittsburgh, PA, U.S.A., May 27-29, 2015.

Jim Basney

May 27, 2015

Transcript

  1. National Center for Supercomputing Applications
    University of Illinois at Urbana–Champaign
    Distributing CRLs via CloudFlare®
    Jim Basney
    [email protected]
    TAGPMA 21
    May 2015
    Pittsburgh, PA

  2. The Need
    • Constant retrieval load on web servers
      • 200k requests per day
    • IPv6 accessibility
    • High availability

  3. First Try
    • Constant retrieval load on web servers
      • Contact abusers (Feb 2014)
      • Block abusers (Oct 2014)
    • IPv6 accessibility
      • Waiting for our network to support it…
    • High availability
      • DOEGrids backup for CILogon CRLs now retired

  4. Now
    • Constant retrieval load on web servers
      • Solved: CloudFlare handles >95% of CRL requests for us
    • IPv6 accessibility
      • Solved: CloudFlare serves CRLs over IPv4/IPv6
        $ host crl-cilogon.ncsa-security.net
        crl-cilogon.ncsa-security.net has address 104.28.12.59
        crl-cilogon.ncsa-security.net has address 104.28.13.59
        crl-cilogon.ncsa-security.net has IPv6 address 2400:cb00:2048:1::681c:c3b
        crl-cilogon.ncsa-security.net has IPv6 address 2400:cb00:2048:1::681c:d3b
    • High availability
      • Solved: CloudFlare serves CRLs when NCSA is offline

  5. CRL requests are globally distributed
    • Good use case for a global CDN

  6. Our CRLs are small
    • CILogon and NCSA CRLs are each <1KB
    • CloudFlare will cache files up to 512MB in size
    • No bandwidth charges

  7. How-To
    • Register new DNS domain (e.g., ncsa-security.net)
    • Give DNS control for that domain to CloudFlare
    • Configure source URLs in CloudFlare
      (e.g., crl.cilogon.org / crl.ncsa.illinois.edu)
    • Set custom caching for *.crl and *.r0 files (see next slide)
    • Register new CRL URLs with IGTF
      $ cat cilogon-basic.crl_url
      http://crl-cilogon.ncsa-security.net/cilogon-basic.crl
      http://crl.cilogon.org/cilogon-basic.crl
      $ cat NCSA-tfca-2013.crl_url
      http://crl-ncsa.ncsa-security.net/tfca2013.crl
      http://crl.ncsa.illinois.edu/tfca2013.crl

  8. Discussion
    • CRL integrity provided by digital signature on CRL file
      • fetch-crl will not install CRL with invalid signature
    • In case of CloudFlare outage
      • fetch-crl will use secondary CRL URL
        (e.g., crl.cilogon.org / crl.ncsa.illinois.edu)
    • Synchronization
      • fetch-crl: Attempt to install example.r0 failed since the current
        CRL is more recent than the one that was downloaded.
    • So far so good? Anyone seen problems with our CRLs lately?
      • In case of problems, we can update ncsa-security.net to
        point back to NCSA instead of CloudFlare
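The two checks this slide relies on, as an added Python example (not fetch-crl's code and not from the talk): a downloaded CRL is accepted only if its signature verifies against the CA certificate, so a CDN cache cannot substitute content, and only if its thisUpdate is newer than the installed copy, which is the "current CRL is more recent than the one that was downloaded" case. It assumes the `cryptography` package; the CA key, the CRLs and the 2015 timestamps are constructed inline.

```python
import datetime

from cryptography import x509
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import rsa

UTC = datetime.timezone.utc

def make_ca():
    """Constructed self-signed CA, standing in for the real CILogon/NCSA CA certificate."""
    key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    name = x509.Name([x509.NameAttribute(x509.NameOID.COMMON_NAME, "Constructed CRL Test CA")])
    now = datetime.datetime.now(UTC)
    cert = (x509.CertificateBuilder().subject_name(name).issuer_name(name)
            .public_key(key.public_key()).serial_number(x509.random_serial_number())
            .not_valid_before(now).not_valid_after(now + datetime.timedelta(days=1))
            .sign(key, hashes.SHA256()))
    return key, cert

def make_crl(signing_key, ca_cert, this_update):
    """Issue an empty DER CRL (the form served over HTTP) with the given thisUpdate."""
    crl = (x509.CertificateRevocationListBuilder().issuer_name(ca_cert.subject)
           .last_update(this_update).next_update(this_update + datetime.timedelta(days=7))
           .sign(signing_key, hashes.SHA256()))
    return crl.public_bytes(serialization.Encoding.DER)

def _this_update(crl):
    # last_update_utc exists in cryptography >= 42; older releases only have naive-UTC last_update
    return getattr(crl, "last_update_utc", None) or crl.last_update

def should_install(downloaded_der, installed_der, ca_cert):
    """Return (ok, reason): valid CA signature, and newer than the installed copy."""
    crl = x509.load_der_x509_crl(downloaded_der)
    if not crl.is_signature_valid(ca_cert.public_key()):  # a cache or mirror cannot forge this
        return False, "invalid signature"
    if installed_der is not None:  # the synchronization case from the slide
        current = x509.load_der_x509_crl(installed_der)
        if _this_update(crl) <= _this_update(current):
            return False, "current CRL is more recent than the one that was downloaded"
    return True, "installed"

def demo():
    """Three constructed cases: a newer CRL, a stale CRL, and one signed by the wrong key."""
    key, cert = make_ca()
    t0 = datetime.datetime(2015, 5, 27, tzinfo=UTC)
    older, newer = make_crl(key, cert, t0), make_crl(key, cert, t0 + datetime.timedelta(hours=1))
    forged = make_crl(make_ca()[0], cert, t0 + datetime.timedelta(hours=2))
    return {"fresh": should_install(newer, older, cert),
            "stale": should_install(older, newer, cert),
            "forged": should_install(forged, older, cert)}
```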

  9. Acknowledgement
    Thanks to James Eyrich and Terry Fleury at NCSA.
    Thanks to CloudFlare® for providing this valuable service!
