Slide 1

National Center for Supercomputing Applications, University of Illinois at Urbana-Champaign

Distributing CRLs via CloudFlare®
Jim Basney, [email protected]
TAGPMA, 21 May 2015, Pittsburgh, PA

Slide 2

The Need
• Constant retrieval load on web servers
  • 200k requests per day
• IPv6 accessibility
• High availability

Slide 3

First Try
• Constant retrieval load on web servers
  • Contact abusers (Feb 2014)
  • Block abusers (Oct 2014)
• IPv6 accessibility
  • Waiting for our network to support it…
• High availability
  • DOEGrids backup for CILogon CRLs now retired

Slide 4

Now
• Constant retrieval load on web servers
  • Solved: CloudFlare handles >95% of CRL requests for us
• IPv6 accessibility
  • Solved: CloudFlare serves CRLs over IPv4/IPv6

    $ host crl-cilogon.ncsa-security.net
    crl-cilogon.ncsa-security.net has address 104.28.12.59
    crl-cilogon.ncsa-security.net has address 104.28.13.59
    crl-cilogon.ncsa-security.net has IPv6 address 2400:cb00:2048:1::681c:c3b
    crl-cilogon.ncsa-security.net has IPv6 address 2400:cb00:2048:1::681c:d3b

• High availability
  • Solved: CloudFlare serves CRLs when NCSA is offline

Slide 5

No content

Slide 6

CRL requests are globally distributed
• Good use case for a global CDN

Slide 7

Our CRLs are small
• CILogon and NCSA CRLs are each <1KB
• CloudFlare will cache files up to 512MB in size
• No bandwidth charges

Slide 8

How-To
• Register a new DNS domain (e.g., ncsa-security.net)
• Give DNS control for that domain to CloudFlare
• Configure source URLs in CloudFlare (e.g., crl.cilogon.org / crl.ncsa.illinois.edu)
• Set custom caching for *.crl and *.r0 files (see next slide)
• Register the new CRL URLs with IGTF

    $ cat cilogon-basic.crl_url
    http://crl-cilogon.ncsa-security.net/cilogon-basic.crl
    http://crl.cilogon.org/cilogon-basic.crl
    $ cat NCSA-tfca-2013.crl_url
    http://crl-ncsa.ncsa-security.net/tfca2013.crl
    http://crl.ncsa.illinois.edu/tfca2013.crl

Slide 9

No content (no extractable text; this is the slide with the custom caching settings referred to on the previous slide)

Slide 10

Discussion
• CRL integrity provided by digital signature on CRL file
  • fetch-crl will not install a CRL with an invalid signature
• In case of CloudFlare outage
  • fetch-crl will use the secondary CRL URL (e.g., crl.cilogon.org / crl.ncsa.illinois.edu)
• Synchronization
  • fetch-crl: Attempt to install example.r0 failed since the current CRL is more recent than the one that was downloaded.
• So far so good? Anyone seen problems with our CRLs lately?
• In case of problems, we can update ncsa-security.net to point back to NCSA instead of CloudFlare
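As an added example (not from the slides, and not fetch-crl's own code), the script below reproduces the two checks the Discussion slide relies on when CRLs come through a cache: refuse a downloaded CRL whose signature does not verify against the CA certificate, and refuse a stale copy, such as one an edge cache might still be serving, that is not newer than the installed CRL. Freshness is compared here by CRL number rather than by date, and the CA, CRLs and file names are all constructed on the spot with openssl so that it runs offline.

```shell
#!/bin/sh
set -e
WORK=$(mktemp -d); cd "$WORK"
# Minimal openssl.cnf, just enough for `openssl ca -gencrl` (constructed demo CA).
cat > ca.cnf <<'EOF'
[ ca ]
default_ca = demo
[ demo ]
dir = .
database = $dir/index.txt
crlnumber = $dir/crlnumber
certificate = $dir/ca.pem
private_key = $dir/ca.key
default_md = sha256
default_crl_days = 7
EOF
touch index.txt; echo 01 > crlnumber
openssl req -x509 -newkey rsa:2048 -nodes -subj /CN=demo-ca \
  -keyout ca.key -out ca.pem >/dev/null 2>&1
# Two successive CRLs from the same CA: crlNumber 01, then 02.
openssl ca -config ca.cnf -gencrl -out crl1.pem 2>/dev/null
openssl ca -config ca.cnf -gencrl -out crl2.pem 2>/dev/null
# An unrelated CA, standing in for a CRL whose signature must not verify.
openssl req -x509 -newkey rsa:2048 -nodes -subj /CN=other-ca \
  -keyout other.key -out other.pem >/dev/null 2>&1

# crl_check NEW_CRL CA_CERT INSTALLED_CRL
# Returns 0 = install, 1 = invalid signature, 2 = not newer than installed.
crl_check() {
    new=$1 ca=$2 installed=$3
    # Integrity: the CRL's own signature must verify against the issuing CA,
    # so a tampered or wrong file served by any cache is refused.
    if ! openssl crl -in "$new" -CAfile "$ca" -noout 2>&1 | grep -q 'verify OK'; then
        echo "reject $new: signature does not verify"; return 1
    fi
    # Freshness: a stale cached copy carries a CRL number no higher than the
    # installed one, so the current file is kept (the fetch-crl case on the slide).
    newnum=$(printf '%d' "0x$(openssl crl -in "$new" -noout -crlnumber | cut -d= -f2)")
    if [ -f "$installed" ]; then
        curnum=$(printf '%d' "0x$(openssl crl -in "$installed" -noout -crlnumber | cut -d= -f2)")
        if [ "$newnum" -le "$curnum" ]; then
            echo "reject $new: installed CRL ($curnum) is more recent than downloaded ($newnum)"; return 2
        fi
    fi
    echo "install $new (crlNumber $newnum)"; return 0
}
crl_check crl2.pem ca.pem crl1.pem || true     # newer, valid: install
crl_check crl1.pem ca.pem crl2.pem || true     # stale cached copy: rejected
crl_check crl2.pem other.pem crl1.pem || true  # wrong CA: rejected
```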

Slide 11

Acknowledgement
Thanks to James Eyrich and Terry Fleury at NCSA.
Thanks to CloudFlare® for providing this valuable service!