DocumentCode :
3298914
Title :
Partitioning Trust in Network Testbeds
Author :
Wong, Gary ; Ricci, Robert ; Duerig, Jonathon ; Stoller, Leigh ; Chikkulapelly, Srikanth ; Seok, Woojin
Author_Institution :
Sch. of Comput., Univ. of Utah, Salt Lake City, UT, USA
fYear :
2012
fDate :
4-7 Jan. 2012
Firstpage :
5594
Lastpage :
5602
Abstract :
Traditionally, testbeds for networking and systems research have been designed as monolithic facilities: they contain a single root of trust. The resources in the facility are assumed to be administered by a single entity or a set of mutually-trusting entities. All user management, including vouching for users' identities and taking responsibility for their actions, is done using a flat trust structure or a simple hierarchy with the facility itself as the root. This design is not a good match for testbeds that are composed of multiple autonomous facilities, or in which different parts of the testbed operate under different trust models. In this paper, we argue that partitioned trust is increasingly important in large-scale and security-sensitive testbeds. We present a design that accomplishes this partitioning by using multiple trust roots. The trust domains created by these roots may decide, independently, how much trust to place in each other, and can apply policies based on the domain or principal that originates a request. The domains could represent separately administered facilities (as in a federated testbed), or they could represent sections within a single facility that run with different trust models (for example, with differing levels of security). We have implemented this design in ProtoGENI, a control framework for federated testbeds; we include details of this implementation and share experiences from using it in an active deployment with hundreds of users.
Keywords :
security of data; trusted computing; ProtoGENI; administered facilities; federated testbeds; large scale testbeds; monolithic facilities; mutually-trusting entities; network testbeds; security-sensitive testbeds; trust models; trust partitioning; trust roots; user management; Aggregates; Authentication; Authorization; Educational institutions; Organizations; Resource management; authentication; authorization; federated testbeds; federation; partitioned trust; testbeds; trust;
fLanguage :
English
Publisher :
IEEE
Conference_Titel :
System Science (HICSS), 2012 45th Hawaii International Conference on
Conference_Location :
Maui, HI
ISSN :
1530-1605
Print_ISBN :
978-1-4577-1925-7
Electronic_ISBN :
1530-1605
Type :
conf
DOI :
10.1109/HICSS.2012.466
Filename :
6149573