Secure and Accountable Measurement Infrastructure

The Secure and Accountable Measurement Infrastructure (SAMI) is a collection of software tools designed to aid researchers and engineers in managing internet measurements from various vantage points within the internet. The project, previously funded by DARPA and currently by the National Science Foundation under National Middleware Initiative grant #1120281, is based on the National Internet Measurement Infrastructure (NIMI), so it is not incorrect to refer to it as NIMI v2.

SAMI is designed to be secure, accountable, scalable and dynamic. SAMI is secure in that only authorized researchers/engineers are able to access extended resources on a probe. (Note, however, that there is a default authorization ACL which grants limited use of some resources.) SAMI is accountable in that each request for a resource is authenticated via X.509 credentials. It is scalable in that NIMI probes can be delegated to administration managers for configuration information and measurement coordination. And it is dynamic in that the measurement tools are external to the SAMI probe, packaged as third-party tools that can be added as needed.

The NMI charter to develop NIMI/SAMI requested GRID compatibility. SAMI currently works with certificates generated by the PSC TeraGrid KCA, and adding additional TeraGrid members for certificate acceptance into the infrastructure is trivial.

SAMI uses Akenti, developed at LBNL, for authorization of user requests. Currently, SAMI supports the Akenti use-condition constraints ‘lifetime’ and ‘disk-quota’.

SAMI comprises four unique applications, multiple networking tools, and their corresponding ‘tool wrapper’ scripts, grouped in three functional areas:

  1. The SAMI probe: The SAMI probe consists of the samid, scheduled, master-script, and networking tools (with wrappers). It enables a host to act as a resource supplier for authorized users seeking to use those networking tools on/from that specific site.
  2. The Configuration Point of Contact (CPOC): The CPOC is the administrative contact for all SAMI probes under its domain. It is responsible for providing SAMI probes with configuration files (e.g., CA certificates) and tools with their wrapper scripts. The CPOC is also responsible for generating ‘capability certificates’, describing what a user seeking resources can do on the probes within its domain.
  3. The Measurement Client (MC) and Data Analysis Client (DAC): The MC is used by the researcher/engineer to make requests on remote SAMI probes. The MC seamlessly requests capability certificates from the appropriate CPOC and then uses that capability certificate for authorization on the SAMI probe where a resource (e.g., invocation of a measurement tool) is requested. The DAC is a daemonized version of MC that simply waits for the results of a SAMI request to return and saves them to disk. Usually, the DAC is only used if the requests are scheduled far enough in advance that it would be inconvenient to leave the MC running.
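
A model of the probe-side decision described above (capability certificate from the CPOC, the ‘lifetime’ and ‘disk-quota’ constraints, and the default ACL), as an added example that is not SAMI or Akenti code. All names, fields and values are hypothetical, and X.509 authentication and signature verification are assumed to have happened before `authorize` is called.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Every name, field and value here is hypothetical, chosen for illustration.
DEFAULT_ACL = {"ping": 1_000_000}         # tool -> disk bytes open to any authenticated user
TRUSTED_CPOCS = {"CN=cpoc.example.org"}   # CPOC(s) responsible for this probe's domain

@dataclass(frozen=True)
class Capability:
    issuer: str            # DN of the CPOC that issued the capability
    subject: str           # DN of the user it was issued to
    tools: frozenset       # tools the holder may invoke on the probe
    not_before: datetime   # start of the 'lifetime' constraint
    not_after: datetime    # end of the 'lifetime' constraint
    disk_quota: int        # 'disk-quota' constraint, in bytes

def authorize(user_dn, tool, disk_needed, when, cap=None):
    """Return (allowed, reason) for one request on a probe.

    Assumes user_dn was already authenticated from the X.509 credential and
    that cap's signature was already verified; neither is modelled here.
    """
    if disk_needed < 0:
        return False, "invalid disk request"
    if cap is not None:
        # A presented capability that fails any check is rejected outright
        # (fail closed) instead of silently downgrading to the default ACL.
        if cap.issuer not in TRUSTED_CPOCS:
            return False, "capability issuer is not a trusted CPOC"
        if cap.subject != user_dn:
            return False, "capability was issued to a different subject"
        if not (cap.not_before <= when <= cap.not_after):
            return False, "request falls outside the capability lifetime"
        if tool in cap.tools:
            if disk_needed > cap.disk_quota:
                return False, "request exceeds the capability disk-quota"
            return True, "capability"
    # No capability, or it does not cover this tool: only the default ACL applies.
    if tool in DEFAULT_ACL and disk_needed <= DEFAULT_ACL[tool]:
        return True, "default ACL"
    return False, "not covered by capability or default ACL"

if __name__ == "__main__":
    now = datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc)   # constructed sample data
    cap = Capability("CN=cpoc.example.org", "CN=alice", frozenset({"traceroute"}),
                     now - timedelta(hours=1), now + timedelta(hours=1), 50_000_000)
    for args in [("CN=alice", "traceroute", 10_000_000, now, cap),
                 ("CN=alice", "traceroute", 10_000_000, now + timedelta(hours=2), cap),
                 ("CN=bob", "ping", 500, now, None)]:
        print(args[0], args[1], authorize(*args))
```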