SURFnet and access pilots


Connect. Communicate. Collaborate
Eduroam: past, present, and future
TERENA Networking Conference, 7 June 2005
[email protected]
Contents
• What is Eduroam?
• Current status of Eduroam
• Is anything wrong with Eduroam?
• Eduroam-ng and Géant 2
• Conclusion
Users are mobile (diagram): University A (WLAN) and University B are connected over the SURFnet backbone, with international connectivity beyond it; away from campus, users reach the network through access providers offering GPRS/UMTS, WLAN, cable and ADSL. Eduroam enables them to roam seamlessly.
EduRoam architecture
• Security based on 802.1X (or web-based redirect)
  – Identity-based networking
  – Different authentication mechanisms possible
  – Prevents session hijacking
  – Mutual authentication possible
  – Protection of credentials
  – Integration with VLAN assignment
  – Provides the basis for the new wireless security standards WPA and 802.11i
  (these properties are those of 802.1X; a web-based redirect only puts a login page in front of an open network and gives neither credential protection on the air nor protection against session hijacking)
• Roaming based on RADIUS proxying
  – Remote Authentication Dial In User Service
  – Transport protocol for authentication information
• Trust fabric based on:
  – Technical: RADIUS hierarchy
  – Policy: documents/contracts that define the responsibilities of user, institution, NREN and the EduRoam federation
EduRoam (diagram): user piet@university_b.nl appears as a guest ("Gast") at University A. The supplicant authenticates over 802.1X to the authenticator (AP or switch); University A's RADIUS server proxies the request via the SURFnet central RADIUS proxy server to University B's RADIUS server, which checks its own user DB. Signalling (802.1X/RADIUS) is separate from the data path, and the reply carries the VLAN assignment (employee, student or commercial VLAN). Trust is based on RADIUS plus policy documents.
Tunneled authentication (PEAP/TTLS)
• Uses a TLS/SSL tunnel to protect data
  – The TLS tunnel is set up using the server certificate, thus authenticating the server and preventing man-in-the-middle attacks (this holds only when the supplicant actually validates the certificate against the expected CA and server name; a client configured to accept any certificate will hand its credentials to a rogue access point)
  – The user sends his credentials through the secure tunnel to the server, thus authenticating the user
• Can use dynamic session keys for 'in the air' encryption
(diagram © Alfa&Ariss: 802.1X client and EAP RADIUS server; server authentication sets up the TLS tunnel, user authentication is protected by the tunnel)
Status of EduRoam
• Over 350 institutions in Europe and Australia
• USA will follow shortly
Limitations
• Technology
  – Static trust
  – Single points of failure
  – All authN and authZ traffic flows through the hierarchy
• Policy
  – Not suitable for full service yet
• Usability
  – Eduroam comes in many flavours
  – Where are the access points?
• Management & Monitoring
  – Are all servers up and running?
  – Who is abusing the service?
• AAI
  – How to integrate with the European AAI
Eduroam-ng
Technology: bypassing the hierarchy overhead?
(diagram: European server with national servers .nl, .ac.uk, .pl, …; uva.nl with an access point; uni.torun.pl with an access point and user database; user [email protected] roaming between them)
• AA traffic goes through all intermediate entries
• All links are peer-to-peer agreements / static routes / p2p secure
• DIAMETER? DNSsec? (See: Henk Eertink, Future directions in mobility)
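As an added example (not code from the slides, SURFnet or the eduroam project), the Python below models the realm-based proxying of the architecture slide and the hop count this slide wants to cut: an Access-Request for user@realm is passed from the visited institution's RADIUS server up through the national and European proxies and back down to the home realm, or straight to a directly peered institution when such a peering exists. Server names (nl-proxy, pl-proxy, european-server), the peering table, the hop budget and the identities are constructed for illustration; the realm layout follows the diagram above.

```python
"""Realm-based RADIUS proxying through the eduroam hierarchy.

Added example, not code from the slides or from eduroam/SURFnet. Server
names, the peering table and the identities are constructed; the hop
budget stands in for the proxy-loop protection real RADIUS proxies have.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

MAX_PROXY_HOPS = 10


def split_nai(identity: str) -> Tuple[str, Optional[str]]:
    """Split 'user@realm' into (user, realm); the realm is the routing key.

    Realms are compared case-insensitively, so the realm is lower-cased.
    An identity without '@' has no realm and cannot be proxied; an empty
    user or an empty realm ('@realm', 'user@') is malformed.
    """
    if not identity:
        raise ValueError("empty identity")
    if "@" not in identity:
        return identity, None
    user, _, realm = identity.rpartition("@")
    if not user or not realm:
        raise ValueError(f"malformed NAI {identity!r}")
    return user, realm.lower()


@dataclass
class RadiusServer:
    name: str
    home_realms: frozenset = frozenset()          # realms whose user DB lives here
    children: dict = field(default_factory=dict)  # realm suffix -> server below us
    peers: dict = field(default_factory=dict)     # realm suffix -> directly peered server
    parent: Optional["RadiusServer"] = None       # server above us, None at the top

    def add_child(self, suffix: str, server: "RadiusServer") -> "RadiusServer":
        self.children[suffix] = server
        server.parent = self
        return server


def _longest_match(table: Dict[str, RadiusServer], realm: str) -> Optional[RadiusServer]:
    """Pick the entry whose suffix covers the realm most specifically."""
    best_suffix, best = None, None
    for suffix, server in table.items():
        if realm == suffix or realm.endswith("." + suffix):
            if best_suffix is None or len(suffix) > len(best_suffix):
                best_suffix, best = suffix, server
    return best


def route(entry: RadiusServer, identity: str) -> Tuple[str, List[str]]:
    """Trace an Access-Request from the server where the user appeared.

    Returns (outcome, path); path lists the servers the request visits.
    'local'    - checked against the receiving server's own user DB
    'proxied'  - reached the home server of the realm
    'rejected' - nobody in the fabric owns the realm, or the hop budget
                 ran out (a proxy loop)
    """
    _, realm = split_nai(identity)
    path = [entry.name]
    if realm is None:
        # Nothing to route on: the receiving server can only try its own DB,
        # which is why eduroam requires realm-qualified identities.
        return "local", path
    server = entry
    for _ in range(MAX_PROXY_HOPS):
        if realm in server.home_realms:
            return ("local" if server is entry else "proxied"), path
        nxt = (_longest_match(server.peers, realm)        # direct peering wins
               or _longest_match(server.children, realm)  # else route down
               or server.parent)                          # else route up
        if nxt is None:
            return "rejected", path   # top of the hierarchy, realm unknown
        server = nxt
        path.append(server.name)
    return "rejected", path           # hop budget exhausted


def build_fabric() -> Dict[str, RadiusServer]:
    """The hierarchy of the slide: European server, .nl/.ac.uk/.pl, two institutions."""
    europe = RadiusServer("european-server")
    nl = europe.add_child("nl", RadiusServer("nl-proxy"))
    europe.add_child("ac.uk", RadiusServer("uk-proxy"))
    pl = europe.add_child("pl", RadiusServer("pl-proxy"))
    uva = nl.add_child("uva.nl", RadiusServer("uva.nl", frozenset({"uva.nl"})))
    torun = pl.add_child("uni.torun.pl",
                         RadiusServer("uni.torun.pl", frozenset({"uni.torun.pl"})))
    return {"uva.nl": uva, "uni.torun.pl": torun, "europe": europe}


if __name__ == "__main__":
    fabric = build_fabric()
    for ident in ("anonymous@uni.torun.pl", "piet@UVA.NL", "guest@example.com", "piet"):
        print(ident, route(fabric["uva.nl"], ident))
    # The Eduroam-ng question: a direct peering between the two institutions
    fabric["uva.nl"].peers["uni.torun.pl"] = fabric["uni.torun.pl"]
    print("peered:", route(fabric["uva.nl"], "anonymous@uni.torun.pl"))
```

A request from uva.nl for a uni.torun.pl user crosses five servers through the hierarchy and two with a direct peering, which is the overhead the slide asks about. Two failure modes are worth noting: a realm nobody owns is only rejected at the European top level after traversing the whole chain, and a suffix table that points back at a server that does not own the realm (here x@foo.uva.nl) loops until the hop budget is spent, which is why real proxies need loop detection.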
Roaming policy
• Minimal security level
• Levels of assertion
• SLAs
• Incident response
• Policy board
Usability: standardisation, localisation, expansion
• Standardisation
  – Limited set of encryption and SSID choices
    • Encryption: 802.1X+WEP, WPA+TKIP, WPA2 (802.1X+WEP relies on dynamic WEP keys and is the weakest of the three; prefer WPA2 where the clients support it)
    • SSID: eduroam
• Localisation
  – Eduroam-around-the-corner (See: Martijn Arts)
• Expansion
  – Integration with commercial roaming services (See: Martin Bech)
Managing & Monitoring: user tracking & weathermap
(See also: Kostas Kalevras, Large scale WLAN deployments)
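The "who is abusing the service?" question of the limitations slide and the incident-response item of the roaming policy come down to user tracking: answering, from the visited institution's RADIUS accounting records, who held an address at a given moment. As an added example (not code from the slides, SURFnet or the eduroam project), the Python below pairs Start/Stop accounting records into sessions, resolves an (IP address, time) pair to a session, and builds the hand-off the visited institution can send to the home institution. The log lines are constructed in a key=value layout for the example; the attribute names are the standard RADIUS accounting ones, and the users, addresses and session IDs are invented.

```python
"""Answering 'who had this address at that time?' from RADIUS accounting.

Added example, not code from the slides or from eduroam/SURFnet. The log
lines are constructed in a key=value layout; a real accounting log will
look different, but the attributes are the standard ones.
"""
from datetime import datetime, timezone
from typing import Dict, List, Optional, Tuple

ACCT_LOG = """\
2005-06-07T09:00:00Z Acct-Status-Type=Start NAS-IP-Address=192.0.2.10 Acct-Session-Id=s1 User-Name=anonymous@uni.torun.pl Calling-Station-Id=00-11-22-33-44-55 Framed-IP-Address=10.20.30.40
2005-06-07T09:10:00Z Acct-Status-Type=Start NAS-IP-Address=192.0.2.11 Acct-Session-Id=s1 User-Name=jan@uva.nl Calling-Station-Id=00-de-ad-be-ef-01 Framed-IP-Address=10.20.31.7
2005-06-07T09:45:00Z Acct-Status-Type=Start NAS-IP-Address=192.0.2.10 Acct-Session-Id=s2 User-Name=piet@uva.nl Calling-Station-Id=00-aa-bb-cc-dd-ee Framed-IP-Address=10.20.30.41
2005-06-07T10:30:00Z Acct-Status-Type=Stop NAS-IP-Address=192.0.2.10 Acct-Session-Id=s1 User-Name=anonymous@uni.torun.pl Acct-Session-Time=5400 Acct-Terminate-Cause=User-Request
2005-06-07T11:00:00Z Acct-Status-Type=Start NAS-IP-Address=192.0.2.10 Acct-Session-Id=s3 User-Name=kim@example.ac.uk Calling-Station-Id=00-12-34-56-78-9a Framed-IP-Address=10.20.30.40
"""


def parse_time(text: str) -> datetime:
    """Timestamps in the constructed log are UTC, ISO 8601 with a 'Z' suffix."""
    return datetime.strptime(text, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def parse_line(line: str) -> dict:
    """'<timestamp> Attr=Value ...' -> dict with a parsed 'time' field."""
    stamp, *pairs = line.split()
    record = {"time": parse_time(stamp)}
    for pair in pairs:
        key, _, value = pair.partition("=")
        if not key or not value:
            raise ValueError(f"malformed attribute {pair!r}")
        record[key] = value
    return record


def build_sessions(log: str) -> List[dict]:
    """Pair Start and Stop records into sessions.

    Acct-Session-Id is only unique per NAS, so the key includes
    NAS-IP-Address (the two 's1' sessions above are different users).
    Records are sorted by time so an out-of-order log still pairs up.
    """
    sessions: Dict[Tuple[str, str], dict] = {}
    records = sorted((parse_line(l) for l in log.splitlines() if l.strip()),
                     key=lambda r: r["time"])
    for r in records:
        key = (r["NAS-IP-Address"], r["Acct-Session-Id"])
        s = sessions.setdefault(key, {"nas": key[0], "session_id": key[1],
                                      "start": None, "stop": None})
        if r["Acct-Status-Type"] == "Start":
            s.update(start=r["time"], user=r["User-Name"],
                     mac=r.get("Calling-Station-Id"), ip=r.get("Framed-IP-Address"))
        elif r["Acct-Status-Type"] == "Stop":
            s["stop"] = r["time"]
            s.setdefault("user", r.get("User-Name"))  # Stop without a Start
    return list(sessions.values())


def who_had(sessions: List[dict], ip: str, at: datetime,
            nas: Optional[str] = None) -> List[dict]:
    """Sessions that held `ip` at instant `at` (on `nas` if given).

    An open session (no Stop yet) covers every instant after its Start.
    The same address is handed out again later (s1 and s3 both have
    10.20.30.40), so a report without a timestamp cannot be resolved.
    """
    hits = []
    for s in sessions:
        if s.get("ip") != ip or (nas and s["nas"] != nas) or s["start"] is None:
            continue
        if s["start"] <= at and (s["stop"] is None or at < s["stop"]):
            hits.append(s)
    return hits


def abuse_handoff(session: dict) -> dict:
    """What the visited institution can pass to the home institution.

    With PEAP/TTLS the outer identity seen in accounting may be anonymous,
    so only the realm identifies the home site; the time window and MAC
    let the home RADIUS server find the inner identity in its own logs.
    """
    user = session.get("user") or ""
    local_part, _, realm = user.rpartition("@")
    return {"realm": realm.lower(), "outer_identity": user,
            "anonymous_outer": local_part.lower() in ("", "anonymous"),
            "mac": session.get("mac"), "nas": session["nas"],
            "from": session["start"], "to": session["stop"]}


if __name__ == "__main__":
    sessions = build_sessions(ACCT_LOG)
    for hit in who_had(sessions, "10.20.30.40", parse_time("2005-06-07T10:00:00Z")):
        print(abuse_handoff(hit))
```

The two things this shows that the slide does not: the address alone is not an identity (it is reused within the same day), and with anonymous outer identities the visited site can name only the realm, so an incident report has to carry the NAS, MAC and time window for the home institution to finish the lookup.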
AAI Integration: offload AuthZ?
(diagram: European server with national servers .nl, .ac.uk, .es, …; uva.nl (access point), uclm.es, A-Select, PAPI, the UCLM user database and user [email protected])
• How do all these applications communicate? (SAML?)
• Or should we do it inline?
(See: Diego Lopez, AAI Infrastructures)
Conclusions
• 802.1X plus RADIUS provide a secure and future-proof solution for access to the institutional network
• Infrastructure not perfect yet but…
  – It works ™
  – It is ready for the future
  – Géant2 JRA5 will make it even better
• Joining EduRoam is a small step for administrator-kind but a giant leap for the users, so…
Time to join…
More information
• EduRoam in SURFnet
  – http://www.eduroam.nl
• EduRoam in Europe
  – http://www.eduroam.org
• TERENA TF-Mobility
  – http://www.terena.nl/mobility
• Géant2 Joint Research Activity 5 (authorisation and roaming)
  – http://www.geant2.net/ (click on research)
• The unofficial IEEE 802.11 security page
  – http://www.drizzle.com/~aboba/IEEE