28th TF-Mobility and Network Middleware Meeting
A4-Mesh: Authentication, Authorization, Accounting, and Auditing in Wireless Mesh Networks
Torsten Braun, Communication and Distributed Systems, Institute of Computer Science and Applied Mathematics, Universität Bern
Overview
- Project Introduction
- Application Scenario
- Wireless Mesh Network
- Authentication and Authorization
- Accounting
- Conclusions and Outlook
Zürich, Torsten Braun: A4-Mesh: Authentication, Authorization, Accounting and Auditing in Wireless Mesh Networks
Project Introduction
Project Partners
- Institut für Informatik und Angewandte Mathematik
- Geographisches Institut
- Informatikdienste
- Institut d'Informatique
- Service Informatique et Télématique
Project Goals and Objectives
Goal: provide low-cost broadband network access to researchers and students at remote locations.
Objectives:
- Cost-efficient network access
- Easily deployable wireless mesh network (WMN)
- Integration into the regular authentication and authorization infrastructure of Swiss higher education (SWITCHaai)
Wireless Mesh Networks (WMNs): Application Scenarios
1. Environmental Monitoring
2. Campus Network Extension
AAAA for WMNs
Authentication and Authorization of
1. wireless mesh nodes entering the WMN
2. mobile users accessing the Internet via the WMN (using SWITCHaai mechanisms)
Accounting of traffic generated by
1. wireless mesh nodes and sensors
2. individual mobile users (for charging and monitoring purposes)
Auditing functions
- detect inconsistent or erroneous node states
- perform recovery mechanisms or trigger alarms
Indoor testbed and pilot networks at
1. Crans-Montana
2. University campuses at Bern and Neuchâtel
Application Scenario: MontanAqua
Requirements of Environmental Monitoring
Support scientists (hydrology researchers) in collecting sensor data from environmental measurements. The scientists use the data to build and verify models of the environment, so specific measurements are needed to cover certain areas or to collect specific sensor data.
MontanAqua Investigation Area (map: Sion, Sierre, Tseuzier storage lake, Plaine Morte glacier; © Weingartner)
Modelling Water Resources
PIHM (Penn State Integrated Hydrologic Model) with a GLACIER module (ice thickness 0-200 m; © Matthias Huss) and a KARST module (Jeannin), driven by land use, water resources 2010 and climate-change scenarios for 2050 (figures © Martina Kauzlaric, © Weingartner). PIHM has a high data demand for modelling water balance and fluxes.
Weather Stations and Rain Gauges: wind velocity and direction, air temperature and relative humidity, solar radiation, rainfall
Runoff Station
Soil Measurements: soil moisture sensors, tensiometers, lysimeter
Data Transfer Alternatives
- GSM modem for weather stations: the GSM signal was lost
- GPRS modem for weather stations: data access only via the server of the weather station producer
- Manual collection for rain gauges, runoff gauges and weather stations
Serial Port Tunneling
Benefits for Scientists
- Real-time access to the logger (software updates, failure checking) → reduced maintenance frequency
- Real-time data access (data verification, monitoring of sensors)
- Data stored both on a server at the University and on the logger in the field → reduced risk of data loss (destruction of sensors/loggers)
- Independent of GSM/GPRS network availability
- High data-transfer rates (web cam)
Sensor Readings
Wireless Mesh Network
MontanAqua Sensors and A4-Mesh Network (figure; includes a webcam)
A4-Mesh Topology (map © Atlas of Switzerland 3: Plaine Morte Glacier, Sion, Sierre)
Wireless Mesh Node Technology
- IP66 steel enclosure
- 1-2x Alix 3D2 system boards, 1x Alix 6F2 system board
- 1-4x 802.11n mini PCI cards, 1x 802.11g mini PCI card
- 1x UMTS mini PCI-Express card
- I2C twin relay
- 2x2 MIMO, 25 dBi, dual-polarization panel antennas
- ADAM Linux
- Optimized Link State Routing (OLSR)
Deployment of Nodes 4a/b
Deployment of Nodes 3/7
Deployment of Node 8
Authentication and Authorization
Authentication and Authorisation
Network resources can only be accessed by authenticated and authorized end users and wireless mesh nodes:
- Wireless mesh nodes entering the WMN: a mechanism tailored to WMNs that supports easy and secure inter-organizational access to network resources using a separate Shibboleth federation.
- Mobile users accessing the Internet via the WMN: an implementation based on a web-based captive portal protected by SWITCHaai.
A4-Mesh AAAA Architecture (figure)
Machine Authentication and Authorization (sequence diagram)
1. Request VPN key
2. Authentication request with X.509 certificate
3. Machine attributes: is the node authorized?
4. Authorized: VPN key returned
5. Open firewall
6. VPN tunnel establishment
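The exchange on this slide, worked through as an added example (not A4-Mesh project code): a small Go program in which a node presents a certificate chained to an assumed node CA, proves possession of its key by signing a gateway nonce, is authorized on subject attributes (organisation in O, role "mesh-node" in OU, an assumed attribute placement), and only then receives a VPN key and a firewall rule. The CA, the attribute policy and the firewall-rule string are assumptions; the slide shows only the message flow.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// issue creates a key pair and a certificate for tmpl signed by signer (nil = self-signed).
func issue(tmpl, parent *x509.Certificate, signer ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey, error) {
	pub, key, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	if signer == nil {
		signer = key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// NewMeshCA is a throwaway stand-in for whatever signs node certificates in the
// separate Shibboleth federation (the slides do not say; assumed for this example).
func NewMeshCA() (*x509.Certificate, ed25519.PrivateKey, error) {
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "A4-Mesh node CA (example)"},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign,
	}
	return issue(tmpl, tmpl, nil)
}

// IssueNodeCert carries the machine attributes in the subject: organisation in O,
// role in OU (this placement is assumed, not stated on the slides).
func IssueNodeCert(ca *x509.Certificate, caKey ed25519.PrivateKey, name, org, role string, serial int64) (*x509.Certificate, ed25519.PrivateKey, error) {
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(serial),
		Subject:      pkix.Name{CommonName: name, Organization: []string{org}, OrganizationalUnit: []string{role}},
		NotBefore:    time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}
	return issue(tmpl, ca, caKey)
}

// Gateway is the A4-Mesh side of the sequence diagram.
type Gateway struct {
	Roots      *x509.CertPool
	AllowedOrg map[string]bool // organisations admitted to the WMN (assumed policy)
	Firewall   []string        // rules opened for admitted nodes (assumed representation)
}

// NodeSign is the node's half of "Authentication request with X.509 certificate": signing a
// gateway nonce proves possession of the key, so a copied certificate file alone is useless.
func NodeSign(key ed25519.PrivateKey, nonce []byte) []byte {
	return ed25519.Sign(key, nonce)
}

// RequestVPNKey walks the diagram: chain check, proof of possession, attribute
// authorization, then VPN key issue and firewall opening. Rejected nodes get nothing.
func (g *Gateway) RequestVPNKey(cert *x509.Certificate, nonce, sig []byte) ([]byte, error) {
	opts := x509.VerifyOptions{Roots: g.Roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}
	if _, err := cert.Verify(opts); err != nil {
		return nil, fmt.Errorf("authentication failed: %w", err)
	}
	if pub, ok := cert.PublicKey.(ed25519.PublicKey); !ok || !ed25519.Verify(pub, nonce, sig) {
		return nil, fmt.Errorf("authentication failed: bad proof of possession")
	}
	s := cert.Subject // "Machine attributes" -> "is authorized?"
	if len(s.Organization) == 0 || !g.AllowedOrg[s.Organization[0]] ||
		len(s.OrganizationalUnit) == 0 || s.OrganizationalUnit[0] != "mesh-node" {
		return nil, fmt.Errorf("not authorized: attributes of %q rejected", s.CommonName)
	}
	vpnKey := make([]byte, 32)
	if _, err := rand.Read(vpnKey); err != nil {
		return nil, err
	}
	g.Firewall = append(g.Firewall, "allow vpn from "+s.CommonName) // "Open firewall"
	return vpnKey, nil                                               // node now brings up the VPN tunnel
}

func main() {
	ca, caKey, _ := NewMeshCA()
	gw := &Gateway{Roots: x509.NewCertPool(), AllowedOrg: map[string]bool{"unibe.ch": true}}
	gw.Roots.AddCert(ca)
	cert, key, _ := IssueNodeCert(ca, caKey, "node-4a", "unibe.ch", "mesh-node", 2)
	nonce := make([]byte, 32)
	rand.Read(nonce)
	vpnKey, err := gw.RequestVPNKey(cert, nonce, NodeSign(key, nonce))
	fmt.Printf("key issued: %v  err: %v  firewall: %v\n", vpnKey != nil, err, gw.Firewall)
}
```

The nonce signature is not drawn on the slide, but it is what turns "present a certificate" into authentication: without it, anyone who copies a node's certificate passes step 2. The nonce must be fresh per request, and the VPN key must only travel over the channel that was just authenticated.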
User Authentication and Authorization (Captive Portal)
Accounting
Accounting
- Traffic monitoring at each mesh node (NetFlow, RFC 3954)
- Central storage of flow statistics at the A4-Mesh gateway
- Data enrichment at the A4-Mesh gateway (IP, IP NAT, time, UniqueID)
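Flow enrichment as described on this slide, written as an added example (not the project's aggregator): given flow records, the gateway's NAT translations and the captive-portal sessions, each flow is first resolved to the mesh-side client address and then to the UniqueID whose session covered that address when the flow started, with time as part of every match. Record shapes, field names and the sample data are constructed for the example; the slide names only the enrichment keys (IP, IP NAT, time, UniqueID).

```go
package main

import (
	"fmt"
	"time"
)

// Flow is one NetFlow record as stored at the gateway (subset of fields; shape assumed).
type Flow struct {
	SrcIP   string
	SrcPort int
	Start   time.Time
	Bytes   uint64
	PostNAT bool // exported on the gateway uplink, i.e. after address translation
}

// NATMapping says the gateway translated Private:PrivatePort to Public:PublicPort during [From, To).
type NATMapping struct {
	Public, Private         string
	PublicPort, PrivatePort int
	From, To                time.Time
}

// Session is one captive-portal login: UniqueID used ClientIP during [Login, Logout).
type Session struct {
	UniqueID, ClientIP string
	Login, Logout      time.Time
}

type Enriched struct {
	Flow
	ClientIP string // "" when an uplink flow matched no NAT entry
	UniqueID string // "" when no session covered ClientIP at flow start
}

func within(t, from, to time.Time) bool { return !t.Before(from) && t.Before(to) }

// Enrich undoes NAT for uplink flows, then attributes each flow to the session covering the client address at flow start.
func Enrich(flows []Flow, nat []NATMapping, sessions []Session) []Enriched {
	out := make([]Enriched, 0, len(flows))
	for _, f := range flows {
		e := Enriched{Flow: f, ClientIP: f.SrcIP}
		if f.PostNAT {
			e.ClientIP = "" // only a NAT entry valid at that time can give the client address back
			for _, m := range nat {
				if m.Public == f.SrcIP && m.PublicPort == f.SrcPort && within(f.Start, m.From, m.To) {
					e.ClientIP = m.Private
					break
				}
			}
		}
		for _, s := range sessions {
			if e.ClientIP != "" && s.ClientIP == e.ClientIP && within(f.Start, s.Login, s.Logout) {
				e.UniqueID = s.UniqueID
				break
			}
		}
		out = append(out, e)
	}
	return out
}

// BytesPerUser totals traffic per UniqueID; unattributed flows are returned, not dropped, so auditing can raise them.
func BytesPerUser(flows []Enriched) (map[string]uint64, []Enriched) {
	totals := map[string]uint64{}
	var unattributed []Enriched
	for _, f := range flows {
		if f.UniqueID == "" {
			unattributed = append(unattributed, f)
			continue
		}
		totals[f.UniqueID] += f.Bytes
	}
	return totals, unattributed
}

// SampleData is constructed for this example (not captured from A4-Mesh): two users hold the same private address at different times.
func SampleData() ([]Flow, []NATMapping, []Session) {
	at := func(h, m int) time.Time { return time.Date(2012, 5, 3, h, m, 0, 0, time.UTC) }
	sessions := []Session{
		{UniqueID: "123456@unibe.ch", ClientIP: "10.0.0.5", Login: at(9, 0), Logout: at(10, 0)},
		{UniqueID: "987654@unine.ch", ClientIP: "10.0.0.5", Login: at(10, 30), Logout: at(12, 0)},
	}
	nat := []NATMapping{
		{Public: "192.0.2.1", PublicPort: 40001, Private: "10.0.0.5", PrivatePort: 51000, From: at(9, 10), To: at(9, 20)},
		{Public: "192.0.2.1", PublicPort: 40001, Private: "10.0.0.5", PrivatePort: 52000, From: at(10, 40), To: at(10, 50)},
	}
	flows := []Flow{
		{SrcIP: "10.0.0.5", SrcPort: 51000, Start: at(9, 15), Bytes: 1500},
		{SrcIP: "192.0.2.1", SrcPort: 40001, Start: at(10, 45), Bytes: 2500, PostNAT: true},
		{SrcIP: "10.0.0.5", SrcPort: 53000, Start: at(10, 15), Bytes: 700}, // starts between the two sessions
	}
	return flows, nat, sessions
}

func main() {
	fmt.Println(BytesPerUser(Enrich(SampleData())))
}
```

The constructed sample has two users on the same private address at different times, plus a flow that starts between their sessions: matching on address alone would charge it to one of them, so the example leaves it unattributed and hands it back for auditing rather than dropping it. The same applies to an uplink flow whose NAT entry has expired; a public address and port are reused quickly and mean nothing without the time window.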
Accounting Aggregator
Network Monitoring
- Monitoring agent at each mesh node (Zabbix agent)
- Central server at the A4-Mesh gateway (Zabbix server)
Conclusions and Outlook
Conclusions
- The WMN is valuable for researchers working in the field.
- Implementation of SWITCHaai-based authentication and authorization for WMN nodes and end users
- Implementation of monitoring functions for WMN nodes
Outlook: integration and tests
a4-mesh.unibe.ch