Why eduroam sucks, and how to fix it.


Why eduroam sucks, and how to fix it. Josh Howlett, UKERNA. TNC 2007, Copenhagen.

eduroam doesn’t suck

“So what’s this talk about?” eduroam rocks! It is one of the best ideas in academic networking in years. Hundreds of Institutions already support it. It is revolutionising network service delivery.

Outline eduroam has become a victim of its own success. Explain the challenges. Discuss how these are being addressed. I am not here to evangelise!

The ‘growing pains’ of eduroam eduroam relies on some poorly implemented technologies. eduroam also relies on other technologies that weren’t designed for what eduroam is trying to achieve. Good policy is hard. (Figure: Gartner hype-cycle 2006.)

eduroam in a slide (diagram): Supplicant → Authenticator (AP or switch) → RADIUS server, University A → Central RADIUS proxy server → RADIUS server, University B → User DB. The guest piet@university_b.nl authenticates at University A; each campus network has Employee, Student and Commercial VLANs, and VLAN assignment follows 802.1X authentication. Signalling and data paths are shown separately. Trust is based on RADIUS plus policy documents.

The supplicant sucks (Windows’ supplicant, at least…)

Why Windows’ supplicant sucks Limited authentication options EAP-TLS (user certificates suck) EAP-PEAP (MS-CHAP sucks) Can’t authenticate against ‘hidden’ SSIDs Passwords cached in the registry The default configuration settings ~20 steps to implement a good configuration. ~4 sides of A4 including screenshots.

How we’re trying to fix it Our pain is the supplicant industry’s gain Some good but costly commercial supplicants Open source supplicants (Windows) SecureW2 An EAP-TTLS plug-in for the Windows supplicant Addresses some of the problems, but not all. Open1x project Port of Xsupplicant to Windows Managed by OpenSEA Alliance (Extreme Networks, Identity Engines, Infoblox, Symantec Corporation, TippingPoint, Trapeze Networks and UKERNA)

PKI sucks (for wireless authentication…)

Why PKI sucks The only available secure EAP methods depend on PKI No one understands PKI, least of all users. Certificates rooted to CAs in Windows cost €. Certificate-based TLS handshake is highly verbose Authentication is slow and fragile over a lossy network.

How we’re trying to fix it TERENA Server Certificate Service Another excellent initiative from TERENA Proposed shared-secret methods EAP-TLS-PSK EAP-GPSK Use a reliable transport for EAP (more later)

RADIUS sucks (…or RADIUS wasn’t designed for this!)

Why RADIUS sucks eduroam is pushing RADIUS’ capabilities. Routing is bound to the DNS hierarchy Who should manage .org, .edu or .net? ukerna.ac.uk is changing to ja.net… Hierarchical routing is fragile and slow EAP-PEAP: ~ 10-15 round-trips @ ~ 250ms RTT (~2-4 sec) ~ 2-5% packet loss Retransmission driven by RADIUS server (3-5 sec timeouts) Poor support for inter-domain authorisation user attributes are exposed to proxy servers RADIUS attributes are relatively inflexible (cf. SAML).
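The two slides above (the verbose certificate-based handshake, and the round-trip, loss and timeout figures) can be put into one rough model. This is an added example, not code from the talk or from any eduroam software: the EAP fragment size, the number of non-certificate round trips, and the assumption that every lost packet costs one full RADIUS retransmit timeout are all simplifications chosen for illustration.

```python
"""Rough model of why a proxied EAP-PEAP/TTLS exchange over RADIUS/UDP
is slow and fragile: the certificate chain is chopped into many EAP
fragments, each fragment is one RADIUS round trip across the proxy
chain, and every lost datagram is only recovered by a RADIUS-level
retransmit timeout. Added example; all parameters are assumptions."""
import math

# Assumption: bytes of TLS payload carried per EAP packet. Real values
# depend on the NAS and the EAP server's fragment-size setting.
EAP_FRAGMENT_SIZE = 1000


def eap_round_trips(cert_chain_bytes, base_round_trips=4,
                    fragment_size=EAP_FRAGMENT_SIZE):
    """RADIUS round trips needed for one TLS-based EAP authentication.

    The server certificate chain alone costs ceil(chain / fragment) round
    trips because each EAP fragment must be acknowledged before the next
    is sent. `base_round_trips` (an assumption) covers EAP-Identity, the
    ClientHello, the inner method and the final Access-Accept.
    """
    return base_round_trips + math.ceil(cert_chain_bytes / fragment_size)


def expected_auth_time(round_trips, rtt, loss, timeout):
    """Expected wall-clock time for the whole exchange, in seconds.

    One round trip succeeds only if both the request and the reply
    survive, so the per-attempt success probability is q = (1-loss)**2.
    Each failed attempt costs a full retransmit `timeout` before the
    retransmitting RADIUS peer tries again; the number of failed attempts
    before a success is geometric with mean (1-q)/q.
    """
    q = (1.0 - loss) ** 2
    per_round = rtt + timeout * (1.0 - q) / q
    return round_trips * per_round


def auth_failure_probability(round_trips, loss, max_attempts):
    """Probability that the authentication fails outright because some
    round trip loses all of its `max_attempts` transmissions."""
    q = (1.0 - loss) ** 2
    per_round_fail = (1.0 - q) ** max_attempts
    return 1.0 - (1.0 - per_round_fail) ** round_trips


if __name__ == "__main__":
    # Constructed scenario: a 6 KB chain (server cert plus intermediates),
    # 250 ms RTT across the proxy hierarchy, 3% loss, 4 s RADIUS timeout.
    n = eap_round_trips(6000)
    print("round trips:", n)
    print("lossless:      %.2f s" % expected_auth_time(n, 0.25, 0.0, 4.0))
    print("3%% loss, UDP:  %.2f s" % expected_auth_time(n, 0.25, 0.03, 4.0))
    # A reliable transport (RadSec over TCP) recovers a lost segment on a
    # TCP retransmit timer instead of a multi-second RADIUS timer; here
    # that is approximated as a 0.5 s recovery cost (assumption).
    print("3%% loss, TCP:  %.2f s" % expected_auth_time(n, 0.25, 0.03, 0.5))
    print("P(fail), 1 attempt per message: %.3f"
          % auth_failure_probability(n, 0.03, 1))
```

The point the numbers make is the slide's: the delay from retransmissions is comparable to the delay from the round trips themselves, and with a single transmission per message a few percent of loss fails a large fraction of logins, which is why both a shorter handshake (PSK-based EAP methods) and a reliable transport are being pursued.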

How we’re trying to fix it Routing RADSec RADIUS over TLS over TCP. Unlikely to gain traction in IETF. Diameter IETF’s proposed successor to RADIUS. Only one commercial implementation. We need PKI for both... Authorisation DAMe (GN JRA5) RADIUS-SAML (Internet2 FWNA) Perhaps we’re trying to be too clever? Would a small set of RADIUS attributes be sufficient to cover our use-cases?
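To make the routing and authorisation problems on the previous two slides concrete, here is a small model of realm-based RADIUS proxying in the eduroam hierarchy. It is an added example, not code from the talk or from any national or confederation proxy; the server hostnames, the routing tables and the user names are constructed for illustration. It shows the three things the slides complain about: routing follows DNS-style realm suffixes, a realm outside the country suffixes the top-level proxy knows (the ja.net rename) has no home, and every proxy on the path sees the outer User-Name in the clear.

```python
"""Toy model of eduroam's realm-based RADIUS request routing.
Added example with a constructed topology; not eduroam's own code."""

LOCAL = "LOCAL"   # marker: this server authenticates the realm itself


class NoRoute(Exception):
    """Raised when a server has no entry covering the realm."""


# Constructed topology. Each server's table maps a realm suffix to the
# next hop. An entry starting with '.' matches any realm ending in it,
# a bare name matches that realm or its subdomains, '' is the default
# route. Longest suffix wins, mirroring how proxies are configured.
ROUTING_TABLES = {
    "radius.university-a.ac.uk": {
        "university-a.ac.uk": LOCAL,     # own users: local user DB
        "": "ntlr.ja.net",               # everyone else: national proxy
    },
    "ntlr.ja.net": {                     # UK national proxy (constructed name)
        "university-a.ac.uk": "radius.university-a.ac.uk",
        "": "etlr.eduroam.org",          # non-UK: confederation top level
    },
    "etlr.eduroam.org": {                # top-level proxy: country suffixes only
        ".uk": "ntlr.ja.net",
        ".nl": "ntlr.surfnet.nl",
    },
    "ntlr.surfnet.nl": {                 # NL national proxy (constructed name)
        "university_b.nl": "radius.university_b.nl",
    },
    "radius.university_b.nl": {
        "university_b.nl": LOCAL,
    },
}


def split_nai(user_name):
    """Split a Network Access Identifier (RFC 4282) into user and realm.
    Proxies route on the realm only; the user part is never inspected,
    which is why an anonymous outer identity ('anonymous@realm') still
    routes correctly while hiding who is roaming."""
    if "@" not in user_name:
        raise ValueError("User-Name %r carries no realm; cannot route" % user_name)
    user, realm = user_name.rsplit("@", 1)
    return user, realm.lower()


def matches(realm, suffix):
    if suffix == "":
        return True
    if suffix.startswith("."):
        return realm.endswith(suffix)
    return realm == suffix or realm.endswith("." + suffix)


def next_hop(server, realm):
    """Longest-suffix-match lookup in one server's routing table."""
    table = ROUTING_TABLES[server]
    candidates = [s for s in table if matches(realm, s)]
    if not candidates:
        raise NoRoute("%s has no route for realm %r" % (server, realm))
    return table[max(candidates, key=len)]


def route_access_request(start, user_name, max_hops=6):
    """Forward an Access-Request hop by hop until a server claims the
    realm. Returns the ordered list of servers that handled the request.
    Every server in that list sees the outer User-Name and all other
    RADIUS attributes in the clear; only the EAP payload inside the TLS
    tunnel is hidden from them. RADIUS has no hop count, so `max_hops`
    is the only protection against a routing loop."""
    _, realm = split_nai(user_name)
    path, server = [start], start
    for _ in range(max_hops):
        target = next_hop(server, realm)
        if target == LOCAL:
            return path
        server = target
        path.append(server)
    raise NoRoute("hop limit reached for realm %r (routing loop?)" % realm)


if __name__ == "__main__":
    print(route_access_request("radius.university-a.ac.uk", "piet@university_b.nl"))
    print(route_access_request("radius.university-a.ac.uk", "alice@university-a.ac.uk"))
    try:
        route_access_request("radius.university-a.ac.uk", "alice@ja.net")
    except NoRoute as err:
        print("rejected:", err)   # '.net' belongs to no NREN in the hierarchy
```

Running it walks piet's request through five servers, answers a local user without leaving campus, and shows the rename problem directly: a realm under .net reaches the top-level proxy and is dropped there because nobody in the hierarchy is responsible for that suffix.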

Inconsistent policy sucks

Why inconsistent policy sucks Visible Services, Transparent Networks Consistency matters Reduces costs and improves user satisfaction. eduroam confederation policy “[Institutions] SHOULD provide open network access” Great idea, but will the ‘SHOULD’ be ignored? If tcp/80 is the only common denominator then in practice eduroam becomes interweb only. eduroam has competitors Commercial 802.11, GPRS, UMTS, 802.16, 802.20…

How we’re trying to fix it Opinions differ: 26 NRENs, 100s of Institutions… How should policy be balanced between Institutions, NRENs and confederation? Perhaps we need more experience? I carry about a GPRS/UMTS dongle; a sign of things to come? Do we need to add more value?

Conclusions Most Institutions can deploy eduroam without problems today. There are technology issues for some Institutions, but we’re close to fixing these. There are scaling issues, but these will be fixed in the medium term. This is not an excuse for delaying joining! The confederation policy may need some minor adjustments, but nothing significant. Do we need to add more value?

Thank you for your attention Any questions?