AIMS'99 Workshop, Heidelberg, 11-12 May 1999
P805: Internet Roaming
Giuseppe Sisto - Telecom Italia / CSELT
Project participants: Deutsche Telekom, Finnet Group, France Telecom, MATAV, Telecom Italia

Agenda
- Scope
- Objectives
- Technical approach
- P805 results
- P914 expected results

The Scope (from P717)
- Multiple ISPs in each country
- Problem similar to GSM roaming
- Same model for the roaming solution
- Based on bilateral agreements between parties
- No central clearing point
- Distributed solution: scalable and robust

Roaming Service Reference Model
(Figure) The Home ISP's roaming user dials in to a NAS (Network Access Server) of the Remote ISP; the Remote ISP's authentication server must then validate the user against the Home ISP's authentication server across the Internet.
- Traditional, centralized solution: a 3rd-party clearing point sits between the two ISPs' authentication servers
- P805 solution: a direct A-A (authentication server to authentication server) interface between the Remote ISP and the Home ISP

The Requirements
- Terminal-network interface:
  - should work for PSTN and ISDN
  - should work for most common devices and configurations
- Network-network interface (A-A protocol):
  - should allow transport of all necessary parameters
  - should be secure (encryption, mutual validation)
  - should run over IP
- Compatible with existing third-party solutions

The Possible Solutions
The solutions examined:
- HTTP based
- RADIUS based
- DIAMETER
- RADIUS/LDAP integration

HTTP-based Solution
- SIR: Secure Internet Roaming specification (iPass consortium)
- Good security level (use of encryption and digital certificates)
- Based on a "centralized" model (MSS = Message Switching Server): out of our scope
(Figure) H-ISP's roaming user -> PPP with CHAP -> NAS and RSAP at the Remote ISP (R-ISP) -> encrypted communication, HTTP over SSL -> MSS -> VNAS / authorizing entity at the Home ISP (H-ISP)

RADIUS-based Solution
(Figure) H-ISP's roaming user -> PPP with CHAP -> NAS at the Remote ISP (R-ISP) -> AAA server (RADIUS) at R-ISP -> AAA server (RADIUS) at an Intermediate ISP (I-ISP) -> AAA server (RADIUS) at the Home ISP (H-ISP)
- No end-to-end security in case of untrusted intermediate proxies: RADIUS protects each hop only with the shared secret of that hop, so every intermediate proxy can read and modify all attributes (User-Password is unhidden and re-hidden at each proxy; CHAP-Challenge and CHAP-Password are not hidden at all)
- Protocol not extensible: need for a new protocol
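The hop-by-hop weakness called out above, shown as an added example (not from the P805 deck or from any of the project's software): the RFC 2865 section 5.2 User-Password hiding algorithm and the RFC 1994 CHAP response, run through a simulated R-ISP NAS -> I-ISP proxy -> H-ISP chain. The proxy has to recover the PAP password in clear to re-hide it for the next hop, and anything that sees CHAP-Challenge plus CHAP-Password can guess the password offline. All secrets, user names and passwords below are constructed for illustration.

```python
"""Why a RADIUS proxy chain gives no end-to-end confidentiality (RFC 2865, RFC 1994)."""
import hashlib
import secrets


def radius_encrypt_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Hide a PAP password as RFC 2865 section 5.2 does: XOR each 16-byte chunk with
    MD5(shared_secret || previous_block), seeded with the 16-byte Request Authenticator."""
    if len(authenticator) != 16:
        raise ValueError("Request Authenticator must be 16 bytes")
    if not 0 < len(password) <= 128:
        raise ValueError("User-Password must be 1..128 bytes")
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = bytearray(), authenticator
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ k for p, k in zip(padded[i:i + 16], key))
        out += block
        prev = block  # chaining: the next key block depends on this ciphertext block
    return bytes(out)


def radius_decrypt_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Inverse of radius_encrypt_password. Trailing NUL padding is stripped, so a
    password that itself ends in NUL is ambiguous (an RFC 2865 limitation)."""
    if len(hidden) == 0 or len(hidden) % 16:
        raise ValueError("hidden password length must be a positive multiple of 16")
    out, prev = bytearray(), authenticator
    for i in range(0, len(hidden), 16):
        block = hidden[i:i + 16]
        key = hashlib.md5(secret + prev).digest()
        out += bytes(c ^ k for c, k in zip(block, key))
        prev = block
    return bytes(out).rstrip(b"\x00")


def proxy_forward(request: dict, secret_in: bytes, secret_out: bytes):
    """What an intermediate RADIUS proxy must do with an Access-Request carrying
    User-Password: unhide with the secret shared with the previous hop, re-hide with
    the next hop's secret under a fresh Request Authenticator.
    Returns (forwarded request, the plaintext the proxy necessarily saw)."""
    plaintext = radius_decrypt_password(request["User-Password"], secret_in, request["Authenticator"])
    new_auth = secrets.token_bytes(16)
    forwarded = {
        "User-Name": request["User-Name"],
        "Authenticator": new_auth,
        "User-Password": radius_encrypt_password(plaintext, secret_out, new_auth),
    }
    return forwarded, plaintext


def roaming_chain(user_name: bytes, password: bytes, secret_nas_iisp: bytes, secret_iisp_hisp: bytes):
    """R-ISP NAS -> I-ISP proxy -> H-ISP server, as in the slide's figure (simulated in-process).
    Returns (password as seen by the intermediate ISP, password as seen by the home ISP)."""
    auth = secrets.token_bytes(16)
    request = {"User-Name": user_name, "Authenticator": auth,
               "User-Password": radius_encrypt_password(password, secret_nas_iisp, auth)}
    forwarded, seen_by_intermediate = proxy_forward(request, secret_nas_iisp, secret_iisp_hisp)
    seen_by_home = radius_decrypt_password(forwarded["User-Password"], secret_iisp_hisp,
                                           forwarded["Authenticator"])
    return seen_by_intermediate, seen_by_home


def chap_response(ident: int, password: bytes, challenge: bytes) -> bytes:
    """RFC 1994 CHAP: MD5(Identifier || secret || Challenge). In RADIUS the response and
    the challenge travel as CHAP-Password / CHAP-Challenge with no hiding at all."""
    return hashlib.md5(bytes([ident]) + password + challenge).digest()


def chap_offline_guess(ident: int, challenge: bytes, response: bytes, candidates):
    """Any proxy on the path that sees CHAP-Challenge and CHAP-Password can test guesses
    offline; returns the first candidate that reproduces the response, else None."""
    for guess in candidates:
        if chap_response(ident, guess, challenge) == response:
            return guess
    return None


if __name__ == "__main__":
    # constructed sample values
    seen_i, seen_h = roaming_chain(b"user@tin.it", b"Roam1ng!", b"nas-iisp-secret", b"iisp-hisp-secret")
    print("intermediate ISP saw:", seen_i, "| home ISP saw:", seen_h)
```

The point for a roaming design is that the I-ISP here is not a passive relay: its proxy decrypts, could log, and re-encrypts, and the home ISP has no way to detect a modified User-Name or a substituted password. For CHAP the proxy does not even need a secret; the challenge and response pair is enough for a dictionary attack against the home ISP's user.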

DIAMETER Protocol
(Figure) H-ISP's roaming user -> PPP with CHAP -> NAS at the Remote ISP (R-ISP) -> RADIUS protocol -> DIAMETER (proxy) server at R-ISP -> DIAMETER protocol -> DIAMETER (proxy) server at the Home ISP (H-ISP)
- DIAMETER: framework for any service which requires AAA/policy support; flexible and extensible
- Wide range of security solutions (including X.509 certificates)
- Roaming scenario not yet available in '98
- Only one "experimental" implementation, from Merit
- Not yet officially recognized by the IETF

A Directory Enabled Solution
- Directory Enabled Networks: a single common directory to support all applications, services and infrastructure (network operating system, other applications and the directory service share it)
- LDAP v3 (Lightweight Directory Access Protocol): IETF standard for Internet directories (RFC 2251)
- Client/server model, distributed service, security framework (access control / TLS / SASL)

LDAP-based roaming model
(Figure) The H-ISP's roaming user presents a password to the NAS at the Remote ISP (R-ISP); the NAS talks RADIUS to the R-ISP AAA server (RADIUS server plus LDAP client), which then:
1. sends an LDAP inquiry to the R-ISP LDAP server;
2. receives a referral to the H-ISP LDAP server;
3. sends the inquiry to the H-ISP LDAP server at the Home ISP (H-ISP).

Directory information modeling
(Figure) Directory tree held by ISP1:
- o=ISP1 (e.g. o=TIN.IT)
  - uid=ISP1User1, uid=ISP1User2, ... uid=ISP1UserN
  - o=ISP1AdminUsers, holding uid=ISPnAuthorisedUser entries
- o=ISP2 (referral entry)
- ... o=ISPn (referral entry)
Referral entries are pointers to the other ISPs' LDAP servers.
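The referral-based flow of the two slides above, as an added example written for this page; it is not the P805 RADIUS/LDAP gateway and uses an in-memory stand-in for the LDAP servers rather than a real directory. It assumes the realm of a user@realm name maps to the naming context o=<REALM> (the slide's o=TIN.IT), that each ISP stores passwords in the {SSHA} userPassword format and that referrals are followed for at most MAX_REFERRAL_HOPS hops; the ISP names, URLs, users and passwords are constructed. What it adds to the figure is the failure handling a gateway needs: an unknown realm, a dangling referral, a referral loop or a wrong password all end in Access-Reject.

```python
"""RADIUS/LDAP gateway at the remote ISP following directory referrals to the home ISP."""
import base64
import hashlib
import hmac
import os
from dataclasses import dataclass, field

MAX_REFERRAL_HOPS = 3  # assumption: bound referral chasing so a loop cannot hang the NAS


@dataclass
class Referral:
    url: str  # LDAP URL of another ISP's server (constructed, e.g. ldap://ldap.isp2.example)


@dataclass
class DirectoryServer:
    """In-memory stand-in for one ISP's LDAP server (illustrative, not a real LDAP implementation)."""
    url: str
    base: str                                      # own naming context, e.g. o=TIN.IT
    users: dict = field(default_factory=dict)      # uid -> {SSHA} userPassword value
    referrals: dict = field(default_factory=dict)  # foreign o=... -> Referral

    def lookup(self, dn: str):
        """Resolve uid=<user>,o=<ISP>: own users come back as entries, foreign naming
        contexts as referral entries, anything else as None (no such object)."""
        uid, _, org = dn.partition(",")
        if org == self.base:
            stored = self.users.get(uid[len("uid="):])
            return {"dn": dn, "userPassword": stored} if stored else None
        return self.referrals.get(org)


def ssha_hash(password: str, salt: bytes = None) -> str:
    """Salted SHA-1 userPassword as stored by directory servers of the period."""
    salt = os.urandom(8) if salt is None else salt
    digest = hashlib.sha1(password.encode() + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode()


def ssha_verify(password: str, stored: str) -> bool:
    if not stored.startswith("{SSHA}"):
        return False
    raw = base64.b64decode(stored[len("{SSHA}"):])
    digest, salt = raw[:20], raw[20:]
    return hmac.compare_digest(hashlib.sha1(password.encode() + salt).digest(), digest)


def split_nai(nai: str):
    """user@realm -> (user, realm); the last '@' separates, so the user part may contain one."""
    user, sep, realm = nai.rpartition("@")
    if not sep or not user or not realm:
        raise ValueError("NAI must be user@realm")
    return user, realm.lower()


def authenticate(nai: str, password: str, local_ds: DirectoryServer, servers: dict) -> str:
    """Gateway logic: map the realm to o=<REALM>, ask the local directory, follow at most
    MAX_REFERRAL_HOPS referrals, compare the password at the home directory.
    Every failure path is Access-Reject (fail closed)."""
    try:
        user, realm = split_nai(nai)
    except ValueError:
        return "Access-Reject"
    dn = f"uid={user},o={realm.upper()}"
    server, hops = local_ds, 0
    while True:
        result = server.lookup(dn)
        if isinstance(result, Referral):
            hops += 1
            if hops > MAX_REFERRAL_HOPS or result.url not in servers:
                return "Access-Reject"  # referral loop, dangling pointer or unreachable home ISP
            server = servers[result.url]
            continue
        if result is None:
            return "Access-Reject"
        return "Access-Accept" if ssha_verify(password, result["userPassword"]) else "Access-Reject"


def build_pilot_directories():
    """Constructed two-ISP setup mirroring the slide's tree: each ISP holds its own users
    under its own o=..., plus a referral entry pointing at the other ISP's server."""
    home = DirectoryServer(url="ldap://ldap.tin.it.example", base="o=TIN.IT",
                           users={"isp1user1": ssha_hash("Roam1ng!")})
    remote = DirectoryServer(url="ldap://ldap.isp2.example", base="o=ISP2.EXAMPLE",
                             users={"isp2user1": ssha_hash("Loc4l!")})
    home.referrals["o=ISP2.EXAMPLE"] = Referral(remote.url)
    remote.referrals["o=TIN.IT"] = Referral(home.url)
    remote.referrals["o=LOOP.EXAMPLE"] = Referral(remote.url)  # points back at itself: hop limit must catch it
    servers = {home.url: home, remote.url: remote}
    return home, remote, servers


if __name__ == "__main__":
    _, remote_ds, all_servers = build_pilot_directories()
    print("local user  :", authenticate("isp2user1@isp2.example", "Loc4l!", remote_ds, all_servers))
    print("roaming user:", authenticate("isp1user1@tin.it", "Roam1ng!", remote_ds, all_servers))
```

Two design points carry over to a real deployment: the remote ISP never stores or learns the home ISP's password hashes (it only sends the compare to the home directory, which in the pilot ran over SSL between the LDAP servers), and the hop limit is what keeps a misconfigured referral entry from turning into a denial of service at the NAS.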

The Pilot

Implementation description
- Merit AAA Server (basic version)
- Netscape Directory Server
- Project development of a RADIUS/LDAP gateway
- Set-up of a Certification Authority to issue X.509 certificates for the use of SSL (sn=SIRTE CA, o=CSELT, c=IT)

The Trials
- Functionality tests
  - whole chain from roaming end-user to home ISP's directory server
- Performance tests
  - local access vs. remote access of a user
  - secure connections vs. non-secure connections between LDAP servers
  - influence of DB size
- "Near Operational" tests
  - all participants simultaneously authenticating themselves both locally and remotely over a period of time

Results from the Trials
- Functionality tests: the model works!
- Performance tests
  - Local access:
    - non-secure connections: delay of a few tenths of a second
    - secure connections: delay about 1/3 higher than with non-secure connections
    - no influence of DB size
  - Remote access:
    - network delay of a few seconds: the delay introduced by the use of SSL is not relevant
- "Near Operational" tests: influenced by network conditions

Recommendations from the Pilot
ISPs:
- before signing contracts for centralised solutions with third-party providers, first identify the participation costs of the consortia;
- do not sign "exclusive" contracts for centralised solutions with third-party providers; keep the possibility to offer a de-centralised solution at the same time!
- keep the research activity under observation, as it may provide important innovations in the near future.

P914: Study and Trials for Internet Roaming in Europe
Scope & Activities
- Two new participants: Portugal Telecom and Telefonica España
- Enhancements to the roaming solution: management aspects, accounting mechanisms, security, directory phonebook
- Client interface for roaming users
- Support DIAMETER work: development and trial of a DIAMETER-based roaming solution (EURESCOM is now a member of the Merit AAA consortium; members are active participants in the IETF ROAMOPS and AAA groups)