Slide 1
www.canarie.ca | www.restena.lu
Looking into the Future: Exploring Enhancements to eduroam Infrastructure
Presenters: Chris Phillips – CANARIE, Canada; Stefan Winter – RESTENA, Luxembourg
June 3, 2013 | TNC2013 | Maastricht, NL
Slide 2: Recent Stats
– Thousands (~10,000+) points of presence for the eduroam SSID
– 60 countries/regions in production, 27 in pilot
– 60,000,000+ successful transactions processed monthly
– Between 10-13% is international traffic
Slide 3: eduroam Today
Diagram: id pam@restena.lu, authenticating at a site in realm ubc.ca, is routed via realm ca (Federation Server) to the Confederation Servers, then to realm lu and on to realm restena.lu (other realms shown: sfu.ca, uni.lu).

Predicting Growth – hard, but let's try
– Needed for preservation of quality & enough runway to act
– Crystal ball assumptions: ratio 2:87:10000:50MM (root servers : countries : sites : monthly sign-ons), or 10 countries/yr, each with 114 'domains' & 575k sign-ons/month
– Adding another 30 countries requires 1 more root server
– No one has any more devices than they do today
– There are 193 countries/regions worldwide. What does this look like 3 years out, then?

Today: 87 countries, 2 root servers, 10,000+ sites
3 years from now: 117 countries, 3? root servers, 13,348+ sites
Slide 4: Why do something different?
– Mobility's explosive growth is hard to predict (size/frequency etc.)
– TCO profile improvements to be made from new tech.
– Int'l roaming: the hierarchical model of TLD != geography/country oversight (e.g. .edu/.org)
– Hierarchical structure: transactional performance cost becomes more pronounced as mobility increases
Bottom line: need to investigate ways to have optimal service performance & cost which break away from the same curve as growth
Slide 5: Breaking it down…
Slide 6: The Three Steps for Authentication
1. Given the realm, find an IP address of the authentication server (@restena.lu -> tld1.eduroam.lu)
2. Find out if the discovered host is trustworthy (i.e. a valid eduroam IdP)
3. Exchange authentication information securely

Classic RADIUS 'Solution': everything is in a text-based config file:
  realm restena.lu {
      server 158.64.1.26
      secret not_on_the_slides
  }
eduroam could only scale to world-wide operations by aggregating based on TLD.
Slide 7: Digging Into The Authentication Steps
1. Given the realm, find an IP address of the authentication server (@restena.lu -> tld1.eduroam.lu)
   ✔ DONE: NAPTR records in DNS for the "x-eduroam" service
2. Find out if the discovered host is trustworthy (i.e. a valid eduroam IdP)
   ? DONE? PKI, DANE
3. Exchange authentication information securely
   ✔ DONE: RFC 6614 (RADIUS over TLS)
Slide 8: Determining Trustworthiness
Deployed solution – in production: PKI
– issue eduroam (IdP|SP) certificates to operators
– verify certificates during RADIUS/TLS connection setup
Drawbacks:
– PKIs are cumbersome!
  – Central point needs to do identity vetting (PGP, select X.509 email certs)
  – Certificate expiry, revocation handling, …
  – More than one CA -> trust anchor management
– We are going the same way as Grids are
Slide 9: Operational Experience
– Most certificate requests fail because the requester is not known to the RA operator
  – e.g.: I didn't exchange PGP keys with the Chile NRO
– Sometimes the domain name requested does not match the realm in eduroam; extra checks with NRO personnel needed
– Underlying problem: someone "far far away" needs to rubber-stamp something that a local person could do much better
If only we could de-centralise this...
Slide 10: Future Contexts
(Images: cubmundo, http://www.flickr.com/photos/cubmundo/7174576572/; Greg Bishop, http://www.flickr.com/photos/konabish/5968465331/)
– Reality: we're no longer nimble; we now have a battleship's turning radius
– Recommendations/explorations take time to do well and have a long shelf life, which means planning horizons of 2, 3, 5+ years for deployment
– Total Cost of Ownership: always an eye on overall cost; want to explore new paths for trust management. PKIX is already woven into today's model; improvements to this?

Approach by timeframe:
– 2 years out: do a mix of NAPTR, shared secret, RADSEC?
– 3 years out: go toward a stronger PKIX model?
– 5 years out: leverage DNSSEC & DANE?
Slide 11: DNSSEC + DANE: Why can it make PKI obsolete (for us)?
Requires: a trustworthy (branch of) DNS, i.e. DNSSEC for
– idp.eduroam.org
– sp.eduroam.org
Provides: keying material for RADIUS/TLS
– after NAPTR finds the hostname/IP of the authentication server, try to find keying material at tld1.eduroam.lu.idp.eduroam.org
– if found -> valid IdP!
Someone needs to put these keys into the DNS tree
– this is a known, decentralisable, and solved problem
Slide 12: 30,000ft overview: DANE records
✔ idp.eduroam.org can become DNSSEC sub-branches
✔ .idp.eduroam.org & .idp.eduroam.org sub-branches can be delegated to eduroam NROs
✔ NROs can collect certificates/keys from their IdPs and update their DNS sub-branch
✔ find a way to update gTLD sub-branches (.edu, .org, .com); can be made a burden for eduroam OT
Slide 13: eduroam augmented with DANE
Diagram: the hierarchy from slide 3 (id pam@restena.lu; realms ubc.ca, sfu.ca, ca; Federation Server; Confederation Servers; realms lu, restena.lu, uni.lu) with the hotspot Host: hotspot.ubc.ca. eduroam.org is a DNSSEC-signed zone containing idp.eduroam.org and sp.eduroam.org, with the entries tld1.eduroam.lu.idp.eduroam.org and hotspot.ubc.ca.sp.eduroam.org.
Exchange shown:
– "Is 'Host' in DNS & does it have a cert?" – "Yes, here it is!"
– "tld1.eduroam.lu, can I have your key?" – "Yes, here it is!"
– "Yup, the key offered matches that in the DNSSEC tree; you shall pass, carry on!"
Slide 14: Call for Participation to Validate Approach
✔ RADIUS server needs to do NAPTR lookups based on realm
○ RADIUS server needs to look up DANE IdP keys via DNSSEC query based on the discovered hostname (needs CODE for FLR servers)
○ as server: during RADIUS/TLS connection setup, must verify TLS data vs. DANE data (needs CODE)
○ as client: during RADIUS/TLS connection setup, needs to extract the name from the client cert and look up DANE SP keys (needs SPECIFICATION, similar to [1])
[1] https://datatracker.ietf.org/doc/draft-ietf-dane-srv/?include_text=1
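The discovery-then-DANE flow that slides 7, 11, 13 and 14 describe (realm -> NAPTR -> authentication server hostname -> TLSA record under idp.eduroam.org -> compare against the certificate offered in the RADIUS/TLS handshake), as an added example that is not code from the presentation or from any eduroam server software. All DNS answers are constructed in memory so it runs offline; the hostnames, the exact NAPTR service tag "x-eduroam:radius.tls" and the certificate bytes are assumptions. Only RFC 6698 selector 0 (full certificate) with matching types 0/1/2 and certificate usage 3 is implemented; a TLSA answer that was not DNSSEC-validated is treated as no answer at all, which is the property slide 11 relies on.

```python
"""Simulated eduroam IdP discovery plus DANE verification (constructed example).

Models the three steps from the slides on in-memory DNS data:
  1. realm -> NAPTR -> SRV -> hostname/port of the authentication server
  2. hostname -> TLSA records under idp.eduroam.org (must come from a
     DNSSEC-validated answer, otherwise they carry no trust)
  3. compare the certificate presented in the RADIUS/TLS handshake with the
     TLSA association data (RFC 6698 selector 0, matching types 0/1/2)
"""
import hashlib
import hmac

# Constructed NAPTR data: realm -> [(order, preference, flags, service, replacement)].
# Hostnames are hypothetical; the service tag is an assumption (slides say "x-eduroam").
NAPTR = {
    "restena.lu": [
        (200, 10, "s", "x-eduroam:radius.tls", "_radsec-backup._tcp.eduroam.lu."),
        (100, 10, "s", "x-eduroam:radius.tls", "_radsec._tcp.eduroam.lu."),
    ],
}

# Constructed SRV data: owner -> [(priority, weight, port, target)].
SRV = {
    "_radsec._tcp.eduroam.lu.": [(10, 0, 2083, "tld1.eduroam.lu.")],
    "_radsec-backup._tcp.eduroam.lu.": [(10, 0, 2083, "tld2.eduroam.lu.")],
}

# Constructed TLSA data: owner -> {"secure": <DNSSEC-validated?>, "records": [...]}
# where each record is (usage, selector, matching_type, association_data).
TLSA = {}

# Constructed stand-in for the DER certificate the IdP presents during RADIUS/TLS.
IDP_CERT_DER = b"constructed DER certificate bytes for tld1.eduroam.lu"


def tlsa_owner(hostname: str, role: str = "idp") -> str:
    """Owner name where eduroam publishes keys, e.g. tld1.eduroam.lu.idp.eduroam.org."""
    return f"{hostname.rstrip('.')}.{role}.eduroam.org."


def association_data(cert_der: bytes, selector: int, matching_type: int) -> bytes:
    """RFC 6698 association data for selector 0 (full certificate)."""
    if selector != 0:
        raise NotImplementedError("selector 1 (SPKI) needs a DER parser; not shown here")
    if matching_type == 0:
        return cert_der
    if matching_type == 1:
        return hashlib.sha256(cert_der).digest()
    if matching_type == 2:
        return hashlib.sha512(cert_der).digest()
    raise ValueError(f"unknown matching type {matching_type}")


def publish_tlsa(hostname: str, cert_der: bytes, secure: bool = True,
                 usage: int = 3, selector: int = 0, matching_type: int = 1) -> None:
    """What an NRO does for its sub-branch: put the IdP's key material into DNS."""
    entry = TLSA.setdefault(tlsa_owner(hostname), {"secure": secure, "records": []})
    entry["records"].append((usage, selector, matching_type,
                             association_data(cert_der, selector, matching_type)))


def discover_auth_server(realm: str) -> tuple[str, int]:
    """Step 1: realm -> NAPTR (lowest order/preference first) -> SRV -> (host, port)."""
    candidates = [r for r in NAPTR.get(realm, []) if r[3] == "x-eduroam:radius.tls"]
    if not candidates:
        raise LookupError(f"no x-eduroam NAPTR record for realm {realm}")
    _order, _pref, _flags, _service, replacement = sorted(candidates)[0]
    srv = SRV.get(replacement)
    if not srv:
        raise LookupError(f"no SRV record at {replacement}")
    _prio, _weight, port, target = sorted(srv)[0]
    return target, port


def verify_against_dane(hostname: str, presented_cert_der: bytes) -> bool:
    """Steps 2+3: accept the peer only if a DNSSEC-secured TLSA record matches."""
    entry = TLSA.get(tlsa_owner(hostname))
    if entry is None or not entry["secure"]:
        return False  # absent or unsigned answers prove nothing
    for usage, selector, matching_type, data in entry["records"]:
        if usage != 3:  # only DANE-EE (usage 3) is handled in this example
            continue
        try:
            computed = association_data(presented_cert_der, selector, matching_type)
        except NotImplementedError:
            continue
        if hmac.compare_digest(computed, data):
            return True
    return False


def authenticate_realm(realm: str, presented_cert_der: bytes) -> tuple[str, int, bool]:
    """Whole flow for one realm: where to send the request, and is the peer trusted."""
    host, port = discover_auth_server(realm)
    return host, port, verify_against_dane(host, presented_cert_der)


# Populate the constructed zone: the .lu NRO publishes its IdP's certificate hash.
publish_tlsa("tld1.eduroam.lu.", IDP_CERT_DER)
# An entry that did not validate under DNSSEC: must never be trusted.
publish_tlsa("tld2.eduroam.lu.", IDP_CERT_DER, secure=False)

if __name__ == "__main__":
    print(authenticate_realm("restena.lu", IDP_CERT_DER))
```

In a real FLR server the `secure` flag is the AD bit from a validating resolver (or the result of in-process DNSSEC validation), the certificate bytes come from the TLS handshake, and selector 1 (SubjectPublicKeyInfo) would normally be supported as well so that an IdP can renew its certificate without republishing a TLSA record as long as its key stays the same.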
Slide 15: Where to get involved
TNC2013
– Openspaces sessions: TBD
– eduroam BOF: June 3, 18:00-19:30, Rm D, https://tnc2013.terena.org/core/event/8
Ongoing:
– TF-Mobility group: http://www.terena.org/activities/tf-mobility/mailinglist.html
– Engage your regional operator
Thank you!
Chris.phillips@canarie.ca
Stefan.winter@restena.lu
Slide 16: Useful References
– The DNS-Based Authentication of Named Entities (DANE) Transport Layer Security (TLS) Protocol: TLSA: http://tools.ietf.org/html/rfc6698
– Use Cases and Requirements for DNS-Based Authentication of Named Entities (DANE): http://tools.ietf.org/html/rfc6394
– Useful reference about expected responses, SMTP and DANE: https://datatracker.ietf.org/doc/draft-ietf-dane-srv/?include_text=1
– RADSEC whitepaper: http://www.open.com.au/radiator/radsec-whitepaper.pdf
– Interesting other enhancements/ideas about certificates and related security: http://www.certificate-transparency.org/faq