EduRoam: mobility across Europe... and Spain
Toledo, 29 October 2004
Klaas.Wierenga@surfnet.nl
2 Contents
Past
Present
Future
Past Why did we do it?
4 Threats (Kismet+Airsnort)
root@ibook:~# tcpdump -n -i eth1
19:52:08.995104 10.0.1.2 > 10.0.1.1: icmp: echo request
19:52:08.996412 10.0.1.1 > 10.0.1.2: icmp: echo reply
19:52:08.997961 10.0.1.2 > 10.0.1.1: icmp: echo request
19:52:08.999220 10.0.1.1 > 10.0.1.2: icmp: echo reply
19:52:09.000581 10.0.1.2 > 10.0.1.1: icmp: echo request
19:52:09.003162 10.0.1.1 > 10.0.1.2: icmp: echo reply
^C
5 Opportunities
(Diagram: Institution A WLAN and Institution B WLAN connected via the SURFnet backbone, with access providers for POTS, ADSL, WLAN and GPRS, and international connectivity.)
6 Requirements definition
Enable NREN users to use the Internet (WLAN and wired) everywhere in Europe with:
– Minimal administrative overhead (per roaming user)
– Good usability
– Maintaining required security for all partners
– Scalable!
Results:
– Web: scalable, unsafe
– VPN: not scalable, safe
– 802.1X: safe, scalable... but new
7 EduRoam
(Diagram: a supplicant for guest user piet@institution_b.nl connects to an authenticator (AP or switch) at Institution A; the RADIUS server of Institution A forwards the request over the Internet to a central RADIUS proxy server, which forwards it to the RADIUS server of Institution B and its user DB. Signalling and data paths are drawn separately; the authenticator places the user in the Student, Guest or Employee VLAN.)
Trust fabric based on RADIUS
802.1X and EAP
(802.1Q VLAN assignment)
8 Tunneled Authentication (TTLS/PEAP)
Uses a TLS tunnel to protect data
– The TLS tunnel is established using the server certificate, automatically authenticating the server and preventing man-in-the-middle attacks
Allows use of dynamic session keys for line encryption
© Alfa&Ariss
Present Where are we now?
10 EduRoam participants
June 2004: 275 participating institutions
Soon: USA and Australia
11 EduRoam.nl
Future What’s next?
13 EduRoam - Limitations
(Diagram: User@uclm.es at an access point in .nl is authenticated via the .nl server, the European server and the .es server down to the uclm.es user database; .ac.uk and uva.nl appear as further peers.)
AA traffic goes through all intermediate entries
All links are peer-to-peer agreements / static routes
Authentication = authorization
14 Alternative – RADIUS / PKI
(Diagram: a client such as an 802.11 access point at visit.org, a RADIUS server at visit.org acting as proxy for other realms, the home RADIUS server at home.org with its user account db, and a Certificate Authority for roam.org. Steps: 1 authenticate / authorize user@home.org; 2 (2a–2d) radius.visit.org and radius.home.org verify each other's certificate and set up an IPSEC / TLS connection; 3, 4; 5 OK.)
All parties in the roaming domain use certificates issued by the roam.org CA
© Telematica Instituut
15 Alternative Solutions - DIAMETER
(Diagram: a client such as an 802.11 access point at visit.org, a DIAMETER server at visit.org relaying for other realms, a DIAMETER server acting as redirector (broker) for roam.org, and the home DIAMETER server at home.org with its user account db. Static routes lead to the redirector, which answers "redirect to diameter.home.org"; a dynamic route with a secure connection is then set up to home.org. Steps: 1 authenticate / authorize user@home.org; 2, 3, 4, 5; 6 OK; 7.)
See section 2.8.3 of RFC 3588 "Diameter Base Protocol"
All connections between entities secured with IPSEC or TLS (using shared secret, PKI, ...)
© Telematica Instituut
16 Alternative - RADIUS-DNSSEC
(Diagram: a client such as an 802.11 access point at visit.org, a RADIUS server at visit.org acting as proxy for other realms, the home RADIUS server at home.org with its user account db, a DNS server authoritative for roam.org and a caching forwarder. Steps: 1 authenticate / authorize user@home.org; 2–5 secure lookup of the radius server associated with home.org.roam.org, answered with A:111.222.111.222 and CERT:key=a;sd98yhq3ra; 6 establish connection dynamically; 7 OK; 8, 9.)
© Telematica Instituut
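The static proxy chain of the architecture and limitations slides, set beside the direct connection of the RADIUS-DNSSEC alternative, as an added example (not code from the original presentation). The server names, realms, routing tables and the directory dict standing in for the DNSSEC lookup are all constructed.

```python
# Added example (not from the original slides): realm-based RADIUS proxy
# routing through the static eduroam hierarchy the deck describes, beside a
# direct connection after dynamic discovery (the RADIUS-DNSSEC slide).
# Every server name, realm and table here is constructed.
LOCAL = "LOCAL"  # marker: this server holds the realm's user database

# Static routes per proxy: its own realms plus a default uplink "*".
# Keys are realm suffixes; the longest matching suffix wins.
ROUTES = {
    "radius.uclm.es":    {"uclm.es": LOCAL, "*": "radius.rediris.es"},
    "radius.rediris.es": {"uclm.es": "radius.uclm.es", "*": "radius.terena.eu"},
    "radius.terena.eu":  {"es": "radius.rediris.es", "nl": "radius.surfnet.nl"},
    "radius.surfnet.nl": {"uva.nl": "radius.uva.nl", "*": "radius.terena.eu"},
    "radius.uva.nl":     {"uva.nl": LOCAL, "*": "radius.surfnet.nl"},
}
# Stand-in for a DNSSEC-validated lookup of "<realm>.roam.org".
DIRECTORY = {"uclm.es": "radius.uclm.es", "uva.nl": "radius.uva.nl"}

def parse_outer_identity(nai):
    """(user, realm) from an EAP outer identity; realm is None if absent.
    Only the realm is used for routing, so anonymous@uclm.es routes too."""
    user, sep, realm = nai.rpartition("@")
    if sep and (not realm or "" in realm.split(".")):
        raise ValueError(f"malformed realm in {nai!r}")
    return (nai, None) if not sep else (user, realm.lower())

def _next_hop(table, realm):
    labels = realm.split(".")
    for i in range(len(labels)):            # longest suffix first
        hop = table.get(".".join(labels[i:]))
        if hop:
            return hop
    return table.get("*")                   # default uplink, may be None

def static_path(start, nai):
    """Servers an Access-Request crosses before reaching the home server;
    raises when the realm is unroutable or the static routes loop."""
    _, realm = parse_outer_identity(nai)
    path = [start]
    while realm is not None:                # realm-less identities are local
        hop = _next_hop(ROUTES[path[-1]], realm)
        if hop == LOCAL:
            break
        if hop is None or hop in path:      # no route, or a proxy loop
            raise ValueError(f"{realm!r} unroutable at {path[-1]}")
        path.append(hop)
    return path

def dynamic_path(start, nai):
    """Direct peer after the directory lookup: never more than two hops."""
    _, realm = parse_outer_identity(nai)
    return [start] if realm is None else [start, DIRECTORY[realm]]
```

Every server on the static path sees the outer identity and the EAP exchange passing through, which is why the deck pairs the hierarchy with tunneled authentication and looks at dynamic discovery as a way to shorten the chain.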
17 EduRoam – Authorization?
(Diagram: User@uclm.es, the .nl, European, .ac.uk and .es servers, the uclm.es user database, and Elsevier.nl as a resource.)
Will you authenticate Rodrigo for access to Elsevier?
Has Diego passed his PAPI exam?
In general: how to pass attributes back and forth (SAML?)
18 EduRoam – Access to applications?
(Diagram: User@uva.nl and a remote resource; Shibboleth at uva.nl, A-Select, PAPI at uclm.es, and the .nl, European, .ac.uk and .es servers.)
How do all these applications communicate? (SAML?)
But the user tries to connect to the remote resource, not to the home Shibboleth...
How can you protect credentials? Tunneled authentication?
19 Conclusions
Europe goes EduRoam
The USA and the Asia-Pacific region will follow
Infrastructure not perfect but...
– It works ™
– It is ready for the future
– Changes affect the 'backplane', not the institutional part
So...
20 Time to join...
More information: http://www.terena.nl/mobility or Klaas.Wierenga@surfnet.nl / Rodrigo.Castro@rediris.es