Edu Roam movilidad por Europa y

Edu. Roam: movilidad por Europa. . . y España Toledo, 29 de octubre de 2004 Klaas. Wierenga@surfnet. nl

Contents • Past • Present • Future 2

Past Why did we do it?

Threats (Kismet+Airsnort) root@ibook: ~# tcpdump -n -i eth 1 19: 52: 08. 995104 10. 0. 1. 2 > 10. 0. 1. 1: icmp: echo request 19: 52: 08. 996412 10. 0. 1. 1 > 10. 0. 1. 2: icmp: echo reply 19: 52: 08. 997961 10. 0. 1. 2 > 10. 0. 1. 1: icmp: echo request 19: 52: 08. 999220 10. 0. 1. 1 > 10. 0. 1. 2: icmp: echo reply 19: 52: 09. 000581 10. 0. 1. 2 > 10. 0. 1. 1: icmp: echo request 19: 52: 09. 003162 10. 0. 1. 1 > 10. 0. 1. 2: icmp: echo reply ^C 4

Opportunities International connectivity Institution A WLAN Access Provider WLAN SURFnet backbone Institution B WLAN Access Provider GPRS Access Provider POTS Access Provider ADSL 5

Requirements definition • Enable NREN users to use the Internet (WLAN and wired) everywhere in Europe with: – Minimal administrative overhead (per roaming user) – Good usability – Maintaining required security for all partners. – Scalable! • Results – Web: Scalable, Unsafe – VPN: Not Scalable, Safe – 802. 1 X: Safe, Scalable…. but new 6

Edu. Roam Supplicant Authenticator (AP or switch) RADIUS server User DB Institution A Guest Institution B User DB Internet piet@institution_b. nl Employee VLAN Guest VLAN Student VLAN Central RADIUS Proxy server • signalling data Trust fabric based on RADIUS • 802. 1 X and EAP • (802. 1 Q VLAN assignment) 7

Tunneled Authentication (TTLS/PEAP) • Uses TLS tunnel to protect data – The TLS tunnel is established using the Server certificate, automatically authenticating the server and preventing man-in-the-middle attacks • Allows use of dynamic session keys for line encryption © Alfa&Ariss 8

Present Where are we now?

Edu. Roam participants • June 2004: 275 participating institutions • Soon: USA and Australia 10

Edu. Roam. nl 11

Future What’s next?

Edu. Roam - Limitations European Server . nl . ac. uk … uva. nl Access Point . es uclm. es Access Point User database User@uclm. es • AA traffic goes through all intermediate entries • All links are peer-to-peer agreements / static routes • Authentication = authorization 13

Alternative – RADIUS / PKI infra All parties in the roaming domain use certificates issued by the roam. org CA roam. org Certificate Authority verify certificate radius. home. org 2 a visiting 2 b 2 c visit. org RADIUS server authenticate / authorize 1 user@home. org client e. g. 802. 11 access point 2 setup IPSEC / TLS connection proxy for other realms 3 4 5 p 2 p verify certificate radius. visit. org OK 2 d home. org RADIUS server visit. org user account db home. org user account db © Telematica Instituut 14

Alternative Solutions - DIAMETER infra roam. org See section 2. 8. 3 of RFC 3588 “Diameter Base Protocol” All connections between entities secured with IPSEC or TLS (using shared secret, PKI, …) DIAMETER server 2 visiting visit. org redirector (broker) static route redirect to 3 diameter. home. org DIAMETER server authenticate / authorize 1 user@home. org client e. g. 802. 11 access point relay for other realms 4 dynamic route; setup secure conn. 5 6 7 static route OK home. org DIAMETER server visit. org user account db home. org user account db © Telematica Instituut 15

Alternative - RADIUS-DNSSEC infra roam. org secure lookup radius server associated with home. org. roam. org DNS server authoritative for roam. org 3 visiting visit. org 4 DNS server A: 111. 222 CERT: key=a; sd 98 yhq 3 ra caching forwarder secure lookup radius 2 server associated with home. org. roam. org 5 establish connection dynamically 6 RADIUS server authenticate / authorize 1 user@home. org client e. g. 802. 11 access point proxy for other realms 9 7 8 home. org RADIUS server OK p 2 p visit. org user account db home. org user account db © Telematica Instituut 16

Edu. Roam – Authorization? European Server. nl . ac. uk … . es Elsevier. nl uclm. es User@uclm. es User database • Will you authenticate Rodrigo for access to Elsevier? • Has Diego passed his PAPI exam? • In general: How to pass attributes back and forth (SAML? ) 17

Edu. Roam – Access to applications? European Server . nl . ac. uk uva. nl Shibboleth User@uva. nl … . es uclm. es PAPI A-Select Resource • How do all these applications communicate? (SAML? ) • But the user tries to connect to the remote resource, not to the home Shibboleth…. • How can you protect credentials? Tunneled authentication? 18

Conclusions • Europe goes Edu. Roam • The USA and Asian-Pacific region will follow • Infrastucture not perfect but… – It works ™ – It is ready for the future – Changes affect the ‘backplane’ not the institutional part • So……… 19

Time to join…. . . es More information: http: //www. terena. nl/mobility or Klaas. Wierenga@surfnet. nl / Rodrigo. Castro@rediris. es 20