
- Number of slides: 20
EduRoam: mobility across Europe... and Spain
Toledo, 29 October 2004
Klaas.Wierenga@surfnet.nl
Contents
• Past
• Present
• Future
Past: Why did we do it?
Threats (Kismet+Airsnort)
root@ibook:~# tcpdump -n -i eth1
19:52:08.995104 10.0.1.2 > 10.0.1.1: icmp: echo request
19:52:08.996412 10.0.1.1 > 10.0.1.2: icmp: echo reply
19:52:08.997961 10.0.1.2 > 10.0.1.1: icmp: echo request
19:52:08.999220 10.0.1.1 > 10.0.1.2: icmp: echo reply
19:52:09.000581 10.0.1.2 > 10.0.1.1: icmp: echo request
19:52:09.003162 10.0.1.1 > 10.0.1.2: icmp: echo reply
^C
Opportunities
International connectivity (diagram): Institution A WLAN and Institution B WLAN, a WLAN access provider, a GPRS access provider, a POTS access provider and ADSL, all attached to the SURFnet backbone.
Requirements definition
• Enable NREN users to use the Internet (WLAN and wired) everywhere in Europe with:
– Minimal administrative overhead (per roaming user)
– Good usability
– Maintaining required security for all partners
– Scalable!
• Results
– Web: Scalable, Unsafe
– VPN: Not Scalable, Safe
– 802.1X: Safe, Scalable... but new
EduRoam
(Diagram: supplicant, authenticator (AP or switch), RADIUS server and user DB at Institution A and at Institution B, joined through a central RADIUS proxy server; guest piet@institution_b.nl; Employee VLAN, Guest VLAN, Student VLAN; Internet. Legend: signalling, data.)
• Trust fabric based on RADIUS
• 802.1X and EAP
• (802.1Q VLAN assignment)
Tunneled Authentication (TTLS/PEAP)
• Uses TLS tunnel to protect data
– The TLS tunnel is established using the server certificate, automatically authenticating the server and preventing man-in-the-middle attacks
• Allows use of dynamic session keys for line encryption
© Alfa&Ariss
Present: Where are we now?
EduRoam participants
• June 2004: 275 participating institutions
• Soon: USA and Australia
EduRoam.nl
Future: What's next?
EduRoam – Limitations
(Diagram: European server above the national servers .nl, .ac.uk, ..., .es; uva.nl below .nl and uclm.es below .es, each with an access point; user User@uclm.es; user database at uclm.es.)
• AA traffic goes through all intermediate entries
• All links are peer-to-peer agreements / static routes
• Authentication = authorization
Alternative – RADIUS / PKI infra
All parties in the roaming domain use certificates issued by the roam.org CA.
(Diagram labels: roam.org Certificate Authority; visit.org RADIUS server (radius.visit.org) with visit.org user account db, "proxy for other realms"; home.org RADIUS server (radius.home.org) with home.org user account db; client e.g. 802.11 access point; peer-to-peer link. Steps: 1 user@home.org connects via the client to the visit.org RADIUS server; 2 set up IPSEC / TLS connection between radius.visit.org and radius.home.org, with 2a-2d verifying each side's certificate against the roam.org CA; 3 authenticate / authorize against the home.org user account db; 4, 5 OK returned.)
© Telematica Instituut
Alternative Solutions - DIAMETER infra
See section 2.8.3 of RFC 3588 "Diameter Base Protocol". All connections between entities are secured with IPSEC or TLS (using shared secret, PKI, ...).
(Diagram labels: roam.org DIAMETER server acting as redirector (broker); visit.org DIAMETER server with visit.org user account db, "relay for other realms"; home.org DIAMETER server (diameter.home.org) with home.org user account db; client e.g. 802.11 access point. Steps: 1 user@home.org connects via the client to the visit.org server; 2 static route to the roam.org redirector; 3 redirect to diameter.home.org; 4 dynamic route, set up secure connection; 5-7 authenticate / authorize, OK returned over the static route.)
© Telematica Instituut
Alternative - RADIUS-DNSSEC infra
(Diagram labels: roam.org DNS server authoritative for roam.org; caching forwarder; visit.org RADIUS server with visit.org user account db, "proxy for other realms"; home.org RADIUS server with home.org user account db; client e.g. 802.11 access point; peer-to-peer link. Steps: 1 user@home.org connects via the client to the visit.org RADIUS server; 2 secure lookup of the RADIUS server associated with home.org.roam.org through the caching forwarder; 3, 4 the authoritative roam.org DNS server answers with A: 111.222 and CERT: key=a; sd98yhq3ra; 5 establish connection dynamically; 6 authenticate / authorize; 7-9 OK returned.)
© Telematica Instituut
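The two routing models on the "Limitations" and "RADIUS-DNSSEC" slides can be made concrete in a few lines. The following is an added example, not code from the EduRoam project or the slides: it routes a roaming user's request by realm, first through a static proxy tree (institution to national server to European server, so every intermediate entity handles the AA traffic), then through a directory lookup of the home RADIUS server as the DNSSEC alternative does. The proxy tree, the realm names and the DNS-style table are constructed for illustration.

```python
"""Realm-based routing of a roaming authentication request.

Added example (not code from the EduRoam project or the slides): it contrasts
the static proxy hierarchy the deck describes with the dynamic server lookup
of the RADIUS-DNSSEC alternative. Realm names, the proxy tree and the
DNS-style table are constructed for illustration.
"""

# Constructed static proxy tree mirroring the slides' diagram:
# institution -> national server -> European server. A server forwards any
# request for a realm it does not serve itself to its parent (static route).
STATIC_PARENT = {
    "uclm.es": "es",
    "uva.nl": "nl",
    "es": "europe",
    "nl": "europe",
    "ac.uk": "europe",
}

# Constructed stand-in for the RADIUS-DNSSEC lookup: realm -> (RADIUS server,
# key material published alongside it, like the CERT record on the slide).
DNS_RADIUS_RECORDS = {
    "home.org": ("radius.home.org", "key=a"),
    "uva.nl": ("radius.uva.nl", "key=constructed"),
}


def split_nai(identity):
    """Split 'user@realm' (the identity the supplicant sends) into
    (user, realm). Realms are case-insensitive, so the realm is lower-cased.
    An identity without exactly one '@' carries no usable realm and is
    rejected rather than guessed at."""
    if identity.count("@") != 1:
        raise ValueError("identity must be of the form user@realm: %r" % identity)
    user, realm = identity.rsplit("@", 1)
    if not user or not realm:
        raise ValueError("empty user or realm in %r" % identity)
    return user, realm.lower()


def proxy_chain(realm):
    """The realm followed by every proxy above it, up to the top of the tree."""
    chain = [realm]
    while chain[-1] in STATIC_PARENT:
        chain.append(STATIC_PARENT[chain[-1]])
    return chain


def static_route(visited_realm, home_realm):
    """Every RADIUS entity a request passes through with static routing:
    up from the visited institution until a proxy that also sits above the
    home realm is reached, then down to the home server."""
    home_chain = proxy_chain(home_realm)
    route = []
    for hop in proxy_chain(visited_realm):
        route.append(hop)
        if hop in home_chain:
            break
    else:
        # No shared proxy: there is no peering agreement that reaches home.
        raise LookupError("no proxy connects %s to %s" % (visited_realm, home_realm))
    meet = home_chain.index(route[-1])
    route.extend(reversed(home_chain[:meet]))
    return route


def dynamic_route(visited_realm, home_realm, records=DNS_RADIUS_RECORDS):
    """With a (DNSSEC-validated) directory the visited server looks the home
    server up and connects to it directly: two entities instead of the tree.
    Returns the route and the key the directory published for that server."""
    if home_realm not in records:
        raise LookupError("no RADIUS server published for realm %s" % home_realm)
    server, key = records[home_realm]
    return {"route": [visited_realm, server], "server_key": key}


if __name__ == "__main__":
    user, realm = split_nai("User@uclm.es")
    print(static_route("uva.nl", realm))      # visiting uva.nl, home uclm.es
    print(dynamic_route("uclm.es", "uva.nl"))  # direct, after a lookup
```

Running it shows why the deck lists "AA traffic goes through all intermediate entries" as a limitation: a uclm.es user at uva.nl is handled by five RADIUS entities under static routing, against two with a directory lookup, and a realm nobody peers with is rejected at the top of the tree.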
EduRoam – Authorization?
(Diagram: European server above .nl, .ac.uk, ..., .es; Elsevier.nl under .nl; uclm.es with its user database under .es; User@uclm.es.)
• Will you authenticate Rodrigo for access to Elsevier?
• Has Diego passed his PAPI exam?
• In general: How to pass attributes back and forth (SAML?)
EduRoam – Access to applications?
(Diagram: European server above .nl, .ac.uk, ..., .es; uva.nl with Shibboleth and User@uva.nl under .nl; uclm.es with PAPI, A-Select and a Resource under .es.)
• How do all these applications communicate? (SAML?)
• But the user tries to connect to the remote resource, not to the home Shibboleth...
• How can you protect credentials? Tunneled authentication?
Conclusions
• Europe goes EduRoam
• The USA and Asian-Pacific region will follow
• Infrastructure not perfect but...
– It works ™
– It is ready for the future
– Changes affect the 'backplane', not the institutional part
• So.........
Time to join... .es
More information: http://www.terena.nl/mobility or Klaas.Wierenga@surfnet.nl / Rodrigo.Castro@rediris.es