Number of slides: 13
eduroam-ng architecture: Test results and way forward
Klaas.Wierenga@surfnet.nl
TF-Mobility, Zagreb, 2 February 2006
High-quality Internet for higher education and research
Current architecture
[Diagram: top-level server above the national servers .nl and .au; under .nl the institutional servers uva.nl, rug.nl, …]
Main (technical) issues:
• No (real) authorisation (DAMe)
• Static routing based on realm parsing
• Credentials pass through intermediate systems
• Transitive trust based on shared secrets
• Dead peers hard to detect
Evaluation of a number of approaches
• Diameter: nearly shipping (for many years now ;-)
• DNSsec: hardly deployed, new
• RadSec: new, single vendor (Radiator), but not much more than a combination of existing technologies
• DNSROAM: see above
RadSec/DNSROAM
• RADIUS packet format
• Transport: TCP (or SCTP)
• Encryption: TLS (optional)
• TLS => PKI
• DNSROAM combines RadSec with DNS for dynamically locating the peer
Test setup
• Participants: CESNET, ISTF, TELIN (NL), ARNES, ACAD (BG), UNINETT, RESTENA, Radiator (AU), SURFnet.
Test set
• Authentication related tests
  – Known user
  – Unknown user
  – Wrong credentials
• PKI related tests
  – Certificate signed by unknown CA
  – Multiple CAs
  – Revoked certificate
  – Mismatch between peer name and CN
  – Wrong subjectAltName or CN in the certificate
• DNS related tests
  – NAPTR lookup failure
  – SRV lookup failure
  – A lookup failure
  – Default handling after lookup failure
    • Fallback/defaulting to RADIUS
    • Fallback/defaulting to static RadSec
• Configuration related tests
  – CA certificate not installed
  – Loop prevention (purposely introduce a loop and see if it can be stopped by introducing different config)
• Connectivity related tests
  – Peer unreachable
• Performance related measurements
  – Overhead of multiple DNS queries
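The DNS and fallback cases in the test set describe one decision chain: parse the realm, try the NAPTR -> SRV -> A discovery that DNSROAM relies on, and on any lookup failure fall back to a static RadSec peer, then to plain RADIUS. The routine below is an added illustration of that chain, not code from the presentation or from Radiator; the DNS table, peer addresses and realms are constructed, and the proxy-hop limit is an assumed loop guard.

```python
from dataclasses import dataclass
from typing import Optional, Tuple

# Constructed in-memory DNS table so the chain runs offline; key is
# (owner name, record type). Names are hypothetical, 192.0.2.0/24 is documentation space.
DNS = {
    ("uva.nl", "NAPTR"): ["_radsec._tcp.uva.nl"],            # NAPTR names the SRV record
    ("_radsec._tcp.uva.nl", "SRV"): [("radius.uva.nl", 2083)],
    ("radius.uva.nl", "A"): ["192.0.2.10"],
    ("rug.nl", "NAPTR"): ["_radsec._tcp.rug.nl"],            # SRV lookup for this one fails
}
STATIC_RADSEC = {"rug.nl": ("192.0.2.20", 2083)}            # constructed static RadSec peers
STATIC_RADIUS = {"rug.nl": ("192.0.2.21", 1812), "realm.example": ("192.0.2.30", 1812)}
MAX_PROXY_HOPS = 4   # assumed loop guard: stop forwarding when the Proxy-State chain is this long

@dataclass
class Route:
    realm: str
    transport: str                    # "radsec-dynamic", "radsec-static", "radius" or "reject"
    peer: Optional[Tuple[str, int]]

def realm_of(identity: str) -> Optional[str]:
    """Realm parsing as in the current static architecture: text after the last '@'."""
    if "@" not in identity:
        return None
    realm = identity.rsplit("@", 1)[1].strip().lower()
    return realm or None

def dns_discover(realm: str) -> Optional[Tuple[str, int]]:
    """DNSROAM-style NAPTR -> SRV -> A chain; a failure at any step yields None."""
    for srv_name in DNS.get((realm, "NAPTR"), []):
        for target, port in DNS.get((srv_name, "SRV"), []):
            for ip in DNS.get((target, "A"), []):
                return (ip, port)
    return None

def route(identity: str, proxy_states: Tuple[str, ...] = ()) -> Route:
    """Forwarding decision: dynamic RadSec, else static RadSec, else RADIUS, else reject."""
    realm = realm_of(identity)
    if realm is None or len(proxy_states) >= MAX_PROXY_HOPS:
        return Route(realm or "", "reject", None)
    peer = dns_discover(realm)
    if peer is not None:
        return Route(realm, "radsec-dynamic", peer)
    if realm in STATIC_RADSEC:
        return Route(realm, "radsec-static", STATIC_RADSEC[realm])
    if realm in STATIC_RADIUS:
        return Route(realm, "radius", STATIC_RADIUS[realm])
    return Route(realm, "reject", None)
```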
Fully hierarchical
• One PKI, split PKI?
Meshed toplevel
• Central DNS zone?
Fully meshed (DNSROAM)
• Big trust issues: multiple PKIs, bucket of certificates, revocation lists
• Multiple federation membership?
• Issues with sites having to open up their servers for ‘the world’
• How about a secure peer lookup service instead of DNS (eduGAIN?)
Legacy model

Measurements
Results
• All scenarios can be made to work, but…
• DNSROAM is not yet production grade
• Static RadSec is (thanks to us) stable enough to warrant using it when possible because of its advantages over plain RADIUS:
  – Failure detection
  – TCP
  – Peer authentication
• Trust (PKI) issues are the key factor in making this work
What now?
[Diagram: two top-level servers (Europe, APAN) above national servers .nl, .hr, .au and .tw, with institutional servers such as uva.nl and rug.nl beneath them; links labelled DNSROAM and RadSec]