eduroam: mobility across Europe... and Spain. Toledo, 29 October 2004. [email protected]
Contents
• Past
• Present
• Future
Past
Why did we do it?
Threats (Kismet + Airsnort)
On an open WLAN, or a WEP-protected one once Airsnort has recovered the key, any station in range can read other users' traffic: Kismet finds the network, and a plain tcpdump on the wireless interface then shows the ping exchange between 10.0.1.2 and 10.0.1.1 in the clear.

root@ibook:~# tcpdump -n -i eth1
19:52:08.995104 10.0.1.2 > 10.0.1.1: icmp: echo request
19:52:08.996412 10.0.1.1 > 10.0.1.2: icmp: echo reply
19:52:08.997961 10.0.1.2 > 10.0.1.1: icmp: echo request
19:52:08.999220 10.0.1.1 > 10.0.1.2: icmp: echo reply
19:52:09.000581 10.0.1.2 > 10.0.1.1: icmp: echo request
19:52:09.003162 10.0.1.1 > 10.0.1.2: icmp: echo reply
^C
Opportunities
(diagram: a roaming user can arrive through any of several access providers, POTS, ADSL, WLAN or GPRS, or through the WLAN of Institution A or Institution B; all of these attach to the SURFnet backbone, which provides the international connectivity.)
Requirements definition
• Enable NREN users to use the Internet (WLAN and wired) everywhere in Europe with:
  – Minimal administrative overhead (per roaming user)
  – Good usability
  – Maintaining required security for all partners
  – Scalable!
• Results
  – Web: scalable, unsafe
  – VPN: not scalable, safe
  – 802.1X: safe, scalable... but new
EduRoam
(diagram: a guest, piet@institution_b.nl, runs a supplicant on the client and connects to the authenticator (AP or switch) of Institution A. Institution A's RADIUS server forwards the request over the Internet, through the central RADIUS proxy server, to Institution B's RADIUS server, which checks it against Institution B's user DB; Institution A's own users are checked against Institution A's user DB. Signalling (802.1X/EAP and RADIUS) and data are drawn as separate paths; after a successful authentication the port is placed in a StudentVLAN, GuestVLAN or EmployeeVLAN.)
• Trust fabric based on RADIUS
• 802.1X and EAP
• (802.1Q VLAN assignment)
Tunneled Authentication (TTLS/PEAP)
• Uses a TLS tunnel to protect the user credentials
  – The TLS tunnel is established using the server certificate, which authenticates the server to the client before any user credential is sent and so prevents man-in-the-middle (rogue access point plus rogue RADIUS server) attacks. This holds only if the supplicant actually validates the certificate, against a trusted CA and against the expected server name; a supplicant configured to accept any certificate still gets a tunnel, but it may be the attacker's.
• Allows dynamic per-session keys to be derived for link-layer encryption
© Alfa&Ariss
(diagram: the 802.1X client and the EAP/RADIUS server first perform server authentication and set up the TLS tunnel; user authentication then runs inside the tunnel, protected by it.)
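The supplicant side of the server authentication described above, as an added example that is not from the slides or from any eduroam deployment. It uses current wpa_supplicant syntax, which postdates this talk; the SSID, identities, password, CA file path and server name are assumed. The first network block is the weak setting, the second the corrected one.

```conf
# Added example (wpa_supplicant.conf syntax); names and paths are assumed.
#
# Weak: no ca_cert and no server-name match. wpa_supplicant will bring the
# TLS tunnel up with whatever certificate the RADIUS server presents, so an
# evil-twin AP with its own RADIUS server terminates the tunnel and receives
# the inner MSCHAPv2 exchange (or the plaintext password with auth=PAP).
network={
    ssid="eduroam"
    key_mgmt=WPA-EAP
    eap=TTLS
    identity="piet@institution_b.nl"
    password="example-only"
    phase2="auth=MSCHAPV2"
}

# Corrected: pin the CA that issued the home RADIUS server's certificate,
# require the expected server name, and send an anonymous outer identity so
# the proxy chain only sees the realm it needs for routing. For PEAP replace
# eap=TTLS with eap=PEAP; the ca_cert and domain_suffix_match lines stay.
network={
    ssid="eduroam"
    key_mgmt=WPA-EAP
    eap=TTLS
    anonymous_identity="anonymous@institution_b.nl"
    identity="piet@institution_b.nl"
    password="example-only"
    ca_cert="/etc/ssl/certs/institution_b_radius_ca.pem"
    domain_suffix_match="radius.institution-b.nl"
    phase2="auth=MSCHAPV2"
}
```

Without ca_cert the supplicant logs a warning and proceeds; the check is on the client, not in the protocol, which is why the slide's "automatically authenticating the server" depends on how every client is configured.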
Present
Where are we now?
EduRoam participants
• June 2004: 275 participating institutions
• Soon: USA and Australia
EduRoam.nl
Future
What’s next?
EduRoam - Limitations
(diagram: the static hierarchy as deployed, a European server at the top, national servers for .nl, .ac.uk, ..., .es below it, and institutions such as uva.nl and uclm.es below those, each with its access points and its own user database.)
• AA traffic goes through all intermediate entries: a request from a uva.nl user at uclm.es passes .es, the European server and .nl, so every one of them must be up, sees the (outer) identity and adds latency
• All links are peer-to-peer agreements / static routes: each link is a hand-configured shared secret, and a new realm means a configuration change somewhere in the chain
• Authentication = authorization: the visited site acts on the home server's Access-Accept alone; there is no way to ask whether this user is entitled to a particular resource
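The routing that the architecture slide earlier implies, and the three limitations listed above, as an added worked example in Python. It is not eduroam's code or any real RADIUS implementation: each hop is a function call rather than a RADIUS packet, so the routing decisions and the failure modes stay visible. Server names (uva.nl, nl-proxy, eu-proxy, es-proxy, uclm.es), shared secrets, users and the VLAN names are all constructed.

```python
"""Realm-based routing through a static eduroam-style RADIUS proxy hierarchy.

Added example, not eduroam code. Node names, shared secrets, users and VLAN
names are constructed; RADIUS packet encoding is left out on purpose.
"""
from dataclasses import dataclass, field


@dataclass
class Proxy:
    name: str
    local_realms: set = field(default_factory=set)  # realms this server is the home server for
    routes: dict = field(default_factory=dict)      # realm suffix -> next-hop name; '' is the default route
    secrets: dict = field(default_factory=dict)     # peer name -> shared secret agreed for that link
    users: dict = field(default_factory=dict)       # user -> password, only populated on home servers


def split_identity(identity: str):
    """Split an NAI such as 'piet@institution_b.nl' into (user, realm).

    The realm is all a proxy needs for routing; the user part is only
    examined by the home server."""
    if identity.count("@") != 1:
        raise ValueError(f"identity {identity!r} must contain exactly one '@'")
    user, realm = identity.split("@")
    if not user or not realm:
        raise ValueError(f"identity {identity!r} has an empty user or realm")
    return user, realm.lower()


def next_hop(proxy: Proxy, realm: str):
    """Longest-suffix match over the static routing table; '' matches anything."""
    best = None
    for suffix, hop in proxy.routes.items():
        if suffix == "" or realm == suffix or realm.endswith("." + suffix):
            if best is None or len(suffix) > len(best[0]):
                best = (suffix, hop)
    return None if best is None else best[1]


def forward(fabric, start: str, identity: str, password: str, max_hops: int = 6):
    """Carry an Access-Request from `start` hop by hop until a home server answers.

    Returns (verdict, path); `path` lists every server that handled the request,
    which is the 'all intermediate entries' problem made concrete."""
    user, realm = split_identity(identity)
    path = [start]
    here = fabric[start]
    for _ in range(max_hops):
        if realm in here.local_realms:
            ok = here.users.get(user) == password
            return ("Access-Accept" if ok else "Access-Reject"), path
        hop = next_hop(here, realm)
        if hop is None:
            return "Access-Reject: no route for realm", path
        # A RADIUS link only works when both ends hold the same shared secret;
        # otherwise the request (or its reply) is silently discarded.
        if here.secrets.get(hop) is None or here.secrets[hop] != fabric[hop].secrets.get(here.name):
            return f"discarded: shared secret mismatch on {here.name}->{hop}", path
        path.append(hop)
        here = fabric[hop]
    return "discarded: hop limit reached (routing loop?)", path


def assign_vlan(fabric, start: str, identity: str, password: str):
    """What the visited site can do with the answer: it only learns accept or
    reject, so the VLAN can depend on nothing finer than 'local user or guest'
    (VLAN names assumed)."""
    verdict, _ = forward(fabric, start, identity, password)
    if verdict != "Access-Accept":
        return None
    _, realm = split_identity(identity)
    return "EmployeeVLAN" if realm in fabric[start].local_realms else "GuestVLAN"


def build_fabric():
    """Constructed topology: institution -> national proxy -> European proxy.
    Both national proxies default-route unknown realms upward."""
    f = {
        "uva.nl": Proxy("uva.nl", local_realms={"uva.nl"}, routes={"": "nl-proxy"}, users={"piet": "pw1"}),
        "nl-proxy": Proxy("nl-proxy", routes={"uva.nl": "uva.nl", "": "eu-proxy"}),
        "eu-proxy": Proxy("eu-proxy", routes={"nl": "nl-proxy", "es": "es-proxy"}),
        "es-proxy": Proxy("es-proxy", routes={"uclm.es": "uclm.es", "": "eu-proxy"}),
        "uclm.es": Proxy("uclm.es", local_realms={"uclm.es"}, routes={"": "es-proxy"}, users={"diego": "pw2"}),
    }
    for a, b, secret in [("uva.nl", "nl-proxy", "s1"), ("nl-proxy", "eu-proxy", "s2"),
                         ("eu-proxy", "es-proxy", "s3"), ("es-proxy", "uclm.es", "s4")]:
        f[a].secrets[b] = f[b].secrets[a] = secret
    return f


if __name__ == "__main__":
    fabric = build_fabric()
    for start, who, pw in [("uva.nl", "piet@uva.nl", "pw1"), ("uva.nl", "diego@uclm.es", "pw2"),
                           ("uva.nl", "nobody@unknown.org", "x"), ("uclm.es", "nobody@unknown.es", "x")]:
        print(who, "from", start, "->", forward(fabric, start, who, pw))
```

Two of the constructed cases are worth running: an unknown .es realm bounces between es-proxy and eu-proxy until the hop limit stops it, because both sides hold a route for it, and a single mistyped shared secret on the last link silently kills every request for uclm.es while the earlier hops all look healthy.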
Alternative – RADIUS / PKI
(diagram: a client, e.g. 802.11, at the access point of the visiting site visit.org; the visit.org RADIUS server, acting as proxy for other realms, with the visit.org user account DB; the home.org RADIUS server with the home.org user account DB; and, as the roam.org infrastructure, a Certificate Authority. The RADIUS links are peer-to-peer. Steps as numbered in the figure: (1) authenticate / authorize [email protected]; (2, 2a-2d) verify the certificate of radius.home.org, and on the other side that of radius.visit.org, against the CA and set up an IPsec / TLS connection between the two servers; (3-5) forward the request and return OK.)
All parties in the roaming domain use certificates issued by the roam.org CA
© Telematica Instituut
Alternative Solutions - DIAMETER
(diagram: a client, e.g. 802.11, at the visiting access point; the visit.org DIAMETER server, acting as relay for other realms, with the visit.org user account DB; the home.org DIAMETER server with the home.org user account DB; and, as the roam.org infrastructure, a DIAMETER server acting as redirector (broker). Steps as numbered in the figure: (1) authenticate / authorize [email protected]; (2-3) the visiting relay sends the request over its static route to the roam.org redirector; (4) the redirector answers with a redirect to diameter.home.org; (5) dynamic route: the visiting server sets up a secure connection to home.org and forwards the request; (6-7) OK comes back.)
See section 2.8.3 of RFC 3588 "Diameter Base Protocol" (RFC 3588 has since been obsoleted by RFC 6733, which keeps the redirect agent)
All connections between entities secured with IPsec or TLS (using shared secret, PKI, ...)
© Telematica Instituut
Alternative - RADIUS-DNSSEC
(diagram: a client, e.g. 802.11, at the visiting access point; the visit.org RADIUS server, acting as proxy for other realms, with the visit.org user account DB; the home.org RADIUS server with the home.org user account DB; and, as the roam.org infrastructure, a DNS server authoritative for roam.org, reached through a DNS caching forwarder. The RADIUS links are peer-to-peer. Steps as numbered in the figure: (1) authenticate / authorize [email protected]; (2-5) secure lookup of the RADIUS server associated with home.org.roam.org, via the caching forwarder to the authoritative server, answered with A:111.222.111.222 CERT:key=a;sd98yhq3ra; (6-9) establish the connection to radius.home.org dynamically, forward the request and return OK.)
© Telematica Instituut
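The secure-lookup step of this alternative, as an added Python example that is not the Telematica Instituut design or any eduroam code. It takes the zone name roam.org and the record A:111.222.111.222 CERT:key=a;sd98yhq3ra from the slide; the resolver interface, the second record and the SHA-256 key fingerprint scheme are assumptions. DNSSEC validation itself is assumed to happen in the caching forwarder, which reports it through an `authenticated` flag the way a validating resolver sets the AD bit; the point shown is what the visiting RADIUS server must refuse before it trusts a dynamically discovered peer.

```python
"""Dynamic discovery of a realm's RADIUS server through a signed DNS zone.

Added example, not eduroam code. The zone roam.org and the home.org record are
from the slide; the resolver, the other record and the fingerprint scheme are
constructed.
"""
import hashlib
import re
from dataclasses import dataclass

DISCOVERY_ZONE = "roam.org"  # the slide looks up <realm>.roam.org
# A plain DNS name: labels of 1-63 chars, no leading/trailing hyphen, at least one dot.
_REALM_RE = re.compile(r"^(?!-)[a-z0-9-]{1,63}(?<!-)(\.(?!-)[a-z0-9-]{1,63}(?<!-))+$")


@dataclass
class DnsAnswer:
    address: str            # from the A record
    key_fingerprint: str    # SHA-256 of the public key carried in the CERT record (assumed scheme)
    authenticated: bool     # True only if the resolver validated the DNSSEC chain


def fingerprint(public_key: bytes) -> str:
    return hashlib.sha256(public_key).hexdigest()


# Constructed zone contents as seen through a validating resolver.
RESOLVER = {
    "home.org.roam.org": DnsAnswer("111.222.111.222", fingerprint(b"a;sd98yhq3ra"), True),
    # An answer whose signature chain did not validate (e.g. a spoofed reply
    # on the path from the forwarder): it must never be used to pin a key.
    "other.org.roam.org": DnsAnswer("192.0.2.10", fingerprint(b"not-validated"), False),
}


def query_name(realm: str) -> str:
    """Map a realm to the name looked up under the roaming zone. The realm
    comes from the user's identity, so reject anything that is not a plain
    DNS name before it reaches the resolver."""
    realm = realm.lower()
    if not _REALM_RE.match(realm):
        raise ValueError(f"realm {realm!r} is not a valid DNS name")
    return f"{realm}.{DISCOVERY_ZONE}"


def discover(realm: str, resolver=RESOLVER):
    """Return the DnsAnswer for a realm, None if the zone has no entry, or
    raise PermissionError if the answer was not DNSSEC-validated."""
    qname = query_name(realm)
    answer = resolver.get(qname)
    if answer is None:
        return None
    if not answer.authenticated:
        raise PermissionError(f"{qname}: unvalidated DNS answer, not trusted")
    return answer


def connect(realm: str, presented_key: bytes, resolver=RESOLVER):
    """Decide how to reach the home RADIUS server for `realm`.

    `presented_key` is the public key the peer shows in the TLS/IPsec handshake.
    Returns ('direct', address) when it matches the CERT record, ('static', None)
    when there is no dynamic route and the static proxy chain must be used, or
    ('refused', reason) when something does not check out."""
    try:
        answer = discover(realm, resolver)
    except (ValueError, PermissionError) as exc:
        return "refused", str(exc)
    if answer is None:
        return "static", None
    if fingerprint(presented_key) != answer.key_fingerprint:
        return "refused", f"key presented by {answer.address} does not match the CERT record"
    return "direct", answer.address


if __name__ == "__main__":
    print(connect("home.org", b"a;sd98yhq3ra"))    # direct
    print(connect("home.org", b"evil key"))         # refused: key mismatch
    print(connect("other.org", b"not-validated"))   # refused: not DNSSEC-validated
    print(connect("nowhere.org", b"x"))             # static fallback
```

The two refusals are the ones that matter: an unvalidated answer is treated as no answer at all rather than as a hint, and a validated address is still worthless until the peer proves possession of the key the CERT record names. The Diameter redirect on the previous slide needs the same two checks on the redirector's answer.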
EduRoam – Authorization?
(diagram: the same hierarchy, European server over .nl, .ac.uk, ... and .es, with Elsevier.nl under .nl and uclm.es under .es; user [email protected].)
• Will you authenticate Rodrigo for access to Elsevier?
• Has Diego passed his PAPI exam?
• In general: how to pass attributes back and forth (SAML?)
EduRoam – Access to applications?
(diagram: the same hierarchy with uva.nl under .nl and uclm.es under .es; Shibboleth, A-Select and PAPI drawn alongside it; [email protected] trying to reach a Resource.)
• How do all these applications communicate? (SAML?)
• But the user tries to connect to the remote resource, not to the home Shibboleth....
• How can you protect credentials? Tunneled authentication?
Conclusions
• Europe goes EduRoam
• The USA and Asian-Pacific region will follow
• Infrastructure not perfect but...
  – It works (TM)
  – It is ready for the future
  – Changes affect the 'backplane', not the institutional part
• So.........
Time to join..... (.es)
More information: http://www.terena.nl/mobility or