EduRoam: movilidad por Europa... y España

Toledo, 29 de octubre de 2004

Klaas.Wierenga@surfnet.nl

2

Contents

• Past• Present• Future

Past

Why did we do it?

4

Threats (Kismet+Airsnort)

root@ibook:~# tcpdump -n -i eth1

19:52:08.995104 10.0.1.2 > 10.0.1.1: icmp: echo request

19:52:08.996412 10.0.1.1 > 10.0.1.2: icmp: echo reply

19:52:08.997961 10.0.1.2 > 10.0.1.1: icmp: echo request

19:52:08.999220 10.0.1.1 > 10.0.1.2: icmp: echo reply

19:52:09.000581 10.0.1.2 > 10.0.1.1: icmp: echo request

19:52:09.003162 10.0.1.1 > 10.0.1.2: icmp: echo reply ^C

5

Opportunities

AccessProvider

POTS

Institution A

WLAN

Institution B

WLAN

AccessProvider

ADSL

International connectivity

AccessProviderWLAN

AccessProvider

GPRS

SURFnet backbone

6

Requirements definition

• Enable NREN users to use the Internet (WLAN and wired) everywhere in Europe with:

– Minimal administrative overhead (per roaming user)– Good usability– Maintaining required security for all partners.– Scalable!

• Results– Web: Scalable, Unsafe– VPN: Not Scalable, Safe– 802.1X: Safe, Scalable…. but new

7

EduRoam

RADIUS server

Institution B

RADIUS server

Institution A

Internet

Central RADIUS

Proxy server

Authenticator

(AP or switch) User DB

User DB

Supplicant

Guest

piet@institution_b.nl

StudentVLAN

GuestVLAN

EmployeeVLAN

data

signalling

• Trust fabric based on RADIUS

• 802.1X and EAP

• (802.1Q VLAN assignment)

8

Tunneled Authentication (TTLS/PEAP)

• Uses TLS tunnel to protect data– The TLS tunnel is established using the Server certificate,

automatically authenticating the server and preventing man-in-the-middle attacks

• Allows use of dynamic session keys for line encryption

© Alfa&Ariss

`

802.1X Client EAP RADIUS Server

TLS tunnel

User authentication

Protected by TunnelServer authentication

Present

Where are we now?

10

EduRoam participants

• June 2004: 275 participating institutions

• Soon: USA and Australia

11

EduRoam.nl

Future

What’s next?

13

EduRoam - Limitations

European Server

.nl .ac.uk …

uva.nl

.es

uclm.es

Access Point Access Point User database

User@uclm.es

• AA traffic goes through all intermediate entries

• All links are peer-to-peer agreements / static routes

• Authentication = authorization

14

RADIUSserver

RADIUSserver

proxy for other realms

cliente.g. 802.11

access point

Alternative – RADIUS / PKI

visiting

visit.org user account db

home

home.org user

account db

infra

p2p

1authenticate /

authorize user@home.org OK

roam.org

visit.org

home.org

5

3

2

Certificate Authority

2a

4

verify certificate radius.home.org

setup IPSEC / TLS connection

2b2c 2d

verify certificate radius.visit.org

All parties in the roaming domain use certificates issued by the roam.org CA

© Telematica Instituut

15

Alternative Solutions - DIAMETER

visiting

cliente.g. 802.11

access point

DIAMETERserver

relay for other realms

visit.org user account db

home

DIAMETERserver

home.org user

account db

infra

static route

1authenticate /

authorize user@home.org

6OK

roam.org

visit.org

home.org

7

5

2

DIAMETERserver

redirector (broker)

3

4

redirect to diameter.home.org

See section 2.8.3 of RFC 3588 “Diameter Base Protocol”

static route

dynamic route; setup secure conn.

All connections between entities secured with IPSEC or TLS (using shared secret, PKI, …)

© Telematica Instituut

16

Alternative - RADIUS-DNSSEC

visiting

cliente.g. 802.11

access point

RADIUSserver

proxy for other realms

visit.org user account db

home

RADIUSserver

home.org user

account db

infra

DNS serverauthoritativefor roam.org

p2p

1authenticate / authorize user@home.org

6

2

3

4

5

OK

roam.org

visit.org

home.org

DNS servercaching forwarder

secure lookup radius server associated with

home.org.roam.org

7

establish connection dynamically

89

A:111.222.111.222 CERT:key=a;sd98yhq3ra

secure lookup radius server associated with

home.org.roam.org

© Telematica Instituut

17

EduRoam – Authorization?

European Server

.nl .ac.uk …

Elsevier.nl

.es

uclm.es

User databaseUser@uclm.es

• Will you authenticate Rodrigo for access to Elsevier?

• Has Diego passed his PAPI exam?

• In general: How to pass attributes back and forth (SAML?)

18

EduRoam – Access to applications?

European Server

.nl .ac.uk …

uva.nl

.es

uclm.es

Shibboleth A-Select PAPI

User@uva.nl Resource

• How do all these applications communicate? (SAML?)

• But the user tries to connect to the remote resource, not to the home Shibboleth….

• How can you protect credentials? Tunneled authentication?

19

Conclusions

• Europe goes EduRoam• The USA and Asian-Pacific region will follow• Infrastucture not perfect but…

– It works ™– It is ready for the future– Changes affect the ‘backplane’ not the

institutional part

• So………

20

Time to join…..

.es

More information: http://www.terena.nl/mobility or

Klaas.Wierenga@surfnet.nl / Rodrigo.Castro@rediris.es