Connect. Communicate. Collaborate
GN2 JRA5: Roaming and Authorisation
Jürgen Rauschenbach, DFN
TF-NGN Athens, 03/11/05
Introduction
• JRA5 builds a European Roaming Infrastructure (eduroam-ng), taking into account existing experience from the roaming area, and provides a first (simple, but operational) federation example
• JRA5 will pilot the federated support for existing Authentication and Authorisation Infrastructures for Research and Education; this will be called eduGAIN
• In some countries federated AAIs are already available; eduGAIN will be able to cooperate with them (Shibboleth, PAPI, Moria, A-Select)
• JRA5 fits into the GÉANT2 project homogeneously because AA solutions are needed in the GÉANT partner countries and because other activities will use JRA5 results
Structure and Partners
• JRA5 consists of the following Work Items in the 4 project years:
– WI-1: Roaming
– WI-2: Authentication and Authorisation Infrastructure
– WI-3: Single Sign-On
– WI-4: Integration of advanced Technologies
• Number of partners is 16 (NRENs), number of participants is 97 (mailing list), with contributions of around 30-35 active persons
• Partners are SURFnet, DFN, RedIRIS, SWITCH, NORDUnet (University of Umeå, UNI-C, UNINETT, CSC), RESTENA, ARNES, CARNET/SRCE, CESNET, FCCN, GRNET, HEAnet, HUNGARNET, ISTF, UKERNA, DANTE
• Collaboration with many external groups: TF-Mobility, TF-EMC2, GN2 activities (JRA1, SA3), international groups like gwg, FWNA, Grids, …
Work item distribution
[Chart: effort per project year (1. Year to 4. Year) for the work items Roaming, AAI, SSO, NT, ProjMgmt and Admin sup]
Work plan first 18 months
• On our agenda (deliverables):
– 1: Terminology for Roaming (and AAI)
– 2: AAI Requirements
– 3: Roaming Requirements
– 4: Roaming policy (legal material, policy document part 1 and 2)
– 5: Design of the AAI Architecture
– 6: Architecture of eduroam-ng
– 7: Requirements single sign-on
• All objectives in months 1-12 have been met
Year 1 - Achievements
• Work item 1 Roaming
– A-1: "Glossary of Terms" DJ5.1.1, a terminology document, scope roaming and AAI, to be extended with new terms
– A-2: was the "Roaming Requirements document" DJ5.1.2; security, standardisation and operational aspects
– A-3: have been contributions to the extension of the roaming pilot "eduroam", both in the number of participants (NRENs) and also functionally (analysing the current infrastructure, eduroam-in-a-box, alternative architecture discussion)
– A-4: co-operational work with the TF-Mobility, using eduroam as experimental platform in JRA5 as a stepping stone to eduroam-ng. Open discussion and dissemination on the mobility list.
– A-5: "legislation overview" for roaming services (DJ5.1.3-1); the federation policy (DJ5.1.3-2) is currently in an early draft state
Technology: bypassing the hierarchy overhead?
[Diagram: the RADIUS hierarchy. A European Server at the top, national servers (.nl, .ac.uk, .pl, …) below it, institutional servers (uva.nl, Uni.torun.pl) below those, with Access Points at the institutions and the User database at the home institution]
• AA traffic goes through all intermediate entities
• All links are peer-to-peer agreements / static routes / p2p secure
• DIAMETER? DNSSec? Work on-going in Telematica/JRA5 partners
Limitations of the current roaming infrastructure
• Technology
– All authN and authZ traffic flows through the complete hierarchy
– Static trust (shared secrets in a preconfigured p2p chain)
– Single points of failure (even when doubling the top level RADIUS)
• Policy
– Not suitable for full service yet
• Usability
– eduroam is not flexible enough with SSIDs, ciphers and VLAN mapping
– Do we need a specialised client?
– Where are the access points? Can a database be helpful here?
• Management & Monitoring
– Are all servers up and running?
– How to detect abuse of the service?
• eduGAIN
– How can we integrate roaming with the European AAI eduGAIN?
Architecture alternatives
• DIAMETER (RFC 3588)
– Protocol defines different routing models to find the peer (redirect agent, redirect + PKI, DNS NAPTR/SRV + PKI)
– For inter-domain use the DNS based model looks promising
– DNSSec would be an alternative here (not part of the standard)
– Integration with "legacy" RADIUS by translation agents; a gradual transition would be possible, but RADIUS has to stay
– Problem: no DIAMETER "quality" implementation so far
• RadSec (Radiator team)
– Trust establishment very similar to DIAMETER + DNS and PKI
– Not a standard solution, not in all RADIUS implementations
– Experimental work has started
Architecture alternatives (2)
• RADIUS/DNSSec
– Look-up through secure DNS
– Visiting RADIUS establishes a TLS connection to the home RADIUS to negotiate a shared secret (RKE protocol): dynamic p2p connectivity
– Then it works like a normal RADIUS connection
– Dedicated roaming domain secure DNS tree needed
• RADDNSSEC
– Modified RADIUS/DNSSec, TLS handshake instead of RKE
• No smooth and easy deployment for the alternatives
• DIAMETER ranks high, but RadSec seems to be available faster
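Added example, not code from the JRA5 slides or from any eduroam, DIAMETER or RadSec implementation: the dynamic peer model that the DIAMETER + DNS and RadSec alternatives above share, i.e. find the home realm's AAA server in DNS, then accept it only if its certificate comes from the roaming-domain CA, together with the realm handling every model needs. The DNS table, host names and certificate issuers are constructed stand-ins.

```python
"""Added example, not from the JRA5 slides: DNS-based peer discovery for a
roaming AAA request, followed by a PKI check that the discovered server is
part of the roaming domain (the model DIAMETER+DNS and RadSec share).
All DNS data, host names and certificate issuers are constructed."""
from typing import Optional, Tuple

# Constructed stand-in for the DNS answer (NAPTR/SRV): realm -> (host, port).
# A realm missing here has not published any AAA peer.
DNS_SRV = {
    "home.org": ("aaa.home.org", 2083),
    "visit.org": ("aaa.visit.org", 2083),
    "evil.example": ("aaa.evil.example", 2083),
}
# Constructed view of each server certificate: host -> issuer.
CERT_ISSUER = {
    "aaa.home.org": "CN=eduroam.org Roaming CA",
    "aaa.visit.org": "CN=eduroam.org Roaming CA",
    "aaa.evil.example": "CN=Unrelated CA",
}
ROAMING_CA = "CN=eduroam.org Roaming CA"   # the one CA defining the roaming domain


def realm_of(user_id: str) -> Optional[str]:
    """Take the realm from user@realm; reject identifiers with no '@',
    more than one '@' or an empty part instead of guessing a realm."""
    if user_id.count("@") != 1:
        return None
    user, realm = user_id.split("@")
    if not user or not realm:
        return None
    return realm.lower()


def discover_peer(user_id: str) -> Optional[Tuple[str, int]]:
    """Visiting server logic: find the home realm's AAA server in DNS, then
    accept it only if its certificate was issued by the roaming-domain CA.
    Returns (host, port) or None when discovery or the trust check fails."""
    realm = realm_of(user_id)
    if realm is None or realm not in DNS_SRV:
        return None                      # unknown realm: reject locally, no proxying
    host, port = DNS_SRV[realm]
    if CERT_ISSUER.get(host) != ROAMING_CA:
        return None                      # reachable, but not a roaming-domain member
    return host, port
```

The static hierarchy of the earlier slide needs none of this because every hop is preconfigured; the price of the dynamic model is that the trust check on the discovered peer must never be skipped.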
Year 1 – Achievements (2)
• Work item 2 AAI
– A-6: "AAI Requirements document" DJ5.2.1 setting the scope of an AAI solution and defining first building blocks and general federation functionality, illustrated in examples and use cases
– A-7: AAI architecture document DJ5.2.2 (published last week)
• Work item 3 SSO
– No real work done so far
AAI operations
• Authentication request
• Authentication response
• HLS request
• HLS response
• Attribute request
• Attribute response
• Authorisation request
• Authorisation response
• Operations formally defined (SAML 1.1), openSAML for implementation (SAML 2.0 is announced already)
• Web services (WS) context
AAI – basic components
[Diagram: the Home Domain (Identity Repository, AuthN, Attributes) behind a Home Bridging Element at the Home eduGAIN Federation Peering Point; the Remote Domain (Resource, AuthN, AuthZ, Attributes) behind a Remote Bridging Element at the Remote eduGAIN Federation Peering Point; Common eduGAIN Services containing the Home Location Service (HLS), reached through the HLS Interface]
Abstract AAI operation
[Diagram: the Requester at the Resource sends an attribute query through TLS tunnel(s) to the Responder @ HI, which answers from the Identity Repository]
SOAP-wrapped SAML attribute query as sketched on the slide:
    <soap:Envelope ...>
      <soap:Header/>
      <soap:Body>
        <samlp:Request RequestID="foo" ...>
          <samlp:AttributeQuery>
            <saml:Subject>bar</saml:Subject>
            ...
          </samlp:AttributeQuery>
        </samlp:Request>
      </soap:Body>
    </soap:Envelope>
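Added example, not code from the slides or from openSAML: building and validating the SOAP-wrapped SAML 1.1 AttributeQuery of the abstract AAI operation with the Python standard library only. The namespace URIs are the real SOAP 1.1 and SAML 1.1 ones; the RequestID, subject and IssueInstant values are constructed.

```python
"""Added example, not from the JRA5 slides or openSAML: requester and
responder sides of the SOAP-wrapped SAML 1.1 AttributeQuery.  Namespace
URIs are the real SOAP 1.1 / SAML 1.1 ones; all values are constructed."""
import xml.etree.ElementTree as ET
from typing import Tuple

SOAP = "http://schemas.xmlsoap.org/soap/envelope/"
SAMLP = "urn:oasis:names:tc:SAML:1.0:protocol"    # SAML 1.1 keeps the 1.0 URIs
SAML = "urn:oasis:names:tc:SAML:1.0:assertion"
ET.register_namespace("soap", SOAP)
ET.register_namespace("samlp", SAMLP)
ET.register_namespace("saml", SAML)


def build_attribute_query(request_id: str, subject: str, issue_instant: str) -> bytes:
    """Requester side: wrap a samlp:Request/AttributeQuery for `subject`
    in a SOAP 1.1 envelope, as sent from the Resource to the Responder."""
    env = ET.Element(f"{{{SOAP}}}Envelope")
    ET.SubElement(env, f"{{{SOAP}}}Header")
    body = ET.SubElement(env, f"{{{SOAP}}}Body")
    req = ET.SubElement(body, f"{{{SAMLP}}}Request", {
        "RequestID": request_id, "MajorVersion": "1", "MinorVersion": "1",
        "IssueInstant": issue_instant})
    query = ET.SubElement(req, f"{{{SAMLP}}}AttributeQuery")
    subj = ET.SubElement(query, f"{{{SAML}}}Subject")
    ET.SubElement(subj, f"{{{SAML}}}NameIdentifier").text = subject
    return ET.tostring(env)


def parse_attribute_query(message: bytes) -> Tuple[str, str]:
    """Responder side: check the envelope shape and return (RequestID,
    subject).  Anything that is not a SAML 1.x AttributeQuery raises
    ValueError, so the responder never answers a query it did not understand."""
    root = ET.fromstring(message)
    if root.tag != f"{{{SOAP}}}Envelope":
        raise ValueError("not a SOAP 1.1 envelope")
    req = root.find(f"{{{SOAP}}}Body/{{{SAMLP}}}Request")
    if req is None or req.get("MajorVersion") != "1":
        raise ValueError("no SAML 1.x Request in the SOAP body")
    request_id = req.get("RequestID")
    if not request_id:
        raise ValueError("Request without RequestID")
    name = req.find(f"{{{SAMLP}}}AttributeQuery/{{{SAML}}}Subject/{{{SAML}}}NameIdentifier")
    if name is None or not (name.text or "").strip():
        raise ValueError("AttributeQuery without a Subject NameIdentifier")
    return request_id, name.text.strip()
```

The RequestID is what the responder echoes in its Response, so a missing one is rejected here rather than tolerated; transport protection is left to the TLS tunnel(s) of the slide.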
Conclusions/Summary
• The eduroam pilot infrastructure is growing into eduroam-ng; the new architecture is also discussed with groups from Australia, USA and more partners in the global working group on eduroam
• There are a number of national operational federations in place, and a test platform for eduGAIN will be built upon these AAIs, to be set up in the coming months
• Interest is growing in both roaming and AAI
• Work is not easy, but a lot of fun
DIAMETER with DNS, CA
[Diagram: "DNS based peer discovery and PKI based roaming domain". A client (e.g. 802.11 access point) in the visiting domain visit.org authenticates / authorizes user@home.org against the visiting DIAMETER server (visit.org user account db). The visiting server's logic looks up the DIAMETER server for home.org via the .org DNS server and the home.org DNS server ("exists: is…"), both DIAMETER servers get the CA key from the eduroam.org Certificate Authority, and a dynamic p2p connection is then made to the home DIAMETER server (home.org user account db). The existing infra keeps its static p2p links. Numbered steps 1-6 with sub-steps 2a-2d and 4a-4d.]
RadSec
[Diagram: "DNS based peer discovery and PKI based roaming domain", same flow as the DIAMETER slide with RADIUS servers: a client (e.g. 802.11 access point) in visit.org authenticates / authorizes user@home.org against the visiting RADIUS server (visit.org user account db); its logic looks up the RADIUS server for home.org via the .org and home.org DNS servers ("exists: is…"), both RADIUS servers get the CA key from the eduroam.org Certificate Authority, and a dynamic p2p connection is made to the home RADIUS server (home.org user account db). The existing infra keeps its static p2p links. Numbered steps 1-6 with sub-steps 2a-2d and 4a-4d.]
RADIUS + DNSSec
[Diagram: "DNS based peer discovery and DNS based determination whether peer is part of roaming domain". Same setting as the previous slides: a client (e.g. 802.11 access point) in visit.org authenticates / authorizes user@home.org against the visiting RADIUS server (visit.org user account db); its logic looks up the RADIUS server for home.org through the DNS servers of eduroam.org, visit.org and home.org and looks up the peer key in DNS instead of fetching a CA key, then a dynamic p2p connection is made to the home RADIUS server (home.org user account db). The existing infra keeps its static p2p links. Numbered steps 1-6 with sub-steps 2a-2b and 4a-4d.]
Additional slide: AAI – components LFA/LA
[Diagram: a Site with its Resource and Site Access Management; a Local Federation Adaptor with a Local Interface towards the R FPP and a Local Adaptor; Federation Services within the Federation Limits; a Remote Interface towards the H FPP of Other Sites]
EduRoam
[Diagram: the Supplicant of a guest user piet@university_b.nl at University A connects through an Authenticator (AP or switch) to the University A RADIUS server, which proxies the request via the SURFnet Central RADIUS Proxy server to the University B RADIUS server and its User DB; after authentication the user is placed in the Student VLAN, Commercial VLAN or Employee VLAN; data and signaling paths are shown separately]
• Trust based on RADIUS plus policy documents
• 802.1X
• (VLAN assignment)