connect communicate collaborate
radsecproxy: a Swiss army knife for eduroam
[ Why does eduroam work on the buses to the venue? ]
Stefan Winter, RESTENA. TNC 2009, 9 June 2009
Overview
- What is radsecproxy?
- History: why radsecproxy? Timeline
- Features: RADIUS/UDP, RADIUS/TCP, RADIUS/DTLS, RadSec, dynamic discovery
- Standardisation impact: IETF drafts
- Deployment
What is radsecproxy?
- Product of Uninett, particularly Stig Venaas
- Universal proxy for several RADIUS transports: RADIUS over UDP; RADIUS over TCP; TLS-encrypted RADIUS over TCP; DTLS-encrypted RADIUS over UDP
- Translates bidirectionally from all to all transports
- Either supplements Access Points which don't speak RadSec, or ... is a local front-end to older classic RADIUS servers, or ... is a complete small-footprint eduroam national (FLR) or international (TLR) proxy server
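A radsecproxy.conf for the "local front-end" role described above, as an added example (not from the slides and not the radsecproxy project's own sample config). The access points and the legacy RADIUS server speak classic RADIUS/UDP to this box; everything that leaves the site is RadSec. Hostnames, addresses, file paths and secrets are placeholders; the directive names are radsecproxy's own.

```conf
# Listeners: APs and the old RADIUS server talk UDP to us,
# the rest of the eduroam world talks RadSec (TLS on TCP 2083).
ListenUDP *:1812
ListenTLS *:2083

tls defaultTLS {
    CACertificateFile   /etc/radsecproxy/federation-ca.pem
    CertificateFile     /etc/radsecproxy/proxy.pem
    CertificateKeyFile  /etc/radsecproxy/proxy.key
}

# The access points. RADIUS/UDP is protected by nothing but the shared
# secret (and no confidentiality for attributes), so keep them on a
# management VLAN and do not reuse the secret elsewhere.
client aps {
    host    192.0.2.0/24
    type    udp
    secret  placeholder-ap-secret
}

# The federation proxy may send us requests for visitors from abroad ...
client etlr.example.net {
    type    tls
    secret  radsec              # the fixed RADIUS/TLS secret
    tls     defaultTLS
    CertificateNameCheck on     # peer name must match its certificate
}

# ... and we send all foreign realms to it.
server etlr.example.net {
    type    tls
    secret  radsec
    tls     defaultTLS
    CertificateNameCheck on
    StatusServer on             # detect a dead peer before users do
}

# Our own users go to the classic RADIUS server hiding behind the proxy.
server legacy-idp {
    host    192.0.2.250
    type    udp
    secret  placeholder-idp-secret
}

realm /@(.*\.)?org1\.lu$/ {
    server legacy-idp
}

# Anything with an @ that is not ours climbs the hierarchy.
realm /@/ {
    server etlr.example.net
}

# A username without a realm is a client misconfiguration, not a
# reason to bother the federation proxy with it.
realm * {
    replyMessage "Misconfigured client: no realm in username"
    accountingResponse on
}
```

The two TLS-side checks are what give the deployment its security: `CACertificateFile` limits peers to certificates from the federation CA, and `CertificateNameCheck` ties the connection to the configured host name, so a redirected or spoofed peer fails the handshake rather than receiving user credentials. The catch-all `realm *` with `replyMessage` keeps realm-less requests from being forwarded upstream by a default route.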
radsecproxy, the FLR

[Diagram: org1.lu, org2.lu and org3.lu speak RADIUS to a radsecproxy acting as the .lu federation-level (FLR) proxy, which speaks RadSec to the ETLR. Legend: RADIUS, RadSec.]
radsecproxy, the local frontend

[Diagram: the .lu FLR (connected to the ETLR) with org1.lu, org2.lu and org3.lu below it; at org1.lu a radsecproxy on localhost sits in front of the organisation's classic RADIUS server. Legend: RADIUS, RadSec.]
radsecproxy and the buses (1)

[Diagram: the AP on the bus speaks RADIUS to a radsecproxy on localhost, which speaks RadSec to some eduroam RadSec server.]
radsecproxy and the buses (2)

[Diagram: as before, AP to radsecproxy on localhost to some eduroam RadSec server, with the bus uplink running over UMTS.]
Say cheese...
Why radsecproxy? (or: aren't there enough RADIUS servers already?)
- eduroam's requirements for RADIUS servers are high: only a few really good implementations
- any attempt to use RadSec narrowed the choice down to one implementation (Radiator)
- Radiator has a large customer base and can't be used for code experiments
- GN2-JRA5 needed an up-to-date reference implementation of the latest IETF drafts
- Work started 2 Jan 2007 (first SVN commit); 1.0: 21 Sep 2007; 1.3: 12 Mar 2009
Feature Set
Transports: two usual suspects
- Classic RADIUS: RADIUS datagrams, transmitted over UDP
- RadSec: TLS encryption for RADIUS, transmitted over TCP
and two newcomers
- RADIUS transmitted over TCP (no contemporary encryption!) [IETF spin-off of RadSec; stand-alone use not recommended]
- RADIUS datagrams encrypted with TLS-like DTLS, transmitted over UDP [new IETF idea]
Dynamic discovery: find the AAA server from an arbitrary metadata repository (next slide)
Dynamic discovery: nothing new :-) (it has delivered your mail for decades)

[Diagram: mail from an address at doe.de to an address at bob.lu. The MTA at doe.de asks DNS "MX for bob.lu?", gets 2001:db8::c001, and hands the mail to the mailbox server at bob.lu: "Mail for you!" / "Thanks!"]
RADIUS: no dynamics in sight

[Diagram: the static RADIUS hierarchy. A root server with .fr, .lu, .nl, .de, ... below it; bob.lu under .lu, doe.de under .de. Two users at authenticator1 and authenticator2 (one of them with a realm at dep1.uni.au) can only reach the AuthServer at doe.de by walking the tree hop by hop.]
Dynamic discovery and RADIUS

[Diagram: a user logs in with a realm of doe.de at the eduroam SP bob.lu. The SP asks DNS/metadata "eduroam server for doe.de?", gets 2001:db8::beef, and asks the IdP at doe.de directly: "Authenticate guy?" / "Yes, is okay!"]
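The two routing models contrasted on the last three slides, static hierarchy versus DNS-based discovery, as an added example in Python (not code from the slides or from radsecproxy). The routing table and the DNS zone are constructed in-memory so it runs offline; the record layout (a NAPTR with service `aaa+auth:radius.tls.tcp` pointing at an SRV under `_radiustls._tcp`, then an address record) follows the IETF discovery draft lineage and is an assumption of this example, as are the host names.

```python
"""NAI realm routing: static RADIUS hierarchy vs. DNS-based dynamic discovery."""
from dataclasses import dataclass
from typing import Optional


def realm_of(nai: str) -> str:
    """Extract the realm from user@realm.  A proxy must never route on a
    realm it cannot parse: such requests are rejected, not defaulted."""
    if nai.count("@") != 1:
        raise ValueError(f"malformed NAI: {nai!r}")
    realm = nai.split("@", 1)[1].strip().lower().rstrip(".")
    if not realm or ".." in realm or any(c.isspace() for c in realm):
        raise ValueError(f"bad realm in NAI: {nai!r}")
    return realm


# --- static hierarchy: every hop is preconfigured, nothing is looked up ----
STATIC_ROUTES = {            # constructed: realm suffix -> next-hop proxy
    "lu": "flr.lu.example",
    "de": "flr.de.example",
    "*": "etlr.example",     # default route: everything else climbs to the TLR
}


def static_next_hop(realm: str, routes=STATIC_ROUTES) -> str:
    """Longest-suffix match, the way an FLR routes: uni.lu stays national,
    an unknown realm is handed up the tree."""
    labels = realm.split(".")
    for i in range(len(labels)):
        suffix = ".".join(labels[i:])
        if suffix in routes:
            return routes[suffix]
    return routes["*"]


# --- dynamic discovery: the MX analogy from the slides ---------------------
ZONE = {                     # constructed zone data: (owner, rrtype) -> records
    ("doe.de", "NAPTR"): [
        # (order, preference, flags, service, regexp, replacement)
        (50, 50, "S", "aaa+auth:radius.tls.tcp", "", "_radiustls._tcp.doe.de"),
    ],
    # (priority, weight, port, target)
    ("_radiustls._tcp.doe.de", "SRV"): [(0, 10, 2083, "idp.doe.de")],
    ("idp.doe.de", "AAAA"): ["2001:db8::beef"],
}


@dataclass(frozen=True)
class Peer:
    host: str       # SRV target: the TLS certificate must be checked against it
    port: int
    address: str


def dynamic_discover(realm: str, zone=ZONE) -> Optional[Peer]:
    """NAPTR -> SRV -> address chain for a realm.  None when the IdP publishes
    nothing usable, in which case the caller falls back to the static tree."""
    for _order, _pref, flags, service, _re, replacement in sorted(zone.get((realm, "NAPTR"), [])):
        if flags != "S" or service != "aaa+auth:radius.tls.tcp":
            continue
        for _prio, _weight, port, target in sorted(zone.get((replacement, "SRV"), [])):
            addrs = zone.get((target, "AAAA")) or zone.get((target, "A")) or []
            if addrs:
                return Peer(target, port, addrs[0])
    return None


def route(nai: str, zone=ZONE, routes=STATIC_ROUTES) -> tuple:
    """Where does this login go?  The discovered IdP if it advertises one,
    otherwise the static next hop.  Raises ValueError on unroutable NAIs."""
    realm = realm_of(nai)
    peer = dynamic_discover(realm, zone)
    if peer is not None:
        return ("dynamic", peer.host, peer.port)
    return ("static", static_next_hop(realm, routes), 2083)


if __name__ == "__main__":
    for nai in ("guy@doe.de", "visitor@uni.lu", "someone@dep1.uni.au"):
        print(nai, "->", route(nai))
```

DNS answers are not authenticated, so discovery only decides whom to connect to; it is the RadSec handshake (federation CA, certificate name matching the discovered target) that decides whether that peer may receive the user's credentials. A spoofed NAPTR should produce a failed handshake, never a successful forward.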
Standardisation Impact
IETF drafts for:
- RADIUS/TCP transport [A. DeKok]
- RADIUS/TLS [S. Winter et al.]
- RADIUS/DTLS [A. DeKok]
- NAI-based server discovery [S. Winter]
Time for bashing!
(a.k.a. Questions?)
... and why the buses sometimes didn't work
- It doesn't help to have 7 buses equipped with eduroam if they are sitting in the depot [Sunday morning]
- Rebooting the bus (ignition power loss) creates race conditions [Sunday, Monday]: the UMTS uplink takes ~2 minutes to get an actual network connection, while the AP takes only seconds and gives up early. And catching all seven buses in turn to fix that is time-consuming if you are supposed to attend/organise a conference at the same time.
- UMTS isn't a fibre backbone: a flaky connection on handover can disrupt you or delay authentication [always]
- Plus a lesson learned: AP manufacturers, we hate you for not equipping your devices with a hardware clock! (Without one, a freshly booted device has a bogus time, and RadSec certificate validity checks fail until the clock is set.)
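One mitigation for the two boot-time failure modes above, a start-up gate that waits for a plausible clock and a reachable upstream before launching the proxy, as an added example (not code from the slides or from radsecproxy). The upstream name and port, the clock floor and the radsecproxy command line are assumptions of this example; the checks take injectable clock, sleep and connect functions so the logic can be exercised without a network.

```python
"""Start-up gate for a radsecproxy behind a slow, clockless uplink."""
import socket
import subprocess
import time
from typing import Callable, Optional

# Constructed floor: a box without an RTC boots into 1970.  Any time before
# this (e.g. the notBefore of our own RadSec certificate) cannot be right,
# and with it every peer certificate would look "not yet valid".
CLOCK_FLOOR = 1244505600          # 2009-06-09T00:00:00Z


def clock_is_sane(now: Optional[float] = None, floor: float = CLOCK_FLOOR) -> bool:
    """True once the clock is past the floor (i.e. NTP or similar has run)."""
    return (time.time() if now is None else now) >= floor


def upstream_reachable(host: str, port: int, timeout: float = 3.0,
                       connect: Callable = socket.create_connection) -> bool:
    """TCP reachability of the RadSec peer; the TLS handshake is the proxy's job."""
    try:
        s = connect((host, port), timeout=timeout)
    except OSError:
        return False
    s.close()
    return True


def wait_until(predicate: Callable[[], bool], deadline: float, interval: float,
               clock: Callable[[], float] = time.monotonic,
               sleep: Callable[[float], None] = time.sleep) -> bool:
    """Poll until predicate holds or `deadline` seconds pass.  Unlike an AP
    that gives up after seconds, the budget here covers a ~2 minute UMTS attach."""
    start = clock()
    while True:
        if predicate():
            return True
        if clock() - start >= deadline:
            return False
        sleep(interval)


def gate(checks, deadline: float, interval: float,
         clock=time.monotonic, sleep=time.sleep) -> Optional[str]:
    """Run named checks in order.  Returns the name of the first check that
    never passed within its budget, or None when all are satisfied."""
    for name, predicate in checks:
        if not wait_until(predicate, deadline, interval, clock, sleep):
            return name
    return None


def main() -> int:
    blocked = gate([
        ("clock", clock_is_sane),
        ("uplink", lambda: upstream_reachable("etlr.example", 2083)),  # assumed peer
    ], deadline=300, interval=10)
    if blocked:
        print(f"not starting radsecproxy: '{blocked}' check never passed")
        return 1
    # -f keeps radsecproxy in the foreground so a supervisor sees its exit status.
    return subprocess.call(["radsecproxy", "-f"])


if __name__ == "__main__":
    raise SystemExit(main())
```

The clock check runs first on purpose: with a wrong clock the proxy would come up, accept the AP's requests and then fail every RadSec handshake, which looks to users exactly like the uplink being down.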