Eduroam-ng
Klaas.Wierenga@surfnet.nl
GN2 JRA5 Meeting Barcelona, 7 September 2005

The current eduroam hierarchy
• AA traffic goes through all intermediate entries
• All links are peer-to-peer agreements / static routes
• Authentication = authorization
• Authenticate for everything?

Service attributes
• eduroam-service-provider
  • SURFnet.nl
  • UVA.nl
• eduroam-service-identifier
  • SVP
  • A-Select
  • WLAN
  • Dial-Up
• eduroam-av-pair
  • Currently not used

Service attributes implementation
• In the RADIUS dictionary:
    VENDORATTR 1076 surfnet-avpair 1 string
    VENDORATTR 1076 service-identifier 2 string
    VENDORATTR 1076 service-provider 3 string
• In the logging:
    Code: Access-Request
    […]
    service-identifier = "WLAN"
    service-provider = "uva.nl"

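Added example (not code from the slides or from SURFnet): the three SURFnet dictionary entries above carried as RFC 2865 Vendor-Specific attributes (vendor id 1076, sub-attributes 1 to 3), with an encoder, a length-checked decoder, and a home-server check that uses service-identifier and service-provider to decide authorization separately from authentication, which is the point the "Authentication = authorization" slide raises. The function names and the policy dictionary are assumptions of this example.

```python
import struct

VENDOR_SPECIFIC = 26      # RFC 2865 Vendor-Specific attribute type
SURFNET_VENDOR_ID = 1076  # the "VENDORATTR 1076 ..." entries in the slide's dictionary
SURFNET_ATTRS = {1: "surfnet-avpair", 2: "service-identifier", 3: "service-provider"}
SURFNET_ATTR_IDS = {name: num for num, name in SURFNET_ATTRS.items()}


def encode_vsa(name: str, value: str) -> bytes:
    """Encode one SURFnet string attribute as an RFC 2865 Vendor-Specific AVP."""
    data = value.encode("utf-8")
    # sub-attribute = vendor type (1) + vendor length (1, counts itself and the type) + data
    sub = struct.pack("!BB", SURFNET_ATTR_IDS[name], 2 + len(data)) + data
    body = struct.pack("!I", SURFNET_VENDOR_ID) + sub
    if 2 + len(body) > 255:
        raise ValueError("value too long for a single AVP")
    return struct.pack("!BB", VENDOR_SPECIFIC, 2 + len(body)) + body


def decode_avps(blob: bytes) -> dict:
    """Walk a RADIUS attribute list and return the SURFnet attributes found (name -> value)."""
    found, pos = {}, 0
    while pos < len(blob):
        if pos + 2 > len(blob):
            raise ValueError("truncated AVP header")
        atype, alen = blob[pos], blob[pos + 1]
        if alen < 2 or pos + alen > len(blob):
            raise ValueError("bad AVP length")  # never trust the length byte
        value = blob[pos + 2:pos + alen]
        pos += alen
        if (atype != VENDOR_SPECIFIC or len(value) < 6
                or struct.unpack("!I", value[:4])[0] != SURFNET_VENDOR_ID):
            continue  # not a VSA, too short to hold one, or another vendor's attribute
        vtype, vlen = value[4], value[5]
        if vlen < 2 or 4 + vlen > len(value):
            raise ValueError("bad vendor sub-attribute length")
        if vtype in SURFNET_ATTRS:
            found[SURFNET_ATTRS[vtype]] = value[6:4 + vlen].decode("utf-8", "replace")
    return found


def service_authorized(attrs: dict, policy: dict) -> bool:
    """Home-server authorization, separate from authentication: is the requested
    service permitted at this provider? policy maps provider -> allowed identifiers (assumed shape)."""
    provider = attrs.get("service-provider", "").lower()
    service = attrs.get("service-identifier")
    return service is not None and service in policy.get(provider, set())
```

With the attributes from the slide's log excerpt (service-identifier WLAN at uva.nl), a policy that permits only Dial-Up at uva.nl yields a rejection even though the user authenticates correctly.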
The tudelft.net/es.net/alfa-ariss.com/ysu.edu case
• Where to connect?
• Who is going to manage that?

Towards p2p trust?
• Diameter
  • Implements everything we want, or so it seems
  • Implementations not ready for production
• DNSsec
  • New, hardly tested, requires adaptations to RADIUS servers
• DNSROAM + RadSec
  • New, limited testing experience, supported in Radiator, not (yet?) in FreeRADIUS
• How about eduGAIN?

RadSec + DNSROAM
• RadSec: Secure Reliable Transport for RADIUS requests over TCP/IP using TLS
  • Encryption
  • Security
  • Message integrity
  • Strong mutual authentication
• DNSROAM
  • Use DNS resource records to locate the peer

DNS-Roam? RADSEC
• DNSsec instead?

DNS-Roam mix and match RADSEC
Status
• Policy
• Evaluation of possible roaming technologies

Planning
Deliverables
• M15 DJ5.1.4 Roaming policy
• M17 DJ5.1.5 Inter-NREN roaming technical specification document
• M21 DJ5.1.6 Inter-NREN roaming infrastructure and service support description (cookbook 1st version)
Milestones
• M15 MJ5.1.1 Evaluation of possible roaming technologies and creation of Inter-NREN roaming architecture
• M19 MJ5.1.3 Inter-NREN roaming infrastructure pilot
• M22 MJ5.1.4 Inter-NREN roaming infrastructure rollout, test, and evaluation plan
• M30 MJ5.1.5 Inter-NREN roaming pilot infrastructure operational
Manpower
• 37 MM of co-financed manpower
• The work item will be led by SURFnet with participation from ARNES, CARNet, CESNET, DFN, FCCN, GRNET, HEAnet, HUNGARNET, ISTF, NORDUnet, RedIRIS, RESTENA, SWITCH and UKERNA.

Inter-NREN technical specification document
• Architectural overview
• Operational definitions
• Protocols and profiles
• Use cases
• Security and privacy considerations