
Eduroam-ng

Eduroam-ng. Klaas.Wierenga@surfnet.nl GN2 JRA5 Meeting Barcelona, 7 September 2005. The current eduroam hierarchy. AA traffic goes through all intermediate entries All links are peer-to-peer agreements / static routes Authentication = authorization. Authenticate for everything?.


Presentation Transcript


  1. Eduroam-ng Klaas.Wierenga@surfnet.nl GN2 JRA5 Meeting Barcelona, 7 September 2005

  2. The current eduroam hierarchy
     • AA traffic goes through all intermediate entries
     • All links are peer-to-peer agreements / static routes
     • Authentication = authorization

  3. Authenticate for everything?

  4. Service attributes
     • eduroam-service-provider
       • SURFnet.nl
       • UVA.nl
     • eduroam-service-identifier
       • SVP
       • A-Select
       • WLAN
       • Dial-Up
     • eduroam-av-pair
       • Currently not used

  5. Service attributes implementation
     • In RADIUS dictionary
         VENDORATTR 1076 surfnet-avpair 1 string
         VENDORATTR 1076 service-identifier 2 string
         VENDORATTR 1076 service-provider 3 string
     • In the logging:
         Code: Access-Request
         […]
         service-identifier = “WLAN”
         service-provider = “uva.nl”

  6. The tudelft.net/es.net/alfa-ariss.com/ysu.edu case
     • Where to connect?
     • Who is going to manage that?

  7. Towards p2p trust?
     • Diameter
       • Implements everything we want, or so it seems
       • Implementations not ready for production
     • DNSsec
       • New, hardly tested, requires adaptations to RADIUS servers
     • DNSROAM+RadSec
       • New, limited testing experience, supported in Radiator, not (yet?) in FreeRADIUS
     • How about eduGAIN?

  8. RadSec + DNSROAM
     • RadSec: Secure Reliable Transport for RADIUS requests over TCP/IP using TLS
       • Encryption
       • Security
       • Message integrity
       • Strong mutual authentication
     • DNSROAM
       • Use DNS resource records to locate the peer

  9. DNS-Roam? RADSEC • DNSsec instead?

  10. DNS-Roam mix and match RADSEC

  11. Discussion?

  12. Status
     • Policy
     • Evaluation of possible roaming technologies

  13. Planning
     Deliverables
     • M15 DJ5.1.4 Roaming policy
     • M17 DJ5.1.5 Inter-NREN roaming technical specification document
     • M21 DJ5.1.6 Inter-NREN roaming infrastructure and service support description (cookbook 1st version)
     Milestones
     • M15 MJ5.1.1 Evaluation of possible roaming technologies and creation of Inter-NREN roaming architecture
     • M19 MJ5.1.3 Inter-NREN roaming infrastructure pilot
     • M22 MJ5.1.4 Inter-NREN roaming infrastructure rollout, test, and evaluation plan
     • M30 MJ5.1.5 Inter-NREN roaming pilot infrastructure operational
     Manpower
     • 37 MM of co-financed manpower.
     • The work item will be led by SURFnet with participation from ARNES, CARNet, CESNET, DFN, FCCN, GRNET, HEAnet, HUNGARNET, ISTF, NORDUnet, RedIRIS, RESTENA, SWITCH and UKERNA.

  14. Inter-NREN technical specification document
     • Architectural overview
     • Operational definitions
     • Protocols and profiles
     • Use cases
     • Security and privacy considerations
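
Slide 5 defines three string sub-attributes under vendor number 1076 and shows two of them in an Access-Request log. As an added example (not code from the presentation or the eduroam project), the following packs those sub-attributes in the standard RADIUS Vendor-Specific attribute layout of RFC 2865 (type 26) and parses them back, rejecting malformed lengths. The function names and the User-Name value are assumptions made for illustration.

```python
import struct

VENDOR_SPECIFIC = 26   # RADIUS Vendor-Specific attribute type (RFC 2865, 5.26)
VENDOR_ID = 1076       # vendor number taken from the slide's dictionary lines
SUBTYPES = {1: "surfnet-avpair", 2: "service-identifier", 3: "service-provider"}
BY_NAME = {name: num for num, name in SUBTYPES.items()}


def encode_vsa(name, value):
    """Encode one string sub-attribute as a Vendor-Specific attribute."""
    data = value.encode("utf-8")
    sub = bytes([BY_NAME[name], len(data) + 2]) + data
    total = 2 + 4 + len(sub)          # type + length + vendor id + sub-attribute
    if total > 255:
        raise ValueError("value too long for a single RADIUS attribute")
    return bytes([VENDOR_SPECIFIC, total]) + struct.pack("!I", VENDOR_ID) + sub


def decode_vsas(attrs):
    """Walk a RADIUS attribute list and return this vendor's sub-attributes."""
    found, pos = {}, 0
    while pos < len(attrs):
        if pos + 2 > len(attrs):
            raise ValueError("truncated attribute header")
        atype, alen = attrs[pos], attrs[pos + 1]
        if alen < 2 or pos + alen > len(attrs):
            raise ValueError("bad attribute length")
        body = attrs[pos + 2:pos + alen]
        pos += alen
        if atype != VENDOR_SPECIFIC or len(body) < 4:
            continue                  # not a vendor-specific attribute
        if struct.unpack("!I", body[:4])[0] != VENDOR_ID:
            continue                  # another vendor's attribute
        sub, i = body[4:], 0
        while i + 2 <= len(sub):
            stype, slen = sub[i], sub[i + 1]
            if slen < 2 or i + slen > len(sub):
                raise ValueError("bad sub-attribute length")
            if stype in SUBTYPES:
                found[SUBTYPES[stype]] = sub[i + 2:i + slen].decode("utf-8")
            i += slen
    return found


# Constructed sample: a User-Name (type 1) followed by the two logged attributes.
user = b"anonymous@uva.nl"
SAMPLE = (bytes([1, len(user) + 2]) + user
          + encode_vsa("service-identifier", "WLAN")
          + encode_vsa("service-provider", "uva.nl"))
print(decode_vsas(SAMPLE))
```

A home server that receives these values can base an authorization decision on the requested service, which is the separation of authentication from authorization that slides 2 and 3 raise.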
