Slide 1: Eduroam-ng
Klaas.Wierenga@surfnet.nl, TF-Mobility, Barcelona, 6 September 2005
Slide 2: The current hierarchy
(Diagram: Toplevel server → .nl → uva.nl … rug.nl; ….au)
– AA traffic goes through all intermediate entries
– All links are peer-to-peer agreements / static routes
– Authentication = authorization
Slide 3: Authenticate for everything?
(Diagram: Toplevel server → .nl → uva.nl … rug.nl, T-mobile.com, Kindergarten.nl; ….au)
Slide 4: Service attributes
Provider-id
– SURFnet.nl
– UVA.nl
Service-id
– SVP
– A-Select
– WLAN
– Dial-Up
– Is this too fine-grained?
Slide 5: The tudelft.net/es.net/alfa-ariss.com case
(Diagram: Toplevel server → .nl → uva.nl … rug.nl; tudelft.net; ….au)
– Where to connect?
– Who is going to manage that?
Slide 6: Towards p2p trust
Diameter
– Implementations not ready for production, or are they?
DNSsec
– New, hardly tested, requires adaptations to RADIUS servers
DNSROAM+RadSec
– New, limited testing experience, supported in Radiator, not (yet?) in FreeRADIUS
Slide 7: RadSec + DNSROAM
RadSec: Secure Reliable Transport for RADIUS requests over TCP/IP using TLS
– Encryption
– Security
– Message integrity
– Strong mutual authentication
DNSROAM
– Use DNS service records to locate the peer
Slide 8: DNS-Roam?
(Diagram: "eduroam PKI"; .nl RA and ….au RA; uva.nl and qut.edu.au connected over RADSEC)
– DNSsec instead?
Slide 9: DNS-Roam transition phase
(Diagram: "eduroam PKI"; .nl RA and ….au RA; uva.nl and qut.edu.au connected over RADSEC)
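As an added illustration of the DNSROAM idea on slides 7 to 9 (example code written here, not taken from the slides or from Radiator), the following Python resolves a user's realm to RadSec peers through SRV records and falls back to the static hierarchy when no record exists, as in the transition phase. The SRV table, hostnames, ports and the static next hop are constructed, and the owner name `_radsec._tcp.<realm>` is an assumption about how such records would be published.

```python
import random
from collections import defaultdict

# Constructed SRV records standing in for DNS answers (not real eduroam data):
# owner name -> list of (priority, weight, port, target).
SRV_TABLE = {
    "_radsec._tcp.uva.nl": [(10, 60, 2083, "radius1.uva.nl"),
                            (10, 40, 2083, "radius2.uva.nl"),
                            (20, 0, 2083, "backup.uva.nl")],
    "_radsec._tcp.qut.edu.au": [(10, 0, 2083, "radius.qut.edu.au")],
}
# Hypothetical static route to the top-level server of the current hierarchy.
STATIC_NEXT_HOP = ("toplevel.example", 1812)

def realm_of(user_name):
    """Realm part of the outer identity user@realm, lower-cased; None if absent."""
    if "@" not in user_name:
        return None
    return user_name.rsplit("@", 1)[1].lower()

def order_srv(records, rng):
    """Order SRV records RFC 2782 style: lowest priority first, weighted random within it."""
    by_prio = defaultdict(list)
    for rec in records:
        by_prio[rec[0]].append(rec)
    ordered = []
    for prio in sorted(by_prio):
        pool = sorted(by_prio[prio], key=lambda r: r[1] != 0)  # weight-0 entries first
        while pool:
            pick = rng.randint(0, sum(r[1] for r in pool))
            running = 0
            for rec in pool:
                running += rec[1]
                if running >= pick:
                    ordered.append(pool.pop(pool.index(rec)))
                    break
    return ordered

def locate_peers(user_name, seed=None):
    """Candidate (host, port, transport) list for forwarding this user's request."""
    realm = realm_of(user_name)
    if realm is None:
        return []  # no realm: nothing to route, reject locally
    srv = SRV_TABLE.get(f"_radsec._tcp.{realm}", [])  # stand-in for a DNS query
    if srv:
        # DNS only locates the peer; its identity is verified by the TLS certificate
        # (mutual authentication against the eduroam PKI) when RadSec connects.
        return [(r[3], r[2], "radsec") for r in order_srv(srv, random.Random(seed))]
    # Transition phase: no DNSROAM record, forward via the static hierarchy.
    return [(STATIC_NEXT_HOP[0], STATIC_NEXT_HOP[1], "radius")]
```

Because the SRV answer is unsigned unless DNSsec is deployed, the lookup decides only where to connect; trust in the peer comes from the certificate check in the RadSec handshake.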