“So what’s this talk about?”
- eduroam rocks!
- It is one of the best ideas in academic networking in years.
- Hundreds of Institutions already support it.
- It is revolutionising network service delivery.
Outline
- eduroam has become a victim of its own success.
- Explain the challenges.
- Discuss how these are being addressed.
- I am not here to evangelise!
The ‘growing pains’ of eduroam
- eduroam relies on some poorly implemented technologies.
- eduroam also relies on other technologies that weren’t designed for what eduroam is trying to achieve.
- Good policy is hard.
[Figure: Gartner hype cycle, 2006]
eduroam in a slide
[Figure: eduroam architecture. Supplicant -> Authenticator (AP or switch) -> RADIUS server, University A -> Central RADIUS proxy server -> RADIUS server, University B; each University has its own User DB behind its RADIUS server. 802.1X with VLAN assignment places the user on the Guest Network, Employee VLAN, Student VLAN or Commercial VLAN. Legend distinguishes signalling from data paths. Trust is based on RADIUS plus policy documents.]
… sucks (Windows’ supplicant, at least…)
Why Windows’ supplicant sucks
- Limited authentication options
  - EAP-TLS (user certificates suck)
  - EAP-PEAP (MS-CHAP sucks)
- Can’t authenticate against ‘hidden’ SSIDs
- Passwords cached in the registry
- The default configuration settings
  - ~20 steps to implement a good configuration.
  - ~4 sides of A4 including screenshots.
How we’re trying to fix it
- Our pain is the supplicant industry’s gain
  - Some good but costly commercial supplicants
- Open source supplicants (Windows)
  - SecureW2: an EAP-TTLS plug-in for the Windows supplicant. Addresses some of the problems, but not all.
  - Open1x project: port of Xsupplicant to Windows. Managed by the OpenSEA Alliance (Extreme Networks, Identity Engines, Infoblox, Symantec Corporation, TippingPoint, Trapeze Networks and UKERNA).
Why PKI sucks
- The only available secure EAP methods depend on PKI
- No one understands PKI, least of all users.
- Certificates rooted to CAs in Windows cost €.
- Certificate-based TLS handshake is highly verbose
  - Authentication is slow and fragile over a lossy network.
How we’re trying to fix it
- TERENA Server Certificate Service
  - Another excellent initiative from TERENA
- Proposed shared-secret methods
  - EAP-TLS-PSK
  - EAP-GPSK
- Use a reliable transport for EAP (more later)
RADIUS sucks (…or RADIUS wasn’t designed for this!)
Why RADIUS sucks
- eduroam is pushing RADIUS’ capabilities.
- Routing is bound to the DNS hierarchy
  - Who should manage .org, .edu or .net?
  - ukerna.ac.uk is changing to ja.net…
- Hierarchical routing is fragile and slow
  - EAP-PEAP: ~250 ms RTT (~2-4 sec)
  - ~2-5% packet loss
  - Retransmission driven by RADIUS server (3-5 sec timeouts)
- Poor support for inter-domain authorisation
  - User attributes are exposed to proxy servers
  - RADIUS attributes are relatively inflexible (cf. SAML).
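The realm-based forwarding this slide describes, as an added example (not code from the talk, nor from any eduroam proxy): a toy RADIUS proxy routing table that forwards by longest realm suffix, with constructed proxy names and realms. It also reproduces the two failure modes the bullets point at: a realm whose top-level suffix has no agreed owner gets no route at all, and a default route back up the hierarchy loops on an unknown realm unless the proxy checks for revisits (what Proxy-State is for in real deployments).

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass
class Proxy:
    """One RADIUS proxy: a map from realm suffix to next hop.

    A next hop is either the name of another proxy or "home:<server>",
    a constructed marker for the institution's own authentication server.
    The empty-string key is the default route (normally the parent proxy).
    """
    name: str
    routes: Dict[str, str] = field(default_factory=dict)


def realm_of(nai: str) -> str:
    """Extract the realm from a Network Access Identifier (user@realm)."""
    user, sep, realm = nai.rpartition("@")
    if not sep or not user or not realm:
        raise ValueError(f"not a user@realm identifier: {nai!r}")
    return realm.lower()


def next_hop(proxy: Proxy, realm: str) -> Optional[str]:
    """Longest-suffix match against the DNS-style realm labels.

    For "cs.univ-a.ac.uk" the candidates are tried in order:
    cs.univ-a.ac.uk, univ-a.ac.uk, ac.uk, uk, then the default route.
    """
    labels = realm.split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in proxy.routes:
            return proxy.routes[candidate]
    return proxy.routes.get("")


def route(proxies: Dict[str, Proxy], start: str, nai: str) -> List[str]:
    """Follow next hops from `start` until a home server is reached.

    Raises LookupError when some proxy has no route (nobody owns the
    suffix) and RuntimeError when the request would revisit a proxy,
    the loop that a default route pointing back up the tree produces.
    """
    realm = realm_of(nai)
    path = [start]
    current = start
    while True:
        hop = next_hop(proxies[current], realm)
        if hop is None:
            raise LookupError(f"{current}: no route for realm {realm}")
        if hop in path:
            raise RuntimeError(f"routing loop: {' -> '.join(path + [hop])}")
        path.append(hop)
        if hop.startswith("home:"):
            return path
        current = hop


# Constructed topology, not a real eduroam configuration.
TOPOLOGY: Dict[str, Proxy] = {
    "univ-a": Proxy("univ-a", {"univ-a.ac.uk": "home:univ-a", "": "uk-proxy"}),
    "univ-b": Proxy("univ-b", {"univ-b.ac.uk": "home:univ-b", "": "uk-proxy"}),
    "uk-proxy": Proxy("uk-proxy", {"univ-a.ac.uk": "home:univ-a",
                                   "univ-b.ac.uk": "home:univ-b",
                                   "": "eu-top"}),
    # The top-level proxy knows national suffixes only; ".net" has no owner here.
    "eu-top": Proxy("eu-top", {"ac.uk": "uk-proxy", "nl": "nl-proxy"}),
    "nl-proxy": Proxy("nl-proxy", {"univ-c.nl": "home:univ-c"}),
}


if __name__ == "__main__":
    # A University A user visiting University B is proxied via the national server.
    print(route(TOPOLOGY, "univ-b", "alice@univ-a.ac.uk"))
    # A realm under an unowned suffix, and an unknown realm under a known one.
    for nai in ("carol@ja.net", "dave@nowhere.ac.uk"):
        try:
            print(route(TOPOLOGY, "univ-b", nai))
        except (LookupError, RuntimeError) as exc:
            print(f"{nai}: {exc}")
```

The `carol@ja.net` case is the rename problem in miniature: once an institution's realm leaves the `.ac.uk` subtree, every proxy above it needs a route for a suffix that no national proxy owns. The `dave@nowhere.ac.uk` case shows why a proxy must detect loops rather than rely on timeouts.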
How we’re trying to fix it
- Routing
  - RADSec: RADIUS over TLS over TCP. Unlikely to gain traction in the IETF.
  - Diameter: the IETF’s proposed successor to RADIUS. Only one commercial implementation.
  - We need PKI for both...
- Authorisation
  - DAMe (GN JRA5)
  - RADIUS-SAML (Internet2 FWNA)
  - Perhaps we’re trying to be too clever? Would a small set of RADIUS attributes be sufficient to cover our use-cases?
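The latency figures on the previous slide and the earlier "use a reliable transport for EAP" bullet, carried through as an added example (not the talk's own material): a small Monte Carlo model of an EAP exchange relayed as RADIUS request/reply legs over a lossy proxy path, comparing classic RADIUS over UDP with server-driven retransmission against a TCP-style transport whose retransmit timer is close to the RTT, as RADSec would provide. All figures (10 legs, 250 ms RTT, 3% loss, 3 s RADIUS timeout, 3 retries) are constructed around the slide's ranges.

```python
import random
from typing import Dict, Optional

# Constructed scenario built around the talk's figures.
RTT = 0.25          # seconds; the talk quotes ~250 ms between home and visited sites
LOSS = 0.03         # per-direction packet loss, inside the talk's 2-5 % range
ROUND_TRIPS = 10    # constructed: an EAP-PEAP exchange needs on the order of ten request/reply legs


def eap_exchange_time(round_trips: int, rtt: float, loss: float, rto: float,
                      max_retries: int, rng: random.Random) -> Optional[float]:
    """Simulate one EAP exchange as `round_trips` RADIUS request/reply legs.

    A leg succeeds only if both the request and the reply survive the path;
    a lost leg is retransmitted after `rto` seconds, up to `max_retries`
    times. Returns the total time, or None if a leg gave up (the
    authentication fails and the user has to start over).
    """
    total = 0.0
    for _ in range(round_trips):
        attempts = 0
        while True:
            attempts += 1
            delivered = rng.random() >= loss and rng.random() >= loss
            if delivered:
                total += rtt
                break
            if attempts > max_retries:
                return None
            total += rto    # wait out the timer, then retransmit
    return total


def simulate(transport: str, trials: int = 2000, seed: int = 1,
             loss: float = LOSS) -> Dict[str, float]:
    """Run `trials` exchanges and summarise them for one transport model."""
    if transport == "udp":
        # Classic RADIUS: the server's retransmit timer is seconds long
        # (the talk says 3-5 s) and it gives up after a few tries.
        rto, max_retries = 3.0, 3
    elif transport == "tcp":
        # RADSec-style: TCP retransmits on an RTT-scale timer and keeps
        # trying; a large retry budget stands in for "until the session drops".
        rto, max_retries = 2 * RTT, 50
    else:
        raise ValueError(f"unknown transport {transport!r}")
    rng = random.Random(seed)   # fixed seed so the run is reproducible
    times = []
    failures = 0
    for _ in range(trials):
        t = eap_exchange_time(ROUND_TRIPS, RTT, loss, rto, max_retries, rng)
        if t is None:
            failures += 1
        else:
            times.append(t)
    return {
        "mean_s": sum(times) / len(times),
        "p95_s": sorted(times)[int(0.95 * (len(times) - 1))],
        "fail_rate": failures / trials,
    }


if __name__ == "__main__":
    for transport in ("udp", "tcp"):
        print(transport, simulate(transport))
```

With no loss both models finish in 2.5 s, the low end of the slide's 2-4 s. With 3% loss per direction the UDP model's mean climbs towards 4.5 s and its 95th percentile past 8 s, because every lost packet costs a full 3 s server timer; the TCP-style model stays near 2.8 s because the transport, not the RADIUS server, recovers the loss. The model ignores per-hop proxy timers, which make the real UDP case worse, not better.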
Why inconsistent policy sucks
- Visible Services, Transparent Networks
- Consistency matters
  - Reduces costs and user satisfaction.
- eduroam confederation policy
  - “[Institutions] SHOULD provide open network access”
  - Great idea, but will the ‘SHOULD’ be ignored?
  - If tcp/80 is the only common denominator then in practice eduroam becomes interweb only.
- eduroam has competitors
  - Commercial, GPRS, UMTS, …
How we’re trying to fix it
- Opinions differ
  - 26 NRENs, 100s of Institutions…
  - How should policy be balanced between Institutions, NRENs and the confederation?
- Perhaps we need more experience?
  - I carry about a GPRS/UMTS dongle; a sign of things to come?
- Do we need to add more value?
Conclusions
- Most Institutions can deploy eduroam without problems today.
- There are technology issues for some Institutions, but we’re close to fixing these.
- There are scaling issues, but these will be fixed in the medium term.
  - This is not an excuse for delaying joining!
- The confederation policy may need some minor adjustments, but nothing significant.
- Do we need to add more value?