Presentation is loading. Please wait.

Presentation is loading. Please wait.

Why eduroam sucks, and how to fix it.

Similar presentations

Presentation on theme: "Why eduroam sucks, and how to fix it."— Presentation transcript:

1 Why eduroam sucks, and how to fix it.
Josh Howlett, UKERNA. TNC 2007, Copenhagen.

2 eduroam doesn’t suck

3 “So what’s this talk about?”
eduroam rocks! it is one of the best ideas in academic networking in years. hundreds of Institutions already support it. it is revolutionising network service delivery. “So what’s this talk about?”

4 Outline eduroam has become a victim of its own success.
explain the challenges. discuss how these are being addressed. I am not here to evangalise!

5 The ‘growing pains’ of eduroam
eduroam relies on some poorly implemented technologies. eduroam also relies on other technologies that weren’t designed for what eduroam is trying to achieve. good policy is hard. Gartner hype-cycle 2006

6 eduroam in a slide Network Commercial Employee VLAN VLAN Student VLAN
Supplicant Authenticator (AP or switch) RADIUS server University A RADIUS server University B User DB User DB Guest Network Employee VLAN Commercial VLAN Central RADIUS Proxy server Student VLAN Trust based on RADIUS plus policy documents 802.1X (VLAN assigment) signalling data

7 (Windows’ supplicant, at least…)
sucks (Windows’ supplicant, at least…)

8 Why Windows’ supplicant sucks
Limited authentication options EAP-TLS (user certificates suck) EAP-PEAP (MS-CHAP sucks) Can’t authenticate against ‘hidden’ SSIDs Passwords cached in the registry The default configuration settings ~20 steps to implement a good configuration. ~4 sides of A4 including screenshots.

9 How we’re trying to fix it
Our pain is the supplicant industry’s gain Some good but costly commercial supplicants Open source supplicants (Windows) SecureW2 An EAP-TTLS plug-in for the Windows supplicant Addresses some of the problems, but not all. Open1x project Port of Xsupplicant to Windows Managed by OpenSEA Alliance (Extreme Networks, Identity Engines, Infoblox, Symantec Corporation, TippingPoint, Trapeze Networks and UKERNA)

10 (for wireless authentication…)
PKI sucks (for wireless authentication…)

11 Why PKI sucks The only available secure EAP methods depend on PKI
No one understands PKI, least of all users. Certificates rooted to CAs in Windows cost €. Certificate-based TLS handshake is highly verbose Authentication is slow and fragile over a lossy network.

12 How we’re trying to fix it
TERENA Server Certificate Service Another excellent initiative from TERENA Proposed shared-secret methods EAP-TLS-PSK EAP-GPSK Use a reliable transport for EAP (more later)

13 (…or RADIUS wasn’t designed for this!)
RADIUS sucks (…or RADIUS wasn’t designed for this!)

14 Why RADIUS sucks eduroam is pushing RADIUS’ capabilities.
Routing is bound to the DNS hierarchy Who should manage .org, .edu or .net? is changing to… Hierarchical routing is fragile and slow EAP-PEAP: ~ ~ 250ms RTT (~2-4 sec) ~ 2-5% packet loss Retransmission driven by RADIUS server (3-5 sec timeouts) Poor support for inter-domain authorisation user attributes are exposed to proxy servers RADIUS attributes are relatively inflexible (cf. SAML).

15 How we’re trying to fix it
Routing RADSec RADIUS over TLS over TCP. Unlikely to gain traction in IETF. Diameter IETF’s proposed successor to RADIUS. Only one commercial implementation. We need PKI for both... Authorisation DAMe (GN JRA5) RADIUS-SAML (Internet2 FWNA) Perhaps we’re trying to be too clever? Would a small set of RADIUS attributes be sufficient to cover our use-cases?

16 Inconsistent policy sucks

17 Why inconsistent policy sucks
Visible Services, Transparent Networks Consistency matters Reduces costs and user satisfaction. eduroam confederation policy “[Institutions] SHOULD provide open network access” Great idea, but will the ‘SHOULD’ be ignored? If tcp/80 is the only common denominator then in practice eduroam becomes interweb only. eduroam has competitors Commercial , GRPS, UMTS, , …

18 How we’re trying to fix it
Opinions differ  26 NRENs, 100s Institutions… How should policy be balanced between Institutions, NRENs and confederation? Perhaps we need more experience? I carry about a GPRS/UMTS dongle; a sign of things to come? Do we need to add more value?

19 Conclusions Most Institutions can deploy eduroam without problems today. There are technology issues for some Institutions, but we’re close to fixing these. There are scaling issues, but these will be fixed in the medium term. This is not an excuse for delaying joining! The confederation policy may need some minor adjustments, but nothing significant. De we need to add more value?

20 Thank you for your attention
Any questions?

Download ppt "Why eduroam sucks, and how to fix it."

Similar presentations

Ads by Google