Presentation on theme: "Why eduroam sucks, and how to fix it. Josh Howlett, UKERNA. TNC 2007, Copenhagen."— Presentation transcript:
Why eduroam sucks, and how to fix it. Josh Howlett, UKERNA. TNC 2007, Copenhagen.
eduroam doesn’t suck
eduroam rocks! it is one of the best ideas in academic networking in years. hundreds of Institutions already support it. it is revolutionising network service delivery. “So what’s this talk about?”
Outline eduroam has become a victim of its own success. explain the challenges. discuss how these are being addressed. I am not here to evangalise!
The ‘growing pains’ of eduroam Gartner hype-cycle eduroam relies on some poorly implemented technologies. 2.eduroam also relies on other technologies that weren’t designed for what eduroam is trying to achieve. 3.good policy is hard.
eduroam in a slide RADIUS server University B RADIUS server University A Network Central RADIUS Proxy server Authenticator (AP or switch) User DB Supplicant Guest Student VLAN Commercial VLAN Employee VLAN data signalling Trust based on RADIUS plus policy documents 802.1X (VLAN assigment)
Windows sucks (Windows’ supplicant, at least…)
Why Windows’ supplicant sucks Limited authentication options –EAP-TLS (user certificates suck) –EAP-PEAP (MS-CHAP sucks) Can’t authenticate against ‘hidden’ SSIDs Passwords cached in the registry The default configuration settings –~20 steps to implement a good configuration. –~4 sides of A4 including screenshots.
How we’re trying to fix it Our pain is the supplicant industry’s gain –Some good but costly commercial supplicants Open source supplicants (Windows) –SecureW2 An EAP-TTLS plug-in for the Windows supplicant Addresses some of the problems, but not all. –Open1x project Port of Xsupplicant to Windows Managed by OpenSEA Alliance (Extreme Networks, Identity Engines, Infoblox, Symantec Corporation, TippingPoint, Trapeze Networks and UKERNA)
PKI sucks (for wireless authentication…)
Why PKI sucks The only available secure EAP methods depend on PKI –No one understands PKI, least of all users. –Certificates rooted to CAs in Windows cost €. Certificate-based TLS handshake is highly verbose –Authentication is slow and fragile over a lossy network.
How we’re trying to fix it TERENA Server Certificate Service –Another excellent initiative from TERENA Proposed shared-secret methods –EAP-TLS-PSK –EAP-GPSK Use a reliable transport for EAP (more later)
RADIUS sucks (…or RADIUS wasn’t designed for this!)
Why RADIUS sucks eduroam is pushing RADIUS’ capabilities. –Routing is bound to the DNS hierarchy Who should manage.org,.edu or.net? –ukerna.ac.uk is changing to ja.net… –Hierarchical routing is fragile and slow EAP-PEAP: ~ ~ 250ms RTT (~2-4 sec) ~ 2-5% packet loss Retransmission driven by RADIUS server (3-5 sec timeouts) –Poor support for inter-domain authorisation user attributes are exposed to proxy servers RADIUS attributes are relatively inflexible (cf. SAML).
How we’re trying to fix it Routing –RADSec RADIUS over TLS over TCP. Unlikely to gain traction in IETF. –Diameter IETF’s proposed successor to RADIUS. Only one commercial implementation. –We need PKI for both... Authorisation –DAMe (GN JRA5) –RADIUS-SAML (Internet2 FWNA) –Perhaps we’re trying to be too clever? Would a small set of RADIUS attributes be sufficient to cover our use-cases?
Inconsistent policy sucks
Why inconsistent policy sucks Visible Services, Transparent Networks Consistency matters –Reduces costs and user satisfaction. eduroam confederation policy –“[Institutions] SHOULD provide open network access” –Great idea, but will the ‘SHOULD’ be ignored? If tcp/80 is the only common denominator then in practice eduroam becomes interweb only. eduroam has competitors –Commercial , GRPS, UMTS, , …
How we’re trying to fix it Opinions differ –26 NRENs, 100s Institutions… How should policy be balanced between Institutions, NRENs and confederation? –Perhaps we need more experience? I carry about a GPRS/UMTS dongle; a sign of things to come? Do we need to add more value?
Conclusions Most Institutions can deploy eduroam without problems today. There are technology issues for some Institutions, but we’re close to fixing these. There are scaling issues, but these will be fixed in the medium term. –This is not an excuse for delaying joining! The confederation policy may need some minor adjustments, but nothing significant. De we need to add more value?