Presentation is loading. Please wait.

Presentation is loading. Please wait.

The Nomadic Network Providing Secure, Scalable and Manageable Roaming, Remote and Wireless Data Services Josh Howlett & Nick Skelton Information Services,

Published byTheresa Harrington Modified over 9 years ago

Similar presentations

Presentation on theme: "The Nomadic Network Providing Secure, Scalable and Manageable Roaming, Remote and Wireless Data Services Josh Howlett & Nick Skelton Information Services,"— Presentation transcript:

1

2 The Nomadic Network Providing Secure, Scalable and Manageable Roaming, Remote and Wireless Data Services Josh Howlett & Nick Skelton Information Services, University of Bristol TNC 2003

3 Background ● 1999-2000: new technologies – Ratification of wireless 802.11b standard – New broadband technologies (cable, xDSL) – Increasing numbers of laptops (students & staff) ● 2001: we wanted to offer ● Wireless access on campus ● Wired access on campus ● VPN access from off campus

4 Background ● Summary of requirements – Integrated (wireless, wired, VPN) – Secure (AAA, encryption) – Easy for us to support (not many resources) – Easy for users (many OSes) – Future proof (bluetooth, etc) – Good service (does it do what the user wants)? – Cheap, and preferably free.

5 Background ● Decision to develop our own solution ● Linux-based router called a “roamnode” ( ) ● History – Development: started January 2001 – Pilot service: September 2001 ( ~100 users) – Supported service: September 2002 (now ~900 users) RN

6 Theory of operation: network ● All users are assigned to a “home-service” ● Home-service = an IP network + other info (DNS, WINS...) – User “einstein” – User “bohr” – User “marconi”Home-service “engineering” – User “darwin”Home-service “biology” ● A home-service is assigned to a “target network” – Home-service “physics”Physics network – Home-service “engineering”Engineering network – Home-service “biology”Biology network Home-service “physics”

7 Roamnode “RN 1” Theory of operation: network ● Each home-service is hosted on a roamnode – Home-service “physics” – Home-service “engineering” – Home-service “biology”Roamnode “RN 2” ● Or, diagramatically: RN Physics Biology Engineerin g RN 1 RN 2 Darwin Marconi Bohr Einstein

8 Theory of operation: network ● A user connects to his home-service using a VPN ● A user is allocated an IP address from the user's target network; for example: RN Physics Engineerin g “RN 1” x. y. a. 0 /24 x. y. b. 0 /24 x. y. b. 1 x. y. a. 1 Marconi Einstein

9 Theory of operation: network ● The user requires an IP address to establish the VPN session ● This IP address is allocated using “PPPoE” – The PPPoE session runs across an isolated network called the “roam LAN” – PPPoE provides a service “auto-discovery” function – User is allocated an RFC1918 address – An overlay network is constructed dynamically using IP-IP tunnels to route user home- service VPNs

10 Theory of operation: network PPPoE RFC 1918 Network RN Physics “RN 1” x. y. b. 0 /24 RN Roam LAN VPN x. y. b. 1 IP-IP tunnel Local-node Home-node Einstein

11 Theory of operation: network Network RN Physics RN Biology Engineerin g Roam LAN Roam LAN Roam LAN RN Roam LAN Einstein Marconi Darwin

12 Theory of operation: network Network RN Physics RN IP-IP tunnel Biology Engineerin g Roam LAN Roam LAN Roam LAN RN Roam LAN IP-IP tunnel Marconi Darwin Einstein

13 Theory of operation: network Network RN Physics RN IP-IP tunnel Biology Engineerin g Roam LAN Roam LAN Roam LAN RN Roam LAN IP-IP tunnel Einstein Marconi Darwin

14 Theory of operation: network Network RN Physics RN Biology Engineerin g Roam LAN Roam LAN Roam LAN RN Roam LAN IP-IP tunnel Einstein Marconi Darwin

15 Theory of operation: security ● Authentication & Authorisation – User is authenticated twice ● Localnode: credentials proxied to homenode ● Homenode: credentials proxied to RADIUS server – User is authorised twice ● Localnode (“is user allowed on this 'roam' network ?”) – To control access on basis of physical location ● Homenode (“is user allowed on this 'target' network ?”) – To control access on basis of logical network

16 Theory of operation: security ● Encryption – MPPE at 40 or 128 bits – Encryption is performed by the VPN (PPTP) – Data encrypted from user to home-node

17 Implementation ● Roamnode – All open-source software – Runs on Intel hardware – Boots and runs from CD-ROM – 8 MB ISO image: download from website ● Some people are interested in making an “embedded” box – All management via secure web interface

18

19

20 Implementation ● University of Bristol – Network ● Non-contiguous network at L2 across the Campus (legacy due to previous ATM back-bone) ● Therefore five roamnodes required – Authentication / Authorisation ● Microsoft Active Directory stores all users' credentials ● Roamnodes authenticate against MS RADIUS server (IAS)

21 City of Bristol

22 The Precinct Science Faculty & various administrative Arts & Social Science Faculties Physics Faculty of Medicine Chemistry Faculty of Engineering

23 Target VLAN Target VLAN Target VLAN Target VLAN Roam VLAN Roam VLAN Roam VLAN Roam VLAN Roam VLAN “Target” and “roam” networks trunked (802.1Q) into each roamnode Distribution L3 routed to distribution switches Cor e JANET Central backbone router connected to JANET RN Roamnode connected to each distribution switch “Roam” network trunked out to edge access devices (switches, access points) Edge L2 switched through distribution network

24 Implementation ● Other implementations – 5 Universities in the UK known to be piloting or implementing the roamnode – Main reasons given for interest ● Proven solution ● Flexible ● Free

25 Implementation ● University of Wales Swansea (implementing) – Outside of Bristol, the most advanced implementation – Main differences ● Contiguous network at L2, therefore only 1 roamnode ● Multiple authentication databases (NT domain, Novell, etc)

26 Implementation ● Genome Campus, Cambridge (piloting) – Consists of three seperate institutions ● Sanger Institute ● European Bioinformatics Institute ● Human Genome Project Resource Centre – Researchers need to be able to roam between each institution, as well as shared facilities (libraries, etc)

27 Theory of mobility ● Roaming – Different access points ● Handled transparently at L2 if APs on same network RN Network RN Target Network

28 Theory of mobility ● Roaming – Different access points ● Handled transparently at L2 if APs on same network RN Network RN Target Network

29 Theory of mobility ● Roaming – Different access points ● Handled transparently at L2 if APs on same network RN Network RN Target Network

30 Theory of mobility ● Roaming – Different roamnodes on same Nomadic network ● PPPoE & VPN sessions active RN Network RN Target Network

31 Theory of mobility ● Roaming – Different roamnodes on same Nomadic network ● PPPoE & VPN sessions terminated, and IP-IP tunnel down RN Network RN Target Network

32 Theory of mobility ● Roaming – Different roamnodes on same Nomadic network ● PPPoE & VPN sessions re-started RN Network RN Target Network

33 Theory of mobility ● Roaming – Different Nomadic networks ● Roaming on “home” organisation RN Internet RN Target Network

34 Theory of mobility ● Roaming – Different Nomadic networks ● Authentication request forwarded via RADIUS RN Internet RN Target Network ? “User @ home-service”

35 Theory of mobility ● Roaming – Different Nomadic networks ● PPPoE session accepted & IP-IP tunnel up RN Internet RN Target Network OK!

36 Theory of mobility ● Roaming – Different Nomadic networks ● VPN session started RN Internet RN Target Network

37 Mobility implementation ● Roaming between Bristol & Swansea campuses – Based on trust relationships ● Bristol trusts node “X” ● Swansea trusts node “X” ● Thus, they will accept each others' users RN X

38 Mobility implementation ● Hierarchial design – Scales well – Delegated management RN

39 Current development ● Resilience – Resilient roamnode clusters ● Redundant roamnodes within a cluster ● Load-sharing and fail-over ● Mostly complete RN Network Target Network Target Network Roam Network

40 Current development ● Locating users – Where is a user connected? – Many potential applications: ● Provisioning: “where do we need more access points?” ● Web: ie. http://www.bristol.ac.uk/where-am-i – Re-directs web browser to “nearest” web-site (ie. Library catalogue, if user is in the library) ● Automatic selection of the nearest network printer – More than 30 public printers, some 20 kilometers apart

41 Current development ● Federated authentication – Proxy authentication of network services (ie. Web) RN JANET WWW RN Http://www Username: “Bob” Password: “****” Username: “Bob” Password: “****” Username: “Bob” Password: “****” OK “Hello Bob”

42 Future proof ? ● Any media that supports ethernet encapsulation – Copper / wireless ethernet; Bluetooth (BNEP); etc. ● VPN is currently PPTP but could support others ● Dynamic overlay network will move to IPv6

43 To find out more... ● Website: – Documentation & software (8MB iso image) – http://www.bris.ac.uk/is/services/computers/nwservices/nomadic/dow nload ● Or email josh.howlett@bris.ac.uk

Download ppt "The Nomadic Network Providing Secure, Scalable and Manageable Roaming, Remote and Wireless Data Services Josh Howlett & Nick Skelton Information Services,"

Similar presentations

NETWORK TRANSFORMATION THROUGH VIRTUALIZATION

NETWORK TRANSFORMATION THROUGH VIRTUALIZATION
Terena Mobility Taskforce update Klaas Wierenga SURFnet.

Terena Mobility Taskforce update Klaas Wierenga SURFnet.
© 2014 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 1 High-performance Gigabit Ethernet ports rapidly transfer large files supporting.

© 2014 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 1 High-performance Gigabit Ethernet ports rapidly transfer large files supporting.
1 Intel / Shiva VPN Solutions Stephen Wong System Engineer.

1 Intel / Shiva VPN Solutions Stephen Wong System Engineer.
TF Mobility Group 22nd September 20031 A comparison of each national solution was made against Del C – “requirements”, the following solutions were assessed.

TF Mobility Group 22nd September A comparison of each national solution was made against Del C – “requirements”, the following solutions were assessed.
1.1 © 2004 Pearson Education, Inc. Exam 70-290 Managing and Maintaining a Microsoft® Windows® Server 2003 Environment Lesson 1: Introducing Windows Server.

1.1 © 2004 Pearson Education, Inc. Exam Managing and Maintaining a Microsoft® Windows® Server 2003 Environment Lesson 1: Introducing Windows Server.
Cisco 3 - Switches Perrine - Brierley Page 15/10/2015 Module 5 Switches LAN Design LAN Switches.

Cisco 3 - Switches Perrine - Brierley Page 15/10/2015 Module 5 Switches LAN Design LAN Switches.
IPv6 over xDSL: The DIODOS Proposal Athanassios Liakopoulos Greek Research & Technology Network International IPv6 Workshop, Kopaonik,

IPv6 over xDSL: The DIODOS Proposal Athanassios Liakopoulos Greek Research & Technology Network International IPv6 Workshop, Kopaonik,
Www.ja.net/roaming Copyright JNT Association 2006 The JANET Roaming Service.

Copyright JNT Association 2006 The JANET Roaming Service.
TIA Electronic Tools Standards Development Susan Hoyler Director, Standards Development and Promotion GSC/EWG Meeting Sydney, Australia November 2001.

TIA Electronic Tools Standards Development Susan Hoyler Director, Standards Development and Promotion GSC/EWG Meeting Sydney, Australia November 2001.
DSL Access Architectures and Protocols. xDSL Architecture.

DSL Access Architectures and Protocols. xDSL Architecture.
Eduroam – Roam In a Day Louis Twomey, HEAnet Limited HEAnet Conference 2006 9 th November, 2006.

Eduroam – Roam In a Day Louis Twomey, HEAnet Limited HEAnet Conference th November, 2006.
Network Access and 802.1X Klaas Wierenga SURFnet

Network Access and 802.1X Klaas Wierenga SURFnet
Deliverable H: the interoperability testbed design Klaas Wierenga SURFnet.

Deliverable H: the interoperability testbed design Klaas Wierenga SURFnet.
Hands-On Microsoft Windows Server 2003 Administration Chapter 11 Administering Remote Access Services.

Hands-On Microsoft Windows Server 2003 Administration Chapter 11 Administering Remote Access Services.
Lesson 3 – UNDERSTANDING NETWORKING. Network relationship types Network features OSI Networking model Network hardware components OVERVIEW.

Lesson 3 – UNDERSTANDING NETWORKING. Network relationship types Network features OSI Networking model Network hardware components OVERVIEW.
This work is supported by the National Science Foundation under Grant Number DUE-0302909. Any opinions, findings and conclusions or recommendations expressed.

This work is supported by the National Science Foundation under Grant Number DUE Any opinions, findings and conclusions or recommendations expressed.
Hands-On Microsoft Windows Server 2003 Networking Chapter 1 Windows Server 2003 Networking Overview.

Hands-On Microsoft Windows Server 2003 Networking Chapter 1 Windows Server 2003 Networking Overview.
Flexible Network Access Overview. Flexible Access an Integral part of Universal Access Policy Universal Access to Campus IT Resources Managed LAN portsFlexible.

Flexible Network Access Overview. Flexible Access an Integral part of Universal Access Policy Universal Access to Campus IT Resources Managed LAN portsFlexible.
Remote Networking Architectures

Remote Networking Architectures

Similar presentations

Ads by Google