
eduroam-ng architecture: test results and way forward
TF-Mobility, Zagreb, 2 February 2006
High-quality Internet for higher education and research


Slide 1: eduroam-ng architecture: test results and way forward
Klaas.Wierenga@surfnet.nl

Slide 2: Current architecture
[Diagram: a top-level server above national servers (.nl, .au), each with institutional servers such as uva.nl ... rug.nl below it]
Main (technical) issues:
- No (real) authorisation (addressed by DAMe)
- Static routing based on realm parsing
- Credentials pass through intermediate systems
- Transitive trust based on shared secrets
- Dead peers hard to detect

Slide 3: Evaluation of a number of approaches
- Diameter: nearly shipping (for many years now ;-)
- DNSsec: hardly deployed, new
- RadSec: new, single vendor (Radiator), but not much more than a combination of existing technologies
- DNSroam: see above

Slide 4: RadSec/DNSROAM
- RADIUS packet format
- Transport: TCP (or SCTP)
- Encryption: TLS (optional)
- TLS => PKI
- DNSROAM combines RadSec with DNS for dynamically locating the peer

Slide 5: Test setup
Participants: CESNET, ISTF, TELIN (NL), ARNES, ACAD (BG), UNINETT, RESTENA, Radiator (AU), SURFnet.

Slide 6: Test set
Authentication related tests
– Known user
– Unknown user
– Wrong credentials
PKI related tests
– Certificate signed by unknown CA
– Multiple CAs
– Revoked certificate
– Mismatch between peer name and CN
– Wrong subjectAltName or CN in the certificate
DNS related tests
– NAPTR lookup failure
– SRV lookup failure
– A lookup failure
– Default handling after lookup failure: fallback/defaulting to RADIUS, fallback/defaulting to static RadSec
Configuration related tests
– CA certificate not installed
– Loop prevention (purposely introduce a loop and see if it can be stopped by introducing different config)
Connectivity related tests
– Peer unreachable
Performance related measurements
– Overhead of multiple DNS queries
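The DNS fallback chain and the peer-name checks above, as an added example that is not code from the presentation or from Radiator. The DNS records, the NAPTR -> SRV -> A lookup order, the _radsec._tcp naming, the static peer table and the top-level server address are all constructed assumptions for illustration.

```python
from dataclasses import dataclass

# Constructed DNS view for the example: (record type, owner name) -> answers.
# Lookup order (NAPTR -> SRV -> A) and the "_radsec._tcp" naming are assumptions.
DNS = {
    ("NAPTR", "uva.nl"): ["_radsec._tcp.uva.nl"],
    ("SRV", "_radsec._tcp.uva.nl"): [("radsec.uva.nl", 2083)],
    ("A", "radsec.uva.nl"): ["192.0.2.10"],
    ("NAPTR", "rug.nl"): ["_radsec._tcp.rug.nl"],   # NAPTR ok, SRV missing
}
STATIC_RADSEC = {"rug.nl": ("radsec.rug.nl", 2083)}   # assumed static peer config
TOPLEVEL_RADIUS = ("toplevel.example", 1812)         # legacy RADIUS fallback (assumed)

@dataclass
class Route:
    realm: str
    host: str
    port: int
    transport: str   # "radsec-dynamic", "radsec-static" or "radius"

def lookup(rtype, name):
    return DNS.get((rtype, name), [])

def route_for_realm(realm):
    """Dynamic discovery first; on NAPTR, SRV or A lookup failure fall back
    to a static RadSec peer, then to plain RADIUS via the top-level server."""
    for srv_name in lookup("NAPTR", realm):
        for host, port in lookup("SRV", srv_name):
            if lookup("A", host):                      # A lookup failure -> next
                return Route(realm, host, port, "radsec-dynamic")
    if realm in STATIC_RADSEC:
        host, port = STATIC_RADSEC[realm]
        return Route(realm, host, port, "radsec-static")
    host, port = TOPLEVEL_RADIUS
    return Route(realm, host, port, "radius")

def peer_name_matches(expected, cn, san_dns_names):
    """Accept the peer certificate only if its name matches the discovered host.
    When subjectAltName dNSName entries are present they are authoritative and
    the CN is ignored; the CN counts only for certificates without any."""
    if san_dns_names:
        return expected.lower() in (n.lower() for n in san_dns_names)
    return cn is not None and expected.lower() == cn.lower()

if __name__ == "__main__":
    for realm in ("uva.nl", "rug.nl", "cesnet.cz"):
        print(realm, route_for_realm(realm))
```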

Slide 7: Fully hierarchical
One PKI, or a split PKI?

Slide 8: Meshed toplevel
Central DNS zone?

Slide 9: Fully meshed (DNSROAM)
- Big trust issues: multiple PKIs, bucket of certificates, revocation lists
- Multiple federation membership?
- Issues with sites having to open up their servers for 'the world'
- How about a secure peer lookup service instead of DNS (eduGAIN?)

Slide 10: Legacy model

Slide 11: Measurements

Slide 12: Results
- All scenarios can be made to work, but...
- DNSROAM is not yet production grade
- Static RadSec is (thanks to us) stable enough to warrant using it when possible, because of its advantages over plain RADIUS:
  – Failure detection
  – TCP
  – Peer authentication
- Trust (PKI) issues are the key factor in making this work

Slide 13: What now?
[Diagram: two top-level servers, APAN (.au, .tw, ...) and Europe (.nl, .hr, ...), each above national servers with institutional servers such as uva.nl ... rug.nl below; the links between them are labelled RadSec and DNSROAM with a question mark]

