Eduroam JP and development of UPKI roaming Yoshikazu Watanabe*, Satoru Yamano* Hideaki Goto**, Hideaki Sone** * NEC Corporation, Japan ** Tohoku University,

eduroam JP and development of UPKI roaming
Yoshikazu Watanabe*, Satoru Yamano* (* NEC Corporation, Japan)
Hideaki Goto**, Hideaki Sone** (** Tohoku University, Japan)
APAN24, Xi’an, 28 Aug. 2007

2 Contents
– UPKI project and network roaming
– eduroam in Japan
– Problems and solutions
– Access control of roaming users regarding local resources
– Summary

3 UPKI project and network roaming
UPKI: University PKI (also referred to as: Inter-University Authentication and Authorization Platform)
– Campus Ubiquitous Network (Tohoku Univ.): R&D of an authentication/policy-based network control mechanism
– Introduction of eduroam to Japan
– R&D of the UPKI roaming system: collaborative research by Tohoku Univ. and NEC

4 eduroam in Japan
– Aug. 31: Tohoku University connected to Asia-Pacific eduroam
– Sep. 28: eduroam JP website opened
– Dec.: Connected to the Asia-Pacific eduroam secondary server in Hong Kong
– Dec.: Four organizations federated: High Energy Accelerator Research Organization (KEK), National Institute of Informatics (NII), Hokkaido Univ., and Kyoto Univ.
– June: Kyushu University federated
Eduroam HP :

5 eduroam JP network
[diagram: JP Primary and JP Secondary servers connecting Hokkaido Univ., Tohoku Univ., Kyoto Univ., KEK, NII and Kyushu Univ. to the AP Primary / AP Secondary servers (Hong Kong, Australia) and on to Europe; callout: “The first eduroam AP in Japan”]

6 Circumstance in Japan
Scale
– Lots of universities and colleges (87 national, 76 public, 571 private, and colleges; 1,200+ total as of Apr. 2006)
– Large universities (some have 30,000+ people)
Operational policy
– Guest use of IP addresses owned by a visited institution for Internet access is not acceptable (≒ illegal) in many cases.
– Each institution has different network administration policies.

7 Problem about scale
Problem
– Lots of universities and colleges → configuring RADIUS proxies is very hard
Solution
– Utilizing the realms regular expression patch for FreeRADIUS: a patch that makes it possible to configure proxying with regular expressions; adopted in recent versions of FreeRADIUS
– RadSec is also expected to solve this problem, and further to enhance the flexibility of configuration.
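The scale problem above is that, without regular expressions, every one of the 1,200+ institutions needs its own proxy entry. The following added example (not code from the slides, nor a FreeRADIUS configuration) shows the routing decision that a regex-realm table makes possible: anchored patterns for the local realm and for any `*.ac.jp` campus, a default upstream for everything else, and fail-closed handling of names without a usable realm. All hostnames are placeholders.

```python
import re
from typing import Optional

# Constructed routing table in the spirit of the regex-realm patch: each
# anchored pattern stands in for what would otherwise be one 'realm' block
# per institution. Server names are placeholders, not eduroam JP's.
LOCAL_REALM = re.compile(r"^([a-z0-9-]+\.)*tohoku\.ac\.jp$", re.I)
REALM_ROUTES = (
    # any Japanese campus realm, including department sub-realms
    (re.compile(r"^([a-z0-9-]+\.)*ac\.jp$", re.I), "jp-primary.example"),
)
DEFAULT_ROUTE = "ap-primary.example"  # everything else goes up to the AP level


def realm_of(user_name: str) -> Optional[str]:
    """Realm part of an NAI (RFC 4282), lower-cased; None when unusable.
    The last '@' is authoritative, so 'a@b@c.ac.jp' routes on 'c.ac.jp'."""
    if "@" not in user_name:
        return None
    realm = user_name.rsplit("@", 1)[1].strip().lower()
    return realm or None


def route(user_name: str) -> str:
    """Where the visited RADIUS server sends the Access-Request for this user:
    'LOCAL' (authenticate here), a proxy hostname, or 'REJECT'."""
    realm = realm_of(user_name)
    if realm is None:
        return "REJECT"  # eduroam needs a realm; never guess a home server
    if LOCAL_REALM.match(realm):
        return "LOCAL"
    for pattern, server in REALM_ROUTES:
        if pattern.match(realm):  # patterns are ^...$ anchored
            return server
    return DEFAULT_ROUTE
```

The `$` anchor is what keeps a realm such as `tohoku.ac.jp.example.org` from being treated as local.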

8 Problem about operational policy
Problem
1. Guest use of IP addresses in a visited institution is not acceptable.
  – Responsible bodies become unclear. Visited institutions are often involved in resolving troubles (e.g. cracking, illegal access).
  – Causes a violation of subscription conditions of IP address-based licensing (e.g. online journals).
2. Each institution has different network administration policies.
→ Visited institutions need a way to authorize roaming guests’ accesses to local resources.
  – VPN-only policy (for Internet access)
  – Exchange of user class information and access control for local resources

9 Proposed solutions (Campus Ubiquitous Network)
1. VPN-only policy: Roaming users must use a home VPN server to access the Internet. (A direct access to the Internet from the visited institution network is prohibited.) After authentication at the AP, a user accesses the home VPN server and goes outside (using a home IP address).
2. Exchange of user class information and access control for local resources: extension to eduroam authentication; exchange of authorization information and access control. Our recent main theme.
[diagram: at each of the home and visited institution a client with supplicant S/W, AP, FW, RADIUS and local resources; a VPN server at the home institution; the Internet in between]

10 Exchange of user class information and access control for local resources
Basic idea
– Extend the eduroam authentication procedure
– A home RADIUS server attaches user class information to a RADIUS Access-Accept packet.
– A RADIUS server in a visited institution authorizes user accesses to local resources according to the received user class and local policies.
→ Realize access control for local resources
Prototype implementation is done

11 User class
– Classification of users by common criteria in the eduroam federation
– Each institution assigns a user class to each user of the institution in advance.

12 Example of access control for local resources by user class
– Users (class 1) cannot access local resources
– Users (class 2) can access only the local network
– Users (class 3) can access the campus network, but cannot access the Internet directly
– Users (class 4) can access the Internet directly
[diagram of the visited institution: client, AP, local service (e.g. printer), FW, campus network, FW, the Internet]

13 Procedure : Access-Request
[diagram: client with supplicant S/W, AP, FW, RADIUS and local resources at the visited institution; the same at the home institution; the Internet in between]
– Start 802.1x authentication
– Send a RADIUS Access-Request (a normal RADIUS access request packet, as usual in eduroam)
– Use eduroam to authenticate the user
– Authenticate and authorize the user

14 Procedure : Access-Accept
[diagram as in slide 13]
– Home institution: retrieve the user class for the user, and send a RADIUS Access-Accept packet (an Access-Accept packet with the user class information)
– Visited institution: authorize accesses to local resources using the user class and local policies

15 Procedure : Access-Accept (cont.)
[diagram as in slide 13; callouts, whose arrows were lost in extraction:]
– Send a RADIUS Access-Accept packet with information of authorized local resources
– Set filtering rules according to the received information
– Send an Access-Accept packet without information of authorized resources
– 802.1x authentication succeeds

16 Procedure : access to local resources
[diagram as in slide 13]
– Access to local resources
– Filter traffic to local resources (block unauthorized accesses)
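To make the procedure of slides 10 and 13–16 concrete, here is an added example (not the prototype described in the slides) of the visited-institution side: it parses the attributes of an Access-Accept, reads the user class the home server attached, and turns it into filtering rules following the four classes of slide 12. Since the slides leave the representation of the user class open, the example assumes the home server carries it as `eduroam-class=<n>` inside a RADIUS Class attribute (type 25); an absent or malformed class is treated as class 1, and a `local_max_class` cap stands in for the visited institution's local policy.

```python
import struct
from typing import List, Optional, Tuple

CLASS_ATTR = 25  # RADIUS "Class" attribute type (RFC 2865)
CLASS_TAG = b"eduroam-class="  # assumed carrier: "eduroam-class=<n>" inside Class

# Slide 12 semantics: each class is a superset of the one below it.
CLASS_SCOPE = {1: (), 2: ("local-net",), 3: ("local-net", "campus"),
               4: ("local-net", "campus", "internet")}


def encode_attrs(attrs: List[Tuple[int, bytes]]) -> bytes:
    """Serialize (type, value) pairs as RADIUS TLVs: type, length (incl. header), value."""
    out = b""
    for t, v in attrs:
        if len(v) > 253:
            raise ValueError("attribute value too long for one TLV")
        out += struct.pack("BB", t, len(v) + 2) + v
    return out


def decode_attrs(data: bytes) -> List[Tuple[int, bytes]]:
    """Parse TLVs; refuse truncated or zero-length attributes instead of looping."""
    attrs, i = [], 0
    while i < len(data):
        if len(data) - i < 2:
            raise ValueError("truncated attribute header")
        t, length = data[i], data[i + 1]
        if length < 2 or i + length > len(data):
            raise ValueError("bad attribute length")
        attrs.append((t, data[i + 2:i + length]))
        i += length
    return attrs


def user_class(attrs: List[Tuple[int, bytes]]) -> Optional[int]:
    """The class the home server attached, or None if absent or malformed."""
    for t, v in attrs:
        if t == CLASS_ATTR and v.startswith(CLASS_TAG):
            digits = v[len(CLASS_TAG):]
            return int(digits) if digits.isdigit() else None
    return None


def filter_rules(attrs, client_ip: str, local_max_class: int = 4) -> List[str]:
    """Visited-institution decision: the received class, capped by local policy
    (local_max_class), becomes allow rules for this client; everything else is denied."""
    c = user_class(attrs)
    if c not in CLASS_SCOPE:
        c = 1  # absent or unknown class: fail closed, no local resources
    c = min(c, local_max_class)
    rules = [f"allow from {client_ip} to {net}" for net in CLASS_SCOPE[c]]
    rules.append(f"deny from {client_ip} to any")
    return rules
```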

17 Issues to be examined
– The definition of the “user class” in eduroam: representation, granularity, and so on
– How to realize and control the communication between roaming users and local resources
– Et cetera

18 Summary
– 6 institutions are participating in eduroam JP.
– Issues regarding roaming are revealed through the deployment of eduroam JP.
– Examining access control of roaming users regarding local resources

19 Thank you for your kind attention.

20 References

21 The problem about traceability
What if a visitor with an IP address of the visited institution attacked servers outside???
– Guest users using the host’s IP addresses are recognized as members of the institution.
– A visitor cannot access the user’s home resources.
[diagram: a visitor at the visited institution using a host IP address; illegal access across the Internet; the home institution shown separately]

22 Traceability : case study 1
– University B subscribes to an electronic journal X, while another university A does not.
– A student at univ-A goes to univ-B so he/she can download journal X using the WLAN roaming.
– Since the student downloaded too many articles at once, the publisher thought it was a violation of the subscription conditions and sent a complaint to univ-B.
– In univ-B, the NW manager has to analyze the roaming logs and contact univ-A to search for the user.
– User tracking and communication between universities are laborious. Even between departments in a university, such user tracking is very difficult. It is much more difficult between countries.

23 Traceability : case study 2
– Some resources such as local web servers in univ-B are protected by an address-based access restriction.
– When people in univ-A visited univ-B, they could gain access to the resources using the WLAN roaming system.
– Even if the administrators of the web servers examine the access logs, the outsiders’ accesses cannot be noticed because “local” IP addresses are used.

24 Possible solution for roaming issues: Dedicated network
– A dedicated network might be useful for solving the responsibility problems.
  – User tracking remains difficult.
– WLAN users cannot use local resources.
  – can be either a merit or a demerit
[diagram: home university, visited university with campus LAN and a dedicated network, the Internet, publisher]

25 VPN only solution
Permitted protocols for roaming users
VPN
– PPTP (GRE (47), TCP/1723)
– OpenVPN (UDP/1194)
– SSH (TCP/22)
– IPsec NAT-traversal (UDP/4500)
– Cisco IPsec (TCP/10000)
– L2TP (UDP/1701)
Others
– pop3 (TCP/110)
– pop3s (TCP/995)
– imap4 (TCP/143)
– imaps (TCP/993)
– ssmtp (TCP/465)
– msa (TCP/587)