eduroam-ng architecture: test results and way forward
TF-Mobility, Zagreb, 2 February 2006
High-quality Internet for higher education and research

Presentation transcript:

Current architecture

[Diagram: top-level server; .nl with uva.nl … rug.nl; … .au]

Main (technical) issues:
– No (real) authorisation → DAMe
– Static routing based on realm parsing
– Credentials pass through intermediate systems
– Transitive trust based on shared secrets
– Dead peers hard to detect
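The "static routing based on realm parsing" issue, and the loop-prevention test listed later in the test set, can be simulated offline. The Python below is an added example, not code from the presentation or from any eduroam server software: it parses the realm out of the User-Name, walks a constructed hierarchy of proxies by longest-suffix match over static routing tables, and lets each proxy detect a loop by finding its own marker among the Proxy-State attributes it sees. The server names, the topology, the hop limit and the use of Proxy-State as the loop marker are assumptions made for illustration. The returned path is the list of intermediate systems the request, and with it the credentials, passes through on the way to the home server.

```python
"""Added example: hierarchical RADIUS proxying driven by realm parsing, with
Proxy-State based loop detection.  Topology, names and the hop limit are
assumptions made for illustration; they are not from the slides."""
from dataclasses import dataclass, field

MAX_HOPS = 5  # assumed limit on accumulated Proxy-State attributes


def parse_realm(user_name: str) -> str:
    """Return the realm of an NAI such as 'alice@uva.nl', lower-cased.

    The realm is whatever follows the *last* '@'; a missing or empty realm
    (or an empty local part) is rejected rather than silently defaulted.
    """
    if "@" not in user_name:
        raise ValueError("User-Name carries no realm: %r" % user_name)
    local, realm = user_name.rsplit("@", 1)
    realm = realm.strip().lower()
    if not local or not realm:
        raise ValueError("malformed NAI: %r" % user_name)
    return realm


@dataclass
class Server:
    name: str
    home_realms: set = field(default_factory=set)  # realms authenticated locally
    routes: dict = field(default_factory=dict)     # realm suffix -> next hop; '' = default route


def next_hop(server: Server, realm: str):
    """Longest-suffix match over the static routing table ('' is the default route)."""
    best = None
    for suffix, hop in server.routes.items():
        if suffix == "" or realm == suffix or realm.endswith("." + suffix):
            if best is None or len(suffix) > len(best[0]):
                best = (suffix, hop)
    return best[1] if best else None


def route(servers: dict, start: str, user_name: str):
    """Walk the proxy chain from `start` until a home server is reached.

    Every proxy appends its own marker to the Proxy-State list before
    forwarding, so a server that finds its own marker in the request knows
    the request is looping.  Returns (status, path); the path lists every
    system the request passes through.
    """
    realm = parse_realm(user_name)
    proxy_state = []
    path = [start]
    current = start
    while True:
        server = servers[current]
        if realm in server.home_realms:
            return "home", path
        if current in proxy_state:
            return "loop", path
        if len(proxy_state) >= MAX_HOPS:
            return "hop-limit", path
        hop = next_hop(server, realm)
        if hop is None:
            return "no-route", path
        proxy_state.append(current)
        path.append(hop)
        current = hop


def example_topology(looped: bool = False) -> dict:
    """Two national top-level servers under a European top-level (constructed)."""
    servers = [
        Server("radius.uva.nl", {"uva.nl"}, {"": "toplevel.nl"}),
        Server("radius.rug.nl", {"rug.nl"}, {"": "toplevel.nl"}),
        Server("toplevel.nl", set(), {"uva.nl": "radius.uva.nl", "rug.nl": "radius.rug.nl", "": "toplevel.eu"}),
        Server("radius.srce.hr", {"srce.hr"}, {"": "toplevel.hr"}),
        Server("toplevel.hr", set(), {"srce.hr": "radius.srce.hr", "": "toplevel.eu"}),
        Server("toplevel.eu", set(), {"nl": "toplevel.nl", "hr": "toplevel.hr"}),
    ]
    table = {s.name: s for s in servers}
    if looped:
        # deliberate misconfiguration: the European top-level bounces unknown realms back to .nl
        table["toplevel.eu"].routes[""] = "toplevel.nl"
    return table


if __name__ == "__main__":
    servers = example_topology()
    print(route(servers, "radius.rug.nl", "alice@uva.nl"))
    print(route(servers, "radius.uva.nl", "bob@srce.hr"))
    print(route(servers, "radius.uva.nl", "carol@example.org"))
    print(route(example_topology(looped=True), "radius.uva.nl", "carol@example.org"))
```

With a correct table a request for an unknown realm stops at the European top-level with "no-route"; with the looped table it returns to toplevel.nl, which finds its own Proxy-State marker and reports "loop" instead of forwarding again. The hop limit is the backstop for loops that pass through proxies that do not honour Proxy-State.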

Evaluation of a number of approaches
– Diameter: nearly shipping (for many years now ;-)
– DNSSEC: hardly deployed, new
– RadSec: new, single vendor (Radiator), but not much more than a combination of existing technologies
– DNSROAM: see above

RadSec/DNSROAM
– RADIUS packet format
– Transport: TCP (or SCTP)
– Encryption: TLS (optional)
– TLS => PKI (peers authenticate each other with certificates, so a PKI is required)
– DNSROAM combines RadSec with DNS for dynamically locating the peer

Test setup
Participants: CESNET, ISTF, TELIN (NL), ARNES, ACAD (BG), UNINETT, RESTENA, Radiator (AU), SURFnet.

Test set

Authentication related tests
– Known user
– Unknown user
– Wrong credentials

PKI related tests
– Certificate signed by unknown CA
– Multiple CAs
– Revoked certificate
– Mismatch between peer name and CN
– Wrong subjectAltName or CN in the certificate

DNS related tests
– NAPTR lookup failure
– SRV lookup failure
– A lookup failure
– Default handling after lookup failure
  – Fallback/defaulting to RADIUS
  – Fallback/defaulting to static RadSec

Configuration related tests
– CA certificate not installed
– Loop prevention (purposely introduce a loop and see if it can be stopped by introducing different config)

Connectivity related tests
– Peer unreachable

Performance related measurements
– Overhead of multiple DNS queries
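The RadSec/DNSROAM slide and the DNS and PKI parts of this test set describe one procedure: resolve the realm through NAPTR, SRV and A records, fall back when a lookup fails, and then check that the certificate presented over TLS actually names the peer that was discovered. The Python below is an added example that walks that procedure against a constructed zone; it is not code from the presentation or from Radiator. The zone contents, the NAPTR service tag, the static peer list and the dictionary used as a stand-in for a parsed certificate are all assumptions for illustration. Because an ordinary DNS answer is unauthenticated (the slides note that DNSSEC was hardly deployed), the name check at the end is what binds the discovered server to the realm; it treats dNSName SANs as authoritative and uses the CN only for certificates that carry no SANs.

```python
"""Added example: DNSROAM-style peer discovery (NAPTR -> SRV -> A) with the
fall-backs the test set exercises, and the certificate-name check a RadSec
client must apply to the peer it discovered.  Zone data, service tag and
static peer list are constructed for illustration, not taken from the slides."""

RADSEC_SERVICE = "x-eduroam:radius.tls"  # assumed NAPTR service tag

# Constructed zone: owner name -> record type -> records
ZONE = {
    # complete chain
    "uva.nl": {"NAPTR": [(100, 10, "s", RADSEC_SERVICE, "", "_radsec._tcp.uva.nl")]},
    "_radsec._tcp.uva.nl": {"SRV": [(10, 50, 2083, "radsec2.uva.nl"), (0, 10, 2083, "radsec.uva.nl")]},
    "radsec.uva.nl": {"A": ["192.0.2.10"]},
    "radsec2.uva.nl": {"A": ["192.0.2.11"]},
    # SRV target without an address record: the A lookup fails
    "rug.nl": {"NAPTR": [(100, 10, "s", RADSEC_SERVICE, "", "_radsec._tcp.rug.nl")]},
    "_radsec._tcp.rug.nl": {"SRV": [(0, 10, 2083, "radsec.rug.nl")]},
    # NAPTR pointing at a name with no SRV record: the SRV lookup fails
    "arnes.si": {"NAPTR": [(100, 10, "s", RADSEC_SERVICE, "", "_radsec._tcp.arnes.si")]},
    # NAPTR for an unrelated service only: no usable NAPTR
    "restena.lu": {"NAPTR": [(100, 10, "s", "SIP+D2T", "", "_sip._tcp.restena.lu")]},
}

STATIC_RADSEC = {"rug.nl": ("radsec.rug.nl", 2083)}  # statically configured RadSec peers (assumed)
RADIUS_DEFAULT = ("toplevel.nl", 1812)              # plain RADIUS route of last resort (assumed)


class LookupFailure(Exception):
    def __init__(self, step, name):
        super().__init__("%s lookup failed for %s" % (step, name))
        self.step, self.name = step, name


def lookup(zone, name, rtype):
    records = zone.get(name.lower().rstrip("."), {}).get(rtype)
    if not records:
        raise LookupFailure(rtype, name)
    return records


def discover(zone, realm):
    """Resolve realm -> NAPTR -> SRV -> A.  Returns (host, port, ip) or raises
    LookupFailure whose .step names the lookup that failed."""
    naptrs = [r for r in lookup(zone, realm, "NAPTR") if r[2] == "s" and r[3] == RADSEC_SERVICE]
    if not naptrs:
        raise LookupFailure("NAPTR", realm)  # records exist, but none for our service
    order, pref, flags, service, regexp, replacement = min(naptrs)  # lowest order, then preference
    srvs = lookup(zone, replacement, "SRV")
    priority, weight, port, target = min(srvs, key=lambda r: (r[0], -r[1]))  # lowest priority, highest weight
    ip = lookup(zone, target, "A")[0]
    return target, port, ip


def select_peer(zone, realm, static_radsec=STATIC_RADSEC, radius_default=RADIUS_DEFAULT):
    """Default handling after a lookup failure: dynamic RadSec if discovery
    succeeds, else a statically configured RadSec peer, else plain RADIUS."""
    try:
        host, port, ip = discover(zone, realm)
        return {"transport": "radsec-dynamic", "host": host, "port": port, "ip": ip, "reason": "discovered"}
    except LookupFailure as exc:
        reason = str(exc)
    if realm in static_radsec:
        host, port = static_radsec[realm]
        return {"transport": "radsec-static", "host": host, "port": port, "reason": reason}
    host, port = radius_default
    return {"transport": "radius-udp", "host": host, "port": port, "reason": reason}


def peer_name_matches(expected_host, cert_names):
    """Check the discovered host name against the peer certificate's names.

    `cert_names` is a constructed stand-in for a parsed certificate:
    {"cn": str, "san_dns": [str, ...]}.  If dNSName SANs are present only
    they count; the CN is consulted only for certificates without SANs.
    A single left-most wildcard label is accepted ('*.uva.nl' covers
    'radsec.uva.nl' but not 'a.radsec.uva.nl')."""
    expected = expected_host.lower().rstrip(".")
    names = [n.lower().rstrip(".") for n in cert_names.get("san_dns", [])]
    if not names:
        names = [cert_names.get("cn", "").lower().rstrip(".")]
    for name in names:
        if name == expected:
            return True
        if name.startswith("*.") and "." in expected and expected.split(".", 1)[1] == name[2:]:
            return True
    return False


if __name__ == "__main__":
    for realm in ("uva.nl", "rug.nl", "arnes.si", "restena.lu", "unknown.example"):
        print(realm, "->", select_peer(ZONE, realm))
    print(peer_name_matches("radsec.uva.nl", {"cn": "radsec.uva.nl", "san_dns": ["radius.uva.nl"]}))
```

The realms in the constructed zone map onto the test set one by one: uva.nl resolves fully, rug.nl fails at the A lookup and falls back to its static RadSec peer, arnes.si fails at the SRV lookup and restena.lu at the NAPTR lookup, both of which end on plain RADIUS because no static peer is configured for them. The last line shows the "wrong subjectAltName or CN" case: a certificate whose CN is right but whose SAN names a different host is rejected, because a SAN-bearing certificate is judged on its SANs alone.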

Fully hierarchical
One PKI, or a split PKI?

Meshed top-level
Central DNS zone?

Fully meshed (DNSROAM)
– Big trust issues: multiple PKIs, bucket of certificates, revocation lists
– Multiple federation membership?
– Issues with sites having to open up their servers for 'the world'
– How about a secure peer lookup service instead of DNS (eduGAIN?)

Legacy model

Measurements

Results
– All scenarios can be made to work, but…
– DNSROAM is not yet production grade
– Static RadSec is (thanks to us) stable enough to warrant using it when possible because of its advantages over plain RADIUS:
  – Failure detection
  – TCP
  – Peer authentication
– Trust (PKI) issues are the key factor in making this work

What now?

[Diagram: top-level server APAN (.au: uva.nl … rug.nl; … .tw) and top-level server Europe (.nl: uva.nl … rug.nl; … .hr)]
RadSec, DNSROAM?