
Page 1

High-quality Internet for higher education and research

TF-Mobility, Zagreb, 2 February 2006

eduroam-ng architecture

Test results and way forward

[email protected]

Page 2

Current architecture

(Diagram: the current RADIUS hierarchy: a toplevel server above the national servers .nl … .au, which in turn sit above institutional servers such as uva.nl … rug.nl.)

Main (technical) issues:

• No (real) authorisation (DAMe)

• Static routing based on realm parsing

• Credentials pass through intermediate systems

• Transitive trust based on shared secrets

• Dead peers hard to detect

Page 3

Evaluation of a number of approaches

• Diameter: nearly shipping (for many years now ;-)

• DNSsec: hardly deployed, new

• RadSec: new, single vendor (Radiator), but not much more than a combination of existing technologies

• DNSroam: see above

Page 4

RadSec/DNSROAM

• RADIUS packet format

• Transport: TCP (or SCTP)

• Encryption: TLS (optional)

• TLS => PKI

• DNSROAM combines RadSec with DNS for dynamically locating the peer

Page 5

Test setup

• Participants: CESNET, ISTF, TELIN (NL), ARNES, ACAD (BG), UNINETT, RESTENA, Radiator (AU), SURFnet.

(Diagram: test topology of four sites in a chain, institute level (site 1) -> NREN level (site 2) -> NREN level (site 3) -> institute level (site 4), each running RadSec/RADIUS; the legend distinguishes RadSec links from RADIUS links.)

Page 6

Test set

• Authentication related tests
– Known user
– Unknown user
– Wrong credentials

• PKI related tests
– Certificate signed by unknown CA
– Multiple CAs
– Revoked certificate
– Mismatch between peer name and CN
– Wrong subjectAltName or CN in the certificate

• DNS related tests
– NAPTR lookup failure
– SRV lookup failure
– A lookup failure
– Default handling after lookup failure
– Fallback/defaulting to RADIUS
– Fallback/defaulting to static RadSec

• Configuration related tests
– CA certificate not installed
– Loop prevention (purposely introduce a loop and see if it can be stopped by introducing different config)

• Connectivity related tests
– Peer unreachable

• Performance related measurements
– Overhead of multiple DNS queries
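Added example (not code from the slides, nor Radiator's DNSROAM implementation): a Python model of the routing decision that the DNS related tests above exercise, realm parsing, the NAPTR -> SRV -> A chain of slide 4, and the fallback order after a lookup failure (dynamic discovery, then static RadSec, then static RADIUS, then the hierarchy parent). The service tag, zone data, host names and that fallback order are assumptions; a dictionary stands in for the resolver so it runs offline.

```python
from dataclasses import dataclass
# Constructed offline stand-in for DNS: (owner name, RR type) -> answers.
# Service tag, zone names and addresses are assumptions, not slide values.
RADSEC_TAG = "x-eduroam:radius.tls"
FAKE_DNS = {
    ("example-uni.nl", "NAPTR"): [(RADSEC_TAG, "_radsec._tcp.example-uni.nl")],
    ("_radsec._tcp.example-uni.nl", "SRV"): [("radsec.example-uni.nl", 2083)],
    ("radsec.example-uni.nl", "A"): ["192.0.2.10"],
    ("broken.example", "NAPTR"): [(RADSEC_TAG, "_radsec._tcp.broken.example")],
}   # broken.example publishes NAPTR but no SRV record: the SRV step fails
# Static peers (constructed), tried after discovery; unknown realms -> parent.
STATIC_RADSEC = {"static-only.cz": ("radsec.static-only.cz", 2083)}
STATIC_RADIUS = {"legacy.bg": ("radius.legacy.bg", 1812)}
DEFAULT_PARENT = ("toplevel.example.net", 1812)

@dataclass(frozen=True)
class Route:
    method: str   # "dnsroam", "static-radsec", "static-radius" or "default"
    host: str
    port: int

def realm_of(nai):
    """Realm part of an outer identity 'user@realm'; None if absent."""
    user, sep, realm = nai.rpartition("@")
    return realm.lower() if sep and user and realm else None

def dns(name, rrtype):
    return FAKE_DNS.get((name, rrtype), [])

def dnsroam_discover(realm):
    """NAPTR -> SRV -> A chain; None if any step yields no usable answer."""
    srv_names = [r for s, r in dns(realm, "NAPTR") if s == RADSEC_TAG]
    for name in srv_names:
        for target, port in dns(name, "SRV"):
            for addr in dns(target, "A"):
                return Route("dnsroam", addr, port)
    return None

def route_request(nai):
    """Next hop for a request; None means reject: there is no realm to route on."""
    realm = realm_of(nai)
    if realm is None:
        return None
    route = dnsroam_discover(realm)                          # 1. dynamic (DNSROAM)
    for method, table in (("static-radsec", STATIC_RADSEC),  # 2./3. static config
                          ("static-radius", STATIC_RADIUS)):
        if route is None and realm in table:
            route = Route(method, *table[realm])
    return route or Route("default", *DEFAULT_PARENT)        # 4. hierarchy parent
```

The discovered host is only a candidate: before any credentials are forwarded, the TLS handshake must verify that the peer certificate's CN or subjectAltName matches the target, which is exactly what the PKI related tests above check.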

Page 7

Fully hierarchical

(Diagram: EU hierarchy root at the top, with EU-level and country-level servers below it; the links are labelled RadSec, with one RADIUS link shown.)

• One PKI, split PKI?

Page 8

Meshed toplevel

(Diagram: meshed toplevel, with EU-level and country-level servers; the links are labelled RadSec, with one RADIUS link shown.)

• Central DNS zone?

Page 9

Fully meshed (DNSROAM)

(Diagram: fully meshed model, with country-level and EU-level labels; the links are labelled RadSec, with one RADIUS link shown.)

• Big trust issues: multiple PKIs, bucket of certificates, revocation lists

• Multiple federation membership?

• Issues with sites having to open up their servers for ‘the world’

• How about a secure peer lookup service instead of DNS (eduGAIN?)

Page 10

Legacy model

(Diagram: legacy model, with country-level and EU-level servers connected by a mix of RadSec and RADIUS links.)

Page 11

Measurements

Page 12

Results

• All scenarios can be made to work, but…

• DNSROAM is not yet production grade

• Static RadSec is (thanks to us) stable enough to warrant using it when possible because of its advantages over plain RADIUS:
– Failure detection
– TCP
– Peer authentication

• Trust (PKI) issues are a key factor in making this work

Page 13

What now?

(Diagram: two toplevel servers, APAN (.au, .tw) and Europe (.nl … .hr), each above national servers and institutions such as uva.nl … rug.nl; legend: RadSec, DNSROAM, with a question mark left open.)