
Title slide:

Looking into the Future: Exploring Enhancements to eduroam Infrastructure
Presenters: Chris Phillips (CANARIE, Canada), Stefan Winter (RESTENA, Luxembourg)
June 3, 2013 | TNC2013 | Maastricht, NL

Recent Stats:

- Thousands (~10,000+) of points of presence for the eduroam SSID
- 60 countries/regions in production, 27 in pilot
- 60,000,000+ successful transactions processed monthly
- Between 10-13% is international traffic

Eduroam Today:

Diagram (slide 3) labels: id: pam@restena.lu; realm: ubc.ca; realm: sfu.ca; realm: ca (Federation Server); Confederation Servers; realm: lu (Federation Server); realm: restena.lu; realm: uni.lu.

Predicting Growth: hard, but let's try
- Needed for preservation of quality & enough runway to act
- Crystal-ball assumptions: ratio 2:87:10000:50MM (root servers : countries : sites : monthly sign-ons, as in the "Today" figures below), or 10 countries/yr, each with 114 'domains' & 575k sign-ons/mth
- Adding another 30 countries requires 1 more root server
- No one has any more devices than they do today
- There are 193 countries/regions worldwide. What does this look like 3 years out, then?
  Today: 87 countries, 2 root servers, 10,000+ sites
  In 3 years from now: 117 countries, 3? root servers, 13,348+ sites

Why do something different?:

- Mobility's explosive growth is hard to predict (size, frequency, etc.)
- TCO profile improvements to be made from new tech.
- The international roaming hierarchical model of TLD != geography/country oversight (e.g. .edu / .org)
- The hierarchical structure's transactional performance cost becomes more pronounced as mobility increases
- Bottom line: we need to investigate ways to have optimal service performance & cost which break away from the same curve as growth

Breaking it down…:


The Three Steps for Authentication:

Classic RADIUS 'Solution'
1. Given the realm, find an IP address of the authentication server (@restena.lu -> tld1.eduroam.lu)
2. Find out if the discovered host is trustworthy (i.e. a valid eduroam IdP)
3. Exchange authentication information securely

Everything is in a text-based config file:

    realm restena.lu {
        server 158.64.1.26
        secret not_on_the_slides
    }

eduroam could only scale to world-wide operations by aggregating based on TLD.

Digging Into The Authentication Steps:

1. Given the realm, find an IP address of the authentication server (@restena.lu -> tld1.eduroam.lu)
   DONE: NAPTR records in DNS for the "x-eduroam" service [✔]
2. Find out if the discovered host is trustworthy (i.e. a valid eduroam IdP)
   DONE? PKI, DANE [?]
3. Exchange authentication information securely
   DONE: RFC 6614 (RADIUS over TLS) [✔]
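The first step, realm to authentication server, as an added example (not code from the slides or from any eduroam software): NAPTR records for the eduroam service are tried first, ordered by NAPTR order and preference with unrelated services skipped, and the classic text-based config block from the slides is the fallback. No live DNS is queried; the NAPTR and SRV answers are constructed sample data. It assumes the full NAPTR service tag is "x-eduroam:radius.tls" (the slides only say "x-eduroam") and that RADIUS/TLS is reached on TCP 2083 (RFC 6614).

```python
# Added example, not code from the TNC2013 slides or from any eduroam software.
# Walks "given the realm, find the authentication server": NAPTR discovery
# first, the classic config block as the fallback.  No live DNS is used; the
# NAPTR and SRV answers below are constructed sample data.
# Assumptions: NAPTR service tag "x-eduroam:radius.tls", RADIUS/TLS on TCP 2083.
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

EDUROAM_SERVICE = "x-eduroam:radius.tls"   # assumed full service tag
RADSEC_PORT = 2083                         # RADIUS/TLS, RFC 6614
RADIUS_UDP_PORT = 1812                     # classic RADIUS for the static fallback


@dataclass(frozen=True)
class Naptr:
    order: int
    preference: int
    flags: str          # "S": replacement is an SRV owner name
    service: str
    replacement: str


@dataclass(frozen=True)
class Target:
    host: str
    port: int
    source: str         # "naptr" (dynamic discovery) or "static" (config file)


# Constructed NAPTR answers keyed by realm.  Lowest order wins, then lowest
# preference; the SIP record is there to show unrelated services being skipped.
SAMPLE_NAPTR: Dict[str, List[Naptr]] = {
    "restena.lu": [
        Naptr(100, 20, "S", "x-eduroam:radius.tls", "_radsec._tcp.backup.restena.lu."),
        Naptr(50, 10, "S", "SIP+D2T", "_sip._tcp.restena.lu."),
        Naptr(100, 10, "S", "x-eduroam:radius.tls", "_radsec._tcp.restena.lu."),
    ],
}

# Constructed SRV answers for the "S" flag: SRV owner name -> (host, port).
SAMPLE_SRV: Dict[str, Tuple[str, int]] = {
    "_radsec._tcp.restena.lu.": ("tld1.eduroam.lu", RADSEC_PORT),
    "_radsec._tcp.backup.restena.lu.": ("tld2.eduroam.lu", RADSEC_PORT),
}

# The classic config format from the slides.  The restena.lu block is the one
# shown on the slide; the uni.lu block is constructed (documentation address).
CLASSIC_CONFIG = """
realm restena.lu {
    server 158.64.1.26
    secret not_on_the_slides
}
realm uni.lu {
    server 192.0.2.10
    secret constructed_placeholder
}
"""

_BLOCK = re.compile(r"realm\s+(\S+)\s*\{([^}]*)\}")
_SERVER = re.compile(r"^\s*server\s+(\S+)", re.MULTILINE)


def realm_of(identity: str) -> Optional[str]:
    """'pam@restena.lu' -> 'restena.lu'; None if there is no realm to route on."""
    if "@" not in identity:
        return None
    realm = identity.rsplit("@", 1)[1].strip().lower()
    return realm or None


def parse_classic_config(text: str) -> Dict[str, str]:
    """Map realm -> server from the text config.  Secrets are deliberately
    not extracted: discovery code has no business returning them."""
    servers = {}
    for block in _BLOCK.finditer(text):
        realm, body = block.group(1).lower(), block.group(2)
        server = _SERVER.search(body)
        if server:
            servers[realm] = server.group(1)
    return servers


def discover(realm: str, naptr=SAMPLE_NAPTR, srv=SAMPLE_SRV,
             config: str = CLASSIC_CONFIG) -> Optional[Target]:
    """Dynamic discovery first, static config second, None if neither knows the realm."""
    realm = realm.lower()
    candidates = [r for r in naptr.get(realm, [])
                  if r.service.lower() == EDUROAM_SERVICE]
    for rec in sorted(candidates, key=lambda r: (r.order, r.preference)):
        if rec.flags.upper() == "S" and rec.replacement in srv:
            host, port = srv[rec.replacement]
            return Target(host, port, "naptr")
    static = parse_classic_config(config)
    if realm in static:
        return Target(static[realm], RADIUS_UDP_PORT, "static")
    return None


if __name__ == "__main__":
    for ident in ("pam@restena.lu", "alice@uni.lu", "bob@nowhere.example"):
        print(ident, "->", discover(realm_of(ident)))
```

Discovery returns only a host and port: the shared secret in the static block is never read out, which keeps the step that finds the server separate from the step that decides whether to trust it.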

Determining Trustworthiness:

Deployed solution, in production: PKI
- issue eduroam (IdP|SP) certificates to operators
- verify certificates during RADIUS/TLS connection setup

Drawbacks: PKIs are cumbersome!
- A central point needs to do identity vetting (PGP, select X.509 e-mail certs)
- Certificate expiry, revocation handling, …
- More than one CA -> trust anchor management
- We are going the same way as Grids are

Operational Experience:

- Most certificate requests fail because the requester is not known to the RA operator
  e.g.: I didn't exchange PGP keys with the Chile NRO
- Sometimes the domain name requested does not match the realm in eduroam
  extra checks with NRO personnel needed
- Underlying problem: someone "far far away" needs to rubber-stamp something that a local person could do much better
- If only we could de-centralise this ...

Future Contexts:

Photos: http://www.flickr.com/photos/cubmundo/7174576572 (cubmundo), http://www.flickr.com/photos/konabish/5968465331 (Greg Bishop)

Reality: we're no longer nimble; we now have a battleship's turning radius
- Recommendations/explorations take time to do well, and have a long shelf life
- This means planning horizons of 2, 3, 5 years for deployment+

Total Cost of Ownership
- Always an eye on overall cost; we want to explore new paths for trust management.
- PKIX is already woven into today's model; improvements to this?

Approach, 2 / 3 / 5 years out:
- Do a mix of NAPTR, Shared Secret, RADSEC?
- Go toward a stronger PKIX model?
- Leverage DNSSEC & DANE?

DNSSEC + DANE: Why can it make PKI obsolete (for us)?:

Requires: a trustworthy (branch of) DNS, i.e. DNSSEC for idp.eduroam.org and sp.eduroam.org

Provides: keying material for RADIUS/TLS
- After NAPTR finds the hostname/IP of the authentication server, try to find keying material at tld1.eduroam.lu.idp.eduroam.org
- If found -> valid IdP!

Someone needs to put these keys into the DNS tree; this is a known, decentralisable, and solved problem

30,000 ft overview: DANE records:

- idp.eduroam.org can become DNSSEC sub-branches [✔]
- <TLD>.idp.eduroam.org & <TLD>.sp.eduroam.org can be delegated to the eduroam NRO [✔]
- NROs can collect certificates/keys from their IdPs and update their DNS sub-branch [✔]
- Find a way to update gTLD sub-branches (.edu, .org, .com): can be made a burden for eduroam OT [✔]

eduroam augmented with DANE:

Diagram (slide 13) labels: id: pam@restena.lu; realm: ubc.ca, Host: hotspot.ubc.ca; realm: sfu.ca; realm: ca (Federation Server); Confederation Servers; realm: lu (Federation Server); realm: restena.lu; realm: uni.lu. DNSSec zone for eduroam.org: idp.eduroam.org, sp.eduroam.org, with entries tld1.eduroam.lu.idp.eduroam.org and hotspot.ubc.ca.sp.eduroam.org.

Exchange shown on the slide:
- "'Host' in DNS & has cert?" -> "Yes, here it is!"
- "tld1.eduroam.lu, can I have your key?" -> "Yes, here it is!"
- "Yup, key offered matches that in the DNSSec tree, you shall pass, carry on!"

Call for Participation to Validate Approach:

- RADIUS server needs to do NAPTR lookups based on realm [✔]
- RADIUS server needs to look up DANE IdP keys via DNSSEC query based on the discovered hostname (needs CODE for FLR servers) [0]
- As server: during RADIUS/TLS connection setup, must verify TLS data vs. DANE data (needs CODE) [0]
- As client: during RADIUS/TLS connection setup, needs to extract the name from the client cert and look up DANE SP keys (needs SPECIFICATION, similar to this one [1]) [0]

[1] https://datatracker.ietf.org/doc/draft-ietf-dane-srv/?include_text=1
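The two "needs CODE" items above, together with the lookup scheme from the "DNSSEC + DANE" slide, as an added example (not code from the slides or from any RADIUS server): build the lookup name under idp.eduroam.org or sp.eduroam.org for a discovered host, then check the certificate offered during RADIUS/TLS setup against the TLSA records found there, using the RFC 6698 selector (full certificate vs. SubjectPublicKeyInfo) and matching-type (exact, SHA-256, SHA-512) rules. No DNS is queried: SAMPLE_DNS stands in for an answer that has already passed DNSSEC validation, and the "DER" byte strings are constructed stand-ins rather than real certificates or keys.

```python
# Added example, not code from the TNC2013 slides or from any RADIUS server.
# Lookup name per the slides' scheme, then RFC 6698 TLSA matching of the
# offered certificate.  No DNS is queried; SAMPLE_DNS stands in for a
# DNSSEC-validated answer and the DER byte strings are constructed stand-ins.
import hashlib
import hmac
from dataclasses import dataclass
from typing import Dict, List

EDUROAM_DANE_BRANCH = {"idp": "idp.eduroam.org", "sp": "sp.eduroam.org"}


@dataclass(frozen=True)
class Tlsa:
    usage: int          # 0 PKIX-TA, 1 PKIX-EE, 2 DANE-TA, 3 DANE-EE (RFC 6698)
    selector: int       # 0 full certificate, 1 SubjectPublicKeyInfo
    matching_type: int  # 0 exact, 1 SHA-256, 2 SHA-512
    data: bytes


def dane_name(hostname: str, role: str) -> str:
    """The slides' scheme: tld1.eduroam.lu -> tld1.eduroam.lu.idp.eduroam.org,
    hotspot.ubc.ca -> hotspot.ubc.ca.sp.eduroam.org."""
    return f"{hostname.rstrip('.').lower()}.{EDUROAM_DANE_BRANCH[role]}"


def tlsa_from_text(rdata: str) -> Tlsa:
    """Parse the presentation format '3 1 1 <hex digest>'."""
    usage, selector, mtype, hexdata = rdata.split(None, 3)
    return Tlsa(int(usage), int(selector), int(mtype),
                bytes.fromhex(hexdata.replace(" ", "")))


def tlsa_matches(record: Tlsa, cert_der: bytes, spki_der: bytes) -> bool:
    """True if the offered end-entity certificate satisfies this TLSA record.
    Only usage 3 (DANE-EE) is decided here: the key in DNS *is* the trust
    decision, which is the model the slides propose.  Usages 0, 1 and 2 also
    need chain validation, so this example reports them as no-match."""
    if record.usage != 3:
        return False
    if record.selector == 0:
        material = cert_der
    elif record.selector == 1:
        material = spki_der
    else:
        return False
    if record.matching_type == 0:
        expected = material
    elif record.matching_type == 1:
        expected = hashlib.sha256(material).digest()
    elif record.matching_type == 2:
        expected = hashlib.sha512(material).digest()
    else:
        return False
    return hmac.compare_digest(expected, record.data)


def dane_verify(hostname: str, role: str, dns: Dict[str, List[Tlsa]],
                cert_der: bytes, spki_der: bytes) -> bool:
    """'Key offered matches that in the DNSSEC tree' -> True; no record or no
    match -> False, and the RADIUS/TLS connection must then be refused."""
    records = dns.get(dane_name(hostname, role), [])
    return any(tlsa_matches(r, cert_der, spki_der) for r in records)


# Constructed stand-ins for DER-encoded certificates and SubjectPublicKeyInfo.
IDP_CERT_DER = b"CONSTRUCTED-DER-CERT:tld1.eduroam.lu"
IDP_SPKI_DER = b"CONSTRUCTED-SPKI:tld1.eduroam.lu"
SP_CERT_DER = b"CONSTRUCTED-DER-CERT:hotspot.ubc.ca"
SP_SPKI_DER = b"CONSTRUCTED-SPKI:hotspot.ubc.ca"

# Constructed, already DNSSEC-validated answers for the two hosts on slide 13.
SAMPLE_DNS: Dict[str, List[Tlsa]] = {
    dane_name("tld1.eduroam.lu", "idp"): [
        Tlsa(3, 1, 1, hashlib.sha256(IDP_SPKI_DER).digest()),   # DANE-EE, SPKI, SHA-256
    ],
    dane_name("hotspot.ubc.ca", "sp"): [
        Tlsa(3, 0, 2, hashlib.sha512(SP_CERT_DER).digest()),    # DANE-EE, full cert, SHA-512
    ],
}

if __name__ == "__main__":
    print("IdP ok:", dane_verify("tld1.eduroam.lu", "idp", SAMPLE_DNS, IDP_CERT_DER, IDP_SPKI_DER))
    print("SP ok:", dane_verify("hotspot.ubc.ca", "sp", SAMPLE_DNS, SP_CERT_DER, SP_SPKI_DER))
    print("Swapped keys:", dane_verify("tld1.eduroam.lu", "idp", SAMPLE_DNS, SP_CERT_DER, SP_SPKI_DER))
```

The same function serves both directions on the slide: the SP checks the IdP's certificate under idp.eduroam.org, and the IdP checks the name taken from the SP's client certificate under sp.eduroam.org. In a real server the DER and SPKI bytes come from the peer certificate of the TLS session, and the DNS answer is only usable if the resolver reported it as DNSSEC-validated; an unvalidated answer gives no trust at all.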

Where to get involved:

- TNC2013 Openspaces sessions: TBD
- eduroam BOF: June 3, 18:00-19:30, Rm D, https://tnc2013.terena.org/core/event/8
- Ongoing: TF-Mobility group: http://www.terena.org/activities/tf-mobility/mailinglist.html
- Engage your regional operator

Thank you! [email protected] [email protected]

Useful References:

- The DNS-Based Authentication of Named Entities (DANE) Transport Layer Security (TLS) Protocol: TLSA: http://tools.ietf.org/html/rfc6698
- Use Cases and Requirements for DNS-Based Authentication of Named Entities (DANE): http://tools.ietf.org/html/rfc6394
- Useful reference about expected responses and SMTP and DANE: https://datatracker.ietf.org/doc/draft-ietf-dane-srv/?include_text=1
- RADSEC whitepaper: http://www.open.com.au/radiator/radsec-whitepaper.pdf
- Interesting other enhancements/ideas about certificates and related security: http://www.certificate-transparency.org/faq
