GN2 JRA5: Roaming and Authorisation (TERENA)

Connect. Communicate. Collaborate

GN2 JRA5: Roaming and Authorisation
Jürgen Rauschenbach, DFN
TF-NGN Athens, 03/11/05

Introduction

• JRA5 builds a European Roaming Infrastructure (eduroam-ng), taking into account existing experience from the roaming area, and provides a first (simple, but operational) federation example
• JRA5 will pilot the federated support for existing Authentication and Authorisation Infrastructures for Research and Education; this will be called eduGAIN
• In some countries federated AAIs are already available; eduGAIN will be able to cooperate with them (Shibboleth, PAPI, Moria, A-Select)
• JRA5 fits homogeneously into the GÉANT2 project because AA solutions are needed in the GÉANT partner countries and because other activities will use JRA5 results

Structure and Partners

• JRA5 consists of the following Work Items in the 4 project years:
– WI-1: Roaming
– WI-2: Authentication and Authorisation Infrastructure
– WI-3: Single Sign-On
– WI-4: Integration of advanced Technologies
• Number of partners is 16 (NRENs); number of participants is 97 (mailing list), with contributions from around 30-35 active persons
• Partners are SURFnet, DFN, RedIRIS, SWITCH, NORDUnet (University of Umea, UNI-C, UNINETT, CSC), RESTENA, ARNES, CARNET/SRCE, CESNET, FCCN, GRNET, HEAnet, HUNGARNET, ISTF, UKERNA, DANTE
• Collaboration with many external groups: TF-Mobility, TF-EMC2, GN2 activities (JRA1, SA3), international groups like gwg, FWNA, Grids, …

Work item distribution

[Figure: bar chart of effort per project year (1st to 4th year), y-axis 0 to 50, with the series Roaming, AAI, SSO, NT, Proj Mgmt and Admin sup.]

Work plan first 18 months

• On our agenda (deliverables):
– 1: Terminology for Roaming (and AAI)
– 2: AAI Requirements
– 3: Roaming Requirements
– 4: Roaming policy (legal material, policy document part 1 and 2)
– 5: Design of the AAI Architecture
– 6: Architecture of eduroam-ng
– 7: Requirements single sign-on
• All objectives in months 1-12 have been met

Year 1 - Achievements

• Work item 1 Roaming
– A-1: “Glossary of Terms” DJ5.1.1, a terminology document covering roaming and AAI, to be extended with new terms
– A-2: the “Roaming Requirements document” DJ5.1.2: security, standardisation and operational aspects
– A-3: contributions to the extension of the roaming pilot “eduroam”, both in the number of participants (NRENs) and functionally (analysing the current infrastructure, eduroam-in-a-box, alternative architecture discussion)
– A-4: co-operational work with TF-Mobility, using eduroam as the experimental platform in JRA5 as a stepping stone to eduroam-ng; open discussion and dissemination on the mobility list
– A-5: “legislation overview” for roaming services (DJ5.1.3-1); the federation policy is currently in an early draft state (DJ5.1.3-2)

Technology: bypassing the hierarchy overhead?

[Figure: the RADIUS proxy hierarchy. A European Server at the top forwards to national servers (.nl, .ac.uk, .pl, …), which forward to institutional servers (uva.nl, Uni.torun.pl). A visiting user's request enters at an Access Point and travels hop by hop up and down this tree to the User database at the home institution.]

• AA traffic goes through all intermediate entries
• All links are peer-to-peer agreements / static routes / p2p secure
• DIAMETER? DNSsec? Work on-going in Telematica/JRA5 partners

Limitations of the current roaming infrastructure

• Technology
– All authN and authZ traffic flows through the complete hierarchy
– Static trust (shared secrets in a preconfigured p2p chain)
– Single points of failure (even when doubling the top-level RADIUS)
• Policy
– Not suitable for full service yet
• Usability
– eduroam is not flexible enough with SSIDs, ciphers and VLAN mapping
– Do we need a specialised client?
– Where are the access points? Can a database be helpful here?
• Management & Monitoring
– Are all servers up and running?
– How to detect abuse of the service?
• eduGAIN
– How can we integrate roaming with the European AAI eduGAIN?

Architecture alternatives

• DIAMETER (RFC 3588)
– The protocol defines different routing models to find the peer (redirect agent, redirect + PKI, DNS NAPTR/SRV + PKI)
– For inter-domain use the DNS-based model looks promising
– DNSSec would be an alternative here (not part of the standard)
– Integration with “legacy” RADIUS by translation agents; a gradual transition would be possible, but RADIUS has to stay
– Problem: no DIAMETER “quality” implementation so far
• RadSec (Radiator team)
– Trust establishment very similar to DIAMETER + DNS and PKI
– Not a standard solution, not in all RADIUS implementations
– Experimental work has started

Architecture alternatives (2)

• RADIUS/DNSSec
– Look-up through secure DNS
– The visiting RADIUS establishes a TLS connection to the home RADIUS to negotiate a shared secret (RKE protocol): dynamic p2p connectivity
– Then it works like a normal RADIUS connection
– A dedicated roaming-domain secure DNS tree is needed
• RADDNSSEC
– Modified RADIUS/DNSSec, TLS handshake instead of RKE
• No smooth and easy deployment for the alternatives
• DIAMETER ranks high, but RadSec seems to be available faster
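As an added illustration (not code from JRA5, eduroam or any project named above), the following Python contrasts the hop-by-hop forwarding of the static RADIUS hierarchy from the Limitations slide with the direct connection that the DNS-based DIAMETER, RadSec and RADIUS/DNSSec alternatives discover; server names, realms and the DNS table are constructed samples, and taking the root proxy down shows the single point of failure.

```python
# Added illustration, not JRA5 code: realm-based forwarding in the static RADIUS
# hierarchy versus direct peer discovery through DNS. All names are constructed.
from dataclasses import dataclass, field

@dataclass
class Proxy:
    """A server in the preconfigured hierarchy (one shared secret per link)."""
    name: str
    realm: str                       # realm suffix this server is responsible for
    parent: "Proxy | None" = None
    children: list = field(default_factory=list)

def link(parent: Proxy, child: Proxy) -> None:
    """Static p2p agreement: each side is configured with only this neighbour."""
    parent.children.append(child)
    child.parent = parent

def route_static(start: Proxy, realm: str, down: frozenset = frozenset()) -> list:
    """Forward a request for `realm` hop by hop and return the servers traversed;
    every server except the last is an intermediate entry that sees the traffic."""
    path, node = [start.name], start
    while node.realm != realm:
        # descend to a child whose realm suffix matches, otherwise go up to the parent
        nxt = next((c for c in node.children if realm.endswith(c.realm)), node.parent)
        if nxt is None or nxt.name in path:
            raise RuntimeError(f"no route to realm {realm}")
        if nxt.name in down:
            raise RuntimeError(f"{nxt.name} unreachable and no alternative path")
        path.append(nxt.name)
        node = nxt
    return path

# Stand-in for the NAPTR/SRV (or DNSSEC-signed) records the alternatives resolve.
DNS = {"uva.nl": "radius.uva.nl", "uni.torun.pl": "radius.uni.torun.pl"}

def route_dynamic(start: str, realm: str, down: frozenset = frozenset()) -> list:
    """Resolve the home server for `realm` and connect to it directly (dynamic p2p)."""
    home = DNS.get(realm)
    if home is None or home in down:
        raise RuntimeError(f"no reachable home server for realm {realm}")
    return [start, home]

def build_hierarchy() -> dict:
    """European root -> national proxies (.nl, .pl) -> institutional servers."""
    root, nl, pl = Proxy("eu-root", ""), Proxy("nl-proxy", ".nl"), Proxy("pl-proxy", ".pl")
    uva, torun = Proxy("radius.uva.nl", "uva.nl"), Proxy("radius.uni.torun.pl", "uni.torun.pl")
    for parent, child in ((root, nl), (root, pl), (nl, uva), (pl, torun)):
        link(parent, child)
    return {s.name: s for s in (root, nl, pl, uva, torun)}
```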

Year 1 – Achievements (2)

• Work item 2 AAI
– A-6: “AAI Requirements document” DJ5.2.1, setting the scope of an AAI solution and defining first building blocks and general federation functionality, illustrated in examples and use cases
– A-7: AAI architecture document DJ5.2.2 (published last week)
• Work item 3 SSO
– No real work done so far

AAI operations

• Authentication request
• Authentication response
• HLS request
• HLS response
• Attribute request
• Attribute response
• Authorisation request
• Authorisation response
• Operations formally defined (SAML 1.1), openSAML for implementation (SAML 2.0 is announced already)
• Web services (WS) context

AAI – basic components

[Figure: component diagram. A Home Domain with an Identity Repository (AuthN, Attributes) behind a Home Bridging Element, and a Remote Domain with a Resource (AuthN, AuthZ) behind a Remote Bridging Element. The Home and Remote eduGAIN Federation Peering Points connect the two domains; the Common eduGAIN Services provide the Home Location Service (HLS), reached through the HLS Interface.]

Abstract AAI operation

[Figure: message flow between a Requester (at the Resource), a Responder @ HI and the Identity Repository, carried over TLS tunnel(s). The SOAP message shown on the slide:]

    <soap:Envelope ...>
      <soap:Header/>
      <soap:Body>
        <samlp:Request RequestID="foo" ...>
          <samlp:AttributeQuery>
            <saml:Subject>bar</saml:Subject>
            ...
          </samlp:AttributeQuery>
        </samlp:Request>
      </soap:Body>
    </soap:Envelope>
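The following Python, added here and not taken from eduGAIN or openSAML, builds the SOAP-wrapped SAML 1.1 AttributeQuery sketched on the slide on the requester side and validates it on the responder side; the subject, resource and namespace prefixes are assumptions, and the checks reject anything other than a single AttributeQuery with a named subject.

```python
# Added illustration, not eduGAIN code: build and validate the SOAP-wrapped
# SAML 1.1 AttributeQuery from the slide. Subjects and resources are constructed.
import uuid
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

NS = {"soap": "http://schemas.xmlsoap.org/soap/envelope/",
      "samlp": "urn:oasis:names:tc:SAML:1.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:1.0:assertion"}
for _prefix, _uri in NS.items():
    ET.register_namespace(_prefix, _uri)

def tag(prefix: str, local: str) -> str:
    """Clark-notation tag for ElementTree, e.g. {urn:...:protocol}Request."""
    return f"{{{NS[prefix]}}}{local}"

def build_attribute_query(subject: str, resource: str) -> bytes:
    """Requester side: one samlp:Request carrying one AttributeQuery in soap:Body."""
    env = ET.Element(tag("soap", "Envelope"))
    ET.SubElement(env, tag("soap", "Header"))
    body = ET.SubElement(env, tag("soap", "Body"))
    req = ET.SubElement(body, tag("samlp", "Request"), {
        "RequestID": "_" + uuid.uuid4().hex,      # xsd:ID must not start with a digit
        "MajorVersion": "1", "MinorVersion": "1",  # SAML 1.1
        "IssueInstant": datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")})
    query = ET.SubElement(req, tag("samlp", "AttributeQuery"), {"Resource": resource})
    subj = ET.SubElement(query, tag("saml", "Subject"))
    ET.SubElement(subj, tag("saml", "NameIdentifier")).text = subject
    return ET.tostring(env, encoding="utf-8", xml_declaration=True)

def parse_attribute_query(doc: bytes) -> dict:
    """Responder side: accept exactly one SAML 1.x AttributeQuery with a non-empty
    Subject; other query types or extra elements are rejected before any lookup."""
    body = ET.fromstring(doc).find("soap:Body", NS)
    if body is None or len(body) != 1:
        raise ValueError("SOAP body must contain exactly one samlp:Request")
    req = body.find("samlp:Request", NS)
    if req is None or len(req) != 1 or req.get("MajorVersion") != "1":
        raise ValueError("expected one SAML 1.x Request with a single query")
    query = req.find("samlp:AttributeQuery", NS)
    if query is None:
        raise ValueError("only AttributeQuery is served on this interface")
    name_id = query.find("saml:Subject/saml:NameIdentifier", NS)
    if name_id is None or not (name_id.text or "").strip():
        raise ValueError("AttributeQuery without Subject/NameIdentifier")
    return {"request_id": req.get("RequestID"), "subject": name_id.text.strip(),
            "resource": query.get("Resource")}
```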

Conclusions/Summary

• The eduroam pilot infrastructure is growing into eduroam-ng; discussion of the new architecture also with groups from Australia, USA and more partners in the global working group on eduroam.
• There are a number of national operational federations in place, and a test platform for eduGAIN will be built upon these AAIs, to be set up in the coming months.
• Interest is growing in both roaming and AAI
• Work is not easy, but a lot of fun


DIAMETER with DNS, CA (additional slide)

[Figure: DNS based peer discovery and PKI based roaming domain. Participants: client (e.g. 802.11) at the visiting access point; visiting DIAMETER server with routing logic and visit.org user account db; home DIAMETER server with logic and home.org user account db; DNS servers for .org, eduroam.org, visit.org and home.org; a Certificate Authority. The existing static p2p infra (eduroam.org) is drawn alongside. Labelled steps: 1 authenticate / authorize a user from home.org; 2 (2a to 2d) lookup DIAMETER server for home.org via the DNS servers, “exists: is…”; 3; 4 (4a to 4d) get CA key on both sides; 5; 6 dynamic p2p connection between the visiting and home DIAMETER servers.]

RadSec (additional slide)

[Figure: DNS based peer discovery and PKI based roaming domain, with RADIUS servers in place of DIAMETER. Participants: client (e.g. 802.11 access point); visiting RADIUS server with logic and visit.org user account db; home RADIUS server with logic and home.org user account db; DNS servers for .org, eduroam.org, visit.org and home.org; a Certificate Authority; the static p2p infra (eduroam.org) alongside. Labelled steps: 1 authenticate / authorize a user from home.org; 2 (2a to 2d) lookup RADIUS server for home.org, “exists: is…”; 3; 4 (4a to 4d) get CA key on both sides; 5; 6 dynamic p2p connection between the visiting and home RADIUS servers.]

RADIUS + DNSSec (additional slide)

[Figure: DNS based peer discovery and DNS based determination whether peer is part of roaming domain. Participants: client (e.g. 802.11 access point); visiting RADIUS server with logic and visit.org user account db; home RADIUS server with logic and home.org user account db; DNS servers for eduroam.org, visit.org and home.org; the static p2p infra alongside. Labelled steps: 1 authenticate / authorize user@home.org; 2 (2a, 2b) lookup RADIUS server for home.org; 3; 4 (4a, 4c, 4d) with 4b lookup peer key in DNS on both sides (no Certificate Authority); 5; 6 dynamic p2p connection between the visiting and home RADIUS servers.]

Additional slide: AAI – components LFA/LA

[Figure: a Site with its Resource and Site Access Management, attached through a Local Adaptor and the Local Federation Adaptor (R-FPP Local Interface) to the Federation Services and, via the H-FPP Remote Interface, to Other Sites; the Federation Limits boundary separates the site-local components from the federation.]

EduRoam

[Figure: eduroam in SURFnet. The Supplicant of guest user piet@university_b.nl connects to the Authenticator (AP or switch) at University A; University A's RADIUS server forwards the request to SURFnet's Central RADIUS Proxy server, which forwards it to University B's RADIUS server and its User DB (University A has its own User DB for local users). Signaling and data paths are drawn separately; after authentication the user is placed in the Student, Commercial or Employee VLAN.]

• Trust based on RADIUS plus policy documents
• 802.1X
• (VLAN assignment)