GN2 JRA5: Roaming and Authorisation

Transcription

1 GN2 JRA5: Roaming and Authorisation Jürgen Rauschenbach, DFN TF-NGN Athens 03/11/05

2 Introduction JRA5 builds a European Roaming Infrastructure (eduroamng) taking into account existing experience from the roaming area and provides a first (simple, but operational) federation example JRA5 will pilot the federated support for existent Authentication and Authorisation Infrastructures for Research and Education, this will be called edugain In some countries federated AAIs are already available, edugain will be able to cooperate with them (Shibboleth, PAPI, Moria, A-Select) JRA5 fits into GÉANT2 project homogenously because AA solutions are needed in the GÉANT partner countries and because other activities will use JRA5 results

3 Structure and Partners JRA5 consists of the following Work Item in the 4 project years: WI-1: Roaming WI-2: Authentication and Authorisation Infrastructure WI-3: Single Sign-On WI-4: Integration of advanced Technologies Number of partners is 16 (NRENs), Number of participants is 97 (mailing list), with contributions of around active persons Partners are SURFnet, DFN, RedIRIS, SWITCH, NORDUnet (University of Umea, UNI-C, UNINETT, CSC), RESTENA, ARNES, CARNET/SRCE, CESNET, FCCN, GRNET, HEAnet, HUNGARNET, ISTF, Ukerna, Dante Collaboration with many external groups: TF-Mobility, TF-EMC2, GN2 activities (JRA1, SA3), international groups like gwg, FWNA, Grids,

4 Work item distribution Year 2. Year 3.Year 4.Year Roaming AAI SSO NT ProjMgmt Admin sup

5 Work plan first 18 months On our agenda (deliverables): 1: Terminology for Roaming (and AAI) 2: AAI Requirements 3: Roaming Requirements 4: Roaming policy (legal material, policy document part1 and 2) 5 Design of the AAI Architecture 6: Architecture of eduroam-ng 7: Requirements single sign-on All objectives in months 1-12 have been met J

6 Year 1 - Achievements Work item 1 Roaming A-1: Glossary of Terms DJ5.1.1, a terminology document, scope roaming and AAI,to be extended with new terms A-2: was the Roaming Requirements document DJ5.1.2; security, standardisation and operational aspects A-3: have been contributions to the extension of the roaming pilot eduroam, both in the number of participants (NRENs) and also functionally (analysing the current infrastructure, eduroam-in-a-box, alternative architecture discussion). A-4: co-operational work with the TF Mobility, use eduroam as experimental platform in JRA5 as a step stone to eduroam-ng. Open discussion and dissemination on the mobility list. A-5: legislation overview for roaming services. DJ federation policy is currently in an early draft state. DJ

7 Technology: bypassing the hierarchy overhead? European Server.nl.ac.uk.pl uva.nl Uni.torun.pl Access Point Access Point User database AA traffic goes through all intermediate entries All links are peer-to-peer agreements / static routes / p2p secure DIAMETER? DNSsec? Work on-going in Telematica/JRA5 partners

8 Limitations of the current roaming infrastructure Technology All authn and authz traffic flows through the complete hierarchy Static trust (shared secrets in preconfigured p2p chain) Single points of failure (even when doubling the top level RADIUS) Policy Not suitable for full service yet Usability eduroam is not flexible enough with SSIDs, ciphers and VLANs mapping Do we need a specialised client? Where are the access points? Can a data base be helpful here? Management & Monitoring Are all servers up and running? How to detect abuse of the service? edugain How can we integrate roaming with the European AAI edugain?

9 Architecture alternatives DIAMETER (RFC 3588) Protocol defines different routing models to find the peer (redirect agent, redirect + PKI, DNS NAPTR/SRV + PKI) For inter-domain DNS based model looks promising DNSSec would be an alternative here (not part of the standard) Integration with legacy RADIUS by translation agents, gradual transition would be possible, but RADIUS have to stay Problem: no DIAMETER quality implementation so far RadSec (Radiator team) Trust establishment very similar to the DIAMETER + DNS and PKI Not a standard solution, not all RADIUS implementations Experimental work has started

10 Architecture alternatives (2) RADIUS/DNSSec Look-up through secure DNS Visiting RADIUS establishes a TLS connection to the home RADIUS to negotiate a shared secret (RKE protocol): dynamic p2pconnectivity Then it works like a normal RADIUS connection Dedicated roaming domain secure DNS tree needed RADDNSSEC Modified RADIUS/DNSSec, TLS handshake instead of RKE No smooth and easy deployment for the alternatives DIAMETER ranks high, but RadSec seems to be available faster

11 Year 1 Achievements (2) Work item 2 AAI A-6: AAI Requirements document DJ5.2.1 setting the scope of an AAI solution and defining first building blocks and general federation functionality, illustrated in examples and use cases A-7: AAI architecture document DJ5.2.2 (published last week) Work item 3 SSO No real work done so far

12 AAI operations Authentication request Authentication response HLS request HLS response Attribute request Attribute response Authorisation request Authorisation response Operations formally defined (SAML 1.1), opensaml for implementation (SAML 2.0 is announced already) Web services (WS) context

13 AAI basic components Common edugain Services Home Location Service HLS Interface HomeLocation Home edugain Federation Peering Point Home Bridging Element AuthN Attributes Remote edugain Federation Peering Point HLS Remote Bridging Element AuthN Attributes AuthN AuthZ Home Domain Identity Repository Remote Domain Resource

14 Abstract AAI operation <soap:envelope... > <soap:header/> <soap:body> <samlp:request RequestID= foo > <samlp:attributequery> <saml:subject>bar </saml:subject> </samlp:attributequery> </samlp:request> </soap:body> </soap:envelope...> HI TLS-Tunnel(s) Requester Identity Repository Resource

15 Conclusions/Summary Eduroam pilot infrastructure is growing into eduroam-ng, discussion of the new architecture also with groups from Australia, USA and more partners in the global working group on eduroam. There are a number of national operational federations in place, and a test platform for edugain will be built upon these AAIs. To be set up in the coming months. Interest is growing in both roaming and AAI work is not easy, but a lot of fun

16 ?

17 DIAMETER with DNS, CA DNS based peer discovery and PKI based roaming domain DNS server lookup DIAMETER server for home.org 2 2a authenticate / authorize user@home.org client e.g access point 1 2d exists: is 3 DIAMETER Server 6 logic p2p (static) visit.org user account db visiting visit.org.org DNS server 2c get CA key 2b 4 5 p2p (dynamic) 4c 4d DNS server infra eduroam.org Certificate Authority 4a home home.org DIAMETER Server logic home.org user account db 4b get CA key

18 RadSec DNS based peer discovery and PKI based roaming domain DNS server lookup RADIUS server for home.org 2 2a authenticate / authorize user@home.org client e.g access point 2d p2p (static) visit.org user account db visiting visit.org.org DNS server 2c 2b infra eduroam.org Certificate Authority exists: 4d is get CA 4a 4b 3 RADIUSp2p key (dynamic) DNS home Server server home.org logic 4 RADIUSp2p (dynamic) 5 Server 1 p2p logic 6 (dynamic) 4c home.org user account db get CA key

19 RADIUS + DNSSec DNS based peer discovery and DNS based determination whether peer is part of roaming domain 2a 2b infra eduroam.org DNS server lookup RADIUS server for home.org authenticate / authorize user@home.org client e.g access point 2 3 4c 4d RADIUSp2p (dynamic) Server 1 DNS server 6 logic p2p (static) visit.org user account db visiting visit.org lookup peer key 4 5 DNS server lookup peer key 4a p2p (dynamic) 4b home home.org RADIUSp2p (dynamic) Server logic home.org user account db

20 Additional slide: AAI components LFA/LA H FPP Remote Interface R FPP Local Interface Local Federation Adaptor Federation Limits Local Adaptor Federation Services Site Site Access Management Resource Other Sites

21 EduRoam Supplicant Authenticator (AP or switch) RADIUS server University A User DB RADIUS server University B User DB Gast piet@university_b.nl SURFnet Employee VLAN Student VLAN Commercial VLAN Central RADIUS Proxy server Trust based on RADIUS plus policy documents signaling 802.1X data (VLAN assigment)