Draft minutes of the 20th TF-Mobility Meeting

Transcription

1 Page 1/12 TITLE / REFERENCE Draft minutes of the 20th TF-Mobility Meeting 20 th TF-Mobility and Network Middleware Meeting - Tuesday, 20 October 2009 CNR Via dei Taurini, 19, Rome, Italy. The meeting was hosted by GARR. Table of Contents 1. Welcome and Apologies Approval of Agenda Minutes of Last Meeting and Update of Action List...2 Minutes...2 Actions from Previous Meetings National Updates...3 Finland...3 The Netherlands...3 Australia/New Zealand...4 Germany...4 Croatia...4 Luxembourg...5 Sweden...5 United States of America...5 Japan...5 Canada...6 France...6 Austria...6 Spain...6 United Kingdom...6 Poland Progress on Work Items Standardisation process Support for the development of the next generation eduroam Location awareness DNSSEC Integration with other operators Metering and monitoring Sensor and mesh networking Liaison with GN2/GN Cooperation with other initiatives New mobile technologies Global Eduroam Group Hosting organizations in eduroam Requirements for tunneled EAP-methods AMeN (Active Monitoring eduroam Node) DNSSEC experiences at SURFnet Date of Next Meeting AOB and Close... 10

2 Page 2/12 1. Welcome and Apologies Klaas Wierenga welcomed everyone to the meeting. Apologies were recorded on the event registration page and consisted of Kurt Baumann (SWITCH), Anders Nilsson (SUNET/Umeå University) and Roland van Rijswijk (SURFnet). 2. Approval of Agenda The agenda was approved as circulated. 3. Minutes of Last Meeting and Update of Action List Minutes The minutes of the last meeting held on the 7 th May 2009 were approved without corrections and are available at Actions from Previous Meetings Reference Who Action Status Milan Circulate information on the procedures needed to DNSSEC sign eduroam.org This task is to be carried over and have input from Dyonisius Visser at TERENA who is responsible for other DNSSEC work within the TERENA DNS structure Diego Ask Glen Wearen to report on Irish 3G deal and identity management issues. Glen is not in attendance and this action will be carried over to the next meeting Milan Draft a short paper on DNSSEC uses, and circulate on TF- Mobility mailing list Kurt Identify sensor and mesh networking activities, and find out what their technical requirements are TERENA TERENA to establish Global eduroam mailing list with known eduroam administrative contacts. Malaga BoF resulted in the mailing list - and paper completed by Roland (SURFnet). Roland to be approached by Brook to take over the responsibility of this work item. Klaas has conversed with Kurt regarding sensor + mesh networks. A small trial is being setup by SWITCH but not much sensor related information at this point. Have Kurt report in a future meeting or via the mailing list. This has been completed - list registration information available at the list of eduroam GWG members from the AARNet maintained list has been migrated. [ACTION ] Brook to establish an archive of the GWG mailing list if it doesn't exist already.

3 Page 3/ Klaas, Hideaki Sone and Bob Send known eduroam administrative contacts to Kevin Meynell Known contacts have been added to eduroam GWG. There is currently no "official" contact for the United States of America. Morgan Stefan Circulated eduroam specifications document on Global eduroam mailing list. MoU new version in progress - there will be a few more weeks before completion. James Sankar provided a lot of feedback. WPA2 "must" is still an issue Klaas Setup conference call on u. Carried over to the next meeting [ACTION ] Klaas to follow up on action items prior to the next TF-Mobility meeting. 4. National Updates Finland Wenche Backman gave the report via Video Conference and a summary via . We have configured our top level RADIUS to support RadSec and our NRO (Arch Red) has RA-status for edugain sca. We have urged our organisations to provide eduroam database related information. When we obtain this information, I will change the encryption level enc_level -tag from enc_level1 to the real value. In the meantime I changed it to unknown. enc_level1 is the value that is present in the template. We have signed a Memorandum of Understanding (MoU) with a roaming community in the city of Tampere. This roaming community has one SSID for web-based authentication and one SSID for WPA. Our national roaming service (which allows webbased authentication) has been connected to this roaming community. Furthermore, according to the MoU, we will investigate possibilities to connect the roaming community to eduroam in a one-sided fashion. This means that the roaming community would be ready to provide eduroam at their hot-spots without expecting anything in return. This is a VERY generous offer but unfortunately most of their current base stations do not support multiple SSIDs. During the summer another of our organizations (Helsinki University of Technology) joined eduroam Identity provision of eduroam is very high - use of the SSID. The Netherlands Paul Dekkers reported on progress in the Netherlands. Migrating institutions from WEP to WPA and using the "eduroam" SSID. Institutions are switching but not telling SURFnet. Some advantages - communications with people are the biggest issue. SecureW2 "re-licensing" is problematic. Developing a Access controller with lightweight access points in institutions so that they don't have to provide this service. Ideal for conferences. There is a selection of equipment that is being trialled. This will be a costed service.

4 Page 4/12 Equipment has been selected - and is being purchased - this will allow the presentation to be longer. eduroam in city of Groningen, with multiple universities, but the problem is they use the SSID "Eduroam" rather than "eduroam" (Upper case E vs lower case e) to enforce network- and VLAN-switching. Collaboration and sharing infrastructure seems better. The network can be resold to other providers. KPN are providing a free wireless infrastructure for visitors etc at the hospitals. But this weakens the business case for putting in eduroam and users are subject to the commercial operator which may change from "free". Australia/New Zealand Alex Reid reported on the eduroam activities in Australia and New Zealand 28 institutions now connected - coverage of 2/3rd are eduroam enabled. Usage has tripled over the year - high use at conference locations. Now have connectivity around Brisbane - Bus' are eduroam enabled and the Ferries are enabled thanks to a diffrent university. end-to-end monitoring being worked on. User Centric Website being developed. Port based pricing service is now available for flat rate 10Mb/s + 100Mb/s service to be used for shared/collaborative services (such as eduroam traffic) as AARNet provide both peered and commodity internet access. [ACTION ] Brook to discuss eduroam.org website updated with Daniel/Marcus from Australia regarding their User Centric Website. Germany Jurgen reported the following. DFN is still using German Language for the Instituiton names for the local map. The mapping service uses UTF-8. Slow with the maintenance of the monitoring service - as there is a map that can be maintained via the website. There are some issues 166 campus' on the DFN. 130 instituions represented. There is grouping/clustering of the maps. You can zoom to see different levels of the map. An operational meeting was held recently: RadSecProxy being used at the national level and 18 institutions using RadSec. Some transformation is manual. Reported on SecureW unique international roaming people per month. Have talked with T-Mobile regarding eduroam. eduroam couldn't be used but a deal has been brokered to use your institutional authentication for 3G/Data services (it is similar to the ipass model). Croatia Miro reported on Croatian eduroam work. There are several service locations where lightweight access points are used. Migrating to WPA2 is an issue regarding communication and similar issues. Wanting to increase the number of service locations. CARNET has a deal with mobile operators and get a 50% discount on UTMS.

5 Page 5/12 Use your AAI credentials for this service. 50% of Croation members were aware of eduroam (from GEANT study). 600,000 people have eduroam access. Only 36 locations with eduroam country wide. [NOTE] For information on the GEANT user segmentation study 2008 visit It is intended to be made available to NRENs and to GEANT project participants responsible for developing and delivering services and end-user support. Contact at DANTE for more information is Anna Everitt. Luxembourg Stefan Winter reported on eduroam in Luxembourg 1500 logins per day. City wide WiFi with eduroam (at no charge) provided by a commercial operator. Commercial access is 1 month access is 15 for the city wifi (comparible with 3G service costs for a month) which isn't very popular. The realestate for the location that they have wireless access points is being used for other services such as surveillance cameras so there is an income stream as an alternative to wifi costs. Sweden Torbjorn reported on his understanding of eduroam in Sweden. 25% to 30% of the members. This represents 80% of the student population. Incorporation of roaming with the other stakeholders. United States of America Bob 'RL' Morgan reported on activities in the US. The US lags behind in the adoption of eduroam. A CIO from Case Western Reserve University attended the NORDUnet conference and was sold on the idea of eduroam (by Klaas). A group has been setup of technical people to discuss what would be required to support eduroam as a service. The barriers previous remain but are being discussed. Organisations have done other things to support wireless. Some CIOs thought that this was connected to Web-based federations and didn't know that it was 802.1X based. Many sites are interested in participating and experimenting in this. There is a in principal commitment to have 50 US institutions connected within 12 months. Japan Hideaki Goto reported on eduroam in Japan during his presentation on "Hosting organizations in eduroam". Less than 1% of target institutions currently offer eduroam and this presentation will be to increase the number of deployments.

6 Page 6/12 Canada Jens Haeusser reported on eduroam.ca activity. Canada has talked with the US to help kickstart US eduroam US CIOs have pledged to get 50 universities connected by fall '10. Canada is willing to host US universities as a interim step Jeff Gumpf, Chief IT Architect, Case Western Reserve (technical lead US eduroam) 16 of 48 Universities in Canada now connected (mostly in the West). 11,000 Canadian, 6,000 International logins in September. 6 more sites expected in the next 6 months. eduroam was a standalone effort by BCNet, now transitioning to the Canadian Access Federation. Consultant doing a future study for the CAF - eduroam future will be tied to that effort. France Report by Olivier. 19 IdP and connections per day (not divided between national/international). Austria Kurt reported on ACOnet eduroam activity. "most" of the major universities are members A technical committee is working together to provide mapping information so that they'll be better represented. Spain Jose Manuel reported on RedIRIS work. Preparing data for the eduroam database. Create an interface for people to enter their data. Replace the radius only with RadSec as an option for interfederation. SecureW2 issues is also a problem. This will be disscussed at the next RedIRIS user conference. [ACTION ] Brook to discuss the "interface" to create mapping data and see about integrating this with the SURFnet solution discussed in line with website changes at GN3 Symposium. United Kingdom Mark O'Leary provided some information via . A full report will be ed to TF- Mobility mailing list. "One highlight to pass on is that I currently have 4 MSc students working on webbased 3D visualisation of JRS roaming logs (flight map style), code we'll be glad to pass on." Poland Zbigniew Oltuszyk provided a report on the Polish national update. 28 Polish institutions are active in eduroam The regional structure (with regional proxiex) has been established All connections between regional proxies and the Polish national ones are on RadSec We are in the process of buying wireless equipment for 21 Polish institutions, that will establish well accessible eduroam hotspots.

7 Page 7/12 After the national updates there was a discussion of many of the issues raised. Jens announced a promotion within Canadian eduroam institutions to Home before you roam" which doesn't cut down on all problems but if it doesn't work at your home institution it definately won't work elsewhere. Open Access points still exist in addition to eduroam/secure APs - UBC points users to the "Cloudpath client" if they connect on the open network and suggest they install it to streamline connection to the secure eduroam 802.1X by telling people "You should do this securely the next time 'round." 5. Progress on Work Items 5.1 Standardisation process Stefan reported on "Multi-Domain User Applications Research Task 1: Roaming developments" (nee JRA3/T1). Which touched on Standardisation and GN2/GN3 Liaison. The document has expanded from a single document to many (see slide 3). IPR issues regarding additions to FreeRADIUS (TCP transport for FreeRADIUS) slowed its integration into the development branch of FreeRADIUS. TLS addition is expected soon. Slides are available at: Support for the development of the next generation eduroam This topic was integrated into other discussions. 5.3 Location awareness Mark O'Leary wasn't able to attend. Discussion will continue on the mailing list with a report at the next meeting. 5.4 DNSSEC Milan summarised the discussion that was held at the DNSSEC BoF at TNC2009. SURFnet + Roland is very active in this area since the BoF held at TNC2009. A mailing list has been setup Paul Dekkers detailed a need for the improvements in the tools for DNSSEC which historically have been limited so work on OpenDNSSEC is important and will lead to services that institutions can use/deploy. Paul stated that the threat of an insecure DNS is real - so this added level of protection would be useful within the community. Presentation to follow. Jens stated that until their is a date at which DNSSEC is req'd that people still won't do it. Bob hoped that early adopters would build out a network that will show where the rough edges are and the problems so that it is easier for others in the future. Diego announced the Quality (equal) group that TERENA is organising and how it could assess DNSSEC. As the discussion followed Quality there were comments from Paul regarding TF-CSIRTs - eduwhitelist effort and whether equal will investigate something like DKIM and SPF.

8 Page 8/12 Klaas returned the discussion to DNSSEC by stating that ALL MTAs will be DNSSEC enabled and with the resolver on the MTA supporting DNSSEC there would be a start to the "chicken and egg problem". Some countries have secondary level domains - such as.ac.uk,.ac.jp and.edu.au and this would make it easier for DNSSEC to be implemented for these Research, Education and Academic divisions. Many representitives were working with their country domain registrar to have DNSSEC provided. There was a discussion to DNSSEC eduroam.org and hand out domains for dynamic peer discovery under this secured domain. Milan stated that DNSSEC + RADSEC aren't needed together. Jens highlighted the fact that RADSEC negates the need for DNSSEC and you don't want to make the implementation more difficult. Milan reinterated that Domain Administration and Certificate/Metadata trust are two different administrative domains. Thus the discussion on using the same key for signing the DNS record and federation metadata isn't relevant. Some potential use cases presented: Dynamic Peer Discovery within eduroam. Mail as an application. Metadata discovery via SRV records. Key Distribution via DNSSEC. These use cases can be further developed by anyone (as per the following action). [ACTION ] All to produces good use-cases for DNSSEC implementations. To discuss later today and circulate on the BoF-DNSSEC@terena.org mailing list. 5.5 Integration with other operators There was no specific coverage of this topic. 5.6 Metering and monitoring Miro presented on the topic of Metering and Monitoring. The slides are available at: [ACTION ] Brook to put this Metering and Monitoring effort on the radar of the Dutch (Michael Rave), Canadian and Australian efforts to do the same. Report back at next meeting. 5.7 Sensor and mesh networking Kurt was absent from the meeting. 5.8 Liaison with GN2/GN3 This was covered by Stefan's presentation earlier in the day. 5.9 Cooperation with other initiatives There was some discussion throughout the day with respect to City WiFi efforts and integrating

9 Page 9/12 eduroam with these services New mobile technologies Information on u will be discussed on the mailing list with a view to have a presentation at a future meeting. 6. Global Eduroam Group 7. Hosting organizations in eduroam Hideaki Goto reported on 3 methods they are investigating regarding eduroam deployment in the wider UPKI federated environment of Japan. Looking at a mechanisms to devolve the federation of potentially 10s of thousands of APs around the country. Much discussion was generated by this presentation, mostly surrounding whether an open proxy is permissable in an eduroam federation. Most discussion surrounded QA issues and the need for individual certificates or shared-secrets to enable revocation at a future date. Klaas was encouraged by the work of Japan in this regard. The provisioning of service providers (SPs) via this mechanism and the use of a system like this for University level delegation would also be useful. [ACTION ] Minimum requirements for generating SP configurations in an eduroam federation. The slides are available at: Mobility-20th-HGoto.pdf 8. Requirements for tunneled EAP-methods Stefan Winter reported on EAP methods. Discussion around the suitability of the channel bindings and TTLS-PAP. It isn't that PAP is bad - but that there is an added risk. The channel binding allows for mutual authentication for the inner and tying the inner and outer authentication channels. Summary is on slide 6. The slides are available at: mobility/meetings/20/tf%20mobility%2020%20- %20EAP%20Tunnel%20Requirements%20Overview.pdf 9. AMeN (Active Monitoring eduroam Node) Michael Rave of SURFNet presented on the topic. The system will add an additional layer of monitoring (functional testing) by adding nodes as clients to attempt to "use" eduroam in the way a real person would. Wireless access points and routers or embedded device. Brook mentioned that the Australian eduroam Project Group is doing some similar work. [ACTION ] At the suggestion of Diego the eduroam.org website should have a portion devoted to projects that are doing work relating to eduroam (such as this). The slides are available at: EN-TF-Mobility-final.pdf

10 Page 10/ DNSSEC experiences at SURFnet Paul Dekkers of SURFnet presented an extensive explaination of DNS attack vectors and how DNSSEC can be used to to mitigate against these attacks. A white paper is available here: (nu means now in Dutch) The slides are available at: Klaas posed the question from this mornings DNSSEC discussion: "Has anyone found the killer application that makes DNSSEC attractive as a service?" Stefan propased a case for ISPs to have DNSSEC because banks could DNSSEC sign their DNS records to reduce phishing/pharming. There was mention of certificate revocation lists using DNS. This makes the TERENA.org domain more important for DNSSEC to ensure that the CRL can be guaranteed. Milan made the point that protocols were designed to work with insecure DNS (if those protocols have a security requirement) and that DNSSEC doesn't offer end to end security. DNSSEC could be used for lightweight PKI distribution for dynamic peer discovery. 11. Date of Next Meeting February 15th with a tentative location of Vienna. 12. AOB and Close Diego Lopez presented on GEMBus. Slides are available at: The meeting closed at 18:15. (Minutes published 27 th October 2009) Action List Reference Who Action Status Brook Establish an archive of the GWG mailing list if it doesn't exist already Klaas Follow up on action items prior to the next TF- Mobility meeting Brook Discuss eduroam.org website updated with Daniel/Marcus from Australia regarding their User Centric Website Brook Discuss the "interface" to create mapping data and see about integrating this with the SURFnet solution discussed in line with website changes at GN3 Symposium All Produce good use-cases for DNSSEC implementations. To discuss later today and circulate on the BoF-DNSSEC@terena.org mailing list Brook Put this Metering and Monitoring effort on the radar

11 Page 11/12 of the Dutch (Michael Rave), Canadian and Australian efforts to do the same. Report back at next meeting Hideaki Goto, Minimum requirements for generating SP configurations in an eduroam federation. Brook Brook At the suggestion of Diego the eduroam.org website should have a portion devoted to projects that are doing work relating to eduroam (such as this). List of Participants First Name Last Name Affiliation Wenche Backman CSC/Funet Kurt Bauer ACOnet Paul Dekkers SURFnet Licia Florio TERENA Hideaki Goto NII / Tohoku University Mehdi Hached RENATER Jens Haeusser Canadian Access Federation/UBC Nicole Harris JISC Collections Avgust Jauk ARNES Simon Leinen SWITCH Diego Lopez RedIRIS José-Manuel Macías RedIRIS Miroslav Milinovic Srce RL 'Bob' Morgan Internet2 / InCommon / University of Washington Zbigniew Oltuszyk PIONIER Dubravko Penezic Srce Jaime Perez RedIRIS Juergen Rauschenbach DFN-Verein Michael Rave SURFnet Alex Reid AAF, AARNet, UWA Olivier Salaün CRU Brook Schofield TERENA Hideaki Sone NII / Tohoku University Milan Sova CESNET Joost van Dijk SURFnet Torbjörn Wiberg Umeå Universitet/SWAMI Klaas Wierenga Cisco Systems Mark Williams JISC Collections Stefan Winter RESTENA Tomasz Wolniewicz PIONIER

12 Page 12/12