Title: JRA5 Ubiquity Mobility and Roaming Access to Services plans and outline
1 JRA5 - Ubiquity (Mobility) and Roaming Access to Services: plans and outline
- Jürgen Rauschenbach
- jrau_at_dfn.de
2 Motivation
- Initiative in 2002 of TERENA (Trans European Research and Education Networking Association)
- Identification of the problem (Roaming)
- By Roaming we understand a method for the transfer of authentication information between organisations in a way that access for a user from another organisation can be granted (wireless or fixed) 1) to the network of the visited organisation and/or 2) to the home network (for authentication purposes and for working in the known environment)
- TF Mobility open (15 countries), 1.1.2003 - 30.6.2004, Charter and reports see www.terena.nl/mobility
3 TF Mobility will
- evaluate national (or local) roaming solutions used and operated today, based on the requirements defined by the TF
- select most promising methods and organize field tests
- make recommendations to the NRENs and provide material for discussion
- Evaluation of mobile equipment and technology of the next generation for Handover and Roaming (mobile IPv6).
4 Cross-domain 802.1X with VLAN assignment (Surfnet)
(Figure: Supplicant (guest piet_at_institution_b.nl), Authenticator (AP or switch), RADIUS servers with User DBs at Institution A and Institution B, Central RADIUS Proxy server, Internet; Guest VLAN, Employee VLAN, Student VLAN; signalling and data paths.)
Authentication at home institution, 802.1X, TTLS (SecureW2), (proxy) RADIUS. One-time passwords are also transmitted via SMS to guest users. A RADIUS hierarchy is proposed to scale this to a Europe-wide solution.
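The cross-domain flow on this slide, as an added example that is not part of the original presentation: a Python model of realm-based RADIUS proxying with VLAN assignment at the visited institution. It goes beyond the slide by using two proxy levels (national and European) for the proposed hierarchy; all server names, users, passwords and VLAN IDs are constructed assumptions.

```python
import hmac

# Constructed model. With 802.1X/TTLS the password travels in a TLS tunnel ending at
# the home server; proxies route on the realm only. It is passed in clear here for brevity.
VLANS = {"guest": 30, "employee": 10, "student": 20}   # hypothetical VLAN IDs

def realm_of(identity):
    _, sep, realm = identity.rpartition("@")
    return realm.lower() if sep else ""

class RadiusNode:
    def __init__(self, name, local_realm=None, users=None, parent=None):
        self.name, self.local_realm, self.parent = name, local_realm, parent
        self.users = users or {}      # identity -> (password, role)
        self.routes = {}              # realm suffix -> downstream node

    def _next_hop(self, realm):
        # Longest matching realm suffix wins; unknown realms go up to the parent.
        hits = [s for s in self.routes if realm == s or realm.endswith("." + s)]
        return self.routes[max(hits, key=len)] if hits else self.parent

    def authenticate(self, identity, password, path=()):
        """Return (accepted, role, servers that handled the request)."""
        realm = realm_of(identity)
        if not realm or self.name in path:         # no realm, or proxy loop: reject
            return False, None, path
        path = path + (self.name,)
        if realm == self.local_realm:              # home server checks its user DB
            stored = self.users.get(identity)
            ok = stored is not None and hmac.compare_digest(
                stored[0].encode(), password.encode())
            return ok, stored[1] if ok else None, path
        hop = self._next_hop(realm)
        return hop.authenticate(identity, password, path) if hop else (False, None, path)

    def admit(self, identity, password):
        """Visited-side decision: (VLAN ID or None, path)."""
        ok, role, path = self.authenticate(identity, password)
        if not ok:
            return None, path
        local = realm_of(identity) == self.local_realm
        return VLANS[role if local else "guest"], path   # visitors always get guest VLAN

# Constructed topology: institutions -> national proxy -> European proxy.
top = RadiusNode("eu-proxy")
nl = RadiusNode("nl-proxy", parent=top)
inst_a = RadiusNode("radius-a", "institution_a.nl",
                    {"anna@institution_a.nl": ("a-secret", "employee")}, nl)
inst_b = RadiusNode("radius-b", "institution_b.nl",
                    {"piet@institution_b.nl": ("b-secret", "student")}, nl)
top.routes, nl.routes = {"nl": nl}, {"institution_a.nl": inst_a, "institution_b.nl": inst_b}
```

Calling `inst_a.admit("piet@institution_b.nl", "b-secret")` shows the guest being authenticated by the home server and placed in the guest VLAN, while a realm no proxy knows is rejected when the request would loop back to the national proxy.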
5 RADIUS proxy hierarchy established (geographic view)
(Figure: map with FUNET, SURFnet, DFN, University of Southampton, FCCN, CARnet.)
RADIUS Proxy servers connecting to a European level RADIUS proxy server
- Participation guidelines are being drafted
- Aim is to increase membership. Norway, Slovenia, Czech Republic, Greece have indicated their willingness to join.
6 JRA5 Roaming (1)
- Quality check of the requirements doc
- update (802.1i)
- taking into account other technologies (UMTS, 3rd generation and beyond)
- roaming in wireless and fixed networks
- widen scope to seamless roaming
- academic and commercial interworking, policy issues
- integrating p2p building blocks
- input from AAI
- widen scope to support SSO
7 JRA5 Roaming (2)
- Define NREN roaming policy issues and guidelines
- define policy to establish a trust fabric at NREN/institution level
- survey national EU issues related to roaming
- Data Protection Act, Privacy Act, ...
- Define guidelines for roaming on NREN/institution level
- improved interoperability cookbook
8 JRA5 Roaming (3)
- Inter NREN roaming testbed extension and test plan
- provide an updated design for NREN roaming
- roaming pilot service roll-out plan (recommendations to the NRENs, but decisions are still with the NREN!)
- advertising/convincing the NRENs
- providing supporting materials (FAQs, cross test reports, etc.)
- provide statistics, analyse success, feedback to standards, push to vendors
- provide a plan on further work (UMTS, seamless roaming testbed, etc.)
10 AAI: Where are we today?
- different solutions used, some NRENs started, some not
- PAPI, A-Select, Shibboleth, Athens, many more ...
- Combinations exist too (SWITCHaai)
- user administration is seen by the NREN as a local problem, recommendations (LDAP?, ...)
- many projects (FEIDE, Unitcf, ...)
- TERENA TF AACE is working on these fields (until next Summer)
11 JRA5 AAI (1)
- Define basic requirements, incl. classification of services and apps to be addressed
- design a federated architecture and description of the generic blocks and components needed (started in TF AACE)
- install a test solution in a testbed for federated AAI, test plan
- survey of problems to solve and refinement of the requirements, making them stronger
- test again (rapid prototyping)
12 JRA5 AAI (2)
- AAI is characterised by a broader spectrum of solutions, more diverse than in roaming
- trying to stick to practicability!
- requirements should show what we do not want to do
- AAI task will probably be continued until end of project
- GRID to be observed, avoid strong incompatibility if possible
13 JRA5 SSO
- Based on AAI
- short term: SSO network access (802.11, later different networks (Wi-Fi and GPRS, mobile IPv6!))
- long term: SSO access network and apps (generic cases might be quite challenging)
- basic solutions on RADIUS? CARnet
- centralised solutions?