TF-Mobility update - PowerPoint PPT Presentation

Learn more at: http://www.terena.org

1
eduroam-ng architecture: Test results and way forward
Klaas.Wierenga@surfnet.nl
TF-Mobility, Zagreb, 2 February 2006
2
Current architecture
  • Main (technical) issues
    • No (real) authorisation → DAMe
    • Static routing based on realm parsing
    • Credentials pass through intermediate systems
    • Transitive trust based on shared secrets
    • Dead peers hard to detect

3
Evaluation of a number of approaches
  • Diameter: nearly shipping (for many years now ;-)
  • DNSSEC: hardly deployed, new
  • RadSec: new, single vendor (Radiator), but not much more than a combination of existing technologies
  • DNSROAM: see above

4
RadSec/DNSROAM
  • Packet format: RADIUS
  • Transport: TCP (or SCTP)
  • Encryption: TLS (optional)
  • TLS → PKI
  • DNSROAM combines RadSec with DNS for dynamically locating the peer
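The one mechanical consequence of "RADIUS packet format over TCP" is framing: on UDP one datagram is one packet, but on a stream the only delimiter is the Length field in the RADIUS header. The following is an added example, not code from the presentation or from Radiator, showing a stream reader that buffers partial reads and sanity-checks Length before trusting it; the packets it builds are constructed sample data.

```python
"""RADIUS packet framing on a TCP/TLS stream, as RadSec uses it.

Added example, not code from the presentation or from Radiator. A Length
outside 20..4096 cannot be skipped the way a bad UDP datagram can: it
desynchronises the whole connection, so the reader raises and the caller
should close the connection.
"""
import struct

HEADER_LEN = 20      # code(1) id(1) length(2) authenticator(16)
MAX_LEN = 4096       # RFC 2865 upper bound on a RADIUS packet


def build_packet(code, identifier, authenticator, attributes):
    """Serialise a RADIUS packet; attributes is a list of (type, value bytes)."""
    if len(authenticator) != 16:
        raise ValueError("authenticator must be 16 bytes")
    body = b"".join(bytes([t, 2 + len(v)]) + v for t, v in attributes)
    length = HEADER_LEN + len(body)
    if length > MAX_LEN:
        raise ValueError("packet too large")
    return struct.pack("!BBH16s", code, identifier, length, authenticator) + body


def parse_attributes(data):
    """Decode the TLV attribute list; each attribute Length covers type+length."""
    attrs = []
    pos = 0
    while pos < len(data):
        if len(data) - pos < 2:
            raise ValueError("truncated attribute header")
        atype, alen = data[pos], data[pos + 1]
        if alen < 2 or pos + alen > len(data):
            raise ValueError("bad attribute length %d" % alen)
        attrs.append((atype, data[pos + 2:pos + alen]))
        pos += alen
    return attrs


class RadSecFramer:
    """Accumulates bytes read from a stream and yields complete packets."""

    def __init__(self):
        self.buf = b""

    def feed(self, chunk):
        """Append chunk; return (code, id, authenticator, attrs) for every
        packet that is now complete. Raises ValueError on an invalid Length."""
        self.buf += chunk
        packets = []
        while len(self.buf) >= 4:
            code, ident, length = struct.unpack("!BBH", self.buf[:4])
            if not HEADER_LEN <= length <= MAX_LEN:
                raise ValueError("invalid RADIUS Length %d" % length)
            if len(self.buf) < length:
                break                      # wait for the rest of this packet
            pkt, self.buf = self.buf[:length], self.buf[length:]
            packets.append((code, ident, pkt[4:20], parse_attributes(pkt[20:])))
        return packets


def demo():
    """Constructed sample: an Access-Request (code 1) followed by an
    Access-Accept (code 2), delivered in two arbitrary TCP segments."""
    auth = bytes(range(16))                                    # constructed, not random
    req = build_packet(1, 7, auth, [(1, b"alice@a.example"),   # User-Name
                                    (32, b"nas01")])           # NAS-Identifier
    acc = build_packet(2, 7, auth, [])
    stream = req + acc
    framer = RadSecFramer()
    first = framer.feed(stream[:10])      # header incomplete: nothing yet
    second = framer.feed(stream[10:])     # both packets now complete
    return first, second


if __name__ == "__main__":
    print(demo())
```

The split at byte 10 is arbitrary: any segmentation of the stream must yield the same two packets, which is exactly what the buffer-and-Length loop guarantees.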

5
Test setup
  • Participants: CESNET, ISTF, TELIN (NL), ARNES, ACAD (BG), UNINETT, RESTENA, Radiator (AU), SURFnet.

6
Test set
  • Authentication related tests
    • Known user
    • Unknown user
    • Wrong credentials
  • PKI related tests
    • Certificate signed by unknown CA
    • Multiple CAs
    • Revoked certificate
    • Mismatch between peer name and CN
    • Wrong subjectAltName or CN in the certificate
  • DNS related tests
    • NAPTR lookup failure
    • SRV lookup failure
    • A lookup failure
    • Default handling after lookup failure
      • Fallback/defaulting to RADIUS
      • Fallback/defaulting to static RadSec
  • Configuration related tests
    • CA certificate not installed
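The DNS-related tests above exercise the lookup chain that slide 4 credits DNSROAM with (NAPTR, then SRV, then A, then a default), and the PKI tests include checking the discovered peer name against the certificate's CN and subjectAltName. The following is an added example covering both, not code from the presentation or from Radiator; the resolver table and the certificates are constructed in memory, and the NAPTR service tag, the `_radsec._tcp` SRV owner name and the fallback order are assumptions made for illustration.

```python
"""Realm-to-peer discovery with the DNS fallback chain from the test set, plus
the peer-name-versus-certificate check from the PKI tests.

Added example, not code from the presentation or from Radiator. Everything
runs offline: the resolver table and certificates are constructed. The NAPTR
service tag, the _radsec._tcp SRV name and the step order are assumptions;
2083 is used as the RadSec port and 1812 for plain RADIUS.
"""
from dataclasses import dataclass

NAPTR_SERVICE = "x-eduroam:radius.tls"   # assumed service tag, illustrative only
RADSEC_PORT = 2083
RADIUS_PORT = 1812

# Constructed resolver table: (owner name, record type) -> records. A missing
# key stands for a lookup failure (NXDOMAIN or no data).
DNS = {
    # a.example: full chain NAPTR -> SRV -> A
    ("a.example", "NAPTR"): [(10, 10, "s", NAPTR_SERVICE, "_radsec._tcp.a.example")],
    ("_radsec._tcp.a.example", "SRV"): [(0, 0, RADSEC_PORT, "radsec.a.example")],
    ("radsec.a.example", "A"): ["192.0.2.10"],
    # b.example: NAPTR lookup fails, SRV record present
    ("_radsec._tcp.b.example", "SRV"): [(0, 0, RADSEC_PORT, "radsec.b.example")],
    ("radsec.b.example", "A"): ["192.0.2.20"],
    # c.example: only an A record for the realm name itself
    ("c.example", "A"): ["192.0.2.30"],
}


@dataclass(frozen=True)
class Peer:
    host: str
    port: int
    transport: str   # "radsec" or "radius"
    source: str      # which step of the chain produced this peer


def lookup(name, rtype):
    return DNS.get((name, rtype), [])


def srv_peer(name, source):
    records = sorted(lookup(name, "SRV"))          # lowest priority first
    if not records:
        return None
    _priority, _weight, port, target = records[0]
    return Peer(target, port, "radsec", source)


def discover(realm, static_radsec, default_radius):
    """NAPTR -> SRV -> A lookup, then static RadSec, then plain RADIUS.
    Returns None for a realm nothing knows about: reject it rather than
    forward credentials to an arbitrary default."""
    for _order, _pref, flags, service, replacement in sorted(lookup(realm, "NAPTR")):
        if service != NAPTR_SERVICE:
            continue
        if flags == "s":                            # replacement is an SRV name
            peer = srv_peer(replacement, "naptr")
            if peer:
                return peer
        elif flags == "a":                          # replacement is a host name
            return Peer(replacement, RADSEC_PORT, "radsec", "naptr")
    peer = srv_peer("_radsec._tcp." + realm, "srv")
    if peer:
        return peer
    if lookup(realm, "A"):
        return Peer(realm, RADSEC_PORT, "radsec", "a")
    if realm in static_radsec:                      # static RadSec peer table
        host, port = static_radsec[realm]
        return Peer(host, port, "radsec", "static")
    if default_radius:                              # last resort: plain RADIUS
        return Peer(default_radius, RADIUS_PORT, "radius", "default")
    return None


def peer_name_matches(expected_host, cert):
    """cert has the shape ssl.getpeercert() returns. dNSName SANs are
    authoritative when present; the CN counts only when there are none, so a
    certificate with the right CN but a wrong subjectAltName is rejected."""
    expected = expected_host.lower().rstrip(".")
    sans = [v.lower() for kind, v in cert.get("subjectAltName", ()) if kind == "DNS"]
    if sans:
        return expected in sans
    cns = [v.lower() for rdn in cert.get("subject", ())
           for kind, v in rdn if kind == "commonName"]
    return expected in cns


if __name__ == "__main__":
    static = {"d.example": ("radsec-d.example", RADSEC_PORT)}   # constructed
    for realm in ("a.example", "b.example", "c.example", "d.example", "e.example"):
        print(realm, "->", discover(realm, static, "proxy.example"))
```

Two choices matter for the "fully meshed" trust discussion later in the deck: a realm that resolves nowhere and has no configured default is rejected instead of being sent to some catch-all peer, and the name learned from DNS is only accepted once the presented certificate's SAN (or, failing that, CN) says the same thing, which is what turns an unauthenticated DNS answer into an authenticated peer.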

7
Fully hierarchical
  • One PKI, split PKI?

8
Meshed toplevel
  • Central DNS zone?

9
Fully meshed (DNSROAM)
  • Big trust issues: multiple PKIs, bucket of certificates, revocation lists
  • Multiple federation membership?
  • Issues with sites having to open up their servers for the world
  • How about a secure peer lookup service instead of DNS (eduGAIN?)

10
Legacy model
11
Measurements
12
Results
  • All scenarios can be made to work, but:
    • DNSROAM is not yet production grade
    • Static RadSec is (thanks to us) stable enough to warrant using it when possible because of its advantages over plain RADIUS:
      • Failure detection
      • TCP
      • Peer authentication
    • Trust (PKI) issues are the key factor in making this work

13
What now?
  DNSROAM or RadSec?