10 October 2003 Internet2 members meeting 1 An update on the work of JANET Wireless Advisory Group & The Terena Mobility Taskforce James Sankar UKERNA


10 October 2003 Internet2 members meeting 1

An update on the work of

JANET Wireless Advisory Group &

The Terena Mobility Taskforce

James Sankar

UKERNA

10 October 2003 Internet2 members meeting 2

Contents Page

• Background to UKERNA

• The Current Network – SuperJANET

• The SuperJANET Development Programme & the JANET Network Access Area

• JANET Wireless Advisory Group

• TF-Mobility update

• Internet2 members collaboration?

10 October 2003 Internet2 members meeting 3

Current Network - SuperJANET

• In service – March 2001

• Backbone – Supplied by WorldCom (now MCI)

• Initially 2.5 Gbit/s, upgraded to 10 Gbit/s (July 2002)

10 October 2003 Internet2 members meeting 4

JANET Development Programme

“…to underpin the development of SuperJANET, evolving over the coming years to support the applications used by the community, which is served by the network.”

Network Access Area

• To widen access to JANET to allow the migration of the learning process from its traditional base in the classroom, lecture theatre and laboratory, to the home and workplace.

• To exploit the opening up of the "local loop" marketplace to enable wider access to JANET.

• To develop a broad number of activity areas that can enable the widening of access to the JANET network, such as ADSL, two-way satellite, wireless, IP over power, cable modem etc.

• To work with other National Research and Education Networks on network access developments.

10 October 2003 Internet2 members meeting 5

JANET Wireless Advisory Group

• Group formed in May 2003.

• Supported by UKERNA.

• Initial lifetime of 1 year – will be extended in line with the action plan.

• Group established and consists of:

– Higher education

– Further education

– Industry (suppliers and service providers)

• Website established at http://www.ja.net/development/network_access/wireless/wag/wag.html with agenda, minutes and case studies available online.

• Public mailing list set up – “wireless-[email protected]”

• Terms of reference agreed.

• Action Plan in draft form and under consultation.

10 October 2003 Internet2 members meeting 6

JANET Wireless Advisory Group Terms of Reference

Key aim: To provide advice and guidance to the JANET community on wireless networking

• Mobile Wireless (40% effort) – one or more end points may change location, such as 802.11, UMTS, GPRS, SMS, Bluetooth.

• Location Independent Networking (30% effort) – where a user can obtain network access independent of their physical location.

• Wireless Applications & Services (10% effort) – Location Based Services & Instant Messaging applications.

• Point to Point / Multipoint Wireless (20% effort) – both end points have a fixed location, such as Fixed Radio and Infrared Services.

• Other Activities – monitor commercial & community wireless network activities; attend the TF-Mobility meetings; monitor standards and legislation.

10 October 2003 Internet2 members meeting 7

What are other European NRENs doing?

• WLAN policy & best practice in place.

• Scaling wireless LAN infrastructures across existing backbones for national “roaming” solutions.

• Developing interoperable solutions to existing national solutions as part of the Terena TF-Mobility group, to develop a Europe-wide wireless roaming infrastructure amongst participating NRENs.

10 October 2003 Internet2 members meeting 8

Originators of national roaming solutions across Europe

• 802.1X @ SURFnet

• VPN + Certificates @ FCCN

• VPN @ University of Bremen & SWITCH

• PPPoE over Linux @ University of Bristol & the University of Swansea

• Web-based redirection @ FUNET

10 October 2003 Internet2 members meeting 9

Background

• TERENA – Trans-European Research and Education Networking Association (brings European NRENs together for European projects).

• TF-Mobility (Taskforce) officially began on January 1 2003.

– The group has an 18 month lifetime.

• Aim: “coordinating research and testing in Europe regarding real usage and scalability of mobility solutions inside the academic community”.

• Mobility solutions are defined as – a way to transfer authentication information between organisations so that a user from a different organisation may gain wired or wireless access to 1) the visiting organisation’s network or 2) the visitor’s home network for home authentication and network access.

• Work Areas

– Identify inter-NREN roaming requirements.

– Evaluate current national roaming solutions.

– Select inter-NREN solution and test.

– Evaluate mobile equipment, technology and next generation mobile technology for handover and roaming (mobile IPv4 & v6).

10 October 2003 Internet2 members meeting 10

Requirements definition

Enable NREN users to use the Internet (WLAN and wired) everywhere in Europe:

1) With minimal administrative overhead (per roaming user)

• Very little admin work to enable roaming per user.

• Minimize the complexity of additional systems required.

• No n² (pairwise) work required when scaling the system.

• No regulatory entanglement.

2) With good usability

• Available to most current WLAN (and wired) users.

• No additional software required to enable roaming.

• Enable all (work, guest, home networks, IPv4 and IPv6).

3) Maintaining required security for all partners

• Allow use only for approved NREN users.

• Provide accountability but also confidentiality of traffic.

• Guard against data manipulation and session hijacking.

• Allow real security (e2e) on top.

• Don’t aggravate security issues of visited networks.

10 October 2003 Internet2 members meeting 11

Cross-domain 802.1X with VLAN assignment (Surfnet)

Authentication at home institution: 802.1X, TTLS (SecureW2), (proxy) RADIUS. One-time passwords are also transmitted via SMS to guest users.

A RADIUS Hierarchy is proposed to scale this to a European wide solution.

[Diagram: a guest supplicant (piet@institution_b.nl) at Institution A authenticates through the authenticator (AP or switch) to Institution A’s RADIUS server, which proxies over the Internet via a central RADIUS proxy server to Institution B’s RADIUS server and user DB; the port is then placed in StudentVLAN, GuestVLAN or EmployeeVLAN. Data and signalling paths are shown separately.]
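The realm-based proxying and VLAN assignment on this slide, as an added Python model that is not part of the original deck. The institution names, users, passwords, the hop limit and the routing table are constructed sample data; the rule that a visited site never honours a VLAN chosen by a foreign home server and places the guest in its own GuestVLAN is an assumption about how the guest VLAN in the diagram is enforced, and the username@realm check anticipates the “standard is required for username@realm” finding later in the deck.

```python
from dataclasses import dataclass, field
from typing import Optional

ACCEPT, REJECT = "Access-Accept", "Access-Reject"
MAX_PROXY_HOPS = 4  # assumption: loop guard for mis-configured proxy routes


@dataclass
class RadiusServer:
    name: str
    realm: Optional[str] = None                 # realm this server is authoritative for
    users: dict = field(default_factory=dict)   # user -> (password, VLAN); constructed data
    routes: dict = field(default_factory=dict)  # realm -> next hop; "*" = parent proxy
    guest_vlan: str = "GuestVLAN"

    def access_request(self, username: str, password: str, hops: int = 0):
        """Answer locally if the realm is ours, otherwise proxy the request by realm."""
        if hops > MAX_PROXY_HOPS or "@" not in username:
            return REJECT, None                 # no realm: cannot be routed, so reject
        user, realm = username.rsplit("@", 1)
        if realm == self.realm:
            pw, vlan = self.users.get(user, (None, None))
            return (ACCEPT, vlan) if pw == password else (REJECT, None)
        nxt = self.routes.get(realm) or self.routes.get("*")
        if nxt is None:
            return REJECT, None                 # unknown realm: drop, never guess a home
        return nxt.access_request(username, password, hops + 1)


def visited_login(visited: RadiusServer, username: str, password: str):
    """Decision the visited site's authenticator applies: result plus the VLAN to assign."""
    result, home_vlan = visited.access_request(username, password)
    if result != ACCEPT:
        return REJECT, None
    realm = username.rsplit("@", 1)[1]
    # A VLAN returned by a *foreign* home server is never honoured at the visited site.
    return ACCEPT, home_vlan if realm == visited.realm else visited.guest_vlan


def build_demo():
    """Two institutions behind one central proxy (constructed sample topology)."""
    central = RadiusServer("central-proxy")
    a = RadiusServer("inst-a", "institution_a.nl",
                     {"anna": ("pw-a", "EmployeeVLAN")}, {"*": central})
    b = RadiusServer("inst-b", "institution_b.nl",
                     {"piet": ("pw-b", "StudentVLAN")}, {"*": central})
    central.routes = {"institution_a.nl": a, "institution_b.nl": b}
    return a, b
```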

10 October 2003 Internet2 members meeting 12

VPN & RADIUS / PKI

[Diagram, shown twice on the slide: Intranet X – docking network – campus network – G-WiN, with VPN gateways, and DHCP, DNS and free web access available on the docking network.]

SWITCHmobile – VPN solution deployed at 7 universities across Switzerland.

Wbone – VPN roaming solution to 4 universities / colleges in the state of Bremen.

A "virtual campus" initiative in Lisbon has been testing and developing a VPN & PKI infrastructure.

10 October 2003 Internet2 members meeting 13

RADIUS based Web interface authentication solution

[Diagram: RADIUS based Web interface authentication at the University of Tampere – WWW browser on the docking network, access control device, AAA server and the Internet; steps 1–5 are labelled on the slide but not described.]

The Finnish are scaling their solution by using a hierarchy of RADIUS proxy servers for their national infrastructure

10 October 2003 Internet2 members meeting 14

PPP over Ethernet – University of Bristol nomadic network (with links to the University of Wales)

10 October 2003 Internet2 members meeting 15

TF-Mobility: Current status

1. Documentation of national WLAN roaming solutions – complete. Characteristics identified as:

– 802.1X – “the future”, easy to scale, secure but cutting edge, thus expensive.

– VPN – widely available, expensive, secure & hard to scale.

– Web based – cheap, widely available, easy to scale, but not secure.

2. WLAN product testing matrix – 1st draft completed.

3. Preliminary selection for inter-NREN roaming – in draft; conclusions are:

– No national solution meets all the requirements.

– The group has chosen not to consider the following:

• Local VPN access: VPN users will not be able to access a visited institution’s VPN gateway because (though possible) offering access to all VPN servers would not be practical, as all participating institutions would have to purchase a VPN server for this single purpose.

• PKI: good to have when ready; currently it is not, and it would be complex to manage during the group’s limited lifetime.

– An architecture that supports the various national solutions is needed; a three stream approach is recommended…

10 October 2003 Internet2 members meeting 16

Recommendations

• Define interoperability scenarios for each national solution and identify work needed to integrate these solutions and three development streams together.

• A phased development / testing approach:

– Resolve scaling and interoperability issues for 802.1x, VPN and web-based redirect.

– Consolidate findings into a trial report.

– Build and scale a RADIUS proxy hierarchy for non-VPN AAA.

– Conduct feasibility tests on creating a scalable VPN solution.

– Subject to feasibility, build the proposed CASG solution.

– Extend to VPN in parallel.

– Work on software changes to Roamnode (PPPoE over Linux) to facilitate roaming.

The testing of inter-NREN roaming solutions has already started!

10 October 2003 Internet2 members meeting 17

RADIUS proxy hierarchy established (geographic view)

[Map: RADIUS proxy servers at SURFnet, FCCN, FUNET, CARnet, the University of Southampton and DFN connecting to a European-level RADIUS proxy server.]

• Participation guidelines are being drafted.

• Aim is to increase membership. Norway, Slovenia, Czech Republic & Greece have indicated their willingness to join.

Findings so far

(1) A standard is required for username@realm.

(2) Clear text of authentication details between RADIUS servers can be overcome by using IPSec.

10 October 2003 Internet2 members meeting 18

RADIUS proxy hierarchy established (network topology view)

[Diagram: a top-level RADIUS proxy server, etlr1.radius.terena.nl (192.87.36.6), and a backup top-level proxy, etlr2.radius.terena.nl (195.169.131.2), currently hosted at SURFnet. National RADIUS proxy servers are currently linked at FCCN (Portugal), CARNET (Croatia), SURFnet (Netherlands) and FUNET (Finland), with the University of Southampton and FOKUS (Berlin) also shown; each national proxy fronts its organizational RADIUS servers.]

10 October 2003 Internet2 members meeting 19

Controlled Address Space for VPN Gateways

• Design and work plan documentation underway.

• Interoperability tests of VPN to RADIUS proxy hierarchy agreed.

• The group is considering using RADIUS for backup.

• Further work to follow.

10 October 2003 Internet2 members meeting 20

Further collaborations???

• The TF-Mobility group welcomes participation within Europe and outside of Europe.

• Why not join in and participate with us on:

– The RADIUS Proxy Hierarchy

– The Controlled Address Space for VPN Gateways

• Contact us; the TF-Mobility co-chairs are:

– James Sankar – [email protected]

– Carsten Bormann – [email protected]

Further Information

JANET Wireless Advisory Group

http://www.ja.net/development/network_access/wireless/wag/wag.html

JANET Two-way satellite trial

http://www.ja.net/development/network_access/satellite/trial.html

The Terena Mobility Task Force

http://www.terena.nl/tech/task-forces/tf-mobility/

10 October 2003 Internet2 members meeting 21

Thank you for your time

Any questions ?

James Sankar

+44 1235 822 223

[email protected]