
eduroam JP and development of UPKI roaming

eduroam JP and development of UPKI roaming. Yoshikazu Watanabe*, Satoru Yamano* Hideaki Goto**, Hideaki Sone** * NEC Corporation, Japan ** Tohoku University, Japan. APAN24, Xi’an, 28 Aug. 2007. Contents. UPKI project and network roaming eduroam in Japan Problems and solutions


Presentation Transcript


  1. eduroam JP and development of UPKI roaming
  Yoshikazu Watanabe*, Satoru Yamano*
  Hideaki Goto**, Hideaki Sone**
  * NEC Corporation, Japan
  ** Tohoku University, Japan
  APAN24, Xi’an, 28 Aug. 2007

  2. Contents
  • UPKI project and network roaming
  • eduroam in Japan
  • Problems and solutions
  • Access control of roaming users regarding local resources
  • Summary

  3. UPKI project and network roaming
  • UPKI: University PKI (also referred to as: Inter-University Authentication and Authorization Platform)
  • Campus Ubiquitous Network (Tohoku Univ.)
  • R&D of authentication/policy-based network control mechanism
  • Introduction of eduroam to Japan
  • R&D of UPKI roaming system
  • Collaborative research by Tohoku Univ. and NEC

  4. eduroam in Japan
  2006
  • Aug. 31: Tohoku University connected to Asia-Pacific eduroam
  • Sep. 28: eduroam JP website opened
  • Dec.: Connected to the Asia-Pacific eduroam secondary server in Hong Kong
  • Dec.: Four organizations federated: High Energy Accelerator Research Organization (KEK), National Institute of Informatics (NII), Hokkaido Univ., and Kyoto Univ.
  2007
  • June: Kyushu University federated
  eduroam JP website: http://www.eduroam.jp/

  5. eduroam JP network
  [Diagram: RADIUS proxy hierarchy. Europe; AP Primary (Australia) and AP Secondary (Hong Kong); JP Primary and JP Secondary; federated institutions: Tohoku Univ. (the first eduroam AP in Japan), KEK, NII, Hokkaido Univ., Kyoto Univ., Kyushu Univ.]

  6. Circumstance in Japan
  • Scale
    • Lots of universities and colleges (87 national, 76 public, 571 private, and colleges; 1,200+ total as of Apr. 2006)
    • Large universities (some have 30,000+ people)
  • Operational policy
    • Guest use of IP addresses owned by a visited institution for Internet access is not acceptable (≒ illegal) in many cases.
    • Each institution has different network administration policies.

  7. Problem about scale
  • Problem
    • Lots of universities and colleges → configuring RADIUS proxies is so hard
  • Solution
    • Utilizing the realm regular expression patch for FreeRADIUS
      • A patch that enables proxying to be configured with regular expressions
      • Adopted into recent versions of FreeRADIUS
    • RadSec is also expected to solve this problem, and further to enhance the flexibility of configuration.
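The point of the regular-expression patch is that one proxy entry can cover hundreds of institution realms. The following is an added illustration, not code from the slides or from FreeRADIUS: it models realm-based proxy routing in Python, using the same leading "~" convention that FreeRADIUS uses for regex realms in proxy.conf. The realm names and server labels (LOCAL, jp-primary, ap-secondary) are constructed for the example and are not the real eduroam JP configuration.

```python
import re
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class Realm:
    """One proxy.conf-style realm entry. A name beginning with "~" is a regular
    expression (the convention of the FreeRADIUS realm-regex patch); any other
    name must match the realm exactly. Matching is case-insensitive, as realms are."""
    name: str
    home_server: str   # label of the server to proxy to; "LOCAL" = authenticate here

    def matches(self, realm: str) -> bool:
        if self.name.startswith("~"):
            return re.fullmatch(self.name[1:], realm, re.IGNORECASE) is not None
        return self.name.lower() == realm.lower()


class RealmRouter:
    """Picks the home server for an Access-Request from the realm part of User-Name.
    Exact entries are tried before regex entries, whatever their order in the list,
    so a single institution's rule is never shadowed by a broad catch-all."""

    def __init__(self, realms: List[Realm]):
        self.exact = [r for r in realms if not r.name.startswith("~")]
        self.regex = [r for r in realms if r.name.startswith("~")]

    def route(self, user_name: str) -> Optional[str]:
        # eduroam identities are NAI-style "user@realm"; the realm is the part after
        # the last "@". A bare user name has no realm and is handled locally.
        if "@" not in user_name:
            return "LOCAL"
        realm = user_name.rsplit("@", 1)[1]
        if not realm:
            return None                      # "user@" is malformed: reject
        for entry in self.exact + self.regex:
            if entry.matches(realm):
                return entry.home_server
        return None                          # unknown realm: reject, do not proxy blindly


# Constructed configuration for a JP member institution's proxy, modelled on the
# hierarchy the slides draw: own users local, other domestic institutions via the
# JP proxy, everything else via the Asia-Pacific proxy. Server labels are assumed.
JP_MEMBER_ROUTER = RealmRouter([
    Realm("tohoku.ac.jp", "LOCAL"),
    Realm(r"~.*\.ac\.jp", "jp-primary"),
    Realm(r"~.*\.jp", "jp-primary"),
    Realm(r"~.*", "ap-secondary"),
])


if __name__ == "__main__":
    for ident in ("alice@tohoku.ac.jp", "bob@cc.kyoto-u.ac.jp", "carol@kek.jp",
                  "dave@uni.example.au", "eve", "frank@"):
        print(f"{ident:24} -> {JP_MEMBER_ROUTER.route(ident)}")
```

Four entries replace one exact entry per institution, which is the scaling gain the slide describes. Two details matter for a proxy that fronts a whole federation: an unknown or empty realm is rejected rather than sent to a default server, and exact entries win over regex entries so that a catch-all such as `~.*` cannot hijack a realm that should be authenticated locally.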

  8. Problem about operational policy
  • Problem
    • Guest use of IP addresses in a visited institution is not acceptable.
      • Responsible bodies become unclear.
      • Visited institutions are often involved in resolving troubles (e.g. cracking, illegal access).
      • Causes a violation of subscription conditions of IP address-based licensing (e.g. online journals).
    • Each institution has different network administration policies.
  → Visited institutions need a way to authorize roaming guests’ accesses to local resources.
  → Proposed solutions:
    • VPN-only policy (for Internet access)
    • Exchange of user class information and access control for local resources

  9. Proposed solutions (Campus Ubiquitous Network)
  • VPN-only policy
    • Roaming users must use a home VPN server to access the Internet. (Direct access to the Internet from the visited institution network is prohibited.)
    • After authentication at the AP, a user accesses the home VPN server and goes outside from there (using a home IP address).
  • Exchange of user class information and access control for local resources
    • Extension to eduroam authentication
    • Our recent main theme
  [Diagram: client (supplicant S/W) → AP → FW → RADIUS at the visited institution → the Internet → FW → RADIUS and VPN server at the home institution; local resources behind a FW at both institutions; exchange of authorization information and access control at the visited institution.]

  10. Exchange of user class information and access control for local resources
  • Basic idea
    • Extend the eduroam authentication procedure
      • A home RADIUS server attaches user class information to a RADIUS Access-Accept packet.
      • A RADIUS server in a visited institution authorizes user accesses to local resources according to the received user class and local policies.
    → Realize access control for local resources
  • Prototype implementation is done

  11. User class
  • Classification of users by common criteria in the eduroam federation
  • Each institution assigns a user class to each user of the institution in advance.

  12. Example of access control for local resources by user class
  • Users (class 1) cannot access local resources
  • Users (class 2) can access only the local network
  • Users (class 3) can access the campus network, but cannot access the Internet directly
  • Users (class 4) can access the Internet directly
  [Diagram: client (user class 1/2/3/4) → AP → FW → local service (e.g. printer) → FW → campus network → FW → the Internet, at the visited institution.]

  13. Procedure: Access-Request
  • Client: starts 802.1X authentication.
  • Visited institution (AP/RADIUS): sends a RADIUS Access-Request; uses eduroam to authenticate the user.
  • Home institution (RADIUS): authenticates and authorizes the user.
  • The Access-Request is a normal RADIUS packet, as usual in eduroam.
  [Diagram: client (supplicant S/W) → AP → FW → RADIUS at the visited institution → the Internet → FW → RADIUS at the home institution; local resources at both institutions.]

  14. Procedure: Access-Accept
  • Home institution (RADIUS): retrieves the user class for the user, and sends a RADIUS Access-Accept packet with the user class information.
  • Visited institution (RADIUS): authorizes accesses to local resources using the user class and local policies.
  [Diagram: same topology as slide 13; the Access-Accept travels from the home RADIUS server back to the visited RADIUS server.]

  15. Procedure: Access-Accept (cont.)
  • Visited institution (RADIUS): sends an Access-Accept packet to the AP without information on authorized resources → 802.1X authentication succeeds at the client.
  • Visited institution (RADIUS): sends a RADIUS Access-Accept packet with information on authorized local resources to the FW.
  • FW: sets filtering rules according to the received information.
  [Diagram: same topology as slide 13; one Access-Accept goes to the AP, one to the FW at the visited institution.]

  16. Procedure: access to local resources
  • Client: accesses local resources.
  • FW: filters traffic to local resources (blocks unauthorized accesses).
  [Diagram: same topology as slide 13; the client's traffic passes the FW on its way to the visited institution's local resources.]

  17. Issues to be examined
  • The definition of the “user class” in eduroam
    • Representation, granularity, and so on
  • How to realize and control the communication between roaming users and local resources
  • Et cetera

  18. Summary
  • 6 institutions are participating in eduroam JP.
  • Issues regarding roaming are revealed through the deployment of eduroam JP.
  • Examining access control of roaming users regarding local resources

  19. Thank you for your kind attention.

  20. References

  21. The problem about traceability
  • Guest users using the host’s IP addresses are recognized as members of the institution.
  • A visitor cannot access the user’s home resources.
  • What if a visitor with an IP address of the visited institution did some attacks on servers outside???
  [Diagram: visitor at the visited institution using a host IP address; home institution; the Internet; illegal access from the visited institution's address.]

  22. Traceability: case study 1
  University B subscribes to an electronic journal X, while another university A does not. A student at univ-A goes to univ-B so that he/she can download journal X using the WLAN roaming. Since the student downloaded too many articles at once, the publisher regarded it as a violation of the subscription conditions and sent a complaint to univ-B. In univ-B, the NW manager has to analyze the roaming logs and contact univ-A to search for the user. User tracking and communication between universities are laborious. Even between departments in a university, such user tracking is very difficult. It is much more difficult between countries.

  23. Traceability: case study 2
  Some resources such as local web servers in univ-B are protected by an address-based access restriction. When people from univ-A visited univ-B, they could gain access to the resources using the WLAN roaming system. Even if the administrators of the web servers examine the access logs, the outsiders’ accesses cannot be noticed because “local” IP addresses are used.

  24. Possible solution for roaming issues: Dedicated network
  • A dedicated network might be useful for solving the responsibility problems.
  • User tracking remains difficult.
  • WLAN users cannot use local resources.
    • Can be either a merit or a demerit
  [Diagram: home university, visited university, dedicated network, publisher, campus LAN, Internet.]

  25. VPN-only solution: Permitted protocols for roaming users
  • VPN
    • PPTP (GRE (47), TCP/1723)
    • OpenVPN (UDP/1194)
    • SSH (TCP/22)
    • IPsec NAT-traversal (UDP/4500)
    • Cisco IPsec (TCP/10000)
    • L2TP (UDP/1701)
  • Others
    • pop3 (TCP/110)
    • pop3s (TCP/995)
    • imap4 (TCP/143)
    • imaps (TCP/993)
    • ssmtp (TCP/465)
    • msa (TCP/587)
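The user-class exchange of slides 10 and 13-16 and the VPN-only protocol list of slide 25 fit together in one visited-institution policy engine. The following Python is an added example written for this page, not the prototype the authors built: it models the home server's Access-Accept carrying a class, the visited proxy deriving firewall rules from the class and local policy while relaying a class-free Access-Accept to the AP, and the firewall enforcing those rules per station. Three things are assumptions: the attribute name "Eduroam-User-Class" (the slides do not say how the class is encoded), that the classes of slide 12 are cumulative, and that a station without direct Internet rights is still allowed the slide 25 protocol set towards the Internet so it can reach its home VPN server.

```python
# Zones a visited institution distinguishes in the slides' example (slide 12).
# Assumption: classes are cumulative (class 3 may reach everything class 2 may),
# which is how slide 12 reads.
LOCAL_POLICY = {
    1: frozenset(),
    2: frozenset({"local"}),
    3: frozenset({"local", "campus"}),
    4: frozenset({"local", "campus", "internet"}),
}

# Internet-bound traffic the VPN-only policy permits (slide 25), keyed by
# (IP protocol number, destination port); GRE (protocol 47) carries no port.
TCP, UDP, GRE = 6, 17, 47
VPN_ONLY_ALLOWED = frozenset({
    (GRE, None), (TCP, 1723),            # PPTP
    (UDP, 1194),                         # OpenVPN
    (TCP, 22),                           # SSH
    (UDP, 4500),                         # IPsec NAT-traversal
    (TCP, 10000),                        # Cisco IPsec
    (UDP, 1701),                         # L2TP
    (TCP, 110), (TCP, 995),              # pop3, pop3s
    (TCP, 143), (TCP, 993),              # imap4, imaps
    (TCP, 465), (TCP, 587),              # ssmtp, msa
})

# Placeholder attribute name: the slides do not say how the class is encoded.
CLASS_ATTR = "Eduroam-User-Class"


def home_access_accept(user_name, user_class, calling_station_id):
    """Home RADIUS server: an ordinary Access-Accept with the user class attached
    (slide 14). Packets are modelled as attribute dictionaries."""
    return {"code": "Access-Accept", "User-Name": user_name,
            "Calling-Station-Id": calling_station_id, CLASS_ATTR: user_class}


def visited_proxy(accept, policy=LOCAL_POLICY):
    """Visited institution's RADIUS proxy (slide 15): derives the authorized zones
    from the received class and local policy, returns the packet relayed to the AP
    (class stripped, no resource information) and the rule handed to the firewall."""
    # Fail closed: a missing or unknown class gets class 1 treatment.
    zones = policy.get(accept.get(CLASS_ATTR), policy[1])
    to_ap = {k: v for k, v in accept.items() if k != CLASS_ATTR}
    rule = {"station": accept["Calling-Station-Id"], "allow": zones}
    return to_ap, rule


class Firewall:
    """Per-station filter at the visited institution (slide 16). Assumption: a
    station without direct Internet rights is still allowed the VPN-only protocol
    set towards the Internet, so it can reach its home VPN server (slide 9)."""

    def __init__(self, vpn_only=True):
        self.rules = {}
        self.vpn_only = vpn_only

    def install(self, rule):
        self.rules[rule["station"]] = rule["allow"]

    def permits(self, station, dst_zone, ip_proto=TCP, dport=None):
        allowed = self.rules.get(station)
        if allowed is None:
            return False                     # no rule: station never authenticated
        if dst_zone in allowed:
            return True
        if dst_zone == "internet" and self.vpn_only:
            return (ip_proto, None if ip_proto == GRE else dport) in VPN_ONLY_ALLOWED
        return False


def run_scenario():
    """Walks one user of each class through the exchange and returns the filter
    decisions. Station identifiers and user names are constructed."""
    fw = Firewall()
    decisions = {}
    for cls in (1, 2, 3, 4):
        station = f"00-11-22-33-44-0{cls}"
        accept = home_access_accept(f"user{cls}@home.example", cls, station)
        to_ap, rule = visited_proxy(accept)
        assert CLASS_ATTR not in to_ap       # the AP never sees the class
        fw.install(rule)
        decisions[cls] = {
            "printer": fw.permits(station, "local"),
            "campus_web": fw.permits(station, "campus"),
            "web_direct": fw.permits(station, "internet", TCP, 443),
            "home_openvpn": fw.permits(station, "internet", UDP, 1194),
            "home_pptp_gre": fw.permits(station, "internet", GRE),
        }
    decisions["unknown_station"] = fw.permits("00-de-ad-be-ef-00", "local")
    return decisions


if __name__ == "__main__":
    for key, value in run_scenario().items():
        print(key, value)
```

Two design choices carry the security weight. The proxy fails closed: an Access-Accept with no class, or with a class the local policy does not know, yields the class 1 rule set, so a home server that does not implement the extension cannot accidentally grant local access. And the firewall rules are keyed on the station, not on the class, so the AP only learns that authentication succeeded while the resource decision stays with the visited institution, which is the split slide 15 draws.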
