www.canarie.ca
May 20, 2015
An update on eduroam topics in Canada
All Things Eduroam
Chris Phillips | June 12th, 2013 | CANHEIT | Ottawa
Today’s topics
About Canadian
Operations
Traffic Stats
Trends & Patterns
Streamlining Configuration
Tools
Under the hood
Looking into the future
Latest Developments
Options
Wifi is the new ethernet
CANHEIT 2013 eduroam Usage
[Chart: eduroam Authentications and eduroam Unique Users per day, Thursday 6 June 2013 to Tuesday 11 June 2013, logarithmic axis from 1 to 10000. Data labels in extraction order: 332, 18, 328, 637, 5410, 5986; 38, 8, 24, 51, 177, 172.]
A day in the life of eduroam
Where do they benefit from the service?
Within Canada…
Eduroam in Canada
[Chart: eduroam Successful Logins, with series International, Canada and % no reply from server; axes from 0 to 1,600,000 and from 0.00% to 25.00%.]
Eduroam helping reduce guest accounts
Tools
Go from this To this
Canadian Data Now in eduroam Companion
• Based on registry & published by XML
• XML files aggregated centrally by eduroam.org & available for apps
• One example of benefiting from a larger ecosystem
Data Improvements
• Eduroam @ your campus is not just a single point
• But that’s all we have on you to geo-locate.
• Site admins can provide updated institution XML for their extra sites to enrich the database
• Send to: [email protected]
Eduroam CAT service
• Builds & hosts profile installers for all platforms and devices (MSFT, Apple, Linux)
• CANARIE participated early in Beta testing to help exercise the tool
• Profile = specific configuration on your device to connect to the network
Signing on to Manage Your eduroam Site
• Access is only for site admins
• Requires Federated Single Sign On + invitation one time link
• Can create multiple admins
• Can create multiple ‘profiles’ for testing prior to release.
• Production Profiles can be downloaded via CAT
Once Signed in
Site details
Ability to check other eduroam domains
Creating, Managing & Testing profiles
• Multiple profiles can exist
• Ability to remotely check your own domain
• You can check your profile in advance for your own unit testing!
Managing the Profile
Testing your profile
You’re Invited!
• To tap into this great resource, request your CAF IdP to be added to the eduGAIN feed
• Once added, we send site admins an invite and you’re in
• Don’t have a CAF IdP? Check out our Identity Appliance
http://www.flickr.com/photos/shutter/105497713/sizes/l/in/photostream/ Chris Owens
Eduroam: Looking into the Future within Canada
Investments Being Made
• Geographic diversity
• Expanded capacity
• Increased automation, Change management improvements
• Ops tools: int’l tools (cat.eduroam.org) ticketing & reporting
Eduroam: Looking into the Future globally
Recent Stats
• Thousands (~10000+) points of presence for eduroam SSID
• 60 countries/regions in production, 27 in pilot
• 60,000,000+ successful transactions processed monthly
• Between 10-13% is international traffic
[Chart: 1hr of Global eduroam successful signons, May 14th, 2013 4pm CEST (peak). Countries on the axis: at, bg, cz, dk, fi, hr, ie, it, mk, no, pl, rs, se, uk; scale from 0 to 40,000.]
[Chart: Comparing Domestic & International – May 14th, 2013, 4pm CEST (peak). ∑ National: 161,238; ∑ International: 23,553.]
Eduroam Today
[Diagram labels: id: [email protected]; realm: ubc.ca; realm: sfu.ca; realm: ca; Federation Server; Confederation Servers; realm: lu; realm: restena.lu; realm: uni.lu]
Predicting Growth – Hard, but let’s try
• Needed for preservation of quality & enough runway to act
• Crystal Ball → Assumptions: ratio 2:87:10000:50MM, or
• 10 countries/yr, ea. w/114 ‘domains’ & 575k signons/mth
• Adding another 30 countries requires 1 more root server
• No one has any more devices than they do today :)
• There are 193 countries/regions worldwide
• ...What does this look like 3 years out then?
Today: x87 countries
Today: x2 roots svrs
Today: 10,000+ sites
+3yrs: x117 countries
+3yrs: 3? roots svrs
+3yrs: 13,348+ sites
In 3 years from now..
Why do something different?
• Mobility’s explosive growth hard to predict (size/freq etc)
• TCO profile improvements to be made from new tech.
• Int’l roaming hierarchical model of TLD != geography/country oversight (e.g. .edu/.org)
• Hierarchical structure transactional performance cost more pronounced as mobility increases
Bottom line: Need to investigate ways to have optimal service performance & cost which break away from same curve as growth
http://www.flickr.com/photos/cubmundo/7174576572/ cubmundo, http://www.flickr.com/photos/konabish/5968465331/ Greg Bishop
Future Contexts
• Reality: we’re no longer nimble: now have battleship turning radius
• Recommendations/explorations take time to do well, and have long shelf life
→ means planning horizons of 2, 3, 5 yr for deployment + Total Cost Ownership
• Always an eye on overall cost, want to explore new paths for trust management. PKIX already woven into today’s model, improvements to this?
Approach:
• 2 years out: Do mix of NAPTR, Shared Secret, RADSEC?
• 3 years out: Go toward stronger PKIX model?
• 5 years out: Leverage DNSSEC & DANE?
eduroam augmented with DANE
[Diagram labels: id: [email protected]; realm: ubc.ca; Host: hotspot.ubc.ca; realm: sfu.ca; realm: ca; Federation Server; Confederation Servers; realm: lu; realm: restena.lu; realm: uni.lu; eduroam.org]
DNSSec zone for eduroam.org:
• idp.eduroam.org: tld1.eduroam.lu.idp.eduroam.org
• sp.eduroam.org: Hotspot.ubc.ca.sp.eduroam.org
Exchange shown on the diagram:
• ‘Host’ in DNS & has cert? Yes, here it is!
• tld1.eduroam.lu, can I have your key? Yes, here it is!
• Yup, key offered matches that in DNSSec tree, you shall pass, carry on!
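The key check from the DANE slide, written out as an added example (not code from the presentation or from eduroam): a peer is accepted only when the key it offers matches a TLSA record (RFC 6698) published under the slide's `<host>.idp.eduroam.org` / `<host>.sp.eduroam.org` names. Assumptions: the `ZONE` dict stands in for answers that already passed DNSSEC validation, the byte strings are constructed placeholders rather than real certificates, and only TLSA usage 3 is honoured.

```python
import hashlib
import hmac

# RFC 6698 matching types: 0 = exact bytes, 1 = SHA-256, 2 = SHA-512.
DIGESTS = {1: hashlib.sha256, 2: hashlib.sha512}

def owner_name(host, role):
    """Lookup name as drawn on the slide: <host>.<idp|sp>.eduroam.org."""
    if role not in ("idp", "sp"):
        raise ValueError("role must be 'idp' or 'sp'")
    return f"{host.lower().rstrip('.')}.{role}.eduroam.org."

def tlsa_matches(record, cert_der, spki_der):
    """Check one (usage, selector, mtype, data) record against the offered key."""
    _usage, selector, mtype, data = record
    # Selector 0 covers the whole certificate, selector 1 only the public key.
    offered = {0: cert_der, 1: spki_der}.get(selector)
    if offered is None:
        return False
    if mtype == 0:
        candidate = offered
    elif mtype in DIGESTS:
        candidate = DIGESTS[mtype](offered).digest()
    else:
        return False
    return hmac.compare_digest(candidate, data)

def peer_allowed(zone, host, role, cert_der, spki_der):
    """Fail closed: a missing name or a non-matching key refuses the peer."""
    records = zone.get(owner_name(host, role), [])
    # Assumption: only usage 3 (DANE-EE) is honoured, so no CA chain is needed.
    return any(r[0] == 3 and tlsa_matches(r, cert_der, spki_der) for r in records)

# Constructed placeholders, not real certificates or keys.
CERT = b"constructed-certificate-der"
SPKI = b"constructed-subject-public-key-info"
# Stand-in for TLSA answers that already passed DNSSEC validation.
ZONE = {
    "tld1.eduroam.lu.idp.eduroam.org.": [(3, 1, 1, hashlib.sha256(SPKI).digest())],
    "hotspot.ubc.ca.sp.eduroam.org.": [(3, 0, 2, hashlib.sha512(CERT).digest())],
}

if __name__ == "__main__":
    print(peer_allowed(ZONE, "tld1.eduroam.lu", "idp", CERT, SPKI))  # key matches
    print(peer_allowed(ZONE, "tld1.eduroam.lu", "idp", CERT, b"swapped-key"))
```

A real deployment would take the certificate and SubjectPublicKeyInfo bytes from the TLS handshake and the records from a validating resolver.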
Take Aways
About Canadian
Operations
Traffic Stats
Trends & Patterns
Streamlining Configuration
Tools
Under the hood
Looking into the future
Options
Latest Developments
• Always expanding the network
• Mobility will just get more important
• We build on your success
• We’re making it easier
• Tools are ready for you
• Go for the next step
• Investing in the infrastructure
• Working with leaders worldwide
• Ensuring our needs are heard
Useful References
• The DNS-Based Authentication of Named Entities (DANE) Transport Layer Security (TLS) Protocol: TLSA: http://tools.ietf.org/html/rfc6698
• Use Cases and Requirements for DNS-Based Authentication of Named Entities (DANE): http://tools.ietf.org/html/rfc6394
• Useful reference about expected responses and SMTP and DANE: https://datatracker.ietf.org/doc/draft-ietf-dane-srv/?include_text=1
• RADSEC whitepaper: http://www.open.com.au/radiator/radsec-whitepaper.pdf
• Interesting other enhancements/ideas about certificates and related security: http://www.certificate-transparency.org/faq