eduroam JP and development of UPKI roaming Yoshikazu Watanabe*, Satoru Yamano* Hideaki Goto**, Hideaki Sone** * NEC Corporation, Japan ** Tohoku University, Japan APAN24, Xi’an, 28 Aug. 2007
Page 1

eduroam JP and development of UPKI roaming

Yoshikazu Watanabe*, Satoru Yamano*

Hideaki Goto**, Hideaki Sone**

* NEC Corporation, Japan

** Tohoku University, Japan

APAN24, Xi’an, 28 Aug. 2007

Page 2

Contents

• UPKI project and network roaming

• eduroam in Japan

• Problems and solutions

• Access control of roaming users regarding local resources

• Summary

Page 3

UPKI project and network roaming

• UPKI: University PKI (also referred to as: Inter-University Authentication and Authorization Platform)

– Campus Ubiquitous Network (Tohoku Univ.)

• R&D of authentication/policy-based network control mechanism

– Introduction of eduroam to Japan

– R&D of UPKI roaming system

• Collaborative research by Tohoku Univ. and NEC

Page 4

eduroam in Japan

2006

• Aug. 31: Tohoku University connected to Asia-Pacific eduroam

• Sep. 28: eduroam JP website opened

• Dec.: Connected to the Asia-Pacific eduroam secondary server in Hong Kong

• Dec.: Four organizations federated: High Energy Accelerator Research Organization (KEK), National Institute of Informatics (NII), Hokkaido Univ., and Kyoto Univ.

2007

• June: Kyushu University federated

Eduroam HP: http://www.eduroam.jp/

Page 5

eduroam JP network

(Diagram: JP Primary and JP Secondary servers; member institutions Hokkaido Univ., Tohoku Univ., Kyoto Univ., KEK, NII, and Kyushu Univ.; AP Primary and AP Secondary servers (Hong Kong, Australia); Europe. Label: the first eduroam AP in Japan.)

Page 6

Circumstance in Japan

• Scale

– Lots of universities and colleges (87 national, 76 public, 571 private, and colleges; 1,200+ total as of Apr. 2006)

– Large universities (some have 30,000+ people)

• Operational policy

– Guest use of IP addresses owned by a visited institution for the Internet access is not acceptable (≒ illegal) in many cases.

– Each institution has different network administration policies.

Page 7

Problem about scale

• Problem

– Lots of universities and colleges → Configuring radius proxies is so hard

• Solution

– Utilizing the realm regular-expression patch for FreeRADIUS

• A patch that enables configuring proxying with regular expressions

• Adopted into recent versions of FreeRADIUS

– RadSec is also expected to solve this problem, and further to enhance the flexibility of configuration.
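As an added illustration of what regex-based realm proxying does at a national top-level server such as JP Primary (this is not the FreeRADIUS patch or the authors' configuration; the hostnames and patterns are constructed), the Python sketch below routes a roaming user's realm to the next hop. The patterns are anchored so that a look-alike realm cannot be steered to a member institution, and unmatched foreign realms go up to the AP proxy.

```python
import re

# Constructed routing table (assumption: the slides do not show the real patterns).
# First match wins, so institution-specific patterns precede the catch-alls, and
# every pattern is anchored with \A ... \Z so "tohoku.ac.jp.example.org" cannot be
# routed to Tohoku's server.
ROUTES = [
    (r"\A(?:[a-z0-9-]+\.)*tohoku\.ac\.jp\Z", "radius.tohoku.example"),
    (r"\A(?:[a-z0-9-]+\.)*kek\.jp\Z", "radius.kek.example"),
    (r"\A(?:[a-z0-9-]+\.)*[a-z0-9-]+\.ac\.jp\Z", "jp-primary.example"),  # other .ac.jp
    (r"\A[a-z0-9-]+(?:\.[a-z0-9-]+)+\Z", "ap-primary.example"),  # foreign realm -> AP
]
COMPILED = [(re.compile(p), dst) for p, dst in ROUTES]


def split_nai(user_name):
    """Return (user, realm) from a user@realm NAI; raise on a malformed realm."""
    if user_name.count("@") != 1:
        raise ValueError("User-Name must contain exactly one '@'")
    user, realm = user_name.split("@")
    realm = realm.lower()  # realms are case-insensitive; normalise before matching
    if not user or not realm or realm.endswith(".") or realm.startswith("."):
        raise ValueError("empty user or malformed realm")
    return user, realm


def route(user_name):
    """Map a roaming user's realm to the next-hop RADIUS proxy, or None to reject."""
    try:
        _, realm = split_nai(user_name)
    except ValueError:
        return None
    for pattern, dst in COMPILED:
        if pattern.match(realm):
            return dst
    return None  # nothing matched (e.g. a single-label realm): do not proxy
```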

Page 8

Problem about operational policy

• Problem

1. Guest use of IP addresses in a visited institution is not acceptable.

• Responsible bodies become unclear.

• Visited institutions are often involved in resolving troubles (e.g. cracking, illegal access).

• Causes a violation of the subscription conditions of IP address-based licensing (e.g. online journals).

→ VPN-only policy (for the Internet access)

2. Each institution has different network administration policies.

→ Visited institutions need a way to authorize roaming guests’ accesses to local resources.

→ Exchange of user class information and access control for local resources

Page 9

Proposed solutions (Campus Ubiquitous Network)

(Diagram: client with supplicant S/W, AP, FW, RADIUS and local resources at the home institution and at the visited institution; VPN server at the home institution; the Internet.)

1. VPN-only policy: Roaming users must use a home VPN server to access the Internet. (A direct access to the Internet from the visited institution network is prohibited.) After authentication at the AP, a user accesses the VPN server and goes outside, using a home IP address.

2. Exchange of user class information and access control for local resources: exchange of authorization information and access control, as an extension to eduroam authentication. This is our recent main theme.

Page 10

Exchange of user class information and access control for local resources

• Basic idea

– Extend the eduroam authentication procedure

– A home radius server attaches user class information to a radius access-accept packet.

– A radius server in a visited institution authorizes user accesses to local resources according to the received user class and local policies.

→ Realize access control for local resources

• Prototype implementation is done

Page 11

User class

• Classification of users by common criteria in eduroam federation

• Each institution assigns user class to each user of the institution in advance.

Page 12

Example of access control for local resources by user class

(Diagram: client, AP, FW, a local service (e.g. printer), the campus network, FW, and the Internet at the visited institution; user classes 1 to 4.)

• Users (class 1) cannot access local resources

• Users (class 2) can access only the local network

• Users (class 3) can access the campus network, but cannot access the Internet directly

• Users (class 4) can access the Internet directly

Page 13

Procedure: Access-Request

(Diagram: client with supplicant S/W, AP, FW, RADIUS and local resources at the visited institution; RADIUS at the home institution; the Internet.)

• Start 802.1x authentication

• Send a radius access-request (a normal radius access-request packet, as usual in eduroam)

• Use eduroam to authenticate the user

• Authenticate and authorize the user

Page 14

Procedure: Access-Accept

(Diagram: client with supplicant S/W, AP, FW, RADIUS and local resources at the visited institution; RADIUS at the home institution; the Internet.)

• Retrieve the user class for the user, and send a radius access-accept packet (a radius access-accept packet with the user class information)

• Authorize accesses to local resources using the user class and local policies

Page 15

Procedure: Access-Accept (cont.)

(Diagram: client with supplicant S/W, AP, FW, RADIUS and local resources at the visited institution; RADIUS at the home institution; the Internet.)

• 802.1x authentication succeeds

• Send a radius access-accept packet with information of authorized local resources

• Send an access-accept packet without information of authorized resources

• Set filtering rules according to the received information

Page 16

Procedure: access to local resources

(Diagram: client with supplicant S/W, AP, FW, RADIUS and local resources at the visited institution; RADIUS at the home institution; the Internet.)

• Access to local resources

• Filter traffic to local resources (block unauthorized accesses)
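The Access-Request/Access-Accept exchange on slides 13 to 16 together with the class policy of slide 12, as an added Python example that is not the authors' prototype: the home side builds an Access-Accept carrying the user class, and the visited side checks the RADIUS Response Authenticator (RFC 2865) before trusting that class and mapping it to the zones the guest may reach. The carrier attribute (the standard Class attribute, type 25, with a constructed "eduroam-class=N" value), the shared secret and the zone names are assumptions; the slides do not specify them.

```python
import hashlib
import hmac
import struct

ACCESS_ACCEPT = 2
ATTR_CLASS = 25  # standard Class attribute, assumed carrier; the slides name none
PREFIX = b"eduroam-class="

# Constructed visited-institution policy after slide 12: zones each class may reach.
POLICY = {1: set(), 2: {"local"}, 3: {"local", "campus"},
          4: {"local", "campus", "internet"}}

def build_access_accept(req_id, req_auth, secret, user_class=None):
    """Home side: attach the class; ResponseAuth = MD5(Code+ID+Len+ReqAuth+Attrs+Secret)."""
    attrs = b""
    if user_class is not None:
        value = PREFIX + str(user_class).encode()
        attrs = struct.pack("!BB", ATTR_CLASS, len(value) + 2) + value
    head = struct.pack("!BBH", ACCESS_ACCEPT, req_id, 20 + len(attrs))
    resp_auth = hashlib.md5(head + req_auth + attrs + secret).digest()
    return head + resp_auth + attrs

def parse_attrs(data):
    """Walk RADIUS type-length-value attributes; reject truncated or short ones."""
    attrs, i = [], 0
    while i < len(data):
        if i + 2 > len(data) or data[i + 1] < 2 or i + data[i + 1] > len(data):
            raise ValueError("malformed attribute")
        attrs.append((data[i], data[i + 2:i + data[i + 1]]))
        i += data[i + 1]
    return attrs

def authorize(packet, req_id, req_auth, secret):
    """Visited side: verify the reply before trusting its class; None = drop, else zones."""
    if len(packet) < 20:
        return None
    code, pid, length = struct.unpack("!BBH", packet[:4])
    if code != ACCESS_ACCEPT or pid != req_id or length != len(packet):
        return None
    attrs = packet[20:]
    expected = hashlib.md5(packet[:4] + req_auth + attrs + secret).digest()
    if not hmac.compare_digest(expected, packet[4:20]):
        return None  # wrong shared secret or tampered in transit: drop it
    try:
        classes = [v[len(PREFIX):] for t, v in parse_attrs(attrs)
                   if t == ATTR_CLASS and v.startswith(PREFIX)]
        # Exactly one class is required; none (slide 15) or several means deny.
        return POLICY.get(int(classes[0]), set()) if len(classes) == 1 else set()
    except ValueError:  # malformed attribute or non-numeric class: deny
        return set()
```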

Page 17

Issues to be examined

• The definition of the “user class” in eduroam

– Representation, granularity, and so on

• How to realize and control the communication between roaming users and local resources

• Et cetera

Page 18

Summary

• 6 institutions are participating in eduroam JP.

• Issues regarding roaming are revealed through the deployment of eduroam JP.

• Examining access control of roaming users regarding local resources

Page 19

Thank you for your kind attention.

Page 20

References

Page 21

The problem about traceability

(Diagram: a visitor at the visited institution, using a host IP address, makes an illegal access to a server on the Internet; home institution.)

What if a visitor with an IP address of the visited institution did some attacks to servers outside???

• Guest users using the host’s IP addresses are recognized as members of the institution.

• A visitor cannot access the user’s home resources.

Page 22

Traceability: case study 1

University B is subscribing to an electronic journal X, while another university A is not.

A student at univ-A goes to univ-B so he/she can download journal X using the WLAN roaming. Since the student downloaded too many articles at once, the publisher thought it was a violation of the subscription condition and sent a complaint to univ-B.

In univ-B, the NW manager has to analyze the roaming logs, and contact univ-A to search for the user.

User tracking and communications between universities are laborious. Even between departments in a university, such user tracking is very difficult. It is also much more difficult between countries.

Page 23

Traceability: case study 2

Some resources such as local web servers in univ-B are protected by an address-based access restriction. When people in univ-A visited univ-B, they could gain access to the resources using the WLAN roaming system.

Even if the administrators of the web servers examine the access logs, the outsiders’ accesses cannot be noticed because the “local” IP addresses are used.

Page 24

Possible solution for roaming issues

Dedicated network

• A dedicated network might be useful for solving the responsibility problems.

– User tracking remains difficult.

• WLAN users cannot use local resources.

– This can be either a merit or a demerit.

(Diagram: home university; visited university with a campus LAN and a dedicated network; the Internet; publisher.)

Page 25

VPN-only solution

Permitted protocols for roaming users

• VPN

– PPTP (GRE (47), TCP/1723)

– OpenVPN (UDP/1194)

– SSH (TCP/22)

– IPsec NAT-traversal (UDP/4500)

– Cisco IPsec (TCP/10000)

– L2TP (UDP/1701)

• Others

– pop3 (TCP/110)

– pop3s (TCP/995)

– imap4 (TCP/143)

– imaps (TCP/993)

– ssmtp (TCP/465)

– msa (TCP/587)