all things eduroam

www.canarie.ca

Upload: chris-phillips

Post on 20-May-2015


DESCRIPTION

CANARIE is the operator for eduroam in Canada and is active both domestically and internationally working on improvements and expanding the reach of eduroam. Our activities are diverse and we would like to update the community with developments in the following areas:

Eduroam operations: The number of eduroam sites in Canada is growing and so is the traffic as more and more mobile users carry multiple devices. Maintaining a high quality experience is important where the ultimate assessment is in the hands of the users. This portion of the presentation will discuss specific areas that we focused on and how they have improved, as well as eduroam traffic patterns and analysis tools.

Helping eduroam sites streamline eduroam configuration using CATS: CAT is short for Configuration Assistant Tool, a centrally managed service tool created by eduroam.org that allows site admins to monitor and remotely test their eduroam site from international locations. It uses federated access (using CAF & eduGAIN) to permit site operators to manage their own site-specific settings, and help streamline eduroam deployment and local support.

Looking to the future: Exploring enhancements to eduroam infrastructure – eduroam has been in service for just over ten years using the same durable RADIUS technology. This portion of the presentation will explore some of the next generation approaches to keep eduroam growing and working even better for the next decade. Topics in this section will be improved ways to interconnect eduroam servers using DNSSEC, as well as DANE cryptographic enhancements for dynamic server discovery.

TRANSCRIPT

Page 1: All Things eduroam


Page 2: All Things eduroam


An update on eduroam topics in Canada

All Things Eduroam

Chris Phillips | June 12th, 2013 | CANHEIT | Ottawa

Page 3: All Things eduroam


Today’s topics

About Canadian

Operations

Traffic Stats

Trends & Patterns

Streamlining Configuration

Tools

Under the hood

Looking into the future

Latest Developments

Options

Page 4: All Things eduroam


Wifi is the new ethernet

Page 5: All Things eduroam


[Chart: CANHEIT 2013 eduroam Usage, logarithmic axis from 1 to 10000, daily from Thursday, 6 June, 13 to Tuesday, 11 June, 13. Series: eduroam Authentications, eduroam Unique Users. Data labels: 332, 18, 328, 637, 5410, 5986 and 38, 8, 24, 51, 177, 172.]

Page 6: All Things eduroam


Page 7: All Things eduroam


A day in the life of eduroam

Page 8: All Things eduroam


Where do they benefit from the service?

Page 9: All Things eduroam


Within Canada…

Page 10: All Things eduroam


Eduroam in Canada

[Chart: eduroam Successful Logins. Series: International, Canada, % no reply from server.]

Page 11: All Things eduroam


Eduroam helping reduce guest accounts

Page 12: All Things eduroam


Tools

Page 13: All Things eduroam


Go from this To this

Page 14: All Things eduroam


Canadian Data Now in eduroam Companion

•  Based on registry & published by XML

•  XML files aggregated centrally by eduroam.org & available for apps

•  One example of benefiting from a larger ecosystem

Page 15: All Things eduroam


Data Improvements

•  Eduroam @ your campus is not just a single point

•  But that’s all we have on you to geo-locate.

•  Site admins can provide updated institution XML for their extra sites to enrich the database

•  Send to: [email protected]

Page 16: All Things eduroam


Eduroam CAT service

•  Builds & hosts profile installers for all platforms and devices (MSFT, Apple, Linux)

•  CANARIE participated early in Beta testing to help exercise the tool

•  Profile = specific configuration on your device to connect to the network

Page 17: All Things eduroam


Signing on to Manage Your eduroam Site

•  Access is only for site admins

•  Requires Federated Single Sign On + invitation one time link

•  Can create multiple admins

•  Can create multiple ‘profiles’ for testing prior to release.

•  Production Profiles can be downloaded via CAT

Page 18: All Things eduroam


Once Signed in

Page 19: All Things eduroam


Site details

Page 20: All Things eduroam


Ability to check other eduroam domains

Page 21: All Things eduroam


Creating, Managing & Testing profiles

Multiple profiles can exist

Ability to remotely check your own domain

You can check your profile in advance for own unit testing!

Page 22: All Things eduroam


Managing the Profile

Page 23: All Things eduroam


Testing your profile

Page 24: All Things eduroam


You’re Invited!

•  To tap into this great resource, request your CAF IdP to be added to the eduGAIN feed

•  Once added we send site admins invite and you’re in

•  Don’t have a CAF IdP? Check out our Identity Appliance

http://www.flickr.com/photos/shutter/105497713/sizes/l/in/photostream/ Chris Owens

Page 25: All Things eduroam


Eduroam: Looking into the Future within Canada

Page 26: All Things eduroam


Page 27: All Things eduroam


Page 28: All Things eduroam


Investments Being Made

•  Geographic diversity

•  Expanded capacity

•  Increased automation, Change management improvements

•  Ops tools: int’l tools (cat.eduroam.org) ticketing & reporting

Page 29: All Things eduroam


Eduroam: Looking into the Future globally

Page 30: All Things eduroam


Recent Stats

•  Thousands (~10000+) points of presence for eduroam SSID

•  60 countries/regions in production, 27 in pilot

•  60,000,000+ successful transactions processed monthly

•  Between 10-13% is international traffic

[Chart: 1hr of Global eduroam successful signons, May 14th, 2013, 4pm CEST (peak). Axis from 0 to 40,000, by country: at bg cz dk fi hr ie it mk no pl rs se uk.]

[Chart: Comparing Domestic & International, May 14th, 2013, 4pm CEST (peak). ∑ National: 161,238; ∑ International: 23,553.]

Page 31: All Things eduroam


Eduroam Today


id: [email protected] realm: ubc.ca realm: sfu.ca

realm: ca

Confederation Servers

Federation Server

realm: restena.lu

realm: lu

realm: uni.lu

Predicting Growth – Hard, but let’s try

•  Needed for preservation of quality & enough runway to act

•  Crystal Ball → Assumptions: ratio 2:87:10000:50MM, or

•  10 countries/yr, ea. w/114 ‘domains’ & 575k signons/mth

•  Adding another 30 countries, requires 1 more root server

•  No one has any more devices than they do today :)

•  There are 193 countries/regions worldwide

•  ..What does this look 3 years out then?

Today: x87 countries

Today: x2 roots svrs

Today: 10,000+ sites

+3yrs: x117 countries

+3yrs: 3? roots svrs

+3yrs: 13,348+ sites

In 3 years from now..

Page 32: All Things eduroam


Why do something different?

•  Mobility’s explosive growth hard to predict (size/freq etc)

•  TCO profile improvements to be made from new tech.

•  Int’l roaming hierarchical model of TLD != geography/country oversight (e.g. .edu/.org)

•  Hierarchical structure transactional performance cost more pronounced as mobility increases

Bottom line: Need to investigate ways to have optimal service performance & cost which break away from same curve as growth

Page 33: All Things eduroam

http://www.flickr.com/photos/cubmundo/7174576572/ cubmundo, http://www.flickr.com/photos/konabish/5968465331/ Greg Bishop

Future Contexts •  Reality: we’re no longer nimble: now have battleship turning radius

•  Recommendations/explorations take time to do well, and have long shelf life

→ means planning horizons of 2,3,5yr for deployment+ Total Cost Ownership

•  Always an eye on overall cost, want to explore new paths for trust management. PKIX already woven into today’s model, improvements to this?

Approach 2 years out 3 years out 5 years out

Do mix of NAPTR, Shared Secret, RADSEC?

Go toward stronger PKIX model?

Leverage DNSSEC & DANE?

Page 34: All Things eduroam


eduroam augmented with DANE


id: [email protected] realm: ubc.ca

Host: hotspot.ubc.ca realm: sfu.ca

realm: ca

Confederation Servers

Federation Server

realm: restena.lu

realm: lu

realm: uni.lu

eduroam.org

DNSSec zone for eduroam.org

idp.eduroam.org sp.eduroam.org

tld1.eduroam.lu.idp.eduroam.org

Hotspot.ubc.ca.sp.eduroam.org

‘Host’ In DNS & has cert?

Yes, here it is!

tld1.eduroam.lu, can I have your key?

Yes, here it is!

Yup, key offered matches that in DNSSec tree, you shall pass, carry on!
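The key check sketched on this slide, written out as an added example (not code from the presentation or from eduroam): comparing the key a peer offers against TLSA records as defined in RFC 6698. The certificate bytes, the record set and the `dnssec_validated` flag are constructed assumptions, and only usage 3 records are accepted because the other usages also require certificate chain validation.

```python
import hashlib
import hmac

# Matching types from RFC 6698: 0 = exact bytes, 1 = SHA-256, 2 = SHA-512.
MATCHERS = {
    0: lambda data: data,
    1: lambda data: hashlib.sha256(data).digest(),
    2: lambda data: hashlib.sha512(data).digest(),
}
DANE_EE = 3  # usage 3: the record pins the server's own certificate or key


def parse_tlsa(rdata):
    """Parse TLSA presentation format: 'usage selector mtype hex...'."""
    fields = rdata.split()
    if len(fields) < 4:
        raise ValueError("TLSA RDATA needs four fields")
    usage, selector, mtype = (int(f) for f in fields[:3])
    if selector not in (0, 1) or mtype not in MATCHERS:
        raise ValueError("unknown selector or matching type")
    return usage, selector, mtype, bytes.fromhex("".join(fields[3:]))


def peer_allowed(rrset, cert_der, spki_der, dnssec_validated):
    """True if any usable TLSA record matches the key the peer offered."""
    if not dnssec_validated:      # an unsigned answer proves nothing
        return False
    for rdata in rrset:
        try:
            usage, selector, mtype, pinned = parse_tlsa(rdata)
        except ValueError:
            continue              # skip malformed records, never match on them
        if usage != DANE_EE:
            continue              # usages 0-2 also need chain validation
        offered = cert_der if selector == 0 else spki_der
        if hmac.compare_digest(MATCHERS[mtype](offered), pinned):
            return True
    return False


# Constructed stand-ins for the DER bytes of a server certificate and its
# SubjectPublicKeyInfo; a real client takes both from the TLS handshake.
CERT_DER = b"constructed-certificate-der"
SPKI_DER = b"constructed-spki-der"
RRSET = [
    "3 1 1 " + hashlib.sha256(SPKI_DER).hexdigest(),  # pins the public key
    "3 0 9 00",                                       # malformed: bad mtype
]
```

The `dnssec_validated` flag stands in for the validating resolver's verdict on the answer; without it the record set is just unauthenticated DNS data and must not be trusted.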

Page 35: All Things eduroam


Take Aways

About Canadian

Operations

Traffic Stats

Trends & Patterns

Streamlining Configuration

Tools

Under the hood

Looking into the future

Options

Latest Developments

•  Always expanding the network

•  Mobility will just get more important

•  We build on your success

•  We’re making it easier

•  Tools are ready for you

•  Go for the next step

•  Investing in the infrastructure

•  Working with leaders worldwide

•  Ensuring our needs are heard

Page 36: All Things eduroam


Useful References

The DNS-Based Authentication of Named Entities (DANE) Transport Layer Security (TLS) Protocol: TLSA
http://tools.ietf.org/html/rfc6698

Use Cases and Requirements for DNS-Based Authentication of Named Entities (DANE)
http://tools.ietf.org/html/rfc6394

Useful reference about expected responses and SMTP and DANE
https://datatracker.ietf.org/doc/draft-ietf-dane-srv/?include_text=1

RADSEC whitepaper
http://www.open.com.au/radiator/radsec-whitepaper.pdf

Interesting other enhancements/ideas about certificates and related security
http://www.certificate-transparency.org/faq

Page 37: All Things eduroam
