WLAN Roaming for the European Scientific Community: Lessons Learned
June 9th, 2004
Carsten Bormann <[email protected]>, Niels Pollem <[email protected]>
reporting on the work of TERENA TF Mobility
http://www.terena.nl/mobility/
2
Outline
WLAN access control and security
How does inter-domain roaming work
Roaming on a European scale
How to integrate solutions at the site level
Conclusion
3
WLAN Security: Requirements
Confidentiality (Privacy):
Nobody can understand foreign traffic
Insider attacks as likely as outsiders'
Accountability:
We can find out who did something
Prerequisite: Authentication
4
(2003:) Security is rarely easy
5
(2004:) solved
6
(2004:) or maybe not?
7
WLAN Security: Approaches
AP-based security: AP is the network boundary
  WEP (broken), WEP fixes, WPA, …
  802.1X (EAP variants + RADIUS) + 802.11i
Network-based security: deep security
  VPNs needed by mobile people anyway
  SSH, PPTP, IPsec
Alternative: Web-diverter (temporary MAC/IP address filtering)
  No confidentiality at all, though
8
Diagram: 802.1X deployment. Access network with .1X authenticators, routers, campus network with RADIUS server(s), Intranet X, world.
9
WLAN Access Control: Why 802.1X is better
802.1X is taking over the world anyway
  The EAP/XYZ people are finally getting it right
  Only 5 more revisions before XYZ wins wide vendor support
Available for more and more systems (Windows 2000 up)
Distribute hard crypto work to zillions of access points
  Block them as early as possible
More control to visited site admin, too!
Most of all: It just works™
10
Diagram: VPN deployment. Docking network (DHCP, DNS, free Web), VPN gateways, campus network, Intranet X, world; VPN tunnel from the docking network to the VPN gateway.
11
WLAN Access Control: Why VPN is better
Historically, more reason to trust L3 security than L2
  IPSec has lots of security analysis behind it
Can use cheap/dumb APs
Available for just about everything (Windows 98, PDA etc.)
Easy to accommodate multiple security contexts
  Even with pre-2003 infrastructure
Data is secure in the air and up to the VPN gateway
Most of all: It just works™
12
Diagram: Web-based filtering. Docking network (DHCP, DNS, free Web), access control device performing the Web redirect, campus network, Intranet X, world.
13
WLAN Access Control: Why Web-based filtering is better
No client software needed (everybody has a browser)
Ties right into existing user/password schemes
Can be made to work easily for guest users
  It’s what the hotspots use, so guest users will know it already
  May be able to tie in with Greenspot etc.
Privacy isn’t that important anyway (use TLS and SSH)
Accountability isn’t that important anyway
Most of all: It just works™
From Access Control to Roaming
15
Roaming: High-level requirements
Objective:
Enable NREN users to use the Internet (WLAN and wired) everywhere in Europe
  with minimal administrative overhead (per roaming)
  with good usability
  maintaining the required security for all partners
16
Inter-domain 802.1X
Diagram: Inter-domain 802.1X. The supplicant of guest piet@institution_b.nl at the visited Institution A talks to the authenticator (AP or switch); Institution A's RADIUS server forwards the request over the Internet via a central RADIUS proxy server (e.g., @NREN) to Institution B's RADIUS server and user DB (home). On the visited side, users are placed in the Student VLAN, Guest VLAN or Employee VLAN.
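As an added example (not code from the TF Mobility slides or from any NREN), the realm-based forwarding decision a national RADIUS proxy makes in the hierarchy shown above, plus the visited site's VLAN choice once the home server answers. Server names, realms and VLAN ids are constructed assumptions.

```python
# Added example, not from the TF Mobility slides: realm-based routing decision
# of a national RADIUS proxy in the 802.1X hierarchy (institution RADIUS ->
# national proxy -> European proxy), plus the visited site's VLAN choice.
# Server names, realms and VLAN ids are constructed.
from dataclasses import dataclass

NATIONAL_TLD = "nl"                                  # this proxy serves the .nl NREN
HOME_SERVERS = {                                     # realms this country is authoritative for
    "institution_a.nl": "radius.institution_a.nl",
    "institution_b.nl": "radius.institution_b.nl",
}
EUROPEAN_PROXY = "radius.eu-proxy.example"           # assumed name of the top-level proxy
VISITED_REALM = "institution_a.nl"                   # site whose authenticator saw the user
VLANS = {"employee": 10, "student": 20, "guest": 30}

@dataclass
class Decision:
    action: str          # "forward" or "reject"
    next_hop: str = ""   # RADIUS server receiving the Access-Request
    reason: str = ""

def split_nai(user_name: str):
    """Split user@realm (RFC 4282 NAI); realm is "" if absent, lower-cased otherwise."""
    if "@" not in user_name:
        return user_name, ""
    user, _, realm = user_name.rpartition("@")
    return user, realm.lower()

def route_request(user_name: str) -> Decision:
    """Decide where the national proxy sends an Access-Request."""
    _, realm = split_nai(user_name)
    if not realm:
        # No realm means no home server can vouch for the user: reject, don't guess.
        return Decision("reject", reason="User-Name carries no realm")
    if realm in HOME_SERVERS:
        return Decision("forward", HOME_SERVERS[realm], "home institution")
    if realm.endswith("." + NATIONAL_TLD):
        # Own country but unknown realm: reject here instead of passing it to the
        # European proxy, which would only route it straight back (loop).
        return Decision("reject", reason="unknown realm under ." + NATIONAL_TLD)
    return Decision("forward", EUROPEAN_PROXY, "foreign realm, via European proxy")

def assign_vlan(user_name: str, home_role: str) -> int:
    """Visited-site VLAN after Access-Accept. A role or VLAN hint coming back
    from a foreign home realm is ignored: roaming users always land in the guest VLAN."""
    _, realm = split_nai(user_name)
    if realm != VISITED_REALM:
        return VLANS["guest"]
    return VLANS.get(home_role, VLANS["guest"])
```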
17
Web-based with RADIUS
18
Diagram: two sites, each with a docking network (DHCP, DNS, free Web), VPN gateways, campus network, G-WiN and Intranet X; a VPN tunnel runs from the visited docking network back to the home site's gateway.
SWITCHmobile – VPN solution deployed at 14+ universities and other sites across Switzerland.
Wbone – VPN roaming solution for 4 universities / colleges in the state of Bremen.
Clients enter the Internet through their home network/gateway.
19
Wbone: interconnecting docking networks
Diagram: Wbone links the docking networks of Uni Bremen (172.21/16), HS Bremen (172.25/16), HfK, HS Brhv. (10.28.64/18) and AWI over RBriteline; gateways are IPSec (Cisco) and PPTP/SSH (Linux), with the network to be extended to other sites.
Making roaming work on a European scale
21
European RADIUS hierarchy
Diagram: national RADIUS proxy servers (FCCN, UKERNA, SURFnet, FUNET, DFN, CARnet, CESnet, RedIRIS, UNI-C, GRnet) connecting to a European-level RADIUS proxy server.
22
The CASG
Separate docking networks from controlled address space for gateways (CASG)
Hosts on docking networks can freely interchange packets with hosts in the CASG
  Easy to accomplish with a couple of ACLs
All VPN gateways get an additional CASG address
  Hmm, problem with some Cisco concentrators
inetnum: 193.174.167.0 - 193.174.167.255
netname: CASG-DFN
descr: DFN-Verein
descr: Stresemannstrasse 78
descr: 10963 Berlin
country: DE
admin-c: MW238
tech-c: JR433
tech-c: KL565
status: ASSIGNED PA
mnt-by: DFN-LIR-MNT
changed: [email protected] 20040603
source: RIPE
23
Diagram: three sites (each with a docking network offering DHCP, DNS and free Web, an access controller, VPN gateways, campus network, G-WiN and Intranet X) reachable from each other through the CASG, with the big bad Internet outside.
24
CASG allocation
Back-of-the-envelope: 1 address per 10000 population
  E.g., .CH gets ~600, Bremen gets ~60
Allocate to minimize routing fragmentation
  May have to use some tunneling/forwarding
VPN gateway can have both local and CASG address
25
The CASG Pledge
I will gladly accept any packet
  There is no such thing as a security incident on the CASG
I will not put useful things in the CASG
  People should not be motivated to go there except to authenticate or use authenticated services
I will help manage the prefix space to remain stable
How to integrate all these at the site level?
27
Commonalities
Approach                  | SSID        | Backend
802.1X                    | Secure SSID | RADIUS
Web-based captive portal  | Open SSID   | RADIUS
VPN-based                 | Open SSID   | No RADIUS
The two open-SSID approaches share a docking net; the two RADIUS approaches share a RADIUS backend.
28
How can I help... as a home institution
Implement the other backend:
  As a RADIUS-based site
    Implement a CASG VPN gateway (or subscribe to an NREN one)
    Provide the right RADIUS for all frontends
  As a VPN site
    Run a RADIUS server
Help the users try and debug their roaming setup while at home (play visited site)
29
How can I help... as a visited institution
Implement the other frontend:
  As a docking network site
    Implement the other docking approach: CASG access or Web-diverter
    Implement an 802.1X SSID (“eduroam”) in addition to the open SSID
  As an 802.1X site
    Implement an open SSID with CASG access and Web-diverter
Your local users will like it, too
  Maybe too much…
30
Network layout with multiple SSIDs and VLAN assignment
31
Network layout without multiple SSIDs and VLAN assignment
Doing the plumbing
33
Default router in docking net
Default route points to access control device:
ip route 0.0.0.0 0.0.0.0 172.21.3.11
CASG routes point to CASG router
ip route 193.174.167.0 255.255.255.0 172.21.3.250
34
CASG router
ip access-list extended casg-out
permit ip 193.174.167.0 0.0.0.255 any
deny ip any any
ip access-list extended casg-in
permit ip any 193.174.167.0 0.0.0.255
deny ip any any
interface Vlan86
 ip address 172.21.3.250 255.255.0.0
 ip access-group casg-in in
 ip access-group casg-out out
 ip nat inside
35
What if docking net is RFC1918?
Maximum compatibility with an address-based NAT:
ip access-list standard docking-addr
 permit 172.21.0.0 0.0.255.255
!
ip nat translation timeout 1800
ip nat pool dn 134.102.216.1 134.102.216.250 netmask 255.255.255.0
ip nat inside source list docking-addr pool dn
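As an added example (not from the slides), a small evaluator for the CASG router's ACLs and address NAT from the plumbing slides above, useful for checking which docking-net flows the configuration admits before deploying it. The prefixes and NAT pool are the slides' own; the sample packets are constructed, and IOS behaviour such as implicit deny and un-NAT before the outbound ACL is modelled as an assumption.

```python
# Added example, not from the TF Mobility slides: evaluator for the CASG router's
# Cisco-style ACLs (casg-in/casg-out on Vlan86) and the address NAT of the
# RFC 1918 docking net into pool dn. Prefixes are the slides' own; packets are
# constructed; IOS semantics (implicit deny, un-NAT before egress ACL) are assumed.
import ipaddress

DOCKING = ipaddress.ip_network("172.21.0.0/16")          # docking-addr list, RFC 1918
ANY = ("0.0.0.0", "255.255.255.255")                     # IOS keyword "any"
# access-list name -> [(action, src_base, src_wild, dst_base, dst_wild), ...]
ACLS = {
    "casg-in":  [("permit", *ANY, "193.174.167.0", "0.0.0.255"), ("deny", *ANY, *ANY)],
    "casg-out": [("permit", "193.174.167.0", "0.0.0.255", *ANY), ("deny", *ANY, *ANY)],
}

def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """Cisco wildcard mask: 0 bits must match, 1 bits are don't-care."""
    a, b, w = (int(ipaddress.ip_address(x)) for x in (addr, base, wildcard))
    return (a & ~w) == (b & ~w)

def acl_permits(name: str, src: str, dst: str) -> bool:
    """First matching entry decides; IOS also has an implicit deny at the end."""
    for action, sb, sw, db, dw in ACLS[name]:
        if wildcard_match(src, sb, sw) and wildcard_match(dst, db, dw):
            return action == "permit"
    return False

class CasgRouter:
    """Vlan86 faces the docking net: casg-in on ingress, casg-out on egress, NAT inside."""
    def __init__(self):
        self.pool = [str(ip) for ip in ipaddress.ip_network("134.102.216.0/24").hosts()][:250]
        self.nat = {}                                      # inside local -> inside global

    def from_docking(self, src: str, dst: str):
        """Packet entering Vlan86 from a docking host: (src, dst) as forwarded, or None."""
        if not acl_permits("casg-in", src, dst):
            return None
        if ipaddress.ip_address(src) in DOCKING:
            if src not in self.nat:
                if len(self.nat) >= len(self.pool):       # flash crowd: pool exhausted
                    return None
                self.nat[src] = self.pool[len(self.nat)]
            src = self.nat[src]
        return (src, dst)

    def to_docking(self, src: str, dst: str):
        """Reply from the CASG side: un-NAT the destination, then apply casg-out."""
        local = {g: l for l, g in self.nat.items()}.get(dst, dst)
        return (src, local) if acl_permits("casg-out", src, local) else None
```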
So where are we?
37
Fun little issues
1/3 of Bremen's 432 Cisco 340 APs can't do VLANs
  Ethernet interface hardware MTU issue
Some client WLAN drivers are erratic in the presence of multi-SSID APs
Can't give university IP addresses to roamers
  Too many university-only services are “authenticated” on IP address
  Address pool must be big enough for flash crowds
CASG space is currently allocated on a national level
  So there will be a dozen updates before CASG is stable
38
Conclusions
It is possible to create a fully interoperable solution
It’s not that hard:
  especially when you use TF Mobility’s deliverable H to guide you
Re-evaluate solutions in a couple of years
  TF Mobility is going for a second term to help
Integration approach also provides an easy upgrade path
  E.g., add 802.1X to a docking-only site
39
Go for it
http://www.terena.nl/mobility/