
WLAN Roaming for the
European Scientific Community:
Lessons Learned
Rodo, June 9th, 2004
Carsten Bormann <[email protected]>
Niels Pollem <[email protected]>
reporting on the work of TERENA TF Mobility
Outline
- WLAN access control and security
- How does inter-domain roaming work
- Roaming on a European scale
- How to integrate solutions at the site level
- Conclusion
WLAN Security: Requirements
- Confidentiality (Privacy):
  - Nobody can understand foreign traffic
  - Insider attacks as likely as outsiders'
- Accountability:
  - We can find out who did something
  - Prerequisite: Authentication
WLAN Security: Approaches
- AP-based Security: AP is network boundary
  - WEP (broken), WEP fixes, WPA, …
  - 802.1X (EAP variants + RADIUS) + 802.11i
- Network based Security: deep security
  - VPNs needed by mobile people anyway
  - SSH, PPTP, IPsec
- Alternative: Web-diverter (temporary MAC/IP address filtering)
  - No confidentiality at all, though
[Figure: 802.1X layout. The access network with its routers forms the ".1X world"; it connects to the campus network, Intranet X and the RADIUS server(s).]
WLAN Access Control: Why 802.1X is better
- 802.1X is taking over the world anyway
- The EAP/XYZ people are finally getting it right
  - Only 5 more revisions before XYZ wins wide vendor support
- Available for more and more systems (Windows 2000 up)
- Distribute hard crypto work to zillions of access points
- Block them as early as possible
  - More control to visited site admin, too!
- Most of all: It just works™
[Figure: VPN layout. The docking network (DHCP, DNS, free Web) with its VPN gateways forms the "VPN world"; it connects to the campus network and Intranet X.]
WLAN Access Control: Why VPN is better
- Historically, more reason to trust L3 security than L2
  - IPSec has lots of security analysis behind it
- Can use cheap/dumb APs
- Available for just about everything (Windows 98, PDA etc.)
- Easy to accommodate multiple security contexts
  - Even with pre-2003 infrastructure
- Data is secure in the air and up to VPN gateway
- Most of all: It just works™
[Figure: Web-based layout. The docking network (DHCP, DNS, free Web) sits behind an access control device in the "Web world"; it connects to the campus network and Intranet X.]
WLAN Access Control: Why Web-based filtering is better
- No client software needed (everybody has a browser)
- Ties right into existing user/password schemes
- Can be made to work easily for guest users
  - It's what the hotspots use, so guest users will know it already
  - May be able to tie in with Greenspot etc.
- Privacy isn't that important anyway (use TLS and SSH)
- Accountability isn't that important anyway
- Most of all: It just works™
From Access Control to Roaming

Roaming: High-level requirements
Objective: Enable NREN users to use Internet (WLAN and wired) everywhere in Europe
- with minimal administrative overhead (per roaming)
- with good usability
- maintaining required security for all partners
Inter-domain 802.1X
[Figure: inter-domain 802.1X. The supplicant of piet@institution_b.nl associates with the authenticator (AP or switch) at Institution A. The visited RADIUS server at Institution A cannot find the user in its own user DB and forwards the request over the Internet via a central RADIUS proxy server (e.g., @NREN) to the home RADIUS server at Institution B, which checks its user DB. Institution A places its own users in the Employee or Student VLAN and the authenticated guest in the Guest VLAN.]
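The proxy chain in the figure above, as an added example that is not part of the original slides or of any TERENA TF Mobility deliverable: a small Python model of realm-based RADIUS forwarding. Each server either authenticates a realm itself or forwards by longest realm suffix, unknown realms go up to the next proxy level, and the visited institution applies its own guest VLAN to the Access-Accept that comes back. The NAI piet@institution_b.nl and the institution / NREN proxy / European proxy levels are from the slides; the server names (institution-a, dfn-proxy, eu-proxy, surfnet-proxy, institution-b), the realm institution_a.de, the user anna@institution_a.de, the passwords and the VLAN ids are constructed assumptions.

```python
"""Realm-based RADIUS proxying for inter-domain 802.1X roaming.

Added illustration, not TERENA TF Mobility or eduroam code. Server names,
realms, passwords and VLAN ids are constructed sample values; a real
deployment carries them in RADIUS attributes over UDP with shared secrets.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass
class AccessRequest:
    user: str                  # NAI (user@realm), e.g. piet@institution_b.nl
    password: str
    hops: List[str] = field(default_factory=list)   # servers traversed (demo only)


@dataclass
class AccessReply:
    accepted: bool
    vlan: Optional[int]        # VLAN the visited site should put the user in
    hops: List[str]


def realm_of(nai: str) -> str:
    """Return the part after the last '@', lower-cased; '' if there is none."""
    _, sep, realm = nai.rpartition("@")
    return realm.lower() if sep else ""


class RadiusServer:
    def __init__(self, name: str, *, local_realm: Optional[str] = None,
                 users: Optional[Dict[str, str]] = None,
                 home_vlan: Optional[int] = None, guest_vlan: Optional[int] = None,
                 routes: Optional[Dict[str, "RadiusServer"]] = None,
                 default: Optional["RadiusServer"] = None):
        self.name = name
        self.local_realm = local_realm        # realm this server authenticates itself
        self.users = users or {}              # constructed user DB: NAI -> password
        self.home_vlan = home_vlan            # VLAN for the site's own users
        self.guest_vlan = guest_vlan          # VLAN for authenticated roamers
        self.routes = routes or {}            # realm suffix -> next server (downwards)
        self.default = default                # where unknown realms go (upwards)

    def next_hop(self, realm: str) -> Optional["RadiusServer"]:
        # Longest-suffix match: "institution_b.nl" wins over "nl".
        labels = realm.split(".")
        for i in range(len(labels)):
            candidate = ".".join(labels[i:])
            if candidate in self.routes:
                return self.routes[candidate]
        return self.default

    def handle(self, req: AccessRequest) -> AccessReply:
        req.hops.append(self.name)
        realm = realm_of(req.user)
        if realm and realm == self.local_realm:
            ok = self.users.get(req.user.lower()) == req.password
            return AccessReply(ok, self.home_vlan if ok else None, req.hops)
        nxt = self.next_hop(realm)
        # Unknown realm, or a realm that would bounce between two proxies:
        # reject instead of looping the request through the hierarchy.
        if nxt is None or nxt.name in req.hops:
            return AccessReply(False, None, req.hops)
        reply = nxt.handle(req)
        if reply.accepted and self.guest_vlan is not None:
            reply.vlan = self.guest_vlan   # the visited site decides the VLAN
        return reply


def build_hierarchy():
    """Two institutions under two NREN proxies joined by a European top-level proxy."""
    eu = RadiusServer("eu-proxy")
    dfn = RadiusServer("dfn-proxy", default=eu)
    surfnet = RadiusServer("surfnet-proxy", default=eu)
    eu.routes = {"de": dfn, "nl": surfnet}          # top level routes by country realm
    inst_a = RadiusServer("institution-a", local_realm="institution_a.de",
                          users={"anna@institution_a.de": "secret-a"},
                          home_vlan=10, guest_vlan=30, default=dfn)
    inst_b = RadiusServer("institution-b", local_realm="institution_b.nl",
                          users={"piet@institution_b.nl": "secret-b"},
                          home_vlan=10, guest_vlan=30, default=surfnet)
    dfn.routes = {"institution_a.de": inst_a}
    surfnet.routes = {"institution_b.nl": inst_b}
    return inst_a, inst_b


if __name__ == "__main__":
    visited, _ = build_hierarchy()
    print(visited.handle(AccessRequest("piet@institution_b.nl", "secret-b")))
```

Running the block shows the request for piet@institution_b.nl travelling institution-a, dfn-proxy, eu-proxy, surfnet-proxy, institution-b and returning with the visited site's guest VLAN; a realm nobody is responsible for is rejected at the European proxy rather than bouncing between proxies, which is the loop case a real proxy guards against with hop limits and Proxy-State.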
Web-based with RADIUS
VPN
[Figure: two VPN roaming deployments, each with VPN gateways on a docking network (DHCP, DNS, free Web) attached over G-WiN to the campus network and Intranet X. Captions: "Wbone – VPN roaming solution to 4 universities / colleges in state of Bremen." and "SWITCHmobile – VPN solution deployed at 7 universities across Switzerland." Note: "Clients enter the Internet through home network/gateway."]
Wbone: interconnecting docking networks
[Figure: Wbone topology, "extend to other sites ...". Docking networks of HS Brhv., HfK, HS Bremen, Uni Bremen, AWI and Briteline are interconnected through a router R; address ranges shown are 10.28.64/18, 172.25/16 and 172.21/16; the gateways shown are Linux boxes (PPTP, IPSec/PPTP/SSH) and Cisco boxes (IPSec).]
Making roaming work on a European scale

European RADIUS hierarchy
[Figure: national RADIUS proxy servers (UNI-C, FUNET, SURFnet, UKERNA, DFN, CESnet, FCCN, CARnet, GRnet, RedIRIS) connecting to a European level RADIUS proxy server.]
The CASG
- Separate docking networks from controlled address space for gateways (CASG)
- Hosts on docking networks can freely interchange packets with hosts in the CASG
  - Easy to accomplish with a couple of ACLs
- All VPN gateways get an additional CASG address
  - Hmm, problem with some Cisco concentrators

RIPE database entry shown on the slide:

inetnum:      193.174.167.0 - 193.174.167.255
netname:      CASG-DFN
descr:        DFN-Verein
descr:        Stresemannstrasse 78
descr:        10963 Berlin
country:      DE
admin-c:      MW238
tech-c:       JR433
tech-c:       KL565
status:       ASSIGNED PA
mnt-by:       DFN-LIR-MNT
changed:      [email protected] 20040603
source:       RIPE
[Figure: three sites, each with a docking network (DHCP, DNS, free Web), an access controller and VPN gateways, attached via G-WiN to its campus network and Intranet X. The VPN gateways are additionally reachable through the CASG, which sits between the docking networks and "the big bad Internet".]
CASG allocation
- Back-of-the-Envelope: 1 address per 10000 population
  - E.g., .CH gets ~600, Bremen gets ~60
- Allocate to minimize routing fragmentation
  - May have to use some tunneling/forwarding
  - VPN gateway can have both local and CASG address
The CASG Pledge
- I will gladly accept any packet
  - There is no such thing as a security incident on the CASG
- I will not put useful things in the CASG
  - People should not be motivated to go there except to authenticate or use authenticated services
- I will help manage the prefix space to remain stable
How to integrate all these at the site level?

Commonalities
- 802.1X
  - Secure SSID
  - RADIUS
- Web-based captive portal
  - Open SSID
  - RADIUS
- VPN-based
  - Open SSID
  - No RADIUS
(Braces on the slide group 802.1X and the captive portal as sharing a RADIUS backend, and the captive portal and VPN as sharing a docking net with open SSID.)
How can I help... as a home institution
Implement the other backend:
- As a RADIUS-based site
  - Implement a CASG VPN gateway (or subscribe to an NREN one)
  - Provide the right RADIUS for all frontends
- As a VPN site
  - Run a RADIUS server
- Help the users try and debug their roaming setup while at home (play visited site)
How can I help... as a visited institution
Implement the other frontend:
- As a docking network site
  - Implement the other docking approach: CASG access or Web-diverter
  - Implement an 802.1X SSID ("eduroam") in addition to open SSID
- As an 802.1X site
  - Implement an open SSID with CASG access and Web-diverter
  - Your local users will like it, too
    - Maybe too much…
Network layout with multiple SSID's and VLAN assignment

Network layout without multiple SSID's and VLAN assignment
Doing the plumbing

Default router in docking net
- Default route points to access control device:
    ip route 0.0.0.0 0.0.0.0 172.21.3.11
- CASG routes point to CASG router:
    ip route 193.174.167.0 255.255.255.0 172.21.3.250
CASG router
    ip access-list extended casg-out
     permit ip 193.174.167.0 0.0.0.255 any
     deny ip any any
    ip access-list extended casg-in
     permit ip any 193.174.167.0 0.0.0.255
     deny ip any any
    interface Vlan86
     ip address 172.21.3.250 255.255.0.0
     ip access-group casg-in in
     ip access-group casg-out out
     ip nat inside
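To check what the two static routes on the docking-net default router and the casg-in / casg-out ACLs on the CASG router actually let through (the "couple of ACLs" from the CASG slide), here is an added Python example; it is not part of the slides and not DFN or TF Mobility tooling. It parses the IOS access-list lines shown above, does a longest-prefix lookup over the two routes, and traces constructed sample packets. The prefixes, next hops and ACL names are the ones on the slides; the packet addresses (docking host 172.21.5.7, a CASG gateway at 193.174.167.10, a non-CASG host 198.51.100.5) are constructed assumptions.

```python
"""Evaluate the docking-net routes and CASG router ACLs from the slides.

Added illustration, not the authors' configuration tooling. Only the
'permit/deny ip <src> <dst>' form used on the slide is parsed; ports,
protocols other than 'ip' and 'host' keywords are out of scope here.
"""
import ipaddress
from typing import Dict, List, Optional, Tuple

# The CASG router ACLs as shown on the slide (IOS syntax).
CASG_ACLS = """
ip access-list extended casg-out
 permit ip 193.174.167.0 0.0.0.255 any
 deny ip any any
ip access-list extended casg-in
 permit ip any 193.174.167.0 0.0.0.255
 deny ip any any
"""

# Static routes of the docking-net default router (from "Doing the plumbing").
ACCESS_CONTROLLER = "172.21.3.11"
CASG_ROUTER = "172.21.3.250"
DOCKING_ROUTES = [
    (ipaddress.IPv4Network("0.0.0.0/0"), ACCESS_CONTROLLER),
    (ipaddress.IPv4Network("193.174.167.0/24"), CASG_ROUTER),
]

AclEntry = Tuple[str, ipaddress.IPv4Network, ipaddress.IPv4Network]


def _parse_match(tokens: List[str], i: int) -> Tuple[ipaddress.IPv4Network, int]:
    """Parse 'any' or 'address wildcard' at tokens[i]; return (network, next index)."""
    if tokens[i] == "any":
        return ipaddress.IPv4Network("0.0.0.0/0"), i + 1
    addr, wildcard = tokens[i], tokens[i + 1]
    # IOS wildcard masks are inverted netmasks: 0.0.0.255 -> 255.255.255.0
    netmask = ipaddress.IPv4Address(int(ipaddress.IPv4Address(wildcard)) ^ 0xFFFFFFFF)
    return ipaddress.IPv4Network((addr, str(netmask)), strict=False), i + 2


def parse_acls(text: str) -> Dict[str, List[AclEntry]]:
    """Return {acl name: [(action, src net, dst net), ...]} for 'permit/deny ip' lines."""
    acls: Dict[str, List[AclEntry]] = {}
    current: Optional[List[AclEntry]] = None
    for line in text.splitlines():
        tokens = line.split()
        if not tokens:
            continue
        if tokens[:3] == ["ip", "access-list", "extended"]:
            current = acls.setdefault(tokens[3], [])
        elif tokens[0] in ("permit", "deny") and tokens[1] == "ip" and current is not None:
            src, i = _parse_match(tokens, 2)
            dst, _ = _parse_match(tokens, i)
            current.append((tokens[0], src, dst))
    return acls


def acl_permits(entries: List[AclEntry], src: str, dst: str) -> bool:
    """First matching entry decides; every IOS ACL ends with an implicit deny."""
    s, d = ipaddress.IPv4Address(src), ipaddress.IPv4Address(dst)
    for action, snet, dnet in entries:
        if s in snet and d in dnet:
            return action == "permit"
    return False


def next_hop(dst: str) -> str:
    """Longest-prefix match over the docking-net routes."""
    d = ipaddress.IPv4Address(dst)
    best = max((r for r in DOCKING_ROUTES if d in r[0]), key=lambda r: r[0].prefixlen)
    return best[1]


def trace_from_docking(src: str, dst: str, acls: Dict[str, List[AclEntry]]):
    """Where a docking-net packet is sent, and whether the CASG router forwards it.

    Returns (next hop, forwarded); forwarded is None when the packet goes to the
    access control device instead, so the CASG ACLs are never consulted.
    """
    hop = next_hop(dst)
    if hop != CASG_ROUTER:
        return hop, None
    return hop, acl_permits(acls["casg-in"], src, dst)


if __name__ == "__main__":
    parsed = parse_acls(CASG_ACLS)
    for dst in ("193.174.167.10", "198.51.100.5"):
        print(dst, trace_from_docking("172.21.5.7", dst, parsed))
```

The trace makes the division of labour visible: traffic to the CASG prefix is the only traffic the docking router hands to the CASG router, casg-in drops anything that arrives there for a non-CASG destination even if a host somehow sends it that way, and casg-out lets only CASG sources back onto the docking VLAN. Everything else goes to the access control device, where the site's own policy (Web-diverter, VPN) applies.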
What if docking net is RFC1918?
- Maximum compatibility with an address-based NAT:
    ip access-list standard docking-addr
     permit 172.21.0.0 0.0.255.255
    !
    ip nat translation timeout 1800
    ip nat pool dn 134.102.216.1 134.102.216.250 netmask 255.255.255.0
    ip nat inside source list docking-addr pool dn
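The address-based NAT above, modelled in Python as an added example (not the authors' configuration or code): without an overload keyword, each inside host matched by docking-addr borrows one whole address from the pool until its translation has been idle for the configured 1800 seconds. The address list, pool and timeout are the values from the slide; the inside hosts, timestamps and the burst of new clients are constructed. The model also shows the pool-sizing caveat that comes up later under "Fun little issues": once more hosts than pool addresses are active at the same time, the surplus cannot be translated at all.

```python
"""Address-based (1:1) dynamic NAT for an RFC 1918 docking net.

Added illustration, not the authors' code. It models the slide's
'ip nat inside source list docking-addr pool dn' without 'overload':
one pool address per active inside host, released after the idle timeout.
"""
import ipaddress
from typing import Dict, List, Optional

DOCKING_ADDR = ipaddress.IPv4Network("172.21.0.0/16")    # access-list standard docking-addr
POOL_FIRST = ipaddress.IPv4Address("134.102.216.1")      # ip nat pool dn ...
POOL_LAST = ipaddress.IPv4Address("134.102.216.250")
TRANSLATION_TIMEOUT = 1800                                # ip nat translation timeout 1800


class AddressNat:
    def __init__(self, inside=DOCKING_ADDR, first=POOL_FIRST, last=POOL_LAST,
                 timeout=TRANSLATION_TIMEOUT):
        self.inside = inside
        self.timeout = timeout
        self.free: List[ipaddress.IPv4Address] = [
            ipaddress.IPv4Address(i) for i in range(int(first), int(last) + 1)]
        # inside address -> [outside address, time of last use]
        self.table: Dict[ipaddress.IPv4Address, list] = {}

    def pool_size(self) -> int:
        return len(self.free) + len(self.table)

    def expire(self, now: float) -> int:
        """Drop translations idle for at least `timeout` seconds; return how many."""
        freed = 0
        for inside, (outside, last_used) in list(self.table.items()):
            if now - last_used >= self.timeout:
                del self.table[inside]
                self.free.append(outside)
                freed += 1
        return freed

    def translate(self, src: str, now: float) -> Optional[str]:
        """Outside address for a packet from `src` seen at time `now`.

        Returns src unchanged when docking-addr does not match it, and None
        when the pool is exhausted (the packet cannot be translated).
        """
        inside = ipaddress.IPv4Address(src)
        if inside not in self.inside:
            return src
        self.expire(now)
        entry = self.table.get(inside)
        if entry is not None:
            entry[1] = now                  # refresh the idle timer
            return str(entry[0])
        if not self.free:
            return None
        outside = self.free.pop(0)
        self.table[inside] = [outside, now]
        return str(outside)


def flash_crowd(nat: AddressNat, hosts: int, now: float) -> int:
    """Constructed burst of `hosts` new docking-net clients; returns how many got no address."""
    failed = 0
    for n in range(hosts):
        src = f"172.21.{4 + n // 254}.{1 + n % 254}"   # constructed, all within 172.21/16
        if nat.translate(src, now) is None:
            failed += 1
    return failed


if __name__ == "__main__":
    nat = AddressNat()
    print(nat.translate("172.21.200.7", 0))
    print("hosts left without an address:", flash_crowd(nat, 300, 200))
```

With a 250-address pool, a burst of 300 roaming clients leaves 50 or more of them without connectivity until earlier translations time out, which is why the pool has to be sized for the peak number of simultaneously active docking-net hosts rather than the average.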
So where are we?

Fun little issues
- 1/3 of Bremen's 432 Cisco 340 APs can't do VLANs
  - Ethernet interface hardware MTU issue
- Some client WLAN drivers are erratic in the presence of multi-SSID APs
- Can't give university IP addresses to roamers
  - Too many university-only services are "authenticated" on IP address
  - Address pool must be big enough for flash crowds
- CASG space is currently allocated on a national level
  - So there will be a dozen updates before CASG is stable
Conclusions
- It is possible to create a fully interoperable solution
- It's not that hard
  - especially when you use TF mobility's deliverable H to guide you
- Re-evaluate solutions in a couple of years
  - TF mobility is going for a second term to help
- Integration approach also provides an easy upgrade path
  - E.g., add 802.1X to docking-only site