WLAN Roaming for the European Scientific Community: Lessons Learned
Rodo, June 9th, 2004
Carsten Bormann <[email protected]>
Niels Pollem <[email protected]>
reporting on the work of TERENA TF Mobility
http://www.terena.nl/mobility/
Outline
WLAN access control and security
How does inter-domain roaming work
Roaming on a European scale
How to integrate solutions at the site level
Conclusion
WLAN Security: Requirements
Confidentiality (Privacy):
Nobody can understand foreign traffic
Insider attacks as likely as outsiders'
Accountability:
We can find out who did something
Prerequisite: Authentication
(2003:) Security is rarely easy
(2004:) solved
(2004:) or maybe not?
WLAN Security: Approaches
AP-based Security: AP is network boundary
WEP (broken), WEP fixes, WPA, …
802.1X (EAP variants + RADIUS) + 802.11i
Network based Security: deep security
VPNs needed by mobile people anyway
SSH, PPTP, IPsec
Alternative: Web-diverter (temporary MAC/IP address filtering)
No confidentiality at all, though
[Diagram: 802.1X access network. Routers connect the ".1X world" access network to the campus network and Intranet X; RADIUS server(s) authenticate the users.]
WLAN Access Control:
Why 802.1X is better
802.1X is taking over the world anyway
The EAP/XYZ people are finally getting it right
Only 5 more revisions before XYZ wins wide vendor support
Available for more and more systems (Windows 2000 up)
Distribute hard crypto work to zillions of access points
Block them as early as possible
More control to visited site admin, too!
Most of all: It just works™
[Diagram: VPN access network. VPN gateways connect the "VPN world" docking network to the campus network and Intranet X; the docking network offers DHCP, DNS and free Web.]
WLAN Access Control:
Why VPN is better
Historically, more reason to trust L3 security than L2
IPSec has lots of security analysis behind it
Can use cheap/dumb APs
Available for just about everything (Windows 98, PDA etc.)
Easy to accommodate multiple security contexts
Even with pre-2003 infrastructure
Data is secure in the air and up to VPN gateway
Most of all: It just works™
[Diagram: Web-based access control. An access control device sits between the "Web world" docking network and the campus network / Intranet X; the docking network offers DHCP, DNS and free Web.]
WLAN Access Control:
Why Web-based filtering is better
No client software needed (everybody has a browser)
Ties right into existing user/password schemes
Can be made to work easily for guest users
It’s what the hotspots use, so guest users will know it already
May be able to tie in with Greenspot etc.
Privacy isn’t that important anyway (use TLS and SSH)
Accountability isn’t that important anyway
Most of all: It just works™
From Access Control to Roaming
Roaming: High-level requirements
Objective:
Enable NREN users to use Internet (WLAN and wired)
everywhere in Europe
with minimal administrative overhead (per roaming)
with good usability
maintaining required security for all partners
Inter-domain 802.1X
[Diagram: a supplicant with identity piet@institution_b.nl associates with an authenticator (AP or switch) at visited Institution A. The visited RADIUS server forwards the request over the Internet, via a central RADIUS proxy server (e.g., at the NREN), to the home RADIUS server at Institution B, which checks its user DB; Institution A's own user DB serves its local users. On success the authenticator places the user in the Employee, Guest or Student VLAN.]
Web-based with RADIUS
VPN
[Diagram: two campuses, each with VPN gateways, a docking network, campus network, Intranet X and DHCP, DNS, free Web, connected over G-WiN.]
Wbone – VPN roaming solution for 4 universities / colleges in the state of Bremen.
SWITCHmobile – VPN solution deployed at 14+ universities and other sites across Switzerland.
Clients enter the Internet through the home network/gateway.
Wbone: interconnecting docking networks
[Diagram: docking networks of Uni Bremen, HS Bremen, HfK, HS Brhv. and AWI (prefixes 172.25/16, 172.21/16, 10.28.64/18) linked via Briteline through Linux and Cisco gateways running IPSec, PPTP or SSH; extend to other sites ...]
Making roaming work on a European scale
European RADIUS hierarchy
[Diagram: national RADIUS proxy servers (UNI-C, FUNET, SURFnet, UKERNA, DFN, CESnet, FCCN, CARnet, GRnet, RedIRIS) connecting to a European-level RADIUS proxy server.]
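As an added example (not part of the slides or of TF Mobility's deliverables), this Python model walks the request for piet@institution_b.nl through the realm-based proxy hierarchy the two slides above describe: the visited server hands realms it does not know up to its national proxy, the European proxy routes on the country suffix, and the national proxy on the far side delivers to the home server. The server names, the European root "eu-proxy" and placing Institution A behind DFN are assumptions; the realm checks and the hop limit show how a proxy refuses a request it cannot route or that loops.

```python
from dataclasses import dataclass, field

@dataclass
class RadiusProxy:
    name: str
    realms: set = field(default_factory=set)    # realms this server answers itself
    routes: dict = field(default_factory=dict)  # realm suffix -> next-hop proxy
    default: "RadiusProxy | None" = None        # unknown realms go up the tree

def split_realm(user_name):
    """Return (user, realm) from 'user@realm', or None if there is nothing to route on."""
    user, sep, realm = user_name.partition("@")
    if not sep or not user or not realm or "@" in realm:
        return None
    return user, realm.lower()

def route_request(visited, user_name, max_hops=6):
    """Follow a request from the visited RADIUS server towards the home server.
    Returns (status, path of server names); the hop limit stops proxy loops."""
    parsed = split_realm(user_name)
    if parsed is None:
        return "reject:no-realm", [visited.name]
    realm = parsed[1]
    node, path = visited, [visited.name]
    while len(path) <= max_hops:
        if realm in node.realms:
            return "home", path
        nxt = None
        # longest matching suffix wins (a site route before a country route)
        for suffix in sorted(node.routes, key=len, reverse=True):
            if realm == suffix or realm.endswith("." + suffix):
                nxt = node.routes[suffix]
                break
        nxt = nxt or node.default
        if nxt is None:
            return "reject:unknown-realm", path
        node = nxt
        path.append(node.name)
    return "reject:loop", path

def build_hierarchy():
    """Constructed hierarchy (assumption): visited Institution A behind DFN, piet's
    home institution_b.nl behind SURFnet, both NREN proxies meeting at a European root."""
    inst_b = RadiusProxy("institution_b.nl", realms={"institution_b.nl"})
    eu = RadiusProxy("eu-proxy")
    surfnet = RadiusProxy("SURFnet", routes={"institution_b.nl": inst_b}, default=eu)
    dfn = RadiusProxy("DFN", default=eu)
    eu.routes = {"nl": surfnet, "de": dfn}
    return RadiusProxy("institution_a.de", realms={"institution_a.de"}, default=dfn)
```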
The CASG
Separate docking networks from controlled address space for gateways (CASG)
inetnum:  193.174.167.0 - 193.174.167.255
netname:  CASG-DFN
descr:    DFN-Verein
descr:    Stresemannstrasse 78
descr:    10963 Berlin
country:  DE
admin-c:  MW238
tech-c:   JR433
tech-c:   KL565
status:   ASSIGNED PA
mnt-by:   DFN-LIR-MNT
changed:  [email protected] 20040603
source:   RIPE
Hosts on docking networks can freely interchange packets with hosts in the CASG
Easy to accomplish with a couple of ACLs
All VPN gateways get an additional CASG address
Hmm, problem with some Cisco concentrators
[Diagram: three sites, each with a docking network behind an access controller, VPN gateways, campus network, Intranet X and DHCP, DNS, free Web, connected over G-WiN; the CASG sits between the docking networks and "the big bad Internet".]
CASG allocation
Back-of-the-Envelope: 1 address per 10000 population
E.g., .CH gets ~600, Bremen gets ~60
Allocate to minimize routing fragmentation
May have to use some tunneling/forwarding
VPN gateway can have both local and CASG address
The CASG Pledge
I will gladly accept any packet
There is no such thing as a security incident on the CASG
I will not put useful things in the CASG
People should not be motivated to go there except to authenticate
or use authenticated services
I will help manage the prefix space to remain stable
How to integrate all these at the site level?
Commonalities
Approach                    SSID          Backend
802.1X                      Secure SSID   RADIUS
Web-based captive portal    Open SSID     RADIUS
VPN-based                   Open SSID     No RADIUS
802.1X and the Web-based captive portal share the RADIUS backend.
The Web-based captive portal and the VPN-based approach share the docking net (open SSID).
How can I help...
as a home institution
Implement the other backend:
As a RADIUS-based site
Implement a CASG VPN gateway (or subscribe to an NREN one)
Provide the right RADIUS for all frontends
As a VPN site
Run a RADIUS server
Help the users try and debug their roaming setup while at
home (play visited site)
How can I help...
as a visited institution
Implement the other frontend:
As a docking network site
Implement the other docking approach:
CASG access or Web-diverter
Implement a 802.1X SSID (“eduroam”) in addition to open SSID
As an 802.1X site
Implement an open SSID with CASG access and Web-diverter
Your local users will like it, too
Maybe too much…
Network layout with multiple SSIDs and VLAN assignment
Network layout without multiple SSIDs and VLAN assignment
Doing the plumbing
Default router in docking net
Default route points to access control device:
ip route 0.0.0.0 0.0.0.0 172.21.3.11
CASG routes point to CASG router
ip route 193.174.167.0 255.255.255.0 172.21.3.250
CASG router
ip access-list extended casg-out
 permit ip 193.174.167.0 0.0.0.255 any
 deny ip any any
ip access-list extended casg-in
 permit ip any 193.174.167.0 0.0.0.255
 deny ip any any
interface Vlan86
 ip address 172.21.3.250 255.255.0.0
 ip access-group casg-in in
 ip access-group casg-out out
 ip nat inside
What if docking net is RFC1918?
Maximum compatibility with an address-based NAT:
ip access-list standard docking-addr
permit 172.21.0.0 0.0.255.255
!
ip nat translation timeout 1800
ip nat pool dn 134.102.216.1 134.102.216.250 netmask 255.255.255.0
ip nat inside source list docking-addr pool dn
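As an added example (not from the slides or from Bremen's actual configuration), this Python model reproduces the forwarding decisions the IOS fragments on the last three slides encode, using the slides' own addresses: the docking-net default router's route choice, the casg-in/casg-out filters on the CASG router's Vlan86, and the address-based NAT from pool dn, including what happens when its 250 addresses run out. The NAT state table and the sample Internet address 130.149.1.1 are constructed.

```python
import ipaddress as ip

DOCKING = ip.ip_network("172.21.0.0/16")      # RFC1918 docking net (docking-addr)
CASG = ip.ip_network("193.174.167.0/24")      # CASG-DFN prefix
ACCESS_CTL = "172.21.3.11"                    # default route next hop
CASG_RTR = "172.21.3.250"                     # next hop of the CASG route
POOL_FIRST = ip.ip_address("134.102.216.1")   # ip nat pool dn 134.102.216.1 ...
POOL_LAST = ip.ip_address("134.102.216.250")  # ... 134.102.216.250

def next_hop(dst):
    """Docking-net default router: the /24 CASG route beats the 0.0.0.0/0 default."""
    return CASG_RTR if ip.ip_address(dst) in CASG else ACCESS_CTL

def casg_acl(src, dst, direction):
    """casg-in (into Vlan86 from docking hosts): only traffic to CASG passes.
    casg-out (out of Vlan86 towards docking hosts): only traffic from CASG passes."""
    if direction == "in":
        return ip.ip_address(dst) in CASG
    if direction == "out":
        return ip.ip_address(src) in CASG
    raise ValueError(direction)

def nat_translate(src, table):
    """Address-based NAT: one pool address per docking host, remembered in 'table'
    (constructed state). Returns None once all 250 pool addresses are in use."""
    src = ip.ip_address(src)
    if src not in DOCKING:
        return str(src)                  # not matched by docking-addr: untranslated
    if src in table:
        return table[src]
    used = set(table.values())
    cand = POOL_FIRST
    while cand <= POOL_LAST:
        if str(cand) not in used:
            table[src] = str(cand)
            return table[src]
        cand += 1
    return None

def forward(src, dst, table):
    """One packet from a docking host: route it; on the CASG router apply casg-in
    and translate the source. Returns (next_hop, permitted, outside_src)."""
    hop = next_hop(dst)
    if hop != CASG_RTR:
        return hop, True, None           # access controller decides; not modelled
    if not casg_acl(src, dst, "in"):
        return hop, False, None
    return hop, True, nat_translate(src, table)
```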
So where are we?
Fun little issues
1/3 of Bremen's 432 Cisco 340 APs can't do VLANs
Ethernet interface hardware MTU issue
Some client WLAN drivers are erratic in the presence of
multi-SSID APs
Can't give university IP addresses to roamers
Too many university-only services are “authenticated” on IP address
Address pool must be big enough for flash crowds
CASG space is currently allocated on a national level
So there will be a dozen updates before CASG is stable
Conclusions
It is possible to create a fully interoperable solution
It’s not that hard:
especially when you use TF mobility’s deliverable H to guide you
Re-evaluate solutions in a couple of years
TF mobility is going for a second term to help
Integration approach also provides an easy upgrade path
E.g., add 802.1X to docking-only site