Transcript 19Sisto
P805: Internet Roaming
Giuseppe Sisto - Telecom Italia / CSELT
[email protected]
Project participants:
• Deutsche Telecom
• Finnet Group
• France Telecom
• MATAV
• Telecom Italia
AIMS’99 Workshop
Heidelberg, 11-12 May 1999
AGENDA
•
•
•
•
•
Scope
Objectives
Technical approach
P805 results
P914 expected results
AIMS’99 Workshop
Heidelberg, 11-12 May 1999
The Scope (from P717)
•
•
•
•
•
•
Multiple ISPs in each country
Problem similar to GSM roaming
Same model for roaming solution
Based on bilateral agreements between parties
No central clearing point
Distributed solution: Scaleable and robust
AIMS’99 Workshop
Heidelberg, 11-12 May 1999
Roaming Service Reference Model
Home ISP’s Roaming User
Traditional, Centralized Solution:
3rd Party Clearing Point
Authentication
Server
for Home ISP
Authentication
Server
for Remote ISP
NAS: Network
Access Service
Remote ISP
AIMS’99 Workshop
Heidelberg, 11-12 May 1999
P805 Solution:
Direct A-A Interface
The Internet
Home ISP
The Requirements
• Terminal-network interface:
– should work for PSTN and ISDN
– should work for most common devices and configurations
• Network-network interface (A-A protocol)
– should allow transport of all necessary parameters
– should be secure (encryption, mutual validation)
– should run over IP
• Compatible with existing third party solutions
AIMS’99 Workshop
Heidelberg, 11-12 May 1999
The Possible Solutions
The solutions examined
• HTTP based
• RADIUS Based
• DIAMETER
• RADIUS/LDAP Integration
AIMS’99 Workshop
Heidelberg, 11-12 May 1999
HTTP-based Solution
MSS
Remote ISP (R-ISP)
NAS
RSAP
Encrypted communication
with HTTP on SSL
PPP with CHAP
H-ISP’s
Roaming User
Home ISP
(H-ISP)
VNAS
Authorizing
entity
• SIR: Secure Internet Roaming specification (i-Pass
consortium)
• good security level (use of encryption and digital certificates)
• based on a “centralized” model (MSS= Message Switching
Server): out of our scope
AIMS’99 Workshop
Heidelberg, 11-12 May 1999
RADIUS-based Solution
Remote ISP (R-ISP)
NAS
AAA-Server
(RADIUS)
Intermediate
ISP (I-ISP)
Home ISP
(H-ISP)
AAA-Server
(RADIUS)
AAA-Server
(RADIUS)
PPP with CHAP
H-ISP’s
Roaming User
• No end-to-end security in case of untrusted intermediate
proxies
• Protocol not extensible: need for a new protocol
AIMS’99 Workshop
Heidelberg, 11-12 May 1999
DIAMETER
Remote ISP
(R-ISP)
DIAMETER
(proxy)
Server
RADIUS
Protocol
Home ISP
(H-ISP)
DIAMETER
Protocol
•
NAS
PPP
with
CHAP
•
H-ISP’s
Roaming User
•
•
AIMS’99 Workshop
Heidelberg, 11-12 May 1999
• Framework for any
DIAMETER
service which requires
(proxy)
AAA/Policy support
Server
• flexible/ extensible
Wide range of security solutions
(including X.509 certificates)
Roaming scenario not yet available in
‘98
Only one “experimental”
implementation from Merit
Not yet officially recognized by IETF
A Directory Enabled Solution
• Directory Enabled Networks: a single common directory to
support all applications, services and infrastructure
E-mail
Network
Operating
System
Other
Applications
Directory
Service
• LDAP v. 3 (Lightweight Directory Access Protocol): IETF
standard for Internet Directories (RFC2251)
Client/Server Model, Distributed Service, Security Framework (Access
Control / TLS / SASL)
AIMS’99 Workshop
Heidelberg, 11-12 May 1999
LDAP-based roaming model
Home ISP (H-ISP)
H-ISP Roaming User
3.
Inquiry to H-ISP
LDAP Server
H-ISP LDAP
Server
UserID@H-ISP
Password
AAA Server
RADIUS
NAS
2.
Referral to H-ISP LDAP server
RADIUS
Server
LDAP
Client
Remote ISP (R-ISP)
AIMS’99 Workshop
Heidelberg, 11-12 May 1999
1.
LDAP
Inquiry
R-ISP LDAP
Server
Directory information modeling
ISP1
O = ISP1
(i.e. o=TIN.IT)
““
O=ISP2
O=ISP1AdminUsers
…. O=ISP n
(referral entry)
(referral entry)
...
...
Uid=ISPnAuthorisedUser
Uid=ISP1User N
Uid=ISP1User 2
Uid=ISP1User 1
AIMS’99 Workshop
Heidelberg, 11-12 May 1999
Pointers to other ISPs’
LDAP servers
The Pilot
AIMS’99 Workshop
Heidelberg, 11-12 May 1999
Implementation description
•
•
•
•
Merit AAA Server (basic version)
Netscape Directory Server
Project Development of RADIUS/LDAP gateway
Set up of a Certification Authority to issue X.509 certificates
for the use of SSL (sn=SIRTE CA,o=CSELT, c=IT)
AIMS’99 Workshop
Heidelberg, 11-12 May 1999
The Trials
• Functionality tests
- whole chain from roaming end-user to home ISP’s directory
server
• Performance tests
- local access vs. remote access of a user
- secure connections vs. non secure connections between
LDAP servers
- influence of DB size
• “Near Operational” tests
- All participants simultaneously authenticating themselves
both locally and remotely over a period of time
AIMS’99 Workshop
Heidelberg, 11-12 May 1999
Results from the Trials
• Functionality tests: the model works!
• Performance tests
- Local access:
non-secure connections: delay of few tenths of a second
secure connections: delay of ~ 1/3 vs. non secure
no influence of DB size
- Remote access
network delay of few seconds: the delay introduced by
use of SSL not relevant.
• “Near Operational” tests: influenced by network conditions
AIMS’99 Workshop
Heidelberg, 11-12 May 1999
Recommendations from the Pilot
ISPs:
before signing contracts for centralised solutions with
third party providers, first identify the participation costs
to the consortia;
do not sign “exclusive” contracts for centralised
solutions with third party providers; keep the possibility
to offer at the same time a de-centralised solution!
keep under observation the research activity, which may
provide important innovations the near future,
AIMS’99 Workshop
Heidelberg, 11-12 May 1999
P914: Study and Trials for Internet
Roaming in Europe
Two new participants: Portugal Telecom and Telefonica España
Scope & Activities
Enhancements to the Roaming Solution: management aspects,
accounting mechanisms, security, directory phonebook
Client Interface for Roaming users
Support DIAMETER work; development and trial of a DIAMETERbased roaming solution (EURESCOM now member of Merit AAA
consortium, members active participants to IETF Roamops and
AAA Groups).
AIMS’99 Workshop
Heidelberg, 11-12 May 1999