AIMS’99 Workshop Heidelberg, 11-12 May 1999 P805: Internet Roaming Giuseppe Sisto - Telecom Italia...
AIMS’99 Workshop
Heidelberg, 11-12 May 1999
P805: Internet Roaming
Giuseppe Sisto - Telecom Italia / CSELT
Project participants:
• Deutsche Telekom
• Finnet Group
• France Telecom
• MATAV
• Telecom Italia
AGENDA
• Scope
• Objectives
• Technical approach
• P805 results
• P914 expected results
The Scope (from P717)
• Multiple ISPs in each country
• Problem similar to GSM roaming
• Same model for roaming solution
• Based on bilateral agreements between parties
• No central clearing point
• Distributed solution: scalable and robust
Roaming Service Reference Model
[Figure: the Home ISP’s roaming user connects through the Remote ISP’s NAS (Network Access Service). Traditional, centralized solution: authentication passes through a 3rd party clearing point. P805 solution: direct A-A interface over the Internet between the Authentication Server for the Remote ISP and the Authentication Server for the Home ISP.]
The Requirements
• Terminal-network interface:
– should work for PSTN and ISDN
– should work for most common devices and configurations
• Network-network interface (A-A protocol):
– should allow transport of all necessary parameters
– should be secure (encryption, mutual validation)
– should run over IP
• Compatible with existing third party solutions
The Possible Solutions
The solutions examined
• HTTP based
• RADIUS Based
• DIAMETER
• RADIUS/LDAP Integration
HTTP-based Solution
• SIR: Secure Internet Roaming specification (i-Pass consortium)
• good security level (use of encryption and digital certificates)
• based on a “centralized” model (MSS = Message Switching Server): out of our scope
[Figure elements: H-ISP’s roaming user; Remote ISP (R-ISP) NAS and RSAP; MSS; Home ISP (H-ISP) VNAS and authorizing entity. PPP with CHAP on the access side; encrypted communication with HTTP on SSL between the servers.]
RADIUS-based Solution
• No end-to-end security in case of untrusted intermediate proxies
• Protocol not extensible: need for a new protocol
[Figure: H-ISP’s roaming user connects with PPP/CHAP to the Remote ISP (R-ISP) NAS; the request is proxied with the RADIUS protocol from the R-ISP AAA server (RADIUS) through an Intermediate ISP (I-ISP) AAA server (RADIUS) to the Home ISP (H-ISP) AAA server (RADIUS).]
DIAMETER
[Figure: H-ISP’s roaming user connects with PPP/CHAP to the Remote ISP (R-ISP) NAS; the R-ISP DIAMETER (proxy) server forwards the request with the DIAMETER protocol to the Home ISP (H-ISP) DIAMETER (proxy) server.]
• Framework for any service which requires AAA/Policy support
• flexible/extensible
• Wide range of security solutions (including X.509 certificates)
• Roaming scenario not yet available in ’98
• Only one “experimental” implementation from Merit
• Not yet officially recognized by IETF
A Directory Enabled Solution
• Directory Enabled Networks: a single common directory to support all applications, services and infrastructure
[Figure: one Directory Service shared by E-mail, the Network Operating System and other applications.]
• LDAP v. 3 (Lightweight Directory Access Protocol): IETF standard for Internet Directories (RFC2251); client/server model, distributed service, security framework (Access Control / TLS / SASL)
LDAP-based roaming model
[Figure: the H-ISP roaming user presents UserID@H-ISP and password to the Remote ISP (R-ISP) NAS, which relays them over RADIUS to the R-ISP AAA server (RADIUS server with LDAP client). 1. LDAP inquiry to the R-ISP LDAP server; 2. referral to the H-ISP LDAP server; 3. inquiry to the Home ISP (H-ISP) LDAP server.]
Directory information modeling
[Figure: directory tree of ISP1. Under o=ISP1 (i.e. o=TIN.IT): uid=ISP1User 1, uid=ISP1User 2, ..., uid=ISP1User N, and o=ISP1AdminUsers. o=ISP2 ... o=ISP n are referral entries (with uid=ISPnAuthorisedUser): pointers to other ISPs’ LDAP servers.]
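Added example, not code from the P805 pilot or from the Merit/Netscape software it used: a Python model of the RADIUS/LDAP gateway's lookup for a roaming user, following the three steps of the LDAP-based roaming model (inquiry at the R-ISP server, referral entry, inquiry at the H-ISP server), with the trials' secure (TLS) server-to-server connection turned into a gateway check and the referral chain bounded. Server names, directory contents and TLS flags are constructed.

```python
# Added example, not code from the P805 project: a small model of the
# RADIUS/LDAP gateway's lookup for 'UserID@H-ISP'. Server names, directory
# contents and TLS flags below are constructed for the example.
import hmac
from dataclasses import dataclass, field

@dataclass
class LdapServer:
    name: str
    org: str                   # the o=<ISP> naming context this server holds
    tls: bool                  # secure (TLS) server-to-server connection available
    users: dict = field(default_factory=dict)      # uid -> secret under org
    referrals: dict = field(default_factory=dict)  # o=<ISP> -> LdapServer

HOME = LdapServer("ldap.isp1.example", "o=isp1.example", tls=True,
                  users={"alice": "s3cret"})
REMOTE = LdapServer("ldap.isp2.example", "o=isp2.example", tls=True,
                    users={"bob": "pw"})
REMOTE.referrals[HOME.org] = HOME                  # referral entry for ISP1
REMOTE.referrals["o=isp3.example"] = LdapServer(   # partner without TLS
    "ldap.isp3.example", "o=isp3.example", tls=False)

def lookup(server, realm, uid, require_tls, hops=0, max_hops=3):
    """Chase referrals to the server holding `realm`; return (server, secret)."""
    if hops > max_hops:                               # bound referral chains
        raise RuntimeError("too many referrals")
    if require_tls and not server.tls:                # trial setting: SSL/TLS
        raise PermissionError(f"{server.name} does not offer TLS")
    if realm == server.org:                           # step 1 or 3: inquiry
        return server, server.users.get(uid)
    if realm in server.referrals:                     # step 2: referral entry
        return lookup(server.referrals[realm], realm, uid,
                      require_tls, hops + 1, max_hops)
    raise LookupError(f"no referral entry for {realm} at {server.name}")

def authenticate(nas_user, password, require_tls=True):
    """Gateway decision for the user id and password relayed by the NAS."""
    if "@" in nas_user:                               # roaming user
        uid, home = nas_user.rsplit("@", 1)
        realm = "o=" + home.lower()
    else:                                             # local user of the R-ISP
        uid, realm = nas_user, REMOTE.org
    try:
        server, secret = lookup(REMOTE, realm, uid, require_tls)
    except (PermissionError, RuntimeError, LookupError) as exc:
        return False, str(exc)
    if secret is None:
        return False, f"unknown user at {server.name}"
    return hmac.compare_digest(secret, password), server.name
```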
Implementation description
• Merit AAA Server (basic version)
• Netscape Directory Server
• Project development of a RADIUS/LDAP gateway
• Set up of a Certification Authority to issue X.509 certificates for the use of SSL (sn=SIRTE CA, o=CSELT, c=IT)
The Trials
• Functionality tests: whole chain from roaming end-user to home ISP’s directory server
• Performance tests:
– local access vs. remote access of a user
– secure connections vs. non secure connections between LDAP servers
– influence of DB size
• “Near Operational” tests: all participants simultaneously authenticating themselves both locally and remotely over a period of time
Results from the Trials
• Functionality tests: the model works!
• Performance tests:
– local access: non-secure connections: delay of a few tenths of a second; secure connections: delay of ~1/3 vs. non secure; no influence of DB size
– remote access: network delay of a few seconds: the delay introduced by the use of SSL is not relevant
• “Near Operational” tests: influenced by network conditions
Recommendations from the Pilot
ISPs:
• before signing contracts for centralised solutions with third party providers, first identify the costs of participating in the consortia;
• do not sign “exclusive” contracts for centralised solutions with third party providers; keep the possibility to offer at the same time a de-centralised solution!
• keep under observation the research activity, which may provide important innovations in the near future.
P914: Study and Trials for Internet Roaming in Europe
Scope & Activities
• Two new participants: Portugal Telecom and Telefonica España
• Enhancements to the Roaming Solution: management aspects, accounting mechanisms, security, directory phonebook
• Client interface for roaming users
• Support DIAMETER work; development and trial of a DIAMETER-based roaming solution (EURESCOM now member of the Merit AAA consortium, members active participants in the IETF Roamops and AAA Groups).