AIMS'99 Workshop

Transcript

  • 1. P805: Internet Roaming
    • Giuseppe Sisto - Telecom Italia / CSELT
    • [email_address]
    • Project participants:
    • Deutsche Telecom
    • Finnet Group
    • France Telecom
    • MATAV
    • Telecom Italia
  • 2. AGENDA
    • Scope
    • Objectives
    • Technical approach
    • P805 results
    • P914 expected results
  • 3. The Scope (from P717)
    • Multiple ISPs in each country
    • Problem similar to GSM roaming
    • Same model for roaming solution
    • Based on bilateral agreements between parties
    • No central clearing point
    • Distributed solution: scalable and robust
  • 4. Roaming Service Reference Model
    • Diagram labels: Home ISP’s Roaming User; The Internet; Remote ISP with Authentication Server for Remote ISP; Home ISP with Authentication Server for Home ISP; NAS: Network Access Service
    • Traditional, centralized solution: 3rd-party clearing point
    • P805 solution: direct A-A (authentication server to authentication server) interface
  • 5. The Requirements
    • Terminal-network interface:
      • should work for PSTN and ISDN
      • should work for most common devices and configurations
    • Network-network interface (A-A protocol):
      • should allow transport of all necessary parameters
      • should be secure (encryption, mutual validation)
      • should run over IP
    • Compatible with existing third-party solutions
  • 6. The Possible Solutions
    • The solutions examined:
      • HTTP based
      • RADIUS based
      • DIAMETER
      • RADIUS/LDAP integration
  • 7. HTTP-based Solution
    • SIR: Secure Internet Roaming specification (i-Pass consortium)
    • good security level (use of encryption and digital certificates)
    • based on a “centralized” model (MSS = Message Switching Server): out of our scope
    • Diagram labels: H-ISP’s Roaming User; Remote ISP (R-ISP) with NAS, VNAS and RSAP; MSS; Home ISP (H-ISP) with Authorizing entity; PPP with CHAP from the user; encrypted communication with HTTP on SSL between the parties
  • 8. RADIUS-based Solution
    • No end-to-end security in case of untrusted intermediate proxies
    • Protocol not extensible: need for a new protocol
    • Diagram labels: H-ISP’s Roaming User; Remote ISP (R-ISP) with NAS and AAA-Server (RADIUS); Intermediate ISP (I-ISP) with AAA-Server (RADIUS); Home ISP (H-ISP) with AAA-Server (RADIUS); PPP with CHAP from the user
  • 9. DIAMETER
    • Framework for any service which requires AAA/policy support
    • flexible/extensible
    • Wide range of security solutions (including X.509 certificates)
    • Roaming scenario not yet available in ’98
    • Only one “experimental” implementation from Merit
    • Not yet officially recognized by IETF
    • Diagram labels: H-ISP’s Roaming User; Remote ISP (R-ISP) with NAS and DIAMETER (proxy) Server; Home ISP (H-ISP) with DIAMETER (proxy) Server; PPP with CHAP from the user; RADIUS protocol between NAS and proxy server, DIAMETER protocol between the proxy servers
  • 10. A Directory Enabled Solution
    • Directory Enabled Networks: a single common directory to support all applications, services and infrastructure
    • LDAP v3 (Lightweight Directory Access Protocol): IETF standard for Internet directories (RFC 2251)
    • Client/server model, distributed service, security framework (access control / TLS / SASL)
    • Diagram labels: Directory Service shared by E-mail, Network Operating System and Other Applications
  • 11. LDAP-based roaming model
    • Diagram labels: H-ISP Roaming User; Remote ISP (R-ISP) with NAS, AAA Server / RADIUS Server acting as LDAP Client, and R-ISP LDAP Server; Home ISP (H-ISP) with H-ISP LDAP Server and RADIUS; credentials presented: [email_address] and Password
    • 1. LDAP inquiry from the R-ISP RADIUS server to the R-ISP LDAP server
    • 2. Referral to the H-ISP LDAP server
    • 3. Inquiry to the H-ISP LDAP server
  • 12. Directory information modeling (referral entry)
    • Diagram labels: o=ISP1 (i.e. o=TIN.IT) holding uid=ISP1User 1 … uid=ISP1User N, o=ISP1AdminUsers and uid=ISPnAuthorisedUser; o=ISP2 … o=ISPn are referral entries: pointers to other ISPs’ LDAP servers
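The referral mechanism of slides 11 and 12, as an added example rather than code from the P805 pilot or its RADIUS/LDAP gateway: a simulated RADIUS/LDAP gateway splits the login name into user and realm, asks its own ISP's directory for the o=<realm> subtree, and follows the referral entry to the home ISP's directory before checking the password. The directory contents, the "ref" attribute layout, the server URLs and the salted SHA-256 password format are all constructed for this example; the hop limit and visited-server check guard against referral loops, a failure mode a gateway that chases pointers between ISPs has to handle.

```python
"""Simulated LDAP referral chase for ISP-to-ISP roaming (constructed example)."""
import hashlib
import hmac
from dataclasses import dataclass, field

HASH_TAG = "{SSHA256}"  # constructed storage format: tag + hex salt + "$" + hex digest


def make_password_entry(password: str, salt: bytes) -> str:
    """Build a stored userPassword value (salted SHA-256; assumption for the example)."""
    digest = hashlib.sha256(salt + password.encode()).hexdigest()
    return f"{HASH_TAG}{salt.hex()}${digest}"


def verify_password(stored: str, password: str) -> bool:
    """Constant-time comparison of a candidate password against a stored entry."""
    if not stored.startswith(HASH_TAG):
        return False
    salt_hex, digest = stored[len(HASH_TAG):].split("$", 1)
    candidate = hashlib.sha256(bytes.fromhex(salt_hex) + password.encode()).hexdigest()
    return hmac.compare_digest(candidate, digest)


# Constructed directory data, keyed by the LDAP server that hosts it. Each ISP
# keeps its own users under o=<realm>; the o=<other realm> entries are referral
# entries that carry only the URL of the server holding that subtree.
DIRECTORIES = {
    "ldap://ldap.isp1.example": {
        "o=isp1.example": {
            "uid=alice": {"userPassword": make_password_entry("wonderland", b"\x01\x02\x03\x04")},
        },
        "o=isp2.example": {"ref": "ldap://ldap.isp2.example"},
        "o=loop.example": {"ref": "ldap://ldap.loop-a.example"},  # misconfigured pointer
    },
    "ldap://ldap.isp2.example": {
        "o=isp2.example": {
            "uid=bob": {"userPassword": make_password_entry("builder", b"\x05\x06\x07\x08")},
        },
        "o=isp1.example": {"ref": "ldap://ldap.isp1.example"},
    },
    # Two servers referring to each other: a referral loop.
    "ldap://ldap.loop-a.example": {"o=loop.example": {"ref": "ldap://ldap.loop-b.example"}},
    "ldap://ldap.loop-b.example": {"o=loop.example": {"ref": "ldap://ldap.loop-a.example"}},
}


class ReferralLoop(Exception):
    """Raised when referrals revisit a server or exceed the hop limit."""


@dataclass
class AuthResult:
    accepted: bool
    reason: str
    servers_visited: list = field(default_factory=list)


def lookup_user(start_server: str, realm: str, uid: str, max_hops: int = 3):
    """Follow referrals from start_server until the directory owning realm is reached.

    Returns (server, entry_or_None, servers_visited)."""
    server = start_server
    visited = []
    for _ in range(max_hops + 1):
        if server in visited:
            raise ReferralLoop(f"referral loop via {server}")
        visited.append(server)
        subtree = DIRECTORIES.get(server, {}).get(f"o={realm}")
        if subtree is None:
            return server, None, visited          # this directory knows nothing about the realm
        if "ref" in subtree:
            server = subtree["ref"]               # referral entry: move to the pointed-at server
            continue
        return server, subtree.get(f"uid={uid}"), visited
    raise ReferralLoop(f"more than {max_hops} referral hops for realm {realm}")


def authenticate(local_server: str, local_realm: str, login: str, password: str) -> AuthResult:
    """Gateway logic: split user@realm, chase referrals, verify the password at the home directory."""
    uid, _, realm = login.partition("@")
    realm = realm or local_realm                  # no realm given: treat as a local user
    server, entry, visited = lookup_user(local_server, realm, uid)
    if entry is None:
        return AuthResult(False, f"no directory entry for {uid}@{realm} on {server}", visited)
    if not verify_password(entry["userPassword"], password):
        return AuthResult(False, "password mismatch", visited)
    return AuthResult(True, f"authenticated by {server}", visited)


if __name__ == "__main__":
    r = authenticate("ldap://ldap.isp1.example", "isp1.example", "bob@isp2.example", "builder")
    print(r.accepted, r.reason, " -> ".join(r.servers_visited))
```

Run from the R-ISP side (`ldap.isp1.example`), a login for `bob@isp2.example` is resolved in two hops, the local directory and then the home directory named in the referral, while `alice` with no realm never leaves the local server. The `loop.example` realm shows why the gateway must bound the chase: its two directories point at each other and `lookup_user` raises `ReferralLoop` instead of spinning.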
  • 13. The Pilot
  • 14. Implementation description
    • Merit AAA Server (basic version)
    • Netscape Directory Server
    • Project development of a RADIUS/LDAP gateway
    • Set-up of a Certification Authority to issue X.509 certificates for the use of SSL (sn=SIRTE CA,o=CSELT, c=IT)
  • 15. The Trials
    • Functionality tests
      • whole chain from roaming end-user to home ISP’s directory server
    • Performance tests
      • local access vs. remote access of a user
      • secure connections vs. non secure connections between LDAP servers
      • influence of DB size
    • “Near Operational” tests
      • All participants simultaneously authenticating themselves both locally and remotely over a period of time
  • 16. Results from the Trials
    • Functionality tests: the model works!
    • Performance tests
      • Local access:
        • non-secure connections: delay of a few tenths of a second
        • secure connections: delay of ~1/3 vs. non-secure
        • no influence of DB size
      • Remote access:
        • network delay of a few seconds: the delay introduced by the use of SSL is not relevant
    • “Near Operational” tests: influenced by network conditions
  • 17. Recommendations from the Pilot
    • ISPs:
      • before signing contracts for centralised solutions with third-party providers, first identify the participation costs to the consortia;
      • do not sign “exclusive” contracts for centralised solutions with third-party providers; keep the possibility to offer a de-centralised solution at the same time!
      • keep the research activity under observation, as it may provide important innovations in the near future.
  • 18. P914: Study and Trials for Internet Roaming in Europe: Scope & Activities
    • Two new participants: Portugal Telecom and Telefonica España
    • Enhancements to the roaming solution: management aspects, accounting mechanisms, security, directory phonebook
    • Client interface for roaming users
    • Support DIAMETER work; development and trial of a DIAMETER-based roaming solution (EURESCOM now a member of the Merit AAA consortium, members active participants in the IETF Roamops and AAA groups).