AIMS'99 Workshop



1. P805: Internet Roaming
   - Giuseppe Sisto - Telecom Italia / CSELT
   - [email_address]
   - Project participants:
     - Deutsche Telecom
     - Finnet Group
     - France Telecom
     - MATAV
     - Telecom Italia
2. AGENDA
   - Scope
   - Objectives
   - Technical approach
   - P805 results
   - P914 expected results
3. The Scope (from P717)
   - Multiple ISPs in each country
   - Problem similar to GSM roaming
   - Same model for roaming solution
   - Based on bilateral agreements between parties
   - No central clearing point
   - Distributed solution: scalable and robust
4. Roaming Service Reference Model
   [Diagram: the Home ISP's roaming user dials in at the Remote ISP's NAS (Network Access Service); the authentication server for the Remote ISP validates the user either through the traditional, centralized solution (a 3rd-party clearing point) or, in the P805 solution, through a direct A-A interface over the Internet to the authentication server for the Home ISP.]
5. The Requirements
   - Terminal-network interface:
     - should work for PSTN and ISDN
     - should work for most common devices and configurations
   - Network-network interface (A-A protocol):
     - should allow transport of all necessary parameters
     - should be secure (encryption, mutual validation)
     - should run over IP
   - Compatible with existing third-party solutions
6. The Possible Solutions
   - The solutions examined:
     - HTTP based
     - RADIUS based
     - DIAMETER
     - RADIUS/LDAP integration
7. HTTP-based Solution
   - SIR: Secure Internet Roaming specification (i-Pass consortium)
   - good security level (use of encryption and digital certificates)
   - based on a "centralized" model (MSS = Message Switching Server): out of our scope
   [Diagram: the H-ISP's roaming user connects with PPP/CHAP to the NAS at the Remote ISP (R-ISP); the RSAP, the MSS and the VNAS / authorizing entity at the Home ISP (H-ISP) exchange encrypted communication using HTTP over SSL.]
8. RADIUS-based Solution
   - No end-to-end security in case of untrusted intermediate proxies
   - Protocol not extensible: need for a new protocol
   [Diagram: the H-ISP's roaming user connects with PPP/CHAP to the NAS at the Remote ISP (R-ISP); the request is proxied from the R-ISP's AAA server (RADIUS) through the AAA server (RADIUS) of an Intermediate ISP (I-ISP) to the AAA server (RADIUS) of the Home ISP (H-ISP).]
9. DIAMETER
   - Framework for any service which requires AAA/policy support
   - flexible / extensible
   - Wide range of security solutions (including X.509 certificates)
   - Roaming scenario not yet available in '98
   - Only one "experimental" implementation from Merit
   - Not yet officially recognized by IETF
   [Diagram: the H-ISP's roaming user connects with PPP/CHAP to the NAS at the Remote ISP (R-ISP); the NAS speaks the RADIUS protocol to the R-ISP's DIAMETER (proxy) server, which speaks the DIAMETER protocol to the Home ISP's (H-ISP) DIAMETER (proxy) server.]
10. A Directory Enabled Solution
   - Directory Enabled Networks: a single common directory to support all applications, services and infrastructure
   - LDAP v3 (Lightweight Directory Access Protocol): IETF standard for Internet directories (RFC 2251)
   - Client/server model, distributed service, security framework (access control / TLS / SASL)
   [Diagram: a single Directory Service shared by e-mail, the network operating system and other applications.]
11. LDAP-based roaming model
   [Diagram: the H-ISP roaming user presents [email_address] and password to the NAS at the Remote ISP (R-ISP); the R-ISP's AAA/RADIUS server acts as LDAP client: 1. LDAP inquiry to the R-ISP LDAP server; 2. referral to the H-ISP LDAP server; 3. inquiry to the H-ISP LDAP server at the Home ISP (H-ISP).]
12. Directory information modeling (referral entry)
   [Diagram: a directory tree rooted at O=ISP1 (i.e. o=TIN.IT) holding Uid=ISP1User 1 ... Uid=ISP1User N, an O=ISP1AdminUsers subtree with Uid=ISPnAuthorisedUser, and referral entries O=ISP2 ... O=ISPn that act as pointers to the other ISPs' LDAP servers.]
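To make the referral flow of slides 11 and 12 concrete, the following is an added toy model of the RADIUS/LDAP gateway lookup; it is not code from P805 or the pilot. The directory contents, server names (ldap.isp1.example, ldap.isp2.example), realms and passwords are constructed, and modelling the password check as a bind at the home ISP's directory (so the credential digest never leaves the home ISP) is an assumption of this example, not something the slides specify.

```python
import hashlib
import hmac

# Constructed directory data: each ISP's LDAP server holds its own users under o=<ISP>
# (password kept as a SHA-256 digest here) plus referral entries pointing at the other
# ISPs' servers, mirroring the slide 12 information model. All names are invented.
def _digest(pw):
    return hashlib.sha256(pw.encode()).hexdigest()

DIRECTORIES = {
    "ldap.isp1.example": {
        "o=ISP1": {"users": {"alice": _digest("alice-secret")}},
        "o=ISP2": {"referral": "ldap://ldap.isp2.example/o=ISP2"},
    },
    "ldap.isp2.example": {
        "o=ISP2": {"users": {"bob": _digest("bob-secret")}},
        "o=ISP1": {"referral": "ldap://ldap.isp1.example/o=ISP1"},
    },
}
REALM_TO_ORG = {"isp1.example": "o=ISP1", "isp2.example": "o=ISP2"}
MAX_REFERRALS = 1  # one hop R-ISP -> H-ISP is all the bilateral model needs

def resolve_home_server(local_server, org, hops=0):
    """Steps 1 and 2 of slide 11: ask the local directory; follow its referral if any."""
    entry = DIRECTORIES[local_server].get(org)
    if entry is None:
        return None
    if "referral" in entry:
        if hops >= MAX_REFERRALS:
            return None  # refuse referral chains longer than the agreed bilateral hop
        host, _, ref_org = entry["referral"].removeprefix("ldap://").partition("/")
        return resolve_home_server(host, ref_org, hops + 1)
    return local_server

def directory_bind(server, org, uid, password):
    """Step 3: the home directory verifies the credential (assumed bind-style check)."""
    stored = DIRECTORIES[server][org].get("users", {}).get(uid)
    if stored is None:
        return False
    return hmac.compare_digest(stored, _digest(password))

def gateway_authenticate(local_server, nai, password):
    """RADIUS/LDAP gateway at the remote ISP: user@realm -> org -> home server -> bind."""
    uid, sep, realm = nai.partition("@")
    org = REALM_TO_ORG.get(realm) if sep else None
    if org is None:
        return False, None  # unknown realm: no bilateral agreement, reject locally
    home = resolve_home_server(local_server, org)
    if home is None:
        return False, None
    return directory_bind(home, org, uid, password), home
```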
13. The Pilot
14. Implementation description
   - Merit AAA Server (basic version)
   - Netscape Directory Server
   - Project development of a RADIUS/LDAP gateway
   - Set-up of a Certification Authority to issue X.509 certificates for the use of SSL (sn=SIRTE CA, o=CSELT, c=IT)
15. The Trials
   - Functionality tests
     - whole chain from roaming end-user to home ISP's directory server
   - Performance tests
     - local access vs. remote access of a user
     - secure connections vs. non-secure connections between LDAP servers
     - influence of DB size
   - "Near Operational" tests
     - all participants simultaneously authenticating themselves both locally and remotely over a period of time
16. Results from the Trials
   - Functionality tests: the model works!
   - Performance tests
     - Local access:
       - non-secure connections: delay of a few tenths of a second
       - secure connections: delay of ~1/3 vs. non-secure
       - no influence of DB size
     - Remote access:
       - network delay of a few seconds: the delay introduced by the use of SSL is not relevant
   - "Near Operational" tests: influenced by network conditions
17. Recommendations from the Pilot
   - ISPs:
     - before signing contracts for centralised solutions with third-party providers, first identify the participation costs of the consortia;
     - do not sign "exclusive" contracts for centralised solutions with third-party providers; keep the possibility of offering a de-centralised solution at the same time!
     - keep the research activity under observation, as it may provide important innovations in the near future.
18. P914: Study and Trials for Internet Roaming in Europe
   Two new participants: Portugal Telecom and Telefonica España
   Scope & Activities:
   - Enhancements to the roaming solution: management aspects, accounting mechanisms, security, directory phonebook
   - Client interface for roaming users
   - Support DIAMETER work; development and trial of a DIAMETER-based roaming solution (EURESCOM is now a member of the Merit AAA consortium; members are active participants in the IETF Roamops and AAA groups).