Presentation by Prof. Roshan Ragel at the LKNOG3 conference, Colombo 2019

1. 1
Tapping into the ISPs
LEARN’s Perspective
Roshan Ragel
BSc Eng, Ph.D.
Consultant
Presented at LkNOG3 on the 2nd of Oct 2019 in Colombo

2. 2
Content
1. LEARN: Preamble
2. LEARN and the ISPs
a. Connectivity
b. Eduroam
c. Identify Access Management

3. 3
LEARN - PREAMBLE

4. § Formulated to establish Lanka Education And Research Network (LEARN), the
NREN (National Research and Education Network) of Sri Lanka, as a Limited
Guarantee Company 2009.
§ Membership
16 Full Members 15 Associate Members 15 Affiliate Members
§ The Operation of LEARN is Governed by the Articles of Association of LEARN
(2009).
§ Managed by the LEARN Board of Directors, one member each from the full
member institutions.
4
LEARN

5. 5
16 Full Members

6. 6
15 Associate Members

7. 7
15 Affiliate Members

8. 8
LEARN - HISTORY

9. 10
LEARN – Connectivity Backbone

10. 11
LEARN – Network

11. 12
LEARN – Member VPLS
(Virtual Private LAN Service)
Universities
University of Colombo
Eastern University
University of Jaffna
University of Kelaniya
University of Moratuwa
Open University of Sri Lanka
University of Peradeniya
Rajarata University
University of Ruhuna
Sabaragamuwa University
South Eastern University
University of Sri Jayawardenapura
Uva-Wellassa University
University of the Visual and Performing Arts
Wayamba University
Bhiksu University of Sri Lanka
Buddhist & Pali University of Sri Lanka
General Sir John Kotelawala Defense University
Ocean University of Sri Lanka
Sri Palee Campus
Vocational Training Institutes
Sri Lanka – German Training Institute (SLGTI)
Sri Lanka Institute of Advanced Technological
Education (SLIATE)
Informatics Institute of Technology
Research Institutes
Arthur C Clarke Center for Modern Technologies (ACCMT)
Industrial Technology Institute (ITI)
National Institute of Fundamental Studies (NIFS)
National Aquatic Resources Agency (NARA)
National Science Foundation (NSF)
National Engineering Research and Development Center
(NERDC)
Postgraduate Institutes
Postgraduate Institute of Agriculture (PGIA)
Postgraduate Institute of Medicine (PGIM)
Postgraduate Institute of Humanities and Social Sciences (PGIHS)

12. 13
LEARN – Member Backup VPLS
(Virtual Private LAN Service)
Universities
University of Colombo
Eastern University
University of Jaffna
University of Kelaniya
University of Moratuwa
Open University of Sri Lanka
University of Peradeniya
Rajarata University
University of Ruhuna
Sabaragamuwa University
South Eastern University
University of Sri Jayawardenapura
Uva-Wellassa University
University of the Visual and Performing Arts
Wayamba University
General Sir John Kotelawala Defense University

13. 14
2Gbps
Highest local link bandwidth
§ University of Peradeniya
§ University of Moratuwa
10Mbps
Lowest local link bandwidth
§ Members with the higher bandwidths
also have separate backup links from
a second service provider
§ 300 Mbps - 1 Gbps→ 100 Mbps
§ > 1Gbps → 200 Mbps
77Connections Optical Fiber
Member Connection - Summary

14. 15
LEARN as an NREN

15. 17
A long term (15 years) 100G Asia-Europe Backbone
§ Asiapacific-Europe Ring (AER) MoU (Putrajaya, 22 July 2019)
• CAE-1 (AARNet, GÉANT, NORDUnet, SingAREN, SURFnet, TEIN*CC) and NICT, NII (Japan)
• Extensive backup links ensure network resilience and boost connectivity between Asia and Europe
for R&E

16. 18
LEARN – QoS
International Connectivity
(average to Chennai and Singapore
from Colombo/LEARN core)
• Availability - 99.8%
• Delay - 20ms
• Jitter - 4ms
• Packet loss – 0
(for non-congested fiber circuits)
Local Connectivity
(End Users to Colombo/LEARN core)
• Availability - 99.5%
• Delay – 4ms
(end users to the LEARN core)
• Jitter - 2ms
• Packet loss – 0
(for non-congested fiber circuits)
Delay Jitter Packet LossAvailability

17. 19
LEARN – Services
Overview

18. 20
BdREN
NKN
MyREN
SingAREN
VinaREN
LEARN
Network Services
IP Connectivity IPv6
Virtual Circuit/VPN Muticast
NTP Service Optical Wavelength
24x7 Monitoring
BdREN
NKN
MyREN
SingAREN
VinaREN
LEARN
Security Services & Identity
CERT/CSIRT DDoS Mitigation
Vulnerability Scanning Anti-Spam Solution
EduRoam InterFederation

19. 21
BdREN
NKN
MyREN
SingAREN
VinaREN
LEARN
Hosting/Collocation Services
DNS Hosting Cloud Storage
Filesender IaaS
SaaS Web Hosting
Email Server Hosting
BdREN
NKN
MyREN
SingAREN
VinaREN
LEARN
Other Services
Consultancy/Training Videoconferencing
Domain Name Register IP Address Allocation
Virtual Learning Web/Desktop conference

20. 22
LEARN – Services
eduroam

21. 23
How eduroam works
eduroam is built with
• IEEE 802.1X (A standard for port based Network Access Control) and
• RADIUS (Remote Authentication Dial-In User Service).

22. IRS - Institutional Radius Server
Main Connectivity Topology for IRS’s
ac.lk
xxx.ac.lk
APAN TLS

23. IRS - Institutional Radius Server
Main Connectivity Topology for IRS’s
ac.lk
xxx.ac.lk
APAN TLS
xxx.ac.lk

24. IRS - Institutional Radius Server
Main Connectivity Topology for IRS’s
ac.lk
aa.xxx.ac.lk
APAN TLS
xxx.ac.lk

25. bb.xxx.ac.lk
IRS - Institutional Radius Server
Main Connectivity Topology for IRS’s
ac.lk
aa.xxx.ac.lk
APAN TLS
xxx.ac.lk

26. bb.xxx.ac.lk
IRS - Institutional Radius Server
Main Connectivity Topology for IRS’s
ac.lk
aa.xxx.ac.lk
APAN TLS
xxx.ac.lk

27. eduroam and LEARN - Timeline

28. 30
eduroam - Current Members
1
13 1
1
1
1
Institute Joined Date
Open University of Sri Lanka 2015/09
University of Kelaniya 2015/09
University of Peradeniya 2015/10
University of Colombo, School of Computing 2015/11
University of Moratuwa 2016/03
Faculty of Engineering, University of Ruhuna 2016/06
Informatics Institute of Technology 2016/12
University of the Visual and Performing Arts 2017/10
Sabaragamuwa University 2017/10
Uva-Wellassa University 2018/10
Industrial Technology Institute 2018/10
Faculty of Medicine, University of Kelaniya, Ragama 2018/10
Arthur C Clarke Institute for Modern Technologies 2018/10
Faculty of Technology, University of Ruhuna 2019/05
University Grants Commission (UGC) 2019/06
University of Colombo 2019/07
South Eastern University 2019/08
1

29. § Increase the number of eduroam IRS’s
§ Awareness programs for Academics, Students, Researchers, etc.
§ Awareness poster campaign
§ Extend eduroam coverage to selected public places
§ REQUEST to ISPs
eduroam - Future Plans

30. 32
LEARN – Services
Identity Access Management
(IAM)

31. The Model
Centered on the User Identifier (NetID) - A single unique University wide
identifier bound to the individual user and used at log-in to provision:
Authentication
Quickly verify user identities
(Who you are?)
Authorization
Control users access
(What you can access?)
Administration
Manage user privileges by role, group, status, etc.
Allows for fine-grained policy application

32. Federated Identity
Current mechanisms
• Assume applications are within the
same administrative domain.
• Adding an external user means creating
an account in your ID system.
• This could result in the new user having
access to more than just the intended
application.
Federated Identity Management (FIM)
• Securely shares information managed
at a users home organization with
remote services.
• It doesn’t matter if the service is in your
administrative domain or another. It’s all
handled the same way.
Identity
Provider
Service
Provider
Access Authenticate
Service
Provider

33. Federated Identity
§ A Service Provider (SP) relies on the AuthN at the IdP, consumes the
information the IdP provided and makes it available to the application.
Access
Authentication (AuthN)
takes place where the user
is known
Identity Provider (IdP)
publishes authentication
and identity information
about its users
Authorization (AuthZ)
happens on the service's
side

34. Federated Identity
§ The first principle within federated identity management is the active
protection of user information
§ Protect the user’s credentials
§ Only the IdP ever handles the credentials
§ Protect the user's personal data, including the identifier
§ A customized set of information gets released to each SP

35. Identity Providers
Organisations with users run Identity Providers
§ Provide a login page
§ Provides a mechanism for consent of attribute
release
§ Login page is branded to the organisation
§ Login against the organisation LDAP or AD
§ Manages password reset
§ Provisions and de-provisions accounts
§ Agrees to the federation policies
Can be used for campus Single Sign-on as well as
federated SSO!

36. Service Providers
Run by organizations that have something to offer the federation community
§ Hands off authentication to IdPs
§ Obtains attributes from IdPs
§ Agrees to the federation policies

37. Federated Identity Management
SP – Service Provider
IdP – Identity Provider

38. Traditional Approach
Collaboration Identity Institutional Identity
Cloud
Google Docs
amara1234@gmail.com
collaborator1234@gmail.com
amara@inst.ac.lk
collaborator1234@university.ed.uk
Institutional infrastructure
@ inst
amara@inst.ac.lk
collaborator1234@inst.ac.lk
amara@inst.ac.lk
collaborator1234@university.ed.uk

39. FIM Approach
Collaboration Identity Institutional Identity
Cloud
amara@inst.ac.lk
collaborator1234@university.ed.uk
amara@inst.ac.lk
collaborator1234@university.ed.uk
Institutional infrastructure
@ inst
amara@inst.ac.lk
collaborator1234@university.ed.uk
amara@inst.ac.lk
collaborator1234@university.ed.uk

40. https://liaf.ac.lk
Introducing LEARN IAF

41. Federation Registry
https://fr.ac.lk

42. Discovery Service
https://fds.ac.lk

43. LIAF Architecture
eduroam NRO
eduroam
IRS
fr.ac.lk
Web based GUI IDP
User Database

44. Killer App?
Introduced Zoom Video Conferencing with Federated Access using SATOSA SAML Proxy
https://learn.zoom.us
Did an informational seminar to Technical / Non Tech 200 users on 12th July 2019

45. Institute Joined Date
Industrial Technology Institute - Sri Lanka 2018-11-06
Faculty of Medicine, University of Kelaniya 2018-11-28
Faculty of Technology, University of Ruhuna 2018-12-20
University of Colombo School of Computing 2019-06-07
University of the Visual and Performing Arts 2019-06-12
University Grants Commission - Sri Lanka 2019-06-12
University of Kelaniya - Sri Lanka 2019-06-13
University of Moratuwa 2019-06-14
IDP for LEARN Staff 2018-10-16
Faculty of Engineering, University of Ruhuna 2019-06-21
Uwa Wellassa University 2019-07-04
Faculty of Medicine, University of Ruhuna 2019-07-10
University of Colombo 2019-08-08
University of Peradeniya 2019-08-17
South Eastern University 2019-08-23
University of Ruhuna 2019-08-28
University of Sri Jayawardenapura 2019-09-05
Current Members
1
10 1
1
1
3

46. LEARN as a Service Provider
§ LEARN maintains a local indico instance as an event manager, opened to all through
eduGAIN with Research and Scholarship Entity Category, Uses eduTEAMS as discovery
service.
§ eduTEAMS is a IDP discovery service provided by eduGAIN to identify participating IDP’s
https://indico.learn.ac.lk

47. 49
LEARN is a Member of eduGAIN

48. § Increase the number of IDPs
§ More awareness programs for Academics, Students, Researchers, etc.
§ extend eduroam coverage to selected public places so that people will be
interested more on Identity enabled Services
§ Implement Monitoring and Analysis tools
§ Introduce SAML based authentication to all other LEARN provided services +
increase SPs
§ Hire some additional staff to be dedicated on LIAF activities – partially done
§ Request from ISP's to enable LIAF to their services, opening doors to 1000's
of academics and students
§ Include gov.lk portals through LGN (Lanka Government Network)
Future Plans

49. § LEARN and the ISPs
§ Connectivity
§ eduroam
§ Identity Access Management
(IAM)
Summary
§ TEIN*CC
§ Thilina Pathirana, LEARN
§ Internet Sources
Acknowledgement

50. Thank you!
52