28th TF-Mobility and Network Middleware Meeting
A4-Mesh: Authentication, Authorization, Accounting, and Auditing in Wireless Mesh Networks
Torsten Braun
Communication and Distributed Systems
Institute of Computer Science and Applied Mathematics
Universität Bern
braun@iam.unibe.ch
http://cds.unibe.ch, http://a4-mesh.unibe.ch
Overview
> Project Introduction
> Application Scenario
> Wireless Mesh Network
> Authentication and Authorization
> Accounting
> Conclusions and Outlook
Zürich, 26.06.2012 2
Torsten Braun: A4-Mesh: Authentication, Authorization, Accounting and Auditing in Wireless Mesh Networks
Project Introduction
Project Partners
> Institut für Informatik und Angewandte Mathematik
> Geographisches Institut
> Informatikdienste
> Institut d’Informatique
> Service Informatique et Télématique
Project Goals and Objectives
> Goal
— Provide low-cost broadband network access to researchers and students at remote locations
> Objectives
— Cost-efficient network access
— Easily deployable wireless mesh network (WMN)
— Integrated into the regular authentication and authorization infrastructure of Swiss higher education (SWITCHaai)
Wireless Mesh Networks (WMNs)
Application Scenarios
1. Environmental Monitoring
2. Campus Network Extension
AAAA for WMNs
> Authentication and Authorization of
1. wireless mesh nodes entering the WMN
2. mobile users accessing the Internet via the WMN (using SWITCH AAI mechanisms)
> Accounting of traffic generated by
1. wireless mesh nodes and sensors
2. individual mobile users (for charging and monitoring purposes)
> Auditing functions
— detect inconsistent or erroneous node states
— perform recovery mechanisms or trigger alarms
> Indoor testbed and pilot networks at
1. Crans Montana
2. University campuses at Bern and Neuchâtel
Application Scenario: MontanAqua
Requirements by Environmental Monitoring
> Support of scientists (hydrology researchers) to collect sensor data from environmental measurements.
> Scientists use data for generating and verifying models of the environment.
> Specific measurements to cover certain areas or to collect specific sensor data are needed.
MontanAqua Investigation Area
(Map of the investigation area showing Sion, Sierre, the Tseuzier storage lake and the Plaine Morte glacier; © Weingartner)
Modelling Water Resources
PIHM - Penn State Integrated Hydrologic Model
(Figure: PIHM modelling chain with water resources under climate-change scenarios 2010 to 2050, land use, a glacier module and a karst module, ice-thickness scale 0 m, 100 m, 200 m; © Martina Kauzlaric, © Jeannin, © Matthias Huss, © Weingartner)
High data demand for modelling water balance and fluxes
Weather Stations and Rain Gauges
Measured quantities: wind velocity & direction, air temperature & relative humidity, solar radiation, rainfall
Runoff Station
Soil Measurements
Instruments: soil moisture sensors, tensiometers, lysimeter
Data Transfer Alternatives
> GSM modem for weather stations: lost GSM signal
> GPRS modem for weather stations: data access only via the server of the weather station producer
> Manually for rain gauges, runoff gauges and weather station
Serial Port Tunneling
Benefits for Scientists
> Real-time access to the logger (software updates, failure checking)
→ reduced frequency of maintenance
> Real-time data access (data verification, monitoring of sensors)
> Data stored on a server at the University and on the logger in the field
→ reduced risk of data loss (destruction of sensors/loggers)
→ independent of GSM/GPRS network availability
→ high data-transfer rates (webcam)
Sensor Readings
Wireless Mesh Network
MontanAqua Sensors and A4-Mesh Network
(Figure: sensor sites and mesh nodes, including a webcam)
A4-Mesh Topology
(Figure: mesh topology between Sion and Sierre)
Wireless Mesh Node Technology
• IP66 steel enclosure
• 1-2x Alix 3D2 system boards
• 1x Alix 6F2 system board
• 1-4x 802.11n mini PCI cards
• 1x 802.11g mini PCI card
• 1x UMTS mini PCI-Express card
• I2C twin relay
• 2x2 MIMO, 25 dBi, dual polarization panel antennas
• ADAM Linux
• Optimized Link State Routing / 802.11s
Deployment of Nodes 4a/b
Deployment of Nodes 3/7
Deployment of Node 8
Authentication and Authorization
Authentication and Authorisation
> Network resources can only be accessed by authenticated and authorized end users and wireless mesh nodes:
— Wireless mesh nodes entering the WMN
– Mechanism tailored to WMNs supporting easy and secure inter-organizational access to network resources using a separate Shibboleth federation.
— Mobile users accessing the Internet via the WMN
– Implementation based on a web-based captive portal protected by SWITCHaai
A4-Mesh AAAA Architecture
Machine Authentication and Authorization
(Sequence diagram; the messages in order:)
1. Request VPN key
2. Authentication request with X.509 certificate
3. Machine attributes
4. Is authorized?
5. Authorized
6. VPN key
7. Open firewall
8. VPN tunnel establishment
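The machine authentication and authorization sequence above, as an added Python example that is not part of the original slides: a node presents its certificate, the gateway verifies it, looks up the machine attributes, takes the authorization decision, and only then hands out a VPN key and opens the firewall. The HMAC-based certificate stand-in, the node names, the attribute set and the policy are constructed placeholders for the project's X.509/Shibboleth federation.

```python
import hashlib, hmac, secrets, time
from dataclasses import dataclass, field

# Constructed stand-in for the federation PKI: the CA "signs" subject, key fingerprint and
# expiry with an HMAC. A real node presents an X.509 certificate that is chain-verified;
# only the control flow around that step is what this example demonstrates.
CA_KEY = b"constructed-federation-ca-key"

@dataclass
class Cert:
    subject: str        # mesh node identity, constructed names like "node-8.a4-mesh.example"
    fingerprint: str
    not_after: float
    signature: bytes

def ca_issue(subject, fingerprint, not_after):
    payload = f"{subject}|{fingerprint}|{not_after}".encode()
    return Cert(subject, fingerprint, not_after, hmac.new(CA_KEY, payload, hashlib.sha256).digest())

def ca_verify(cert, now):
    payload = f"{cert.subject}|{cert.fingerprint}|{cert.not_after}".encode()
    expected = hmac.new(CA_KEY, payload, hashlib.sha256).digest()
    return hmac.compare_digest(expected, cert.signature) and now < cert.not_after

# Machine attributes the federation holds for each node identity (constructed).
MACHINE_ATTRIBUTES = {
    "node-8.a4-mesh.example": {"organization": "unibe", "role": "mesh-node", "site": "crans-montana"},
    "node-x.a4-mesh.example": {"organization": "unibe", "role": "decommissioned", "site": "crans-montana"},
}

def is_authorized(attrs):
    """Policy decision on attributes: partner-organization nodes with the mesh-node role."""
    return attrs.get("role") == "mesh-node" and attrs.get("organization") in {"unibe", "unine"}

@dataclass
class Gateway:
    firewall_open_for: set = field(default_factory=set)
    vpn_keys: dict = field(default_factory=dict)

    def request_vpn_key(self, cert, now=None):
        """Authenticate, fetch attributes, authorize, then issue the key and open the firewall."""
        now = time.time() if now is None else now
        if not ca_verify(cert, now):                    # authentication with the certificate
            return None, "authentication failed"
        attrs = MACHINE_ATTRIBUTES.get(cert.subject)    # machine attributes
        if attrs is None or not is_authorized(attrs):   # is authorized?
            return None, "not authorized"
        key = secrets.token_hex(32)                     # VPN key, bound to the authenticated subject
        self.vpn_keys[cert.subject] = key
        self.firewall_open_for.add(cert.subject)        # open firewall only after a positive decision
        return key, "authorized"
```

An expired or forged certificate fails at the authentication step, and a node whose attributes do not satisfy the policy never reaches the key and firewall steps.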
User Authentication and Authorization
(Captive Portal)
Accounting
Accounting
> Traffic monitoring at each mesh node (NetFlow, RFC 3954)
> Central storage of flow statistics at A4-Mesh gateway
> Data enrichment at A4-Mesh gateway (IP, IPNAT, time, UniqueID)
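An added Python example (not the project's code) of the accounting pipeline on this slide: a NetFlow v9 (RFC 3954) parser that handles Template and Data FlowSets, followed by the gateway-side enrichment with IP, NATed IP, time and UniqueID. The export packet, the NAT table and the captive-portal session table are constructed sample inputs; the field type ids follow the RFC.

```python
import struct
from ipaddress import IPv4Address

# RFC 3954 field type ids used by the constructed template below (8 and 12 are IPv4 addresses).
FIELD_NAMES = {1: "bytes", 2: "packets", 4: "proto", 7: "sport", 8: "src", 11: "dport", 12: "dst"}

def parse_netflow_v9(packet, templates):
    """Return flow records from one export packet; `templates` persists across packets."""
    version, _count, _uptime, unix_secs, _seq, source_id = struct.unpack("!HHIIII", packet[:20])
    if version != 9:
        raise ValueError(f"not NetFlow v9: version {version}")
    off, records = 20, []
    while off + 4 <= len(packet):
        flowset_id, length = struct.unpack("!HH", packet[off:off + 4])
        if length < 4:
            raise ValueError("bad FlowSet length")
        body, off = packet[off + 4:off + length], off + length
        if flowset_id == 0:                                   # Template FlowSet
            p = 0
            while p + 4 <= len(body):
                tid, nfields = struct.unpack("!HH", body[p:p + 4])
                fields = [struct.unpack("!HH", body[p + 4 + 4 * i:p + 8 + 4 * i]) for i in range(nfields)]
                templates[(source_id, tid)] = fields          # templates are scoped per source ID
                p += 4 + 4 * nfields
        elif flowset_id > 255:                                # Data FlowSet, id = template id
            fields = templates.get((source_id, flowset_id))
            if fields is None:
                continue                                      # template not seen yet: skip, never guess
            rec_len, p = sum(flen for _, flen in fields), 0
            while p + rec_len <= len(body):                   # leftover bytes are padding
                rec, q = {"time": unix_secs}, p
                for ftype, flen in fields:
                    raw = body[q:q + flen]; q += flen
                    rec[FIELD_NAMES.get(ftype, f"field{ftype}")] = (
                        str(IPv4Address(raw)) if ftype in (8, 12) else int.from_bytes(raw, "big"))
                records.append(rec); p += rec_len
    return records

def enrich(records, nat_table, sessions):
    """Gateway-side enrichment: add the NATed address and the captive-portal UniqueID."""
    return [dict(r, ip=r["src"], ip_nat=nat_table.get(r["src"]), unique_id=sessions.get(r["src"]))
            for r in records]

def build_sample_packet():
    """Constructed export from a mesh node: one template (id 256) and two data records."""
    template = struct.pack("!HH", 256, 7) + b"".join(
        struct.pack("!HH", t, l) for t, l in [(8, 4), (12, 4), (7, 2), (11, 2), (4, 1), (1, 4), (2, 4)])
    tmpl_set = struct.pack("!HH", 0, 4 + len(template)) + template
    rec = lambda s, d, sp, dp, pr, nb, np_: IPv4Address(s).packed + IPv4Address(d).packed + struct.pack("!HHBII", sp, dp, pr, nb, np_)
    data = rec("10.0.1.25", "192.0.2.10", 50000, 443, 6, 12345, 20) + rec("10.0.1.30", "198.51.100.53", 50001, 53, 17, 80, 1)
    data += b"\x00" * (-len(data) % 4)                        # pad the Data FlowSet to a 4-byte boundary
    data_set = struct.pack("!HH", 256, 4 + len(data)) + data
    header = struct.pack("!HHIIII", 9, 3, 100000, 1340700000, 1, 7)   # version 9, 3 records, source ID 7
    return header + tmpl_set + data_set
```

A flow whose inner address has no captive-portal session gets `unique_id` None, which is exactly the kind of unattributed traffic the auditing functions should flag.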
Accounting Aggregator
Network Monitoring
> Monitoring agent at each mesh node (Zabbix agent)
> Central server at A4-Mesh gateway (Zabbix server)
Conclusions and Outlook
Conclusions
> WMN is valuable for researchers working in the field.
> Implementation of SWITCHaai-based authentication and
authorization for WMN nodes and end users
> Implementation of monitoring functions for WMN nodes
> Outlook: integration and tests
a4-mesh.unibe.ch

Editor's Notes

  • #11: Location of the area under investigation: south-facing hill slope of the Bernese Alps between Sion and Sierre.
  • #12: Complex hydrological model.
  • #13: Two types of weather stations: left, from an Austrian producer; right, assembled by GIUB.
  • #15 and #16: Two possibilities: others do the work (OFEN, MeteoSwiss, WSL, SLF, universities, engineering offices, private parties), or you measure yourself (if you have no other spare-time activities).