All Things eduroam


CANARIE is the operator for eduroam in Canada and is active both domestically and internationally working on improvements and expanding the reach of eduroam. Our activities are diverse and we would like to update the community with developments in the following areas:

Eduroam operations: The number of eduroam sites in Canada is growing, and so is the traffic, as more and more mobile users carry multiple devices. Maintaining a high-quality experience is important, since the ultimate assessment is in the hands of the users. This portion of the presentation will discuss specific areas that we focused on and how they have improved, as well as eduroam traffic patterns and analysis tools.

Helping eduroam sites streamline eduroam configuration using CAT: CAT is short for Configuration Assistant Tool, a centrally managed service tool created by that allows site admins to monitor and remotely test their eduroam site from international locations. It uses federated access (using CAF & eduGAIN) to permit site operators to manage their own site-specific settings, and helps streamline eduroam deployment and local support.

Looking to the future: Exploring enhancements to eduroam infrastructure – eduroam has been in service for just over ten years using the same durable RADIUS technology. This portion of the presentation will explore some of the next generation approaches to keep eduroam growing and working even better for the next decade. Topics in this section will be improved ways to interconnect eduroam servers using DNSSEC, as well as DANE cryptographic enhancements for dynamic server discovery.

Published in: Technology
All Things eduroam

  1. 1.
  2. 2. www.canarie.ca | An update on eduroam topics in Canada | All Things Eduroam | Chris Phillips | June 12th, 2013 | CANHEIT | Ottawa
  3. 3. Today's topics: About Canadian Operations (Traffic Stats, Trends & Patterns); Streamlining Configuration (Tools, Under the hood); Looking into the future (Latest Developments, Options)
  4. 4. Wifi is the new ethernet
  5. 5. [Chart: CANHEIT 2013 eduroam Usage. Series: eduroam Authentications, eduroam Unique Users. Days shown: Thursday, 6 June 2013 to Tuesday, 11 June 2013.]
  6. 6.
  7. 7. A day in the life of eduroam
  8. 8. Where do they benefit from the service?
  9. 9. Within Canada…
  10. 10. [Chart: Eduroam in Canada. Series: eduroam Successful Logins (International, Canada), % no reply from server.]
  11. 11. Eduroam helping reduce guest accounts
  12. 12. Tools
  13. 13. Go from this / To this
  14. 14. Canadian Data Now in eduroam Companion
        • Based on registry & published by XML
        • XML files aggregated centrally by & available for apps
        • One example of benefiting from a larger ecosystem
  15. 15. Data Improvements
        • Eduroam @ your campus is not just a single point
        • But that's all we have on you to geo-locate.
        • Site admins can provide updated institution XML for their extra sites to enrich the database
        • Send to:
  16. 16. Eduroam CAT service
        • Builds & hosts profile installers for all platforms and devices (MSFT, Apple, Linux)
        • CANARIE participated early in Beta testing to help exercise the tool
        • Profile = specific configuration on your device to connect to the network
  17. 17. Signing on to Manage Your eduroam Site
        • Access is only for site admins
        • Requires Federated Single Sign On + invitation one time link
        • Can create multiple admins
        • Can create multiple 'profiles' for testing prior to release.
        • Production Profiles can be downloaded via CAT
  18. 18. Once Signed in
  19. 19. Site details
  20. 20. Ability to check other eduroam domains
  21. 21. Creating, Managing & Testing profiles
        • Multiple profiles can exist
        • Ability to remotely check your own domain
        • You can check your profile in advance for own unit testing!
  22. 22. Managing the Profile
  23. 23. Testing your profile
  24. 24. You're Invited!
        • To tap into this great resource, request your CAF IdP to be added to the eduGAIN feed
        • Once added we send site admins an invite and you're in
        • Don't have a CAF IdP? Check out our Identity Appliance
        Chris Owens
  25. 25. Eduroam: Looking into the Future within Canada
  26. 26.
  27. 27.
  28. 28. Investments Being Made
        • Geographic diversity
        • Expanded capacity
        • Increased automation, Change management improvements
        • Ops tools: int'l tools ( ticketing & reporting
  29. 29. Eduroam: Looking into the Future globally
  30. 30. Recent Stats
        • Thousands (~10000+) points of presence for eduroam SSID
        • 60 countries/regions in production, 27 in pilot
        • 60,000,000+ successful transactions processed monthly
        • Between 10-13% is international traffic
        [Chart: 1hr of Global eduroam successful signons, May 14th, 2013 4pm CEST (peak). Countries shown: at bg cz dk fi hr ie it mk no pl rs se uk.]
        [Chart: Comparing Domestic & International – May 14th, 2013, 4pm CEST (peak). Values shown: 161,238 and 23,553; labels: ∑ National, ∑ International.]
  31. 31. Eduroam Today (Slide 31)
        [Diagram labels: id: | realm: | realm: sfu.ca | realm: ca | Confederation Servers | Federation Server | realm: restena.lu | realm: lu | realm: uni.lu]
        Predicting Growth – Hard, but let's try
        • Needed for preservation of quality & enough runway to act
        • Crystal Ball → Assumptions: ratio 2:87:10000:50MM, or
        • 10 countries/yr, ea. w/114 'domains' & 575k signons/mth
        • Adding another 30 countries, requires 1 more root server
        • No one has any more devices than they do today :)
        • There are 193 countries/regions worldwide
        • ..What does this look 3 years out then?
        Today: x87 countries | Today: x2 roots svrs | Today: 10,000+ sites
        +3yrs: x117 countries | +3yrs: 3? roots svrs | +3yrs: 13,348+ sites
        In 3 years from now..
  32. 32. Why do something different?
        • Mobility's explosive growth hard to predict (size/freq etc)
        • TCO profile improvements to be made from new tech.
        • Int'l roaming hierarchical model of TLD != geography/country oversight (e.g. .edu/.org)
        • Hierarchical structure transactional performance cost more pronounced as mobility increases
        Bottom line: Need to investigate ways to have optimal service performance & cost which break away from same curve as growth
  33. 33. Future Contexts
        cubmundo, Greg Bishop
        • Reality: we're no longer nimble: now have battleship turning radius
        • Recommendations/explorations take time to do well, and have long shelf life → means planning horizons of 2,3,5yr for deployment + Total Cost Ownership
        • Always an eye on overall cost, want to explore new paths for trust management. PKIX already woven into today's model, improvements to this?
        Approach, 2 years out: Do mix of NAPTR, Shared Secret, RADSEC?
        Approach, 3 years out: Go toward stronger PKIX model?
        Approach, 5 years out: Leverage DNSSEC & DANE?
  34. 34. eduroam augmented with DANE (Slide 34)
        [Diagram labels: id: | realm: ubc.ca | Host: hotspot.ubc.ca | realm: sfu.ca | realm: ca | Confederation Servers | Federation Server | realm: restena.lu | realm: lu | realm: uni.lu]
        Exchange shown in the diagram:
        • eduroam.org DNSSec zone for 'Host' In DNS & has cert?
        • Yes, here it is!, can I have your key?
        • Yes, here it is!
        • Yup, key offered matches that in DNSSec tree, you shall pass, carry on!
  35. 35. Take Aways
        About Canadian Operations (Traffic Stats, Trends & Patterns)
        • Always expanding the network
        • Mobility will just get more important
        • We build on your success
        Streamlining Configuration (Tools, Under the hood)
        • We're making it easier
        • Tools are ready for you
        • Go for the next step
        Looking into the future (Options, Latest Developments)
        • Investing in the infrastructure
        • Working with leaders worldwide
        • Ensuring our needs are heard
  36. 36. Useful References
        • The DNS-Based Authentication of Named Entities (DANE) Transport Layer Security (TLS) Protocol: TLSA
        • Cases and Requirements for DNS-Based Authentication of Named Entities (DANE)
        • reference about expected responses and SMTP and DANE whitepaper
        • other enhancements/ideas about certificates and related security
  37. 37.
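
The check sketched on slide 34 (the key a server offers must match the one published in the DNSSEC-signed tree), as an added example that is not from the original deck or CANARIE's code: it matches DANE TLSA records (RFC 6698) of usage 3 against the certificate or public key a peer presents. The function names, the sample byte strings and the use of port 2083/tcp (RadSec) in the owner name are assumptions; DNSSEC validation is assumed to be done by the resolver and passed in as a flag.

```python
import hashlib
import hmac

# TLSA matching types (RFC 6698): 0 = raw bytes, 1 = SHA-256, 2 = SHA-512.
DIGESTS = {0: bytes, 1: lambda b: hashlib.sha256(b).digest(),
           2: lambda b: hashlib.sha512(b).digest()}


def tlsa_owner_name(host, port=2083, proto="tcp"):
    """DNS name holding the TLSA records for a service (2083/tcp = RadSec, assumed)."""
    return f"_{port}._{proto}.{host.rstrip('.')}."


def parse_tlsa(rdata):
    """Parse presentation format 'usage selector mtype hex...' into a tuple."""
    usage, selector, mtype, *hexparts = rdata.split()
    return int(usage), int(selector), int(mtype), bytes.fromhex("".join(hexparts))


def dane_ee_match(tlsa_rrset, dnssec_secure, cert_der, spki_der):
    """True only if a DNSSEC-validated usage-3 TLSA record pins what the peer offered."""
    if not dnssec_secure:              # unsigned or bogus answer proves nothing
        return False
    offered = {0: cert_der, 1: spki_der}   # selector 0 = full cert, 1 = public key
    for rdata in tlsa_rrset:
        try:
            usage, selector, mtype, pinned = parse_tlsa(rdata)
        except ValueError:             # malformed record: ignore it, try the next
            continue
        if usage != 3 or selector not in offered or mtype not in DIGESTS:
            continue                   # usages 0-2 need chain building, out of scope
        if pinned and hmac.compare_digest(DIGESTS[mtype](offered[selector]), pinned):
            return True
    return False


# Constructed sample data: stand-ins for the DER bytes a TLS peer would present.
SAMPLE_CERT = b"constructed-certificate-der"
SAMPLE_SPKI = b"constructed-subject-public-key-info-der"
SAMPLE_RRSET = ["3 1 2 zz-not-hex",                       # malformed, skipped
                "3 1 1 " + hashlib.sha256(SAMPLE_SPKI).hexdigest()]

if __name__ == "__main__":
    print(tlsa_owner_name("hotspot.ubc.ca"))
    print(dane_ee_match(SAMPLE_RRSET, True, SAMPLE_CERT, SAMPLE_SPKI))   # key matches
    print(dane_ee_match(SAMPLE_RRSET, False, SAMPLE_CERT, SAMPLE_SPKI))  # no DNSSEC
    print(dane_ee_match(SAMPLE_RRSET, True, SAMPLE_CERT, b"other-key"))  # wrong key
```

A match is refused whenever the TLSA answer was not DNSSEC-validated, because an unsigned record can be forged by anyone able to spoof DNS and would pin nothing.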