stefan.winter at restena.lu
Thu Nov 5 08:32:44 CET 2009
> Forget RADSEC then, you might as well use IPsec in transport mode with AH
> (as hell we are already shifting EAP traffic around so ESP would be
> pointless) and then you can do it with bog standard RADIUS; although
> someone will need to sort out the "route straight to domain SRV record"
People in eduroam have tried RADIUS over IPSec and it was a pest. They
gave up on it and switched to RadSec meanwhile. And for RadSec, routing
via DNS is known (in a commercial product) since the early 2000s and
picked up in the IETF as of 2007. I just saw Alan Buxey referenced the
current state of it in his latest mail.
> So, 'eduroam-ca.der' can be a *group* of Root CA's I hope and there is a
> way to make sure that when the original CA reaches its end of life you
> get *all* the sysadmins involved to update it to have the two CA's for a
> while and then on a 'd-day' to remove the old one?
The current plans in eduroam do indeed foresee a group of CAs: one for
each National Research Network that's willing to operate its own, and a
catch-all CA for the rest. All of which have individual rollover dates.
And have their own CRLs which need to be re-loaded regularly (which
means that there is no one D-Day). Sounds dreadful to you? Simple: a
repository with CAs and CRLs and a cron job to fetch the current state
once per day or so, and a HUP to pick it up. Nothing a server operator
should be afraid of.
CRL reload in OpenSSL is a pest right now, and we're eagerly waiting for
OpenSSL 1.0.0 which is claimed to be able to do this properly.
> Kinda my point is there is no reason why the bar could not be lowered
> further. The DNS idea was a hare-brained idea of mine and I think it is
> crazy enough to work...plus it is using the *existing* infrastructure;
> plus finally admitting that eduroam is *not* something that can be
> wholly accepted by an RFC...it is an exception.
> This is obviously turning into an Alex v's World argument. :-/
We've spent tremendous amounts of thinking and taxpayer money to think
about this. Without knowing your own flavour of DNS idea: how do you
solve the following:
- eduroam is for educational use only
- microsoft.com sets up a RADIUS server and enters a DNS record for it
- eduroam hotspot gets a user login from microsoft.com, looks up server,
authenticates, user uses network
- damn, we just allowed a commercial user into our network and violated
our own AUP and national regulations orders!
We think PKI (and certificates that hold accreditation info) comes to
the rescue. What rescues you?
> RADSEC with the PKI infrastructure eduroam is touting is a ticking time
> bomb and knowing the educational world they are going to notice this
> international trust network and want to shovel their own cruft over it
> too. When d-day arrives, it is going to break hard....the ides of March
> I tell you the ides of March.
Without a specific D-Day, your statement above loses much of its sense.
> Bah, to hell with you all ;)
Last time I went there, I made it freeze over. Made it lose most of its
charm, and I don't plan on going back.
Ingenieur de Recherche
Fondation RESTENA - Réseau Téléinformatique de l'Education Nationale et de la Recherche
6, rue Richard Coudenhove-Kalergi
Tel: +352 424409 1
Fax: +352 422473
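A concrete shape for the "repository with CAs and CRLs, a cron job to fetch the current state once per day, and a HUP to pick it up" routine that Stefan sketches above, as an added example; this is not code from the mail, from eduroam or from the FreeRADIUS project. The repository URL and its layout (a concatenated `ca-bundle.pem` plus a `crls/` directory with an `index.txt` listing the CRL file names), the local paths, and the cron line are all assumptions. The point a server operator should take from it is the ordering: download into a staging directory, check every CRL's signature against the CA bundle, and only then swap the set into place and signal the server, so a truncated or tampered download never replaces a working set. It is POSIX sh and needs `openssl` and `curl`.

```shell
#!/bin/sh
# Added example, not code from the mail, from eduroam or from FreeRADIUS:
# the daily "fetch CAs and CRLs, then HUP" job described above.
# Assumptions: the repository serves ca-bundle.pem (all federation root CAs,
# concatenated) and crls/index.txt listing one CRL file name per line; the
# server's TLS section reads its CA file from $LIVE_DIR/ca-bundle.pem and its
# CRLs from $LIVE_DIR/crls with CRL checking enabled. Needs openssl and curl.

REPO_URL="${REPO_URL:-https://pki.example.invalid/eduroam}"   # placeholder
LIVE_DIR="${LIVE_DIR:-/etc/raddb/certs/eduroam}"              # assumed path
PIDFILE="${PIDFILE:-/var/run/radiusd/radiusd.pid}"            # assumed path

# fetch_repo STAGE: download bundle and CRLs into a staging directory, never
# straight into the live one. Names from the index are restricted to plain
# file names so a malformed index cannot write outside STAGE/crls.
fetch_repo() {
    stage="$1"
    mkdir -p "$stage/crls"
    curl -fsS -o "$stage/ca-bundle.pem" "$REPO_URL/ca-bundle.pem" </dev/null
    curl -fsS -o "$stage/crls.index" "$REPO_URL/crls/index.txt" </dev/null
    while read -r name; do
        [ -n "$name" ] || continue
        case "$name" in
            *[!A-Za-z0-9._-]*|.*) echo "refusing CRL name: $name" >&2; return 1 ;;
        esac
        curl -fsS -o "$stage/crls/$name" "$REPO_URL/crls/$name" </dev/null
    done < "$stage/crls.index"
}

# verify_crls CRLDIR CABUNDLE: each CRL must carry a valid signature from a CA
# in the bundle. The "verify OK" text is checked because older openssl
# releases exit 0 even when verification fails. Fails on the first bad CRL.
verify_crls() {
    crldir="$1"; bundle="$2"
    found=0
    for crl in "$crldir"/*.pem; do
        [ -f "$crl" ] || continue
        found=1
        if ! openssl crl -in "$crl" -CAfile "$bundle" -noout 2>&1 | grep -q 'verify OK'; then
            echo "CRL signature check failed: $crl" >&2
            return 1
        fi
    done
    [ "$found" -eq 1 ] || { echo "no CRLs in $crldir" >&2; return 1; }
}

# rehash_dir DIR: create the hashed symlinks OpenSSL uses to find CRLs in a
# directory (openssl rehash on 1.1.0 and later, the c_rehash script before).
rehash_dir() {
    openssl rehash "$1" >/dev/null 2>&1 || c_rehash "$1" >/dev/null 2>&1
}

# install_bundle STAGE LIVE: swap the verified staging directory into place
# with two renames, keeping the previous set as LIVE.prev for a rollback.
install_bundle() {
    stage="$1"; live="$2"
    rehash_dir "$stage/crls" || echo "warning: could not rehash $stage/crls" >&2
    rm -rf "$live.prev"
    if [ -d "$live" ]; then mv "$live" "$live.prev"; fi
    mv "$stage" "$live"
}

# reload_radiusd PIDFILE: FreeRADIUS re-reads its configuration, including
# the CA file and CRLs, on SIGHUP.
reload_radiusd() {
    [ -r "$1" ] || { echo "cannot read pidfile $1" >&2; return 1; }
    kill -HUP "$(cat "$1")"
}

# refresh_all: the whole daily run; any failure leaves the live set untouched.
refresh_all() {
    stage=$(mktemp -d "$LIVE_DIR.stage.XXXXXX") || return 1
    if fetch_repo "$stage" && verify_crls "$stage/crls" "$stage/ca-bundle.pem"; then
        install_bundle "$stage" "$LIVE_DIR" && reload_radiusd "$PIDFILE"
    else
        rm -rf "$stage"
        return 1
    fi
}

# Assumed cron entry: 17 4 * * * /usr/local/sbin/eduroam-pki-refresh --refresh
if [ "${1:-}" = "--refresh" ]; then
    refresh_all
fi
```

With several federation CAs on individual rollover schedules, the bundle simply gains a root some time before the old one expires and loses it afterwards; the script does not care how many roots the bundle holds, which is what makes the "no single D-Day" model workable for an operator.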