One document matched: draft-wierenga-ietf-eduroam-00.xml
<?xml version="1.0"?>
<!DOCTYPE rfc SYSTEM "rfc2629.dtd"[
<!ENTITY RFC2119 SYSTEM
"http://xml.resource.org/public/rfc/bibxml/reference.RFC.2119.xml">
<!ENTITY RFC2865 SYSTEM
"http://xml.resource.org/public/rfc/bibxml/reference.RFC.2865.xml">
<!ENTITY RFC2866 SYSTEM
"http://xml.resource.org/public/rfc/bibxml/reference.RFC.2866.xml">
<!ENTITY RFC3268 SYSTEM
"http://xml.resource.org/public/rfc/bibxml/reference.RFC.3268.xml">
<!ENTITY RFC5176 SYSTEM
"http://xml.resource.org/public/rfc/bibxml/reference.RFC.5176.xml">
<!ENTITY RFC3539 SYSTEM
"http://xml.resource.org/public/rfc/bibxml/reference.RFC.3539.xml">
<!ENTITY RFC3588 SYSTEM
"http://xml.resource.org/public/rfc/bibxml/reference.RFC.3588.xml">
<!ENTITY RFC3748 SYSTEM
"http://xml.resource.org/public/rfc/bibxml/reference.RFC.3748.xml">
<!ENTITY RFC4107 SYSTEM
"http://xml.resource.org/public/rfc/bibxml/reference.RFC.4107.xml">
<!ENTITY RFC4279 SYSTEM
"http://xml.resource.org/public/rfc/bibxml/reference.RFC.4279.xml">
<!ENTITY RFC4346 SYSTEM
"http://xml.resource.org/public/rfc/bibxml/reference.RFC.4346.xml">
<!ENTITY RFC4372 SYSTEM
"http://xml.resource.org/public/rfc/bibxml/reference.RFC.4372.xml">
<!ENTITY RFC4953 SYSTEM
"http://xml.resource.org/public/rfc/bibxml/reference.RFC.4953.xml">
<!ENTITY RFC5246 SYSTEM
"http://xml.resource.org/public/rfc/bibxml/reference.RFC.5246.xml">
<!ENTITY RFC5247 SYSTEM
"http://xml.resource.org/public/rfc/bibxml/reference.RFC.5247.xml">
<!ENTITY RFC5280 SYSTEM
"http://xml.resource.org/public/rfc/bibxml/reference.RFC.5280.xml">
<!ENTITY RFC5580 SYSTEM
"http://xml.resource.org/public/rfc/bibxml/reference.RFC.5580.xml">
<!ENTITY RFC5997 SYSTEM
"http://xml.resource.org/public/rfc/bibxml/reference.RFC.5997.xml">
<!ENTITY RFC6066 SYSTEM
"http://xml.resource.org/public/rfc/bibxml/reference.RFC.6066.xml">
<!ENTITY RFC6125 SYSTEM
"http://xml.resource.org/public/rfc/bibxml/reference.RFC.6125.xml">
<!ENTITY RFC6421 SYSTEM
"http://xml.resource.org/public/rfc/bibxml/reference.RFC.6421.xml">
<!ENTITY RFC6613 SYSTEM
"http://xml.resource.org/public/rfc/bibxml/reference.RFC.6613.xml">
<!ENTITY RFC6614 SYSTEM
"http://xml.resource.org/public/rfc/bibxml/reference.RFC.6614.xml">
<!ENTITY radius-tcp PUBLIC ''
'http://xml.resource.org/public/rfc/bibxml3/reference.I-D.ietf-radext-tcp-transport.xml'>
<!ENTITY radius-dtls PUBLIC ''
'http://xml.resource.org/public/rfc/bibxml3/reference.I-D.ietf-radext-dtls.xml'>
<!ENTITY dyn-disc PUBLIC ''
'http://xml.resource.org/public/rfc/bibxml3/reference.I-D.ietf-radext-dynamic-discovery.xml'>
<!ENTITY radsec PUBLIC ''
'http://xml.resource.org/public/rfc/bibxml3/reference.I-D.ietf-radext-radsec.xml'>
<!ENTITY I-D.hansen-privacy-terminology SYSTEM
"http://xml.resource.org/public/rfc/bibxml3/reference.I-D.hansen-privacy-terminology.xml">
<!ENTITY I-D.ietf-abfab-arch SYSTEM
"http://xml.resource.org/public/rfc/bibxml3/reference.I-D.ietf-abfab-arch.xml">
]>
<?xml-stylesheet type='text/xsl' href='rfc2629.xslt' ?>
<?rfc toc="yes"?>
<?rfc symrefs="yes"?>
<?rfc compact="no" ?>
<?rfc sortrefs="yes" ?>
<?rfc strict="yes" ?>
<?rfc linkmailto="yes" ?>
<rfc ipr="trust200902" docName="draft-wierenga-ietf-eduroam-00.txt" category="info">
<front>
<title abbrev="eduroam">The eduroam architecture for network roaming</title>
<author fullname="Klaas Wierenga" initials="K." surname="Wierenga">
<organization>Cisco Systems</organization>
<address>
<postal>
<street>Haarlerbergweg 13-19</street>
<city>Amsterdam</city>
<code>1101 CH</code>
<country>The Netherlands</country>
</postal>
<phone>+31 20 357 1752</phone>
<email>klaas@cisco.com</email>
</address>
</author>
<author fullname="Stefan Winter" initials="S." surname="Winter" >
<organization abbrev="RESTENA" >Fondation RESTENA</organization>
<address>
<postal>
<street>6, rue Richard Coudenhove-Kalergi</street>
<city>Luxembourg</city>
<code>1359</code>
<country>Luxembourg</country>
</postal>
<phone>+352 424409 1</phone>
<facsimile>+352 422473</facsimile>
<email>stefan.winter@restena.lu</email>
<uri>http://www.restena.lu.</uri>
</address>
</author>
<author initials="T." surname="Wolniewicz" fullname="Tomasz Wolniewicz">
<organization>Nicolaus Copernicus University</organization>
<address>
<postal>
<street>pl. Rapackiego 1</street>
<city>Torun</city>
<country>Poland</country>
</postal>
<phone>+48-56-611-2750</phone>
<facsimile>+48-56-622-1850</facsimile>
<email>twoln@umk.pl</email>
<uri>http://www.home.umk.pl/~twoln/</uri>
</address>
</author>
<date year="2012"/>
<keyword>Internet-Draft</keyword>
<keyword>Federated Authentication</keyword>
<keyword>AAA</keyword>
<keyword>RADIUS</keyword>
<keyword>802.1X</keyword>
<keyword>roaming</keyword>
<keyword>EAP</keyword>
<keyword>eduroam</keyword>
<abstract>
<t>
This document describes the architecture of the eduroam service for federated
(wireless) network access in academia.
The combination of 802.1X, EAP and RADIUS that is used in eduroam provides a secure,
scalable and deployable service for roaming network access. The successful
deployment of eduroam over the last decade in the educational sector may serve as an
example for other sectors, hence this document. In particular the initial architectural
and standards choices and the changes that were prompted by operational
experience are highlighted.
</t>
</abstract>
</front>
<!---->
<middle>
<section title="Introduction">
<t>In 2002 the European Research and Education community set out to create a
network roaming service for students and employees in academia
<xref target="eduroam-start" />. Now over 10 years later this service has grown to
more than 5000 service locations, serving millions of users in all continents with
the exception of Antarctica.
</t>
<t>
This memo serves to explain the considerations for the design of
eduroam as well as to document operational experience and resulting
changes that led to IETF standardization effort like for example
RADIUS over TCP <xref target="RFC6613" /> and RADIUS with TLS <xref target="RFC6614" />
and that promoted alternative use of RADIUS like in Abfab
<xref target="I-D.ietf-abfab-arch"/>. Whereas the eduroam service is limited to
academia, the eduroam architecture can easily be reused in other environments.
</t>
<section anchor="terminology" title="Terminology">
<t>XXX
This document uses identity management and privacy terminology from
<xref target="I-D.hansen-privacy-terminology"/>. In particular, this
document uses the terms Identity Provider, Service Provider and identity
management.
</t>
</section> <!-- Terminology -->
<section anchor="Notational" title="Notational Conventions">
<t>The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this document
are to be interpreted as described in <xref target="RFC2119">RFC 2119</xref>.
</t>
</section> <!-- Notational Conventions -->
<section anchor="DesignGoals" title="Design Goals">
<t>The guiding design considerations of eduroam were as follows:
</t>
<t>
- Unique identification of users at the edge of the network
</t>
<t>
In order to determine whether a user has the right to use the network
resources the user needs to be identified. Furthermore, in case of abuse of
the resources, there is a requirement to be able to identify the user.
Lastly, it should not be possible for a person to impersonate someone else or
take over their identity.
</t>
<t>
- Enable (trusted) guest use:
</t>
<t>
In order to enable roaming it should be possible for users of participating
institutions to get seamless access to the networks of other institutions
that participate in the service.
</t>
<t>
- Scalable
</t>
<t>
The infrastructure that is created should scale to a large number of users
and organizations without requiring a lot of coordination and other
administrative procedures (possibly after initial set up). Specifically, it
should not be necessary to go through an administrative process when a user
visits another organization.
</t>
<t>
- Easy to install and use
</t>
<t>
It should not be very complicated to participate in the roaming
infrastructure as that may inhibit wide scale adoption. In particular, there
should be no or easy client installation and one-off configuration.
</t>
<t>
- Secure and privacy preserving
</t>
<t>
Whereas it is impossible to create a secure system in the absolute sense, it
is important to have a system that strikes a good balance between ease of use
and security. One important design criteria has been that there needs to be a
security association between the end-user and their home organization, so no
exposure of credentials to a third party. In particular, it should be
possible for participating organizations to set their own requirements for
the quality of authentication of users without the need for the
infrastructure as a whole to implement the same standard.
</t>
<t>
- Standards based
</t>
<t>
In an infrastructure in which many thousands of organizations participate it
is obvious that it should be possible to use equipment from different
vendors, therefore it is important to base the infrastructure on open
standards.
</t>
<t>
These considerations have led to an architecture based on:
<list style="symbols">
<t>802.1X (<xref target="dot1X-standard" />)as port based authentication framework using</t>
<t>EAP (<xref target="RFC3748" />) for integrity and confidentially protected
transport of credentials and a</t>
<t>RADIUS (<xref target="RFC2865" />) hierarchy as trust fabric.</t>
</list>
</t>
</section> <!-- Design Goals-->
</section> <!-- Introduction-->
<section anchor="ClassicArchitecture" title="Classic Architecture">
<t>Federations, like eduroam, implement essentially two types of trust. The
trust relation between an end-user and the Identity Provider (IdP, operated by the home
organization of the user) and between the IdP and the Service Provider (SP, in eduroam
the operator of the network at the visited location). In eduroam the establishment of
the trust relation between user and IdP is through mutual authentication. IdPs and SP
establish trust through the use of a RADIUS hierarchy.
</t>
<t>These two forms of trust in turn provide the transitive trust that makes the SP allow
the use of its network resources.
</t>
<section title="Authentication" anchor="Authentication">
<t>Authentication in eduroam is achieved by using a combination of IEEE 802.1X
<xref target="dot1X-standard" /> and EAP <xref target="RFC4372" />.
</t>
<section title="802.1X" anchor="Dot1X">
<t>By using the 802.1X <xref target="dot1X-standard" /> framework for port-based
network authentication, organizations
that offer network access (SPs) for visiting (and local) eduroam users can
make sure that only authorized users get access. The user (or rather the
user's supplicant) sends an access request to the authenticator (wireless
access point or switch) at the SP, the authenticator forwards the access
request to the authentication server of the SP which in turn proxies the
request through the RADIUS hierarchy to the authentication server of the
user's home organization (the IdP, see below).
</t>
<t>In order for users to be aware of the availability of the eduroam service,
an SP that offers wireless network access MUST broadcast the SSID 'eduroam',
unless that conflicts with the SSID of another eduroam SP, in which case an
SSID starting with "eduroam-" MAY be used.
To protect user data confidentiality eduroam SPs IEEE 802.11 wireless
networks MUST support WPA2+AES, and MAY additionally support WPA/TKIP as a
courtesy to users of legacy hardware.
</t>
</section> <!-- Dot1X -->
<section title="EAP" anchor="EAP">
<t>The use of the Extensible Authentication Protocol (EAP) <xref target="RFC4372" />
serves 2 purposes. In the first place a proper chosen EAP-method allows for integrity
and confidentiality protected transport of the user credentials to the home
organization. Secondly, by having all RADIUS servers transparently proxy
access requests regardless of the EAP-method inside the RADIUS packet, the
choice of EAP-method is between the 'home' organization of the user and the
user, in other words, in principle every authentication form that can be carried
inside EAP can be used in eduroam, as long as they adhere to the policy with regards
to security properties.
</t>
<t>
<figure anchor="tunneled-eap" title="Tunneled EAP"><artwork>
<![CDATA[
+-----+
/ \
/ \
/ \
/ \
,----------\ | | ,---------\
| SP | | eduroam | | IdP |
| +----+ trust fabric +---+ |
`------+---' | | '-----+---'
| | | |
| \ / |
| \ / |
| \ / |
| \ / |
+----+ +-----+ +----+
| |
| |
+---+--+ +--+---+
| | | |
+-+------+-+ ___________________________ | |
| | O__________________________ ) +------+
+----------+
Host (supplicant) EAP tunnel Authentication server
]]>
</artwork></figure>
</t>
<t>Proxying of access requests is based on the outer identity in the
EAP-message. Those outer identities MUST be of the form something@realm,
where the realm part is the domain name of the domain that the IdP belongs
to.
In order to preserve privacy, participating organizations MUST deploy
EAP-methods that provide mutual authentication. For EAP methods that support outer
identity, anonymous outer identities are recommended. Most commonly used in eduroam
are the so-called tunneled EAP-methods that first create a server authenticated TLS
tunnel through which the user credentials are transmitted.
</t>
</section> <!-- EAP -->
</section> <!-- Authentication-->
<section title="Federation Trust Fabric" anchor="Federation">
<t>The eduroam federation trust fabric is based on RADIUS. RADIUS trust is based on
shared secrets between RADIUS peers. In eduroam any RADIUS message originating from a
trusted peer is implicitly assumed to originate from a member of the romaing consortium.
</t>
<section title="RADIUS" anchor="RADIUS">
<t>The eduroam trust fabric is based on a proxy hierarchy of RADIUS servers,
loosely based on the DNS hierarchy. That is, the organizational RADIUS
servers agree on a shared secret with the national servers and the national
servers agree on a shared secret with the root server. Access requests are
routed through a chain of RADIUS proxies towards the home organization of the
user, and the access accept (or reject) follows the same path back.
</t>
<t>
<figure anchor="radius-hierarchy" title="eduroam RADIUS hierarchy"><artwork>
<![CDATA[
+-------+
| |
| . |
| |
+---+---+
/ | \
+----------------/ | \---------------------+
| | |
| | |
| | |
+--+---+ +--+--+ +----+---+
| | | | | |
| .edu | . . . | .nl | . . . | .ac.uk |
| | | | | |
+--+---+ +--+--+ +----+---+
/ | \ | \ |
/ | \ | \ |
/ | \ | \ |
+-----+ | +-----+ | +------+ |
| | | | | |
| | | | | |
+---+---+ +----+---+ +----+---+ +--+---+ +-----+----+ +-----+-----+
| | | | | | | | | | | |
|utk.edu| |utah.edu| |case.edu| |hva.nl| |surfnet.nl| |soton.ac.uk|
| | | | | | | | | | | |
+----+--+ +--------+ +--------+ +------+ +----+-----+ +-----------+
| |
| |
+--+--+ +--+--+
| | | |
+-+-----+-+ | |
| | +-----+
+---------+
user: paul@surfnet.nl surfnet.nl Authentication server
]]>
</artwork> </figure>
</t>
<t>Routing of access requests to the home IdP is done based on the realm
part of the outer identity. For example, when user paul@surfnet.nl of
SURFnet (surfnet.nl) tries to gain wireless network access at the University
of Tennessee at Knoxville (utk.edu) the following happens:
</t>
<t>
<list style="symbols">
<t>Paul's supplicant transmits an EAP access request to the Access Point
(Authenticator) at UTK with outer identity say anonymous@surfnet.nl
</t>
<t>The Access Point forwards the EAP message to its Authentication Server
(the UTK RADIUS server)
</t>
<t>The UTK RADIUS server checks the realm to see if it is a local realm,
since it isn't the request is proxied to the .edu RADIUS server
</t>
<t>The .edu RADIUS server verifies the realm, and since it is not a in a
.edu subdomain it proxies the request to the root server
</t>
<t>The root RADIUS server proxies the request to the .nl RADIUS server
</t>
<t>The .nl RADIUS server proxies the request to the surfnet.nl server
</t>
<t>The surfnet.nl RADIUS server decapsulates the EAP message and verifies
the user credentials
</t>
<t>The surfnet.nl RADIUS server informs the utk.edu server of the outcome
of the authentication request (accept or deny) by proxying the outcome
through the RADIUS hierarchy in reverse order.
</t>
<t>The UTK RADIUS server instructs the UTK Access Point to either accept
or deny access based on the outcome of the authentication.</t>
</list>
</t>
<t>Note: The depiction of the root RADIUS server is a simplification of
reality. In reality the root server is distributed over 3 continents and each
maintains a list of top level realms a specific root server is responsible
for. So in reality, for intercontinental roaming there is an extra proxy step
from one root server to the other involved.
</t>
</section> <!-- RADIUS -->
</section> <!-- Federation -->
</section> <!-- Classic Architecture -->
<section title="Issues with initial Trust Fabric" anchor="IssuesClassic">
<t>While the hierarchical RADIUS architecture in the previous section has
served as the basis for eduroam Operations for an entire decade, the
exponential growth of authentications is expected to lead to performance and
operations bottlenecks on the aggregation proxies. The following sections describe
some of the shortcomings, and the resulting conclusions.</t>
<section title="Server Failure Handling" anchor="IssuesClassicFailure">
<t>In eduroam, authentication requests for roaming users are statically
routed through pre-configured proxies. The number of proxies varies: in a
national roaming case, the number of proxies is typically 1 or 2 (some
countries deploy regional proxies, which are in turn aggregated by a national
proxy); in international roaming, 3 or 4 proxy servers are typically involved
(the number may be higher along some routes).
</t>
<t>RFC2865 <xref target="RFC2865" /> does not define a failover algorithm. In
particular, the failure of a server needs to be deducted from the absence of
a reply. Operational experience has shown that this has detrimental effects
on the infrastructure and end user experience:
<list style="numbers">
<t>Authentication failure: the first user whose authentication path is
along a newly-failed server will experience a long delay and possibly
timeout
</t>
<t>Wrongly deducted states: since the proxy chain is longer than 1 hop, a
failure further down in the authentication path is indistinguishable from a
failure in the next hop.
</t>
<t>Inability to determine recovery of a server: only a "live"
authentication request sent to a server which is believed inoperable can
lead to the discovery that the server is in working order again. This issue
has been resolved with RFC5997 <xref target="RFC5997" />.
</t>
</list>
</t>
<t>The second point can have significant impact on the operational state of
the system in a worst-case scenario: Imagine one realm's home server being
inoperable. A user from that realm is trying to roam internationally and
tries to authenticate. The RADIUS server on the hotspot location will assume
its own national proxy is down, because it does not reply. That national
server, being perfectly alive, in turn will assume that the international
aggregation proxy is down; which in turn will believe the home country proxy
national server is down. None of these assumptions are true. Worse yet:
should any of these servers trigger a failover to a redundant backup RADIUS
server, it will still not receive a reply, because the request will still be
routed to the same defunct home server. Within a short time, all redundant
aggregation proxies might be considered defunct by their preceding hop.
</t>
<t>In the absence of proper next-hop state derivation, some interesting
concepts have been introduced by eduroam participants; the most
noteworthy being a failover logic which considers up/down states not per
next-hop RADIUS peer, but instead per realm (See [
http://wiki.eduroam.cz/dead-realm/docs/dead-realm.html ] for details). As of
recent, RFC5997 <xref target="RFC5997" /> implementations and cautious failover
parameters make such a worst-case scenario very unlikely to happen, but are
still an important issue to consider.
</t>
</section> <!-- ISSUES-CLASSIC-FAILURE -->
<section title="No error condition signalling" anchor="IssuesClassicErrors">
<t>The RADIUS protocol lacks signalling of error conditions, and the IEEE
802.1X protocol does not allows to convey extended failure reasons to the
end-user's device. For eduroam, this creates issues in a twofold way:
<list style="symbols">
<t>The home server may have an operational problem, for example if its
authentication decisions depend on an external data source such as
ActiveDirectory or an SQL server, and if these external dependencies are out
of order. If the RADIUS interface is still functional, there are two
options how to reply to an Access-Request which can't be serviced due to
such error conditions:
<list style="numbers">
<t>Do Not Reply: the inability to reach a conclusion can be treated by
not replying to the request. The upside of this approach is that the
end-user's software doesn't come to wrong conclusions and won't give
unhelpful hints such as "maybe your password is wrong". The downside is
that intermediate proxies may come to wrong conclusions because their
downstream RADIUS server isn't responding.
</t>
<t>Reply with Reject: in this option, the inability to reach a conclusion
is treated like an authentication failure. The upside of this approach is
that intermediate proxies maintain a correct view on the reachability
state of their RADIUS peer. The downside is that EAP supplicants on
end-user devices often react with either false advice ("your password is
wrong") or even trigger permanent configuration changes (e.g. the Windows
built-in supplicant will delete the credential set from its registry,
prompting the user for their password on the next connection attempt). The
latter case of Windows is a source of significant helpdesk activity;
users may have forgotten their password after initially storing it, but
are suddenly prompted again.
</t>
</list>
</t>
<t>There have been epic discussions in the eduroam community which of the
two approaches is more appropriate; but they were not conclusive.
</t>
<t>Similar considerations as above apply when an intermediate proxy does
not receive a reply from a downstream RADIUS server. The proxy may either
choose not to reply to the original request, leading to retries and its
upstream peers coming to wrong conclusions about its own availability; or
it may decide to reply with Access-Reject to indicate its own liveliness,
but again with implications for the end user.
</t>
</list>
</t>
<t>The ability to send Status-Server watchdog requests is only of use
reactively if a downstream server doesn't reply. The active link-state
monitoring of the TCP connection with e.g. RADIUS/TLS gives a clearer
indication whether there is an alive RADIUS peer, but does not solve the
defunct backend problem. An explicit ability to send Error-Replies, on the
RADIUS (for other RADIUS peer information) and EAP level (for end-user
supplicant information), would alleviate these problems but is currently not
available.
</t>
</section> <!-- ISSUES-CLASSIC-ERRORS -->
<section title="Routing table complexity" anchor="IssuesClassicRouting">
<t>The aggregation of RADIUS requests based on the structure of the user's
realm implies that realms ending with the same top-level domain are
routed to the same server; i.e. to a common administrative domain. While
this is true for ccTLDs, which map into national eduroam federations, it is
not true for realms residing in gTLDs.
Realms in gTLDs were historically discouraged because the automatic
mapping "realm ending" -> "eduroam federation's server" could not be
applied. However, with growing demand from eduroam realm administrators,
it became necessary to create exceptional entries in the forwarding
rules; such realms need to be mapped on a realm-by-realm basis to their
eduroam federations. Example: "kit.edu" needs to be routed to the German
federation server; "iu.edu" neeeds to be routed to the U.S.A. federation
server.
</t>
<t>
While the ccTLDs occupied only approx. 50 routing entries in total (and
has a upper bound of approx. 200), the potential size of the routing
table becomes virtually unlimited if it needs to accomodate all
individual entries in .edu, .org, etc.
</t>
<t>
In addition to that, all these routes need to be synchronised between
three international root servers, and the updates needed to be applied
manually to RADIUS server configuration files. The frequency of the
required updates made this approach fragile and error-prone as the
number of entries grew.
</t>
</section> <!-- ISSUES-CLASSIC-ROUTING -->
<section title="UDP Issues" anchor="IssuesClassicUDP">
<t>RADIUS is based on UDP, which was a reasonable choice when its main use
was with simple PAP requests which required only exactly one packet
exchange in each direction.
</t>
<t>When transporting EAP over RADIUS, the EAP conversations requires
multiple round-trips; depending on the total payload size, 8-10
round-trips are not uncommon. The loss of a single UDP packet will lead
to user-visible delays and might result in servers being marked as dead
due to the absence of a reply. The proxy path in eduroam consists of
several proxies, all of which introduce a tiny packet loss probability;
i.e. the more proxies are needed, the higher the failure rate is going
to be.
</t>
<t>For some EAP types, depending on the exact payload size they carry,
RADIUS servers and/or supplicants may choose to fill as much EAP data
into a single RADIUS packet as the supplicant's layer 2 medium allows
for, typically 1500 Bytes. In that case, the RADIUS encapsulation around
the EAP-Message will itself also exceed 1500 Byte size which in turn
means the UDP datagram which carries the RADIUS packet will need to be
fragmented on the IP layer. While this is not a problem in theory,
practice has shown evidence of misbehaving firewalls which erroneously
discard non-first UDP fragments, which ultimately leads to a denial of
service for users with such EAP types and that specific configuration.
</t>
<t>One EAP type proved to be particularly problematic: EAP-TLS. While it is
possible to configure the EAP server to send smaller chunks of EAP
payload to the supplicant (e.g. 1200 Bytes, to allow for another 300
Bytes of RADIUS overhead without fragmentation), very often the
supplicants which send the client certificate do not expose such a
configuration detail to the user. Consequently, when the client
certificate is beyond 1500 Bytes in size, the EAP-Message will always
make use of the maximum possible layer-2 chunk size, which introduces
the fragmentation on the path EAP peer -> EAP server.
</t>
<t>The operational experience regarding EAP-TLS leads to the following
RECOMMENDATION: EAP supplicants should either make the maximum EAP chunk
size configurable OR use cautious values regarding the EAP chunk size
(e.g. max. 1200 Bytes per chunk, even if the layer 2 medium provides foresaw
more space).
</t>
<t>Both of the previously mentioned sources of errors (packet loss,
fragment discard) are hard to diagnose and can lead to significant user
frustration for the affected users.
</t>
</section> <!-- ISSUES-CLASSIC-UDP -->
<section title="Insufficient payload encryption" anchor="Crypto">
<t>The RADIUS protocol's design foresaw only the encryption of select
RADIUS attributes, most notably User-Password. With EAP methods
conforming to the requirements of RFC4017, the user's credential is not
transmitted using the User-Password attribute, and stronger encryption
than the one for RADIUS' User-Password is in use (typically TLS).
</t>
<t>Still, the use of EAP does not encrypt all personally identifiable
details of the user session. In particular, the user's computing device
can be identified by inspecting the Calling-Station-ID attribute; and
the user's location may be derived from observing NAS-IP-Address,
NAS-Identifier or Operator-Name attributes. Since these attributes are
not encrypted, even IP-layer third parties can harvest the corresponding
data. In a worst-case scenario, this enables the creation of mobility
profiles.
</t>
<t>These profiles are not necessarily linkable to an actual user because
EAP allows for the use of anonymous outer identities and
protected credential exchanges. However, practical experience has shown
that many users neglect to configure their supplicants in a
privacy-preserving way. Worse, for EAP-TLS users, the use of EAP-TLS
identity protection is not usually implemented and cannot be used. In
eduroam, concerned individuals and IdPs which use EAP-TLS are using
pseudonymous client certificates to provide for better privacy.
</t>
<t>One way out, at least for EAP types involving a username, is to pursue
the creation and deployment of pre-configured supplicant configuration
which makes all the required settings in user devices prior to their first
connection attempt; this depends heavily on the remote configuration
possibilities of the supplicants though.
</t>
<t>
A further threat involves the verification of the EAP server's identity.
Even though the cryptographic foundation, TLS tunnels, is sound, there
is a weakness in the supplicant configuration: many users do not understand
or are willing to invest time into the inspection of server certificates
or the installation of a trusted CA. As a result, users may easily be tricked
into connecting to an unauthorized EAP server, ultimately leading to
a leak of their credentials to that unauthorized third party.
</t>
<t>
Again, one way out of this particular threat is to pursue the creation
and deployment of pre-configured supplicant configuration which makes all
the required settings in user devices prior to their first connection attempt.
</t>
<t>Note: there are many different and vendor-proprietary ways to
pre-configure a device with the necessary EAP parameters (examples include
Apple, Inc's "mobileconfig" and Microsoft's "EAPHost" XML schema). Some
manufacturers even completely lack any means to distribute EAP configuration
data. We believe there is value in defining a common EAP configuration meta
data format which could be used across manufacturers; ideally leading to
a situation where any IEEE 802.1X network end-user merely needs to apply
this configuration file to configure any of his devices securely with the
required connection properties.
</t>
<t>Another possible threat involves transport of user-specific attributes
in a Reply-Message. If, for example, a RADIUS server sends back a
hypothetical RADIUS Vendor-Specific-Attribute "User-Role = Student of
Computer Science" (e.g. for consumption of a SP RADIUS server and
subsequent assignment into a "student" VLAN), this information would
also be visible for third parties and could be added to the mobility
profile.
</t>
<t>The only way out to mitigate all information leakage to third parties is
by protecting the entire RADIUS packet payload so that IP-layer third
parties can not extract privacy-relevant information. RFC2865 RADIUS
does not offer this possibility though.
</t>
<t>Note: This operational experience of eduroam could be taken as a guideline
for supplicant implementers to leave sufficient space in transmitted
packets.
</t>
</section> <!-- CRYPTO -->
</section> <!-- ISSUES-CLASSIC -->
<section anchor="NewArchitecture" title="Enhanced Architecture">
<t>The operational difficulties with an ever increasing number of participants as
documented in the previous section have led to a number of changes to the eduroam
architecture that in turn have, as mentioned in the introduction, led to
standardization effort.
</t>
<t>Note: The enhanced architecture components are fully backwards compatible with the
existing installed base, and is in fact gradually replacing those parts of it where
problems may arise.
</t>
<section title="Federation Trust Fabric" anchor="NextGenFederation">
<t>Whereas the user authentication using 802.1X and EAP has remained unchanged (i.e.
no need for end-users to change any configurations), the issues as reported above have
resulted in a major overhaul of the way EAP messages are transported from the RADIUS
server of the SP to that of the IdP and back. The two fundamental changes are the use
of TCP instead of UDP and reliance on TLS instead of shared secrets between RADIUS
peers.
</t>
<section title="RADIUS with TLS" anchor="RadSec">
<t>The deficiencies of RADIUS over UDP as described in
<xref target= "IssuesClassicUDP"/> warranted a search for a replacement of
RFC2865 <xref target="RFC2865" /> for the transport of EAP. By the time this
need was understood, the designated successor protocol to RADIUS, Diameter
<xref target="RFC3588" />, was already specified by the IETF. However,
within the operational constraints of eduroam:
<list style="symbols">
<t>reasonably cheap to deploy on many administrative domains
</t>
<t>supporting NASREQ Application</t>
<t>supporting EAP Application</t>
<t>supporting Diameter Redirect</t>
<t>supporting validation of authentication requests of the most popular
EAP types (EAP-TTLS, PEAP, and EAP-TLS)</t>
<t>possibility to retrieve these credentials from popular backends such
as Microsoft ActiveDirectory, MySQL</t>
</list>
</t>
<t>no single implementation could be found. In addition to that, no
Wireless Access Points at the disposal of eduroam participants supported
Diameter, nor did any of the manufacturers have a roadmap towards Diameter
support. This led to the open question of lossless translation from RADIUS
to Diameter and vice versa; a question not satisfactorily answered by NASREQ.
</t>
<t>After monitoring the Diameter implementation landscape for a while, it
became clear that a solution with better compatibility and a plausible upgrade
path from the existing RADIUS hierarchy was needed. The eduroam community
actively engaged in the IETF towards the specification of several enhancements to
RADIUS to overcome the limitations mentioned in <xref target= "IssuesClassic"/>.
The outcome of this process was <xref target="RFC6614" /> and
<xref target="I-D.ietf-radext-dynamic-discovery" />.
</t>
<t>With its use of TCP instead of UDP, and with its full packet encryption,
while maintaining full packet format compatibility with RADIUS/UDP, RADIUS/TLS
<xref target="RFC6614" /> allows to upgrade any given RADIUS link in eduroam
without the need of a "flag day".
</t>
<t>In a first upgrade phase, the classic eduroam hierarchy (forwarding
decision taken by inspecting the realm) remains intact. That way,
RADIUS/TLS merely enhances the underlying transport of the RADIUS datagrams. But
this already provides some key advantages:
<list style="symbols">
<t>explicit peer reachability detection using long-lived TCP sessions
</t>
<t>protection of user credentials and all privacy-relevant RADIUS attributes
</t>
</list>
</t>
<t>RADIUS/TLS connections for the static hierarchy could be realised with
the TLS-PSK operation mode (which effectively provides a 1:1 replacement
for RADIUS/UDP's "shared secrets"), but since this operation mode is not
widely supported as of yet, all RADIUS/TLS links in eduroam are secured
by TLS with X.509 certificates from a set of accredited CAs.
</t>
<t>This first deployment phase does not yet solve the routing table
complexity problem (see (<xref target="IssuesClassicRouting" />); this aspect is
covered by introducing dynamic discovery for RADIUS/TLS servers.
</t>
</section> <!-- RadSec -->
<section title="Dynamic Discovery" anchor="DynamicDiscovery">
<t>XXX</t>
</section> <!-- dynamic-discovery -->
</section> <!-- NextGenFederation -->
</section> <!-- NextGen Architecture -->
<section title="Abuse prevention and incident handling" anchor="AbuseIncident">
<t>Since the eduroam service is a confederation of autonomous networks, there
is little justification for transferring accounting information from
the visited site to any other in general, or in particular to the home
organization of the user. Accounting in eduroam is therefore considered to be a
local matter of the visited site. The eduroam compliance statement
(<xref target="eduroam-compliance" />) in fact specifies that accounting traffic
SHOULD NOT be forwarded.
</t>
<t>The static routing infrastructure of eduroam acts as a filtering system
blocking accounting traffic from misconfigured local RADIUS
servers. Proxy servers are configured to terminate accounting
request traffic by answering to Accounting-Requests with an Accounting-Response
in order to prevent the retransmission of orphaned Accounting-Request
messages.
</t>
<t>Roaming creates accounting problems identified by <xref target="RFC4372" /> (Chargeable
User Identity). Since the NAS can only see the (likely anonymous) outer identity of
the user, it is impossible to correlate usage with a specific user (who may
use multiple devices). A NAS that supports Chargeable User Identity can request
additional information - Chargeable-User-Identity and if this is supplied
by the authenticating RADIS server in the Access-Accept message, this
value will then be added to corresponding Access-Request packets. While
eduroam does not have any charging mechanisms, it may still be desirable
to identify traffic originating from one particular user. One of the reasons is to
prevent abuse of guest access by users living nearby university
campuses. Chargeable User Identity supplies the perfect answer to
this problem, however at the moment of writing, to our knowledge only one hardware
vendor (Meru Networks) implements RFC4372 on their Access Points. For all other
vendors, requesting the Chargeable-User-Identity attribute needs to happen on the
RADIUS server to which the Access Point is connected to. Currently, the RADIUS servers
FreeRADIUS and Radiator can be retrofitted with the ability to do this.
</t>
<section title="Incident Handling" anchor="IncidentHandling">
<t>10 years of experience with eduroam have not exposed any serious
incident. This may be taken as evidence for proper security design and
awareness of users that they are identifiable, acts as an effective
deterrent.
</t>
<t>
For example the European eduroam policy <xref target="eduroam-policy" /> describes
incident scenarios and actions to be taken, in this document we present the relevant
technical issues.
</t>
<t>
The first action in the case of an incident is to block the user's access
to eduroam at the visited site. Since the roaming user's true identity
is likely hidden behind an anonymous/fake outer identity, the visited
site can only rely on the realm of the user. Without cooperation from
the user's home institution, the visited institution's options are
limited to blocking authentications from the entire realm, which may
be considered as too harsh. On the other hand, the home institution
has only the possibility of blacking the user's authentication entirely,
thus blocking this user from accessing eduroam in all sites. This may
also be seen as a too harsh an action, especially since visited and home
sites could differ in interpreting the user's actions. Introduction of
support for Operator-Name and Chargeable-User-Identity (see below) to eduroam can
significantly improve the situation.
</t>
</section> <!-- IncidentHandling -->
<section title="Operator Name" anchor="OperatorName">
<t>
The Operator-Name attribute is defined in <xref target="RFC5580" /> as a means of unique
identification of the access site.
</t>
<t>The Proxy infrastructure of eduroam makes it impossible for home sites to tell
where their users roam to. While this may be seen as a positive aspect
enhancing user's privacy, it also makes user support, roaming statistics
and blocking offending user's access to eduroam significantly harder.
</t>
<t>Sites participating in eduroam are encouraged to add the Operator-Name attribute
using the REALM namespace, i.e. sending a realm name under control of the
given site.
</t>
<t>The introduction of Operator-Name in eduroam has identified one operational
problem - the identifier 126 assigned to this attribute has been
previously used by some vendors for their specific purposes and
has been included in attribute dictionaries of several RADIUS server
distributions. Since the syntax of this hijacked attribute had been set
to Integer, this introduces a syntax clash with the the RFC definition
(OctetString). Operational tests in eduroam have shown that servers using
the Integer syntax for attribute 126 may either truncate the value to 4
octets or even drop the entire RADIUS packet (thus making authentication
impossible). The eduroam monitoring and eduroam test tools try to locate
problematic sites.
</t>
<t>When a visited site sends its Operator-Name value, it creates a
possibility for the home sites to set up conditional blocking rules,
depriving certain users of access to selected sites. Such action will
cause much less concern then blocking users from all of eduroam.
</t>
<t>In eduroam the Operator Name is also used for the generation of Chargeable User
Identity values.
</t>
<t>The addition of Operator-Name is a straightforward configuration of the RADIUS
server and may be easily introduced on a large scale.
</t>
</section> <!-- OperatorName -->
<section title="Chargeable User Identifier" anchor="CUI">
<t>The Chargeable-User-Identity (CUI) attribute is defined by
RFC4372 <xref target="RFC4372" /> as an answer to accounting problems caused by the use of
anonymous identity in some EAP methods. In eduroam the primary use of CUI is in
incident handling, but it can also enhance local accounting.
</t>
<t>The eduroam policy requires that a given user's CUI generated for requests
originating form different sites should be different (to prevent collusion attacks).
The eduroam policy thus mandates that a CUI request be accompanied by the
Operator-Name attribute, which is used as one of the inputs for the CUI generation
algorithm. The Operator-Name requirement is considered to be the "business requirement"
described in Section 2.1 of RFC4372 <xref target="RFC4372" /> and hence conforms to the RFC.
</t>
<t>When eduroam started considering using CUI, there were
no NAS implementations, therefore the only solution was moving all CUI
support to the RADIUS server.</t>
<t>CUI request generation requires only the addition of NUL CUI attributes
to outgoing Access-Requests, however the real strength of CUI comes
with accounting. Implementation of CUI based accounting in the server
requires that the authentication and accounting RADIUS servers used
directly by the NAS are actually the same or at least have access to a
common source of information. Upon processing of an Access-Accept the
authenticating RADIUS server must store the received CUI value together with
the device's Calling-Station-Id in a temporary database. Upon receipt
of an Accounting-Request, the server needs to update the packet with
the CUI value read from the database.
</t>
<t>A wide introduction of CUI support in eduroam will significantly simplify
incident handling at visited sites. Introducing local, per-user access
restriction will be possible. Visited sites will also be able to notify
the home site about the introduction of such a restriction, pointing to
the CUI value an thus making it possible for the home site to identify
the user. When the user reports the problem at his home support, the
reason will be already known.
</t>
</section> <!--CUI -->
</section> <!-- AbuseIncident -->
<section title="Privacy Considerations" anchor="PrivacyConsiderations">
<t>
XXX
</t>
<section title="Collusion of RPs" anchor="Collusion">
<t>XXX</t>
</section> <!-- collusion -->
<section title="Exposing user credentials" anchor="UserCreds">
<t>XXX</t>
</section> <!-- user-creds -->
<section title="Track location of users" anchor="Track">
<t>XXX</t>
</section> <!-- track -->
</section> <!-- privacy-considerations -->
<section title="Security Considerations" anchor="SecurityConsiderations">
<t>
This section addresses only security considerations associated
with the use of eduroam. For considerations relating to 802.1X, RADIUS and EAP
in general, the reader is referred to the respective specification and to other
literature.
</t>
<section title="Man in the middle and Tunneling Attacks" anchor="MitM">
<t>XXX</t>
</section> <!-- MitM -->
<section title="Denial of Service Attacks" anchor="DoS">
<t>XXX</t>
</section> <!-- DoS -->
</section> <!-- security-considerations -->
<section title="IANA Considerations">
<t>There are no IANA Considerations</t>
</section> <!-- -->
</middle>
<back>
<references title="Normative References">
&RFC2119; &RFC2865; &RFC2866; &RFC3748; &RFC4279; &RFC4372; &RFC5280;
&RFC5176; &RFC5246; &RFC5247; &RFC5580; &RFC5997; &RFC6613; &RFC6614; &RFC6066;
&I-D.hansen-privacy-terminology;
</references>
<references title="Informative References">
&radius-dtls; &dyn-disc; &RFC3539; &RFC3588;
&RFC4107; &RFC4346; &RFC4953; &RFC6125;
&RFC6421; &I-D.ietf-abfab-arch;
<reference anchor="dot1X-standard"
target="http://standards.ieee.org/getieee802/download/802.1X-2010.pdf">
<front>
<title>IEEE std 802.1X-2010</title>
<author>
<organization>IEEE</organization>
</author>
<date month="February" year="2010"/>
</front>
<format type="TXT" target="http://standards.ieee.org/getieee802/download/802.1X-2010.pdf"/>
</reference>
<reference anchor="radsec-whitepaper"
target="http://www.open.com.au/radiator/radsec-whitepaper.pdf">
<front>
<title>RadSec - a secure, reliable RADIUS Protocol</title>
<author>
<organization abbrev="OSC">Open System Consultants</organization>
</author>
<date month="May" year="2005"/>
</front>
<format type="TXT" target="http://www.open.com.au/radiator/radsec-whitepaper.pdf"/>
</reference>
<reference anchor="MD5-attacks" target="http://www.springerlink.com/content/40867l85727r7084/">
<front>
<title>A Study of the MD5 Attacks: Insights and Improvements</title>
<author initials="J." surname="Black" fullname="John Black">
<organization abbrev="Colorado">University of Colorado at Boulder, USA
</organization>
</author>
<author initials="M." surname="Cochran" fullname="Martin Cochran">
<organization abbrev="UColorado">University of Colorado at Boulder, USA</organization>
</author>
<author initials="T." surname="Highland" fullname="Trevor Highland">
<organization abbrev="UTexas">University of Texas at Austin, USA</organization>
</author>
<date month="October" year="2006"/>
</front>
<format type="TXT" target="http://www.springerlink.com/content/40867l85727r7084/"/>
</reference>
<reference anchor="radsecproxy-impl" target="http://software.uninett.no/radsecproxy/">
<front>
<title>radsecproxy Project Homepage</title>
<author initials="S." surname="Venaas" fullname="Stig Venaas">
<organization abbrev="UNINETT">UNINETT</organization>
</author>
<date year="2007"/>
</front>
<format type="TXT" target="http://software.uninett.no/radsecproxy/"/>
</reference>
<reference anchor="eduroam-start"
target="http://www.terena.org/activities/tf-mobility/start-of-eduroam.pdf">
<front>
<title>Initial proposal for (now) eduroam</title>
<author initials="K." surname="Wierenga" fullname="Klaas Wierenga">
<organization abbrev="SURFnet">SURFnet
</organization>
</author>
<date year="2002"/>
</front>
<format type="PDF"
target="http://www.terena.org/activities/tf-mobility/start-of-eduroam.pdf"/>
</reference>
<reference anchor="eduroam-homepage" target="http://www.eduroam.org/">
<front>
<title>eduroam Homepage</title>
<author>
<organization abbrev="TERENA">Trans-European
Research and Education Networking Association
</organization>
</author>
<date year="2007"/>
</front>
<format type="TXT" target="http://www.eduroam.org/"/>
</reference>
<reference anchor="eduroam-compliance"
target="http://www.eduroam.org/downloads/docs/eduroam_Compliance_Statement_v1_0.pdf">
<front>
<title>eduroam compliance statement</title>
<author>
<organization abbrev="TERENA">Trans-European
Research and Education Networking Association
</organization>
</author>
<date year="2011"/>
</front>
<format type="TXT"
target="http://www.eduroam.org/downloads/docs/eduroam_Compliance_Statement_v1_0.pdf"/>
</reference>
<reference anchor="eduroam-policy"
target="http://www.eduroam.org/downloads/docs/GN3-12-194_eduroam-policy-%20for-signing_ver2%204_18052012.pdf">
<front>
<title>European eduroam policy</title>
<author>
<organization abbrev="TERENA">Trans-European
Research and Education Networking Association
</organization>
</author>
<date year="2011"/>
</front>
<format type="TXT"
target="http://www.eduroam.org/downloads/docs/GN3-12-194_eduroam-policy-%20for-signing_ver2%204_18052012.pdf"/>
</reference>
<reference anchor="geant2" target="http://www.geant2.net/">
<front>
<title>European Commission Information Society and Media: GEANT2</title>
<author>
<organization abbrev="Dante">Delivery of Advanced Network Technology to Europe
</organization>
</author>
<date year="2008"/>
</front>
<format type="TXT" target="http://www.geant2.net/"/>
</reference>
<reference anchor="terena" target="http://www.terena.org/">
<front>
<title>Trans-European Research and Education Networking Association</title>
<author>
<organization abbrev="TERENA">TERENA</organization>
</author>
<date year="2008"/>
</front>
<format type="TXT" target="http://www.terena.org/"/>
</reference>
</references>
<section title="Acknowledgments">
<t>The authors would like to thank the participants in the
TERENA Task Force on Mobility and Network Middleware as well as the Geant project for
their reviews and contributions.
</t>
<t>The eduroam trademark is registered by TERENA.
</t>
</section> <!-- Acknowledgments -->
<section title="Changes">
<t>This section to be removed prior to publication.
</t>
<t>
<list style="symbols">
<t>00 Initial Revision. </t>
</list>
</t>
</section> <!-- Changes -->
</back>
</rfc>
| PAFTECH AB 2003-2026 | 2026-04-24 03:20:36 |