[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: RADEXT WG consensus on RFC 4107 applicability to RADIUS Crypto-Agility Requirements



Hello,

>   I think Eduroam is the only (N x N) deployment I've seen where N > 10.

And even we are avoiding N^2 complexity at the moment with a tree structure: 
star topology with central proxy from institutions within a country, star 
topology of country proxies to root.

If you care enough: even with RadSec and peer resolution, we might still have 
proxies in between, for entirely non-technical reasons. Some countries want 
to reserve the right to filter attributes at a national level, so any 
resolution technique would be configured on their side to end up at the 
national TLD proxy, and be distributed onwards from there.

>   Since Eduroam is using RadSec, I suspect that the N^2 issue could be
> solved by leveraging a central Eduroam Certificate Authority.  It would
> issue, and sign, certificates for each participating institution or
> country.  Each particpant would then be responsible for using those
> certs, and for validating the certs of Eduroam partners.

That is exactly the plan. We are not quite there yet with full deployment, but 
on our way.

> > 2. RFC 4107 criteria do not apply to a RADIUS crypto-agile solution:
> >   a. RADIUS client-server communication is not an N^2 problem (except
> > perhaps in the roaming
> > situation where end-to-end protection is being provided).
>
>   Yes.

We are facing a requirement of RADIUS-at-roaming-end to RADIUS-at-thome-end 
security, which is where my wish to have auto key mgmt came from. The 
concrete use case we have is that some countries need the age of a user to 
determine if he's legally allowed to get unfiltered internet access.

This means we would need to transfer either birthday or at least age via 
RADIUS. This kind of user attribute can be easily tied to a concrete 
User-Name in most cases and is thus subject to law regulations regarding 
transmission and storage of personal data.

For the moment our only solution is to keep eduroam to higher ed and research 
only, where all eligible users can be expected to be over eighteen. We are 
currently working on a quite sophisticated out-of-band handshaking for such 
data (there are more examples than just age), but would be a lot happier if 
there was an easy in-band solution.

I agree though that our woes in that regard are pretty much unique.

Greetings,

Stefan

-- 
Stefan WINTER

RESTENA Foundation - Réseau Téléinformatique de l'Education Nationale et de 
la Recherche
R&D Engineer

6, rue Richard Coudenhove-Kalergi
L-1359 Luxembourg
email: stefan.winter@restena.lu     Tel.:     +352 424409-1
http://www.restena.lu               Fax:      +352 422473

Attachment: signature.asc
Description: This is a digitally signed message part.