
Page 1: Title

AIMS'99 Workshop
Heidelberg, 11-12 May 1999

P805: Internet Roaming

Giuseppe Sisto - Telecom Italia / CSELT
[email protected]

Project participants:
• Deutsche Telecom
• Finnet Group
• France Telecom
• MATAV
• Telecom Italia

Page 2: Agenda

• Scope
• Objectives
• Technical approach
• P805 results
• P914 expected results

Page 3: The Scope (from P717)

• Multiple ISPs in each country
• Problem similar to GSM roaming
• Same model for roaming solution
• Based on bilateral agreements between parties
• No central clearing point
• Distributed solution: scaleable and robust

Page 4: Roaming Service Reference Model

Figure (labels recovered from the slide): the Home ISP's roaming user dials into the Remote ISP's NAS (Network Access Service), which consults the Authentication Server for the Remote ISP. Traditional, centralized solution: the Remote ISP's authentication server reaches the Authentication Server for the Home ISP through a 3rd-party clearing point. P805 solution: a direct A-A interface between the Remote ISP's and Home ISP's authentication servers over the Internet.

Page 5: The Requirements

• Terminal-network interface:
  – should work for PSTN and ISDN
  – should work for most common devices and configurations
• Network-network interface (A-A protocol):
  – should allow transport of all necessary parameters
  – should be secure (encryption, mutual validation)
  – should run over IP
• Compatible with existing third party solutions

Page 6: The Possible Solutions

The solutions examined:
• HTTP based
• RADIUS based
• DIAMETER
• RADIUS/LDAP integration

Page 7: HTTP-based Solution

• SIR: Secure Internet Roaming specification (i-Pass consortium)
• good security level (use of encryption and digital certificates)
• based on a "centralized" model (MSS = Message Switching Server): out of our scope

Figure (labels recovered from the slide): the H-ISP's roaming user connects to the Remote ISP (R-ISP) NAS and VNAS using PPP with CHAP; the R-ISP talks to the MSS, which reaches the Home ISP (H-ISP) RSAP and authorizing entity; encrypted communication with HTTP on SSL.

Page 8: RADIUS-based Solution

• No end-to-end security in case of untrusted intermediate proxies
• Protocol not extensible: need for a new protocol

Figure (labels recovered from the slide): the H-ISP's roaming user connects to the Remote ISP (R-ISP) NAS using PPP with CHAP; the R-ISP AAA-Server (RADIUS) proxies to the Intermediate ISP (I-ISP) AAA-Server (RADIUS), which proxies to the Home ISP (H-ISP) AAA-Server (RADIUS).

Page 9: DIAMETER

• Framework for any service which requires AAA/Policy support
• flexible / extensible
• Wide range of security solutions (including X.509 certificates)
• Roaming scenario not yet available in '98
• Only one "experimental" implementation from Merit
• Not yet officially recognized by IETF

Figure (labels recovered from the slide): the H-ISP's roaming user connects to the Remote ISP (R-ISP) NAS using PPP with CHAP; the NAS talks to the R-ISP DIAMETER (proxy) Server using the RADIUS protocol, and the R-ISP DIAMETER (proxy) Server talks to the Home ISP (H-ISP) DIAMETER (proxy) Server using the DIAMETER protocol.

Page 10: A Directory Enabled Solution

• Directory Enabled Networks: a single common directory to support all applications, services and infrastructure

Figure (labels recovered from the slide): a central Directory Service shared by E-mail, the Network Operating System and Other Applications.

• LDAP v. 3 (Lightweight Directory Access Protocol): IETF standard for Internet Directories (RFC2251). Client/Server Model, Distributed Service, Security Framework (Access Control / TLS / SASL)

Page 11: LDAP-based roaming model

Figure (labels recovered from the slide): the H-ISP roaming user sends UserID@H-ISP and Password to the Remote ISP (R-ISP) NAS; the NAS talks RADIUS to the R-ISP AAA Server, which contains a RADIUS Server and an LDAP Client. The lookup then proceeds in three steps:

1. LDAP inquiry to the R-ISP LDAP Server
2. Referral to the H-ISP LDAP server
3. Inquiry to the H-ISP LDAP Server (Home ISP, H-ISP)

Page 12: Directory information modeling

Directory tree held by an ISP's LDAP server (reconstructed from the slide's figure):

O = ISP1 (i.e. o=TIN.IT)
  Uid=ISP1User 1
  Uid=ISP1User 2
  ...
  Uid=ISP1User N
  O=ISP1AdminUsers
    Uid=ISPnAuthorisedUser
O=ISP2 (referral entry)
...
O=ISP n (referral entry)

Referral entries: pointers to other ISPs' LDAP servers
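As an added illustration of the lookup chain on this and the previous slide (not code from the P805 pilot), the following Python models a RADIUS/LDAP gateway at the remote ISP chasing the o=ISPn referral entries to the home ISP's directory; server names, DNs, users and the hash scheme are constructed, and a bounded hop count shows how a misconfigured referral loop is rejected rather than followed forever.

```python
import hashlib
import hmac

# Constructed sample directories for two ISPs plus one misconfigured one.
# Each "server" maps DN -> attributes; an entry carrying "ref" is an LDAP
# referral (RFC 2251) pointing at another ISP's directory, like the
# o=ISPn referral entries of the directory information model above.
def pw_hash(pw: str) -> str:
    return hashlib.sha256(pw.encode()).hexdigest()  # stand-in for a userPassword scheme

DIRECTORIES = {
    "ldap.isp1.example": {
        "o=ISP1": {"objectClass": ["organization"]},
        "uid=alice,o=ISP1": {"userPassword": pw_hash("alice-secret")},
        "o=ISP2": {"ref": ["ldap://ldap.isp2.example/o=ISP2"]},
        "o=ISP3": {"ref": ["ldap://ldap.isp3.example/o=ISP3"]},
    },
    "ldap.isp2.example": {
        "o=ISP2": {"objectClass": ["organization"]},
        "uid=bob,o=ISP2": {"userPassword": pw_hash("bob-secret")},
        "o=ISP1": {"ref": ["ldap://ldap.isp1.example/o=ISP1"]},
    },
    # misconfigured: refers back to ISP1 for its own realm -> referral loop
    "ldap.isp3.example": {"o=ISP3": {"ref": ["ldap://ldap.isp1.example/o=ISP3"]}},
}
MAX_HOPS = 3  # bound referral chasing so a loop fails closed instead of hanging

def authenticate(r_isp_server: str, login: str, password: str) -> tuple[bool, str]:
    """Gateway logic at the remote ISP: split UserID@H-ISP (step 1), find the
    realm entry locally and follow its referral (step 2), then check the
    credential on the home ISP's server (step 3). The SSL protection the
    pilot used between LDAP servers is not modelled here."""
    if "@" not in login:
        return False, "reject: no realm in user id"
    uid, realm = login.rsplit("@", 1)
    realm_dn, server = f"o={realm}", r_isp_server
    for _ in range(MAX_HOPS):
        realm_entry = DIRECTORIES.get(server, {}).get(realm_dn)
        if realm_entry is None:
            return False, f"reject: unknown realm {realm} at {server}"
        if "ref" not in realm_entry:
            break  # this server is authoritative for the realm
        server = realm_entry["ref"][0][len("ldap://"):].split("/", 1)[0]
    else:
        return False, "reject: referral chain too long (possible loop)"
    user = DIRECTORIES[server].get(f"uid={uid},{realm_dn}")
    if user is None or not hmac.compare_digest(user["userPassword"], pw_hash(password)):
        return False, f"reject: credential check failed at {server}"
    return True, f"accept: {uid}@{realm} verified by {server}"
```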

Page 13: The Pilot

Page 14: Implementation description

• Merit AAA Server (basic version)
• Netscape Directory Server
• Project development of RADIUS/LDAP gateway
• Set up of a Certification Authority to issue X.509 certificates for the use of SSL (sn=SIRTE CA, o=CSELT, c=IT)

Page 15: The Trials

• Functionality tests: whole chain from roaming end-user to home ISP's directory server
• Performance tests:
  – local access vs. remote access of a user
  – secure connections vs. non-secure connections between LDAP servers
  – influence of DB size
• "Near Operational" tests: all participants simultaneously authenticating themselves both locally and remotely over a period of time

Page 16: Results from the Trials

• Functionality tests: the model works!
• Performance tests:
  – Local access: non-secure connections: delay of a few tenths of a second; secure connections: delay of ~1/3 vs. non-secure; no influence of DB size
  – Remote access: network delay of a few seconds; the delay introduced by the use of SSL is not relevant
• "Near Operational" tests: influenced by network conditions

Page 17: Recommendations from the Pilot

ISPs:
• before signing contracts for centralised solutions with third party providers, first identify the participation costs to the consortia;
• do not sign "exclusive" contracts for centralised solutions with third party providers; keep the possibility to offer at the same time a de-centralised solution!
• keep under observation the research activity, which may provide important innovations in the near future.

Page 18: P914: Study and Trials for Internet Roaming in Europe

Scope & Activities

• Two new participants: Portugal Telecom and Telefonica España
• Enhancements to the Roaming Solution: management aspects, accounting mechanisms, security, directory phonebook
• Client Interface for Roaming users
• Support DIAMETER work; development and trial of a DIAMETER-based roaming solution (EURESCOM now member of Merit AAA consortium, members active participants to IETF Roamops and AAA Groups)