eduroam Development VC Minutes 2023-05-23 1530 CEST
Attendance
Attendees
- Stefan Winter (Restena)
- Stefan Paetow (Jisc)
- Janfred Rieckers (DFN)
- Robert Gorrell (UNCG)
- Mike Zawacki (Internet2)
- Zenon Mousmoulas (GRNET)
- Guy Halse (TENET)
- Maja Górecka-Wolniewicz (PSNC)
- Tomasz Wolniewicz (PSNC)
- Chris Phillips (CANARIE)
- Ed Kingscote (CANARIE)
- Mohit Sharma (CANARIE)
- Ed Wincott (Jisc)
- Anders Nilsson (SUNET)
- Paul Dekkers (SURF)
- Christian Rohrer (SWITCH)
- Louis Twomey (HEAnet)
Regrets
Paul Dekkers (SURF) - might join later
János Mohácsi (KIFÜ) - might join later - clash with T&I incubator
Agenda / Proceedings
Welcome / Agenda Bashing
CAT 2.1.1 maintenance release
- working on right-to-left language UI corrections for Arabic still
- https://cat-test.eduroam.org -> Languages -> Arabic
- will have production eduPKI certificate issuance
- RADIUS server names, an non-personal mail contact
- currently prerogative of NRO operators to request - can request forthemselves (for institutions WIP)
- CAT has checks for verifying that your setup correctly checks revocation (except that the revoked certificate we use for that has recently expired, and the check isn’t functional - working on it)
- support for dynamic discovery: Radiator, latest radsecproxy RC, FreeRADIUS experimental
- If you don’t find your inst in “manage DB link” but it is in eduroam DB, send a note to StefanW personally
PEAP / TLS 1.3 / Session Resumption not working?
- Received word that no version of NPS is capable of TLS 1.3 (up to and including Windows Server 2022) -> issue has smaller footprint than expected
EAP-FIDO update
- ongoing; StefanW sent libfido2 instructions for Yubikey auths without UP verification to Janfred
- POC that registering in web context and using out of the context does work
- wpa_supplicant work ongoing
IETF update
- Interim radext meeting on 22 my 2023
- discussed 6614bis (RADIUS/TLS). 6614 is Experimental; bis will move to Proposed Standard.
- has dependencies on 6613 and RADIUS/DTLS; the new spec will merge these into the main 6614bis (Janfred is editor)
- draft for “RADIUS 1.1” (Alan DeKok). fixes 256 IDs, uses ALPN, removes everything MD5. FreeRADIUS has experimental support (compile-time switch).
- draft for BCP on TLS-PSK usage.
- (usage of plain RADIUS UDP/TCP over WANs will be deprecated after 6614bis is out)
- TLS-PSK is a drop-in for UDP shared secrets; should be deployable without much headache
- TLS with PKIX should be the thing for NRO operators, who can handle the complexity
- be prepared for a landslide change: previously, encrypting RADIUS was a fancy/avantgarde/overdoing thing; at that later point, security researchers will likely name and shame you for being a retard if you /don’t/ encrypt
- need to support IdP and SPs in their transition when the time has come
- are we prepared to leave those behind who aren’t able to keep up?
Recurring OpenRoaming chitchat
AOB / next VC
- Two weeks to TNC!
- 4 July 2023 1530 CEST
Appendix: on participants’ request: the chat window content
15:31:36 From Anders Nilsson To Everyone:
Wooho!!! The Polar Bear is BACK!!! 😎
15:32:18 From Zenon Mousmoulas To Everyone:
polar bear ❤️
15:32:57 From Anders Nilsson To Everyone:
Well… I’m done with ”ISE” anyway…. 😉
15:39:44 From Chris Phillips To Everyone:
this is for the RADSEC trusts between NRO to NRO servers?
15:40:29 From Anders Nilsson To Everyone:
URL to the Pad for today? (Never got that VC mail)
15:40:34 From Jan-Frederik Rieckers To Everyone:
https://pad.gwdg.de/wSmLx70tRK6q1PWdfoAjLQ?both
15:40:46 From Stefan (Jisc) To Everyone:
Replying to “this is for the RADS…”
Yes
15:40:47 From Anders Nilsson To Everyone:
Reacted to “https://pad.gwdg.de/…” with 👍
15:43:11 From Jan-Frederik Rieckers To Everyone:
People never use revocation checks. It breaks things. (Hard to get people to understand that THIS IS BY DESIGN!!!)
15:43:44 From Chris Phillips To Everyone:
i can see that F-TICKS data would be a casualty/collateral damage to the change — the same problem as multi-lateral federation with mesh, not hub/spoke
15:48:20 From Anders Nilsson To Everyone:
Fun story. Arista at last weeks Mobility Field Day launched their own ”Cloud NAC” server where RadSec Proxy was a vital component. Never got to know if it was homegrown or if they’ve just grabbed ours. 😉
15:48:25 From Paul Dekkers To Everyone:
The blocking feature is still relatively important I thin
15:48:57 From Paul Dekkers To Everyone:
If you don’t use blocking, the dynamically discovered requests may fail in the first request - if you use blocking pre 1.10-rc the non-dynamic ones may fail
15:49:20 From Paul Dekkers To Everyone:
In the rc with non-blocking the non-dynamic ones just have a 2s delay instead of getting a reject
15:51:25 From Anders Nilsson To Everyone:
10000-ish…😇
15:53:21 From Paul Dekkers To Everyone:
9600 IdPs, 36000 SPs
15:53:52 From Paul Dekkers To Everyone:
SPs ~ service locations
15:54:00 From Jan-Frederik Rieckers To Everyone:
cough
16:04:11 From Paul Dekkers To Everyone:
NREN networks are secure networks? ;-)
16:04:23 From Chris Phillips To Everyone:
that one sounds like this: https://datatracker.ietf.org/doc/draft-dekok-radext-deprecating-radius/
16:05:31 From Chris Phillips To Everyone:
feels like a shot across the bow on shared secrets…
16:05:34 From Paul Dekkers To Everyone:
TLS-PSK is identifier + PSK, or is it also IP-address?
16:05:50 From Jan-Frederik Rieckers To Everyone:
identifier+PSK
16:05:58 From Paul Dekkers To Everyone:
That’s more flexible also
16:06:11 From Paul Dekkers To Everyone:
I thought 1.1 was mostly also about TLS-PSK, but not even just that
16:06:21 From Chris Phillips To Everyone:
@jan — that’s a lot of IETF docs to track… great update! Will you throw those into the notes or do you have another location for those?
16:06:34 From Paul Dekkers To Everyone:
It’s both add TLS-PSK, and 1.1 defines that we no longer use old style shared secrets, right
16:07:25 From Paul Dekkers To Everyone:
The NREN network comment was a bit of a joke, but I indeed think that inside an NREN with institutions doing NPS, it will remain RADIUS-UDP for quite a while :-/
16:07:39 From Paul Dekkers To Everyone:
Though Cisco and Clearness may do it
16:08:07 From Anders Nilsson To Everyone:
@Paul ClearPass?
16:08:13 From Chris Phillips To Everyone:
so what say ‘we’ (eduroam devs) about NRO to NRO servers —> radsec everything??
16:08:17 From Paul Dekkers To Everyone:
The stuff that’s plaintext is also sent unencrypted through the air BTW ;-)
16:08:59 From Paul Dekkers To Everyone:
@chris you can indeed also do RadSec with the static links even (like to etlr) even without doing dynamic discovery
16:09:26 From Paul Dekkers To Everyone:
Bear in mind the loop trics in your radius logic may be different
16:09:39 From Paul Dekkers To Everyone:
(So it’s not exactly the same)
16:10:06 From Paul Dekkers To Everyone:
RADIUS doesn’t identify the RadSec clients as unique clients per se - perhaps that will happen with TLS-PSK
16:10:28 From Paul Dekkers To Everyone:
Oh, I can look up the amount of RadSec connections on the etlr
16:11:22 From Paul Dekkers To Everyone:
19% of the connections is radsec
16:14:03 From Jan-Frederik Rieckers To Everyone:
NPS is dead anyway. duck and run
16:14:39 From Paul Dekkers To Everyone:
We now have institutions that do without RADIUS server at all; only geteduroam and their controller directly connected to our proxies…
16:20:03 From Jan-Frederik Rieckers To Everyone:
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
16:20:30 From Paul Dekkers To Everyone:
So the security people may get the NPS server to be extinct if that’s the case; I’m optimistic
16:20:51 From Stefan Winter To Everyone:
Jan-Fredrick is crying out loud?
16:21:13 From Chris Phillips To Everyone:
There’s a big move away from NPS on our doorsteps so yes, and to what is the guidance… this is going to happen anyways with sites all in on Azure so letswifi + federated login to get a cert is a thing …
16:21:38 From Jan-Frederik Rieckers To Everyone:
Nooooo, never. Me? how could I? I don’t see a problem. Not like I wrote my bachelor thesis about TLS in eduroam…
16:22:10 From Anders Nilsson To Everyone:
Reacted to “Nooooo, never. Me? h…” with 😇
16:22:19 From Stefan (Jisc) To Everyone:
Reacted to “Nooooo, never. Me? h…” with 🤣
16:22:44 From Stefan Winter To Everyone:
It’s an elephant in a room with windows.
16:23:28 From Anders Nilsson To Everyone:
Fragile Glass Windows…… 🐘
16:23:48 From Chris Phillips To Everyone:
to be clear — I’m optimistic we have great stories (more than one) on security… it will take more than one style is my point on this topic — we need some great pathways available that we’re all willing to endorse is my nudge on things
16:24:00 From Anders Nilsson To Everyone:
Nooo it’s just resting…. 🦜
16:24:41 From Chris Phillips To Everyone:
The IETF update highlights that these stories need some elaboration — if our docs for eduroam don’t already have them.
16:25:06 From Anders Nilsson To Everyone:
Look!! This NPS wouldn’t do RadSec if you put 4000 Volts through it.
16:26:11 From Anders Nilsson To Everyone:
Of curse there has to be a grace period I guess……
16:26:36 From Janfred Rieckers To Everyone:
“Every machine is a smoke machine, you just have to operate it wrong enough”
16:26:51 From Paul Dekkers To Everyone:
Reacted to "“Every machine is a …” with 😆
16:26:57 From Anders Nilsson To Everyone:
Reacted to "“Every machine is a …” with 😆
16:27:03 From Mike Zawacki (he/him) To Everyone:
Reacted to "“Every machine is a …” with 🤘🏻
16:27:25 From Paul Dekkers To Everyone:
Azure IaaS is already a good example of not being able to do RADIUS-UDP by default BTW, due to fragmentation. Needs a support ticket to fix that.
16:27:32 From Chris Phillips To Everyone:
it’s not about NPS dead — it’s RADIUS is improving and does YOUR server support the optimal security architecture?
16:27:57 From Anders Nilsson To Everyone:
That’s a job for the eduroam inspector. 🙂
16:28:26 From Paul Dekkers To Everyone:
TLS 1.3, not having RADIUS 1.1, not doing TLS (neither PSK NOR PKI) is indeed enough to highlight weaknesses
16:28:50 From Chris Phillips To Everyone:
have to jump in 2 min to another mtg I host 🙂 thanks for the great conversation today 🙂
16:28:58 From Tomasz Wolniewicz To Everyone:
Alan’s interest in radsecproxy was mainly to let people live with NPS while getting Radius traffic to the proper level.
16:29:09 From Chris Phillips To Everyone:
+1 @tomasz
16:29:48 From Paul Dekkers To Everyone:
Is everybody coming to mobility day BTW? We could discuss something there also ;-)
16:30:01 From Paul Dekkers To Everyone:
(Registration is about to be closed, FWIW)
16:30:08 From Anders Nilsson To Everyone:
We put RadSec proxies in front of pretty much everything……😇
16:31:12 From Paul Dekkers To Everyone:
You can also save chat via the 3 dots next to smiley
16:31:27 From Paul Dekkers To Everyone:
OH NO, now people will read our chats
16:31:45 From Stefan (Jisc) To Everyone:
🤣🤣🤣
16:32:02 From Anders Nilsson To Everyone:
Darn!!! Now my jokes are archived…. 😅
16:32:56 From Zenon Mousmoulas To Everyone:
Replying to “Darn!!! Now my joke…”
and the polar bear comments!!
16:33:17 From Stefan (Jisc) To Everyone:
https://events.geant.org/event/1391/
16:33:23 From Stefan (Jisc) To Everyone:
Go register there.
16:33:42 From Paul Dekkers To Everyone:
^^ that’s optional, but welcome
16:33:48 From Paul Dekkers To Everyone:
The day pass is mandatory
16:33:54 From Paul Dekkers To Everyone:
(Or no coffee, no lunch, grumpy people)
16:34:11 From Paul Dekkers To Everyone:
https://wiki.geant.org/display/TFMNM/Mobility+Day+at+TNC23
16:34:28 From Paul Dekkers To Everyone:
Add topics soon, because I will work on the programme with Casper soon also
16:35:19 From Paul Dekkers To Everyone:
(Share the plan in slack or on the wiki page)
16:35:37 From Paul Dekkers To Everyone:
Meeting is powered by Stefan’s gadgets
16:36:07 From Ed Kingscote To Everyone:
I have to drop now I’m afraid, thanks everyone
16:36:31 From Anders Nilsson To Everyone:
@Stefan Inspector Gadget? Beware of those MAD agents. 😉