SALSA-NetAuth - FWNA Working Group conference call
April 5, 2007

*Attendees*
Kevin Miller, Duke U. (co-chair)
Philippe Hanset, UTK (co-chair)
Rich Cropp, Penn State U.
Mark Linton, Penn State U.
Andy Rosenzweig, Merit
John Vollbrecht, Internet2
Michael Gettes, Internet2
Steve Olshansky, Internet2
[Jessica Bibbee, Internet2 (scribe)]

New *Action Items*
[AI] Contact {Kevin} with agenda topics for discussion at the Internet2 Member Meeting.
[AI] {Philippe} will post a request to the list for everyone to reply with comments to {Philippe and Mark} about what they would like to have as discussion topics at the Visitor Access session.
[AI] {Mark} will work with {Philippe} to get a rough draft of the results to {SteveO} by Tuesday, 17-Apr.
[AI] {John} will put together a few slides for the Member Meeting showing a Shibboleth-ish web access capability and how it would work.

Carry-over *Action Items*
[AI] {Kevin} will follow up with {Chris} on the NEA discussion and how it relates to FWNA work.
[AI] {Kevin} will forward resulting notes of the 802.1x next steps to JANET folks.
[AI] {John} will draft a general intro and scope of the RADIUS/SAML work.
[AI] {Kevin} will gather focal points and questions from the RADIUS/SAML discussion for sharing with {Ken} and continuing discussions. (22-Feb-07)
[AI] Group will begin a search for someone who is willing to do an implementation of the proposed RADIUS/SAML integration. (8-Feb-07)
[AI] {Kevin} will address the EDUCAUSE-WLAN list to get feedback on the RADIUS-SAML. (11-Jan-07)
[AI] {Steve C.} will review the draft RADIUS-SAML document and update with conversations with {Bob Morgan and Scott Cantor} and forward to the list for feedback from an operational perspective. (11-Jan-07)
[AI] {John} will contribute questions towards identifying and compiling trust issues for a document(s).

Future *Agenda Items*
- TF-Mobility about ITF meeting in Prague (22-Mar-07)
- Group will consider holding an additional call to further discuss 802.1x and Microsoft (re: Vista). (25-Jan-07)
- Spring Internet2 Member Meeting – Group will discuss RADIUS/SAML Integration. (8-Feb-07)

*Agenda*
1. Introductions
2. Review Working Group efforts
3. Review Charter
4. Discuss future group activities

1. Upcoming Meetings: Spring 2007 Internet2 Member Meeting
2. SALSA-DR
3. Guest access survey
4. RADIUS/SAML

*Discussion*
Mark L.
John
Andy R.
Derrek Moore
Dale Smith
Shumon
Mark Poepping
Chris Misra
Kevin Miller
Philippe

FWNA products
- Eduroam pilot
- next steps with 802.1x
- SAML profile for radius
- Guest access survey

Kevin – re: Eduroam pilot – 2 servers

Chris – have not seen a great deal of interest in the

Andy - people seem interested, but when it comes to offering money/research, say it seems to offer less

Philippe – (utilization?) close to zero

Kevin – last year Member Meeting, next steps….

Kevin - - 802.1x Good turnout, short summary

Kevin – Steve has made a few changes on the SAML profile for radius

John – is a useful topic for networking environment in general

Chris – is important and interesting. But…. Haven’t seen much real interest in terms of activity.

Philippe – survey was easier than expected. People offered creative responses.

Mark – going to present results, not too much analysis..

Chris – looks like work with netreg – those documents were used well.

Kevin – last 2.5 years

Kevin – charter

Chris – NetAuth. Worth noting…. Look at work we did, and compare to commercial products, see more standards. We’ve been trying to engage with TCG folks, engaged with people…. Steve Hanna. Young in the client list space. In HE, lot of products don’t have sale-ability… not Working Group property, but might see some ramp up in that area.

Shumon – NEA?

Chris – complicated group – difficult charter… 12 mo reaching charter. What is point of NEA if can’t trust the endpt? Lot of interest, but no consensus. If have trusted platform module, can make secure on proof arguments… Looks like is more active because is vendor driven, but

Chris - …. Am engaged with them, trying to sign an agreement…. Going through standards process. NEA is solving similar problem but under IETF. Trying to solve this provl for more…

John – read some stuff

Chris – out of control. IETF is happy now, but charter is narrow. TNC… protocol may roll out in vendor space and roll up into IETF.

John – haven’t seen acceptance

Chris – good to have Steve H in both for alignment, but could be liability.

Chris – Chris Hessing has been doing Open.1x stuff. Working with TNC stuff. Knows Steve H. Deployed the first TNC compatible software. That is being done open source. Open 1x is

Philippe – started at UMD, but

Chris – seen anyone using 1x? posture assessment or supplicant. How to do the former with existing latter? Open 1x is first taking os supplicant…

Philippe – Identity Engines. Complained that wasn’t compatible. They charge

Kevin – back to charter

Mark – network management and how it relates to security… is this place to do it?

Chris – isn’t really any other place…

Mark – started with netreg, added module… wanted to acknowledge started with inventory…. And __ access control. Not saying should work there, but think about it.

Chris – some of NetAuth… could look at in architecture framework. But missing standards of transport protocols. Not necessary not worth doing, but

Mark – hard to get hands on support for forensic work

Kevin – FWNA was offshoot of 3) forensic support for investigation of abuse

Mark – people are doing stuff with CMTBs?..

Chris – defining future work steps…. Maybe does need to be refined

Philippe – if look at this and look at survey. Combine theoretical thing where we are going – and what are people doing today. Where lacking… continuum problem.

Chris - …__ extend va to… so guy down road can connect to network. Need to do better job of casting that space.

Mark – people don’t understand that address different communities… guest, visitor, federated…. Different skill sets…

Mark – if dependent on such a federation to exist in order to leverage…. We see it coming, but many don’t. Belief that it will work…. But when. It will be easier then, when we have to…. But is optional interest now.

Philippe – if apply filter to existing solution, and realized that can’t do 1 or 2, but maybe 3 – show the weaknesses.

Chris – common taxonomy has helped to see commonalities.

Chris – guest and visitor. But what does guest access mean? No taxonomy to talk consistency about terms.

Mark – occurs to me that, in terms of survey…. Sequence of interaction based on policy… has bugged me, forensic support. If can trust someone who knows that person is better than tracking down someone on their own. Why doing this stuff, and how. Do I have to collect all that information per person or can I collect from one source.

Chris – what are we trying to do?.. consensus across communities is important.

Kevin – FWNA charter. Thoughts. Where to go from here. Can talk about additional projects. 1) What are current hot issues?

Kevin – 2) can these Working Group help address these concerns?

Kevin – want to narrow activities to help focus and stay on track. Start with guest access. A dictionary/taxonomy of space. Good approach?

Philippe – we don’t have a definition of the visiting scholar, but if look at scholar. If look at what people said, started with a narrow problem… mostly non-edus visiting edus. Community partnership. There goes 802.1x.

Mark – didn’t understand what described as guests. These schools gave computers to faculty staff and students they saw as guests.

Philippe – time of day, bandwidth. Easy to say…. But when look at box, what do you say.

Chris - … lets schools make an informed choice…

Mark – many didn’t realize that they were doing limit, but is on a T1…

Philippe – we want to be ahead of the wave, but bandwidth control… is still useful to community.

Kevin – extrapolate commonalities in terminology and… build a bit of a constituency… where do you want to go.

Mark – what is going on today (can do easily), things that will take awhile (but are useful),… what are things you do now that fit into class, how do you classify

Kevin – consensus that it’s a good idea to do a paper for the guest access survey.

Philippe – one more issue. None of vendors talked about 802.1x. But they talk about convergence. How whole AuthN of device. The web portal won’t be successful… previous work will be revised keep in mind, be aware.

Kevin – guest access document. Can we articulate what is intent?

Mark – would help us to define a taxonomy so can establish a baseline, see which communities are there, which are addressed, and the problem one is left for us.

Chris – lot of stealing from NetAuth

[AI] Mark will pass around a sentence defining the goal of a guest access document.

Chris – having some organization around this work is important.

Philippe – they solve it, but are not happy about how they solve it.

Kevin - What other deliverables do we want to have?

Philippe – the way we interact with MS and 802.1x? How can we interact with 802.1x…. interested because could be a gateway. Some way we can make it better to hand back?

Chris – MS have talked to us…will keep pushing privately, is orthogonal coming to us. This is what’s missing,…

Philippe – mix – taxonomy with guest access and compare to 802.1x… look at elegant solution.

Chris – some bridging between the two with a time variable. One component is relationship with MS. Get clarity.

Kevin – agree. 802.1x as a protocol? Not adding more capabilities, but rewrote the code. Ha. Useful space?

Mark – like the presentation. Used to JT… and the high level at Member Meeting … but gave good perspective…

Kevin and Chris will post slides from Fall Member Meeting.

Feedback from audience was that

Philippe – if we could solve problem of 802.1x for a conference. Is diverse and bulky. Quantity and quality.

Kevin – is interest, but what is next step.

Kevin – make sense to…. Part is just selling, but would a 2-page document that tries to cast that… get a list of people that support it. Use in discussion with vendors.

Mark – like that. Also worthwhile to id what 802.1x doesn’t do for us. If someone on your network, know who they are, but gives no mechanism to terminate… is good as a link layer, but…

Mark – bullet points as to why we are not using 802.1x

Kevin – 2 key things to work on.

Kevin – things we’d like to work on, also… make sense to keep a parking lot?

Chris – another idea… if folks in community that could help move forward, would be good contact them.

-Upcoming Event: sig-gro combined working group session at I2 Spring meeting -
The next face-to-face opportunity for the SALSA-NetAuth and FWNA Working Groups will be at the Spring 2007 Internet2 Member Meeting <http://events.internet2.edu/2007/spring-mm/>.

In particular, there will be a combined Net-Auth/FWNA BoF on Tuesday morning, 23-April, at 7:30am EDT. Stay current with meeting room location and detailed meeting abstract at the following link <http://events.internet2.edu/2007/spring-mm/sessionDetails.cfm?session=3220&event=267>. {Kevin} is putting together an agenda with topics including a) the future direction of the FWNA Working Group, and b) next steps for implementation of the proposed RADIUS/SAML work. [AI] Contact {Kevin} with agenda topics for discussion at the Internet2 Member Meeting.

See also the following link for more information on the Visitor Access session: Analysis of a Worldwide Survey, Tuesday afternoon at 4:30pm EDT at <http://events.internet2.edu/2007/spring-mm/sessionDetails.cfm?session=3170&event=267>. [AI] {Philippe} will post a request to the list for everyone to reply with comments to {Philippe and Mark} about what they would like to have as discussion topics at the Visitor Access session.

-SALSA-DR-
{SteveO} gave a brief update on SALSA-Disaster Planning & Recovery (SALSA-DR), the newest working group formed under the Internet2 Security umbrella. {Don MacLeod} of Cornell University has volunteered to chair the group. Among many issues, the group aims to explore and document best practices for disaster planning and recovery. More than sixty people have joined the mailing list since the group was announced (cf. SteveO’s email of 3-Apr-07). All are welcome and encouraged to participate.

The SALSA-DR Working Group will hold a BoF at the Member Meeting <http://events.internet2.edu/2007/spring-mm/sessionDetails.cfm?session=3224&event=267>, but is deferring its first conference call until after the meeting in Arlington.

-Guest access survey-
{Mark} reported that the survey had been closed on 2-April, and he had only had a chance to pull some rough, though interesting, numbers from the results: 107 valid responses from 94 institutions in 10 countries spanning 3 continents. From those responding in the US, campuses stretched across 40 states and Puerto Rico. 84% of respondents do have visitor access, and over half of those provide unauthenticated access (details forthcoming).

[AI] {Mark} will work with {Philippe} to get a rough draft of the results to {SteveO} by Tuesday, 17-Apr. {Mark} cautioned against writing survey questions in the future that may be centric to US practices, as the survey might likely be viewed all over the world.

-RADIUS/SAML-
{John} wondered if the results from the survey might point towards a SAML solution. {Mark} said that if people were looking for a federated solution, it could be tied into resources mentioned in the report. {Philippe} voiced his concern about the complexity of institutions using the 802.1x interface, let alone for a visitor solution. {Michael} suggested that folks providing guest access may want finer-grained controls, aside from any specific technology. {Philippe} responded by saying that people would rather not deal with compliance issues and requirements, if they can be avoided.

The Guest Access survey did not have a question that specifically addressed control issues. If there were an elegant way for people to connect via 802.1x, incorporating SAML would simply be an added bonus. {Kevin} saw a relationship between the guest access survey and RADIUS/SAML proposal, and thought it would make for a good agenda item at the Member Meeting. What are the next steps for the RADIUS/SAML work, and are those activities sufficient? Who should be the acting body for the next steps?

{Philippe} said that they may get many answers from the guest access survey. He also suggested that it may make sense for the FWNA group to divide into multiple interdependent chapters, which could isolate specific issues that campuses are facing. [AI] {John} will put together a few slides for the Member Meeting showing a Shibboleth-ish web access capability and how it would work.

The next SALSA-NetAuth - FWNA WG call will be held on Thursday, April 19, 2007 at 11am EST.