Salsa call
9-March-06
*Attendees*
Mark Poepping, CMU (chair)
Ken Klingenstein, Internet2
Terry Gray, U. Washington
Charles Yun, Internet2
Chas DiFatta, CMU
Renee Frost, Internet2
Rodney Petersen, Educause
Chris Misra, U. Mass.
Jack Suess, UMBC
Steve Olshansky, Internet2 (scribe)
*Discussion*
- REN-ISAC focus group update -
REN-ISAC has now staffed the open position, and is now looking at the results of the focus group with an eye toward defining/refining service offerings. In the time since the focus groups were held a few months ago, has the landscape changed in a way which would or should affect this? Are there specific recommendations that they would not want or need to follow because there are others offering similar services, e.g. SANS?
[AI] Charles will circulate summaries of the focus group outputs for Salsa review and comment in this context. Goal is to flesh out current top priorities...
- FWNA/Merit update -
Internet2 is working with Merit to submit a proposal to the state of Michigan for funding to accelerate our work in FWNA. Since Merit is engaged in the pilot with UTK, and given their extensive expertise in this area, this seems to be a natural fit.
We have received a proposal from the Europeans about how to add attribute passing to a RADIUS infrastructure, for a similar set of use cases.
Q: would policies which govern access on campus for roaming scholars be similar enough that this won't be an obstacle for users as they move to other campuses? E.g. in Europe, a number of countries will not allow K12 students to connect to their networks as roaming users, even if they are properly credentialed. How will exceptions like this be accommodated in the US context?
Given the NREN orientation in the EU, they are seeking to have roughly uniform policies for roaming across campuses, across a country. In the US we don't have an NREN in a position to assert that sort of control, nor are we likely to. Thus it will be left to individual campuses or systems to decide their policies for guest access.
If we can expect to be able to consistently offer access for the broadest class of roaming users, across higher ed in the US, that would be optimal. How likely is that?
If we think that the policies will be radically different from campus to campus, even for faculty, then we may need to question whether this is a path we should be going down... It could be very challenging for users to be required to determine guest access policies in advance for any campus they expect to visit.
Q: do we think that for the broadest class of user we are most focused on, faculty and staff, that campuses will not want to grant network access to visitors?
It was observed that on many campuses, they already have to provision guest accounts whether the visitors are affiliated elsewhere or not. If a user has to pre-configure their machines to use Eduroam, then test it on every campus they visit only to find that it may not work, that would likely be a severe obstacle to wide adoption. If a campus already has a guest access policy, and if it is convenient for users to use existing credentials, then they are likely to do so, so long as it is a relatively transparent process.
It was noted that in the library space, while the capability exists to assert faculty/staff/student/walk-in, many of the vendors have asked instead for a common attribute to cover all of these, since all are licensed for their content and they have no need to be that granular.
Is there a common class of user in the FWNA context that would cover at least most faculty/staff? Probably not, however in regional consortium or similar affinity group contexts (e.g. for state systems or metro areas that share library resources) this may be more viable.
The conclusion is that while this may not fly at the national level, there is likely going to be enough traction among these regional or affinity groups to make it worthwhile to pursue this effort.
So long as an organization has the flexibility to define their trust relationship - which organizations they are willing to accept credentials from - there are likely to be a number of these bilateral roaming relationships established. This in turn may lead to some sort of broader national approach, due to user demand, but that remains to be seen.
One question still remaining: many campuses need to provision guest access anyway, regardless of guest affiliation, so why would they bother with FWNA for a particular group of users? If there are enough of these FWNA visiting users who carry enough clout with your supported faculty, that may be enough of a driver to adopt it.
Some campuses are implementing a service open to the community, with no authentication and limited bandwidth. Would FWNA be able to provide a differentiated level of service to real guest roaming users? This scenario is not currently in scope, but may be worth examining later.
- DNSSEC Update -
A mailing list has been formed, centered around the group which met at Joint Techs. The goal is to foster a community interested in pursuing a testbed. More to come on this...
- I2MM -
Charles will be sending out a list of Security sessions at the upcoming I2MM. Among others, there will be an 802.1x BoF, and an EDDY (Diagnostics) session.
- CSI2 -
The site is now live, linked from the Security main page, and calls are revving up. First tasks will be to clarify early deliverables and charter. There will be a dinner at the Security Professionals Conference, for those attending.
- Reconnections Workshop -
Proceedings will be posted soon; they are in the final editing stage now.