キャンパスネットワークローミングのためのアクセス制御技術(3.2 第5回情報シナジー研究会, 3. 研究活動報告)

キャンパスネットワークローミングのためのアクセ

ス制御技術(3.2 第5回情報シナジー研究会, 3. 研

究活動報告)

著者

今井 哲郎, 後藤 英昭, 曽根 秀昭

雑誌名

年報

巻

6

ページ

95-100

発行年

2007-07

URL

http://hdl.handle.net/10097/48530

ࠠࡖࡦࡄࠬࡀ࠶࠻ࡢ࡯ࠢࡠ࡯ࡒࡦࠣߩߚ߼ߩ

ࠕࠢ࠮ࠬ೙ᓮᛛⴚ

੹੗ື㇢  ᓟ⮮⧷ᤘᦥᩮ⑲ᤘ

᧲ർᄢቇᖱႎࠪ࠽ࠫ࡯࠮ࡦ࠲࡯࡮ᦨవ┵ቇⴚᖱႎၮ⋚⎇ⓥቶ

  ޽ࠄ߹ߒ ή✢ LAN ߥߤߩࠠࡖࡦࡄࠬࡀ࠶࠻ࡢ࡯ࠢߩࠗࡦࡈ࡜ࠍᄢቇ㑆ߢ⋧੕೑↪ߔࠆ࠾࡯࠭ ߇ㄭᐕ㜞߹ߞߡ߅ࠅޔࡀ࠶࠻ࡢ࡯ࠢࡠ࡯ࡒࡦࠣࠍታ⃻ߔࠆ⹜ߺ߇࿖ౝᄖߢⴕࠊࠇߡ޿ࠆޕ ࿖ౝߢߪޔ࿖┙ᖱႎቇ⎇ⓥᚲߣ 7 ᄢቇ(ർᶏ㆏ޔ᧲ർޔ᧲੩ޔฬฎደޔ੩ㇺޔᄢ㒋ޔ਻ Ꮊ)ߩᖱႎၮ⋚࠮ࡦ࠲࡯ޔ᧲੩Ꮏᬺᄢቇޔ߅ࠃ߮㜞ࠛࡀ࡞ࠡ࡯ടㅦེ⎇ⓥᯏ᭴߇ޔో࿖ ౒ห㔚ሶ⹺⸽ၮ⋚᭴▽੐ᬺ(UPKI ੐ᬺ)ࠍផㅴߒߡ߅ࠅޔᒰ⎇ⓥቶߢߪࠠࡖࡦࡄ࡙ࠬࡆ ࠠ࠲ࠬࡀ࠶࠻ࡢ࡯ࠢ߅ࠃ߮ࡠ࡯ࡒࡦࠣߩታ⃻ߩߚ߼ߩࡀ࠶࠻ࡢ࡯ࠢ೙ᓮᛛⴚߩ⎇ⓥ㐿 ⊒ࠍᜂᒰߒߡ޿ࠆޕ਎⇇⊛ߦߪޔ࡛࡯ࡠ࠶ࡄࠍਛᔃߦ⊒ዷߒߡ߈ߚ eduroam ߇࠺ࡈࠔ ࠢ࠻ࠬ࠲ࡦ࠳࡯࠼ߦߥࠅߟߟ޽ࠅޔᣣᧄ߽ᖱႎࠪ࠽ࠫ࡯࠮ࡦ࠲࡯ߣ࿖┙ᖱႎቇ⎇ⓥᚲߩ ਥዉߢ 2006 ᐕ 8 ᦬ߦ eduroam ߳ߩട⋖߇ታ⃻ߒߚޕ eduroam ࠍߪߓ߼ޔᓥ᧪ߩᄙߊߩࡠ࡯ࡒࡦࠣᣇᑼߢߪޔ⸰໧వᯏ㑐ߩ IP ࠕ࠼࡟ࠬࠍ ࠥࠬ࠻ߦ೑↪ߐߖࠆߩ߇৻⥸⊛ߢ޽ࠆޕߒ߆ߒߎߩࠃ߁ߥᣇᑼߢߪޔࠥࠬ࠻ߦࠃࠆήᗧ ⼂޽ࠆ޿ߪ᡿ᗧߩࡀ࠶࠻ࡢ࡯ࠢਇᱜ೑↪ߦኻߔࠆ⽿છߩᚲ࿷߇ᦌᤒߦߥࠅޔ⸰໧వᯏ㑐 ߇ਇ೑⋉ࠍⵍࠆෂ㒾ᕈ߇޽ࠆޕ৻ᣇޔࠥࠬ࠻ߦᚲዻᯏ㑐ߩ IP ࠕ࠼࡟ࠬࠍ૶ࠊߖࠆᣇᑼ ߽޽ࠆ߇ޔ⸰໧వᯏ㑐ߩࠨ࡯ࡆࠬࠍࠥࠬ࠻ߦឭଏߒߦߊ޿ߣ޿߁໧㗴߇޽ࠆޕᧄႎ๔ߢ ߪߎߩࠃ߁ߥ໧㗴ࠍ߹ߣ߼ߚ਄ߢޔ⽿છ໧㗴ߩ⸃ᶖߣല₸⊛ߥࠨ࡯ࡆࠬ೑↪ߩ෺ᣇࠍታ ⃻ߢ߈ࠆࠃ߁ߥޔ࡙࡯ࠩ⹺⸽ᖱႎߦၮߠߊࡀ࠶࠻ࡢ࡯ࠢࠕࠢ࠮ࠬ೙ᓮߩࡕ࠺࡞ࠍឭ᩺ߔ ࠆޕ

1

䉨䊞䊮䊌䉴䊈䉾䊃䊪䊷䉪䊨䊷䊚䊮䉫

䈱䈢䉄䈱䉝䉪䉶䉴೙ᓮᛛⴚ

2007.2.14 ᧲ർᄢቇ ᖱႎ䉲䊅䉳䊷䉶䊮䉺䊷 ੹੗ື㇢䋬ᓟ⮮⧷ᤘ䋬ᦥᩮ⑲ᤘ 2

Agenda

• ⎇ⓥ䈱⢛᥊ • 䊨䊷䊚䊮䉫䈮䈍䈔䉎IP䉝䊄䊧䉴ઃਈ䈮㑐䈜䉎 ໧㗴 • 䊨䊷䊚䊮䉫䉲䉴䊁䊛䈮䈍䈔䉎ⷐ᳞᧦ઙ • ᣢሽᚻᴺ䈱⺞ᩏ • ⷐ᳞᧦ઙ䉕ో䈩ḩ䈢䈜䊨䊷䊚䊮䉫ᚻᴺ䈱ឭ᩺ • ឭ᩺ᚻᴺ䈱೑ὐ䈫ᰳὐ䈱ᢛℂ • 䉁䈫䉄䈫੹ᓟ䈱⺖㗴 3

⢛᥊

visitor The Internet 䊖䉴䊃 ᯏ㑐 䊖䊷䊛 ᯏ㑐 ⸰໧వ䈪䉅઀੐䉕䈚䈢䈇䈫 䈇䈉䊆䊷䉵 ᢎ᝼ห჻䈱⋧੕⸰໧䉇੤ ឵ቇ↢䈭䈬䈱੤ᵹ䈏㕖Ᏹ 䈮ᵴ⊒ ಴వ䈫䊖䊷䊛䈱෺ ᣇ䈱䊥䉸䊷䉴䈮䉝䉪 䉶䉴䈚䈢䈇 4 visitor The Internet ਇᱜ䉝䉪䉶䉴 䉅䈚⸰໧వ䈱IP䉝䊄䊧 䉴䉕䈧䈔䈢೑↪⠪䈏ᄖ ㇱ䈮ኻ䈚䈩ਇᱜ䉝䉪䉶 䉴䉕䈚䈢䉌䊶䊶䊶䋿䋿䋿 䊖䉴䊃 ᯏ㑐 䊖䊷䊛 ᯏ㑐 ⸰໧వ䈱IP䉝䊄䊧䉴䉕 ೑↪䈜䉎⸰໧⠪䈲䈠䈱 ⚵❱䈱䊜䊮䊋䈫䈚䈩ᛒ 䉒䉏䉎 ⸰໧వ䈱IP䉝䊄䊧䉴䉕೑↪ 䈜䉎䈫⥄ಽ䈱䊖䊷䊛䈱䊥䉸䊷 䉴䈮䉝䉪䉶䉴䈪䈐䈭䈇 䊖䉴䊃IP䉝䊄䊧䉴

IP䉝䊄䊧䉴ઃਈ䈱໧㗴

5 visitor The Internet (1)䊖䊷䊛䈱䊡䊷䉱ID䉕↪ 䈇䈩䉟䊮䉺䊷䊈䉾䊃䈻ធ⛯ 䊖䉴䊃 ᯏ㑐 䊖䊷䊛 ᯏ㑐 (2)䊖䊷䊛䈱䊥䉸䊷䉴䈻䉝 䉪䉶䉴น⢻ 䊖䊷䊛IP䉝䊄䊧䉴+ 䊖䉴䊃IP䉝䊄䊧䉴 (3)⸰໧వ䈱䊥䉸䊷 䉴䈻䉝䉪䉶䉴น⢻ (4)᦭✢/ή✢䈱⚻〝਄ 䈪චಽ䈭䉶䉨䊠䊥䊁䉞 䉕⏕଻

䊨䊷䊚䊮䉫䉲䉴䊁䊛䈱ⷐ᳞᧦ઙ

(5)⸰໧వ䈱IP䉝䊄䊧䉴䈱ഀ 䉍ᒰ䈩 (6)䊖䊷䊛IP䉝䊄䊧䉴 䈱೑↪ 6

⎇ⓥ䈱⋡⊛

• 䈖䉏䉌ⷐ᳞᧦ઙ䉕ḩ䈢䈜䊨䊷䊚䊮䉫䉲䉴䊁䊛 䈱ឭ᩺ • ឭ᩺ᚻᴺ䈱೑ὐ䈫ᰳὐ䈱ᢛℂ

96

-7

ᣢሽᚻᴺ䈱⺞ᩏ

1. eduroam

• TERENA Taskforce on Mobility䈏ⷙቯ䈚䈢࿖㓙 䊨䊷䊚䊮䉫ၮ⋚ • 䊣䊷䊨䉾䊌ోၞ䊶⽕Ꮊ䋬บḧ䈭䈬䈮ᐢ䈒᥉෸䈚䈩䈇䉎 䊂䊐䉜䉪䊃䉴䉺䊮䉻䊷䊄 • ၮᧄ䈲IEEE802.1X䋫RADIUS䊒䊨䉨䉲䉿䊥䊷 Client supplicant S/W The Internet Authenticator (AP or SW) RADIUS server Institution A UserDB RADIUS server Institution B UserDB National RADIUS Proxy server Organization A Organization B data signaling Guest imai@organization_b.jp 8

Eduroam䈱઀⚵䉂

• IEEE802.1X – ⹺⸽䈱ᣇᑼ䈲5⒳㘃 • EAP-MD5 • LEAP • EAP-TLS • EAP-TTLS • PEAP – Eduroam䈪䈲EAP-TTLS䈏ផᅑ • 䈏䋬ᵹേ⊛䋮PEAP䈱ㆇ↪䉅䈅䉍 9 㽲䉰䊷䊋⸽᣿ᦠ䉕 䉟䊮䉴䊃䊷䊦

Eduroam䈱઀⚵䉂

• EAP-TTLS – ┵ᧃ஥䈲ID䊶䊌䉴䊪䊷䊄⹺⸽ – ⹺⸽䉰䊷䊋䈲䉰䊷䊋⸽᣿ᦠ䉕䉟䊮䉴䊃䊷䊦 – ┵ᧃ䈮䉰䊒䊥䉦䊮䊃䉸䊐䊃䉡䉢䉝䈏ᔅⷐ ┵ᧃ (䉰䊒䊥䉦䊮䊃) LAN䉴䉟䉾䉼䋬AP (䉥䊷䉶䊮䊁䉞䉬䊷䉺) RADIUS䉰䊷䊋_{(⹺⸽䉰䊷䊋) (⹺⸽ዪ)}CA 㽳ID,PW䉕ᛩ౉ 㽵ᥧภൻ _{㽴⋧੕⹺⸽} 10 㽲䉰䊷䊋⸽᣿ᦠ䉕 䉟䊮䉴䊃䊷䊦

Eduroam䈱઀⚵䉂

• PEAP – ┵ᧃ஥䈲ID䊶䊌䉴䊪䊷䊄⹺⸽ – ⹺⸽䉰䊷䊋䈲䉰䊷䊋⸽᣿ᦠ䉕䉟䊮䉴䊃䊷䊦 – ┵ᧃ䈱䉰䊒䊥䉦䊮䊃䉸䊐䊃䉡䉢䉝䈏ਇⷐ ┵ᧃ (䉰䊒䊥䉦䊮䊃) LAN䉴䉟䉾䉼䋬AP (䉥䊷䉶䊮䊁䉞䉬䊷䉺) RADIUS䉰䊷䊋_{(⹺⸽䉰䊷䊋) (⹺⸽ዪ)}CA 㽳ID,PW䉕ᛩ౉ 㽵ᥧภൻ _{㽴⋧੕⹺⸽} 11

eduroam䈱઀⚵䉂

• RADIUS䊒䊨䉨䉲䉿䊥䊷 JP National RADIUS Proxy server Tohoku Univ. RADIUS server Hokkaido Univ. RADIUS server Asia-Pacific RADIUS Proxy server other countries… other institutes… 12

eduroam䈱઀⚵䉂

• 䊖䊷䊛䈮䈇䉎䈫䈐 ID:[email protected] PW:***** JP National RADIUS Proxy server Tohoku Univ. RADIUS server Hokkaido Univ. RADIUS server Asia-Pacific RADIUS Proxy server other countries… other institutes…

13

eduroam䈱઀⚵䉂

• ઁᄢቇ䈮䈇䉎䈫䈐 ID:[email protected] PW:***** JP National RADIUS Proxy server Tohoku Univ.

RADIUS server RADIUS serverHokkaido Univ. Asia-Pacific RADIUS Proxy server other countries… other institutes… 14

eduroam䈱઀⚵䉂

• 䈾䈎䈱࿖䈮䈇䉎䈫䈐 ID:[email protected] PW:***** JP National RADIUS Proxy server Tohoku Univ.

RADIUS server Hokkaido Univ.RADIUS server Asia-Pacific RADIUS Proxy server other countries… other institutes… 15

ᣢሽᚻᴺ䈱⺞ᩏ

1. eduroam

visitor The Internet ਇᱜ䉝䉪䉶䉴 䉅䈚⸰໧వ䈱IP䉝䊄䊧 䉴䉕䈧䈔䈢೑↪⠪䈏ᄖ ㇱ䈮ኻ䈚䈩ਇᱜ䉝䉪䉶 䉴䉕䈚䈢䉌䊶䊶䊶䋿䋿䋿 䊖䉴䊃 ᯏ㑐 䊖䊷䊛 ᯏ㑐 䊖䉴䊃IP䉝䊄䊧䉴䉕୫䉍 䉎 ⸰໧వ䈱IP䉝䊄䊧䉴䉕೑↪ 䈜䉎䈫⥄ಽ䈱䊖䊷䊛䈱䊥䉸䊷 䉴䈮䉝䉪䉶䉴䈪䈐䈭䈇 䊖䉴䊃IP䉝䊄䊧䉴 16

ᣢሽᚻᴺ䈱⺞ᩏ

1. eduroam

• eduroam䈱䉋䈉䈭ᓥ᧪䈱䊨䊷䊚䊮䉫ᚻᴺ䈪䈲 ⷐ᳞᧦ઙ(1)䈫(5)䈲ḩ䈢䈜䈏䋬䈠䈱ઁ䈱᧦ઙ 䈲ḩ䈢䈘䈭䈇䋮 (1)䊖䊷䊛䈱䊡䊷䉱ID䉕↪䈇䈩䉟䊮䉺䊷䊈䉾䊃䈻 ធ⛯ (5)⸰໧వ䈱IP䉝䊄䊧䉴䈱ഀ䉍ᒰ䈩 ⷐ᳞᧦ઙ ⷐ᳞᧦ઙ 17

ᣢሽᚻᴺ䈱⺞ᩏ

2. 䊝䊋䉟䊦IP

• 䊝䊋䉟䊦IP䈲䊝䊋䉟䊦䉪䊤䉟䉝䊮䊃䈮න৻䈱 IP䉝䊄䊧䉴䉕೑↪䈘䈞䉎䈖䈫䈱䈪䈐䉎ᛛⴚ䋮 • ┵ᧃ஥䈪᳇ઃIP䉝䊄䊧䉴䈫䊖䊷䊛IP䉝䊄䊧䉴 䉕ᄌ឵䈜䉎䈖䈫䈮䉋䈦䈩ታ⃻䈘䉏䉎䋮

Client _{Foreign Agent Home Agent}

Registration Registration Fowarding 18

ᣢሽᚻᴺ䈱⺞ᩏ

2. 䊝䊋䉟䊦IP

• 䊝䊋䉟䊦IP䈪䈲䊖䊷䊛IP䉝䊄䊧䉴䉕೑↪䈜䉎 䈖䈫䈏䈪䈐䉎䈱䈪䋬ⷐ᳞᧦ઙ (1)䋬(2)䋬 (6)䉕 ḩ䈢䈜䈏䋬಴వ䈱䊥䉸䊷䉴䈻䉝䉪䉶䉴䈪䈐䈝䋬 䉁䈢䉶䉨䊠䊥䊁䉞䉅⏕଻䈘䉏䈭䈇䋮 (1) 䊖䊷䊛䈱䊡䊷䉱ID䉕↪䈇䈩䉟䊮䉺䊷䊈䉾䊃 䈻ធ⛯ (2) 䊖䊷䊛䈱䊥䉸䊷䉴䈻䉝䉪䉶䉴น⢻ (6)䊖䊷䊛IP䉝䊄䊧䉴䈱೑↪ ⷐ᳞᧦ઙ ⷐ᳞᧦ઙ

98

-19

ឭ᩺ᚻᴺ

(䉨䊞䊮䊌䉴䊡䊎䉨䉺䉴䊈䉾䊃䊪䊷䉪)

RADIUS Local Resources VPN AP FW Client Home Institute Host Institute Client supplicant S/W The Internet FW FW RADIUS Local Resources VPN AP FW FW FW supplicant S/W After authentication at AP, a user access VPN server and go outside. (Use a home

IP address)

After authentication at AP, a user access VPN server and go outside. (Use a home

IP address) AP䈪䈱⹺⸽ᓟ䋬䊡䊷䉱 䈲䊖䊷䊛䈱VPN䉰䊷䊋 䈻䉝䉪䉶䉴䈚䈩䉟䊮䉺䊷 䊈䉾䊃䈻಴䈩ⴕ䈒 (FW䈪 䈲VPN䊌䉬䉾䊃䉕ㅘㆊ) ಴వ䈱䊥 䉸䊷䉴䈻䉝 䉪䉶䉴䈜䉎 䈢䉄䋬಴వ 䈱VPN 䉰䊷䊋䈻 ធ⛯

Exchange of authorization information and access control

⹺นᖱႎ䈱੤឵䈫䉝䉪䉶䉴೙ᓮ 20

ឭ᩺ᚻᴺ

(䉨䊞䊮䊌䉴䊡䊎䉨䉺䉴䊈䉾䊃䊪䊷䉪)

RADIUS Local Resources VPN AP FW Client Home Institute Host Institute Client supplicant S/W The Internet FW FW RADIUS Local Resources VPN AP FW FW FW supplicant S/W (1) 䊖䊷䊛䈱䊡䊷䉱ID䉕↪䈇䈩䉟䊮䉺䊷䊈䉾 䊃䈻ធ⛯ (6)䊖䊷䊛IP䉝䊄䊧䉴䈱೑↪ ⷐ᳞᧦ઙ ⷐ᳞᧦ઙ • RADIUS㓏ጀ᭴ㅧ䈱೑↪ 21

ឭ᩺ᚻᴺ

(䉨䊞䊮䊌䉴䊡䊎䉨䉺䉴䊈䉾䊃䊪䊷䉪)

RADIUS Local Resources VPN AP FW Client Home Institute Host Institute Client supplicant S/W The Internet FW FW RADIUS Local Resources VPN AP FW FW FW supplicant S/W (2)䊖䊷䊛䈱䊥䉸䊷䉴䈻䉝䉪䉶䉴น⢻ (4)᦭✢/ή✢䈱⚻〝਄䈪චಽ䈭䉶 䉨䊠䊥䊁䉞䉕⏕଻ (5)⸰໧వ䈱IP䉝䊄䊧䉴䈱ഀ䉍ᒰ䈩 ⷐ᳞᧦ઙ ⷐ᳞᧦ઙ • 䊖䊷䊛VPN䉰䊷䊋䈻䈱ធ⛯䈫䊖䊷䊛IP䉝䊄 䊧䉴䈱೑↪ 22

ឭ᩺ᚻᴺ

(䉨䊞䊮䊌䉴䊡䊎䉨䉺䉴䊈䉾䊃䊪䊷䉪)

RADIUS Local Resources VPN AP FW Client Home Institute Host Institute Client supplicant S/W The Internet FW FW RADIUS Local Resources VPN AP FW FW FW supplicant S/W (3) ⸰໧వ䈱䊥䉸䊷䉴䈻䉝䉪䉶 䉴น⢻ (4) ᦭✢/ή✢䈱⚻〝਄䈪චಽ 䈭䉶䉨䊠䊥䊁䉞䉕⏕଻ ⷐ᳞᧦ઙ ⷐ᳞᧦ઙ • ಴వ䈱VPN䉰䊷䊋䈻ធ⛯ • 䊘䊥䉲䊷䊔䊷䉴䈱䉝䉪䉶䉴೙ᓮ䈏 ᔅⷐ 23 FW

⹺นᖱႎ੤឵䈱䈢䉄䈱䊒䊨䊃䉺䉟䊒䉲

䉴䊁䊛

AP FW PEP RADIUS PIP ᭴ᢥ⸃㉼ ᯏ⢻ㇱ PDP PAP 䊘䊥䉲ᖱႎ ዻᕈᖱႎ FW AP FW PEP RADIUS ᭴ᢥ⸃㉼ ᯏ⢻ㇱ PDP PAP 䊘䊥䉲ᖱႎ PIP ዻᕈᖱႎ The Internet Home Host 24 FW

⹺นᖱႎ੤឵䈱䈢䉄䈱䊒䊨䊃䉺䉟䊒䉲

䉴䊁䊛

AP FW PEP RADIUS PIP ᭴ᢥ⸃㉼ ᯏ⢻ PDP PAP 䊘䊥䉲ᖱႎ ዻᕈᖱႎ FW AP FW PEP RADIUS ᭴ᢥ⸃㉼ ᯏ⢻ PDP PAP 䊘䊥䉲ᖱႎ PIP ዻᕈᖱႎ The Internet Home Host ⹺⸽ⷐ᳞ 䉼䊞䊧䊮䉳ⷐ᳞ 䉼䊞䊧䊮䉳ᔕ╵ ⹺⸽ ⹺น ⹺น FW⸳ቯ

25

䉁䈫䉄

• 䉟䊮䉺䊷䊈䉾䊃␠ળ䈪䈲IP䉝䊄䊧䉴䈏ᚲዻ⚵❱ 䈱ᖱႎ䈫䈚䈩ᛒ䉒䉏䉎䈖䈫䈎䉌↢䈛䉎໧㗴ὐ 䈮䈧䈇䈩ᜰ៰䈚䈢 • 䊨䊷䊚䊮䉫䉲䉴䊁䊛䈱ⷐ᳞᧦ઙ䉕6䈧䈱㗄⋡ 䈮䉁䈫䉄䈢 • ᣢሽ䈱ᚻᴺ䉕⺞ᩏ䈚䋬䈠䈱೑ὐ䈫ᰳὐ䈫䉕ᢛ ℂ䈚䈢 • ⷐ᳞᧦ઙ䉕ో䈩ḩ䈢䈜䉨䊞䊮䊌䉴䊡䊎䉨䉺䉴 䊈䉾䊃䊪䊷䉪䈮䈧䈇䈩ၮᧄℂᔨ䉕ឭ᩺䈚䈢䋮 26

੹ᓟ䈱⺖㗴

• IEEE802.1X⹺⸽䈫VPN⹺⸽䈱2㊀䈱⹺⸽ 䈎䉌ᒁ䈐⿠䈖䈘䉏䉎ᾘ㔀䈘䈱໧㗴䈮䈧䈇䈩 ข䉍⚵䉃ᔅⷐ䈏䈅䉎䋮 27

Thank you!

100