Re: Internet access and telco usage patterns
At 10:51 AM 7/5/96 -0700, Hong Chen wrote:
> As a matter of fact, it is quite doable. Aimnet developed a roaming server (check www.aimnet.com) that allows international ISPs to use each other's network to provide dialup services. A group of ISPs have joined a consortium GRIC (Global Reach Internet Consortium) led by Aimnet. The roaming server is based on the RADIUS protocol.
> A telco company can install modems and route the authentication to the specific ISP for authentication.
Hong, I looked at doing this about a year ago but the major stumbling block was that if ISPs share the authentication responsibility using distributed RADIUS, they have the capability of keeping each other's passwords for the users that used the global access service. Also, a service you likely know about, started up around the same time in Vancouver, where I was living at the time, called GeoAccess (www.globalexpo.com/goeaccess), was going to target this idea much more aggressively than I (and plus I did not feel like competing with him in particular), and decided on the model of centralized authentication, effectively becoming a worldwide access ISP without purchasing a single modem or terminal server. But even ISPs participating in his "network" can log the entered passwords. Telephone companies might have a problem with the legal ramifications of this "roaming" service.
> I just came back from Montreal INet 96 last week and a new roaming IETF group will be started. We are working on the IETF draft for the roaming and stay tuned.
Please let me know what the name of the working group is, and perhaps take this to private email. I would be very interested to know how the password access problem is worked around, or at the very least, rationally pushed aside, and even contribute.

Eric Woodward.
ejw@globecomm.net
On Sat, 6 Jul 1996, Eric Woodward wrote:
> I looked at doing this about a year ago but the major stumbling block was that if ISPs share the authentication responsibility using distributed RADIUS, they have the capability of keeping each other's passwords for the users that used the global access service.
This has changed slightly, now. We are able to use the "realm" concept and have the end-user travel to, say, ISP-B (with which end-user's ISP has reciprocity) and given that his login is joeblow, then he could login as: joeblow@isp-a and the TS would then relay to the default RADIUS server at which point that RADIUS server would ensure it had reciprocity with the "ISP-A" realm and then forward that authentication request onto ISP-A's RADIUS server. After being authenticated, the TS would then issue an IP and accounting would be sent off to the appropriate ISP(s). So, the only "secrets" that are shared are the md5 digest keys used between the RADIUS server and TS.

Barry

Barry James | Mikrotec Internet Services, Inc (AS3801)
Sr Internet Engineer | 1001 Winchester Rd
bjames@mis.net | Lexington KY 40505
http://www.mis.net/ | 606/225.1488
On Mon, 8 Jul 1996, Barry James wrote:
> So, the only "secrets" that are shared are the md5 digest keys used between the RADIUS server and TS.
Not quite. The user must "share" their password with the first RADIUS client in order for it to be encrypted via MD5 in the first place. There is a hole here. But there is a solution as well.

Michael Dillon          ISP & Internet Consulting
Memra Software Inc.     Fax: +1-604-546-3049
http://www.memra.com    E-mail: michael@memra.com
participants (3)
- Barry James
- Eric Woodward
- Michael Dillon