Browserless Federated SignOn Techniques Contrasted: Shibboleth/ECP and ABFAB/Moonshot

One of the key puzzle pieces for federated ID is how to deal with sign-on outside the browser. When you peek behind the curtain of the web you will see tools like SSH and SCP, jobs running on machines pushing content everywhere, and people signing in to accomplish tasks ill suited to the web. In other areas you’ll see people wanting to use their ID to sign into a cloud application on their smartphone (like mail) or a specialized application on their desktop (think Google Earth).

We want to mask some of the complexity of using a Federated ID behind the curtain as much as we can and only reveal what is REALLY needed to get the job done.  In this posting we’ll be exploring two candidate technologies to do this.

WARNING! Some technical content ahead! Ok, this posting may be a bit of a technical read, but I’ve tried to keep the acronyms to a minimum. I am also assuming that you know a bit about Single Sign On techniques and have slightly more than a passing familiarity with Shibboleth and SAML.

So put on your gear for something beyond a shallow dive, but not the full deep dive it could be. I don’t think you’ll get the bends, but if the comments drag us into that territory, don’t blame me :)

The Contenders

We are going to take a look at two approaches to non-web sign-on: Shibboleth with the ECP (Enhanced Client or Proxy) plugin and the IETF’s ABFAB (Application Bridging for Federated Access Beyond web), formerly known as Project Moonshot. Both techniques have their merits and drawbacks. I hope that by offering this comparison I can help identify some of the things to think about, and hear back from others about how on target (or not) I am with the analysis.

Non Web Federated ID Use Cases

Use cases take the shape of many things:

  • IMAP mail access for your smartphone
  • plain SSH/SFTP for secure shell access
  • A rich or ‘fat’ client that leverages local graphic and compute capabilities.
  • Insert your clever outside the browser use of id/passwords.

Use Case: Mail in the Cloud

This is/was slide 51 from the Live@edu slide deck from Microsoft TechNet in late 2010 (credit: Microsoft; slide not reproduced here). It illustrates the use of the Microsoft Federation Gateway communicating with Shib ECP for authentication. The end user offers their userid scoped with their domain (e.g. joe@my-university.ca), and the ‘hint’ of the domain allows the gateway component to direct the authentication request to the appropriate ECP-enabled interface. This hint is not part of the SAML protocol at all, but a function of how the cloud service provider routes the request it receives to the right provider. The password DOES transit the cloud, so it is up to the Identity Provider to have sufficient assurance from the vendor that the right steps are taken (e.g. IMAPS, safe transit within the cloud, etc.).

The reply by the Shibboleth IdP comes back via a reverse SOAP call (PAOS, yes, SOAP written in reverse) and carries a special identifier for the Live@EDU service: PersistentID. This value is special to the cloud mail service as it links the person to their mailbox. My understanding from IdPs participating in this space is that the PersistentID is generated upon account creation in the institution’s person registry. It is just an attribute passed over the wire instead of a dynamically computed attribute like eduPersonTargetedID. It is also BASE32 encoded, which eduPersonTargetedID is not.
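To make that distinction concrete, here is an added example of my own (not Shibboleth or Live@edu code) that contrasts a per-service pseudonym computed on every request, in the style of eduPersonTargetedID, with a PersistentID that is minted once, stored, and merely base32 encoded for the wire. The salt, the sample user and SP entity IDs, and the exact input layout of the hash are assumptions; Shibboleth’s own ComputedId connector has its own recipe.

```python
import base64
import hashlib
import hmac

# Constructed secret: a real IdP keeps its salt private and does not rotate it
# casually, since rotation changes every targeted ID it has ever issued.
IDP_SALT = b"constructed-sample-salt-do-not-reuse"


def computed_targeted_id(source_id: str, sp_entity_id: str, salt: bytes = IDP_SALT) -> str:
    """Derive a stable pseudonym for one (user, service provider) pair.

    eduPersonTargetedID style: the value is recomputed on every request from
    the user's source identifier and the SP's entity ID, keyed with the IdP's
    secret salt, so two SPs receive different values they cannot correlate.
    The HMAC-SHA256 construction and the "sp!user" layout are assumptions,
    not Shibboleth's exact ComputedId recipe.
    """
    message = f"{sp_entity_id}!{source_id}".encode("utf-8")
    digest = hmac.new(salt, message, hashlib.sha256).digest()
    return base64.b64encode(digest).decode("ascii")


def encode_persistent_id(raw_id: bytes) -> str:
    """A PersistentID is minted once in the person registry and stored.

    It is not derived per request; the IdP passes the stored value, base32
    encoded, as an ordinary attribute. Base32 uses only A-Z and 2-7, so the
    value survives case-insensitive systems unchanged.
    """
    return base64.b32encode(raw_id).decode("ascii")


def decode_persistent_id(encoded: str) -> bytes:
    """Inverse of encode_persistent_id; tolerates lowercase input."""
    return base64.b32decode(encoded, casefold=True)


def correlatable(source_id: str, sp_a: str, sp_b: str) -> bool:
    """True if the two SPs would receive the same identifier for this user."""
    return computed_targeted_id(source_id, sp_a) == computed_targeted_id(source_id, sp_b)


if __name__ == "__main__":
    user = "joe"  # constructed sample user
    sp_mail = "https://mail.example.com/shibboleth"  # hypothetical SP entity IDs
    sp_wiki = "https://wiki.example.org/shibboleth"
    print("mail SP sees:", computed_targeted_id(user, sp_mail))
    print("wiki SP sees:", computed_targeted_id(user, sp_wiki))
    print("same value at both SPs?", correlatable(user, sp_mail, sp_wiki))
    stored = b"\x01\x02\x03\x04\x05"  # constructed registry value
    print("PersistentID on the wire:", encode_persistent_id(stored))
```

The practical consequence for an IdP operator: a computed targeted ID can be regenerated from the salt at any time, whereas a stored PersistentID must be backed up with the person registry, because nothing can recompute it if it is lost.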

Use Case: Federation Aware Rich Desktop Client

Screenshots (not reproduced here) of some of the OpenJump documentation that uses SAML. OpenJump deals with the discovery issue by having you, the user, enter the Metadata URL into the actual application. Good? Bad? Well, you judge, but if you say bad, help us understand how you would do it to minimize the user-managed discovery aspect. Hand waves don’t cut it, please be specific…

Key Considerations – Tipping Point Concerns

You can argue that we need to look at many facets of the conversation, but I contend that there are tipping-point facets you need to pay attention to, and that these are the key drivers: ‘the who’ and ‘the what’. Once you wrestle those to the ground, the rest will follow when going through a comparison on what to use in your situation.

The Who

‘The who’ is your audience of users, and the important question to ask about them is ‘How diverse a group are they?’ If you can influence or control the diversity, as in keeping them all originating from the same bucket, then this may work to your advantage — more on this in a moment. If you can’t, and are talking about a diverse set of users originating from many identity providers, then this is important too. In either case, there will always be an identity provider of last resort to capture the corner cases, and our goal is to minimize this set as much as possible.

The What

‘The what’ is what you are trying to deliver or improve. Are you trying to allow a smartphone or tablet access to email, or are you trying to allow SSH/SFTP access to unix boxen under your control? Are you trying to do both? The endpoints you want to serve are going to influence your selection.

Comparing and Contrasting

The table below highlights some of the comparison points to be considered:

Password Treatment
  Shibboleth+ECP: Userid/Password pair is seen by, and transits, components outside the classic Shibboleth infrastructure boundary
  Moonshot/ABFAB: Userid/Password is seen at the endpoint and transits through the RADIUS infrastructure via an SSL tunnel

Home Institution Discovery
  Shibboleth+ECP: Somehow preconfigured, either by the user or by static configuration in a proxy, with the proxy under an infrastructure provider’s control
  Moonshot/ABFAB: Userid contains a hint to the institution, so it is present in the credential and implicitly discoverable on usage (e.g. <id>@realm.ca)

Attribute Exchange
  Shibboleth+ECP: Exchanged via SAML2, aggregated in the standard Shibboleth fashion (DB/LDAP/static values, etc.)
  Moonshot/ABFAB: Exposed via the GSS-API, delivered via the RADIUS pack/unpack technique, aggregated from many potential sources

‘Breadth’ of accounts
  Shibboleth+ECP: ECP configuration or end-user intervention drives breadth of coverage
  Moonshot/ABFAB: If RADIUS uses eduroam, the entire set of federation accounts is available

Environment Used in
  Shibboleth+ECP: Mobile devices, IMAP clients, very targeted and controlled infrastructures; Unix machines with a preconfigured Id Provider
  Moonshot/ABFAB: Unix shell environments, rich clients, anywhere that the GSS-API exists
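The discovery step that the Live@edu gateway (routing on the scoped userid) and the ABFAB realm hint both depend on, as an added example of my own and not code from Microsoft, Shibboleth or Moonshot: the realm after ‘@’ is the only hint the gateway ever sees, so it maps that realm to an ECP endpoint and sends anything it does not recognise to the identity provider of last resort. The routing table, the endpoint URLs and the logging are constructed assumptions; because the gateway forwards the user’s password to whatever endpoint it picks, the example also refuses a non-TLS endpoint outright.

```python
import logging
from dataclasses import dataclass
from typing import Dict, Tuple

logging.basicConfig(level=logging.INFO)
log = logging.getLogger("discovery")


@dataclass(frozen=True)
class Route:
    realm: str
    endpoint: str          # hypothetical ECP endpoint (or home RADIUS server)
    last_resort: bool = False


# Constructed routing table. The realm after '@' is the only discovery hint
# the gateway gets; the endpoints are placeholders, not real institutions.
ROUTES: Dict[str, Route] = {
    "my-university.ca": Route("my-university.ca", "https://idp.my-university.example/ecp"),
    "other-college.ca": Route("other-college.ca", "https://idp.other-college.example/ecp"),
}

# The identity provider of last resort catches every realm the gateway does
# not know; operationally the goal is to keep that population as small as possible.
LAST_RESORT = Route("last-resort", "https://idp-last-resort.example/ecp", last_resort=True)


def split_scoped_userid(userid: str) -> Tuple[str, str]:
    """Split 'local@realm' into its parts, normalising the realm to lower case.

    Rejects unscoped ids (nothing to route on) and ids with more than one '@',
    which would otherwise leave the choice of realm ambiguous.
    """
    if userid.count("@") != 1:
        raise ValueError("userid must be exactly 'local@realm'")
    local, realm = userid.split("@")
    if not local or not realm:
        raise ValueError("both local part and realm must be non-empty")
    return local, realm.lower()


def route_for(userid: str) -> Route:
    """Pick the endpoint for the user's realm, falling back to the IdP of last resort."""
    _, realm = split_scoped_userid(userid)
    route = ROUTES.get(realm, LAST_RESORT)
    if route.last_resort:
        log.warning("realm %r unknown; routing to IdP of last resort", realm)
    if not route.endpoint.startswith("https://"):
        # The gateway will forward the user's password to this endpoint, so a
        # plaintext endpoint is a misconfiguration, not a routing option.
        raise RuntimeError(f"refusing to forward credentials to non-TLS endpoint {route.endpoint}")
    return route


if __name__ == "__main__":
    for uid in ("joe@my-university.ca", "Sam@Other-College.CA", "guest@unknown.org"):
        r = route_for(uid)
        print(f"{uid:28} -> {r.endpoint} (last resort: {r.last_resort})")
```

The warning on the last-resort path is the useful operational signal: counting those log lines per realm tells you which institutions your users actually come from that you have not yet onboarded, which is exactly the ‘who’ question above.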

There are more, but to me these are the big ones.  I’m sure there are readers out there that have thoughts, so please share them and I’ll see if they fit in.

Conclusions…for now

If you were looking for me to declare one method over the other, I’m sorry to disappoint — the answer is, of course, it depends. It will depend on how you respond to ‘the who’ and ‘the what’, and then feed that into the calculation of Total Cost of Ownership (TCO) of the approach you choose.

Some of these things are going to be intangibles too, like ‘are you staffed with the right skills?’ and ‘how many calls to the helpdesk can you avoid?’.  I think anyone going through the decision process on deploying one or the other or even both needs to think about the big picture topics.

I accept that this comparison is incomplete but I believe it to be complete enough for the purpose of kick starting a dialog about it. I look forward to the comments and emails to see how well my position holds…

R&E Network Model of the Future?

Contributing author: Bill St. Arnaud

There is a growing momentum among the major Research & Education (R&E) networks around the world to move to Open Lightpath Exchanges (OLEs) where, as Cees de Laat explains, hybrid networks meet to:

  • exchange traffic
  • facilitate international interconnections
  • minimize quantity of colo, equipment and cards required
  • minimize call blocking probability at optical exchange points

OLEs will fundamentally change the future of R&E networking. At the spring 2011 Internet2 meeting and in follow-up discussion at the Terena meeting, a joint statement was drafted representing the views of many of the attendees on why OLEs are so critical to the future of R&E networking and represent significant opportunity for network innovation.

OLEs Allow Choice

OLEs will allow individual institutions, even researchers, to directly peer with each other with no policy constraints and eliminate or minimize the need for a traditional “network.” Point-to-point links will still be required between exchange points, and these will need to be provisioned through a variety of means. But now it is the choice of those who connect to the OLE, whether it is an institution, researcher or virtual organization, to compose their own network topology.

Virtual Infrastructure

Virtual Infrastructure: The diagram (not reproduced here) shows how virtual infrastructures are created. They are assembled by creating “slices” of the physical substrates, which are then aggregated into a working virtual infrastructure from which services can be delivered. The physical infrastructure consists mainly of servers, disc arrays and network elements such as switches and routers, whereas the virtual infrastructure consists of virtual machines, virtual storage, virtual routers and virtual switches. (Image courtesy: GreenStar Network)

As some of you may remember this was one of the original concepts of the CA*net 3/CA*net 4 (CANARIE) architecture and drove the design of Universal Commerce Language and Protocol (UCLP). I am pleased to see that Internet2’s Open Science, Scholarship and Services Exchange (OS3E) (http://www.internet2.edu/network/ose/) is a similar strategy in this regard.

The driver for these developments, of course, is the demand of big science. But just as importantly OLEs will enable a new wave in network innovation with such new concepts as “software defined networks,” “Just in time networking,” “network as a service,” “pay as you go networking,” etc. OLE architecture is also a fundamental underpinning for zero carbon networks like the GreenStar Network which is based on a hub (OLE) and spoke model.

Financial Challenges

No question OLEs may cause serious financial challenges for many regional networks and NRENs, as institutions and researchers need only pay for direct costs of interconnecting at an OLE as opposed to a bundled membership package.

But I still believe there will be a critical role for R&E networks of all types. In the future the major focus of their revenue I believe will not be in provisioning pipes or IP networks, but in new network services such as national 5G wireless initiatives, content peering and distribution, outsourcing campus IT and managing science DMZ, energy CO2 reduction services in relocating data centers to remote locations, supporting continent-wide or global cyber-infrastructure or e-Infrastructure.

What are the implications of the OLE concept for Canadian R&E networks?


About the author

Bill St. Arnaud, formerly a Chief Research Officer at CANARIE, is a Green IT consultant who works with clients on a variety of subjects such as the next generation Internet and practical solutions to reduce GHG emissions such as free broadband and electrical highways. He currently also works as a consultant at CANARIE.

Disturb. Dislocate. Disorder. Disrupt?

Contributing author: Bill St. Arnaud

Some argue that the role of Research & Education (R&E) networks should only be as a low-cost Internet service provider to the R&E community.

Others counter that R&E networks should focus on providing services to support e-Science and perhaps even integrate with other e-Infrastructure providers such as High-Performance Computing (HPC) and grid.

And yet still others argue that R&E networks should work closely with industry by providing testbeds to develop and/or improve industry products and enable commercialization of university R&D.

In my opinion R&E networks can play a far more important role, first in supporting e-Science, but also in helping industry and creating a knowledge society by being an innovative “disrupter.” This is where R&E networks have been hugely successful in the past:

  • first in the build out of the original Internet,
  • next in deployment of low-cost user-owned fibre networks,
  • and more recently in areas of new architecture for low-carbon Internet networks and global authentication schemes.

These disruptive developments were first intended, in many cases, to support the needs of science, but also had a beneficial effect of creating new network business models and enabling knowledge transformation of society as a whole.

I am pleased to see that we are now on the verge of another disruptive change with respect to R&E networks.

Once again, while these network transformations are first being driven by the needs of eScience the network architectures are starting already to have a beneficial effect on broadband architectures in general. A good example, of course, is the unique facilitation role that Internet2 is playing in the rollout of national broadband through its partnership in UCAN. Other examples include the deployment of community transit exchange points by BCNET and peering points by KAREN in New Zealand.

Do you see R&E networks as disruptive technologies?


Innovating our policies along with our practices

Richard Hawkins speaking on innovation policy at the Tech Futures Summit.

An interesting conversation was happening today at the Alberta Innovates Technology Futures Summit. Richard Hawkins, University of Calgary Professor and Canada Research Chair in Science, Technology and Innovation Policy, presented on how to determine whether or not innovation policies are working.

He talked about how one of the challenges faced by government-sponsored innovation programs is to demonstrate impact from public investment, especially in the short to medium term. Unfortunately, that is not always enough time to collect conclusive data or tangible results.

According to Hawkins, the solution to this un-complementary fit is to re-calibrate performance expectations and broaden our measurements. These days, we should be looking at program impacts on multiple and different parts of the innovation system, including the social and economic sectors.

Also, developing more technology should be a means, not an end, he said. “There is no shortage of technology, but there is a shortage of innovation,” Hawkins said. Policies that focus on simply producing technology rather than deploying it are missing the point.

So, shifting our perspective from technology as the innovation to technology as the conduit (or “platform”, to give a pointed nod to CANARIE’s Network-Enabled Platforms Program as an example), we see that innovation and the resulting impacts are then driven by who uses the technology, what they use it for, and how that changes what they were doing before.

As innovation is built around change and disruption, it makes sense that our policies and policy-building approaches should evolve in response. Measuring short-term impacts will always be a challenge, but if we change what we’re looking at and where we’re looking for it, that can help uncover new measures of success.

What are your thoughts? Do current metrics accurately measure innovation impacts? If not, how should policies change? Please leave your comments below.

The RISQ is in great shape!

Québec’s roads network may be giving motorists plenty of headaches, but judging by the successes of the most recent projects spearheaded by the Réseau d’informations scientifiques du Québec (RISQ), its network is as reliable and robust as ever. No doubt about it, the RISQ is in great shape!

Demands and expectations in telecommunications, a sector in the midst of sweeping changes, are increasing all the time. As is well known, in the space of a few decades, the telecom industry has seen a massive shift from analog systems to distributed digital technology.

One of the goals of the RISQ is to track, and even anticipate, when possible, the fast-paced evolution of telecommunications technologies; another is to respond to the specific needs of its members.

Three projects are deserving of particular attention as proof that the RISQ is forging ahead in these directions. Each reflects the new demands of telecommunications and new technologies, and each is a unifying project that stakeholders can rally around. One involves an institution of higher learning, and the other two are emblematic of the cultural and social vitality of Québec youth, in the performing arts and sports spheres respectively.

PoP implemented at the Cité du Savoir

On June 11, the RISQ team proceeded to implement a point of presence (PoP) at the Cité du Savoir in Laval. With this connection, the Université de Montréal campus set to open its doors in the fall of 2011 will be able to provide future users with access to all of the varied content sources offered through the RISQ network. The multi-wavelength infrastructure will deliver high-level performance, enabling Université de Montréal to operate an active backup site using four separate 10 Gbps wavelengths.

This new PoP brings significant benefits for all RISQ members. Each new PoP added actually increases the network’s robustness. This also allows for provision of alternate access to members located off the Island of Montréal. Lastly, traffic is less dense, allowing the network to retain its full flexibility.

CMIM 2011: RISQ lends expertise to Radio-Canada

For this mandate, with the collaboration of Université du Québec à Montréal, the RISQ team installed equipment in the Pierre-Mercure concert hall of Centre Pierre-Péladeau to assist Radio-Canada (the CBC’s French network) with its live Web broadcast of the Concours de musique international de Montréal (CMIM) over the RISQ.

The interconnection made in the concert hall allowed Radio-Canada to broadcast performances by contestants in the music competition, held from May 23 to June 3, 2011, to several countries around the world, while ensuring superior stability, a high bit rate and very large upload and download capacities. Mario Haché, Support Analyst with CBC/Radio-Canada Internet and Digital Services, said: “For this live-broadcast event, the RISQ enabled us to deliver clear, fast and very fluid data transmissions to our Web users.”

The CMIM, which brings together the ideal conditions to ensure the highest possible level of artistry and an international reach as broad as it is exceptional, is today considered one of the country’s great artistic achievements.

2011 Québec Winter Games: RISQ gets into the sporting spirit

For its 46th edition, the Québec Winter Games in Valleyfield built an interactive website to ensure it could properly meet the informational needs of its various audiences. Online games and contests, webcasting—with live coverage of events provided on up to seven different channels at once—a photo gallery and an interactive zone were all accessible on the website throughout the nine days of the Games, from February 25 to March 7, 2011.

To meet the requirements of the organizers, participants and the many Web users, the RISQ installed a dedicated router with a 1 Gbps connection, ensuring maximum stability and sufficient bandwidth capacity to respond to user needs—for example, friends and relatives following the exploits of the young athletes on the site via live webcast.

This marks the second time that the RISQ has partnered with an event of this type. Up to now, the realm of sports events has been seldom served by the RISQ. Given the importance of sport for young people, the RISQ hopes to respond to needs from such clients more often in the future. In addition, this project allowed the RISQ to broaden its services a little more and, once again, to confirm the stability and reliability of its network.


Ontario researchers monitor vineyards in real time

Imagine being a grape grower and being able to check on any one vine at any given time. Or being able to know exactly when to spray pesticides to protect the crops – or not.

University and college researchers have partnered with Ontario vineyards to supply them with real-time weather forecast information based on regional data sources. Part of this collaboration uses newly developed sensor technology that will continuously report on variables such as temperature and humidity in each participating vineyard.

Each individual vine in each vineyard has been GPS located, tagged and recorded into a database of the PrAgMatic system developed by Niagara Research at Niagara College. Large datasets collected by sensors are three-dimensionally mapped, and researchers involved in the project at other institutions are able to access the results over ORION, Ontario’s advanced research and education network. Vineyard owners are then able to access real-time, remote-sensed data that allows them to better manage and control operations, inputs and yields.

One of the goals of this project is to tell growers in real time if and when they need to spray pesticides and other agrochemicals. Research results may save growers time and money, improve the taste of Ontario wines, and improve vineyards’ impact on the environment by reducing the overall use of agrochemicals.

The recipient of this year’s ORION Discovery Award, the PrAgMatic project includes a collaboration of researchers from Niagara College, Brock University, the University of Guelph, Nova Scotia Community College, and Queen’s University, as well as partners from the Grape Growers of Ontario, Ontario Ministry of Agriculture Food and Rural Affairs (OMAFRA), and IBM Research.  The project has been supported by the Ontario Centres of Excellence (OCE), Natural Sciences and Engineering Research Council (NSERC), and the Ontario Ministry of Agriculture, Food, and Rural Affairs (OMAFRA).

“Over the next few years, the ORION network will be very useful in allowing us to share these massive datasets with our expanding family of collaborators,” says Dr. Michael Duncan, Chair, Visualization Sciences at Niagara College. “The most data intensive applications will involve the sensor networks – as they kick in, the data volumes will become huge.”

The PrAgMatic data management system collects, processes and disseminates data and information to growers and researchers. The system consists of numerous ‘channels’, each representing a view into a vineyard’s data-space. Researchers involved in vineyard research are able to take their research results and encapsulate them as a channel that provides a grower with a view into their own vineyard.

“It is very Web 2.0 oriented,” says Duncan, “and very reliant on network bandwidth and latency to make the whole thing look integrated. The more robust the network, the more cohesive PrAgMatic will look – another advantage of using ORION.”

Canada needs to seize the green energy opportunity

The world’s Information and Communications Technology (ICT) sector is in need of a green energy provider, and, according to Mohamed Cheriet, spokesperson for the GreenStar Network (GSN) project, that’s where Canada has the potential to make its mark.

Cheriet, a Professor in the Department of Synchromedia at the École de technologie supérieure in Montreal, gave an overview of the GSN project at the CANARIE Annual General Meeting (AGM) held on Tuesday, June 21. The virtual AGM was videoconferenced across four sites using CANARIE’s advanced network and the GSN. Cybera’s Calgary facility was one of the broadcast locations, joining Montreal, Ottawa and Vancouver.

Cheriet showed a map plotting 2,000 datacentres in the world. Of those, he said that half are based in the United States (US), 57 in Canada, and the rest are spread around the world. These centres are one of the ICT sector’s largest energy consumers. As more and more research organizations, institutions and businesses of all sizes turn to cloud, virtualization and remote storage as data solutions, the reliance on ICT — and the amount of greenhouse gases this sector produces — is expected to grow. Currently, Cheriet noted, the ICT industry in the US accounts for 8% of its national power consumption. The carbon dioxide produced from that energy consumption is growing by at least 6% per year.

This is where Canada and the GSN come in.

The Calgary-based GreenStar Network node is operated by Cybera and powered by eight solar panels located on the roof of the Alastair Ross Technology Centre.

As we’ve already noted in past blogs, the GSN project draws renewable energy from five nodes across Canada. Cybera is a local partner in the project, operating the Calgary solar-powered node located on the roof of the Alastair Ross Technology Centre. With a global reach in mind, the GSN project has expanded overseas to host nodes in Ireland, the Netherlands, Belgium, Iceland, and Spain. A Memorandum of Understanding has also been signed with partners in China, and one with Egypt is in the works.

Cheriet says Canada offers unique advantages which make it an ideal green energy producer. The country’s expanding investment into hydro, wind and solar resources means energy can be provisioned at a low price. Access to high-speed optical network infrastructure (such as that provided by CANARIE) enables high-performance connections with major content providers, allowing for large-scale research projects and leading-edge network-enabled platforms. This has also set the stage for the GSN project to experiment with key areas of ICT operation and management technology, namely virtualization, cloud management, carbon monitoring and energy optimization. The next step, argues Cheriet, is to continue rallying and building government and industry support for adopting green IT and green energy platforms.

CANARIE, a major funder of the project, is on board with GSN’s vision. “If we can become a leader in green IT, it creates economic advantages for all Canadians,” said Mark Roman, CANARIE President and CEO.

As CANARIE begins its mandate renewal process, the GSN is one of many funded projects that demonstrate CANARIE’s impact on advancing Canada’s digital economy strategy. Both Roman and Mark Whitmore, Chair of CANARIE’s Board of Directors, highlighted the following as priority areas for the organization’s mandate renewal:

  • reach out to more Canadian users and enhance international collaborations
  • incorporate emerging technologies such as cloud and wireless
  • spearhead economic development and job creation

Strong collaborations remain a cornerstone to these plans, Whitmore noted, and CANARIE will continue to develop and support partnerships in Canada’s research, education and industry sectors.

So what does the upcoming year look like for you? Is green energy or some form of green IT on the horizon for your organization? Are you using Cybera’s or CANARIE’s advanced network for a project or pilot? We want to hear about it. Leave your comments below!

Big Data is feeding Canadian research innovation

Big Data is feeding Canadian research innovation http://bit.ly/iVNetm

“Researchers in Canada are taking advantage of the opportunity to accelerate discovery by mining rich data sets in virtually all domains, including the humanities and social sciences,” says Mark Roman, President and CEO of CANARIE. “We anticipate this trend to continue, and are investing in increased network capacity to meet the growing demand and secure a place for Canadian researchers on the world stage. We are very appreciative of the continued support from the Government of Canada to this end.”

Reports of our demise are greatly exaggerated.

Mark Twain, who was the recipient of a premature obituary, cleverly quipped, “The reports of my death are greatly exaggerated.”  Likewise, despite what you may have heard in the blogosphere, CANARIE is alive and well and looking forward to a renewed mandate in the 2012 budget.

Yesterday, Nancy Leblanc wrote glowingly of CANARIE at Impolitical, but was distraught at, as she put it, “the government’s decision to no longer fund Canada’s Advanced Research and Innovation Network (aka the ‘CANARIE network’) as of 2012, confirmed in the budget.”

We’d like to set the record straight and ease those anxious minds …

CANARIE receives funding in five-year blocks, so the current Government estimates indicate that CANARIE’s funding is to be retired. That language can be confusing — what it really means is that this five-year funding block expires this year. BUT — CANARIE will apply for another five-year funding block, which will be included in the March 2012 budget.

CANARIE’s senior leadership team have been working closely with Industry Canada in putting the final touches on our proposal for mandate renewal, which presents a strong case for the need for ongoing funding of CANARIE if Canada is to continue to engage in world-leading science, research, innovation and discovery.

If you want more detail on the proposal, go to our website at www.canarie.ca and watch our CEO, Mark Roman present the elements we are proposing. Of course we are mindful of the fiscal environment the Government is managing right now, and our proposal reflects a balanced approach to the need for advanced digital infrastructure in a challenging environment.

The Honourable Gary Goodyear, Minister of State for Science and Technology

The Government of Canada is committed to supporting leading-edge research in Canada, which relies on the CANARIE Network. Earlier this week Minister of State for Science and Technology Gary Goodyear put it nicely:

“Science drives Canada’s economy. Our government is committed to investing in the people and ideas that will produce tomorrow’s breakthroughs, in order to create jobs and improve the quality of life of Canadians.”

Hear, hear!

So, thank you for your support (keep it coming!) but don’t fret; we’re still going strong.

But, since we’re on the topic — chime in: what would it mean to you if the government DID stop funding CANARIE?

What could the open wireless movement learn from eduroam?

Prologue:

Welcome to my first formal blog posting.  I’ve resisted for years but recently have been getting more and more involved online and have found that blogging is the instrument of choice to respond to and propagate your personal perspective online.  Participating in the blogosphere reminds me of Cory Doctorow’s take on Social Capital so if I’m going to get in on it, I might as well jump in with both feet.  Let the fun and games begin and I hope I provoke some interesting discussion because isn’t that what blogging is all about?  Thanks for stopping by and I hope you come back for more. Now on with the show…

What Could the Open Wireless Movement Learn from Eduroam?

As I was reading the Electronic Frontier Foundation (EFF) article bemoaning the loss of open access points across the land, I was struck by how closely it tracked the final chase scene in Ferris Bueller’s Day Off. It’s the one where Ferris is running home but cutting through people’s back yards as the quick way to get there. If you are looking for your dose of 80s flashback, here’s the clip

That’s what I think using someone’s access point uninvited is like…a little exciting, but it really crosses into someone’s private space (that’s why people build fences, right?); the shortcut accomplishes your goal at the sacrifice of someone’s privacy and rights. As a scene in the movie, it’s great, Ferris gets home, but is it really like that in reality? Are open wireless points fair game for those who walk by? As enticing as it is, the risk of transiting someone’s wi-fi ranks up there with don’t talk to strangers and don’t hitchhike: you never know what trouble you are going to get into.

What caught my eye though was the exclamation of “We need WiFi that is open and encrypted at the same time!” and I immediately thought of the eduroam service that is part of the Canadian Access Federation. How does this let you get online? If your institution participates in eduroam there are two main elements: you allow access to users from other eduroam participants, and in return your users have access to the other participants’ networks. To do this, you need to have an 802.1X ready wi-fi network and RADIUS as an available technology to support the eduroam SSID. To use the service you connect with your network_id@your_institution_here.com and you are signed in through a chain of RADIUS proxy servers that route your request, based on the realm after the @, back to your home institution for verification. The simplicity of this is that ANYWHERE you see eduroam, the experience is the same. In fact, in most cases, you will have signed in automatically anytime you open your laptop or even walk by with your smartphone; it will connect and you are online. This has happened to me numerous times. My favorite was when arriving at the Internet2 spring members meeting hotel, not even checked in at 11pm at night, my phone was already online with eduroam. No fuss no muss, it just works.

So how prevalent is this in Canada? Well, at the time of writing the AUCC folks say there are 95 universities registered, and 27 of them, or 28%, are participating in the Canadian Access Federation, which operates the Canadian eduroam presence. European coverage is even higher.

In the US there are approximately the same number of sites live (27 according to the map at the time of writing) and another 20 or so either interested or actively testing, out of thousands of universities. It is hard to explain why the uptake is not as big as in Canada or elsewhere. It may have something to do with being 802.1X ready, or maybe it is just not rated a high enough priority. It’s hard to say.

Membership has its privileges.

With eduroam, reciprocity is a big part of the service and has a lot of benefits. The active IDs in your system have the ability to roam to other institutions, and when someone comes to yours, you don’t have to provision them to get on the network. Opening the laptop really equates to getting online, and there’s nothing more satisfying to a traveller than being able to get online without having to follow some seven-and-a-half-step sign-in process. I was recently at the TERENA conference, which had great eduroam coverage, and never used my temporary id. The TERENA conference had 500+ people, 800+ devices connected via eduroam (many people have both a laptop and a smartphone/iPad) and >10,000 authentications over 5 days.

TERENA Badge with temporary userid

At a recent TERENA conference, hundreds of attendees used eduroam and their home credentials and could ignore the temporary userid/password. 

What about security, you ask? Eduroam uses 802.1X and WPA2, and your credential is verified at your home institution, not by the network you are visiting. As for acceptable use policies (AUPs), as the visitor you are expected to abide by both your home institution’s AUP and that of the institution you are visiting. It is all authenticated using your identity, so transiting the network is permitted, but not anonymously.

So can just anyone sign up to be on eduroam? In short, no. It is geared to higher education institutions, and there is a reciprocity balance to be struck. It is plausible that if one location were not to participate according to the community’s expectations, that branch (aka country root server) could be orphaned from the eduroam trust framework.
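To make the realm-based proxy chain (visited site, country root, top-level root, home institution) and the orphaning of a country root concrete, here is an added toy model in Python. It is not eduroam’s or any RADIUS server’s code; the institutions, realms and passwords in it are constructed, and the real service carries the credential inside an EAP exchange rather than as a plain string.

```python
from dataclasses import dataclass, field

@dataclass
class Institution:
    realm: str
    users: dict                      # constructed user -> password store

@dataclass
class CountryRoot:
    tld: str
    institutions: dict = field(default_factory=dict)  # realm -> Institution

class Federation:
    """Top-level proxy: knows the country roots and can orphan one."""
    def __init__(self):
        self.roots, self.orphaned = {}, set()

    def add(self, root):
        self.roots[root.tld] = root

    def authenticate(self, visited_realm, identity, password):
        """Return (accepted, hops); hops is the proxy chain the request took.
        Visited site and roots look only at the realm after the @; the
        password is checked nowhere but at the home institution."""
        if identity.count("@") != 1 or not identity.split("@")[1]:
            return False, [visited_realm, "reject: malformed identity"]
        user, home_realm = identity.split("@")
        visited_tld = visited_realm.rsplit(".", 1)[-1]
        home_tld = home_realm.rsplit(".", 1)[-1]
        hops = [visited_realm, f"{visited_tld}-root"]
        root = self.roots.get(home_tld)
        if home_tld != visited_tld:      # cross-border: via the top-level root
            hops.append("top-level-root")
            if root is None or home_tld in self.orphaned:
                return False, hops + [f"reject: no trusted root for .{home_tld}"]
            hops.append(f"{home_tld}-root")
        inst = root.institutions.get(home_realm) if root else None
        if inst is None:
            return False, hops + ["reject: unknown realm"]
        hops.append(home_realm)
        return inst.users.get(user) == password, hops   # verified at home only

# Constructed federation: two country roots, one institution each.
fed = Federation()
ca, nl = CountryRoot("ca"), CountryRoot("nl")
ca.institutions["uni-a.ca"] = Institution("uni-a.ca", {"alice": "correct-horse"})
nl.institutions["uni-b.nl"] = Institution("uni-b.nl", {"bob": "battery-staple"})
fed.add(ca); fed.add(nl)

if __name__ == "__main__":
    print(fed.authenticate("uni-b.nl", "alice@uni-a.ca", "correct-horse"))
    fed.orphaned.add("nl")               # nl root dropped from the trust framework
    print(fed.authenticate("uni-a.ca", "bob@uni-b.nl", "battery-staple"))
```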

Coming full circle, what does this mean for the EFF plea for technology? Is eduroam for them? Possibly, but unlikely. Whoever implemented it wouldn’t even come close to meeting eligibility, and then there’s the hard question of whose password store to authenticate against. I can see the eduroam technique being duplicated much like the dynamic DNS folks, who are now found in the actual router’s firmware. So, in theory, you could enable this ‘feature’ at your convenience, as a personal decision to contribute bandwidth to the common good. There are still a bunch of challenges to overcome to meet the EFF free wifi service: administration, findability, getting the word out, and whether it violates your AUP with your internet provider all come to mind. At the end of the day though it needs to be ubiquitous, something that works without too much fuss, and is straightforward for both the end user and the access point maintainer — kind of like eduroam ;)
