Copyright © 2003 Juniper Networks, Inc. Proprietary and Confidential www.juniper.net 1
WiFi Hotspot Service Control: Design & Case Study Overview
Simon Newstead, APAC Product Manager, [email protected]

Agenda
• Overview of different access models
• Identifying the user location
• Secure access options
• Case studies (as we go)

WiFi control - access models: PPPoE
Diagram: a WiFi user with a PPPoE client (WinXP or 3rd party) brings up a PPPoE connection over layer 2 backhaul transport (Bridged 1483, Metro E) to the Access Controller / BRAS, which sits on the MPLS backbone alongside RADIUS, a Policy Server and an LNS*. BRAS functions shown: AAA; terminate PPP session into VR/VRF or tunnel on via L2TP; fine grained QoS / bandwidth control; dynamic policy enforcement (COPS); lawful intercept etc.

PPPoE access model - discussion
Pros:
• Full per user control with inbuilt PPP mechanisms (authentication, keepalives etc.)
• Individual policy control per user simplified
• Wholesale is simplified and possible at layer 2 and layer 3
• Leverages the broadband BRAS model used in DSL – virtually no changes
Cons:
• Requires external client software (maybe even with XP) – no "auto launch" by default
• Only works in a bridged access environment; often not possible
• Layer 3 access network requires use of native LAC client (BRAS acts as LNS or tunnel switch) – client support issues

PPPoE access model: Case Study – Japanese Provider
Diagram: WiFi users with a PPPoE client (behind a hotspot AP) and DSL users with a PPPoE client each connect through a bridging DSL modem (ATM Bridged 1483) to the Access Controller / BRAS. Users are mapped to a VR based on RADIUS and domain mapping: WiFi users into the WiFi VR (the WiFi operator network), DSL users into the ISP VR; both VRs connect to the backbone.

WiFi control - access models: DHCP model – Web Login
Diagram: a WiFi user with an inbuilt DHCP client connects over layer 2 or layer 3 backhaul (any) to the Access Controller / BRAS on the MPLS backbone, alongside an external DHCP server* and a Policy Server / Web Login Server. BRAS functions shown: DHCP server or relay*; initial policy route to the web logon server; fine grained QoS / bandwidth control; dynamic policies (COPS); accounting; lawful intercept etc.

DHCP Web Login model - discussion
Pros:
• No external client software – inbuilt DHCP – lower barriers
• Any access network – eg L3 wholesale DSL, routed Ethernet etc
• Web Login provides extra options to the operator (branding, advertising, location based content…)
Cons:
• Wholesale options restricted, eg- address allocation – NAT introduces complications (ALG support etc), no tunnelling with L2TP
• Greater security / DoS implications – the DHCP server and web server are exposed to attack
• No autologon by default (manual web login process)
Need to introduce mechanisms to enable per user control in a DHCP environment (mimic PPP)

DHCP / Web login Case Study – Telstra Mobile
Mobile centric service, launched in August 2003
• Available in hotspot locations throughout Australia
• Target of 600 hotspot locations in 2004 (Qantas, McDonalds, Hilton etc)
• International roaming through the Wireless Broadband Alliance
• Time based billing; hourly rate
• Login via a password delivered by SMS to a Telstra mobile (credit card payment option for non-Telstra post-paid mobile customers)
Lowered barriers to uptake
• No special WLAN subscription needed – casual pay-per-use
• Captive portal logon using DHCP – no client software required

How it works - Step One
• User opens up a web browser and tries to go to Google
• Session directed to the captive portal on the policy server
• Choice to enter mobile phone number, or username and password
• Mobile phone number entered
Step Two
• One-time password sent via SMS to the user's mobile phone
• Received password entered into the portal page
Step Three
• Upon successful authentication, the captive portal is released and the original web destination is loaded
• Mini-logout window to facilitate signoff
• Usage billed to the user's mobile phone bill once finished

Dynamic Policies
• Allow greater flexibility of services, eg-
  • Free access to Internet for 15 mins without login… or
  • Internet access only, mail port blocked… or
  • Internet access but only at 64kbps… or
  • Walled garden content only
• Bandwidth can be dynamically increased and restrictions removed on user authentication and login
• Also helps protect against abusive or worm-infected users (eg- dynamically limit users down on a sliding window basis; consumed more than x MB in past 15 mins)
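The sliding-window check above, as an added example that is not part of the original presentation: per-subscriber byte counts are kept for the past 15 minutes and a subscriber whose windowed total exceeds the limit gets a throttling policy until usage drops out of the window. The thresholds, the policy names and the sample accounting records are constructed for illustration.

```python
# Added example, not from the original presentation: a sliding-window usage
# check of the kind described above, where a subscriber who consumes more than
# a threshold in the past 15 minutes is dynamically rate limited.
# The thresholds, policy names and sample records are constructed for illustration.
from collections import defaultdict, deque

WINDOW_SECONDS = 15 * 60          # "past 15 mins"
LIMIT_BYTES = 50 * 1024 * 1024    # "x MB": 50 MB chosen for this example
NORMAL_POLICY = "rate-limit-2M"   # hypothetical policy names
THROTTLE_POLICY = "rate-limit-64k"


class UsageMonitor:
    """Tracks per-subscriber byte counts in a sliding time window."""

    def __init__(self, window=WINDOW_SECONDS, limit=LIMIT_BYTES):
        self.window = window
        self.limit = limit
        self.samples = defaultdict(deque)   # ip -> (timestamp, bytes), oldest first
        self.totals = defaultdict(int)      # ip -> bytes currently inside the window

    def _expire(self, ip, now):
        q = self.samples[ip]
        while q and q[0][0] <= now - self.window:
            _, nbytes = q.popleft()
            self.totals[ip] -= nbytes

    def record(self, ip, timestamp, nbytes):
        """Add one interim accounting sample and return the policy to apply now."""
        self._expire(ip, timestamp)
        self.samples[ip].append((timestamp, nbytes))
        self.totals[ip] += nbytes
        return self.policy_for(ip, timestamp)

    def policy_for(self, ip, now):
        """Throttle while the windowed total exceeds the limit; relax once it drops."""
        self._expire(ip, now)
        return THROTTLE_POLICY if self.totals[ip] > self.limit else NORMAL_POLICY


def replay(records):
    """Feed (ip, timestamp, bytes) records in time order; return the final policy per ip."""
    mon = UsageMonitor()
    decisions = {}
    for ip, t, nbytes in sorted(records, key=lambda r: r[1]):
        decisions[ip] = mon.record(ip, t, nbytes)
    return decisions


# Constructed sample: user A sends 1 MB a minute, user B sends 12 MB a minute for 5 minutes
SAMPLE = ([("192.168.1.1", t, 1024 * 1024) for t in range(0, 900, 60)]
          + [("192.168.1.2", t, 12 * 1024 * 1024) for t in range(0, 300, 60)])

if __name__ == "__main__":
    for ip, policy in replay(SAMPLE).items():
        print(ip, "->", policy)
```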

Per user control in a DHCP environment
Objective - make an IP host on a single aggregated interface appear like its own IP interface
• Treat hosts as separate logical (demultiplexed) IP interfaces, aka "Subscriber Interfaces"
• Individual policy control on the subscriber interface (linked to the policy server) – eg filters, bandwidth control
• Ties into DHCP dynamically
Diagram: User A (192.168.1.1) and User B (192.168.1.2) share VLAN 101 through an L3 switch into the Access Controller / BRAS. Subscriber Interface A (IP demux 192.168.1.1): rate limit Internet to 512k. Subscriber Interface B (IP demux 192.168.1.2): rate limit Internet to 2M, prioritise VoIP to strict priority queue, add firewall policies.

Generic Web Login process
Diagram: AP – switch layer – routing layer (Access Controller / BRAS with inbuilt DHCP server, the DHCP relay point) – upstream router – Internet & service access, with RADIUS and the Weblogin - Policy Server alongside.
Web login sequence:
1. IP assignment through DHCP & subscriber interface comes up – Dynamic SI
2. HTTP redirected and the portal web page shown
3. Input subscriber ID and password
4. RADIUS authentication; download policies
Web logout sequence:
1. (Access the portal & click on logout button) or (DHCP lease expired)
2. RADIUS accounting; (reset policies) or (delete subscriber interface) – Dynamic SI

Location information – why?
• Generates portal pages based on hotspot location
• Enables targeted advertising, eg- promotions for the owner of the hotspot location, revenue sharing (charging models) etc…
Diagram: Hotspot – Cafe and Hotspot – Train Station connect through the Access Controller / BRAS to the Weblogin - Policy Server; the train station portal offers free access to timetables and fares, the cafe portal free sports news.

Location information – how?
PPPoE model
• Easy – layer 2 circuit per hotspot to AC/BRAS
• RADIUS will contain NAS Port ID etc… map back centrally
DHCP model (rely on relay to provide)
• Gateway address (GiAddr field)
• Option 82 information, suboptions (ala RADIUS VSAs)
• Or even layer 3 GRE tunnel back if access network can't provide info required (also simplifies routing)
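The two DHCP-model location hints listed above, giaddr and Option 82, as an added example that is not part of the original presentation: the parser pulls both out of a relayed DHCP packet and maps them to a hotspot. The packet builder, the location table and every value in them are constructed for illustration.

```python
# Added example, not from the original presentation: extracting the two location
# hints the slide names for the DHCP model, the giaddr field and Option 82 sub-options,
# from a relayed DHCP packet and mapping them to a hotspot. The packet builder,
# the location table and all values in it are constructed for illustration.
import struct
import ipaddress

OPT_RELAY_AGENT = 82     # DHCP Relay Agent Information option
SUB_CIRCUIT_ID = 1       # Option 82 sub-option: circuit ID (port the client is on)
SUB_REMOTE_ID = 2        # Option 82 sub-option: remote ID (relay identity)
MAGIC_COOKIE = b"\x63\x82\x53\x63"


def build_discover(giaddr, circuit_id, remote_id, mac=b"\x00\x11\x22\x33\x44\x55"):
    """Construct a minimal DHCPDISCOVER as a relay agent would forward it (test input)."""
    hdr = struct.pack("!BBBBIHH4s4s4s4s16s", 1, 1, 6, 1, 0x3903F326, 0, 0x8000,
                      b"\0" * 4, b"\0" * 4, b"\0" * 4,
                      ipaddress.IPv4Address(giaddr).packed, mac.ljust(16, b"\0"))
    hdr += b"\0" * 192                                   # sname and file, unused
    sub = bytes([SUB_CIRCUIT_ID, len(circuit_id)]) + circuit_id
    sub += bytes([SUB_REMOTE_ID, len(remote_id)]) + remote_id
    opts = MAGIC_COOKIE + b"\x35\x01\x01"                # option 53 = DHCPDISCOVER
    opts += bytes([OPT_RELAY_AGENT, len(sub)]) + sub + b"\xff"
    return hdr + opts


def parse_relay_info(packet):
    """Return (giaddr, client MAC, Option 82 sub-options) from a DHCP packet."""
    if len(packet) < 240 or packet[236:240] != MAGIC_COOKIE:
        raise ValueError("not a DHCP packet")
    giaddr = str(ipaddress.IPv4Address(packet[24:28]))
    mac = packet[28:28 + packet[2]].hex(":")              # hlen bytes of chaddr
    subopts = {}
    i = 240
    while i < len(packet) and packet[i] != 0xFF:          # 0xFF ends the option list
        if packet[i] == 0:                                # pad byte
            i += 1
            continue
        code, length = packet[i], packet[i + 1]
        value = packet[i + 2:i + 2 + length]
        if code == OPT_RELAY_AGENT:
            j = 0
            while j + 1 < len(value):
                sub_len = value[j + 1]
                subopts[value[j]] = value[j + 2:j + 2 + sub_len]
                j += 2 + sub_len
        i += 2 + length
    return giaddr, mac, subopts


# Constructed table: which relay (giaddr) and which AP port (circuit ID) is which hotspot
LOCATIONS = {("10.1.1.1", b"ap1-port1"): "Hotspot - Cafe",
             ("10.1.2.1", b"ap7-port3"): "Hotspot - Train Station"}


def locate(packet):
    """Map a relayed DHCP packet to a hotspot name; None if the relay/port is unknown."""
    giaddr, _mac, subopts = parse_relay_info(packet)
    return LOCATIONS.get((giaddr, subopts.get(SUB_CIRCUIT_ID)))
```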

Side topic – routing back to the WiFi user in a DHCP environment
Use location based info to allocate users from address pools; one pool per location
• Aggregate routes
• Static, redistributed to IGP; simplified
Central pools ok but..
• Require the DHCP relay to store state - snoop the address coming back from the server in the DHCP offer / ACK
• Also requires redistribution into the IGP; scaling issues with that…

Secure access – why?
• Various access vulnerabilities in simple models
• Session hijacking / spoofing, man in the middle
Two main approaches:
• IPSEC tunneling model
• 802.1x/EAP

WiFi secured access: IPSEC option
Diagram: a WiFi user with an inbuilt IPSEC client (eg- Win2k, WinXP) establishes an L2TP/IPSEC connection (RFC3193) over any backhaul transport to the Access Controller / BRAS on the MPLS backbone, alongside RADIUS, a Policy Server and an LNS*. The BRAS terminates IPSEC and controls the PPP session.

IPSEC WiFi access
Pros:
• No external client software – inbuilt into Windows
• PPP model gives full per user control (eg- terminate IPSEC and tunnel on L2TP)
• Integrates well into a VPN environment; user sessions terminated to MPLS VPNs at AC/BRAS (PE)
• Can use digital certificates to ensure identity (server and maybe clients also)
Cons:
• Client issues – overhead, PDA support (eg- WinCE today only supports MSCHAPv2?)

IPSEC WiFi access: Japan Case Study
Integration of VPN access for mobile corporate users regardless of access type
Outsource remote access management from corporates, and aggregate users in a layer 3 VPN – common point of subscriber management
Network diagram: WiFi users with the native Windows client connect over IPSEC / L2TP (RFC 3193), and 3G and 2G users via a LAC/GGSN over native L2TP, to the Access Controller - BRAS (PE) on the MPLS backbone. Users are mapped into corporate VPNs (VRFs); a PE connects over a GE VLAN to the Corp HQ CE.

WiFi secured access: 802.1x/EAP option
Diagram: a WiFi user with an EAP/802.1x client (eg- WinXP, iPass, Odyssey..) runs EAP over EAPoL (802.1x) to the AP; the AP carries EAP over RADIUS, across any backhaul transport, to the Access Controller / BRAS on the MPLS backbone, alongside RADIUS and a Policy Server.
Note- DHCP happens after EAP authentication

Option - Authentication using 802.1X and EAP on 802.11 - overview
Message sequence between the client, the AP (EAPOW on the 802.11 side, RADIUS on the wired side) and the RADIUS server:
1. 802.11 Associate-Request / 802.11 Associate-Response – association complete, access blocked
2. EAPOW-Start
3. EAP-Request/Identity
4. EAP-Response/Identity, forwarded as Radius-Access-Request
5. Radius-Access-Challenge, delivered as EAP-Request
6. EAP-Response (credentials), forwarded as Radius-Access-Request
7. Radius-Access-Accept, delivered as EAP-Success
8. EAPOW-Key (WEP..) – access allowed
Source: Microsoft

EAP/802.1x WiFi access
Pros:
• EAP/802.1x built into WinXP
• Flexible authentication architecture – many different EAP options eg- GSM SIM using EAP/SIM, EAP-MD5, LEAP, Smartcards etc…
• Can handle inter-AP roaming with 802.11f
• Adopted in the corporate market
Cons:
• Doesn't address the core network / VPN portion, just secures the access layer
• Today uses session keys vs temporal (WPA, coming in 802.11i)
• Need smarts to keep per user control in the network without double logon

Maintaining subscriber control in an 802.1x/EAP environment – "RADIUS relay" concept
• 802.1x access points have a RADIUS client; EAP messages are encapsulated in RADIUS messages
• Host MAC address is carried in the Calling-Station-Id attribute
• RADIUS relay (BRAS) uses the @domain name to forward the RADIUS request to an external EAP capable RADIUS proxy or server
• BRAS relay stores the host MAC address (and maybe user) and awaits authorization data (VR to use, IP pool/address to use, filters, etc)
• DHCP request, based on the host MAC address, creates the subscriber interface in the proper context, allocates an IP address, assigns default policies
• Policy server control with no Web login
• Access point creates RADIUS authentication and accounting (stop)
Diagram: 802.1x AP over any backhaul transport to the BRAS RADIUS relay, with DHCP, a Policy Server and the RADIUS Server.
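The RADIUS relay concept above as a small model, added here and not part of the original presentation: Access-Requests are forwarded by the @domain realm in User-Name, the authorization returned for the host MAC (Calling-Station-Id) is held until that host's DHCP request arrives, and the request is then placed in the authorized context or refused. The realm table, the attribute dictionaries and the authorization fields (vr, pool, filter) are constructed for illustration.

```python
# Added example, not from the original presentation: a small model of the
# "RADIUS relay" concept above. Access-Requests are forwarded by the @domain realm
# in User-Name, the authorization returned for the host MAC (Calling-Station-Id)
# is held until the host's DHCP request arrives, and that request is then placed
# in the authorized context. The realm table, the attribute dictionaries and the
# authorization fields (vr, pool, filter) are constructed for illustration.

REALM_SERVERS = {"corp.example": "eap-proxy-corp", "isp.example": "eap-server-isp"}


def norm_mac(mac):
    """Normalise '00-11-22-33-44-55' / '00:11:22:33:44:55' to lowercase colon form."""
    return mac.replace("-", ":").lower()


class RadiusRelay:
    def __init__(self, realms=REALM_SERVERS):
        self.realms = realms
        self.pending = {}      # MAC -> user awaiting Access-Accept
        self.authorized = {}   # MAC -> authorization data for the subscriber interface

    def forward(self, access_request):
        """Choose the upstream server from the realm; remember the MAC. None = unknown realm."""
        user = access_request["User-Name"]
        server = self.realms.get(user.rpartition("@")[2])
        if server is None:
            return None
        self.pending[norm_mac(access_request["Calling-Station-Id"])] = user
        return server

    def on_accept(self, access_accept):
        """Store VR, pool and filter for the MAC that was pending. False if not pending."""
        mac = norm_mac(access_accept["Calling-Station-Id"])
        if mac not in self.pending:
            return False                              # unsolicited accept: ignore
        self.authorized[mac] = {"user": self.pending.pop(mac),
                                "vr": access_accept["vr"],
                                "pool": access_accept["pool"],
                                "filter": access_accept.get("filter", "default")}
        return True

    def on_dhcp_request(self, mac):
        """Create the subscriber interface in the authorized context; None = not authorized."""
        auth = self.authorized.get(norm_mac(mac))
        if auth is None:
            return None            # no 802.1x authorization yet: no address, no interface
        return {"subscriber_if": "si-" + norm_mac(mac).replace(":", ""),
                "vr": auth["vr"], "pool": auth["pool"], "filter": auth["filter"]}

    def on_accounting_stop(self, mac):
        """Accounting Stop from the AP tears the subscriber state down."""
        return self.authorized.pop(norm_mac(mac), None) is not None


def demo():
    """Constructed exchange: alice@corp.example authenticates, then requests an address."""
    relay = RadiusRelay()
    request = {"User-Name": "alice@corp.example", "Calling-Station-Id": "00-11-22-33-44-55"}
    target = relay.forward(request)
    relay.on_accept({"Calling-Station-Id": "00:11:22:33:44:55", "vr": "corp-vr",
                     "pool": "corp-pool", "filter": "corp-acl"})
    return target, relay.on_dhcp_request("00:11:22:33:44:55")
```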

Summary
Which access model?
• PPPoE is nice, but often not practical
• DHCP – web login models can now provide good per user control, location info etc
Where am I? Location information
• Key for WiFi business models eg- generate content based on location (virtualised)
Security
• IPSEC is a good end-end mechanism, integration with VPNs
• EAP is flexible and useful in access, but needs to tie in with the core network and per user control
Thank you…!
Contact: [email protected]

802.11 variants
• 802.11a: 5.4MHz, OFDM, 54 Mbps, 10+ channels
• 802.11b: 2.4GHz, DSSS, 11 Mbps, 3 channels
• 802.11d: Enhancements to meet country specific regulations
• 802.11e: Quality of Service
• 802.11f: Inter-Access Point Protocol, handover between close APs
• 802.11g: 2.4GHz, OFDM, 54Mbps, 3 channels
• 802.11h: Specifically for 5GHz; power control and frequency selection
• 802.11i: Security framework, reference to 802.1x and EAP

Wireless LAN Technologies
• 802.11b – Freq. band: 2.4 GHz (public); Coverage: Worldwide; Data rate: 1-11 Mbps
• 802.11a – Freq. band: 5 GHz (public / private); Coverage: US/AP; Data rate: 20-54 Mbps (1-2 yrs), 100+ Mbps (future)
• HiperLAN2 – Freq. band: 5 GHz; Coverage: Europe; Data rate: 20-54 Mbps (1-2 yrs)
• 802.11g – Freq. band: 2.4 GHz (public); Coverage: Worldwide; Data rate: 1-54 Mbps

PWLAN and Security
WEP encryption (Wired Equivalent Privacy) much criticized in enterprise
• Also it uses static keys, which is not valid for PWLAN as keys would need to be published
802.1x and EAP delivers improved security for PWLAN
• Introduces dynamic keys at the start of the session, and PWLAN sessions are short lived (unlike enterprise)
802.11i
• Uses 802.1x, which uses EAP and allows dynamic keys
• Firmware upgrade for TKIP, then hardware upgrade for improved AES encryption
• Poses transition complexity for the existing user base
WPA (Wi-Fi Protected Access) is an interim step to 802.11i
• Uses 802.1x and EAP and TKIP but no AES

802.1x Overview
Makes up for deficiencies in WEP, which uses static keys
IEEE 802.1x-2001: Port-Based Network Access Control
• Prior to authentication, traffic is restricted to the authentication server
RFC 2284 (1998): PPP Extensible Authentication Protocol (EAP)
• EAP encapsulated in RADIUS for transport to an EAP enabled AAA server
• Many variations: EAP/TLS and EAP-PEAP supported by Microsoft, MD5, OTP, LEAP (Cisco), and SIM (GSM Subscriber Identity Module)
IEEE 802.11i Framework Specification
• Specifies use of 802.1x and EAP for authentication and encryption keys
• New encryption in the access point
• Access Points need a firmware upgrade for TKIP, then new hardware for AES

PWLAN and Mobile
3GPP standards org defined five scenarios for PWLAN integration with 3G
• From common authentication to seamless handover of voice service
• Specified 802.1x based authentication
• Part of 3GPP Release 6, specified in TS 23.234
But real deployments are occurring well in advance of 3GPP R6… so:
GSM Association WLAN Task Force issued guidelines for pre Release 6
• Web based login initially, transitioning to the 3GPP Release 6 spec
A SIM located in WLAN cards will use authentication based on EAP/SIM
• Eg- Use of a SIM dongle
EAP to SS7 gateways will allow mobile HLR / HSSs to authenticate the WLAN card

Authenticating against the GSM HLR
• Existing database with all mobile subscriber information
• Existing provisioning and customer care systems are used
• EAP/SIM can offer GSM equivalent authentication and encryption
• Gateway between RADIUS/IP and MAP/SS7 is required
  • Eg Funk Software Steel Belted Radius/SS7 Gateway
  • Ulticom Signalware SS7 software
  • Sun server E1/T1 interface card
• Major vendors Ericsson, Siemens, Nokia all have or are developing their own offer

802.1x EAP/SIM authentication from HLR – transparent RADIUS relay
Diagram: Client – AP (Authenticator) – BRAS AC (RADIUS Relay) – RADIUS/SS-7 GW – HLR. Client authentication: EAPoL between client and AP, RADIUS from the AP through the BRAS relay to the RADIUS/SS-7 GW, MAP/SS7 over the Gr interface to the HLR. Client IP address assignment follows: DHCP Discover, DHCP Offer, DHCP Request, DHCP Ack {address = End User address from GGSN}.

Tight integration proposed by 3GPP
Diagram: Client – Access Controller (RADIUS Relay, Authenticator) – RADIUS/SS-7 GW – HLR, with a GGSN reached over GPRS Tunneling Protocol. Client authentication: EAPoL to the Access Controller, RADIUS to the RADIUS/SS-7 GW, Gr interface to the HLR. The Access Controller then sends Create PDP Context {IP, transparent mode APN, IMSI/NSAPI, MSISDN, dynamic address requested} to the GGSN and receives Create PDP Context Response {End User Address}. Client IP address assignment: DHCP Discover, DHCP Offer, DHCP Request, DHCP Ack {address = End User address from GGSN}. On lease expiration the Access Controller sends Delete PDP Context Request.

Real time handover…
Many access types – WLAN, 3G, GPRS…
Mobile IP could provide reasonable real-time macro roaming between cellular and WLAN access types (also alternates such as 802.16/WiMax)
Supported for dual mode CPE/handsets
• Eg- Dual Mode NEC cellphone with WLAN as trialed in DoCoMo
• PDAs with WLAN and CDMA 1x/EVDO or GPRS/WCDMA
• Notebooks with cellular data or dual mode cards
Off the shelf client software available today – IPUnplugged, Birdstep
Challenges- VoIP, WLAN automated logon (eg- 802.1x could solve this), applications/OS can handle address changes

Overview of Mobile IPv4 (RFC2002)
1. MN discovers Foreign Agent (FA)
2. MN obtains COA (FA - Care Of Address)
3. MN registers with FA, which relays the registration to HA
4. HA tunnels packets from CN to MN through FA
5. FA forwards packets from MN to CN, or reverse tunnels through HA (RFC3024)
Diagram: MN attached to the FA (steps 1, 2 and 3), with HA and CN reachable across the Internet (steps 4 and 5).

Mobile IP Interworking with UMTS/GPRS
Recommends use of FA Care Of Addresses (CoA), not collocated, to conserve IPv4 addresses
Source: 3GPP

Registration Process to GGSN FA
IPv4 registration, UMTS/GPRS + MIP, FA care-of address. Parties: TE, MT, SGSN, GGSN/FA, Home Network.
1. AT Command (APN) – TE to MT
2. Activate PDP Context Request (APN=MIPv4FA) – MT to SGSN
A. Select suitable GGSN – at the SGSN
3. Create PDP Context Request (APN=MIPv4FA) – SGSN to GGSN/FA
4. Create PDP Context Response (no PDP address) – GGSN/FA to SGSN
5. Activate PDP Context Accept (no PDP address) – SGSN to MT
6. Agent Advertisement – GGSN/FA to MT
7. MIP Registration Request – MT to GGSN/FA
8. MIP Registration Request – GGSN/FA to Home Network
9. MIP Registration Reply – Home Network to GGSN/FA
10. MIP Registration Reply – GGSN/FA to MT

Overview of Mobile IPv6
Removes the need for an external FA in future 3GPP systems
1. MN obtains an IP address using stateless or stateful autoconfiguration
2. MN registers with HA
3. HA tunnels packets from CN to MN
4. MN sends packets directly to CN or via tunnel to HA
• Binding Update from MN to CN removes HA from the path.
Diagram: MN (steps 1 and 2), with HA and CN across the Internet (steps 3 and 4).