400 likes | 639 Views
WiFi Hotspot Service Control Design & Case Study Overview. Simon Newstead APAC Product Manager snewstead@juniper.net. Agenda. Overview of different access models Identifying the user location Secure access options Case studies (as we go). WiFi control - access models PPPoE. RADIUS.
E N D
WiFi Hotspot Service ControlDesign & Case Study Overview Simon Newstead APAC Product Managersnewstead@juniper.net
Agenda • Overview of different access models • Identifying the user location • Secure access options • Case studies (as we go)
WiFi control - access modelsPPPoE RADIUS PPPoE connection MPLS Backbone Layer 2 Backhaul Transport (Bridged1483, Metro E) Access Controller BRAS LNS* WiFi User with PPPoE client (WinXP or 3rd party) Policy Server AAAA Terminate PPP session into VR/VRF or tunnel on via L2TP Fine grained QoS / bandwidth control Dynamic Policy Enforcement (COPS) Lawful Intercept etc…
PPPoE access model - discussion • Pros: • Full per user control with inbuilt PPP mechanisms (authentication, keepalives etc.) • Individual policy control per user simplified • Wholesale is simplified and possible at layer 2 and layer 3 • Leverages the broadband BRAS model used in DSL – virtually no changes • Cons: • Requires external client software (maybe even with XP) – no “auto launch” by default • Only works in a bridged access environment; often not possible • Layer 3 access network requires use of native LAC client (BRAS acts as LNS or tunnel switch) – client support issues
PPPoE access modelCase Study – Japanese Provider Hotspot AP RADIUS ATM Bridged 1483 ISP VR Bridging DSL modem Backbone WiFi Users with PPPoE client joe@wifi-isp.co.jp WiFi VR WiFi operator network Access Controller BRAS Bridging DSL modem DSL Users with PPPoE client joe@dsl-isp.co.jp Mapping of user to VR based on RADIUS, domain mapping
WiFi control - access modelsDHCP model – Web Login External DHCP Server* DHCP MPLS Backbone Layer 2 or Layer 3 Backhaul (any) Access Controller BRAS WiFi User with inbuilt DHCP client. Policy Server / Web Login Server DHCP Server or Relay* Initial policy route to Web logon server Fine grained QoS / bandwidth control Dynamic Policies (COPS) Accounting Lawful Intercept etc…
DHCP Web Login model - discussion • Pros • No external client software – inbuilt DHCP – lower barriers • Any access network – eg L3 wholesale DSL, routed Ethernet etc • Web Login provides extra options to operator (branding, advertising, location based content…) • Cons: • Wholesale options restricted eg- address allocation – NAT introduces complications (ALG support etc), no tunnelling with L2TP • Greater security / DoS implications – attack DHCP server, Web server • No autologon by default (manual web login process) • Need to introduce mechanisms to enable per user control in DHCP environment (mimic PPP)
DHCP / Web login Case Study – Telstra Mobile • Mobile centric service, launched in August 2003 • Available in hotspot locations throughout Australia • Target of 600 hotspot locations in 2004 (Qantas, McDonalds, Hilton etc) • International roaming through the Wireless Broadband Alliance • Time based billing; hourly rate • Login via a password delivered by SMS to a Telstra mobile (credit card payment option for non-Telstra post-paid mobile customers) • Lowered barriers to uptake • No special WLAN subscription needed – casual pay-per-user • Captive portal logon using DHCP – no client software required
How it works - Step One • User opens up webbrowser and triesto go to Google • Session directedto captive portal on policy server • Choice to entermobile phone number or username andpassword • Mobile phonenumber entered
Step Two • One-time passwordsent via SMS touser’s mobilephone • Received password entered into portal page
Step Three • Upon successfulauthentication,captive portal isreleased and original webdestination isloaded. • Mini-logout window to facilitate signoff. • Usage billed to user’s mobile phone bill once finished
Dynamic Policies • Allow greater flexibility of services eg- • Free access to Internet for 15 mins without login… or • Internet access only, mail port blocked…or • Internet access but only at 64kbps…or • Walled garden content only • Bandwidth can be dynamically increased and restrictions moved on user authentication and login • Also helps protect against abusive or Worm users (eg- dynamically limit users down on sliding window basis; consumed more than x MB in past 15 mins)
Per user control in a DHCP environment • Objective - make an IP host on single aggregated interface appear like its own IP interface • Treat hosts as separate logical (demultixed) IP interfaces aka “Subscriber Interfaces” • Individual policy control on subscriber interface (linked to policy server) – eg filters, bandwidth control • Ties into DHCP dynamically Subscriber Interface A IP Demux 192.168.1.1 Rate Limit Internet to 512k Subscriber Interface B IP Demux 192.168.1.2 Rate Limit Internet to 2M Prioritise VoIP to strict priority queue Add firewall policies User A: 192.168.1.1 L3 Switch VLAN 101 User B: 192.168.1.2 Access Controller BRAS
Generic Web Login process Weblogin - Policy Server Radius DHCP relay point Access ControllerBRAS RoutingLayer Upstream Router AP Switch Layer FE GE GE GE inbuilt DHCP server WEB login sequence 1. IP assignments through DHCP & subscriber interface come up – Dynamic SI 2. HTTP redirected and show the portal web page 3. Input subscriber ID and password 4. Radius authentication 4. Download policies Internet & service access WEB logout sequence 1. (Access the portal & click on logout button) or (DHCP lease expired) 2. Radius accounting 2. (Reset policies) or (Delete subscriber interface) – Dynamic SI
Location information – why?? • Generates portal pages based on hotspot location • Enables targeted advertising. eg- promotions for the owner of the hotspot location, revenue sharing (charging models) etc… Hotspot – Train Station Portal - Free access to timetables, fares.. Access ControllerBRAS Portal - Free sports news.. Hotspot – Cafe Weblogin - Policy Server
Location information – how? • PPPoE model • Easy – layer 2 circuit per hotspot to AC/BRAS • RADIUS will contain NAS Port ID etc…map back centrally • DHCP model (rely on relay to provide) • Gateway address (GiAddr field) • Option 82 information, suboptions (ala RADIUS VSAs) • Or even layer 3 GRE tunnel back if access network can’t provide info required (also simplifies routing)
Side topic – routing back to WiFi userin DHCP environment • Use location based info to allocate users from address pools; one pool per • Aggregate routes • Static, redistributed to IGP; simplified • Central pools ok but.. • Require DHCP relay to store state - snoop address coming back from the server in DHCP offer / ACK • Also requires redistribution into IGP; scaling issues with that…
Secure access • Why? • Various access vulnerabilities in simple models • Session hijacking / spoofing, man in the middle • Two main approaches: • IPSEC tunneling model • 802.1x/EAP
WiFi secured accessIPSEC option RADIUS L2TP/IPSEC connection (RFC3193) MPLS Backbone Any Backhaul Transport Access Controller BRAS LNS* WiFi User with inbuilt IPSEC client Eg- Win2k, WinXP Policy Server Terminate IPSEC BRAS control of PPP session
IPSEC WiFi access • Pros • No external client software – inbuilt into Windows • PPP model gives full per user control (eg- terminate IPSEC and tunnel on L2TP) • Integrates well into a VPN environment; user sessions terminated to MPLS VPNs at AC/BRAS (PE) • Can use digital certificates to ensure identity (server and maybe clients also) • Cons: • Client issues – overhead, PDA support (eg- WinCE today only supports MSCHAPv2?)
IPSEC WiFi accessJapan Case Study • Integration of VPN access for mobile corporate users regardless of access type • Outsource remote access management from corporates, and aggregate users in a layer 3 VPN – common point of subscriber management • Network diagram: Corp HQ CE Users mapped into corporate VPNs PE GE VLAN IPSEC / L2TP (RFC 3193) MPLS Backbone WiFi User with native Windows Client NativeL2TP VRFs LAC GGSN Access Controller- BRAS (PE) 3G and 2G users
WiFi secured access802.1/EAP option EAP EAPoL802.1x EAP/RADIUS RADIUS MPLS Backbone Any Backhaul Transport AP Access Controller BRAS WiFi User with EAP/802.1x client eg- WinXP, iPass, Odyssey.. Policy Server Note- DHCP happens after EAP authentication
Association Access blocked 802.11 Associate-Request EAPOW-Start 802.11 Associate-Response EAP-Request/Identity Radius-Access-Request EAP-Response/Identity Radius-Access-Challenge EAP-Request Radius-Access-Request EAP-Response (credentials) Radius-Access-Accept EAP-Success Access allowed EAPOW-Key (WEP..) Option - Authentication using802.1X and EAP on 802.11 - overview RADIUSServer 802.11 RADIUS EAPOW Source: Microsoft
EAP/802.1x WiFi access • Pros • EAP/802.1x built into WinXP • Flexible authentication architecture – many different EAP options eg- GSM SIM using EAP/SIM, EAP-MD5, LEAP, Smartcards etc… • Can handle interAP roaming with 802.11f • Adopted in the corporate market • Cons: • Doesn’t address core network / VPN portion, just secures access layer • Today uses session keys vs temporal (WPA, coming in 802.11i) • Need smarts to keep per user control in the network without double logon
Maintaining subscriber control when using 802.1x/EAP environment “RADIUS relay” concept • 802.1x access points have Radius client, EAP messages encapsulated in Radius messages • Host MAC address in the calling-station-attribute • Radius relay (BRAS) uses @domain name to forward Radius request to an external EAP capable Radius proxy or server • BRAS relay stores Host MAC address (and maybe user) and awaits authorization data (VR to use, IP pool/address to use, filters, etc) • DHCP request, based on thehost MAC address, creates subscriber interface in proper context allocates IP address, assign default policies. Policy server control with no Web login • Access point creates Radius authentication and accounting (stop) Policy Server DHCP RadiusRelay Any Backhaul Transport RADIUS Server 802.1x AP
Summary • Which access model? • PPPoE is nice, but often not practical • DHCP – web login models now can provide good per user control, and location info etc • Where am I? Location information • Key for WiFi business models eg- generate content based on location (virtualised) • Security • IPSEC is a good end-end mechanism, integration with VPNs • EAP is flexible and useful in access, but needs to tie in with core network and per user control
Thank you…! Contact: snewstead@juniper.net
802.11 variants • 802.11a 5.4MHz, OFDM, 54 Mbps, 10+ channels • 802.11b 2.4GHz, DSSS, 11 Mbps, 3 channels • 802.11d Enhancements to meet country specific regulations • 802.11e Quality of Service • 802.11f Inter-Access Point Protocol, handover between close APs • 802.11g 2.4GHz, OFDM, 54Mbps, 3 channels • 802.11h Specifically for 5GHz; power control and frequency selection • 802.11i Security framework, reference to 802.1x and EAP • See PowerPoint comments page below for more details
Wireless LAN Technologies 802.11b 802.11g HiperLAN2 802.11a Freq. Band 2.4 GHz Public 2.4 GHz Public 5 GHz 5 GHz / Public / Private Coverage Worldwide Worldwide Europe US/AP Data Rate 20-54 Mbps (1-2 yrs) 100+ Mbps (future) 1-11 Mbps 1-54 Mbps 20-54 Mbps (1-2 yrs)
PWLAN and Security • WEP encryption (Wireless Equivalent Protocol) much criticized in enterprise • Also it uses static keys which is not valid for PWLAN as keys would need to be published • 802.1x and EAP delivers improved security for PWLAN • Introduces dynamic keys at start of session, and PWLAN sessions are short lived (unlike enterprise) • 802.11i • Uses 802.1x which uses EAP and allows dynamic keys • Firmware upgrade for TKIP then hardware upgrade for improved AES encryption • Poses transition complexity for existing user base • WPA (Wi-Fi Protected Access) is an interim step to 802.11i • Uses 802.1x and EAP and TKIP but no AES
802.1x Overview • Make up for deficiencies in WEP which uses static keys • IEEE 802.1x-2001: Port-Based Network Access Control • Prior to authentication traffic is restricted to the authentication server • RFC 2284 (1998): PPP Extensible Authentication Protocol (EAP) • EAP encapsulated in Radius for transport to EAP enabled AAA server • Many variations EAP/TLS and EAP-PEAP supported by Microsoft, MD5, OTP, LEAP (Cisco), and SIM (GSM Subscriber Identity Module) • IEEE 802.11i Framework Specification • Specifies use of 802.1x and EAP for authentication and encryption key • New encryption in access point • Access Points need firmware upgrade to TKIP then new hardware for AES
PWLAN and Mobile • 3GPP standards org defined five scenarios for PWLAN integration with 3G • From common authentication to seamless handover of voice service • Specified 802.1x based authentication • Part of 3GPP Release 6, specified in TS 23.234 • But, real deployments are occurring well in advance of 3GPP R6……so: • GSM Association WLAN Task Force issued guidelines for pre Release 6 • Wed based login initially transitioning to 3GPP release 6 spec • A SIM located in WLAN cards will use authentication based on EAP/SIM • Eg- Use of SIM dongle • EAP to SS7 gateways will allow mobile HLR / HSSs to authenticate the WLAN card
Authenticating against the GSM HLR • Existing database with all mobile subscriber information • Existing provisioning and customer care systems are used • EAP/SIM can offer GSM equivalent authentication and encryption • Gateway between RADIUS/IP and MAP/SS7 is required • Eg Funk Software Steel Belted Radius/SS7 Gateway • Ulticom Signalware SS7 software • Sun server E1/T1 interface card • An overview of the product is in this attachment: • Major vendors Ericsson, Siemens, Nokia all have or are developing their own offer
RADIUS 802.1x EAP/SIM authentication from HLRTransparent RADIUS relay MAPSS7 GW HLR BRAS AC, (RADIUS Relay) RADIUS/SS-7 GW HLR Client Authenticator EAPoL RADIUS Gr Interface Client - Authentication DHCP Discover DHCP Offer Client – IP Address Assignment DHCP Request DHCP Ack {address = End User address from GGSN}
Access Controller, RADIUS Relay RADIUS/SS-7 GW HLR Client Authenticator EAPoL RADIUS Gr Interface Client - Authentication Create PDP Context {IP, transparent mode APN, IMSI/NSAPI, MSISDN, dynamic address requested} Create PDP Context Response {End User Address} DHCP Discover RADIUS Client – IP Address Assignment DHCP Offer DHCP Request DHCP Ack {address = End User address from GGSN} Lease expiration Delete PDP Context Request Tight integration proposed by 3GPP HLR GPRS Tunneling Protocol GGSN GGSN
Real time handover… • Many access types – WLAN, 3G, GPRS… • Mobile IP could provide reasonable real-time macro roaming between cellular and WLAN access types (also alternates such as 802.16/WiMax) • Supported for dual mode CPE/handsets • Eg- Dual Mode NEC cellphone with WLAN as trialed in DoCoMo • PDAs with WLAN and CDMA 1x/EVDO or GPRS/WCDMA • Notebooks with cellular data or dual mode cards • Off the shelf client software available today – IPUnplugged, Birdstep • Challenges- VoIP, WLAN automated logon (eg- 802.1x could solve this), applications/OS can handle address changes
Overview of Mobile IPv4 (RFC2002) • 1. MN discovers Foreign Agent (FA) • 2. MN obtains COA (FA - Care Of Address) • 3. MN registers with FA which relays registration to HA • 4. HA tunnels packets from CN to MN through FA • 5. FA forwards packets from MN to CN or reverse tunnels through HA (RFC3024) CN 5. 4. FA HA Internet 1. and 2. 3. MN
Mobile IP Interworking with UMTS/GPRS • Recommends use of FA Care Of Addresses (CoA), not collocated, to conserve IPv4 addresses Source: 3GPP
Overview of Mobile IPv6Removes need for external FA in future 3GPP systems CN • 1. MN obtains IP address using stateless or stateful autoconfiguration • 2. MN registers with HA • 3. HA tunnels packets from CN to MN • 4. MN sends packets directly to CN or via tunnel to HA • Binding Update from MN to CN removes HA from path. 4. 3. HA Internet 1. 2. MN