Copyright © 2003 Juniper Networks, Inc. Proprietary and Confidential www.juniper.net 1
WiFi Hotspot Service Control
Design & Case Study Overview
Simon Newstead
APAC Product Manager
Agenda
Overview of different access models
Identifying the user location
Secure access options
Case studies (as we go)
WiFi control - access models: PPPoE
Diagram: WiFi user with PPPoE client (WinXP or 3rd party) -> PPPoE connection over Layer 2 backhaul transport (Bridged 1483, Metro E) -> Access Controller / BRAS -> MPLS backbone. RADIUS (AAA) and Policy Server attached to the BRAS; LNS* reachable via L2TP.
• Terminate PPP session into VR/VRF or tunnel on via L2TP
• Fine grained QoS / bandwidth control
• Dynamic Policy Enforcement (COPS)
• Lawful Intercept etc…
PPPoE access model - discussion
Pros:
• Full per user control with inbuilt PPP mechanisms (authentication, keepalives etc.)
• Individual policy control per user simplified
• Wholesale is simplified and possible at layer 2 and layer 3
• Leverages the broadband BRAS model used in DSL – virtually no changes
Cons:
• Requires external client software (maybe even with XP) – no “auto launch” by default
• Only works in a bridged access environment; often not possible
• Layer 3 access network requires use of native LAC client (BRAS acts as LNS or tunnel switch) – client support issues
PPPoE access model Case Study – Japanese Provider
Diagram: WiFi users with PPPoE client -> hotspot AP -> bridging DSL modem -> ATM (Bridged 1483) -> Access Controller / BRAS -> backbone. DSL users with PPPoE client reach the same BRAS through their own bridging DSL modem. The BRAS hosts a WiFi VR (WiFi operator network) and an ISP VR; RADIUS attached. Mapping of user to VR based on RADIUS, domain mapping.
WiFi control - access models: DHCP model – Web Login
Diagram: WiFi user with inbuilt DHCP client -> Layer 2 or Layer 3 backhaul (any) -> Access Controller / BRAS (DHCP Server or Relay*) -> MPLS backbone. External DHCP Server* and Policy Server / Web Login Server attached to the BRAS.
• Initial policy route to Web logon server
• Fine grained QoS / bandwidth control
• Dynamic Policies (COPS)
• Accounting
• Lawful Intercept etc…
DHCP Web Login model - discussion
Pros
• No external client software – inbuilt DHCP – lower barriers
• Any access network – eg L3 wholesale DSL, routed Ethernet etc
• Web Login provides extra options to operator (branding, advertising, location based content…)
Cons:
• Wholesale options restricted eg- address allocation – NAT introduces complications (ALG support etc), no tunnelling with L2TP
• Greater security / DoS implications – attack DHCP server, Web server
• No autologon by default (manual web login process)
Need to introduce mechanisms to enable per user control in DHCP environment (mimic PPP)
DHCP / Web login Case Study – Telstra Mobile
Mobile centric service, launched in August 2003
• Available in hotspot locations throughout Australia
• Target of 600 hotspot locations in 2004 (Qantas, McDonalds, Hilton etc)
• International roaming through the Wireless Broadband Alliance
• Time based billing; hourly rate
• Login via a password delivered by SMS to a Telstra mobile (credit card payment option for non-Telstra post-paid mobile customers)
Lowered barriers to uptake
• No special WLAN subscription needed – casual pay-per-user
• Captive portal logon using DHCP – no client software required
How it works - Step One
• User opens up web browser and tries to go to Google
• Session directed to captive portal on policy server
• Choice to enter mobile phone number or username and password
• Mobile phone number entered
Step Two
• One-time password sent via SMS to user’s mobile phone
• Received password entered into portal page
Step Three
• Upon successful authentication, captive portal is released and original web destination is loaded.
• Mini-logout window to facilitate signoff.
• Usage billed to user’s mobile phone bill once finished
Dynamic Policies
• Allow greater flexibility of services, eg-
  • Free access to Internet for 15 mins without login… or
  • Internet access only, mail port blocked… or
  • Internet access but only at 64kbps… or
  • Walled garden content only
• Bandwidth can be dynamically increased and restrictions removed on user authentication and login
• Also helps protect against abusive or worm-infected users (eg- dynamically limit users down on a sliding window basis: consumed more than x MB in past 15 mins)
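The sliding-window throttle described above, as an added example that is not part of the original presentation: a policy-server side meter that accumulates per-subscriber byte counts from accounting updates over the past 15 minutes and picks the policy the BRAS should apply on that subscriber interface. The threshold, policy names and subscriber keys are assumptions.

```python
"""Sliding-window usage policing for a captive-portal subscriber (added example).

Models "dynamically limit users down on a sliding window basis": the policy
server keeps a per-subscriber window of byte counters from accounting updates
and derives the policy to push to the BRAS. Thresholds and names are assumed.
"""
from collections import defaultdict, deque

WINDOW_SECONDS = 15 * 60          # sliding window: past 15 minutes
LIMIT_BYTES = 50 * 1024 * 1024    # assumed abuse threshold: 50 MB in the window
POLICY_NORMAL = "rate-limit 2M"   # assumed policy names on the subscriber interface
POLICY_THROTTLED = "rate-limit 64k"


class SlidingWindowMeter:
    """Tracks (timestamp, bytes) samples per subscriber and derives a policy."""

    def __init__(self, window=WINDOW_SECONDS, limit=LIMIT_BYTES):
        self.window = window
        self.limit = limit
        self.samples = defaultdict(deque)   # subscriber -> deque of (ts, bytes)
        self.totals = defaultdict(int)      # running sum of bytes still inside the window

    def _expire(self, sub, now):
        """Drop samples that have aged out of the window and fix the running total."""
        q = self.samples[sub]
        while q and q[0][0] <= now - self.window:
            _, n = q.popleft()
            self.totals[sub] -= n

    def record(self, sub, nbytes, now):
        """Interim accounting update: bytes consumed since the previous update."""
        self._expire(sub, now)
        self.samples[sub].append((now, nbytes))
        self.totals[sub] += nbytes

    def usage(self, sub, now):
        self._expire(sub, now)
        return self.totals[sub]

    def policy_for(self, sub, now):
        """Policy the BRAS should apply on this subscriber interface right now."""
        return POLICY_THROTTLED if self.usage(sub, now) > self.limit else POLICY_NORMAL


def demo():
    """Constructed accounting samples: one quiet user and one worm-like burst."""
    m = SlidingWindowMeter()
    for t in range(0, 900, 60):                       # 15 updates, one per minute
        m.record("192.168.1.1", 1 * 1024 * 1024, t)   # user A: 1 MB/min
        m.record("192.168.1.2", 5 * 1024 * 1024, t)   # user B: 5 MB/min
    verdict = {s: m.policy_for(s, 900) for s in ("192.168.1.1", "192.168.1.2")}
    later = m.policy_for("192.168.1.2", 900 + WINDOW_SECONDS + 1)  # burst aged out
    return verdict, later


if __name__ == "__main__":
    print(demo())
```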
Per user control in a DHCP environment
Objective - make an IP host on a single aggregated interface appear like its own IP interface
• Treat hosts as separate logical (demultiplexed) IP interfaces aka “Subscriber Interfaces”
• Individual policy control on subscriber interface (linked to policy server) – eg filters, bandwidth control
• Ties into DHCP dynamically
Diagram: User A (192.168.1.1) and User B (192.168.1.2) arrive on VLAN 101 via an L3 switch at the Access Controller / BRAS. Subscriber Interface A (IP demux 192.168.1.1): rate limit Internet to 512k. Subscriber Interface B (IP demux 192.168.1.2): rate limit Internet to 2M, prioritise VoIP to strict priority queue, add firewall policies.
Generic Web Login process
Diagram: AP -> switch layer -> routing layer / upstream router (DHCP relay point) -> Access Controller / BRAS (inbuilt DHCP server) -> Internet & service access; GE/FE links; Radius and Weblogin - Policy Server attached to the BRAS.
WEB login sequence
1. IP assignment through DHCP & subscriber interface comes up – Dynamic SI
2. HTTP redirected and show the portal web page
3. Input subscriber ID and password
4. Radius authentication
4. Download policies
WEB logout sequence
1. (Access the portal & click on logout button) or (DHCP lease expired)
2. Radius accounting
2. (Reset policies) or (Delete subscriber interface) – Dynamic SI
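The login and logout sequences above, as an added example that is not code from the presentation: a small in-process model of the BRAS in which a DHCP ACK brings up a dynamic subscriber interface with a redirect-to-portal policy, a successful web login (RADIUS stubbed in-process) swaps in the per-user policy and starts accounting, and logout or lease expiry resets or deletes the SI. The portal URL, policy attributes and user database are assumptions.

```python
"""Captive-portal (DHCP web login) subscriber lifecycle on the BRAS (added example).

Subscriber interfaces (SIs) are keyed by the IP the DHCP server handed out;
RADIUS and the policy server are stand-ins. All names below are assumed.
"""
PORTAL_URL = "https://portal.example.net/login"                   # assumed
DEFAULT_POLICY = {"redirect_http": PORTAL_URL, "rate": "64k"}     # pre-login policy
USER_DB = {"alice": ("s3cret", {"redirect_http": None, "rate": "2M"})}  # assumed RADIUS user


class Bras:
    def __init__(self):
        self.si = {}          # ip -> {"mac", "policy", "user"}
        self.accounting = []  # RADIUS accounting records (start/stop)

    # 1. DHCP assignment brings up a dynamic subscriber interface with default policy
    def dhcp_ack(self, mac, ip):
        self.si[ip] = {"mac": mac, "policy": dict(DEFAULT_POLICY), "user": None}

    # 2. HTTP from an unauthenticated SI is policy-routed to the portal
    def http(self, ip, url):
        p = self.si[ip]["policy"]
        return ("redirect", p["redirect_http"]) if p["redirect_http"] else ("forward", url)

    # 3/4. Portal posts credentials; RADIUS authentication, then policies downloaded
    def web_login(self, ip, user, password):
        rec = USER_DB.get(user)
        if rec is None or rec[0] != password or ip not in self.si:
            return False                      # Access-Reject: SI keeps the default policy
        self.si[ip]["policy"] = dict(rec[1])  # policy server pushes the per-user policy
        self.si[ip]["user"] = user
        self.accounting.append(("start", user, ip))
        return True

    # Logout: portal logout button, or DHCP lease expired
    def web_logout(self, ip, lease_expired=False):
        ent = self.si.get(ip)
        if ent is None:
            return
        if ent["user"]:
            self.accounting.append(("stop", ent["user"], ip))
        if lease_expired:
            del self.si[ip]                   # delete the dynamic SI
        else:
            ent["policy"], ent["user"] = dict(DEFAULT_POLICY), None  # reset policies


def demo():
    """Constructed walk-through: redirect, failed login, login, forward, lease expiry."""
    b = Bras()
    b.dhcp_ack("00:11:22:33:44:55", "192.168.1.1")
    before = b.http("192.168.1.1", "http://www.google.com/")
    ok_bad = b.web_login("192.168.1.1", "alice", "wrong")
    ok = b.web_login("192.168.1.1", "alice", "s3cret")
    after = b.http("192.168.1.1", "http://www.google.com/")
    b.web_logout("192.168.1.1", lease_expired=True)
    return before, ok_bad, ok, after, "192.168.1.1" in b.si, b.accounting
```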
Location information – why?
Generates portal pages based on hotspot location
Enables targeted advertising. eg- promotions for the owner of the hotspot location, revenue sharing (charging models) etc…
Diagram: Hotspot – Cafe and Hotspot – Train Station both connect through the Access Controller / BRAS to the Weblogin - Policy Server. Cafe portal - free sports news..; Train Station portal - free access to timetables, fares..
Location information – how?
PPPoE model
• Easy – layer 2 circuit per hotspot to AC/BRAS
• RADIUS will contain NAS Port ID etc…map back centrally
DHCP model (rely on relay to provide)
• Gateway address (GiAddr field)
• Option 82 information, suboptions (ala RADIUS VSAs)
• Or even layer 3 GRE tunnel back if access network can’t provide info required (also simplifies routing)
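The DHCP-model location lookup above (GiAddr plus Option 82 suboptions), as an added example that is not from the presentation: it builds a constructed DHCPDISCOVER as a relay agent would forward it, parses the giaddr field and the Relay Agent Information option (RFC 3046: suboption 1 Circuit-ID, suboption 2 Remote-ID), and maps the pair to a hotspot. The hotspot table, circuit IDs and addresses are made up.

```python
"""Recover hotspot location from a relayed DHCP request (added example).

Parses giaddr and DHCP Option 82 (Relay Agent Information, RFC 3046) from a
constructed DHCPDISCOVER. The location table and identifiers are assumed.
"""
import socket
import struct

MAGIC = b"\x63\x82\x53\x63"                                 # DHCP magic cookie
HOTSPOTS = {("10.1.1.1", "ap-cafe-01"): "Cafe",              # assumed (giaddr, circuit-id)
            ("10.1.2.1", "ap-station-03"): "Train Station"}


def build_discover(giaddr, circuit_id, remote_id):
    """Constructed relayed DHCPDISCOVER: minimal BOOTP header + options."""
    hdr = struct.pack("!BBBBIHH", 1, 1, 6, 1, 0x3903F326, 0, 0x8000)  # op..flags, hops=1
    hdr += b"\0" * 12                                   # ciaddr, yiaddr, siaddr
    hdr += socket.inet_aton(giaddr)                     # relay agent address
    hdr += bytes.fromhex("001122334455") + b"\0" * 10   # chaddr (16 bytes)
    hdr += b"\0" * 192                                  # sname + file
    sub = bytes([1, len(circuit_id)]) + circuit_id + bytes([2, len(remote_id)]) + remote_id
    opts = b"\x35\x01\x01" + bytes([82, len(sub)]) + sub + b"\xff"  # msg type, opt 82, end
    return hdr + MAGIC + opts


def parse_location(pkt):
    """Return (giaddr, circuit_id, remote_id_hex) from a DHCP packet."""
    if pkt[236:240] != MAGIC:
        raise ValueError("missing DHCP magic cookie")
    giaddr = socket.inet_ntoa(pkt[24:28])
    body = pkt[240:]
    circuit = remote = None
    i = 0
    while i < len(body) and body[i] != 0xFF:            # walk TLV options to End
        if body[i] == 0:                                # pad option
            i += 1
            continue
        code, ln = body[i], body[i + 1]
        val = body[i + 2:i + 2 + ln]
        if code == 82:                                  # walk the suboptions
            j = 0
            while j + 1 < len(val):
                scode, sln = val[j], val[j + 1]
                sval = val[j + 2:j + 2 + sln]
                if scode == 1:
                    circuit = sval.decode("ascii", "replace")
                elif scode == 2:
                    remote = sval.hex()
                j += 2 + sln
        i += 2 + ln
    return giaddr, circuit, remote


def locate(pkt):
    """Map the relay identity to a hotspot name; unknown relays get no location."""
    giaddr, circuit, _ = parse_location(pkt)
    return HOTSPOTS.get((giaddr, circuit), "unknown")
```

A relay that does not insert Option 82 still yields a giaddr, so a deployment can fall back to per-relay pools on giaddr alone.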
Side topic – routing back to WiFi user in DHCP environment
Use location based info to allocate users from address pools; one pool per
• Aggregate routes
• Static, redistributed to IGP; simplified
Central pools ok but..
• Require DHCP relay to store state - snoop address coming back from the server in DHCP offer / ACK
• Also requires redistribution into IGP; scaling issues with that…
Secure access
Why?
• Various access vulnerabilities in simple models
• Session hijacking / spoofing, man in the middle
Two main approaches:
• IPSEC tunneling model
• 802.1x/EAP
WiFi secured access: IPSEC option
Diagram: WiFi user with inbuilt IPSEC client (eg- Win2k, WinXP) -> L2TP/IPSEC connection (RFC3193) over any backhaul transport -> Access Controller / BRAS -> MPLS backbone. RADIUS, Policy Server and LNS* attached. The BRAS terminates IPSEC and keeps control of the PPP session.
IPSEC WiFi access
Pros
• No external client software – inbuilt into Windows
• PPP model gives full per user control (eg- terminate IPSEC and tunnel on L2TP)
• Integrates well into a VPN environment; user sessions terminated to MPLS VPNs at AC/BRAS (PE)
• Can use digital certificates to ensure identity (server and maybe clients also)
Cons:
• Client issues – overhead, PDA support (eg- WinCE today only supports MSCHAPv2?)
IPSEC WiFi access: Japan Case Study
Integration of VPN access for mobile corporate users regardless of access type
Outsource remote access management from corporates, and aggregate users in a layer 3 VPN – common point of subscriber management
Network diagram: WiFi user with native Windows client -> IPSEC / L2TP (RFC 3193) -> Access Controller - BRAS (PE). 3G and 2G users -> GGSN -> LAC -> native L2TP -> the same PE. Users mapped into corporate VPNs (VRFs) across the MPLS backbone; PE -> GE VLAN -> Corp HQ CE.
WiFi secured access: 802.1x/EAP option
Diagram: WiFi user with EAP/802.1x client (eg- WinXP, iPass, Odyssey..) -> EAPoL / 802.1x -> AP -> EAP/RADIUS over any backhaul transport -> Access Controller / BRAS -> MPLS backbone. RADIUS and Policy Server attached to the BRAS.
Note- DHCP happens after EAP authentication
Option - Authentication using 802.1X and EAP on 802.11 - overview
Message sequence between the client, the AP (802.11 / EAPOW) and the RADIUS server (RADIUS):
1. 802.11 Associate-Request (client -> AP)
2. 802.11 Associate-Response (AP -> client); access blocked
3. EAPOW-Start (client -> AP)
4. EAP-Request/Identity (AP -> client)
5. EAP-Response/Identity (client -> AP), forwarded as Radius-Access-Request (AP -> RADIUS server)
6. Radius-Access-Challenge (RADIUS server -> AP), forwarded as EAP-Request (AP -> client)
7. EAP-Response (credentials) (client -> AP), forwarded as Radius-Access-Request (AP -> RADIUS server)
8. Radius-Access-Accept (RADIUS server -> AP), forwarded as EAP-Success (AP -> client)
9. EAPOW-Key (WEP..) (AP -> client); access allowed
Source: Microsoft
EAP/802.1x WiFi access
Pros
• EAP/802.1x built into WinXP
• Flexible authentication architecture – many different EAP options eg- GSM SIM using EAP/SIM, EAP-MD5, LEAP, Smartcards etc…
• Can handle interAP roaming with 802.11f
• Adopted in the corporate market
Cons:
• Doesn’t address core network / VPN portion, just secures access layer
• Today uses session keys vs temporal (WPA, coming in 802.11i)
• Need smarts to keep per user control in the network without double logon
Maintaining subscriber control when using 802.1x/EAP environment
“RADIUS relay” concept
802.1x access points have a Radius client; EAP messages are encapsulated in Radius messages
Host MAC address in the Calling-Station-Id attribute
Radius relay (BRAS) uses the @domain name to forward the Radius request to an external EAP capable Radius proxy or server
BRAS relay stores the host MAC address (and maybe user) and awaits authorization data (VR to use, IP pool/address to use, filters, etc)
DHCP request, based on the host MAC address, creates the subscriber interface in the proper context, allocates an IP address and assigns default policies. Policy server control with no Web login
Access point creates Radius authentication and accounting (stop)
Diagram: 802.1x AP -> any backhaul transport -> BRAS (Radius Relay, DHCP) -> RADIUS Server; Policy Server attached to the BRAS.
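The relay logic described above, as an added example that is not the presentation's or any vendor's code: the BRAS picks the home RADIUS server from the @domain in the EAP identity, keys state on the Calling-Station-Id MAC, stores the authorisation attributes returned in Access-Accept, and applies them when that MAC later sends DHCP, with no web login; an Accounting-Stop tears the state down. Realms, server names, attribute names and user accounts are assumptions, and the remote servers are stubbed in-process.

```python
"""RADIUS relay on the BRAS for 802.1x/EAP hotspots (added example).

Realm-to-server mapping, the remote EAP servers and the authorisation
attributes (VR, pool, filter) are all assumed stand-ins.
"""
REALM_SERVERS = {"operator.example": "radius-a", "partner.example": "radius-b"}

# Stand-in for the external EAP-capable RADIUS servers and their accounts.
REMOTE_DB = {
    "radius-a": {"alice@operator.example": {"vr": "WiFi-VR", "pool": "pool-a", "filter": "basic"}},
    "radius-b": {"bob@partner.example": {"vr": "Partner-VR", "pool": "pool-b", "filter": "vpn"}},
}


def remote_radius(server, identity):
    """Stub EAP authentication on the home server: Accept carries authorisation attrs."""
    auth = REMOTE_DB.get(server, {}).get(identity)
    return ("Access-Accept", auth) if auth else ("Access-Reject", None)


class RadiusRelay:
    def __init__(self):
        self.pending = {}   # mac -> identity, request forwarded and awaiting a reply
        self.authz = {}     # mac -> authorisation attrs stored from Access-Accept
        self.si = {}        # mac -> subscriber interface created on DHCP

    def access_request(self, eap_identity, calling_station_id):
        """Access-Request from the AP (EAP inside RADIUS); forward by @domain."""
        mac = calling_station_id.lower()
        realm = eap_identity.rpartition("@")[2]
        server = REALM_SERVERS.get(realm)
        if server is None:
            return "Access-Reject"            # unknown realm: reject, keep no state
        self.pending[mac] = eap_identity
        code, auth = remote_radius(server, eap_identity)
        if code == "Access-Accept":
            self.authz[mac] = auth            # remember VR / pool / filter for this MAC
        self.pending.pop(mac, None)
        return code

    def dhcp_discover(self, mac):
        """DHCP from an authenticated MAC: create the SI in the right VR context."""
        auth = self.authz.get(mac.lower())
        if auth is None:
            return None                       # no 802.1x authorisation: no SI, no address
        self.si[mac.lower()] = {"vr": auth["vr"], "pool": auth["pool"], "filter": auth["filter"]}
        return self.si[mac.lower()]

    def accounting_stop(self, mac):
        """Accounting-Stop from the AP: tear down the SI and forget the authorisation."""
        self.si.pop(mac.lower(), None)
        self.authz.pop(mac.lower(), None)
```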
Summary
Which access model?
• PPPoE is nice, but often not practical
• DHCP – web login models now can provide good per user control, and location info etc
Where am I? Location information
• Key for WiFi business models eg- generate content based on location (virtualised)
Security
• IPSEC is a good end-end mechanism, integration with VPNs
• EAP is flexible and useful in access, but needs to tie in with core network and per user control
Thank you…!
Contact: [email protected]
802.11 variants
802.11a 5.4MHz, OFDM, 54 Mbps, 10+ channels
802.11b 2.4GHz, DSSS, 11 Mbps, 3 channels
802.11d Enhancements to meet country specific regulations
802.11e Quality of Service
802.11f Inter-Access Point Protocol, handover between close APs
802.11g 2.4GHz, OFDM, 54Mbps, 3 channels
802.11h Specifically for 5GHz; power control and frequency selection
802.11i Security framework, reference to 802.1x and EAP
See PowerPoint comments page below for more details
Wireless LAN Technologies
            802.11b      802.11a                    HiperLAN2              802.11g
Freq. Band  2.4 GHz      5 GHz                      5 GHz                  2.4 GHz
Coverage    Public,      Public / Private,          Public / Private,      Public,
            Worldwide    US/AP                      Europe                 Worldwide
Data Rate   1-11 Mbps    20-54 Mbps (1-2 yrs),      20-54 Mbps (1-2 yrs)   1-54 Mbps
                         100+ Mbps (future)
PWLAN and Security
WEP encryption (Wired Equivalent Privacy) much criticized in enterprise
• Also it uses static keys, which is not valid for PWLAN as the keys would need to be published
802.1x and EAP delivers improved security for PWLAN
• Introduces dynamic keys at start of session, and PWLAN sessions are short lived (unlike enterprise)
802.11i
• Uses 802.1x which uses EAP and allows dynamic keys
• Firmware upgrade for TKIP then hardware upgrade for improved AES encryption
• Poses transition complexity for existing user base
WPA (Wi-Fi Protected Access) is an interim step to 802.11i
• Uses 802.1x and EAP and TKIP but no AES
802.1x Overview – make up for deficiencies in WEP, which uses static keys
IEEE 802.1x-2001: Port-Based Network Access Control
• Prior to authentication traffic is restricted to the authentication server
RFC 2284 (1998): PPP Extensible Authentication Protocol (EAP)
• EAP encapsulated in Radius for transport to EAP enabled AAA server
• Many variations EAP/TLS and EAP-PEAP supported by Microsoft, MD5, OTP, LEAP (Cisco), and SIM (GSM Subscriber Identity Module)
IEEE 802.11i Framework Specification
• Specifies use of 802.1x and EAP for authentication and encryption key
• New encryption in access point
• Access Points need firmware upgrade to TKIP then new hardware for AES
PWLAN and Mobile
3GPP standards org defined five scenarios for PWLAN integration with 3G
• From common authentication to seamless handover of voice service
• Specified 802.1x based authentication
• Part of 3GPP Release 6, specified in TS 23.234
But, real deployments are occurring well in advance of 3GPP R6……so:
GSM Association WLAN Task Force issued guidelines for pre Release 6
• Web based login initially, transitioning to the 3GPP release 6 spec
A SIM located in WLAN cards will use authentication based on EAP/SIM
• Eg- Use of SIM dongle
EAP to SS7 gateways will allow mobile HLR / HSSs to authenticate the WLAN card
Authenticating against the GSM HLR
Existing database with all mobile subscriber information
Existing provisioning and customer care systems are used
EAP/SIM can offer GSM equivalent authentication and encryption
Gateway between RADIUS/IP and MAP/SS7 is required
• Eg Funk Software Steel Belted Radius/SS7 Gateway
• Ulticom Signalware SS7 software
• Sun server E1/T1 interface card
• An overview of the product is in this attachment:
• Major vendors Ericsson, Siemens, Nokia all have or are developing their own offer
802.1x EAP/SIM authentication from HLR – Transparent RADIUS relay
Diagram: Client -(EAPoL)-> Authenticator -(RADIUS)-> BRAS AC (RADIUS Relay) -(RADIUS)-> RADIUS/SS-7 GW -(Gr interface, MAP/SS7)-> HLR.
Client - Authentication: the EAP exchange is relayed transparently from the authenticator through the BRAS to the RADIUS/SS-7 GW, which authenticates against the HLR over the Gr interface.
Client – IP Address Assignment: DHCP Discover, DHCP Offer, DHCP Request, DHCP Ack {address = End User address from GGSN}.
Tight integration proposed by 3GPP
Diagram: Client -(EAPoL)-> Authenticator -(RADIUS)-> Access Controller, RADIUS Relay -(RADIUS)-> RADIUS/SS-7 GW -(Gr interface)-> HLR; Access Controller -(GPRS Tunneling Protocol)-> GGSN.
Client - Authentication: via the RADIUS/SS-7 GW and HLR, as in the transparent relay case.
Client – IP Address Assignment: Create PDP Context {IP, transparent mode APN, IMSI/NSAPI, MSISDN, dynamic address requested} (Access Controller -> GGSN); Create PDP Context Response {End User Address} (GGSN -> Access Controller); then DHCP Discover, DHCP Offer, DHCP Request, DHCP Ack {address = End User address from GGSN}. On lease expiration: Delete PDP Context Request (Access Controller -> GGSN).
Real time handover…
Many access types – WLAN, 3G, GPRS…
Mobile IP could provide reasonable real-time macro roaming between cellular and WLAN access types (also alternates such as 802.16/WiMax)
Supported for dual mode CPE/handsets
• Eg- Dual Mode NEC cellphone with WLAN as trialed in DoCoMo
• PDAs with WLAN and CDMA 1x/EVDO or GPRS/WCDMA
• Notebooks with cellular data or dual mode cards
Off the shelf client software available today – IPUnplugged, Birdstep
Challenges- VoIP, WLAN automated logon (eg- 802.1x could solve this), whether applications/OS can handle address changes
Overview of Mobile IPv4 (RFC2002)
1. MN discovers Foreign Agent (FA)
2. MN obtains COA (FA - Care Of Address)
3. MN registers with FA which relays registration to HA
4. HA tunnels packets from CN to MN through FA
5. FA forwards packets from MN to CN or reverse tunnels through HA (RFC3024)
Diagram: MN attached to the FA, with HA and CN across the Internet; steps 1 and 2 between MN and FA, step 3 FA to HA, step 4 HA to MN via FA, step 5 FA to CN.
Mobile IP Interworking with UMTS/GPRS
Recommends use of FA Care Of Addresses (CoA), not collocated, to conserve IPv4 addresses
Source: 3GPP
Registration Process to GGSN FA
IPv4 - Registration UMTS/GPRS + MIP, FA care-of address
Participants: TE, MT, SGSN, GGSN/FA, Home Network
1. AT Command (APN) (TE -> MT)
2. Activate PDP Context Request (APN=MIPv4FA) (MT -> SGSN)
A. Select suitable GGSN (SGSN)
3. Create PDP Context Request (APN=MIPv4FA) (SGSN -> GGSN/FA)
4. Create PDP Context Response (no PDP address) (GGSN/FA -> SGSN)
5. Activate PDP Context Accept (no PDP address) (SGSN -> MT)
6. Agent Advertisement (GGSN/FA -> TE)
7. MIP Registration Request (TE -> GGSN/FA)
8. MIP Registration Request (GGSN/FA -> Home Network)
9. MIP Registration Reply (Home Network -> GGSN/FA)
10. MIP Registration Reply (GGSN/FA -> TE)
Overview of Mobile IPv6 – removes need for external FA in future 3GPP systems
1. MN obtains IP address using stateless or stateful autoconfiguration
2. MN registers with HA
3. HA tunnels packets from CN to MN
4. MN sends packets directly to CN or via tunnel to HA
• Binding Update from MN to CN removes HA from path.
Diagram: MN, HA and CN across the Internet; steps 1 and 2 between MN and HA, step 3 HA to MN, step 4 MN to CN directly (or via HA).