WiFi Hotspot Service Control Design & Case Study Overview Simon Newstead APAC Product Manager snewstead@juniper.net Copyright © 2003 Juniper Networks, Inc. Proprietary and Confidential www.juniper.net 1 Agenda Overview of different access models Identifying the user location Secure access options Case studies (as we go) Copyright © 2003 Juniper Networks, Inc. CONFIDENTIAL www.juniper.net 2 WiFi control - access models PPPoE RADIUS PPPoE connection MPLS Backbone WiFi User with PPPoE client (WinXP or 3rd party) Layer 2 Backhaul Transport (Bridged1483, Metro E) Access Controller BRAS LNS* Policy Server AAAA Terminate PPP session into VR/VRF or tunnel on via L2TP Fine grained QoS / bandwidth control Dynamic Policy Enforcement (COPS) Lawful Intercept etc… Copyright © 2003 Juniper Networks, Inc. CONFIDENTIAL www.juniper.net 3 PPPoE access model - discussion Pros: • Full per user control with inbuilt PPP mechanisms (authentication, keepalives etc.) • Individual policy control per user simplified • Wholesale is simplified and possible at layer 2 and layer 3 • Leverages the broadband BRAS model used in DSL – virtually no changes Cons: • Requires external client software (maybe even with XP) – no “auto launch” by default • Only works in a bridged access environment; often not possible • Layer 3 access network requires use of native LAC client (BRAS acts as LNS or tunnel switch) – client support issues Copyright © 2003 Juniper Networks, Inc. CONFIDENTIAL www.juniper.net 4 PPPoE access model Case Study – Japanese Provider Hotspot AP ATM Bridged 1483 RADIUS ISP VR Bridging DSL modem Backbone WiFi Users with PPPoE client joe@wifi-isp.co.jp WiFi VR DSL Users with PPPoE client joe@dsl-isp.co.jp Bridging DSL modem WiFi operator network Access Controller BRAS Mapping of user to VR based on RADIUS, domain mapping Copyright © 2003 Juniper Networks, Inc. CONFIDENTIAL www.juniper.net 5 WiFi control - access models DHCP model – Web Login External DHCP Server* DHCP MPLS Backbone WiFi User with inbuilt DHCP client. Layer 2 or Layer 3 Backhaul (any) Access Controller BRAS Policy Server / Web Login Server DHCP Server or Relay* Initial policy route to Web logon server Fine grained QoS / bandwidth control Dynamic Policies (COPS) Accounting Lawful Intercept etc… Copyright © 2003 Juniper Networks, Inc. CONFIDENTIAL www.juniper.net 6 DHCP Web Login model - discussion Pros • No external client software – inbuilt DHCP – lower barriers • Any access network – eg L3 wholesale DSL, routed Ethernet etc • Web Login provides extra options to operator (branding, advertising, location based content…) Cons: • Wholesale options restricted eg- address allocation – NAT introduces complications (ALG support etc), no tunnelling with L2TP • Greater security / DoS implications – attack DHCP server, Web server • No autologon by default (manual web login process) Need to introduce mechanisms to enable per user control in DHCP environment (mimic PPP) Copyright © 2003 Juniper Networks, Inc. CONFIDENTIAL www.juniper.net 7 DHCP / Web login Case Study – Telstra Mobile Mobile centric service, launched in August 2003 • Available in hotspot locations throughout Australia • Target of 600 hotspot locations in 2004 (Qantas, McDonalds, Hilton etc) • International roaming through the Wireless Broadband Alliance • Time based billing; hourly rate • Login via a password delivered by SMS to a Telstra mobile (credit card payment option for non-Telstra post-paid mobile customers) Lowered barriers to uptake • No special WLAN subscription needed – casual pay-per-user • Captive portal logon using DHCP – no client software required Copyright © 2003 Juniper Networks, Inc. CONFIDENTIAL www.juniper.net 8 How it works - Step One • User opens up web browser and tries to go to Google • Session directed to captive portal on policy server • Choice to enter mobile phone number or username and password • Mobile phone number entered Copyright © 2003 Juniper Networks, Inc. CONFIDENTIAL www.juniper.net 9 Step Two • One-time password sent via SMS to user’s mobile phone • Received password entered into portal page Copyright © 2003 Juniper Networks, Inc. CONFIDENTIAL www.juniper.net 10 Step Three • Upon successful authentication, captive portal is released and original web destination is loaded. • Mini-logout window to facilitate signoff. • Usage billed to user’s mobile phone bill once finished Copyright © 2003 Juniper Networks, Inc. CONFIDENTIAL www.juniper.net 11 Dynamic Policies • Allow greater flexibility of services eg• Free access to Internet for 15 mins without login… or • Internet access only, mail port blocked…or • Internet access but only at 64kbps…or • Walled garden content only • Bandwidth can be dynamically increased and restrictions moved on user authentication and login • Also helps protect against abusive or Worm users (egdynamically limit users down on sliding window basis; consumed more than x MB in past 15 mins) Copyright © 2003 Juniper Networks, Inc. CONFIDENTIAL www.juniper.net 12 Per user control in a DHCP environment Objective - make an IP host on single aggregated interface appear like its own IP interface • Treat hosts as separate logical (demultixed) IP interfaces aka “Subscriber Interfaces” • Individual policy control on subscriber interface (linked to policy server) – eg filters, bandwidth control • Ties into DHCP dynamically User A: 192.168.1.1 User B: 192.168.1.2 Copyright © 2003 Juniper Networks, Inc. Subscriber Interface A IP Demux 192.168.1.1 Rate Limit Internet to 512k L3 Switch VLAN 101 Access Controller BRAS Subscriber Interface B IP Demux 192.168.1.2 Rate Limit Internet to 2M Prioritise VoIP to strict priority queue Add firewall policies CONFIDENTIAL www.juniper.net 13 Weblogin - Policy Server Generic Web Login process DHCP relay point Access Controller BRAS Routing Layer AP FE GE Radius Upstream Router Switch Layer GE GE inbuilt DHCP WEB login sequence server 1. IP assignments through DHCP & subscriber interface come up – Dynamic SI 2. HTTP redirected and show the portal web page 3. Input subscriber ID and password 4. Radius authentication 4. Download policies Internet & service access WEB logout sequence 1. (Access the portal & click on logout button) or (DHCP lease expired) 2. Radius accounting 2. (Reset policies) or (Delete subscriber interface) – Dynamic SI Copyright © 2003 Juniper Networks, Inc. CONFIDENTIAL www.juniper.net 14 Location information – why?? Generates portal pages based on hotspot location Enables targeted advertising. eg- promotions for the owner of the hotspot location, revenue sharing (charging models) etc… Portal - Free access to timetables, fares.. Hotspot – Train Station Access Controller BRAS Portal - Free sports news.. Copyright © 2003 Juniper Networks, Inc. Hotspot – Cafe Weblogin - Policy Server CONFIDENTIAL www.juniper.net 15 Location information – how? PPPoE model • Easy – layer 2 circuit per hotspot to AC/BRAS • RADIUS will contain NAS Port ID etc…map back centrally DHCP model (rely on relay to provide) • Gateway address (GiAddr field) • Option 82 information, suboptions (ala RADIUS VSAs) • Or even layer 3 GRE tunnel back if access network can’t provide info required (also simplifies routing) Copyright © 2003 Juniper Networks, Inc. CONFIDENTIAL www.juniper.net 16 Side topic – routing back to WiFi user in DHCP environment Use location based info to allocate users from address pools; one pool per • Aggregate routes • Static, redistributed to IGP; simplified Central pools ok but.. • Require DHCP relay to store state - snoop address coming back from the server in DHCP offer / ACK • Also requires redistribution into IGP; scaling issues with that… Copyright © 2003 Juniper Networks, Inc. CONFIDENTIAL www.juniper.net 17 Secure access Why? • Various access vulnerabilities in simple models • Session hijacking / spoofing, man in the middle Two main approaches: • IPSEC tunneling model • 802.1x/EAP Copyright © 2003 Juniper Networks, Inc. CONFIDENTIAL www.juniper.net 18 WiFi secured access IPSEC option RADIUS L2TP/IPSEC connection (RFC3193) MPLS Backbone Any Backhaul Transport WiFi User with inbuilt IPSEC client Eg- Win2k, WinXP Access Controller BRAS LNS* Policy Server Terminate IPSEC BRAS control of PPP session Copyright © 2003 Juniper Networks, Inc. CONFIDENTIAL www.juniper.net 19 IPSEC WiFi access Pros • No external client software – inbuilt into Windows • PPP model gives full per user control (eg- terminate IPSEC and tunnel on L2TP) • Integrates well into a VPN environment; user sessions terminated to MPLS VPNs at AC/BRAS (PE) • Can use digital certificates to ensure identity (server and maybe clients also) Cons: • Client issues – overhead, PDA support (eg- WinCE today only supports MSCHAPv2?) Copyright © 2003 Juniper Networks, Inc. CONFIDENTIAL www.juniper.net 20 IPSEC WiFi access Japan Case Study Integration of VPN access for mobile corporate users regardless of access type Outsource remote access management from corporates, and aggregate users in a layer 3 VPN – common point of subscriber management Corp HQ CE Network diagram: Users mapped into corporate VPNs PE GE VLAN IPSEC / L2TP (RFC 3193) MPLS Backbone WiFi User with native Windows Client LAC GGSN Native VRFs L2TP Access Controller - BRAS (PE) 3G and 2G users Copyright © 2003 Juniper Networks, Inc. CONFIDENTIAL www.juniper.net 21 WiFi secured access 802.1/EAP option EAP EAPoL EAP/RADIUS RADIUS 802.1x MPLS Backbone AP Any Backhaul Transport Access Controller BRAS WiFi User with EAP/802.1x client eg- WinXP, iPass, Odyssey.. Copyright © 2003 Juniper Networks, Inc. Policy Server Note- DHCP happens after EAP authentication CONFIDENTIAL www.juniper.net 22 Option - Authentication using 802.1X and EAP on 802.11 - overview RADIUS Server Association Access blocked 802.11 Associate-Request 802.11 RADIUS 802.11 Associate-Response EAPOW-Start EAPOW EAP-Request/Identity EAP-Response/Identity EAP-Request EAP-Response (credentials) EAP-Success Source: Microsoft Copyright © 2003 Juniper Networks, Inc. EAPOW-Key (WEP..) Radius-Access-Request Radius-Access-Challenge Radius-Access-Request Radius-Access-Accept Access allowed CONFIDENTIAL www.juniper.net 23 EAP/802.1x WiFi access Pros • EAP/802.1x built into WinXP • Flexible authentication architecture – many different EAP options egGSM SIM using EAP/SIM, EAP-MD5, LEAP, Smartcards etc… • Can handle interAP roaming with 802.11f • Adopted in the corporate market Cons: • Doesn’t address core network / VPN portion, just secures access layer • Today uses session keys vs temporal (WPA, coming in 802.11i) • Need smarts to keep per user control in the network without double logon Copyright © 2003 Juniper Networks, Inc. CONFIDENTIAL www.juniper.net 24 Maintaining subscriber control when using 802.1x/EAP environment “RADIUS relay” concept 802.1x access points have Radius client, EAP messages encapsulated in Radius messages Host MAC address in the calling-station-attribute Radius relay (BRAS) uses @domain name to forward Radius request to an external EAP capable Radius proxy or server BRAS relay stores Host MAC address (and maybe user) and awaits authorization data (VR to use, IP pool/address to use, filters, etc) DHCP request, based on the host MAC address, creates subscriber interface in proper context allocates IP address, assign default policies. Policy server control with no Web login Access point creates Radius authentication and accounting (stop) Policy Server DHCP Radius Relay Any Backhaul 802.1x AP Transport Copyright © 2003 Juniper Networks, Inc. RADIUS Server CONFIDENTIAL www.juniper.net 25 Summary Which access model? • PPPoE is nice, but often not practical • DHCP – web login models now can provide good per user control, and location info etc Where am I? Location information • Key for WiFi business models eg- generate content based on location (virtualised) Security • IPSEC is a good end-end mechanism, integration with VPNs • EAP is flexible and useful in access, but needs to tie in with core network and per user control Copyright © 2003 Juniper Networks, Inc. CONFIDENTIAL www.juniper.net 26 Thank you…! Contact: snewstead@juniper.net Copyright © 2003 Juniper Networks, Inc. CONFIDENTIAL www.juniper.net 27 802.11 variants 802.11a 5.4MHz, OFDM, 54 Mbps, 10+ channels 802.11b 2.4GHz, DSSS, 11 Mbps, 3 channels 802.11d Enhancements to meet country specific regulations 802.11e Quality of Service 802.11f Inter-Access Point Protocol, handover between close APs 802.11g 2.4GHz, OFDM, 54Mbps, 3 channels 802.11h Specifically for 5GHz; power control and frequency selection 802.11i Security framework, reference to 802.1x and EAP See PowerPoint comments page below for more details Copyright © 2003 Juniper Networks, Inc. CONFIDENTIAL www.juniper.net 28 Wireless LAN Technologies 802.11b 802.11g 2.4 GHz Public 2.4 GHz Public Coverage Worldwide Worldwide Freq. Band Data Rate 1-11 Mbps Copyright © 2003 Juniper Networks, Inc. 1-54 Mbps 802.11a 5 GHz / Public / Private US/AP 20-54 Mbps (1-2 yrs) 100+ Mbps (future) HiperLAN2 5 GHz Europe 20-54 Mbps (1-2 yrs) CONFIDENTIAL www.juniper.net 29 PWLAN and Security WEP encryption (Wireless Equivalent Protocol) much criticized in enterprise • Also it uses static keys which is not valid for PWLAN as keys would need to be published 802.1x and EAP delivers improved security for PWLAN • Introduces dynamic keys at start of session, and PWLAN sessions are short lived (unlike enterprise) 802.11i • Uses 802.1x which uses EAP and allows dynamic keys • Firmware upgrade for TKIP then hardware upgrade for improved AES encryption • Poses transition complexity for existing user base WPA (Wi-Fi Protected Access) is an interim step to 802.11i • Uses 802.1x and EAP and TKIP but no AES Copyright © 2003 Juniper Networks, Inc. CONFIDENTIAL www.juniper.net 30 802.1x Overview Make up for deficiencies in WEP which uses static keys IEEE 802.1x-2001: Port-Based Network Access Control • Prior to authentication traffic is restricted to the authentication server RFC 2284 (1998): PPP Extensible Authentication Protocol (EAP) • EAP encapsulated in Radius for transport to EAP enabled AAA server • Many variations EAP/TLS and EAP-PEAP supported by Microsoft, MD5, OTP, LEAP (Cisco), and SIM (GSM Subscriber Identity Module) IEEE 802.11i Framework Specification • Specifies use of 802.1x and EAP for authentication and encryption key • New encryption in access point • Access Points need firmware upgrade to TKIP then new hardware for AES Copyright © 2003 Juniper Networks, Inc. CONFIDENTIAL www.juniper.net 31 PWLAN and Mobile 3GPP standards org defined five scenarios for PWLAN integration with 3G • From common authentication to seamless handover of voice service • Specified 802.1x based authentication • Part of 3GPP Release 6, specified in TS 23.234 But, real deployments are occurring well in advance of 3GPP R6……so: GSM Association WLAN Task Force issued guidelines for pre Release 6 • Wed based login initially transitioning to 3GPP release 6 spec A SIM located in WLAN cards will use authentication based on EAP/SIM • Eg- Use of SIM dongle EAP to SS7 gateways will allow mobile HLR / HSSs to authenticate the WLAN card Copyright © 2003 Juniper Networks, Inc. CONFIDENTIAL www.juniper.net 32 Authenticating against the GSM HLR Existing database with all mobile subscriber information Existing provisioning and customer care systems are used EAP/SIM can offer GSM equivalent authentication and encryption Gateway between RADIUS/IP and MAP/SS7 is required • Eg Funk Software Steel Belted Radius/SS7 Gateway • Ulticom Signalware SS7 software • Sun server E1/T1 interface card • An overview of the product is in this attachment: • Major vendors Ericsson, Siemens, Nokia all have or are developing their own offer Copyright © 2003 Juniper Networks, Inc. CONFIDENTIAL www.juniper.net 33 802.1x EAP/SIM authentication from HLR Transparent RADIUS relay MAP SS7 GW Authenticator Client EAPoL BRAS AC, RADIUS/SS-7 (RADIUS Relay) GW HLR HLR RADIUS RADIUS Client Authentication Gr Interface DHCP Discover Client – IP Address Assignment DHCP Offer DHCP Request DHCP Ack {address = End User address from GGSN} Copyright © 2003 Juniper Networks, Inc. CONFIDENTIAL www.juniper.net 34 Tight integration proposed by 3GPP HLR GPRS Tunneling Protocol Client Authenticator EAPoL Access Controller, RADIUS/SS-7 RADIUS Relay GW HLR GGSN GGSN RADIUS RADIUS Client Authentication Gr Interface Create PDP Context {IP, transparent mode APN, IMSI/NSAPI, MSISDN, dynamic address requested} Create PDP Context Response {End User Address} DHCP Discover Client – IP Address Assignment DHCP Offer DHCP Request DHCP Ack {address = End User address from GGSN} Lease expiration Delete PDP Context Request Copyright © 2003 Juniper Networks, Inc. CONFIDENTIAL www.juniper.net 35 Real time handover… Many access types – WLAN, 3G, GPRS… Mobile IP could provide reasonable real-time macro roaming between cellular and WLAN access types (also alternates such as 802.16/WiMax) Supported for dual mode CPE/handsets • Eg- Dual Mode NEC cellphone with WLAN as trialed in DoCoMo • PDAs with WLAN and CDMA 1x/EVDO or GPRS/WCDMA • Notebooks with cellular data or dual mode cards Off the shelf client software available today – IPUnplugged, Birdstep Challenges- VoIP, WLAN automated logon (eg- 802.1x could solve this), applications/OS can handle address changes Copyright © 2003 Juniper Networks, Inc. CONFIDENTIAL www.juniper.net 36 Overview of Mobile IPv4 (RFC2002) CN 5. 4. FA 1. and 2. HA 3. Internet MN 1. MN discovers Foreign Agent (FA) 2. MN obtains COA (FA - Care Of Address) 3. MN registers with FA which relays registration to HA 4. HA tunnels packets from CN to MN through FA 5. FA forwards packets from MN to CN or reverse tunnels through HA (RFC3024) Copyright © 2003 Juniper Networks, Inc. CONFIDENTIAL www.juniper.net 37 Mobile IP Interworking with UMTS/GPRS Recommends use of FA Care Of Addresses (CoA), not collocated, to conserve IPv4 addresses Source: 3GPP Copyright © 2003 Juniper Networks, Inc. CONFIDENTIAL www.juniper.net 38 Registration Process to GGSN FA IPv4 - Registration UMTS/GPRS + MIP , FA care-of address TE SGSN MT 1. AT Command (APN) 2. Activate PDP Context Request ( APN=MIPv4FA ) A. Select suitable GGSN 5. Activate PDP Context Accept (no PDP address) GGSN/FA Home Network 3. Create PDP Context Request ( APN=MIPv4FA ) 4. Create PDP Context Response (no PDP address) 6. Agent Advertisement 7. MIP Registration Request 8. MIP Registration Request 9. MIP Registration Reply 10. MIP Registration Reply Copyright © 2003 Juniper Networks, Inc. CONFIDENTIAL www.juniper.net 39 Overview of Mobile IPv6 Removes need for external FA in future 3GPP systems CN 4. 3. HA 1. MN 2. Internet 1. MN obtains IP address using stateless or stateful autoconfiguration 2. MN registers with HA 3. HA tunnels packets from CN to MN 4. MN sends packets directly to CN or via tunnel to HA • Binding Update from MN to CN removes HA from path. Copyright © 2003 Juniper Networks, Inc. CONFIDENTIAL www.juniper.net 40