5/21/2018 04_WiFi Hotspot Service Control Design & Case_2003
Copyright 2003 Juniper Networks, Inc. Proprietary and Confidential www.juniper.net
WiFi Hotspot Service Control
Design & Case Study Overview
Simon Newstead
APAC Product Manager
Agenda
Overview of different access models
Identifying the user location
Secure access options
Case studies (as we go)
WiFi control - access models: PPPoE
[Diagram: WiFi user with PPPoE client (WinXP or 3rd party) -> hotspot AP -> Layer 2 backhaul transport (Bridged 1483, Metro E) -> Access Controller / BRAS -> MPLS backbone. The BRAS talks to RADIUS (AAA) and to a Policy Server, and can hand the PPPoE connection on to an LNS.]
Terminate PPP session into VR/VRF or tunnel on via L2TP
Fine grained QoS / bandwidth control
Dynamic Policy Enforcement (COPS)
Lawful Intercept etc
PPPoE access model - discussion
Pros:
Full per user control with inbuilt PPP mechanisms (authentication, keepalives etc.)
Individual policy control per user simplified
Wholesale is simplified and possible at layer 2 and layer 3
Leverages the broadband BRAS model used in DSL; virtually no changes
Cons:
Requires external client software (maybe even with XP); no autolaunch by default
Only works in a bridged access environment; often not possible
Layer 3 access network requires use of native LAC client (BRAS acts as LNS or tunnel switch); client support issues
PPPoE access model - Case Study - Japanese Provider
[Diagram: WiFi users with PPPoE client -> hotspot AP -> bridging DSL modem -> ATM Bridged 1483 -> Access Controller / BRAS -> backbone. DSL users with PPPoE client -> bridging DSL modem -> the same BRAS. The BRAS holds a WiFi VR (WiFi operator network) and an ISP VR; RADIUS attached.]
Mapping of user to VR based on RADIUS, domain mapping
WiFi control - access models: DHCP model / Web Login
[Diagram: WiFi user with inbuilt DHCP client -> hotspot AP -> Layer 2 or Layer 3 backhaul (any) -> Access Controller / BRAS (DHCP Server or Relay; external DHCP Server optional) -> MPLS backbone. The BRAS talks to RADIUS and to the Policy Server / Web Login Server.]
Initial policy: route to Web logon server
Fine grained QoS / bandwidth control
Dynamic Policies (COPS)
Accounting
Lawful Intercept etc
DHCP Web Login model - discussion
Pros:
No external client software; inbuilt DHCP; lower barriers
Any access network, eg L3 wholesale DSL, routed Ethernet etc
Web Login provides extra options to operator (branding, advertising, location based content)
Cons:
Wholesale options restricted, eg address allocation; NAT introduces complications (ALG support etc), no tunnelling with L2TP
Greater security / DoS implications: attack DHCP server, Web server
No autologon by default (manual web login process)
Need to introduce mechanisms to enable per user control in DHCP environment (mimic PPP)
DHCP / Web login Case Study: Telstra Mobile
Mobile centric service, launched in August 2003
Available in hotspot locations throughout Australia
Target of 600 hotspot locations in 2004 (Qantas, McDonalds, Hilton etc)
International roaming through the Wireless Broadband Alliance
Time based billing; hourly rate
Login via a password delivered by SMS to a Telstra mobile (credit card payment option for non-Telstra post-paid mobile customers)
Lowered barriers to uptake
No special WLAN subscription needed; casual pay-per-use
Captive portal logon using DHCP; no client software required
How it works - Step One
User opens up web browser and tries to go to Google
Session directed to captive portal on policy server
Choice to enter mobile phone number or username and password
Mobile phone number entered
Step Two
One-time password sent via SMS to user's mobile phone
Received password entered into portal page
Step Three
Upon successful authentication, captive portal is released and original web destination is loaded.
Mini-logout window to facilitate signoff.
Usage billed to user's mobile phone bill once finished
Dynamic Policies
Allow greater flexibility of services, eg:
Free access to Internet for 15 mins without login, or
Internet access only, mail port blocked, or
Internet access but only at 64kbps, or
Walled garden content only
Bandwidth can be dynamically increased and restrictions removed on user authentication and login
Also helps protect against abusive or Worm users (eg dynamically limit users down on sliding window basis; consumed more than x MB in past 15 mins)
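A sliding-window volume check of the kind the slide describes, written here as an added example (not code from the deck or from Juniper). It keeps a 15-minute window of per-subscriber byte counts taken from interim accounting updates and returns the policy profile the policy server should push; subscriber names, byte counts and the 50 MB threshold are constructed for the example.

```python
from collections import deque
from dataclasses import dataclass, field

WINDOW_SECONDS = 15 * 60        # "past 15 mins" from the slide
LIMIT_BYTES = 50 * 1024 * 1024  # the slide's "x MB"; 50 MB assumed here
MB = 1024 * 1024


@dataclass
class SubscriberWindow:
    """Byte counts seen for one subscriber, oldest first, with a running total."""
    samples: deque = field(default_factory=deque)   # (timestamp, nbytes)
    total: int = 0

    def add(self, ts: int, nbytes: int) -> None:
        self.samples.append((ts, nbytes))
        self.total += nbytes
        self.expire(ts)

    def expire(self, now: int) -> None:
        # Drop samples that fell out of the window so total only counts recent use.
        while self.samples and now - self.samples[0][0] > WINDOW_SECONDS:
            _, old = self.samples.popleft()
            self.total -= old


class SlidingWindowPolicy:
    """Decides, per subscriber, between the default profile and a throttled one."""

    def __init__(self, limit: int = LIMIT_BYTES) -> None:
        self.limit = limit
        self.windows = {}   # subscriber -> SubscriberWindow

    def record(self, subscriber: str, ts: int, nbytes: int) -> str:
        """Feed one interim accounting sample and return the profile to apply now."""
        self.windows.setdefault(subscriber, SubscriberWindow()).add(ts, nbytes)
        return self.policy_for(subscriber, ts)

    def policy_for(self, subscriber: str, now: int) -> str:
        w = self.windows.get(subscriber)
        if w is None:
            return "default"          # unknown subscriber: nothing to throttle
        w.expire(now)                  # re-evaluate even when no new traffic arrived
        return "throttled-64k" if w.total > self.limit else "default"


# Constructed interim accounting samples: (subscriber, seconds, bytes in interval)
SAMPLES = [
    ("user-a", 0, 2 * MB),
    ("user-b", 0, 30 * MB),
    ("user-b", 300, 30 * MB),     # 60 MB within 5 minutes: over the limit
    ("user-a", 600, 3 * MB),
    ("user-b", 1500, 1 * MB),     # earlier samples have aged out: back to default
]


def run_samples(samples=SAMPLES):
    """Replay the samples through one policy engine; returns the decision per sample."""
    engine = SlidingWindowPolicy()
    return [engine.record(sub, ts, nbytes) for sub, ts, nbytes in samples]


if __name__ == "__main__":
    for sample, decision in zip(SAMPLES, run_samples()):
        print(sample, "->", decision)
```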
Per user control in a DHCP environment
Objective - make an IP host on a single aggregated interface appear like its own IP interface
Treat hosts as separate logical (demultiplexed) IP interfaces, aka Subscriber Interfaces
Individual policy control on subscriber interface (linked to policy server), eg filters, bandwidth control
Ties into DHCP dynamically
[Diagram: User A (192.168.1.1) and User B (192.168.1.2) on VLAN 101 through an L3 switch into the Access Controller / BRAS. Subscriber Interface A (IP demux 192.168.1.1): rate limit Internet to 512k. Subscriber Interface B (IP demux 192.168.1.2): rate limit Internet to 2M, prioritise VoIP to strict priority queue, add firewall policies.]
Generic Web Login process
[Diagram: AP -> switch layer -> Access Controller / BRAS (DHCP relay point or inbuilt DHCP server; dynamic subscriber interfaces) -> upstream router / routing layer -> Internet & service access, over GE/FE links. Weblogin / Policy Server and Radius attached to the BRAS.]
WEB login sequence
1. IP assignment through DHCP & subscriber interface comes up (Dynamic SI)
2. HTTP redirected and show the portal web page
3. Input subscriber ID and password
4. Radius authentication
4. Download policies
WEB logout sequence
1. (Access the portal & click on logout button) or (DHCP lease expired)
2. Radius accounting
2. (Reset policies) or (Delete subscriber interface) (Dynamic SI)
Location information - why?
Generates portal pages based on hotspot location
Enables targeted advertising, eg promotions for the owner of the hotspot location, revenue sharing (charging models) etc
[Diagram: Hotspot Cafe and Hotspot Train Station both connect to the Access Controller / BRAS and the Weblogin / Policy Server. Train station portal: free access to timetables, fares. Cafe portal: free sports news.]
Location information - how?
PPPoE model
Easy; layer 2 circuit per hotspot to AC/BRAS
RADIUS will contain NAS Port ID etc; map back centrally
DHCP model (rely on relay to provide)
Gateway address (GiAddr field)
Option 82 information, suboptions (a la RADIUS VSAs)
Or even layer 3 GRE tunnel back if access network can't provide info required (also simplifies routing)
Side topic: routing back to WiFi user in DHCP environment
Use location based info to allocate users from address pools; one pool per
Aggregate routes
Static, redistributed to IGP; simplified
Central pools ok but..
Require DHCP relay to store state - snoop address coming back from the server in DHCP offer / ACK
Also requires redistribution into IGP; scaling issues with that
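How the relay-provided location information from the two slides above can be consumed, as an added example (not code from the deck or from Juniper): it reads giaddr from the DHCP header and the Option 82 circuit-id suboption, maps the pair to a hotspot and its per-location address pool, and ignores Option 82 that did not arrive through a relay. The hotspot table, relay addresses, circuit-ids and pools are constructed for the example.

```python
import ipaddress

MAGIC_COOKIE = b"\x63\x82\x53\x63"   # start of the DHCP options area
OPT_PAD, OPT_END = 0, 255
OPT_RELAY_AGENT_INFO = 82            # RFC 3046 relay agent information
SUBOPT_CIRCUIT_ID, SUBOPT_REMOTE_ID = 1, 2
GIADDR_OFFSET = 24                   # giaddr sits at bytes 24..27 of the header

# Constructed hotspot table: (relay giaddr, circuit-id) -> (location, pool).
LOCATIONS = {
    ("10.1.1.1", b"ap-cafe-1"): ("Hotspot Cafe", "10.10.1.0/24"),
    ("10.1.2.1", b"ap-station-1"): ("Hotspot Train Station", "10.10.2.0/24"),
}


def parse_tlvs(data: bytes, stop_at_end: bool) -> dict:
    """Walk a code/length/value list; used for both options and option 82 suboptions."""
    out, i = {}, 0
    while i < len(data):
        code = data[i]
        if stop_at_end and code == OPT_PAD:
            i += 1
            continue
        if stop_at_end and code == OPT_END:
            break
        if i + 1 >= len(data):
            raise ValueError("truncated option")
        length = data[i + 1]
        out[code] = data[i + 2:i + 2 + length]
        i += 2 + length
    return out


def relay_location(packet: bytes):
    """Return (location, pool) for a relayed DHCP packet, or None if unusable."""
    if len(packet) < 240 or packet[236:240] != MAGIC_COOKIE:
        raise ValueError("not a DHCP packet")
    giaddr = str(ipaddress.IPv4Address(packet[GIADDR_OFFSET:GIADDR_OFFSET + 4]))
    relay_info = parse_tlvs(packet[240:], stop_at_end=True).get(OPT_RELAY_AGENT_INFO)
    # Option 82 is only trustworthy when the operator's relay inserted it. A relay
    # always fills giaddr, so option 82 arriving with giaddr 0.0.0.0 came straight
    # from a client and is ignored rather than used to pick a location or pool.
    if relay_info is None or giaddr == "0.0.0.0":
        return None
    circuit = parse_tlvs(relay_info, stop_at_end=False).get(SUBOPT_CIRCUIT_ID)
    return LOCATIONS.get((giaddr, circuit))


def build_discover(giaddr: str, circuit_id=None, remote_id=None) -> bytes:
    """Construct a minimal DHCPDISCOVER for testing (sample input, not a capture)."""
    hdr = bytearray(236)
    hdr[0:3] = b"\x01\x01\x06"                  # BOOTREQUEST, Ethernet, hlen 6
    hdr[GIADDR_OFFSET:GIADDR_OFFSET + 4] = ipaddress.IPv4Address(giaddr).packed
    opts = b"\x35\x01\x01"                       # option 53: DHCPDISCOVER
    if circuit_id is not None:
        sub = bytes([SUBOPT_CIRCUIT_ID, len(circuit_id)]) + circuit_id
        if remote_id is not None:
            sub += bytes([SUBOPT_REMOTE_ID, len(remote_id)]) + remote_id
        opts += bytes([OPT_RELAY_AGENT_INFO, len(sub)]) + sub
    return bytes(hdr) + MAGIC_COOKIE + opts + bytes([OPT_END])
```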
Secure access
Why?
Various access vulnerabilities in simple models
Session hijacking / spoofing, man in the middle
Two main approaches:
IPSEC tunneling model
802.1x/EAP
WiFi secured access - IPSEC option
[Diagram: WiFi user with inbuilt IPSEC client (eg Win2k, WinXP) -> hotspot AP -> any backhaul transport -> Access Controller / BRAS -> MPLS backbone. L2TP/IPSEC connection (RFC 3193) from the user to the BRAS, optionally on to an LNS; RADIUS and Policy Server attached to the BRAS.]
Terminate IPSEC
BRAS control of PPP session
IPSEC WiFi access
Pros:
No external client software; inbuilt into Windows
PPP model gives full per user control (eg terminate IPSEC and tunnel on L2TP)
Integrates well into a VPN environment; user sessions terminated to MPLS VPNs at AC/BRAS (PE)
Can use digital certificates to ensure identity (server and maybe clients also)
Cons:
Client issues: overhead, PDA support (eg WinCE today only supports MSCHAPv2?)
IPSEC WiFi access - Japan Case Study
Integration of VPN access for mobile corporate users regardless of access type
Outsource remote access management from corporates, and aggregate users in a layer 3 VPN; common point of subscriber management
Network diagram:
[Diagram: WiFi user with native Windows client -> IPSEC / L2TP (RFC 3193) -> Access Controller - BRAS (PE). 3G and 2G users -> GGSN (LAC) -> native L2TP -> the same BRAS. Users mapped into corporate VPNs (VRFs) across the MPLS backbone to a PE and on to the Corp HQ CE over a GE VLAN.]
WiFi secured access - 802.1x/EAP option
[Diagram: WiFi user with EAP/802.1x client (eg WinXP, iPass, Odyssey..) -- EAPoL -- 802.1x AP -- EAP/RADIUS -- any backhaul transport -- Access Controller / BRAS -> MPLS backbone. RADIUS and Policy Server attached to the BRAS.]
Note: DHCP happens after EAP authentication
Option - Authentication using 802.1X and EAP on 802.11 - overview
[Sequence diagram between the WiFi client, the AP and the RADIUS server. Legs: 802.11 and EAPOW between client and AP, RADIUS between AP and server.]
Access blocked
802.11 Associate-Request
802.11 Associate-Response (Association)
EAPOW-Start
EAP-Request/Identity
EAP-Response/Identity
Radius-Access-Request
Radius-Access-Challenge
EAP-Request
EAP-Response (credentials)
Radius-Access-Request
Radius-Access-Accept
EAP-Success
EAPOW-Key (WEP..)
Access allowed
Source: Microsoft
EAP/802.1x WiFi access
Pros:
EAP/802.1x built into WinXP
Flexible authentication architecture; many different EAP options, eg GSM SIM using EAP/SIM, EAP-MD5, LEAP, Smartcards etc
Can handle inter-AP roaming with 802.11f
Adopted in the corporate market
Cons:
Doesn't address core network / VPN portion, just secures access layer
Today uses session keys vs temporal (WPA, coming in 802.11i)
Need smarts to keep per user control in the network without double logon
Maintaining subscriber control when using 802.1x/EAP environment
RADIUS relay concept: 802.1x access points have a Radius client; EAP messages encapsulated in Radius messages
Host MAC address in the Calling-Station-Id attribute
Radius relay (BRAS) uses @domain name to forward Radius request to an external EAP capable Radius proxy or server
BRAS relay stores Host MAC address (and maybe user) and awaits authorization data (VR to use, IP pool/address to use, filters, etc)
DHCP request, based on the host MAC address, creates subscriber interface in proper context, allocates IP address, assigns default policies. Policy server control with no Web login
Access point creates Radius authentication and accounting (stop)
[Diagram: 802.1x AP -> any backhaul transport -> BRAS (Radius Relay, DHCP) -> Policy Server and external RADIUS Server.]
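One way to implement the relay bookkeeping described above, as an added example rather than code from the deck or from Juniper: realm-based forwarding of Access-Requests, pending state keyed by the Calling-Station-Id MAC, a subscriber interface created only at DHCP time for a host whose Access-Accept was seen, and teardown on Accounting Stop. Realm names, upstream servers, MACs and the authorization attributes (vr, pool, filters) are constructed.

```python
from dataclasses import dataclass

# Constructed realm table: User-Name realm -> upstream EAP-capable RADIUS server.
REALM_SERVERS = {
    "corp.example": "radius-proxy.corp.example",
    "mobile.example": "eap-sim-gateway.mobile.example",
}


@dataclass(frozen=True)
class Authorization:
    """Per-user data the relay waits for: which VR, which pool, which filters."""
    user: str
    vr: str
    pool: str
    filters: tuple


def normalize_mac(calling_station_id: str) -> str:
    """Calling-Station-Id arrives as 00-11-22-AA-BB-CC or 00:11:22:aa:bb:cc."""
    return calling_station_id.strip().lower().replace("-", ":")


class RadiusRelay:
    def __init__(self) -> None:
        self.pending = {}      # mac -> (User-Name, upstream) awaiting a decision
        self.authorized = {}   # mac -> Authorization, ready for the DHCP request
        self.subscribers = {}  # mac -> subscriber interface built at DHCP time

    def access_request(self, user_name: str, calling_station_id: str):
        """Pick the upstream by @domain and remember the host MAC; None = reject."""
        if "@" not in user_name:
            return None
        upstream = REALM_SERVERS.get(user_name.rpartition("@")[2])
        if upstream is None:
            return None
        self.pending[normalize_mac(calling_station_id)] = (user_name, upstream)
        return upstream

    def access_accept(self, calling_station_id: str, attrs: dict) -> bool:
        """Store the authorization returned for a MAC we actually forwarded for."""
        mac = normalize_mac(calling_station_id)
        if mac not in self.pending:
            return False       # unsolicited Accept: ignore, never create state
        user, _ = self.pending.pop(mac)
        self.authorized[mac] = Authorization(
            user, attrs["vr"], attrs["pool"], tuple(attrs.get("filters", ())))
        return True

    def dhcp_request(self, mac: str):
        """Subscriber interface for an authenticated host, else None (no lease)."""
        mac = normalize_mac(mac)
        auth = self.authorized.get(mac)
        if auth is None:
            return None
        si = {"user": auth.user, "vr": auth.vr, "pool": auth.pool,
              "filters": list(auth.filters)}
        self.subscribers[mac] = si
        return si

    def accounting_stop(self, calling_station_id: str) -> bool:
        """Accounting Stop from the AP tears down the subscriber interface."""
        mac = normalize_mac(calling_station_id)
        self.authorized.pop(mac, None)
        return self.subscribers.pop(mac, None) is not None
```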
Summary
Which access model?
PPPoE is nice, but often not practical
DHCP web login models now can provide good per user control, and location info etc
Where am I? Location information
Key for WiFi business models, eg generate content based on location (virtualised)
Security
IPSEC is a good end-end mechanism, integration with VPNs
EAP is flexible and useful in access, but needs to tie in with core network and per user control
Thank you!
Contact: [email protected]
802.11 variants
802.11a 5.4MHz, OFDM, 54 Mbps, 10+ channels
802.11b 2.4GHz, DSSS, 11 Mbps, 3 channels
802.11d Enhancements to meet country specific regulations
802.11e Quality of Service
802.11f Inter-Access Point Protocol, handover between close APs
802.11g 2.4GHz, OFDM, 54Mbps, 3 channels
802.11h Specifically for 5GHz; power control and frequency selection
802.11i Security framework, reference to 802.1x and EAP
See PowerPoint comments page below for more details
Wireless LAN Technologies
              802.11b      802.11a                  HiperLAN2              802.11g
Freq. band    2.4 GHz      5 GHz                    5 GHz                  2.4 GHz
              Public       Public / Private                                Public
Coverage      Worldwide    US/AP                    Europe                 Worldwide
Data rate     1-11 Mbps    20-54 Mbps (1-2 yrs)     20-54 Mbps (1-2 yrs)   1-54 Mbps
                           100+ Mbps (future)
PWLAN and Security
WEP encryption (Wireless Equivalent Protocol) much criticized in enterprise
Also it uses static keys which is not valid for PWLAN as keys would need to be published
802.1x and EAP delivers improved security for PWLAN
Introduces dynamic keys at start of session, and PWLAN sessions are short lived (unlike enterprise)
802.11i
Uses 802.1x which uses EAP and allows dynamic keys
Firmware upgrade for TKIP then hardware upgrade for improved AES encryption
Poses transition complexity for existing user base
WPA (Wi-Fi Protected Access) is an interim step to 802.11i
Uses 802.1x and EAP and TKIP but no AES
802.1x Overview
Make up for deficiencies in WEP which uses static keys
IEEE 802.1x-2001: Port-Based Network Access Control
Prior to authentication traffic is restricted to the authentication server
RFC 2284 (1998): PPP Extensible Authentication Protocol (EAP)
EAP encapsulated in Radius for transport to EAP enabled AAA server
Many variations: EAP/TLS and EAP-PEAP supported by Microsoft, MD5, OTP, LEAP (Cisco), and SIM (GSM Subscriber Identity Module)
IEEE 802.11i Framework Specification
Specifies use of 802.1x and EAP for authentication and encryption key
New encryption in access point
PWLAN and Mobile
3GPP standards org defined five scenarios for PWLAN integration with 3G
From common authentication to seamless handover of voice service
Specified 802.1x based authentication
Part of 3GPP Release 6, specified in TS 23.234
But, real deployments are occurring well in advance of 3GPP R6, so:
GSM Association WLAN Task Force issued guidelines for pre Release 6
Web based login initially, transitioning to 3GPP release 6 spec
A SIM located in WLAN cards will use authentication based on EAP/SIM
Eg- Use of SIM dongle
EAP to SS7 gateways will allow mobile HLR / HSSs to authenticate the WLAN card
Authenticating against the GSM HLR
Existing database with all mobile subscriber information
Existing provisioning and customer care systems are used
EAP/SIM can offer GSM equivalent authentication and encryption
Gateway between RADIUS/IP and MAP/SS7 is required
Eg Funk Software Steel Belted Radius/SS7 Gateway
Ulticom Signalware SS7 software
Sun server E1/T1 interface card
An overview of the product is in this attachment:
Major vendors Ericsson, Siemens, Nokia all have or are developing their own offer
802.1x EAP/SIM authentication from HLR - Transparent RADIUS relay
[Sequence diagram: Client -- EAPoL -- Authenticator (802.1x AP) -- RADIUS -- BRAS AC (RADIUS Relay) -- RADIUS -- RADIUS/SS-7 GW -- Gr interface (MAP/SS7) -- HLR.]
Client authentication: EAP/SIM exchange relayed transparently through the BRAS to the RADIUS/SS-7 gateway and the HLR
Client IP address assignment: DHCP Discover, DHCP Offer, DHCP Request, DHCP Ack {address = End User address from GGSN}
Tight integration proposed by 3GPP
[Sequence diagram: Client -- EAPoL -- Authenticator -- RADIUS -- Access Controller (RADIUS Relay) -- RADIUS -- RADIUS/SS-7 GW -- Gr interface -- HLR; Access Controller -- GPRS Tunneling Protocol -- GGSN.]
Client authentication: EAP/SIM exchange relayed through the Access Controller to the RADIUS/SS-7 gateway and the HLR
Create PDP Context {IP, transparent mode APN, IMSI/NSAPI, MSISDN, dynamic address requested} from the Access Controller to the GGSN
Create PDP Context Response {End User Address}
Client IP address assignment: DHCP Discover, DHCP Offer, DHCP Request, DHCP Ack {address = End User address from GGSN}
Lease expiration: Delete PDP Context Request to the GGSN
Real time handover
Many access types: WLAN, 3G, GPRS
Mobile IP could provide reasonable real-time macro roaming between cellular and WLAN access types (also alternates such as 802.16/WiMax)
Supported for dual mode CPE/handsets
Eg Dual Mode NEC cellphone with WLAN as trialed in DoCoMo
PDAs with WLAN and CDMA 1x/EVDO or GPRS/WCDMA
Notebooks with cellular data or dual mode cards
Off the shelf client software available today: IPUnplugged, Birdstep
Challenges: VoIP, WLAN automated logon (eg 802.1x could solve this), applications/OS can handle address changes
Overview of Mobile IPv4 (RFC2002)
1. MN discovers Foreign Agent (FA)
2. MN obtains COA (FA - Care Of Address)
3. MN registers with FA which relays registration to HA
4. HA tunnels packets from CN to MN through FA
5. FA forwards packets from MN to CN or reverse tunnels through HA (RFC3024)
[Diagram: MN, FA, HA and CN connected across the Internet; steps 1 and 2 between MN and FA, step 3 FA to HA, step 4 CN via HA and FA to MN, step 5 FA to CN or via HA.]
Mobile IP Interworking with UMTS/GPRS
Recommends use of FA Care Of Addresses (CoA), not collocated, to conserve IPv4 addresses
Source: 3GPP
Registration Process to GGSN FA
IPv4 - Registration UMTS/GPRS + MIP, FA care-of address
[Sequence diagram with participants TE, MT, SGSN, GGSN/FA and Home Network.]
1. AT Command (APN)
2. Activate PDP Context Request (APN=MIPv4FA)
A. Select suitable GGSN
3. Create PDP Context Request (APN=MIPv4FA)
4. Create PDP Context Response (no PDP address)
5. Activate PDP Context Accept (no PDP address)
6. Agent Advertisement
7. MIP Registration Request
8. MIP Registration Request
9. MIP Registration Reply
10. MIP Registration Reply
Overview of Mobile IPv6 - removes need for external FA in future 3GPP systems
1. MN obtains IP address using stateless or stateful autoconfiguration
2. MN registers with HA
3. HA tunnels packets from CN to MN
4. MN sends packets directly to CN or via tunnel to HA
Binding Update from MN to CN removes HA from path.
[Diagram: MN, HA and CN connected across the Internet; steps 1 and 2 between MN and HA, step 3 CN via HA to MN, step 4 MN to CN.]