
Copyright 2003 Juniper Networks, Inc. Proprietary and Confidential www.juniper.net
WiFi Hotspot Service Control
Design & Case Study Overview
Simon Newstead
APAC Product Manager

snewstead@juniper.net
Agenda
- Overview of different access models
- Identifying the user location
- Secure access options
- Case studies (as we go)

WiFi control - access models: PPPoE

Diagram: WiFi user with PPPoE client (WinXP or 3rd party) -> layer 2 backhaul transport (Bridged 1483, Metro Ethernet) -> Access Controller / BRAS -> MPLS backbone. RADIUS and policy server attached to the BRAS; LNS* reached via L2TP.

The PPPoE connection terminates on the BRAS, which provides:
- AAA
- Termination of the PPP session into a VR/VRF, or tunnelling on via L2TP
- Fine grained QoS / bandwidth control
- Dynamic policy enforcement (COPS)
- Lawful intercept etc
PPPoE access model - discussion

Pros:
- Full per user control with inbuilt PPP mechanisms (authentication, keepalives etc)
- Individual policy control per user is simplified
- Wholesale is simplified and possible at layer 2 and layer 3
- Leverages the broadband BRAS model used in DSL; virtually no changes

Cons:
- Requires external client software (maybe even with XP); no auto launch by default
- Only works in a bridged access environment, which is often not possible
- A layer 3 access network requires a native L2TP (LAC) client on the host, with the BRAS acting as LNS or tunnel switch; client support issues
PPPoE access model - Case Study: Japanese Provider

Diagram: WiFi users with PPPoE client (joe@wifi-isp.co.jp) -> hotspot AP -> bridging DSL modem -> ATM (Bridged 1483) -> Access Controller / BRAS. DSL users with PPPoE client (joe@dsl-isp.co.jp) -> bridging DSL modem -> the same ATM access -> the same BRAS. RADIUS attached to the BRAS.

Users are mapped to a virtual router based on RADIUS and domain mapping: the WiFi VR for the WiFi operator network, the ISP VR for the DSL ISP. Both VRs connect to the backbone.
WiFi control - access models: DHCP model / Web Login

Diagram: WiFi user with inbuilt DHCP client -> layer 2 or layer 3 backhaul (any) -> Access Controller / BRAS -> MPLS backbone. External DHCP server* and policy server / web login server attached to the BRAS.

The BRAS acts as DHCP server or relay* and provides:
- Initial policy: route to the web logon server
- Fine grained QoS / bandwidth control
- Dynamic policies (COPS)
- Accounting
- Lawful intercept etc
DHCP Web Login model - discussion

Pros:
- No external client software; the inbuilt DHCP client lowers barriers
- Any access network, eg L3 wholesale DSL, routed Ethernet etc
- Web login gives the operator extra options (branding, advertising, location based content)

Cons:
- Wholesale options restricted: eg address allocation and NAT introduce complications (ALG support etc), no tunnelling with L2TP
- Greater security / DoS exposure: the host gets an IP address before it authenticates, so the DHCP server and the web login server are reachable by unauthenticated hosts
- No autologon by default (manual web login process)
- Need to introduce mechanisms for per user control in a DHCP environment (mimic PPP)
DHCP / Web login Case Study: Telstra Mobile
- Mobile centric service, launched in August 2003
- Available in hotspot locations throughout Australia
- Target of 600 hotspot locations in 2004 (Qantas, McDonalds, Hilton etc)
- International roaming through the Wireless Broadband Alliance
- Time based billing; hourly rate
- Login via a password delivered by SMS to a Telstra mobile (credit card payment option for non-Telstra post-paid mobile customers)
- Lowered barriers to uptake: no special WLAN subscription needed, casual pay-per-use
- Captive portal logon using DHCP; no client software required
How it works - Step One
The user opens a web browser and tries to go to Google. The session is directed to the captive portal on the policy server, which offers the choice of entering a mobile phone number or a username and password. The mobile phone number is entered.
Step Two
A one-time password is sent via SMS to the user's mobile phone. The received password is entered into the portal page.
Step Three
Upon successful authentication the captive portal is released and the original web destination is loaded. A mini-logout window facilitates signoff. Usage is billed to the user's mobile phone bill once finished.
Dynamic Policies

Allow greater flexibility of services, eg:
- Free access to the Internet for 15 mins without login, or
- Internet access only, mail port blocked, or
- Internet access but only at 64kbps, or
- Walled garden content only

Bandwidth can be dynamically increased and restrictions removed on user authentication and login.

Also helps protect against abusive or worm-infected users (eg dynamically limit users down on a sliding window basis: consumed more than x MB in the past 15 mins).
Per user control in a DHCP environment

Objective: make an IP host on a single aggregated interface appear like its own IP interface.
- Treat hosts as separate logical (demultiplexed) IP interfaces, aka Subscriber Interfaces
- Individual policy control on each subscriber interface (linked to the policy server), eg filters, bandwidth control
- Ties into DHCP dynamically

Diagram: User A (192.168.1.1) and User B (192.168.1.2) on VLAN 101 behind an L3 switch, towards the Access Controller / BRAS.
- Subscriber Interface A: IP demux 192.168.1.1; rate limit Internet to 512k
- Subscriber Interface B: IP demux 192.168.1.2; rate limit Internet to 2M; prioritise VoIP to the strict priority queue; add firewall policies
Generic Web Login process

Diagram: AP -> switch layer (GE/FE) -> Access Controller / BRAS (inbuilt DHCP server, or DHCP relay point) -> routing layer / upstream router -> Internet & service access. RADIUS and Weblogin / Policy Server attached to the BRAS.

WEB login sequence:
1. IP assignment through DHCP; the subscriber interface comes up (dynamic SI)
2. HTTP is redirected to show the portal web page
3. Input subscriber ID and password
4. RADIUS authentication; policies downloaded
Then Internet & service access.

WEB logout sequence:
1. (Access the portal & click on the logout button) or (DHCP lease expired)
2. RADIUS accounting; (reset policies) or (delete subscriber interface) (dynamic SI)
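The following Python model is an added example, not code from these slides or from Juniper: it works through the web login / logout sequence above together with the sliding-window throttle from the Dynamic Policies slide, keeping one subscriber interface per DHCP host. The portal address, the 64 kbps pre-auth rate and the 50 MB / 15 minute threshold are assumptions chosen for illustration; the MAC-binding check only works where the client MAC is visible to the access controller (bridged backhaul).

```python
"""Access-controller subscriber table for a DHCP / web-login hotspot.

Added example, not code from the slides or from Juniper. It models the
subscriber interface (one logical interface per DHCP host) with a pre-auth
policy, the web login / logout sequence, and the sliding-window throttle
used against worm-infected hosts. Portal address, rates and thresholds are
assumptions chosen for illustration.
"""
from collections import deque
from dataclasses import dataclass, field

PORTAL_IP = "10.0.0.5"                 # assumed web login / policy server address
PREAUTH_RATE_KBPS = 64                 # "Internet access but only at 64kbps" before login
WINDOW_SECS = 15 * 60                  # sliding window from the Dynamic Policies slide
WINDOW_LIMIT_BYTES = 50 * 1024 * 1024  # "x MB in the past 15 mins"; x = 50 is assumed


@dataclass
class Subscriber:
    """One subscriber interface: an IP host demultiplexed from the shared VLAN."""
    mac: str
    ip: str
    authenticated: bool = False
    rate_kbps: int = PREAUTH_RATE_KBPS
    usage: deque = field(default_factory=deque)   # (timestamp, bytes) samples

    def bytes_in_window(self, now: float, nbytes: int) -> int:
        """Record nbytes at time now and return the total still inside the window."""
        self.usage.append((now, nbytes))
        while self.usage and self.usage[0][0] <= now - WINDOW_SECS:
            self.usage.popleft()
        return sum(b for _, b in self.usage)


class AccessController:
    def __init__(self):
        self.by_ip = {}   # ip -> Subscriber: the subscriber interface table

    # Login step 1: DHCP ACK seen (as server or relay): bring the dynamic SI up, pre-auth policy.
    def dhcp_ack(self, mac: str, ip: str) -> None:
        self.by_ip[ip] = Subscriber(mac, ip)

    # Login step 4: RADIUS accepted the credentials; the policy server pushes the per-user rate.
    def login(self, ip: str, rate_kbps: int) -> None:
        sub = self.by_ip[ip]
        sub.authenticated = True
        sub.rate_kbps = rate_kbps

    # Logout: portal logout button or DHCP lease expiry; the SI is deleted (accounting stop here).
    def release(self, ip: str) -> None:
        self.by_ip.pop(ip, None)

    def decide(self, src_mac, src_ip, dst_ip, dst_port, now, nbytes):
        """Forwarding decision for one packet: (action, rate_kbps)."""
        sub = self.by_ip.get(src_ip)
        if sub is None:
            return ("drop", 0)            # no DHCP binding, so no subscriber interface
        if sub.mac != src_mac:
            # Same IP from another MAC: a host riding an existing, possibly authenticated,
            # session. Only meaningful on a bridged backhaul where the client MAC is seen;
            # on a routed backhaul the binding has to come from option 82 or a GRE tunnel.
            return ("drop", 0)
        if not sub.authenticated:
            if dst_ip == PORTAL_IP:
                return ("allow", PREAUTH_RATE_KBPS)     # walled garden: the portal itself
            if dst_port == 80:
                return ("redirect", PREAUTH_RATE_KBPS)  # login step 2: HTTP to the portal
            return ("drop", 0)
        if sub.bytes_in_window(now, nbytes) > WINDOW_LIMIT_BYTES:
            return ("throttle", PREAUTH_RATE_KBPS)      # dynamic limit on a sliding window
        return ("allow", sub.rate_kbps)
```

decide() is what sits on the subscriber interface: before login only the portal (and HTTP, redirected) gets through; after login the RADIUS-supplied rate applies, the quota window expires old samples as time moves on, and a second MAC using an authenticated IP is dropped rather than inheriting the session.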
Location information - why?
- Generates portal pages based on the hotspot location
- Enables targeted advertising, eg promotions for the owner of the hotspot location, revenue sharing (charging models) etc

Diagram: a hotspot in a cafe and a hotspot at a train station, both reaching the Weblogin / Policy Server through the Access Controller / BRAS. Example portals: free access to timetables and fares; free sports news.
Location information - how?

PPPoE model:
- Easy: a layer 2 circuit per hotspot to the AC/BRAS
- RADIUS will contain NAS-Port-Id etc; map back centrally

DHCP model (rely on the relay to provide it):
- Gateway address (giaddr field)
- Option 82 (Relay Agent Information) and its suboptions, a la RADIUS VSAs
- Or even a layer 3 GRE tunnel back if the access network can't provide the info required (also simplifies routing)
Side topic: routing back to the WiFi user in a DHCP environment

Use location based info to allocate users from address pools; one pool per location
- Aggregate routes per pool
- Static, redistributed into the IGP; simplified

Central pools are ok, but:
- They require the DHCP relay to store state: snoop the address coming back from the server in the DHCP Offer / ACK
- They also require per-host routes redistributed into the IGP; scaling issues with that
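As an added example (not code from the slides or from Juniper), the Python below parses the two location fields named on the previous slide, giaddr and option 82 with its Circuit-ID and Remote-ID suboptions, from a DHCPDISCOVER, and then selects the per-location pool described above. The packet is constructed inline (not a capture), and the circuit names, relay addresses and pool ranges are assumptions. It also carries the check a practitioner wants here: option 82 arriving on a packet that was never relayed (giaddr zero) is treated as client-forged, since a host that can assert its own location can pick another site's pool or portal.

```python
"""Locating a DHCP client via giaddr and option 82, then picking its address pool.

Added example, not Juniper code. The packet is constructed here (not a capture)
so the parser runs offline. Circuit-ID names, relay addresses and pool ranges are
assumptions.
"""
import ipaddress
import struct

MAGIC_COOKIE = b"\x63\x82\x53\x63"
OPT_MESSAGE_TYPE, OPT_RELAY_AGENT_INFO, OPT_END, OPT_PAD = 53, 82, 255, 0
SUBOPT_CIRCUIT_ID, SUBOPT_REMOTE_ID = 1, 2          # RFC 3046 suboptions

# Assumed mapping: one pool per hotspot circuit, so each pool is one aggregate route.
POOLS = {
    b"cafe-ap-1": ipaddress.ip_network("10.10.1.0/24"),
    b"station-ap-7": ipaddress.ip_network("10.10.2.0/24"),
}
# Fallback when the relay supplies giaddr only: relay address -> pool (assumed).
POOLS_BY_GIADDR = {"10.10.2.1": POOLS[b"station-ap-7"]}


def build_dhcp_discover(mac: bytes, giaddr: str, circuit_id: bytes, remote_id: bytes, hops=1) -> bytes:
    """Constructed DHCPDISCOVER as a relay would forward it (giaddr set, option 82 appended)."""
    header = struct.pack("!BBBBIHH4s4s4s4s16s64s128s",
                         1, 1, 6, hops,             # BOOTREQUEST, Ethernet, hlen 6, hops
                         0x3903F326, 0, 0x8000,     # xid, secs, flags (broadcast)
                         b"\0" * 4, b"\0" * 4, b"\0" * 4,
                         ipaddress.IPv4Address(giaddr).packed,
                         mac.ljust(16, b"\0"), b"\0" * 64, b"\0" * 128)
    sub = (bytes([SUBOPT_CIRCUIT_ID, len(circuit_id)]) + circuit_id
           + bytes([SUBOPT_REMOTE_ID, len(remote_id)]) + remote_id)
    options = (bytes([OPT_MESSAGE_TYPE, 1, 1])                 # DHCPDISCOVER
               + bytes([OPT_RELAY_AGENT_INFO, len(sub)]) + sub
               + bytes([OPT_END]))
    return header + MAGIC_COOKIE + options


def _parse_tlv(data: bytes, end_code=None) -> dict:
    """Code/length/value walk shared by the options field and the option 82 suboptions."""
    out, i = {}, 0
    while i < len(data):
        code = data[i]
        if code == end_code:
            break
        if end_code is not None and code == OPT_PAD:   # pad bytes only exist at option level
            i += 1
            continue
        if i + 2 > len(data) or i + 2 + data[i + 1] > len(data):
            raise ValueError("truncated option at offset %d" % i)
        length = data[i + 1]
        out[code] = data[i + 2:i + 2 + length]
        i += 2 + length
    return out


def parse_dhcp(pkt: bytes) -> dict:
    """Extract the fields the access controller needs to locate the client."""
    if len(pkt) < 240 or pkt[236:240] != MAGIC_COOKIE:
        raise ValueError("not a DHCP packet")
    hlen = pkt[2]
    if hlen > 16:
        raise ValueError("bad hlen")
    options = _parse_tlv(pkt[240:], end_code=OPT_END)
    giaddr = str(ipaddress.IPv4Address(pkt[24:28]))
    relay = _parse_tlv(options[OPT_RELAY_AGENT_INFO]) if OPT_RELAY_AGENT_INFO in options else {}
    # Local policy (assumption, in the spirit of RFC 3046 trusted circuits): option 82 is only
    # believed when the packet actually came through a relay. A client must not be able to
    # assert its own location, or it could pick a pool / portal belonging to another site.
    if relay and giaddr == "0.0.0.0":
        raise ValueError("option 82 present on a packet that was not relayed")
    return {
        "msg_type": options.get(OPT_MESSAGE_TYPE, b"\0")[0],
        "mac": ":".join("%02x" % b for b in pkt[28:28 + hlen]),
        "giaddr": giaddr,
        "circuit_id": relay.get(SUBOPT_CIRCUIT_ID),
        "remote_id": relay.get(SUBOPT_REMOTE_ID),
    }


def select_pool(info: dict):
    """Pick the per-location pool: Circuit-ID first, relay address as fallback."""
    if info["circuit_id"] in POOLS:
        return POOLS[info["circuit_id"]]
    if info["giaddr"] in POOLS_BY_GIADDR:
        return POOLS_BY_GIADDR[info["giaddr"]]
    return None   # unknown location: no pool, nothing is offered
```

Because each pool maps to one location, the route for 10.10.1.0/24 points at the cafe circuit as a single static aggregate; only with a central pool would the relay have to snoop each Offer / ACK and inject a host route, which is the scaling problem the slide refers to.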

Secure access - why?

The simple models have various access vulnerabilities: session hijacking / spoofing, man in the middle. In the PPPoE and DHCP / web login models the authorised session is tied to a circuit or an IP/MAC binding and nothing protects the traffic on the air, so another host on the same hotspot can impersonate an authenticated user.

Two main approaches:
- IPSEC tunnelling model
- 802.1x/EAP
WiFi secured access: IPSEC option

Diagram: WiFi user with inbuilt IPSEC client (eg Win2k, WinXP) -> any backhaul transport -> Access Controller / BRAS -> MPLS backbone. RADIUS and policy server attached to the BRAS; LNS* reachable beyond it.

An L2TP/IPSEC connection (RFC 3193) from the client: the BRAS terminates IPSEC and controls the PPP session.
IPSEC WiFi access

Pros:
- No external client software; inbuilt into Windows
- The PPP model gives full per user control (eg terminate IPSEC and tunnel on with L2TP)
- Integrates well into a VPN environment; user sessions terminated into MPLS VPNs at the AC/BRAS (PE)
- Can use digital certificates to ensure identity (server, and maybe clients also)

Cons:
- Client issues: overhead, PDA support (eg WinCE today only supports MSCHAPv2?)
IPSEC WiFi access - Japan Case Study
- Integration of VPN access for mobile corporate users regardless of access type
- Outsource remote access management from corporates, and aggregate users in a layer 3 VPN: a common point of subscriber management

Network diagram: WiFi user with native Windows client -- IPSEC / L2TP (RFC 3193) --> Access Controller / BRAS (PE). 3G and 2G users -- GGSN / LAC -- native L2TP --> the same BRAS (PE). Users are mapped into corporate VPNs (VRFs) across the MPLS backbone to a PE, then over a GE VLAN to the Corp HQ CE.
WiFi secured access: 802.1x/EAP option

Diagram: WiFi user with EAP/802.1x client (eg WinXP, iPass, Odyssey..) -- EAPoL (802.1x) --> AP -- EAP/RADIUS --> Access Controller / BRAS -> MPLS backbone, over any backhaul transport. RADIUS and policy server attached to the BRAS.

Note: DHCP happens after EAP authentication.
Option - Authentication using 802.1X and EAP on 802.11 - overview
(Source: Microsoft)

Station <-> AP (802.11, EAPOW)                  AP <-> RADIUS server (RADIUS)
1. 802.11 Associate-Request / Associate-Response; access blocked
2. EAPOW-Start
3. EAP-Request/Identity
4. EAP-Response/Identity                  ->    Radius-Access-Request
5. EAP-Request                            <-    Radius-Access-Challenge
6. EAP-Response (credentials)             ->    Radius-Access-Request
7. EAP-Success                            <-    Radius-Access-Accept
8. EAPOW-Key (WEP..); access allowed
EAP/802.1x WiFi access

Pros:
- EAP/802.1x built into WinXP
- Flexible authentication architecture; many different EAP methods, eg GSM SIM using EAP-SIM, EAP-MD5, LEAP, smartcards etc
- Can handle inter-AP roaming with 802.11f
- Adopted in the corporate market

Cons:
- Doesn't address the core network / VPN portion, it just secures the access layer
- Today uses per-session (dynamic WEP) keys rather than per-packet temporal keys (TKIP in WPA, coming in 802.11i)
- Need smarts to keep per user control in the network without a double logon
Maintaining subscriber control in an 802.1x/EAP environment

RADIUS relay concept:
- 802.1x access points have a RADIUS client; EAP messages are encapsulated in RADIUS messages
- The host MAC address is carried in the Calling-Station-Id attribute
- The RADIUS relay (BRAS) uses the @domain part of the user name to forward the RADIUS request to an external EAP-capable RADIUS proxy or server
- The BRAS relay stores the host MAC address (and maybe the user) and awaits authorisation data (VR to use, IP pool/address to use, filters, etc)
- The DHCP request, matched on the host MAC address, creates the subscriber interface in the proper context, allocates the IP address and assigns default policies: policy server control with no web login
- The access point generates the RADIUS authentication and accounting (stop) messages

Diagram: 802.1x AP -> any backhaul transport -> BRAS (RADIUS relay, DHCP) -> policy server and RADIUS server.
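The Python below is an added example (not code from these slides or from Juniper) of the relay step described above, for the RADIUS half of the 802.1X exchange on the earlier overview slide: an AP wraps the station's EAP-Response/Identity in a RADIUS Access-Request, and the relay authenticates the request with the AP's shared secret, reads the realm from User-Name and the host MAC from Calling-Station-Id, remembers MAC -> realm for the DHCP binding that follows, and names the upstream EAP-capable server. The request is constructed inline (not a capture); secrets, server names and realms are assumptions. The Message-Authenticator check is the part worth noting: an Access-Request has no other integrity protection, and RFC 3579 requires this attribute whenever EAP-Message is present.

```python
"""RADIUS relay in front of 802.1X access points (EAP over RADIUS).

Added example, not Juniper code. The Access-Request is constructed here (not a
capture). Secrets, upstream server names and realms are assumptions.
"""
import hashlib
import hmac
import struct

ACCESS_REQUEST = 1
ATTR_USER_NAME, ATTR_CALLING_STATION_ID = 1, 31
ATTR_EAP_MESSAGE, ATTR_MESSAGE_AUTHENTICATOR = 79, 80     # RFC 3579
EAP_RESPONSE, EAP_TYPE_IDENTITY = 2, 1

# Assumed: realm -> EAP-capable RADIUS server / proxy the relay forwards to.
UPSTREAM = {b"wifi-isp.co.jp": "radius.wifi-isp.co.jp", b"corp.example": "aaa.corp.example"}


def encode_attrs(attrs):
    """RADIUS attributes are type, length (including these two bytes), value."""
    return b"".join(bytes([t, len(v) + 2]) + v for t, v in attrs)


def parse_attrs(body: bytes):
    attrs, i = [], 0
    while i < len(body):
        if i + 2 > len(body) or body[i + 1] < 2 or i + body[i + 1] > len(body):
            raise ValueError("bad attribute length")
        attrs.append((body[i], body[i + 2:i + body[i + 1]]))
        i += body[i + 1]
    return attrs


def message_authenticator(pkt: bytes, secret: bytes) -> bytes:
    """HMAC-MD5 over the whole packet with the Message-Authenticator value zeroed (RFC 3579 3.2)."""
    body = bytearray(pkt[20:])
    i = 0
    while i < len(body):
        if body[i] == ATTR_MESSAGE_AUTHENTICATOR:
            body[i + 2:i + 18] = b"\0" * 16
        i += body[i + 1]
    return hmac.new(secret, pkt[:20] + bytes(body), hashlib.md5).digest()


def eap_response_identity(eap_id: int, identity: bytes) -> bytes:
    """EAP packet: code, identifier, length, type, then the identity string."""
    return struct.pack("!BBHB", EAP_RESPONSE, eap_id, 5 + len(identity), EAP_TYPE_IDENTITY) + identity


def build_access_request(secret, ident, request_auth, user, mac, eap):
    """What the 802.1X AP sends: the EAP response wrapped in RADIUS and signed for the relay."""
    fields = [(ATTR_USER_NAME, user), (ATTR_CALLING_STATION_ID, mac), (ATTR_EAP_MESSAGE, eap)]

    def packet(ma):
        body = encode_attrs(fields + [(ATTR_MESSAGE_AUTHENTICATOR, ma)])
        return struct.pack("!BBH16s", ACCESS_REQUEST, ident, 20 + len(body), request_auth) + body

    return packet(message_authenticator(packet(b"\0" * 16), secret))


class RadiusRelay:
    def __init__(self, ap_secrets: dict):
        self.ap_secrets = ap_secrets   # AP address -> shared secret (assumed values)
        self.pending = {}              # host MAC -> realm, consumed when the DHCP request arrives

    def handle(self, ap_addr: str, pkt: bytes) -> dict:
        secret = self.ap_secrets[ap_addr]    # unknown NAS raises KeyError; a real relay drops silently
        if len(pkt) < 20 or pkt[0] != ACCESS_REQUEST or struct.unpack("!H", pkt[2:4])[0] != len(pkt):
            raise ValueError("malformed RADIUS packet")
        attrs = parse_attrs(pkt[20:])
        ma = [v for t, v in attrs if t == ATTR_MESSAGE_AUTHENTICATOR]
        # The only proof that the request came from the AP and was not altered in transit.
        if len(ma) != 1 or not hmac.compare_digest(ma[0], message_authenticator(pkt, secret)):
            raise ValueError("missing or bad Message-Authenticator")
        eap = b"".join(v for t, v in attrs if t == ATTR_EAP_MESSAGE)   # fragments, in order
        if len(eap) < 4 or struct.unpack("!H", eap[2:4])[0] != len(eap):
            raise ValueError("EAP length mismatch")
        by_type = dict(attrs)
        user = by_type.get(ATTR_USER_NAME, b"")
        realm = user.rsplit(b"@", 1)[1] if b"@" in user else None
        if realm not in UPSTREAM:
            raise ValueError("no upstream server for realm %r" % realm)
        mac = by_type.get(ATTR_CALLING_STATION_ID, b"").decode()
        identity = eap[5:] if eap[0] == EAP_RESPONSE and eap[4] == EAP_TYPE_IDENTITY else None
        self.pending[mac] = realm       # later DHCP from this MAC lands in this realm's context
        return {"forward_to": UPSTREAM[realm], "realm": realm, "mac": mac, "identity": identity}
```

The relay never looks inside the EAP method itself, which is what makes it transparent to EAP-SIM or any other method; it only needs the outer identity for the realm and the MAC for the binding. A tampered User-Name, or a request from a NAS with a different secret, fails the HMAC check before anything is forwarded.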
Summary

Which access model?
- PPPoE is nice, but often not practical
- DHCP web login models can now provide good per user control, location info etc

Where am I? Location information
- Key for WiFi business models, eg generate content based on location (virtualised)

Security
- IPSEC is a good end-to-end mechanism, with integration into VPNs
- EAP is flexible and useful in the access, but needs to tie in with the core network and per user control
Thank you!
Contact: snewstead@juniper.net

802.11 variants
- 802.11a: 5 GHz, OFDM, 54 Mbps, 10+ channels
- 802.11b: 2.4 GHz, DSSS, 11 Mbps, 3 channels
- 802.11d: enhancements to meet country specific regulations
- 802.11e: Quality of Service
- 802.11f: Inter-Access Point Protocol, handover between close APs
- 802.11g: 2.4 GHz, OFDM, 54 Mbps, 3 channels
- 802.11h: specifically for 5 GHz; power control and frequency selection
- 802.11i: security framework, referencing 802.1x and EAP
Wireless LAN Technologies

              802.11b       802.11a                   HiperLAN2            802.11g
Freq. band    2.4 GHz       5 GHz                     5 GHz                2.4 GHz
              Public        Public / Private                               Public
Coverage      Worldwide     US/AP                     Europe               Worldwide
Data rate     1-11 Mbps     20-54 Mbps (1-2 yrs),     20-54 Mbps (1-2 yrs) 1-54 Mbps
                            100+ Mbps (future)
PWLAN and Security
- WEP encryption (Wired Equivalent Privacy) is much criticised in the enterprise
- It also uses static keys, which does not work for PWLAN as the keys would need to be published
- 802.1x and EAP deliver improved security for PWLAN: dynamic keys at the start of the session, and PWLAN sessions are short lived (unlike enterprise)
- 802.11i uses 802.1x, which uses EAP and allows dynamic keys
  - Firmware upgrade for TKIP, then hardware upgrade for improved AES encryption
  - Poses transition complexity for the existing user base
- WPA (Wi-Fi Protected Access) is an interim step to 802.11i: uses 802.1x, EAP and TKIP, but no AES
802.1x Overview
- Makes up for the deficiencies of WEP, which uses static keys
- IEEE 802.1x-2001: Port-Based Network Access Control; prior to authentication, traffic is restricted to the authentication server
- RFC 2284 (1998): PPP Extensible Authentication Protocol (EAP); EAP is encapsulated in RADIUS for transport to an EAP-enabled AAA server
- Many variations: EAP-TLS and PEAP supported by Microsoft, MD5, OTP, LEAP (Cisco), and EAP-SIM (GSM Subscriber Identity Module)
- IEEE 802.11i framework specification: specifies use of 802.1x and EAP for authentication and encryption keys; new encryption in the access point; access points need a firmware upgrade for TKIP, then new hardware for AES
PWLAN and Mobile
- The 3GPP standards org defined five scenarios for PWLAN integration with 3G, from common authentication to seamless handover of voice service
  - Specified 802.1x based authentication
  - Part of 3GPP Release 6, specified in TS 23.234
- But real deployments are occurring well in advance of 3GPP R6, so:
  - The GSM Association WLAN Task Force issued guidelines for pre-Release 6
  - Web based login initially, transitioning to the 3GPP Release 6 spec
- A SIM located in the WLAN card will use authentication based on EAP-SIM (eg use of a SIM dongle)
- EAP to SS7 gateways will allow mobile HLRs / HSSs to authenticate the WLAN card
Authenticating against the GSM HLR
- Existing database with all mobile subscriber information
- Existing provisioning and customer care systems are used
- EAP-SIM can offer GSM equivalent authentication and encryption
- A gateway between RADIUS/IP and MAP/SS7 is required, eg Funk Software Steel Belted Radius/SS7 Gateway: Ulticom Signalware SS7 software on a Sun server with an E1/T1 interface card
- Major vendors (Ericsson, Siemens, Nokia) all have or are developing their own offer
802.1x EAP-SIM authentication from the HLR: transparent RADIUS relay

Diagram: Client -- EAPoL --> Authenticator (AP) -- RADIUS --> BRAS AC (RADIUS relay) -- RADIUS --> RADIUS/SS7 GW -- MAP over SS7 (Gr interface) --> HLR.

Client authentication: the EAP-SIM exchange runs over EAPoL to the AP, is relayed in RADIUS through the BRAS to the gateway, and reaches the HLR as MAP over SS7.

Client IP address assignment (after authentication): DHCP Discover, DHCP Offer, DHCP Request, DHCP Ack {address = end user address}.
Tight integration proposed by 3GPP

Diagram: Client -- EAPoL --> Authenticator -- RADIUS --> Access Controller (RADIUS relay) -- RADIUS --> RADIUS/SS7 GW -- MAP over SS7 (Gr interface) --> HLR. Access Controller -- GPRS Tunnelling Protocol --> GGSN.

Client authentication: EAP relayed to the HLR as on the previous slide.

Client IP address assignment:
- Access Controller -> GGSN: Create PDP Context {IP, transparent mode APN, IMSI/NSAPI, MSISDN, dynamic address requested}
- GGSN -> Access Controller: Create PDP Context Response {End User Address}
- DHCP Discover, DHCP Offer, DHCP Request, DHCP Ack {address = End User Address from the GGSN}
- On lease expiration: Delete PDP Context Request
Real time handover
- Many access types: WLAN, 3G, GPRS
- Mobile IP could provide reasonable real-time macro roaming between cellular and WLAN access types (also alternatives such as 802.16/WiMax)
- Supported for dual mode CPE/handsets, eg the dual mode NEC cellphone with WLAN as trialled by DoCoMo; PDAs with WLAN and CDMA 1x/EVDO or GPRS/WCDMA; notebooks with cellular data or dual mode cards
- Off the shelf client software is available today: IPUnplugged, Birdstep
- Challenges: VoIP, WLAN automated logon (eg 802.1x could solve this), applications/OS handling of address changes
Overview of Mobile IPv4 (RFC 2002)
1. MN discovers the Foreign Agent (FA)
2. MN obtains a care-of address (COA; here the FA's address)
3. MN registers with the FA, which relays the registration to the HA
4. HA tunnels packets from the CN to the MN through the FA
5. FA forwards packets from the MN to the CN, or reverse tunnels them through the HA (RFC 3024)

Diagram: MN attached to the FA (steps 1 and 2); FA to HA (step 3); HA to FA tunnel (step 4); FA to CN across the Internet (step 5).
Mobile IP Interworking with UMTS/GPRS
Recommends use of FA care-of addresses (CoA), not co-located ones, to conserve IPv4 addresses.
Source: 3GPP
Registration Process to GGSN FA
IPv4 registration, UMTS/GPRS + MIP, FA care-of address. Entities: TE, MT, SGSN, GGSN/FA, Home Network (HA).
1. TE -> MT: AT command (APN)
2. MT -> SGSN: Activate PDP Context Request (APN=MIPv4FA)
A. SGSN selects a suitable GGSN
3. SGSN -> GGSN/FA: Create PDP Context Request (APN=MIPv4FA)
4. GGSN/FA -> SGSN: Create PDP Context Response (no PDP address)
5. SGSN -> MT: Activate PDP Context Accept (no PDP address)
6. GGSN/FA -> TE: Agent Advertisement
7. TE -> GGSN/FA: MIP Registration Request
8. GGSN/FA -> Home Network: MIP Registration Request
9. Home Network -> GGSN/FA: MIP Registration Reply
10. GGSN/FA -> TE: MIP Registration Reply
Overview of Mobile IPv6
Removes the need for an external FA in future 3GPP systems.
1. MN obtains an IP address using stateless or stateful autoconfiguration
2. MN registers with the HA
3. HA tunnels packets from the CN to the MN
4. MN sends packets directly to the CN or via a tunnel to the HA
A Binding Update from the MN to the CN removes the HA from the path.

Diagram: MN on the visited link (step 1), registering with the HA (step 2); HA tunnel to the MN (step 3); MN to CN across the Internet (step 4).