3G Data Network
WiFi Hotspot Service Control
Design & Case Study Overview
Simon Newstead
APAC Product Manager
[email protected]
Copyright © 2003 Juniper Networks, Inc.
Proprietary and Confidential
www.juniper.net
1
Agenda
Overview of different access models
Identifying the user location
Secure access options
Case studies (as we go)
WiFi control - access models
PPPoE
Diagram: WiFi user with PPPoE client (WinXP or 3rd party) → PPPoE connection over Layer 2 backhaul transport (Bridged 1483, Metro E) → Access Controller / BRAS / LNS* → MPLS backbone; RADIUS and Policy Server (AAA) attached to the BRAS.
BRAS functions shown:
• Terminate PPP session into VR/VRF or tunnel on via L2TP
• Fine grained QoS / bandwidth control
• Dynamic Policy Enforcement (COPS)
• Lawful Intercept etc…
PPPoE access model - discussion
Pros:
• Full per user control with inbuilt PPP mechanisms (authentication, keepalives etc.)
• Individual policy control per user simplified
• Wholesale is simplified and possible at layer 2 and layer 3
• Leverages the broadband BRAS model used in DSL – virtually no changes
Cons:
• Requires external client software (maybe even with XP) – no “auto launch” by default
• Only works in a bridged access environment; often not possible
• Layer 3 access network requires use of native LAC client (BRAS acts as LNS or tunnel switch) – client support issues
PPPoE access model
Case Study – Japanese Provider
Diagram: WiFi users with PPPoE client ([email protected]) connect through a hotspot AP and a bridging DSL modem; DSL users with PPPoE client ([email protected]) connect through a bridging DSL modem. Both reach the Access Controller / BRAS over ATM Bridged 1483. The BRAS terminates WiFi users into the WiFi VR (WiFi operator network) and DSL users into the ISP VR, then onto the backbone; RADIUS is attached to the BRAS.
Mapping of user to VR based on RADIUS, domain mapping
WiFi control - access models
DHCP model – Web Login
Diagram: WiFi user with inbuilt DHCP client → Layer 2 or Layer 3 backhaul (any) → Access Controller / BRAS → MPLS backbone; external DHCP server* (or relay on the BRAS) and Policy Server / Web Login Server attached to the BRAS.
BRAS functions shown:
• DHCP Server or Relay*
• Initial policy route to Web logon server
• Fine grained QoS / bandwidth control
• Dynamic Policies (COPS)
• Accounting
• Lawful Intercept etc…
DHCP Web Login model - discussion
Pros:
• No external client software – inbuilt DHCP – lower barriers
• Any access network – eg L3 wholesale DSL, routed Ethernet etc
• Web Login provides extra options to operator (branding, advertising, location based content…)
Cons:
• Wholesale options restricted, eg- address allocation – NAT introduces complications (ALG support etc), no tunnelling with L2TP
• Greater security / DoS implications – attack DHCP server, Web server
• No autologon by default (manual web login process)
Need to introduce mechanisms to enable per user control in DHCP environment (mimic PPP)
DHCP / Web login Case Study – Telstra Mobile
Mobile centric service, launched in August 2003
• Available in hotspot locations throughout Australia
• Target of 600 hotspot locations in 2004 (Qantas, McDonalds, Hilton etc)
• International roaming through the Wireless Broadband Alliance
• Time based billing; hourly rate
• Login via a password delivered by SMS to a Telstra mobile (credit card payment option for non-Telstra post-paid mobile customers)
Lowered barriers to uptake
• No special WLAN subscription needed – casual pay-per-user
• Captive portal logon using DHCP – no client software required
How it works - Step One
• User opens up web browser and tries to go to Google
• Session directed to captive portal on policy server
• Choice to enter mobile phone number or username and password
• Mobile phone number entered
Step Two
• One-time password sent via SMS to user’s mobile phone
• Received password entered into portal page
Step Three
• Upon successful authentication, captive portal is released and original web destination is loaded.
• Mini-logout window to facilitate signoff.
• Usage billed to user’s mobile phone bill once finished
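The SMS one-time password step of the three-step flow above, as an added example (not code from the deck, Telstra or Juniper): the portal keeps only an HMAC of each issued code, enforces an expiry and an attempt budget, and accepts a code exactly once. The server secret, digit count, lifetime and attempt limit are assumptions for the example.

```python
import hashlib
import hmac
import secrets
import time

# Constructed parameters for this example: a 6-digit code valid for five
# minutes that may be tried at most three times before a new SMS is needed.
OTP_DIGITS = 6
OTP_TTL_SECONDS = 300
MAX_ATTEMPTS = 3


class OtpStore:
    """Issues and verifies one-time passwords keyed by the mobile number the
    user typed into the captive portal."""

    def __init__(self, server_secret: bytes, clock=time.time):
        self._secret = server_secret   # stored digests are useless without it
        self._clock = clock            # injectable for tests
        self._pending = {}             # msisdn -> (digest, expires_at, attempts)

    def _digest(self, msisdn: str, code: str) -> bytes:
        return hmac.new(self._secret, f"{msisdn}:{code}".encode(), hashlib.sha256).digest()

    def issue(self, msisdn: str) -> str:
        """Generate a fresh code; the returned string is what the SMS gateway
        would send. Only its HMAC is kept server side. Re-issuing replaces
        any earlier outstanding code for the same number."""
        code = "".join(secrets.choice("0123456789") for _ in range(OTP_DIGITS))
        self._pending[msisdn] = (self._digest(msisdn, code), self._clock() + OTP_TTL_SECONDS, 0)
        return code

    def verify(self, msisdn: str, code: str) -> bool:
        """True exactly once for the right code before expiry. Expiry, success
        or an exhausted attempt budget all remove the entry (single use)."""
        entry = self._pending.get(msisdn)
        if entry is None:
            return False
        digest, expires_at, attempts = entry
        if self._clock() > expires_at:
            del self._pending[msisdn]
            return False
        if hmac.compare_digest(digest, self._digest(msisdn, code)):
            del self._pending[msisdn]
            return True
        attempts += 1
        if attempts >= MAX_ATTEMPTS:
            del self._pending[msisdn]  # user must request a new SMS
        else:
            self._pending[msisdn] = (digest, expires_at, attempts)
        return False
```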
Dynamic Policies
• Allow greater flexibility of services, eg-
• Free access to Internet for 15 mins without login… or
• Internet access only, mail port blocked… or
• Internet access but only at 64kbps… or
• Walled garden content only
• Bandwidth can be dynamically increased and restrictions removed on user authentication and login
• Also helps protect against abusive or Worm users (eg- dynamically limit users down on sliding window basis; consumed more than x MB in past 15 mins)
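The sliding-window check from the last bullet, as an added example (not from the deck): per-subscriber byte samples over the last 15 minutes decide the rate limit the policy server would push to that subscriber's interface, and a change is reported only when the policy actually flips. The 50 MB threshold and the two rates are constructed values.

```python
from collections import deque

WINDOW_SECONDS = 15 * 60
LIMIT_BYTES = 50 * 1024 * 1024     # constructed threshold: "x MB in past 15 mins"
NORMAL_RATE_KBPS = 2048            # constructed rates pushed to the BRAS
THROTTLED_RATE_KBPS = 64


class UsageWindow:
    """Byte-count samples for one subscriber, kept only while inside the window."""

    def __init__(self):
        self._samples = deque()    # (timestamp, nbytes), oldest first
        self._total = 0

    def add(self, ts, nbytes):
        self._samples.append((ts, nbytes))
        self._total += nbytes
        self._expire(ts)

    def _expire(self, now):
        cutoff = now - WINDOW_SECONDS
        while self._samples and self._samples[0][0] <= cutoff:
            self._total -= self._samples.popleft()[1]

    def bytes_in_window(self, now):
        self._expire(now)
        return self._total


class AbusePolicy:
    """Maps each subscriber's sliding-window usage to a rate limit and reports
    only changes, i.e. the moments a new policy would be pushed to the BRAS."""

    def __init__(self):
        self._windows = {}
        self._current = {}

    def record(self, user, ts, nbytes):
        # Called with each accounting sample (e.g. an interim update) for the user.
        self._windows.setdefault(user, UsageWindow()).add(ts, nbytes)
        return self.evaluate(user, ts)

    def evaluate(self, user, now):
        # Returns the new rate in kbps when it changes, otherwise None.
        # Once old samples fall out of the window the limit is lifted again.
        used = self._windows.setdefault(user, UsageWindow()).bytes_in_window(now)
        wanted = THROTTLED_RATE_KBPS if used > LIMIT_BYTES else NORMAL_RATE_KBPS
        if self._current.get(user) == wanted:
            return None
        self._current[user] = wanted
        return wanted
```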
Per user control in a DHCP environment
Objective - make an IP host on single aggregated interface appear like its own IP interface
• Treat hosts as separate logical (demultiplexed) IP interfaces aka “Subscriber Interfaces”
• Individual policy control on subscriber interface (linked to policy server) – eg filters, bandwidth control
• Ties into DHCP dynamically
Diagram: User A (192.168.1.1) and User B (192.168.1.2) arrive on the same VLAN 101 via an L3 switch at the Access Controller / BRAS. Subscriber Interface A: IP demux 192.168.1.1, rate limit Internet to 512k. Subscriber Interface B: IP demux 192.168.1.2, rate limit Internet to 2M, prioritise VoIP to strict priority queue, add firewall policies.
Generic Web Login process
Diagram: AP (with inbuilt DHCP server) → switch layer (FE/GE) → routing layer → Access Controller / BRAS (DHCP relay point) → upstream router (GE); Weblogin / Policy Server and Radius attached to the BRAS.
WEB login sequence
1. IP assignments through DHCP & subscriber interface come up – Dynamic SI
2. HTTP redirected and show the portal web page
3. Input subscriber ID and password
4. Radius authentication
5. Download policies
Internet & service access
WEB logout sequence
1. (Access the portal & click on logout button) or (DHCP lease expired)
2. Radius accounting
3. (Reset policies) or (Delete subscriber interface) – Dynamic SI
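The login and logout sequences above as an added example (not the deck's or Juniper's code): a dynamic subscriber interface comes up on the DHCP ack with a redirect-to-portal policy, receives its RADIUS-granted policies after login, and is deleted with an accounting stop on portal logout or lease expiry. The portal URL, the default policy set and the radius_auth callback are assumptions.

```python
from dataclasses import dataclass, field

# Placeholder portal address for this example; the deck does not name one.
PORTAL_URL = "http://portal.example.invalid/login"
DEFAULT_POLICIES = {"http_redirect": PORTAL_URL, "rate_kbps": 64}

@dataclass
class SubscriberInterface:
    ip: str
    lease_expires: float
    authenticated: bool = False
    user: str = ""
    policies: dict = field(default_factory=lambda: dict(DEFAULT_POLICIES))
    accounting: list = field(default_factory=list)  # RADIUS accounting records sent

class WebLoginBras:
    # radius_auth(user, password) stands in for the RADIUS server: it returns
    # the policy dict to download on accept, or None on reject.
    def __init__(self, radius_auth):
        self._auth = radius_auth
        self._by_ip = {}

    def dhcp_ack(self, ip, lease_seconds, now):
        # Step 1: address assigned, dynamic SI comes up with default policies
        # only (web traffic redirected to the portal, everything else restricted).
        si = SubscriberInterface(ip, now + lease_seconds)
        self._by_ip[ip] = si
        return si

    def http_request(self, ip, url):
        # Step 2: before login the BRAS answers with a redirect to the portal.
        si = self._by_ip[ip]
        return url if si.authenticated else si.policies["http_redirect"]

    def portal_login(self, ip, user, password):
        # Steps 3-5: credentials go to RADIUS; on accept the downloaded
        # policies replace the defaults and accounting starts.
        si, granted = self._by_ip[ip], self._auth(user, password)
        if granted is None:
            return False
        si.authenticated, si.user, si.policies = True, user, dict(granted)
        si.accounting.append(("Accounting-Start", user))
        return True

    def portal_logout(self, ip):
        return self._teardown(ip, "logout")

    def tick(self, now):
        # Lease expiry is the other logout trigger on the slide.
        expired = [ip for ip, si in self._by_ip.items() if now >= si.lease_expires]
        for ip in expired:
            self._teardown(ip, "lease-expired")
        return expired

    def _teardown(self, ip, reason):
        # Logout steps 2-3: accounting stop, then the dynamic SI is deleted.
        si = self._by_ip.pop(ip)
        if si.authenticated:
            si.accounting.append(("Accounting-Stop", si.user, reason))
        return si
```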
Location information – why??
Generates portal pages based on hotspot location
Enables targeted advertising. eg- promotions for the owner of the hotspot location, revenue sharing (charging models) etc…
Diagram: a hotspot at a train station and a hotspot at a cafe both reach the Access Controller / BRAS, which consults the Weblogin / Policy Server; the train station portal offers free access to timetables and fares, the cafe portal free sports news.
Location information – how?
PPPoE model
• Easy – layer 2 circuit per hotspot to AC/BRAS
• RADIUS will contain NAS Port ID etc…map back centrally
DHCP model (rely on relay to provide)
• Gateway address (GiAddr field)
• Option 82 information, suboptions (ala RADIUS VSAs)
• Or even layer 3 GRE tunnel back if access network can’t provide info required (also simplifies routing)
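Recovering the hotspot location in the DHCP model, as an added example (not from the deck): the parser pulls giaddr and the option 82 circuit-id / remote-id suboptions out of a DHCP message and maps them to a hotspot and the portal content the earlier slide pairs with it. The hotspot table and the constructed DHCPDISCOVER are assumptions.

```python
import ipaddress
import struct

MAGIC_COOKIE = b"\x63\x82\x53\x63"
OPT_PAD, OPT_MSG_TYPE, OPT_RELAY_AGENT, OPT_END = 0, 53, 82, 255
SUB_CIRCUIT_ID, SUB_REMOTE_ID = 1, 2

# Constructed lookup: (relay giaddr, circuit-id) -> hotspot, plus the portal
# content the location slide pairs with each hotspot.
HOTSPOTS = {("10.1.1.1", "ap-platform3"): "Train Station", ("10.2.2.1", "ap-counter"): "Cafe"}
PORTAL_CONTENT = {"Train Station": "timetables, fares", "Cafe": "sports news"}


def tlv(data, stop_at_end):
    """Decode code/length/value items. DHCP options use 0 as a one-byte pad and
    255 as terminator; option 82 suboptions have neither, hence the flag."""
    out, i = {}, 0
    while i < len(data):
        code = data[i]
        if stop_at_end and code == OPT_END:
            break
        if stop_at_end and code == OPT_PAD:
            i += 1
            continue
        if i + 1 >= len(data):
            raise ValueError("truncated option %d" % code)
        length = data[i + 1]
        value = data[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError("truncated option %d" % code)
        out[code] = value
        i += 2 + length
    return out


def location_from_discover(packet, hotspots=HOTSPOTS):
    """Pull giaddr and the option 82 circuit/remote ids out of a DHCP message
    and resolve them to a hotspot; hotspot is None when the pair is unknown."""
    if len(packet) < 240 or packet[236:240] != MAGIC_COOKIE:
        raise ValueError("not a DHCP message")
    giaddr = str(ipaddress.IPv4Address(packet[24:28]))   # relay agent address
    opts = tlv(packet[240:], stop_at_end=True)
    sub = tlv(opts.get(OPT_RELAY_AGENT, b""), stop_at_end=False)
    circuit = sub.get(SUB_CIRCUIT_ID, b"").decode("ascii", "replace")
    remote = sub.get(SUB_REMOTE_ID, b"").decode("ascii", "replace")
    hotspot = hotspots.get((giaddr, circuit))
    return {"giaddr": giaddr, "circuit_id": circuit, "remote_id": remote,
            "hotspot": hotspot, "portal": PORTAL_CONTENT.get(hotspot)}


def build_discover(giaddr, circuit_id, remote_id, client_mac):
    """Constructed DHCPDISCOVER as a relay would forward it (RFC 2131 layout)."""
    header = struct.pack("!BBBBIHH4s4s4s4s16s64s128s", 1, 1, 6, 1, 0x1234, 0, 0x8000,
                         b"\0" * 4, b"\0" * 4, b"\0" * 4, ipaddress.IPv4Address(giaddr).packed,
                         client_mac.ljust(16, b"\0"), b"\0" * 64, b"\0" * 128)
    sub82 = (bytes([SUB_CIRCUIT_ID, len(circuit_id)]) + circuit_id
             + bytes([SUB_REMOTE_ID, len(remote_id)]) + remote_id)
    options = (bytes([OPT_MSG_TYPE, 1, 1]) + bytes([OPT_RELAY_AGENT, len(sub82)]) + sub82
               + bytes([OPT_END]))
    return header + MAGIC_COOKIE + options
```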
Side topic – routing back to WiFi user in DHCP environment
Use location based info to allocate users from address pools; one pool per
• Aggregate routes
• Static, redistributed to IGP; simplified
Central pools ok but..
• Require DHCP relay to store state - snoop address coming back from the server in DHCP offer / ACK
• Also requires redistribution into IGP; scaling issues with that…
Secure access
Why?
• Various access vulnerabilities in simple models
• Session hijacking / spoofing, man in the middle
Two main approaches:
• IPSEC tunneling model
• 802.1x/EAP
WiFi secured access
IPSEC option
Diagram: WiFi user with inbuilt IPSEC client (eg- Win2k, WinXP) → L2TP/IPSEC connection (RFC3193) over any backhaul transport → Access Controller / BRAS / LNS* → MPLS backbone; RADIUS and Policy Server attached to the BRAS. The BRAS terminates IPSEC and controls the PPP session.
IPSEC WiFi access
Pros:
• No external client software – inbuilt into Windows
• PPP model gives full per user control (eg- terminate IPSEC and tunnel on L2TP)
• Integrates well into a VPN environment; user sessions terminated to MPLS VPNs at AC/BRAS (PE)
• Can use digital certificates to ensure identity (server and maybe clients also)
Cons:
• Client issues – overhead, PDA support (eg- WinCE today only supports MSCHAPv2?)
IPSEC WiFi access
Japan Case Study
Integration of VPN access for mobile corporate users regardless of access type
Outsource remote access management from corporates, and aggregate users in a layer 3 VPN – common point of subscriber management
Network diagram: WiFi user with native Windows client → IPSEC / L2TP (RFC 3193) over GE VLAN → Access Controller / BRAS (PE); 3G and 2G users → GGSN → LAC → L2TP → the same Access Controller / BRAS (PE). Users are mapped into corporate VPNs (native VRFs) across the MPLS backbone to the Corp HQ CE.
WiFi secured access
802.1x/EAP option
Diagram: WiFi user with EAP/802.1x client (eg- WinXP, iPass, Odyssey..) → EAPoL / 802.1x to the AP → any backhaul transport → Access Controller / BRAS → MPLS backbone; EAP carried in EAP/RADIUS to the RADIUS server, Policy Server attached to the BRAS.
Note- DHCP happens after EAP authentication
Option - Authentication using 802.1X and EAP on 802.11 - overview
Sequence diagram (source: Microsoft) between the client, the access point (802.11 / EAPOW) and the RADIUS server:
1. 802.11 Associate-Request / 802.11 Associate-Response – association; access blocked
2. EAPOW-Start
3. EAP-Request/Identity
4. EAP-Response/Identity → Radius-Access-Request
5. EAP-Request ← Radius-Access-Challenge
6. EAP-Response (credentials) → Radius-Access-Request
7. EAP-Success ← Radius-Access-Accept
8. EAPOW-Key (WEP..) – access allowed
EAP/802.1x WiFi access
Pros:
• EAP/802.1x built into WinXP
• Flexible authentication architecture – many different EAP options eg- GSM SIM using EAP/SIM, EAP-MD5, LEAP, Smartcards etc…
• Can handle interAP roaming with 802.11f
• Adopted in the corporate market
Cons:
• Doesn’t address core network / VPN portion, just secures access layer
• Today uses session keys vs temporal (WPA, coming in 802.11i)
• Need smarts to keep per user control in the network without double logon
Maintaining subscriber control when using 802.1x/EAP environment
“RADIUS relay” concept
• 802.1x access points have Radius client, EAP messages encapsulated in Radius messages
• Host MAC address in the Calling-Station-Id attribute
• Radius relay (BRAS) uses @domain name to forward Radius request to an external EAP capable Radius proxy or server
• BRAS relay stores Host MAC address (and maybe user) and awaits authorization data (VR to use, IP pool/address to use, filters, etc)
• DHCP request, based on the host MAC address, creates subscriber interface in proper context, allocates IP address, assigns default policies. Policy server control with no Web login
• Access point creates Radius authentication and accounting (stop)
Diagram: 802.1x AP → any backhaul transport → BRAS (Radius Relay, DHCP) with Policy Server attached; the relay forwards RADIUS to the external RADIUS server.
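The RADIUS relay concept as an added example (not Juniper's implementation): realm-based forwarding of the Access-Request, the host MAC from Calling-Station-Id bound to the authorization data carried by the Access-Accept, and a subscriber interface created from that data only when the same MAC later sends a DHCP request. The realm table, pool ranges and authorization attribute names (vr, pool, filters) are constructed.

```python
import ipaddress
import re

# Constructed tables for this example: realm -> upstream EAP-capable RADIUS
# server, and the per-VR address pools the authorization data may name.
REALM_SERVERS = {"corp-a.example": "radius-a.example:1812",
                 "wifi-op.example": "radius-op.example:1812"}
POOLS = {"corp-a-pool": "10.10.0.0/24", "wifi-pool": "10.20.0.0/24"}

def split_realm(user_name):
    """'alice@Corp-A.example' -> ('alice', 'corp-a.example'); realm None if absent."""
    user, sep, realm = user_name.rpartition("@")
    if not sep or not user or not realm:
        return user_name, None
    return user, realm.lower()

def normalize_mac(station_id):
    """Calling-Station-Id arrives as 00-11-22-33-44-55 or 00:11:22:33:44:55."""
    digits = re.sub(r"[^0-9a-f]", "", station_id.lower())
    if len(digits) != 12:
        raise ValueError("bad Calling-Station-Id: %r" % station_id)
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))

class RadiusRelay:
    def __init__(self, realm_servers, pools):
        self._servers = realm_servers
        self._pool_iters = {n: ipaddress.ip_network(c).hosts() for n, c in pools.items()}
        self._pending = {}      # mac -> (user, realm): Access-Request forwarded
        self._authorized = {}   # mac -> authorization data from Access-Accept
        self._interfaces = {}   # mac -> subscriber interface

    def access_request(self, attrs):
        # Pick the upstream server from the @domain and remember which host
        # (MAC) the EAP conversation belongs to; unknown realm: nowhere to send.
        user, realm = split_realm(attrs["User-Name"])
        server = self._servers.get(realm)
        if server is None:
            return None
        self._pending[normalize_mac(attrs["Calling-Station-Id"])] = (user, realm)
        return server

    def access_accept(self, station_id, authorization):
        # Keep VR / pool / filters until the host's DHCP request arrives.
        mac = normalize_mac(station_id)
        user, realm = self._pending.pop(mac, ("", None))
        self._authorized[mac] = {"user": user, "realm": realm, **authorization}

    def dhcp_request(self, station_id):
        # SI is created in the authorized VR; a host that never passed EAP
        # gets no address and no interface.
        mac = normalize_mac(station_id)
        auth = self._authorized.get(mac)
        if auth is None:
            return None
        si = {"ip": str(next(self._pool_iters[auth["pool"]])), "vr": auth["vr"],
              "filters": list(auth["filters"]), "user": auth["user"]}
        self._interfaces[mac] = si
        return si

    def accounting_stop(self, station_id):
        # The AP's Accounting-Stop tears the subscriber interface down.
        mac = normalize_mac(station_id)
        self._authorized.pop(mac, None)
        return self._interfaces.pop(mac, None)
```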
Summary
Which access model?
• PPPoE is nice, but often not practical
• DHCP – web login models now can provide good per user control, and location info etc
Where am I? Location information
• Key for WiFi business models, eg- generate content based on location (virtualised)
Security
• IPSEC is a good end-end mechanism, integration with VPNs
• EAP is flexible and useful in access, but needs to tie in with core network and per user control
Thank you…!
Contact: [email protected]
802.11 variants
802.11a – 5.4MHz, OFDM, 54 Mbps, 10+ channels
802.11b – 2.4GHz, DSSS, 11 Mbps, 3 channels
802.11d – Enhancements to meet country specific regulations
802.11e – Quality of Service
802.11f – Inter-Access Point Protocol, handover between close APs
802.11g – 2.4GHz, OFDM, 54Mbps, 3 channels
802.11h – Specifically for 5GHz; power control and frequency selection
802.11i – Security framework, reference to 802.1x and EAP
See PowerPoint comments page below for more details
Wireless LAN Technologies
Technology – Freq. band – Coverage – Data rate
802.11b – 2.4 GHz, Public – Worldwide – 1-11 Mbps
802.11g – 2.4 GHz, Public – Worldwide – 1-54 Mbps
802.11a – 5 GHz / Public / Private – US/AP – 20-54 Mbps (1-2 yrs), 100+ Mbps (future)
HiperLAN2 – 5 GHz – Europe – 20-54 Mbps (1-2 yrs)
PWLAN and Security
WEP encryption (Wireless Equivalent Protocol) much criticized in enterprise
• Also it uses static keys which is not valid for PWLAN as keys would need to be published
802.1x and EAP delivers improved security for PWLAN
• Introduces dynamic keys at start of session, and PWLAN sessions are short lived (unlike enterprise)
802.11i
• Uses 802.1x which uses EAP and allows dynamic keys
• Firmware upgrade for TKIP then hardware upgrade for improved AES encryption
• Poses transition complexity for existing user base
WPA (Wi-Fi Protected Access) is an interim step to 802.11i
• Uses 802.1x and EAP and TKIP but no AES
802.1x Overview
Make up for deficiencies in WEP which uses static keys
IEEE 802.1x-2001: Port-Based Network Access Control
• Prior to authentication traffic is restricted to the authentication server
RFC 2284 (1998): PPP Extensible Authentication Protocol (EAP)
• EAP encapsulated in Radius for transport to EAP enabled AAA server
• Many variations: EAP/TLS and EAP-PEAP supported by Microsoft, MD5, OTP, LEAP (Cisco), and SIM (GSM Subscriber Identity Module)
IEEE 802.11i Framework Specification
• Specifies use of 802.1x and EAP for authentication and encryption key
• New encryption in access point
• Access Points need firmware upgrade to TKIP then new hardware for AES
PWLAN and Mobile
3GPP standards org defined five scenarios for PWLAN integration with 3G
• From common authentication to seamless handover of voice service
• Specified 802.1x based authentication
• Part of 3GPP Release 6, specified in TS 23.234
But, real deployments are occurring well in advance of 3GPP R6……so:
GSM Association WLAN Task Force issued guidelines for pre Release 6
• Web based login initially transitioning to 3GPP release 6 spec
A SIM located in WLAN cards will use authentication based on EAP/SIM
• Eg- Use of SIM dongle
EAP to SS7 gateways will allow mobile HLR / HSSs to authenticate the WLAN card
Authenticating against the GSM HLR
Existing database with all mobile subscriber information
Existing provisioning and customer care systems are used
EAP/SIM can offer GSM equivalent authentication and encryption
Gateway between RADIUS/IP and MAP/SS7 is required
• Eg Funk Software Steel Belted Radius/SS7 Gateway
• Ulticom Signalware SS7 software
• Sun server E1/T1 interface card
• An overview of the product is in this attachment:
• Major vendors Ericsson, Siemens, Nokia all have or are developing their own offer
802.1x EAP/SIM authentication from HLR
Transparent RADIUS relay
Sequence diagram: Client ↔ Authenticator (EAPoL) ↔ BRAS AC (RADIUS Relay) ↔ RADIUS/SS-7 GW ↔ HLR (MAP/SS7, Gr interface).
Client authentication: EAPoL between client and authenticator, RADIUS from the authenticator through the relay to the RADIUS/SS-7 gateway, MAP over the Gr interface to the HLR
Client IP address assignment: DHCP Discover, DHCP Offer, DHCP Request, DHCP Ack {address = End User address from GGSN}
Tight integration proposed by 3GPP
Sequence diagram: Client ↔ Authenticator (EAPoL) ↔ Access Controller (RADIUS Relay) ↔ RADIUS/SS-7 GW ↔ HLR (Gr interface); the Access Controller also speaks GPRS Tunneling Protocol to the GGSN.
Client authentication: EAPoL, RADIUS through the relay, Gr interface to the HLR
Create PDP Context {IP, transparent mode APN, IMSI/NSAPI, MSISDN, dynamic address requested} to the GGSN; Create PDP Context Response {End User Address}
Client IP address assignment: DHCP Discover, DHCP Offer, DHCP Request, DHCP Ack {address = End User address from GGSN}
Lease expiration: Delete PDP Context Request
Real time handover…
Many access types – WLAN, 3G, GPRS…
Mobile IP could provide reasonable real-time macro roaming between cellular and WLAN access types (also alternates such as 802.16/WiMax)
Supported for dual mode CPE/handsets
• Eg- Dual Mode NEC cellphone with WLAN as trialed in DoCoMo
• PDAs with WLAN and CDMA 1x/EVDO or GPRS/WCDMA
• Notebooks with cellular data or dual mode cards
Off the shelf client software available today – IPUnplugged, Birdstep
Challenges- VoIP, WLAN automated logon (eg- 802.1x could solve this), applications/OS can handle address changes
Overview of Mobile IPv4 (RFC2002)
Diagram: MN attached via the FA to the Internet, with HA and CN; the numbered arrows 1-5 correspond to the steps below.
1. MN discovers Foreign Agent (FA)
2. MN obtains COA (FA - Care Of Address)
3. MN registers with FA which relays registration to HA
4. HA tunnels packets from CN to MN through FA
5. FA forwards packets from MN to CN or reverse tunnels through HA (RFC3024)
Mobile IP Interworking with UMTS/GPRS
Recommends use of FA Care Of Addresses (CoA), not collocated, to conserve IPv4 addresses
Source: 3GPP
38
Registration Process to GGSN FA
IPv4 - Registration UMTS/GPRS + MIP, FA care-of address
Sequence diagram: TE ↔ MT ↔ SGSN ↔ GGSN/FA ↔ Home Network.
1. AT Command (APN)
2. Activate PDP Context Request (APN=MIPv4FA)
A. Select suitable GGSN
3. Create PDP Context Request (APN=MIPv4FA)
4. Create PDP Context Response (no PDP address)
5. Activate PDP Context Accept (no PDP address)
6. Agent Advertisement
7. MIP Registration Request
8. MIP Registration Request
9. MIP Registration Reply
10. MIP Registration Reply
Overview of Mobile IPv6
Removes need for external FA in future 3GPP systems
Diagram: MN and HA on the Internet with CN; the numbered arrows 1-4 correspond to the steps below.
1. MN obtains IP address using stateless or stateful autoconfiguration
2. MN registers with HA
3. HA tunnels packets from CN to MN
4. MN sends packets directly to CN or via tunnel to HA
• Binding Update from MN to CN removes HA from path.