Transcript FreeSurf Access Control

FreeSurf: Application-centric
Wireless Access*
IRTF GAIA, July 2016
Berlin
Zhen Cao@Huawei
Jürgen Fitschen
Panagiotis Papadimitriou
@Leibniz Universität Hannover
* Sigcomm 2015 Poster, and IEEE HPSR 2016
Costly WiFi and Free Apps
2
Public Wi-Fi with a Traditional setup
Network highly underutilized
Only ONE connection per user per month*
10% active customers
No way to provide ubiquitous
connectivity for customers
Operator
Service
Providers
Poor user satisfaction
Always reluctant to pay, and impatient
12 clicks are required for a captive portal authentication
25% of users abandon access after 4 seconds #
50% of users abandon access after 10 seconds
3
Application-centric Wireless Access
Authentication
AuthFlow
DataFlow
Access
Authentication
Operator
Access control
FreeSurf
Controller
FreeSurf
SPs
 Authentication: users authenticate to the


network using their SP accounts, e.g., Amazon
Access: users are allowed to access the SP
domain after a successful authentication
Billing: SP is accountable for their customers’
access, and users are left to FreeSurf
4
FreeSurf Authentication
FreeSurf
Controller
1.EAP Identity Request
2. EAP Identity Response
[email protected]
EAP-TTLS Start
AuthFlow
Authentication
forwarding table
ID
@amazon.com
@ebay.com
*
Amazon
AAA
FreeSurf SP
Amazon AAA IP
ebay AAA
Operator AAA
Radius EAP-TTLS Start
Server authentication and TLS tunnel setup
EAP-TTLS Phase 2 (e.g., MSCHAP ), user
authenticates using the SP account ([email protected])
5
FreeSurf Access Control
FreeSurf
Controller
Amazon
Authentication
Openflow
tablle
Flows towards SP domain
Flows towards outside of
SP domain
CDN, Multihoming, Cloudified
✔
✖
6
Understanding SP’s Networks
100%
90%
CDF of the number of TCP
connections per web page;
~30% of them need more
than 40 TCP connections
80%
70%
60%
50%
40%
30%
20%
10%
0%
0
20
40
60
80
100
120
140
160
180
200
Number of TCP connec ons to load a web page
Tablesize
Lookup efficiency
Lookup
efficiency
Consequences with the increase of number of SPs and users
BF assisted
Tablesize
7
FreeSurf Architecture (recap)
AuthFlow CTRL
DataFlow CTRL
FreeSurf
Controller
Service Providers
Authentication delegation

&
Policy based Access Control
Support both direct mode and broke mode
8
FreeSurf Prototype
Flow 1: FreeSurf authflow
1
2
DataFlo
w
Client: an IOS device
AuthFlow
FreeSurf Controller
(POX)
Authenticator
(hostapd)
Data Plane
(ovs)
Linux
FreeSurf SP
AAA Server
1
2
Operator
AAA Server
Flow 2: non-FreeSurf authflow
In AWS
Within
same
LAN
Internet
FreeSurf AP: Linux Laptop +
USB Wireless Dongle +
Hostapd
9
FreeSurf Evaluation

BF promotes lookup efficiency
Minimal increase in authentication delay
with FreeSurf
 1.7% additional delay with EAP-TTLS
 2.4% additional delay with EAP-PEAP
The larger the flow table is , the more BF helps
Lookup with the BF is constant irrespective of flow table
size
9.5
9
800
EAP-PEAP
8.5
EAP-TTLS
8
600
400
929
906
626
615
BF
non BF
7.5
7
6.5
6
200
80
75
0
FreeSurf (remote AAA) non-FS (remote AAA)
Delay in ms
Full authentication delay in ms
1000
non-FS (local AAA)
5.5
5
1000
3000
5000
7000
9000
10
Related Work
Target users
Authentication
Approach
Third-party
Friendly?
FON
Fon members
Web portal with user
intervention
Member participation
NO
Facebook WiFi
Facebook users
Web portal with user
intervention
Facebook initiated
participatory program
NO
Facebook Zero
Cellular users
Need operator SIM
Special URL and offline
negotiation
NO
OpenWiFi
Guest WiFi
Portal based with user
intervention
SDN
YES
Eduroam
Academic
EAP compatible /Radius
Routing
Agreement pre-setup
NO
FreeSurf
Public WiFi and SP
customers
EAP compatible and
automatic
SDN
YES
11
Takeaway

FreeSurf supports SP sponsored data access :
 Authentication delegation via AuthFlow
 Policy based access control

More challenges ahead:


Authentication resumption in case of mobility and roaming
Access control policy update
12
THANK YOU
For more information, checkout our paper and codes here
https://github.com/freesurf
13