Making the Wi-Fi Roaming Experience as Secure and Easy to Use as With Cellular

Hotspot 2.0 is focused on enabling a mobile device to automatically discover APs that have a roaming arrangement with the user’s home network and then securely connect. This is very much the cellular experience that we all enjoy when getting off an airplane just about anywhere in the world. Wi-Fi roaming would apply any time a mobile device does not see an AP belonging to its home network provider. A user could roam on a Wi-Fi network that is across town or on the other side of the world. Roaming partners can include MSOs, MNOs, wireline operators, public venues, enterprises, and basically any other entity that has Wi-Fi assets. Roaming can be accomplished with dual-mode devices (smartphones) or Wi-Fi-only devices like tablets and laptops.
With Hotspot 2.0, the client device is equipped by an authentication provider with one or more credentials, such as a SIM card, a username/password pair, or an X.509 certificate. The device can then query Hotspot 2.0 capable APs to see whether each one belongs to a visited network that supports roaming with the device’s home network.
Hotspot 2.0 is a program of the Wi-Fi Alliance, and is supported by the Passpoint™ certification program, which ensures that APs and client devices comply with the technical specifications. Hotspot 2.0 capabilities are emerging in a series of releases. Release 1 came out in June 2012 and was focused on automating network discovery/selection, authentication, and over-the-air security. Later releases in the coming years will add further capabilities. Mobile devices with Hotspot 2.0 support are now available in the market. While vendors may choose to introduce new models to enable Hotspot 2.0, these capabilities can be added via software updates in most cases.
To enable a compelling roaming experience, groups such as the Wireless Broadband Alliance and CableLabs are working to create frameworks and standards for linking the authentication domains of various operators. A number of companies are also interested in providing “roaming hubs” that would provide an authentication service for Wi-Fi network providers.
The hassles and risks of connecting to public Wi-Fi will soon be a thing of the past, thanks to Hotspot 2.0.
Hotspot 2.0 Release 1

Release 1 is focused squarely on over-the-air security and network discovery and selection. The key enabling protocols are IEEE 802.11u, along with IEEE 802.1X, selected EAP methods, and IEEE 802.11i. The latter three are part of the WPA2-Enterprise certification program in the Wi-Fi Alliance, and are standard on all smartphones. While the certification is called "WPA2-Enterprise", the end result is a process that is every bit as secure and easy to use as what exists in the cellular world.
The IEEE 802.11u protocol enables a mobile device to have a dialog with a Wi-Fi AP "pre-association" to determine the capabilities that the network can support. The two protocols that 802.11u uses to make this happen are the Generic Advertisement Service (GAS) and the Access Network Query Protocol (ANQP). These protocols run on top of 802.11 and enable the Hotspot 2.0 experience.

Figure: Hotspot 2.0 protocol stack
The Process of Network Discovery and Selection

When a user with an HS2.0 capable mobile device comes within range of a Hotspot 2.0 capable AP, the device automatically opens a dialog with that AP to determine its capabilities. This is done using ANQP packets that are carried at layer 2 by the GAS service (note: the device has not yet attached and does not yet have an IP address). It is the exchange of ANQP packets that allows the mobile device to automatically learn the capabilities of an AP. A few of the more important capabilities include:
1) The domain name of the network operator. If the AP is part of the user's home network then no roaming is required and the user can move straight to authentication. If the AP is not on the user's home network, then roaming is required.
2) If roaming is required, then the list of roaming partners that are supported by that AP must be passed down to the mobile device via the ANQP protocol. This can be provided in the form of a PLMN (Public Land Mobile Network) ID, a realm, or an organizational identifier (OI):
- 3GPP PLMN ID (MCC plus MNC) would be the preferred method for a
mobile operator. MCC refers to the mobile country code and MNC to the
mobile network code.
- NAI Realm List (username@domain name) would be the preferred method
to identify most non-mobile operators like MSOs, wireline operators, and
public venues.
- IEEE Organization Identifier (6 hexadecimal digits that many would recognize as the first 3 bytes of a MAC address). The WFA recommends that national and international SPs have an Organization Identifier (OI). The two primary use cases for OI are as follows:
- A small number of OIs can be put in the AP's beacon; if the mobile
device recognizes the OI, it doesn't need to use ANQP to determine if it
can successfully authenticate at that AP. This can conserve the mobile's
battery as well as reduce the time to associate.
- Some SPs may wish to sell subscription levels (e.g., gold, silver,
bronze) in which not all subscribers have access at every AP. For
example, gold users might have access privileges at all APs in an
operator's network, but bronze users might not be authorized to use an
operator's APs in premium locations.
It is possible that service providers might advertise roaming consortiums in more than one way. A mobile operator might advertise both a PLMN ID and a realm: the former is used for SIM-based devices and the latter for non-SIM devices. A wireline operator or an MSO would only advertise their realm, as they don't have a PLMN ID.
3) Other attributes that can be relayed to the mobile device include backhaul bandwidth and loading on the access network. This is useful information if there is more than one AP that can roam with the user's home network. Other details that are passed down to the phone as part of the HS2.0 process include:
- The operator friendly name (San Jose Airport for instance). This
can be displayed on the mobile device once the connection is established
and is fairly standard when roaming on cellular networks.
- Venue type (stadium or hospital)
- IP Address Type (v4/v6)
- Internet access or walled garden
- And more
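The beacon-based OI shortcut described in item 2 above, as an added example that is not part of the original article: the device decodes the Roaming Consortium element carried in an AP's beacon and checks whether any advertised OI is one its home provider issued to it; only if none matches does it need to fall back to the ANQP exchange. The element layout used here (element ID 111, a count of further OIs available via ANQP, one octet holding the OI #1 length in its low nibble and the OI #2 length in its high nibble, then the OIs themselves) is my reading of the IEEE 802.11u Roaming Consortium element and is an assumption to verify against the standard; the OI values and the sample beacon bytes are constructed for illustration.

```python
# Added example (not from the original article): decoding a Roaming Consortium
# element from a beacon and matching it against the OIs the device subscribes to.
# Field layout is assumed (see lead-in); verify against IEEE 802.11u before use.
from dataclasses import dataclass
from typing import List, Optional

ROAMING_CONSORTIUM_ELEMENT_ID = 111  # assumed element ID for the Roaming Consortium IE


@dataclass
class RoamingConsortium:
    ois_in_beacon: List[bytes]   # OIs carried directly in the beacon
    more_via_anqp: int           # how many additional OIs ANQP would return


def parse_roaming_consortium(ie: bytes) -> RoamingConsortium:
    """Decode one information element (ID, length, body) into its OIs.
    Raises ValueError on a malformed element rather than guessing."""
    if len(ie) < 2:
        raise ValueError("information element too short")
    element_id, length = ie[0], ie[1]
    if element_id != ROAMING_CONSORTIUM_ELEMENT_ID:
        raise ValueError(f"not a Roaming Consortium element (id={element_id})")
    body = ie[2:2 + length]
    if len(body) != length or length < 2:
        raise ValueError("element body truncated")
    more_via_anqp = body[0]
    len1 = body[1] & 0x0F          # low nibble: length of OI #1
    len2 = (body[1] >> 4) & 0x0F   # high nibble: length of OI #2 (0 = absent)
    ois: List[bytes] = []
    pos = 2
    for oi_len in (len1, len2):
        if oi_len == 0:
            continue
        # an OI is at least the 3-byte IEEE organization identifier
        if oi_len < 3 or pos + oi_len > len(body):
            raise ValueError("OI length out of range")
        ois.append(bytes(body[pos:pos + oi_len]))
        pos += oi_len
    return RoamingConsortium(ois_in_beacon=ois, more_via_anqp=more_via_anqp)


def is_well_formed(ie: bytes) -> bool:
    """True when the element parses cleanly; a robust client drops the rest."""
    try:
        parse_roaming_consortium(ie)
        return True
    except ValueError:
        return False


def beacon_shortcut_match(ie: bytes, subscribed_ois: List[bytes]) -> Optional[bytes]:
    """Return the first beacon OI the device is subscribed to, else None.
    None means the device must query ANQP before it knows whether it can
    authenticate at this AP."""
    rc = parse_roaming_consortium(ie)
    for oi in rc.ois_in_beacon:
        if oi in subscribed_ois:
            return oi
    return None


# Constructed sample: an AP advertising two OIs in its beacon and three more over
# ANQP. The OI values AA:BB:CC and 11:22:33 are made up for illustration.
SAMPLE_IE = bytes([111, 8, 3, 0x33, 0xAA, 0xBB, 0xCC, 0x11, 0x22, 0x33])
HOME_OIS = [bytes([0x11, 0x22, 0x33])]

if __name__ == "__main__":
    rc = parse_roaming_consortium(SAMPLE_IE)
    print([oi.hex() for oi in rc.ois_in_beacon], "more via ANQP:", rc.more_via_anqp)
    match = beacon_shortcut_match(SAMPLE_IE, HOME_OIS)
    print("skip ANQP" if match else "query ANQP", match.hex() if match else "")
```

The parser refuses truncated or oversized OI fields instead of reading past the body, which is the behaviour a client should have for any layer-2 element it decodes before it has even associated.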
Once the mobile device learns the roaming partners and the identity of the AP operator, it invokes some basic, built-in network selection policies to determine which AP to join. The basic policy provided by Passpoint Release 1 capable mobile devices is, in the absence of overriding user-configured preferences, to prefer Hotspot 2.0 compliant APs over legacy APs (i.e., non-Hotspot 2.0 APs) and to prefer an AP operated by the user's home operator over one operated by a visited operator. Users are allowed to specify that certain Wi-Fi networks should always have priority; these would typically include the user's home network and their work network.
The ability of the mobile device to "learn" about Wi-Fi network capabilities pre-association will completely transform the Wi-Fi user experience. It will also completely change the nature of an SSID (Service Set IDentifier). In the past, users and devices had to "remember" SSIDs that provided connectivity, so that they could be accessed again in the future. These are typically SSIDs for which they have credentials or which provide open access. With HS2.0 the importance of SSIDs will be reduced, and what really matters is whether the visited AP has a roaming arrangement with the user's home network provider. In fact, the notion of having an AP advertise many different SSIDs for different purposes will also be greatly reduced in favor of Hotspot 2.0 based advertisements. This should also enhance the performance of mobile networks, as it reduces the airlink traffic associated with the beacons generated by these additional SSIDs.
Secure Authentication

Hotspot 2.0 also requires the use of 802.1X authentication; captive-portal-based authentication is not supported in HS2.0. As part of the 802.1X authentication process, the following EAP methods must be supported:
- If a mobile device has a Subscriber Identity Module (SIM), then EAP-SIM as defined in RFC 4186.
- If a mobile device has a UMTS Subscriber Identity Module (USIM), then EAP-Authentication and Key Agreement (AKA) as defined in RFC 4187.
- All mobile devices must support EAP-Transport Layer Security (TLS) as defined in RFC 5216, which uses an X.509 digital certificate.
- All mobile devices must support EAP-Tunneled Transport Layer Security (TTLS) as defined in RFC 5281, along with MS-CHAPv2, which uses a username and password with a server-side certificate.
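The network selection policy from "The Process of Network Discovery and Selection" (prefer a user-prioritized network, then Hotspot 2.0 over legacy, then home operator over visited operator) and the credential-to-EAP-method mapping listed just above, worked through in one added example that is not code from the original article. The class and field names, the sample APs, the test PLMN "00101", and the realm and domain names are my own constructions; only the matching rules and the EAP mapping follow the text.

```python
# Added example (not from the original article): a simplified model of the
# Passpoint Release 1 network-selection policy, followed by the EAP method the
# device must use for the credential it holds. All identifiers are constructed.
from dataclasses import dataclass, field
from typing import Iterable, List, Optional, Tuple


@dataclass
class Credential:
    kind: str                        # "sim", "usim", "cert" or "password"
    home_domain: str                 # home operator's domain name
    plmn: Optional[str] = None       # MCC+MNC, only for SIM/USIM credentials
    realm: Optional[str] = None      # NAI realm, for non-SIM credentials
    roaming_ois: List[bytes] = field(default_factory=list)  # OIs issued by the home SP


@dataclass
class CandidateAP:
    ssid: str
    hs20: bool                                               # Hotspot 2.0 capable?
    domain_names: List[str] = field(default_factory=list)    # from ANQP Domain Name
    plmns: List[str] = field(default_factory=list)           # from ANQP 3GPP cellular info
    nai_realms: List[str] = field(default_factory=list)      # from ANQP NAI Realm list
    roaming_ois: List[bytes] = field(default_factory=list)   # from ANQP Roaming Consortium


def match_kind(ap: CandidateAP, cred: Credential) -> Optional[str]:
    """'home' if the AP belongs to the home operator, 'roaming' if it advertises
    a roaming partner usable with this credential, None if the device cannot
    authenticate here at all."""
    if cred.home_domain in ap.domain_names:
        return "home"
    if cred.plmn is not None and cred.plmn in ap.plmns:
        return "roaming"          # SIM/USIM subscriber matched by PLMN ID
    if cred.realm is not None and cred.realm in ap.nai_realms:
        return "roaming"          # non-SIM subscriber matched by NAI realm
    if any(oi in ap.roaming_ois for oi in cred.roaming_ois):
        return "roaming"          # matched by organization identifier
    return None


def rank_key(ap: CandidateAP, cred: Credential, priority_ssids: Iterable[str],
             remembered_ssids: Iterable[str]) -> Optional[Tuple[int, int, int]]:
    """Sort key (lower is better) or None when the AP is unusable.
    Precedence: user-configured priority network, then HS2.0 over legacy,
    then home operator over visited operator."""
    if ap.hs20:
        kind = match_kind(ap, cred)
        if kind is None:
            return None
    elif ap.ssid in remembered_ssids:
        kind = "legacy"           # a remembered SSID the device can still join
    else:
        return None
    return (0 if ap.ssid in priority_ssids else 1,
            0 if ap.hs20 else 1,
            0 if kind == "home" else 1)


def select_ap(aps: List[CandidateAP], cred: Credential,
              priority_ssids: Iterable[str] = (),
              remembered_ssids: Iterable[str] = ()) -> Optional[CandidateAP]:
    """Apply the policy to every scanned AP and return the best one, if any."""
    priority, remembered = set(priority_ssids), set(remembered_ssids)
    usable = [(key, ap) for ap in aps
              if (key := rank_key(ap, cred, priority, remembered)) is not None]
    if not usable:
        return None
    usable.sort(key=lambda pair: pair[0])   # stable sort: ties keep scan order
    return usable[0][1]


# EAP method required for each credential type under HS2.0 Release 1
EAP_BY_CREDENTIAL = {
    "sim": "EAP-SIM (RFC 4186)",
    "usim": "EAP-AKA (RFC 4187)",
    "cert": "EAP-TLS (RFC 5216)",
    "password": "EAP-TTLS with MS-CHAPv2 (RFC 5281)",
}


def eap_method(cred: Credential) -> str:
    return EAP_BY_CREDENTIAL[cred.kind]


# Constructed scan results and subscribers (values made up for illustration)
SAMPLE_APS = [
    CandidateAP("CoffeeShop-Free", hs20=False),
    CandidateAP("AirportWiFi", hs20=True, domain_names=["airport.example"],
                plmns=["00101"], nai_realms=["cable.example"]),
    CandidateAP("HomeOperator", hs20=True, domain_names=["mobile.example"],
                plmns=["00101"]),
]
SIM_USER = Credential(kind="sim", home_domain="mobile.example", plmn="00101")
CABLE_USER = Credential(kind="password", home_domain="cable.example", realm="cable.example")

if __name__ == "__main__":
    for user in (SIM_USER, CABLE_USER):
        chosen = select_ap(SAMPLE_APS, user)
        print(user.home_domain, "->", chosen.ssid if chosen else None, "via", eap_method(user))
```

With these inputs the SIM subscriber lands on its home operator's AP even though the airport AP also advertises its PLMN, and the cable subscriber is routed to the airport AP through the NAI realm match; the open coffee-shop SSID is only chosen when the user has explicitly prioritized it, which is the override the text describes.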
WPA2-Enterprise also requires that the airlink be encrypted using 802.11i. This addresses a security vulnerability of open-access or portal-based hotspots that don't provide airlink encryption. Hotspot 2.0 plugs this vulnerability with 802.11i, which uses AES (Advanced Encryption Standard) technology. This combination of protocols is what enables Wi-Fi to be every bit as secure and easy to use as a cellular service. In addition, Hotspot 2.0 Release 1 improves upon WPA2-Enterprise security by eliminating the so-called "Hole-196" attack, in which a device forges broadcast or multicast frames (as if coming from a legitimate AP) to initiate its attack.
Figure 2: Authenticating a roaming user to their home network

Figure 2 shows the process by which a user in a visited network can have their authentication request proxied back to the home network. In this example the visited network could be an MNO, an MSO, a private enterprise, a public venue (such as a hotel, convention center, airport, etc.), or a wireline provider. Wi-Fi greatly expands the universe of possible roaming partners, and thus the utility of a Wi-Fi network.
Settlements and the Business of Roaming

Hotspot 2.0 will greatly enhance the opportunities for Wi-Fi operators to monetize their networks through roaming arrangements with other providers. These providers can include MNOs, MSOs, wireline providers, and a wide variety of enterprises including hotels, convention centers, hospitals, airports, etc. This also raises the very important subject of settlements, which are used to make sure all operators (mobile or wireline) get paid for services rendered, where appropriate. In 2012, the WBA updated its WRIX service specifications, which govern settlements and billing. Key elements include WRIX-i (interconnect), WRIX-d (data clearing), and WRIX-f (financial settlements). These services can be deployed by the home and visited network providers, either directly or through a third-party WRIX service provider.
The Impact of Hotspot 2.0

Hotspot 2.0's impact on the industry will be enormous. Mobile operators are already seeing their networks overloaded by data traffic and are looking at all available options to increase densification. At the top of their list are technologies like Wi-Fi and LTE small cells. Cable and wireline operators are taking advantage of their backhaul capabilities to rapidly build out an extensive Wi-Fi footprint. This technology has also been extensively deployed in public venues like hotels, airports, convention centers, stadiums, hospitals, etc. With Hotspot 2.0, it will now be possible to link together this huge footprint of Wi-Fi APs through a web of roaming arrangements. Users will be able to seamlessly roam onto Wi-Fi networks from almost any location.
The net result for the MNO is much greater network densification than could be achieved by building out a network of APs on their own, and a much better experience for the subscriber. Users no longer need to know or care about SSIDs and authentication protocols. Instead, they get an always best-connected experience.
Venue owners and operators can begin to better monetize their Wi-Fi network investments through these roaming arrangements and the settlements that they entail. A mobile operator that deploys a Wi-Fi network in a stadium can now monetize that asset by allowing subscribers of other operators to roam onto that network. Hotels can likewise allow subscribers of all the different mobile operators to roam onto their in-building Wi-Fi networks.
Hotspot 2.0 technology will radically transform the wireless industry, and it is set to emerge in 2013 in a very big way.
Credit: RuckusWorks