Wi-Fi OFFLOAD: AUTHENTICATION AND
SECURITY THROUGH EAP-BASED APPROACH
Abstract Data traffic demand is growing rapidly while operators struggle with declining margins and rising capital costs in their mobile broadband strategies. The telecom industry talks about offload as a solution, but offload can take many forms, leaving many operators unsure of which path to take. The business case for Wi-Fi is evolving, not just for data offload but also for voice and messaging, which offers an opportunity to integrate Wi-Fi more deeply with the operator's service portfolio. A central concern of any Wi-Fi deployment is the end goal of integrating the existing cellular architecture and the Wi-Fi architecture with minimal changes. When mobile devices connect to networks, user and end-point authentication play critical roles in preventing misuse, abuse and attack. This paper provides a deep-dive into the ramifications of Wi-Fi authentication and security, studying the carrier-class Wi-Fi challenges operators face in terms of scalability and flexibility of the solution, service quality, terminal readiness and the desired success in Wi-Fi deployments. It marks a reversal of the attitude once held by carriers, which distrusted Wi-Fi's open design and chose to deliver their services through their own tightly controlled networks. By embracing Wi-Fi, carriers are now putting their data offload strategy to pragmatic use by diverting traffic to this alternative route. Wi-Fi access also gives carriers new revenue streams and draws in consumers who increasingly search for local wireless hotspots.
Converging Multiple Access Technology
Challenges to Building a Carrier Class Wi-Fi Experience: Security, Authentication, Roaming
Integrating the Mobile Core: Provisioning, Policy Control and Billing
Delivering the Right Wi-Fi Experience
Greenpacket Wi-Fi Offloading Solutions: Smart Data Offload, Seamless Data Offload, Dynamic Data Offload
Wi-Fi Adoption Intensifies Interest in Offloading
Wi-Fi Your Network to More Bandwidth!
Overview Wi-Fi has undoubtedly established itself as a genuine wireless access technology capable of delivering a cellular-grade experience. The business model for Wi-Fi has changed from merely an alternative home Internet gateway to an essential part of the operator's broader network data strategy. The rise of the smartphone left consumers needing connectivity and in turn drove the need for more bandwidth through the Wi-Fi marketplace, as Wi-Fi is recognized as the de-facto technology for the average smartphone user. According to a Gartner report, smartphone sales are expected to surpass 1 billion units by 2015, when they will account for 50% of the total mobile device market. Smartphone behaviour is markedly different from that of the previous generation of handsets; as devices become more complex, so does the traffic mix. The traffic mix now contains far more high-bandwidth video and content consumption, which 3G as a delivery mechanism cannot keep up with. When spectrum runs short, service degrades sharply: calls get dropped and data speeds slow down. Wi-Fi offloading is an opportunity for operators to reduce 3G traffic load and, at the same time, to counter the growing pressure from OTT players like Skype and Google and avoid revenue erosion. Wi-Fi remains very much on the operator's agenda. There is a clear desire to integrate the technology more closely with cellular, both in terms of ease of use (network discovery, authentication and log-on) and at the core-network level. Whatever the challenges, the adoption of Wi-Fi offloading will not decelerate: next-generation LTE connectivity will further drive the end user's need for high-performance wireless connectivity, and Wi-Fi will be more relevant in the 4G era than it was for 3G. Moreover, the growth in cloud-based services will only further drive demand and unlock the potential of "big data".
Several Tier 1 operators, China Mobile and KDDI in Japan among them, are already embracing Wi-Fi in large-scale deployments to offload peak data traffic from cellular networks and support the delivery of new content and value-added services. The Wireless Broadband Alliance (WBA) and the Wi-Fi Alliance are encouraging the development of Wi-Fi standards that address the future of Wi-Fi roaming through Next Generation Hotspot (NGH) and Hotspot 2.0, including offload architectures. With standards work improving and gaining greater acceptance through successful trials, the entire value chain of vendors, device manufacturers and developers stands to benefit from a larger marketplace.
Converging Multiple Access Technology With heterogeneous networks (HetNet) becoming the preferred architecture for next-generation networks, the desire to extend cellular coverage via Wi-Fi and small cells (femtocells, picocells, microcells), or any combination of these, will continue to push seamless coverage towards ubiquity. To maintain the integrity of service assurance, operators must exercise due diligence in laying the foundation of a secure network and must scrutinize every interconnection to it.
Challenges to Building a Carrier Class Wi-Fi Experience From an operator's point of view, carrier-grade Wi-Fi requires strong security: strong trust through authentication and billing credentials, quality of service, network discovery and policy control. All of these features are needed to ensure the end-user experience is not compromised, as identity theft and fraud involving sensitive information can damage the operator's brand and credibility.
Security As the number of web-enabled devices such as smartphones and tablets continues to grow, security matters equally on the device, on the network and for the data traversing both secured and unsecured Wi-Fi networks. The emerging trend of accessing data universally, independent of the device carried, calls for stricter control. When data is carried over an unsecured WLAN such as a public hotspot, it is hard to enforce restrictions on data streams and content, and the confidentiality of that data cannot be taken for granted. Encryption therefore has to be applied explicitly: AES (CCMP) in WPA2 protects the air link on 802.1X-authenticated networks, and IPsec tunnels negotiated with IKEv2 protect traffic from the device all the way to the operator's gateway when the WLAN itself is untrusted. Together they give Wi-Fi the level of security that is expected of cellular.
Roaming between networks is complicated by the fact that the visited network has no access to the long-term credentials used to authenticate the user; those stay on the subscriber's SIM and in the home operator's AAA. Roaming is therefore emulated through the Extensible Authentication Protocol (EAP), ideally SIM-based, which most Wi-Fi devices now support: the home network performs the authentication and hands the visited network only the session keys it needs for the air link. Accounting between operators is less clear, including how much operators should charge each other for access.
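The Security and Roaming paragraphs above make a point worth seeing in code: after an EAP-SIM or EAP-AKA login, the serving Wi-Fi network (even a roaming partner's) never sees the SIM's long-term key. It receives only the session MSK from the home AAA in the RADIUS Access-Accept, takes the PMK from it, and derives the WPA2 air-link keys in the 4-way handshake. The following is an added example, not code from the whitepaper or from Greenpacket. It implements the IEEE 802.11 PRF and EAPOL-Key MIC that WPA2 uses; the MSK, MAC addresses and handshake bytes are constructed values, and the MSK derivation performed inside the EAP method itself is not reproduced.

```python
"""Which keys the serving Wi-Fi network actually holds after an EAP-SIM/EAP-AKA
login (added example, not code from the whitepaper or from Greenpacket).

Key hierarchy, top to bottom:
  Ki / K          stays on the SIM and in the home operator's AuC/HSS
  Kc or CK,IK     computed by the SIM and the home AAA for this run only
  MSK (64 bytes)  produced by the EAP method (RFC 4186/4187) on both ends; the
                  home AAA delivers it to the serving AP or controller in the
                  RADIUS Access-Accept; PMK = MSK[0:32]
  PTK             derived by AP and station in the 4-way handshake from PMK,
                  both MAC addresses and both nonces; split into KCK, KEK, TK
The PRF and EAPOL-Key MIC follow IEEE 802.11 (WPA2, AKM 00-0F-AC:1).  The MSK
value used in demo() is constructed; a real one comes out of the EAP run.
"""
import hashlib
import hmac
import os


def prf(key, label, data, nbytes):
    """IEEE 802.11 PRF-n: concatenate HMAC-SHA1(key, label || 0x00 || data || i)
    for i = 0, 1, ... and truncate to nbytes."""
    out, i = b"", 0
    while len(out) < nbytes:
        out += hmac.new(key, label + b"\x00" + data + bytes([i]), hashlib.sha1).digest()
        i += 1
    return out[:nbytes]


def derive_ptk(pmk, aa, spa, anonce, snonce):
    """CCMP PTK (48 bytes): KCK(16) || KEK(16) || TK(16).  Addresses and nonces are
    ordered numerically, so both sides get the same result regardless of role."""
    data = min(aa, spa) + max(aa, spa) + min(anonce, snonce) + max(anonce, snonce)
    ptk = prf(pmk, b"Pairwise key expansion", data, 48)
    return {"kck": ptk[:16], "kek": ptk[16:32], "tk": ptk[32:48]}


def eapol_mic(kck, frame_with_zeroed_mic):
    """EAPOL-Key MIC for WPA2: HMAC-SHA1 over the frame (MIC field zeroed),
    truncated to 16 bytes."""
    return hmac.new(kck, frame_with_zeroed_mic, hashlib.sha1).digest()[:16]


def pmk_from_msk(msk):
    """RFC 3748 / IEEE 802.11: the PMK is the first 256 bits of the EAP MSK."""
    if len(msk) < 64:
        raise ValueError("EAP MSK is 64 bytes")
    return msk[:32]


def ap_checks_msg2(ap_pmk, aa, spa, anonce, snonce, msg2_body, received_mic):
    """AP side of handshake message 2: recompute the KCK from its own PMK and
    verify the station's MIC in constant time.  Anyone holding a different PMK
    (a rogue AP, or a station that never passed EAP) fails this check."""
    kck = derive_ptk(ap_pmk, aa, spa, anonce, snonce)["kck"]
    return hmac.compare_digest(eapol_mic(kck, msg2_body), received_mic)


def demo():
    """Walk through the handshake with a constructed MSK and random nonces."""
    msk = bytes(range(64))                      # constructed stand-in for the EAP MSK
    aa, spa = bytes.fromhex("001122334455"), bytes.fromhex("66778899aabb")
    anonce, snonce = os.urandom(32), os.urandom(32)
    pmk = pmk_from_msk(msk)
    sta = derive_ptk(pmk, aa, spa, anonce, snonce)
    msg2 = b"\x02\x03\x01\x0a" + snonce         # constructed EAPOL-Key body carrying SNonce
    mic = eapol_mic(sta["kck"], msg2)
    return {
        "genuine_ap_accepts": ap_checks_msg2(pmk, aa, spa, anonce, snonce, msg2, mic),
        "rogue_ap_accepts": ap_checks_msg2(os.urandom(32), aa, spa, anonce, snonce, msg2, mic),
        "tk_len": len(sta["tk"]),
    }


if __name__ == "__main__":
    print(demo())
```

The practical consequence for roaming: a visited operator's AP can be handed a PMK per session and still verify the station, while nothing it stores or logs lets it impersonate the subscriber on the home network later, because the SIM key never left the home side.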
Authentication In the user and device authentication process, it is important that SIM-based authentication be integrated in compliance with 3GPP and 3GPP2 standards. With the adoption of flat-IP architecture and the EPC packet core, using SIM authentication as the primary method means seamless Wi-Fi access can be achieved with minimal infrastructure and core-network integration. Intelligent agents placed on the device let operators combine advanced policy control mechanisms to execute Wi-Fi offload in a managed manner that fits their business needs. EAP-SIM is used extensively in WLAN as the basis for negotiating strong authentication, as most smartphones readily support it. Which EAP variant is used for which network is entirely the operator's decision. Of the two SIM-based methods, EAP-AKA is preferable wherever the device has a USIM: it authenticates the network to the device through the AUTN token, whereas EAP-SIM builds on GSM triplets and is only as strong as the underlying GSM algorithms. Implementing a standards-based approach to Wi-Fi network identification, authentication and service provisioning is essential to accelerating and promoting consumer use of Wi-Fi. Making the 3G/4G to Wi-Fi handover seamless to the end user through EAP-based methods (the popular and readily supported EAP-SIM and EAP-AKA) provides a viable data-offload solution for operators while standardizing deployment for Wi-Fi operators and device manufacturers. It also makes integration into mobile operators' cellular networks far easier and more cost-effective.
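As an added example (not code from the whitepaper or from Greenpacket), here is the identity handling a practitioner has to get right when EAP-SIM and EAP-AKA go live. The root NAI format and the method prefixes are those of 3GPP TS 23.003; they are how the operator's choice of EAP variant is signalled to the home AAA and how a visited AAA routes the request home. The pseudonym scheme ("p" plus random hex) and the in-memory table are simplifications standing in for an operator's real one. The security point it shows is that a device sending its permanent identity exposes its IMSI in cleartext before any key exists, which the pseudonym avoids.

```python
"""EAP-SIM / EAP-AKA identity handling for Wi-Fi offload (added example, not
code from the whitepaper or from Greenpacket).

The Network Access Identifier (NAI) a device sends in EAP-Response/Identity
tells the visited AAA proxy where to route the request and tells the home AAA
which EAP method is being requested.  3GPP TS 23.003 defines the root NAI as
"<prefix><IMSI>@wlan.mnc<MNC>.mcc<MCC>.3gppnetwork.org" with prefix "1" for
EAP-SIM, "0" for EAP-AKA and "6" for EAP-AKA'.  That identity travels in the
clear, so RFC 4186/4187 let the home AAA hand the device a pseudonym to use on
later logins.  The realm and prefix rules follow the spec; the pseudonym format
and the in-memory table are simplifications standing in for a real scheme.
"""
import re
import secrets

REALM_RE = re.compile(r"^wlan\.mnc(\d{3})\.mcc(\d{3})\.3gppnetwork\.org$")
METHOD_BY_PREFIX = {"1": "EAP-SIM", "0": "EAP-AKA", "6": "EAP-AKA'"}
PREFIX_BY_METHOD = {v: k for k, v in METHOD_BY_PREFIX.items()}


def root_nai(imsi, method, mnc_len=2):
    """Permanent identity for an IMSI.  MCC is the first 3 digits; the MNC is 2 or
    3 digits depending on the PLMN (assumed known by the caller, default 2) and
    is zero-padded to 3 digits in the realm."""
    if not (imsi.isdigit() and 6 <= len(imsi) <= 15):
        raise ValueError("IMSI must be 6 to 15 digits")
    mcc, mnc = imsi[:3], imsi[3:3 + mnc_len]
    return f"{PREFIX_BY_METHOD[method]}{imsi}@wlan.mnc{mnc.zfill(3)}.mcc{mcc}.3gppnetwork.org"


def parse_identity(nai):
    """What an AAA proxy learns from EAP-Response/Identity: the home PLMN for
    routing and, only for a permanent identity, the method and the IMSI."""
    user, sep, realm = nai.partition("@")
    m = REALM_RE.match(realm) if sep else None
    if not m or not user:
        raise ValueError(f"not a 3GPP WLAN NAI: {nai!r}")
    mnc, mcc = m.groups()
    info = {"mcc": mcc, "mnc": mnc, "realm": realm, "permanent": False}
    if user[0] in METHOD_BY_PREFIX and user[1:].isdigit():
        info.update(permanent=True, method=METHOD_BY_PREFIX[user[0]], imsi=user[1:])
    return info


def leaks_imsi(nai):
    """True if this identity, sent unprotected over the air, reveals the IMSI."""
    return parse_identity(nai)["permanent"]


class HomeAAA:
    """Home operator AAA.  Only it can map a pseudonym back to the subscriber; a
    visited network or an eavesdropper sees an opaque username."""

    def __init__(self):
        self._pseudonyms = {}   # pseudonym NAI -> IMSI (simplified: in memory)

    def issue_pseudonym(self, permanent_nai):
        info = parse_identity(permanent_nai)
        if not info["permanent"]:
            raise ValueError("pseudonyms are issued against the permanent identity")
        pseudonym = f"p{secrets.token_hex(8)}@{info['realm']}"
        self._pseudonyms[pseudonym] = info["imsi"]
        return pseudonym

    def resolve(self, nai):
        """IMSI for a permanent or known pseudonym identity.  None for an unknown
        pseudonym; the server then asks for the permanent identity with
        AT_PERMANENT_ID_REQ, which is the one case where the IMSI goes over
        the air again."""
        info = parse_identity(nai)
        if info["permanent"]:
            return info["imsi"]
        return self._pseudonyms.get(nai)


def identity_to_send(cached_pseudonym, permanent_nai):
    """Device side: use the pseudonym the home AAA gave us last time, and fall
    back to the permanent identity only when none is cached."""
    return cached_pseudonym or permanent_nai
```

Build the root NAI with root_nai(), then issue and resolve a pseudonym through HomeAAA; leaks_imsi() shows which of the two identities an over-the-air observer could tie to a subscriber. When choosing EAP-SIM versus EAP-AKA per network, the prefix digit is the only thing that changes on the wire for the identity exchange; the difference in strength lies in the challenge phase that follows.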
Roaming Inter-Wi-Fi roaming is still in the early stages of standardization towards a harmonized and seamless roaming experience. A large-scale deployment of Wi-Fi can complement cellular roaming and bring roaming charges down significantly for the end user. The impact of Wi-Fi offload is widening, and the way operators integrate Wi-Fi within their networks is changing. Operators that lack their own Wi-Fi hotspot infrastructure but plan to deploy one soon can establish partnerships with Wi-Fi access aggregators like Boingo and iPass. Those that already have Wi-Fi offload in place and sufficient investment can continue to expand the locations where they offer Wi-Fi access and extend their network of partners to provide domestic and international roaming.
Integrating the Mobile Core Provisioning, Policy Control and Billing Operators are expected to ramp up Wi-Fi deployments despite the fact that the majority of them still see support for heterogeneous networks as a challenge, and thus need to spend time testing and figuring it out. Wi-Fi will not be a rescue for every situation, but it is a critical tool that operators are turning to and will continue to deploy in greater numbers. Support for standards-based SIM authentication is already readily available in smartphones such as the iPhone and BlackBerry and, to some extent, Android. Unified authentication, aligned as closely as possible with the cellular user experience in terms of connectivity, sign-on, charging and billing and, most importantly, security and privacy, will be the strong focus for Wi-Fi networks.
Delivering the Right Wi-Fi Experience End users demand quality of experience (QoE), while operators demand a reasonable level of quality of service (QoS). In QoE terms, the end user expects the overall experience to be seamless and always on, regardless of the device used to access the network, with no deterioration of service. On the other side, operators must diligently ensure that QoS is adhered to within optimized network performance, in terms of the service speeds and SLAs promised. Wi-Fi networks are not devoid of shortfalls. However, Wi-Fi can be strategically positioned to address interworking, security and authentication methods between networks and to create additional value wherever the business model fits.
Convergence Simplify the Wi-Fi offloading experience by ensuring an enriched experience regardless of network, device and environment. The end goal of marrying Wi-Fi offload with 3G/4G technology can bring new growth and inject value into the operator's business proposition, be it new Wi-Fi access revenues or richer content delivery.
Integration An automatic, network-agnostic (3G-Wi-Fi) approach to synchronizing user credentials, integrating the multiple elements of subscriber provisioning with device and subscriber authentication against the operator's core network (through 3GPP-compliant AAA) and coupling them to the policy infrastructure: profile push, over-the-air updates and policy control management that adds intelligence to offload decisions.
Regulatory Compliance Operators look for a standardized long-term solution that handles data mobility and growth regardless of application and network type. In an environment of rising cyber crime, operators need to maintain vigilance over both cellular and WLAN networks, assessing subscriber data confidentiality and integrity, authentication, access control and attacks while implementing integrated Wi-Fi access. The vulnerability of Wi-Fi offload is most apparent with direct-Internet Wi-Fi provided over free hotspots (shopping malls, cafes) as a value-add to the subscriber: the traffic leaves the operator's control and is exposed to whoever runs, or can observe, the hotspot. In such circumstances operators need to notify the subscriber before offloading automatically, giving the user a choice. Operators can maintain visibility and control over Wi-Fi through EAP-based authentication.
Greenpacket Wi-Fi Offloading Solutions The Intouch solution suite is a standards-based approach to Wi-Fi offloading done securely. It provides a secured and managed offload mechanism and also the option of a dynamic offload mechanism through policy control. These solutions fully support secured EAP-based authentication and advanced Wi-Fi security measures.
Smart Data Offload The Smart Data Offload client is designed to run on top of the device's native connection utility, for operators looking for a basic offload mechanism without major investment in or modification to the existing network infrastructure, and without firmware replacement. The objective of the smart client is to make Wi-Fi connections more transparent and to increase the Wi-Fi attachment rate by turning the Wi-Fi radio on and off. Support for access-aware policies and preferences from the operator's centralized profiling server allows subscribers to move seamlessly between cellular and Wi-Fi based on device, end-user behaviour and environmental information. The smart client does not permanently override the preset network connectivity settings; it only takes precedence by modifying the policy during policy administration. Policy activation can be triggered by several criteria, such as device activity, battery level, signal strength, mobility detection, location and time. Smart Data Offload provides optimized service levels to customers and gives operators efficient ways to manage their network options.
Seamless Data Offload Greenpacket's Seamless Data Offload is a client-based solution that aims to deliver a simplified and cost-effective offload method across multiple access networks. It is based on the Data Offload Platform. The Seamless Data Offload client can transparently offload traffic from 3G to Wi-Fi while continuing to push operator services and manage data traffic effectively. Through 3GPP Interworking WLAN (I-WLAN), Seamless Data Offload takes traffic off the mobile operator's radio access and carries it over Wi-Fi inside an IPsec tunnel (set up with IKEv2) terminated at the Packet Data Gateway (PDG) in the operator's core network, so the traffic stays under the operator's policy control even on an untrusted WLAN. This fits mobile operators' need to monetize services through personalization and policy management, something that cannot be said of other Wi-Fi offload approaches on the market today.
Figure 1 : Seamless Data Ofﬂoad
Dynamic Data Offload Operators are increasingly looking at using Wi-Fi for offload as part of their mobile broadband strategies. However, an operator risks losing visibility over the traffic policies configured for a user once that user's traffic routes through Wi-Fi. What is lacking is a way for the network to communicate to users (and to the applications and websites they use) a real-time or predicted measure of the network's congestion level. Greenpacket's Dynamic Data Offload client complies with the 3GPP Access Network Discovery and Selection Function (ANDSF), enabling dynamic network selection and switching based on contextual conditions such as cell location, device, peak hours and subscription plan. Operators can also customize these policies with application-aware, device, subscriber and time-based policies to trigger data offload.
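Both the Smart Data Offload triggers above (battery, signal strength, location, time) and the ANDSF rules of Dynamic Data Offload come down to the same mechanism: prioritised rules with validity conditions and an ordered list of preferred access networks. The following added example (not Greenpacket's client code and not the 3GPP management object itself) is a hand-built simplification of an ANDSF-style evaluator with those device-side triggers added, plus the consent gate for open hotspots that the Regulatory Compliance section calls for. All rules and contexts are constructed sample data.

```python
"""ANDSF-style access selection for a device offload client (added example, not
code from the whitepaper or from Greenpacket's client).

3GPP TS 24.312 models ANDSF policy as prioritised rules, each with validity
conditions (time of day, location, roaming state) and an ordered list of access
networks to prefer while the rule is valid.  The structures below are a
hand-built simplification of that model, extended with the device-side triggers
the text lists (battery level, Wi-Fi signal strength, subscription plan) and
with a consent gate for open hotspots.  Rules and contexts are constructed
sample data.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Access:
    tech: str                 # "WLAN" or "3GPP"
    ssid: str = ""            # WLAN only
    secured: bool = True      # operator network (EAP/WPA2) or an open hotspot


@dataclass(frozen=True)
class Rule:
    priority: int             # lower number wins, as with ANDSF RulePriority
    accesses: tuple           # ordered, most preferred first
    hours: tuple = (0, 24)    # valid for hours[0] <= hour < hours[1]
    cells: frozenset = frozenset()      # empty = any location
    roaming: Optional[bool] = None      # None = don't care
    plans: frozenset = frozenset()      # empty = any subscription plan
    min_battery: int = 0                # percent
    min_rssi: int = -100                # dBm a WLAN must reach to count as usable


def rule_valid(rule, ctx):
    """All validity conditions of a rule must hold for the current context."""
    return (rule.hours[0] <= ctx["hour"] < rule.hours[1]
            and (not rule.cells or ctx["cell"] in rule.cells)
            and (rule.roaming is None or rule.roaming == ctx["roaming"])
            and (not rule.plans or ctx["plan"] in rule.plans)
            and ctx["battery"] >= rule.min_battery)


def access_usable(access, rule, ctx):
    """3GPP is always available; a WLAN must be in range above the rule's RSSI
    floor, and an open hotspot additionally needs the subscriber's consent."""
    if access.tech == "3GPP":
        return True, "cellular"
    rssi = ctx["wlan_rssi"].get(access.ssid)
    if rssi is None or rssi < rule.min_rssi:
        return False, f"{access.ssid}: not in range or below {rule.min_rssi} dBm"
    if not access.secured and not ctx.get("consent_open_hotspots", False):
        return False, f"{access.ssid}: open hotspot, subscriber has not consented"
    return True, f"{access.ssid}: {rssi} dBm"


def select_access(rules, ctx):
    """Pick the highest-priority valid rule, then the first usable access in its
    list.  If none of a rule's accesses is usable this evaluator falls through
    to the next valid rule rather than leaving the device without a network
    (a design choice here, not something the 3GPP text prescribes).
    Returns (Access or None, list of reasons for the decision)."""
    reasons = []
    for rule in sorted(rules, key=lambda r: r.priority):
        if not rule_valid(rule, ctx):
            reasons.append(f"rule {rule.priority}: not valid now")
            continue
        for access in rule.accesses:
            ok, why = access_usable(access, rule, ctx)
            reasons.append(f"rule {rule.priority}: {why}")
            if ok:
                return access, reasons
    return None, reasons


# Constructed sample policy: daytime in a mall cell on the home network prefers the
# operator's EAP-secured WLAN; while roaming the mall's free hotspot is offered
# but only with consent; otherwise stay on cellular.
OPERATOR_WLAN = Access("WLAN", "OperatorWiFi")
MALL_HOTSPOT = Access("WLAN", "MallFreeWiFi", secured=False)
CELLULAR = Access("3GPP")

SAMPLE_RULES = (
    Rule(priority=1, accesses=(OPERATOR_WLAN, CELLULAR), hours=(8, 20),
         cells=frozenset({"cell-mall-1"}), roaming=False, min_battery=20, min_rssi=-75),
    Rule(priority=2, accesses=(MALL_HOTSPOT, CELLULAR),
         cells=frozenset({"cell-mall-1"}), roaming=True),
    Rule(priority=9, accesses=(CELLULAR,)),
)

SAMPLE_CONTEXT = {   # constructed device state
    "hour": 12, "cell": "cell-mall-1", "roaming": False, "plan": "postpaid",
    "battery": 80, "wlan_rssi": {"OperatorWiFi": -60, "MallFreeWiFi": -50},
}
```

Calling select_access(SAMPLE_RULES, SAMPLE_CONTEXT) picks the operator WLAN; lowering the battery, moving outside the time window or letting the signal drop under the floor makes the same call fall back to cellular, and setting roaming without consent_open_hotspots keeps the device off the open hotspot with the reason recorded. The reasons list is what a client should log, since "why did my phone jump to Wi-Fi" is the first question support and security teams ask.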
Figure 2 : Dynamic Data Ofﬂoad
Wi-Fi Adoption Intensifies Interest in Offloading Wi-Fi deployed in urban or other high-traffic locations as an underlay to increase cellular capacity density is a market differentiator. Ironically, Wi-Fi is rated as a source of disruption in the wake of the smartphone surge, having helped drive data usage wild: the popularity of Wi-Fi contributed to the emergence of the smartphone. On the other hand, it is also Wi-Fi that is helping operators address limited bandwidth by leveraging unlicensed spectrum. Obstacles remain before Wi-Fi deployments are widespread. Many operators view Wi-Fi and small-cell topologies such as femtocells and picocells as a complementary solution for capacity pressure points rather than as a radically new type of network. One consistent theme in operators' collective feedback is the challenge of predicting subscribers' behaviour and managing it effectively while improving the user experience and shaping services. Operators are also implementing technologies that allow them to actively manage traffic from the device through to the core: streaming video optimization, policy management and service enablement in the core through advanced, high-speed platform capabilities. With the GSMA announcing in February 2012 a joint collaboration with the Wireless Broadband Alliance aimed at simplifying how mobile devices connect to Wi-Fi networks, the ease of cross-network roaming receives a boost. The initiative is primarily focused on SIM adoption, so that mobile devices can be uniquely identified and authenticated on Wi-Fi networks for a cross-network roaming experience. Commercial deployments are anticipated in as little as 12 to 18 months.
The benefits to consumers would be significant, as consumers get Wi-Fi service mixed into their cellular plan. It gives a high level of confidence that the device will attach to Wi-Fi without the user having to search for an SSID or enter a username and password every time. EAP authentication validates the credentials securely and automatically, and all of that authentication and connectivity is configured on the device without user intervention. The initiative also opens the door for operators to extend any SIM-based service into an offload environment. Mobile operators are keen to make the SIM the secure element for mobile payment services, for example, and this project would allow such transactions to be carried out without the need for cellular access. The evolution of legacy voice away from circuit-switched towards flat IP in LTE means a similar voice implementation could be extended over Wi-Fi as well, allowing operators to offer a carrier-class voice service there too.
Conclusion The concept of Wi-Fi is not based solely on the premise of offload. Other opportunities arise from building well-planned Wi-Fi access to generate new revenue streams. Mobile operators must catch up or risk losing their hold on subscriber demand. In recent years, the rise of OTT providers like Google, Amazon and Netflix has eclipsed operators' market dominance by delivering a new and exciting user experience that engages consumers. Operators are now aware of the importance of efficient, intelligent solutions that create closer relationships with their customers. There are opportunities to use Wi-Fi as a customer acquisition tool as well as a churn reduction tool. Operators' perception of Wi-Fi has changed from seeing the technology as a threat stealing traffic and revenue to seeing it as a significant opportunity for growing data services usage. The full integration of Wi-Fi with mobile networks is critical to an operator's success, not just for authentication and data but for all the services end users currently receive on cellular networks, as well as those they are likely to receive in the future, including billing, voice, messaging and roaming. A major milestone in the effort to standardize global data roaming over Wi-Fi was announced by the Wireless Broadband Alliance (WBA) in the week leading up to Mobile World Congress 2012 in Barcelona: the successful trial of NGH, which included AT&T, BT, China Mobile and NTT DoCoMo among others. The initiative adopted the SIM as the secure element for delivering connectivity across networks. One of the key highlights for operators is the strict requirement to authenticate both the device and the user, so that the integrity and security of the network is not compromised when Wi-Fi is incorporated into the mobile services strategy.
Wi-Fi has transitioned from a useful unlicensed wireless option for offloading excess mobile video traffic to an intelligent, managed network where subscribers can roam securely. According to a report by Strategy Analytics, the marketplace can expect to see an increasing number of operators embrace Wi-Fi as part of their LTE network deployment strategy, incorporate it fully into their 3G and 4G traffic calculations, and make it a fully integrated part of small-cell networking and HetNet design by 2015.
Wi-Fi Your Network to More Bandwidth! A simple, standards-compliant approach is the key to strengthening the security of a Wi-Fi offloading deployment, and most smartphones nowadays are readily equipped with automatic log-in capabilities and Wi-Fi access already configured. Embark on a journey with Greenpacket to discover how to protect your network through better Wi-Fi management. With Greenpacket, limitless Wi-Fi solutions abound!
Free Consultation If you would like a free consultation on how you can leverage Wi-Fi ofﬂoading for an improved network performance and experience, feel free to contact us at firstname.lastname@example.org. Kindly quote the reference code, SWP1211-E when you contact us.
References
1. Sue Rudd and Phil Kendall, "Wi-Fi Hotspots will be Small Cells in Mobile Broadband Networks by 2015", Strategy Analytics.
2. Terry Norman, "The Case for Wi-Fi Offload", Analysys Mason.
3. Wireless Broadband Alliance (WBA), "Global Developments in Public Wi-Fi", Industry Report 2011.
For more information on Greenpacket's products and solutions, please contact us at email@example.com. San Francisco
© Copyright 2001-2012 Green Packet Berhad. All rights reserved. No part of this publication may be reproduced, transmitted, transcribed, stored in a retrieval system, or translated into any language, in any form by any means, without the written permission of Green Packet Berhad. Green Packet Berhad reserves the right to modify or discontinue any product or piece of literature at any time without prior notice.