Hotspot 2.0: MAKING WI-FI AS EASY TO USE AND SECURE AS CELLULAR

Whitepaper by Ruckus Wireless

Today’s cellular networks are being overwhelmed with data traffic, much of it being generated by the rapid proliferation of smartphones. The latest projections are for the industry to ship over 800 million such devices in 2013.

To deal with all this traffic, service providers are looking for technologies that can greatly increase the densification of their networks. Wi-Fi is an excellent option here as it has access to upwards of 600 MHz of spectrum, supports dense AP deployments, is available on all data-centric devices, and is available in all locations where people congregate. These locations include stadiums, arenas, airports, convention centers, colleges, train stations, downtown city centers and the like. Most of these venues are indoors, where Wi-Fi is an especially strong solution because of its enormous capacity and its ability to support neutral host deployments.

Capacity and ease of deployment are only the first steps in enabling a carrier-class solution. The industry is now focused on improving the Wi-Fi user experience while roaming. The goal is to allow users to connect to visited networks as easily as they can connect to their home network. And the easier it is to get connected to a network, the more likely it is to be used. This work is known as Hotspot 2.0 and is being driven by the Wi-Fi Alliance (WFA), which also certifies interoperability as part of its Passpoint™ program. The Wireless Broadband Alliance is also very much involved in the process through its Next Generation Hotspot (NGH) initiative.

Hotspot 2.0 is focused on enabling a mobile device to automatically “discover” APs that have a roaming arrangement with the user’s home network and then securely connect. This is very much the cellular experience that we all enjoy when getting off an airplane just about anywhere in the world. Wi-Fi roaming would apply anytime a mobile device does not see an AP belonging to its home network provider. A user could roam on a Wi-Fi network that is across town or on the other side of the world. Roaming partners can include MSOs, MNOs, wireline operators, public venues, enterprises, and basically any other entity that has Wi-Fi assets.

Hotspot 2.0 capabilities are emerging in a series of releases, the first of which was completed in June of 2012 and certifications began shortly thereafter.

January 30, 2013

Hotspot 2.0 Release 1

Release 1 is focused squarely on over-the-air security and network discovery and selection. The key enabling protocols are IEEE 802.11u, along with IEEE 802.1X, selected EAP methods, and IEEE 802.11i. The latter three are part of the WPA2-Enterprise certification program in the Wi-Fi Alliance, and are standard on all smartphones. While the certification is called “WPA2-Enterprise”, the end result is a process that is every bit as secure and easy to use as what exists in the cellular world.

The IEEE 802.11u protocol enables a mobile device to have a dialog with a Wi-Fi AP “pre-association” to determine the capabilities that the network can support. The two protocols that 802.11u uses to make this happen are the generic advertisement service (GAS) and the access network query protocol (ANQP). These protocols run on top of 802.11 and enable the Hotspot 2.0 experience (see Figure 1).

Figure 1: Hotspot 2.0 protocol stack (Network Discovery and Selection: 802.11, Generic Advertisement Service (GAS), ANQP; Authentication: 802.1X, EAP, credential; HS2.0 on top)

The Process of Network Discovery and Selection

When a user with an HS2.0-capable mobile device comes within range of a Hotspot 2.0-capable AP, it will automatically open up a dialog with that AP to determine its capabilities. This is done using ANQP packets that are carried at layer 2 by the GAS service (note: the device has not yet attached and does not yet have an IP address). It is the exchange of ANQP packets that allows the mobile device to automatically learn the capabilities of an AP. A few of the more important capabilities include:

1) The domain name of the network operator. If the AP is part of the user’s home network then no roaming is required and the user can move straight to authentication. If the AP is not on the user’s home network, then roaming is required.

2) If roaming is required, then the list of roaming partners that are supported by that AP must be passed down to the mobile device via the ANQP protocol. This can be provided in the form of a PLMN (Public Land Mobile Network) ID, realm, or the organizational identifier (OI):

• 3GPP PLMN ID (MCC plus MNC) would be the preferred method for a mobile operator. MCC refers to the mobile country code and MNC to the mobile network code.

• NAI Realm List (username@domain name) would be the preferred method to identify most non-mobile operators like MSOs, wireline operators, and public venues.

• IEEE Organization Identifier (6 hexadecimal digits that many would recognize as the first 3 bytes of a MAC address). The WFA recommends that national and international SPs have an Organization Identifier (OI). The two primary use cases for OI are as follows:

  • A small number of OIs can be put in the AP’s beacon; if the mobile device recognizes the OI, it doesn’t need to use ANQP to determine if it can successfully authenticate at that AP. This can conserve the mobile’s battery as well as reduce the time to associate.

  • Some SPs may wish to sell subscription levels (e.g., gold, silver, bronze) in which not all subscribers have access at every AP. For example, gold users might have access privileges at all APs in an operator’s network, but bronze users might not be authorized to use an operator’s APs in premium locations. OIs enable this use case.

It is possible that service providers might advertise roaming consortiums in more than one way. A mobile operator might advertise both a PLMN ID and a realm. The former is used for SIM-based devices and the latter for non-SIM devices (this is covered in HS2.0 Release 2). A wireline operator or an MSO would only advertise their realm, as they don’t have a PLMN ID.

3) Other attributes that can be relayed to the mobile device include backhaul bandwidth and loading on the access network. This is useful information if there is more than one AP that can roam with the user’s home network. Other details that are passed down to the phone as part of the HS2.0 process include:

• The operator friendly name (San Jose Airport, for instance). This can be displayed on the mobile device once the connection is established and is fairly standard when roaming on cellular networks.

• Venue type (stadium or hospital)

• IP Address Type (v4/v6)

• Internet access or walled garden

• And more

Once the mobile device learns the roaming partners and the identity of the AP operator, it invokes some basic, built-in network selection policies to determine which AP to join. The basic policy provided by Passpoint Release 1 capable mobile devices is, in the absence of [overriding] user-configured preferences, to prefer Hotspot 2.0 compliant APs over legacy APs (i.e., non-Hotspot 2.0 APs) and to prefer an AP operated by the user’s home operator over one operated by a visited operator. Users are allowed to specify that certain Wi-Fi networks should always have priority and these would typically include the user’s home network and their work network.
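To make the discovery and selection logic above concrete, here is an added example (not code from the white paper or from Ruckus): a small Python model of how a connection manager can apply the beacon OI shortcut, the ANQP-learned domain name, roaming consortium, PLMN and NAI realm lists (checking that the realm offers the EAP method Table 1 assigns to the credential), and then the Release 1 basic policy. All AP records, OIs, realms, PLMN values and the subscriber credential are constructed; using access network load as the final tie-break is an assumption, not part of the paper's stated policy.

```python
"""Simplified model of Hotspot 2.0 Release 1 discovery and selection.
Added example, not code from the Ruckus white paper. All APs, ANQP contents,
OIs, realms and the subscriber credential are constructed placeholders."""
from dataclasses import dataclass, field

# Table 1 of the paper: the EAP method each credential type requires.
EAP_FOR_CREDENTIAL = {"password": "EAP-TTLS/MS-CHAPv2", "certificate": "EAP-TLS",
                      "sim": "EAP-SIM", "usim": "EAP-AKA"}


@dataclass
class Credential:
    kind: str          # "password", "certificate", "sim" or "usim"
    realm: str         # NAI realm of the subscription (user@realm)
    home_domain: str   # domain name of the home operator
    home_ois: set      # roaming consortium OIs the subscription is valid for
    plmn: str = ""     # MCC+MNC for (U)SIM credentials, else empty


@dataclass
class AP:
    ssid: str
    hs20: bool = False                              # supports 802.11u / HS2.0
    beacon_ois: set = field(default_factory=set)    # the few OIs carried in the beacon
    # Everything below is only learned through a GAS/ANQP exchange.
    domain_names: set = field(default_factory=set)
    roaming_ois: set = field(default_factory=set)   # full roaming consortium list
    nai_realms: dict = field(default_factory=dict)  # realm -> set of EAP methods offered
    plmns: set = field(default_factory=set)         # 3GPP cellular network info
    load_pct: int = 0                               # access network load (assumed WAN metric)
    anqp_queries: int = 0                           # how often the device needed ANQP


def can_authenticate(ap, cred):
    """Pre-association check; returns (ok, reason). Beacon OI first, then ANQP."""
    if not ap.hs20:
        return False, "legacy AP: no 802.11u, nothing learned pre-association"
    if ap.beacon_ois & cred.home_ois:
        return True, "OI recognised in beacon; ANQP skipped"
    ap.anqp_queries += 1                            # GAS/ANQP round trip needed
    if cred.home_domain in ap.domain_names:
        return True, "home network; no roaming required"
    if ap.roaming_ois & cred.home_ois:
        return True, "OI matched in ANQP roaming consortium list"
    if cred.plmn and cred.plmn in ap.plmns:
        return True, "PLMN ID matched in ANQP 3GPP cellular network info"
    offered = ap.nai_realms.get(cred.realm)
    if offered is not None:
        needed = EAP_FOR_CREDENTIAL[cred.kind]
        if needed in offered:
            return True, f"realm matched in ANQP NAI realm list ({needed})"
        return False, f"realm advertised but {needed} is not offered"
    return False, "no roaming arrangement with the home provider"


def select_ap(aps, cred, user_priority=()):
    """Release 1 basic policy: user-marked SSIDs first (in the user's order), then
    HS2.0 over legacy, then home over visited; load breaks ties (an assumption).
    A legacy AP is a candidate only if the user listed it (saved profile)."""
    ranked = []
    for ap in aps:
        ok, reason = can_authenticate(ap, cred)
        if not ok:
            if ap.ssid not in user_priority:
                continue
            reason = "legacy AP with a user-saved profile"
        is_home = cred.home_domain in ap.domain_names
        prio = user_priority.index(ap.ssid) if ap.ssid in user_priority else len(user_priority)
        ranked.append(((prio, 0 if ap.hs20 else 1, 0 if is_home else 1, ap.load_pct), ap, reason))
    if not ranked:
        return None, "no usable AP in range"
    ranked.sort(key=lambda item: item[0])
    return ranked[0][1], ranked[0][2]


# Constructed subscriber: a username/password subscription with a wireline ISP.
HOME_CRED = Credential(kind="password", realm="isp.example",
                       home_domain="isp.example", home_ois={"aabbcc"})

def sample_aps():
    """Constructed APs in range; fresh objects each call because the ANQP counter mutates."""
    return [
        AP("ISP-Home", hs20=True, domain_names={"isp.example"}, load_pct=40),
        AP("Stadium-WiFi", hs20=True, beacon_ois={"aabbcc"}, roaming_ois={"aabbcc"},
           domain_names={"stadium.example"}, load_pct=20),
        AP("Airport-Free", hs20=True, domain_names={"airport.example"},
           nai_realms={"isp.example": {"EAP-TTLS/MS-CHAPv2", "EAP-TLS"}}, load_pct=60),
        AP("Hotel-Guest", hs20=True, domain_names={"hotel.example"},
           nai_realms={"isp.example": {"EAP-TLS"}}),   # realm known, wrong EAP method
        AP("CoffeeShop"),                                # legacy, captive-portal style
    ]


if __name__ == "__main__":
    aps = sample_aps()
    for ap in aps:
        print(f"{ap.ssid:13} {can_authenticate(ap, HOME_CRED)}")
    print("selected:", select_ap(aps, HOME_CRED))
```

Run directly, the block prints the pre-association verdict for each constructed AP and the chosen one. The two points worth noticing are that the stadium AP never costs an ANQP exchange because its beacon OI is recognised, and that the hotel AP is rejected even though it advertises the subscriber's realm, because the realm entry does not offer the EAP method this credential type needs.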

The ability of the mobile device to “learn” about Wi-Fi network capabilities pre-association will completely transform the Wi-Fi user experience. It will also completely change the nature of an SSID (Service Set IDentifier). In the past, users and devices had to “remember” SSIDs that have provided connectivity, so that they can be accessed again in the future. These are typically SSIDs for which they have credentials or which provide open access. With HS2.0 the importance of SSIDs will be reduced; what really matters is whether the visited AP has a roaming arrangement with the user’s home network provider. In fact the notion of having an AP advertise many different SSIDs for different purposes will also be greatly reduced in favor of Hotspot 2.0 based advertisements. This should also enhance the performance of mobile networks, as it reduces the airlink traffic associated with the beacons generated by these additional SSIDs.

Secure Authentication

Hotspot 2.0 also requires the use of 802.1X authentication. Captive portal based authentication is not supported in HS2.0.¹ As part of the 802.1X authentication process, the following EAP methods must be supported:

• If a mobile device has a Subscriber Identity Module (SIM), then EAP-SIM as defined in RFC-4186

• If a mobile device has a UMTS Subscriber Identity Module (USIM), then EAP-Authentication and Key Agreement (AKA) as defined in RFC-4187. EAP-AKA’ (RFC-5448) will be required in HS2.0 Release 2

• All mobile devices must support EAP-Transport Layer Security (TLS) as defined in RFC-5216, which uses an X.509 digital certificate

• All mobile devices must support EAP-Tunneled Transport Layer Security (TTLS) as defined in RFC-5281, along with MS-CHAPv2, which uses a username and password with a server-side certificate

WPA2-Enterprise also requires that the airlink be encrypted using 802.11i. This addresses a security vulnerability with open-access or portal-based hotspots that don’t provide airlink encryption. Hotspot 2.0 plugs this vulnerability with 802.11i, which uses AES (advanced encryption standard) technology. This combination of protocols is what enables Wi-Fi to be every bit as secure and easy to use as a cellular service. In addition, Hotspot 2.0 Release 1 improves upon WPA2-Enterprise security by eliminating the so-called “Hole-196” attack. In these attacks, a device can forge broadcast or multicast frames (as if coming from a legitimate AP) to initiate its attack.

¹ Hotspots using Captive Portal authentication are expected to be used in parallel with Hotspot 2.0-compliant hotspots due to the need to service users’ legacy mobile devices.

TABLE 1: CREDENTIALS AND EAP METHODS IN HOTSPOT 2.0

Credential                               EAP Method
Username / Password                      EAP-TTLS + MS-CHAPv2
Certificate                              EAP-TLS
(U)SIM (if mobile has this credential)   EAP-SIM, AKA, AKA’ (Rel2)


Figure 2 shows the process by which a user in a visited network can have their authentication request proxied back to the home network. In this example the visited network could be an MNO, an MSO, a private enterprise, a public venue (such as a hotel, convention center, airport, etc.), or a wireline provider. Wi-Fi greatly expands the universe of possible roaming partners, and thus the utility of a Wi-Fi network.

Settlements and the Business of Roaming

Hotspot 2.0 will greatly enhance the opportunities for Wi-Fi operators to monetize their networks through roaming arrangements with other providers. These providers can include MNOs, MSOs, wireline providers, and a wide variety of enterprises including hotels, convention centers, hospitals, airports, etc. This also raises the very important subject of settlements, which are used to make sure all operators (mobile or wireline) get paid for services rendered, if appropriate. In 2012, the WBA updated its WRIX service specifications, which govern settlements and billing. Key elements include WRIX-i (interconnect), WRIX-d (data clearing), and WRIX-f (financial settlements). These services can be deployed by the home and visited network providers, either directly or through a 3rd-party WRIX service provider.

Hotspot 2.0 Release 2 – Credential and policy provisioning

In Release 2 of Hotspot 2.0, the WFA is focusing on how to provision security credentials and network selection policies on a user’s device. The credential provisioning process can be initiated by the mobile device when it is not in possession of a credential that can be used to authenticate to an AP. Typically, there would be an indication on the mobile device’s UI that signing up for a subscription (and subsequent credential provisioning) with a particular SP is available at that AP. If the user is interested in acquiring a subscription (either paid or free), the user clicks on the SP’s icon or name and the credential provisioning sequence is launched. Hotspot 2.0 employs public key cryptography so the mobile device has proof that it’s connecting to a provisioning server (aka the Online Signup server) operated by the user’s choice of SP and not a rogue server operated by an attacker or some other SP. The type of credential to be provisioned is chosen by the SP from the following list:

• User-provided username and password

• SP-provided username and password. In this case, the password can be quite long, thereby minimizing the likelihood of a successful dictionary attack. This is not a problem for the user since it is loaded directly into the mobile device’s connection manager.

• SP-provided X.509v3 client certificate issued at the AP using the EST (Enrollment over Secure Transport) protocol under development in the IETF.

• SP pre-provisioned client certificate. This certificate can be provisioned by any out-of-band method the SP wants to use and typically would be done before the user obtains their mobile device.

• Mobile-device provided manufacturing certificate.

Figure 2: Authenticating a roaming user to their home network (visited network, such as wireline, cable, MNO or hotel, with an AAA proxy and local breakout to the Internet; SmartCell Gateway; MNO home network with MNO AAA server and HLR/HSS; interfaces STa, SWd and SWx)

Credential provisioning can be used with smartphones, tablets, laptops, and almost anything else that uses Wi-Fi connectivity. What is compelling about this approach versus legacy approaches that use the MAC address or a cookie for identification is that it supports roaming and a secure airlink. Not only can the user automatically connect to APs belonging to the operator with whom they signed up for the service, but also to those of any roaming partners of that operator (if that feature is enabled in the service package). The ability to automatically connect to the Internet from a wide variety of access points, using a wide variety of devices, will greatly increase the utility of a Wi-Fi service, and the more transparent the connection process, the more likely the service is to be used.

Credential provisioning (aka online signup) opens up new revenue opportunities for service providers, as there are hundreds of millions of Wi-Fi enabled devices that do not have SIM-cards (see Figure 3). This list includes tablets, digital cameras, and laptops to name a few. They will need the same secure and transparent connection experience while roaming that already exists in the cellular world.

Figure 3: The untapped market for non-SIM devices (millions of devices in use worldwide, 2001 to 2015, for smartphones, tablets, laptops and desktops)

A Closer Look at Credential Provisioning

Today’s credential provisioning process (for non-SIM devices) involves quite a bit of user interaction to set up the service, acquire a credential, and get connected to the network. Another problem with today’s username and password provisioning process is that these credentials end up stuck in the browser cache instead of the connection manager. This prevents the connection manager from automatically using them the next time they’re needed for Wi-Fi network access.

In Figure 4 on the following page, we show the series of steps that the user must go through to acquire credentials as well as the process to get connected each time. This involves several manual steps, which must be carried out by the user. Non-technical users typically don’t understand these steps, which can lead to unsuccessful provisioning. In pre-Hotspot 2.0 deployments where the mobile device is spoofed into joining an attacker’s Wi-Fi network (e.g., the so-called Evil Twin attack), the user can end up installing rogue credentials or trust roots on their mobile, wreaking havoc (in the future) for the user. This entire process needs to be simplified for both the user and the service provider.

With Hotspot 2.0 credential provisioning as shown in Figure 5, the user is directed to a portal where they sign up for a service and provide credit card info or some suitable payment method. After that, an OMA-DM (Open Mobile Alliance – Device Management) MO (Management Object) containing the provisioning data is sent to the mobile device’s connection manager without any further user actions. This ensures the connection manager can automatically use the newly provisioned credential the next time it’s needed for Wi-Fi network access.

Figure 4: Credential provisioning without HS2.0 support (using iOS 4.x)

First Time Registration
1) Connect to “register” SSID (open)
2) HTTP redirect to enroll Portal page
3) Enrollment triggers a certificate download
4) Click “Install” downloads a certificate

First Connection
1) Connect to “Secure-Internet”, pop-up prompt
2) Set mode to TLS, select certificate under “Identity”
3) Automatic secure connection until certificate expires / revoked

Figure 5: Credential provisioning with HS2.0 support

First Time Registration
1) HS2.0-AP + no subscription means automatic offering
2) Subscriber enrolls using Portal (“Subscribe”)


Ruckus Wireless, Inc. 350 West Java Drive Sunnyvale, CA 94089 USA (650) 265-4200 Ph \ (408) 738-2065 Fx
www.ruckuswireless.com

Copyright © 2013, Ruckus Wireless, Inc. All rights reserved. Ruckus Wireless and Ruckus Wireless design are registered in the U.S. Patent and Trademark Office. Ruckus Wireless, the Ruckus Wireless logo, BeamFlex, ZoneFlex, MediaFlex, FlexMaster, ZoneDirector, SpeedFlex, SmartCast, SmartCell, ChannelFly and Dynamic PSK are trademarks of Ruckus Wireless, Inc. in the United States and other countries. All other trademarks mentioned in this document or website are the property of their respective owners. Revised February 2013.

Hotspot 2.0 Release 2 – Provisioning of network selection policies

Network selection policy influences how a mobile device selects which Wi-Fi network to roam with when it is faced with several options. The list of potential APs that can support roaming will be generated as a result of the network discovery and selection process. In Release 2, it will be possible for an operator to download a network selection policy that can help the mobile device’s connection manager choose the optimum roaming partner based on the situation. Factors that the SP can use when prioritizing roaming partners can include network performance and wholesale roaming costs.

A separate effort is underway within 3GPP called ANDSF (access network discovery and selection function) that looks at not just which Wi-Fi roaming partner to select, but also when to select cellular and when to select Wi-Fi. This involves the download of a policy from an ANDSF server in the home operator’s network. It is expected that mobile operators will use ANDSF to download a policy to the phone and non-mobile operators will use the HS2.0 Release 2 specification. A focus in both camps is to coordinate this work, which will occur in 3GPP Release 12.

Note that there is already some synergy between Hotspot 2.0 network selection policy and ANDSF technology. Both employ the OMA-DM standard for transferring MOs between mobiles and servers. Furthermore, both employ OMA-DM compliant management objects for communicating policy and other information.

In addition to the OMA-DM protocol for transferring MOs, Hotspot 2.0 provides a SOAP-XML based protocol to accomplish the same function. This was added because some operators in the Wi-Fi Alliance wanted a lighter-weight protocol than OMA-DM, and had already deployed SOAP-XML servers for other purposes (e.g., MSOs, WISPs).

The Impact of Hotspot 2.0

Hotspot 2.0’s impact on the industry will be enormous. Mobile operators are already seeing their networks overloaded by data traffic and are looking at all available options to increase densification. At the top of their list are technologies like Wi-Fi and LTE small cells. Cable and wireline operators are taking advantage of their backhaul capabilities to rapidly build out an extensive Wi-Fi footprint. This technology has also been extensively deployed in public venues like hotels, airports, convention centers, stadiums, hospitals, etc. With Hotspot 2.0, it will now be possible to link together this huge footprint of Wi-Fi APs through a web of roaming arrangements. Users will be able to seamlessly roam onto Wi-Fi networks from almost any location.

The net result for the MNO is much greater network densification than could be achieved by building out a network of APs on their own, and a much better experience for the subscriber. Users no longer need to know or care about SSIDs and authentication protocols. Instead, they get an always best-connected experience.

Venue owners and operators can begin to better monetize their Wi-Fi network investments through these roaming arrangements and the settlements that they entail. A mobile operator that deploys a Wi-Fi network in a stadium can now monetize that asset by allowing subscribers of other operators to roam onto that network. Hotels can likewise allow subscribers of all the different mobile operators to roam onto their in-building Wi-Fi networks.

Hotspot 2.0 technology will radically transform the wireless industry, and it is set to emerge in 2013 in a very big way.
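As an added example (not code from the white paper or from Ruckus) of the Release 2 network selection policy provisioning described above: a connection manager receives a provisioned policy, here a constructed XML document that only stands in for the real management object (the element names, partner FQDNs, costs and thresholds are assumptions of this example), and applies it to the roaming-capable APs that discovery produced. The home network is preferred, listed partners are ordered by provisioned priority and then wholesale cost, excluded partners and APs below the performance thresholds are dropped, and partners the policy does not mention rank last (an assumption).

```python
"""Applying an operator-provisioned network selection policy, Hotspot 2.0
Release 2 style, to the roaming-capable APs found during discovery.
Added example, not code from the Ruckus white paper. The XML is a constructed
stand-in for a provisioned policy object, not the real OMA-DM MO schema."""
import xml.etree.ElementTree as ET
from dataclasses import dataclass

# Constructed policy document as it might arrive from the SP's provisioning server.
POLICY_XML = """<Policy>
  <PreferredRoamingPartner fqdn="cable.example" priority="1" costPerMB="0.02"/>
  <PreferredRoamingPartner fqdn="airport.example" priority="2" costPerMB="0.10"/>
  <ExcludedPartner fqdn="untrusted.example"/>
  <MinBackhaul dlKbps="5000"/>
  <MaxLoad percent="80"/>
</Policy>"""


@dataclass
class Candidate:
    ssid: str
    operator_fqdn: str   # operator domain name learned via ANQP
    is_home: bool        # the home operator's own AP
    dl_kbps: int         # backhaul downlink bandwidth (ANQP WAN metrics)
    load_pct: int        # access network load, 0-100


def parse_policy(text):
    """Turn the provisioned XML into a plain dict the connection manager can use."""
    root = ET.fromstring(text)
    partners = {}
    for node in root.findall("PreferredRoamingPartner"):
        partners[node.get("fqdn")] = (int(node.get("priority")), float(node.get("costPerMB")))
    excluded = {node.get("fqdn") for node in root.findall("ExcludedPartner")}
    backhaul = root.find("MinBackhaul")
    load = root.find("MaxLoad")
    return {
        "partners": partners,
        "excluded": excluded,
        "min_dl_kbps": int(backhaul.get("dlKbps")) if backhaul is not None else 0,
        "max_load_pct": int(load.get("percent")) if load is not None else 100,
    }


def rank_candidates(candidates, policy):
    """Return the usable candidates, best first.

    Excluded partners and roaming APs below the performance thresholds are
    dropped; the home network outranks every partner; listed partners are
    ordered by provisioned priority, then wholesale cost, then load; partners
    the policy does not mention rank last (an assumption of this example)."""
    usable = []
    for cand in candidates:
        if cand.operator_fqdn in policy["excluded"]:
            continue
        if not cand.is_home and (cand.dl_kbps < policy["min_dl_kbps"]
                                 or cand.load_pct > policy["max_load_pct"]):
            continue
        prio, cost = policy["partners"].get(cand.operator_fqdn, (float("inf"), float("inf")))
        usable.append(((0 if cand.is_home else 1, prio, cost, cand.load_pct), cand))
    usable.sort(key=lambda item: item[0])
    return [cand for _, cand in usable]


def choose(candidates, policy_text=POLICY_XML):
    """Pick the AP to join under the provisioned policy, or None if none is usable."""
    ranked = rank_candidates(candidates, parse_policy(policy_text))
    return ranked[0] if ranked else None


def sample_candidates():
    """Constructed result of the discovery step: APs the device could authenticate at."""
    return [
        Candidate("Other-Venue", "venue.example", False, 8000, 50),
        Candidate("Slow-Hotel", "hotel.example", False, 1000, 10),      # below backhaul minimum
        Candidate("Cable-Busy", "cable.example", False, 20000, 95),     # over the load limit
        Candidate("Airport-Free", "airport.example", False, 50000, 10),
        Candidate("Cable-Hotspot", "cable.example", False, 20000, 30),
        Candidate("Untrusted-Open", "untrusted.example", False, 90000, 5),  # excluded by policy
    ]


if __name__ == "__main__":
    for cand in rank_candidates(sample_candidates(), parse_policy(POLICY_XML)):
        print(cand.ssid, cand.operator_fqdn)
```

Note that the fastest and least loaded AP in the sample is the excluded one, and the home network wins even when its metrics are poor; the provisioned policy, not raw link quality, decides the order, which is the point of letting the operator push it down.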