Bringing Wi-Fi Security to the Next Level
WBA PKI Framework Enables RadSec Connection Security
In 2020, the COVID-19 pandemic nearly eliminated travel. Today, as restrictions are lifted, we’re seeing travel levels increase—particularly locally. Soon, we should all be able to return to the world of far-reaching travel.
Whether for trips across town or journeys around the globe, Wi-Fi accessibility is a critical necessity in the 21st century. Using various Wi-Fi roaming technologies such as Passpoint®, Wireless Broadband Alliance (WBA) WRIX and OpenRoaming™, we can enjoy the Wi-Fi connected broadband experience wherever we go. And as we move about, there are many Wi-Fi networks available to us from various operators; most are secured by some level of security, whether a shared secret, captive portal or Extensible Authentication Protocol (EAP), also known as 802.1x.
Many service providers are moving to EAP for user authentication, a tactic that not only simplifies access to their own Wi-Fi network but also enables a secure roaming experience for their users. To allow users to be authenticated and gain access to roaming Wi-Fi networks, user credentials need to be routed to the home service provider. This interconnection between the roaming partner and the home service provider has typically been over IPSec tunnels. The introduction of RadSec is changing the method of interconnection. RadSec offers a full end-to-end secure path and the ability to use dynamic interconnections.
RadSec interconnection security is based on the mutual exchange of certificates between the two operators, enabling authentication of the operators and encryption of the information exchanged. To standardize these certificates, WBA members (under the leadership of CableLabs) undertook the creation of a solid RadSec PKI framework.
The WBA team led by CableLabs are proud to have completed the PKI framework and have made it available for deployment and use by all members of the WBA, marking the closure of the WBA Roaming Evolution Working Group. The PKI framework includes the PKI Certificate Policy (CP), Trust Root Certificate Authority (CA) agreement, Policy Intermediary CA (I-CA) agreement, Issuing I-CA agreement, End-Entity agreement, Operator Deployment Guidelines and End-Entity Deployment Guidelines.
The completion of the PKI framework is ready to advance and make Wi-Fi roaming simpler. There are several roaming implementations that will benefit from the PKI framework, including specific inter-operators’ roaming deployments, the WBA Wireless Roaming intermediary eXchange (WRiX) and OpenRoaming.
The WBA PKI framework is currently available to WBA members and PKI certificates by Kyrio®, a wholly owned subsidiary of CableLabs. Moving forward, the WBA Roaming Work Group will continue to manage the PKI framework and documentation including the new project, “Profiles & RCOIs Prioritization”.
WBA OpenRoaming™ to Enable Global Wi-Fi Roaming
On May 28, 2020, the Wireless Broadband Alliance (WBA) announced the launch of OpenRoaming. OpenRoaming is a cloud federation–based framework that will open Wi-Fi roaming to a broad community of Identity Providers (IDPs) and Access Network Providers (ANPs). OpenRoaming is a cyber-secured, seamless connection and automatic RADIUS router all rolled into one global multi-provider ecosystem. The fundamental makeup of OpenRoaming spans multiple technologies: Passpoint, DNS Discovery, RadSec and components of the Wireless Roaming Intermediary eXchange (WRIX).
OpenRoaming works by using Roaming Consortium Identifiers (RCOIs) to allow Passpoint-driven ANP selection. The RCOIs are identified by two major categories, Settlement Free and Settlement, followed by two sets of subcategories. The subcategories define roaming consortium types and service levels. The roaming consortium types span from general consortiums to industry-specific consortiums. Service levels include none, silver and gold, each defining the level of network Quality of Service (QoS) and the rate of reporting QoS information.
Current roaming platforms are based on the use of specific realms, 3GPP network identities or roaming consortiums for the selection of the Wi-Fi networks with static peer-to-peer interconnections over an IPSec tunnel for RADIUS traffic. OpenRoaming, which Figure 1 shows, established ANPs to support multiple consortiums coupled with dynamic RadSec interconnections, eliminating the need for static peer-to-peer interconnections. An additional benefit is the use of RadSec, a RADIUS client/server connection using TLS for security, which not only eliminates the need for an IPSec peer-to-peer tunnel but also encrypts the RADIUS traffic from RADIUS client to RADIUS server, which secures traffic deeper into the providers’ networks.
OpenRoaming allows the cable industry to easily establish an inter-roaming partnership across the industry while reducing the overhead of a networking setup. With the defined cable industry-specific RCOI, ANPs can be targeted as part of the cable consortium.
OpenRoaming provides users a seamless Wi-Fi connection beyond the subscriber’s home service area, reducing the need to rely on a cellular data connection. Beyond the operators that provide Wi-Fi services, OpenRoaming is a tool that can be used by Mobile Virtual Network Operators (MVNOs) to assist with Wi-Fi connectivity, enabling cellular data to offload. This would broaden the data offload from a local network to a global network.
RadSec, Securing RADIUS Message Exchange
With the ever-increasing use of mobile devices for data-rich activities, mobile networks have felt the burden of handling larger amounts of data. To gain relief, mobile operators have turned to offloading data onto Wi-Fi networks that are locally available—not only their own networks but Wi-Fi networks owned by their roaming partners. If the roaming partner’s Wi-Fi network is secured, then the subscriber’s credentials are exchanged between the roaming partner and the home operator, typically over the Internet. These credentials need to be secured while traversing the Internet, and the most common method is to use IPSec secure tunnels. Although IPSec secures and encrypts this critical information over the Internet, IPSec is not without issues and risks.
One issue is that the information is encrypted only from firewall to firewall, leaving the data unencrypted within both operator networks. In addition, setting up IPSec can be cumbersome because of the amount of work typically involved and the number of individuals, which can include the server administrator, network administrator, firewall administrator and security individuals. There’s also the issue of performing key exchanges and testing the connections; the entire process is repeated if either end of the connection needs to be altered, resulting in downtime.
A Solution to These Issues Is RADIUS Security (RadSec)
Although RadSec is still a draft specification within the IEEE (RadSec profile for RADIUS), it’s based on TLS RFC 6614 “Transport Layer Security (TLS) Encryption for RADIUS,” which enables the securing and encrypting of RADIUS messages between the RADIUS client and server. RadSec ensures that all RADIUS messages are secured and encrypted not only when they’re sent over the Internet but also when they’re deeper within each operator’s network, starting with the client and server. Because RadSec is based on TLS, the client and server are mutually authenticated at connection time, ensuring a trusted connection by chaining the certificates to a trusted Root Certificate. By using certificates, the revocation of certificates can be used to eliminate unauthorized connections. In addition, TLS offers encryption of the RADIUS exchange. Encrypting the exchange prevents the exposure of sensitive subscriber information at all points between client and server—within the roaming partner’s network, over the Internet and within the mobile operator’s network—making the entire path secure.
RadSec is flexible and scalable. With RadSec, the client or server IP addresses can be altered without having to reconfigure the secure tunnel settings, as is the case with IPSec. The number of peering clients and servers can also be increased as needed based on operational requirements—without requiring additional work to establish new secure tunnels. This flexibility contributes to RadSec’s scalability. With traditional secure tunnels, if additional roaming partnerships formed, firewalls need to be set up to support the new tunnels. With RadSec, at the most, firewall access control lists (ACLs) would need to be updated to allow traffic from and to the new partner; the same certificate can be used for all roaming partnership connections.
Based on the benefits of RadSec, CableLabs has led the work in Wireless Broadband Alliance (WBA) to introduce RadSec to the WBA Wireless Roaming intermediary eXchange (WRiX).
For more information about RadSec, please contact Luther Smith (email@example.com).
A Better Wi-Fi Experience with Dual Channel Wi-Fi™
At least 15 percent of customer service calls are Wi-Fi related, ranging from poor connections to video playback issues, translating to more than $600 million in annual support costs for the cable industry (in North America alone). As the Wi-Fi industry looks for ways to increase speed, coverage and support for more devices in the Wi-Fi ecosystem, one critical element has been overlooked: the need to have the necessary airtime to send data to all end devices in a timely manner. Even with faster Wi-Fi connections, if there is no available airtime to send the data, the connection is useless. CableLabs realized this shortfall and addressed it with the development of Dual Channel Wi-Fi technology.
What Is Dual Channel Wi-Fi?
Dual Channel Wi-Fi delivers an efficient and more reliable wireless connection.
The wireless networking technology that we commonly refer to as Wi-Fi is based on the 802.11 standard developed by the Institute of Electrical and Electronics Engineers (IEEE). The 802.11 standard, in turn, has its origins in a 1985 ruling by the U.S. Federal Communications Commission (FCC) that made the Industrial Scientific Medical (ISM) unlicensed radio frequency bands available for public use.
Wi-Fi is often referred to as “polite” because it uses a procedure called Listen-Before-Talk (LBT). LBT is a contention-based protocol that requires data-transmitting devices to listen and wait for a given frequency band to be clear before sending data. If the device (access point [AP] or station) does not detect transmissions, it proceeds to send data. If the device does detect transmissions, it waits for a random period of time and listens again for a clear frequency or channel before commencing transmission.
Wi-Fi has become ubiquitous over the years and is the primary method by which we connect devices in the home, at work and in public places to reach the internet. Multiple Wi-Fi devices in a typical broadband home can cause contention for available frequencies. Dual Channel Wi-Fi addresses Wi-Fi congestion issues by providing one or more channels for downstream-only data in addition to the primary bi-directional channel. The primary channel is used for upstream and small downstream packets and the others channel(s) are used for large downstream and time-critical data, like video. By offering operators configurable tools to intelligently redirect Wi-Fi traffic, better air-time utilization is achieved for all traffic, resulting in fewer interruptions and a much better Wi-Fi experience for everyone.
Benefits of Dual-Channel Wi-Fi
Dual Channel Wi-Fi benefits more than just downlink-only clients:
- A better overall multi-user experience: As demonstrated in our performance testing, without Dual Channel Wi-Fi, tests using two standard Wi-Fi channels show issues with video streams, gameplay delays, download buffering and slower throughput to individual devices. By moving data off the standard Wi-Fi channel, it effectively clears traffic from the channel, allowing both the AP and other clients more opportunities to send data.
- A radically improved multi-user experience: By virtually eliminating hesitation and pixilation of video delivery, Dual Channel Wi-Fi enables smooth gameplay without delays and faster overall delivery of data to both Dual Channel Wi-Fi and non-Dual Channel Wi-Fi devices. In our tests, depending on the application download speeds, data transfer speeds increased up to 12 times while airtime efficiency (by reducing the need for retransmissions) increased by 50 percent.
- Reduction of downlink data packet errors and packet retries: The AP’s ability to send data to clients without contention interference has reduced downlink data packet errors and packet retries, resulting in a reduction in uplink retry messages. This, in turn, allows the AP to send more TCP segments at a time, further reducing the amount of uplink traffic.
These improvements in data delivery over the Wi-Fi network as a whole are an example of user experience improvements that can be achieved by technologies that complement the cable industry’s 10G initiative. As the cable industry drives towards faster speeds, lower latency and increased reliability, Dual Channel Wi-Fi helps ensure that those benefits are experienced all the way to end user devices.
Because Dual Channel Wi-Fi is not limited to one downlink-only data channel, deployments in venues such as stadiums, airports or outdoor arenas can also benefit. Dual Channel Wi-Fi’s configurable filters can selectively assign, move or remove devices from individual downlink-only data channels. The mechanism to determine which downlink-only channels that different devices should be assigned is open to vendor development. This ability will allow operators and vendors to perform load balancing across the downlink-only data channels. The result is the management of the network to ensure the best user experience.
Dual Channel Wi-Fi is compatible with all Wi-Fi releases, including Wi-Fi 6. Dual Channel Wi-Fi has been developed and tested on various AP and client platforms. These include RDK-B, RDK-V, Ubuntu, Windows, MacOS and OpenWrt, which was co-implemented by Edgewater Wireless. Both CableLabs and Edgewater Wireless are excited about the opportunity to improve Wi-Fi for users around the world and look forward to working with standards bodies, internet service providers and device manufacturers of video set-tops, streaming devices, laptops, tablets and gaming consoles.
For more information about Dual Channel Wi-Fi, test results and implementation guides, click below.
Successful OnGo Interoperability Test Event Held at CableLabs
During the week of August 27th CBRS-Alliance members and government representatives gathered in Louisville Colorado at the CableLabs facility for the first CBRS OnGo™ Interoperability Test Event. The attendees consisted of a Spectrum Access System (SAS) Administrator, Citizen Band Service Device (CBSD) vendors, Domain Proxy (DP) vendors, End Unit Device (EUD) vendors and operators and representatives of various government agencies.
CBRS-Alliance is an industry organization focused on driving the development, commercialization and adoption of OnGo™ shared spectrum solutions. The CBRS Alliance enables a robust ecosystem through the management of the OnGo brand, and the OnGo Certification Program. OnGo provides an in-door and out-door LTE network that is cost-effective and can be used for either data offload or private LTE and IOT applications.
The testing covered critical functions of the CBRS ecosystem, “end-to-end” test cases, and operational flexibility. The success of the event shows the maturity of the WinnForum specification and the overall readiness of all parts of the ecosystem for Initial Commercial Deployment (ICD). This event demonstrated the ease that CBSD vendors were able to register on a SAS and become operational. One such example was a CBSD vendor and SAS administrator that had not previously interacted were able to exchange information, register the CBSD and became fully operational all in less than 30 minutes.
While certification testing focuses on protocol testing with test harnesses, this event was conducted as a real-world deployed system. With over 850 scheduled test interactions, as well as several additional unscheduled test scenarios being executed, we observed no equipment failures or unexplained results. The test cases included “end-to-end” scenarios in which EUD attached to operational CBSDs and were able to successfully access and surf the Internet.
“Last week’s Interoperability Test Event was an incredible illustration of the power of collaboration and as a result of this cooperation – across member organizations, industry liaisons and the CBRS Alliance Working Groups – we proved that the OnGo ecosystem will offer tremendous benefits to end users across market verticals,” said Alan Ewing, CBRS Alliance Executive Director. “Notably, this event provided the first ever connection attempt between certain devices and SAS'. The connections were quickly made in each case and underscored the quality of the OnGo specifications and the maturity of vendor implementations.”
In addition to hosting this event, CableLabs through Kyrio (a wholly owned subsidiary of CableLabs) supplied the PKI certificates used during the event which allowed the CBSDs and DPs to quickly switch between the SASs without having to reload new certificates. This greatly reduced the testing time and eliminated issues related to incorrect certificates being used.
As an active member of the CBRS-Alliance, CableLabs continues to contribute to the specification work that the CBRS-Alliance is developing. CableLabs also holds a position of co-lead in the Test and Certification working group which was fundamental input on this Interoperability Test Event.
For more information how to get involved in the OnGo movement please contact the CBRS-Alliance. To learn how the cable industry can benefit from OnGo please contact Luther Smith by clicking below.