Bringing Wi-Fi Security to the Next Level
WBA PKI Framework Enables RadSec Connection Security
In 2020, the COVID-19 pandemic nearly eliminated travel. Today, as restrictions are lifted, we’re seeing travel levels increase—particularly locally. Soon, we should all be able to return to the world of far-reaching travel.
Whether for trips across town or journeys around the globe, Wi-Fi accessibility is a critical necessity in the 21st century. Using various Wi-Fi roaming technologies such as Passpoint®, Wireless Broadband Alliance (WBA) WRIX and OpenRoaming™, we can enjoy the Wi-Fi connected broadband experience wherever we go. And as we move about, there are many Wi-Fi networks available to us from various operators; most are protected by some level of security, whether a shared secret, a captive portal or the Extensible Authentication Protocol (EAP) carried over IEEE 802.1X.
Many service providers are moving to EAP for user authentication, a tactic that not only simplifies access to their own Wi-Fi network but also enables a secure roaming experience for their users. To allow users to be authenticated and gain access to roaming Wi-Fi networks, user credentials need to be routed to the home service provider. This interconnection between the roaming partner and the home service provider has typically been over IPSec tunnels. The introduction of RadSec is changing the method of interconnection. RadSec offers a full end-to-end secure path and the ability to use dynamic interconnections.
RadSec interconnection security is based on the mutual exchange of certificates between the two operators, enabling authentication of the operators and encryption of the information exchanged. To standardize these certificates, WBA members (under the leadership of CableLabs) undertook the creation of a solid RadSec PKI framework.
The WBA team led by CableLabs is proud to have completed the PKI framework and to have made it available for deployment and use by all members of the WBA, marking the closure of the WBA Roaming Evolution Working Group. The PKI framework includes the PKI Certificate Policy (CP), Trust Root Certificate Authority (CA) agreement, Policy Intermediary CA (I-CA) agreement, Issuing I-CA agreement, End-Entity agreement, Operator Deployment Guidelines and End-Entity Deployment Guidelines.
With the PKI framework complete, it is ready to advance and simplify Wi-Fi roaming. Several roaming implementations will benefit from it, including specific inter-operator roaming deployments, the WBA Wireless Roaming intermediary eXchange (WRiX) and OpenRoaming.
The WBA PKI framework is currently available to WBA members, and PKI certificates are available from Kyrio®, a wholly owned subsidiary of CableLabs. Moving forward, the WBA Roaming Work Group will continue to manage the PKI framework and documentation, including the new project, “Profiles & RCOIs Prioritization”.
IWiNS—An Informed Approach to Mobile Traffic Steering
It’s 3p.m. and you’re rushing, in between meetings, to pick up your kids from school. You start to pull out of your garage when your boss texts you to hop on a quick video call. But something doesn’t work. Your app seems stuck, showing a spinning wheel—and you really need to get going. You’re starting to get nervous. You shake your fist at the sky and shout, “The Wi-Fi!”
That’s right: You’re far enough away from your home Wi-Fi access point that you have very little connectivity available, but you’re still close enough that your phone won’t let go of that connection. It happens all the time—like the last time you were in that coffee shop, browsing the web just fine, but then you suddenly had issues joining a video call. Or when you were walking your dog around the neighborhood while playing your favorite game, and the session kept freezing and crashing.
So, what do you do when you’re paused in your driveway, eager to get on the road? You rush through your phone settings, turn off Wi-Fi, your cellular connection kicks in and now you can finally start the video call with your boss. Your intuition saved the day—this time!
The good news is that there’s likely nothing wrong with your home Wi-Fi or your phone and that you aren’t alone in this experience. In fact, CableLabs’ primary research shows that whenever mobile customers perceive a poor quality of experience, 64 percent of them feel the need to manually troubleshoot their network connectivity—and they believe the quickest and most effective solution is to turn off Wi-Fi and rely solely on the cellular network. Unfortunately, this behavior causes operators direct and indirect losses, and it prevents users from leveraging operator Wi-Fi networks that could serve them better and potentially give them a better mobile user experience.
We live in a constantly connected world in which users often have overlapping Wi-Fi, LTE and Citizens Broadband Radio Service (CBRS) coverage. Manually troubleshooting network connectivity frustrates users who don’t want to be concerned about where their data is coming from. How can operators improve the customer experience while maintaining control over how network resources are utilized?
A 2018 PWC Consumer Intelligence Series 5G Survey shows that “roughly one-third [of broadband customers surveyed] said that reliability was a ‘must-have’ for internet access” and that “performance drops were a stronger concern than any other factor, though security, speed and cost efficiency each came up as important.”
As part of our commitment to 10G, CableLabs has been working tirelessly to develop new technologies that help improve latency, security, speed and reliability for broadband customers around the globe. With the importance of reliability to the end-consumer in mind, improvements to connection reliability both in the home and in the mobile space have become one of the top objectives of the 10G platform.
In 2018, CableLabs started researching technologies to improve reliability within the mobile user experience. We analyzed several standard and proprietary solutions, and we identified gaps representing great innovation opportunities. That was the inception of the Intelligent Wireless Network Steering (IWiNS) project, a mobile traffic steering technology created by CableLabs. IWiNS enhances the mobile user experience by adding network and application awareness to traditional mobile traffic steering without requiring any changes to the mobile device or the network infrastructure.
Previous and current mobile steering solutions are divided into two main categories, network-centric and user-centric solutions:
- Network-centric solutions such as LTE-WLAN aggregation (LWA), LTE-WLAN Radio Level Integration with IPsec Tunnel (LWIP) and 5G Access Traffic Steering, Switching and Splitting (ATSSS) are generally standardized by 3GPP and are centered on the cellular ecosystem. They treat a secondary external network asset (e.g., a Wi-Fi access point) as subordinate to a cellular base station and core network. These solutions require support inside the mobile device and modifications to Wi-Fi access points.
- User-centric solutions are based on downloadable over-the-top apps that aggregate throughput across all the wireless networks that a device can connect with. Although these solutions don’t require specific support from the device operating system (or modifications to the network infrastructure), they provide little or no control for the operator to manage the configuration of the traffic steering rules.
IWiNS fills the gaps for both types of solutions by building a technology that takes advantage of an over-the-top approach and gives full control of the traffic steering configuration to operators. Operators can now optimize single-user connectivity and take advantage of a crowd-sourced approach, resulting in a more reliable, efficient and adaptive traffic steering solution. It’s like evolving from paper maps (static and unilateral information) to the wonders of online navigation, where the power of crowd-sourced information is available.
With IWiNS, operators can generate per-application policies that are optimized using real-time network performance indicators derived from all users connected to the network. Users are freed from manually troubleshooting network-connectivity issues, and operators gain a flexible toolset to manage network resources dynamically. Mobile virtual network operators (MVNOs) can cut costs by increasing Wi-Fi offload. Mobile network operators (MNOs) can reduce the capital cost of serving dense demand areas, leveraging cheaper network infrastructure assets and turning multiple networks into one.
IWiNS is deployed by using a client-server architecture in which the client is installed on the mobile device as an over-the-top mobile app and the server is hosted anywhere that’s convenient for the operator (e.g., public cloud, on-premises cloud, private data center). IWiNS doesn’t require any modification to the mobile device operating system or to the network infrastructure. The IWiNS client can also be embedded inside the operator’s customer care app, making its deployment simpler for the operators. The server is composed of containers that handle policy management, network metrics collection and performance estimation functions—all orchestrated to ensure the scalability, efficiency and security of the deployment.
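The per-application, crowd-sourced policy evaluation described above can be sketched in code. The following is an added example, not IWiNS code and not the IWiNS policy format: it assumes that clients report a few link metrics per network, that the server aggregates them per network across all reporting users, and that the operator defines per-application thresholds. All record layouts, network identifiers, thresholds and the scoring formula are constructed. The `current` argument adds hysteresis so that a device at the edge of its home AP does not flap between Wi-Fi and cellular, which is the "sticky connection" problem the post opens with.

```python
from dataclasses import dataclass
from statistics import median
from typing import Dict, List

# Constructed names and thresholds; this is an illustrative evaluator, not the IWiNS policy format.


@dataclass(frozen=True)
class LinkSample:
    """One client's measurement of one network (constructed record layout)."""
    network_id: str        # e.g. a BSSID for Wi-Fi or a cell identifier
    rtt_ms: float
    loss_pct: float
    downlink_mbps: float


@dataclass(frozen=True)
class AppPolicy:
    """Operator-defined limits for one application class (constructed values)."""
    max_rtt_ms: float
    max_loss_pct: float
    min_mbps: float
    switch_back_margin: float = 0.2   # hysteresis: Wi-Fi must beat cellular by 20% before we leave cellular


def aggregate(samples: List[LinkSample]) -> Dict[str, LinkSample]:
    """Crowd-sourced view: the median of every reporting user's metrics, per network."""
    groups: Dict[str, List[LinkSample]] = {}
    for s in samples:
        groups.setdefault(s.network_id, []).append(s)
    return {
        nid: LinkSample(nid,
                        median(s.rtt_ms for s in group),
                        median(s.loss_pct for s in group),
                        median(s.downlink_mbps for s in group))
        for nid, group in groups.items()
    }


def meets(policy: AppPolicy, m: LinkSample) -> bool:
    """True when the aggregated metrics satisfy every limit of the application policy."""
    return (m.rtt_ms <= policy.max_rtt_ms
            and m.loss_pct <= policy.max_loss_pct
            and m.downlink_mbps >= policy.min_mbps)


def score(m: LinkSample) -> float:
    """Throughput discounted by latency and loss; higher is better (constructed formula)."""
    return m.downlink_mbps / (1.0 + m.rtt_ms / 50.0) * (1.0 - m.loss_pct / 100.0)


def choose(policy: AppPolicy, wifi: LinkSample, cell: LinkSample, current: str) -> str:
    """Return 'wifi' or 'cellular' for one application, given the current interface."""
    wifi_ok, cell_ok = meets(policy, wifi), meets(policy, cell)
    if wifi_ok != cell_ok:
        return "wifi" if wifi_ok else "cellular"       # exactly one network satisfies the policy
    if not wifi_ok:                                    # neither does: the least bad one wins
        return "wifi" if score(wifi) >= score(cell) else "cellular"
    if current == "cellular":                          # both do: offload to Wi-Fi, but with hysteresis
        better = score(wifi) >= score(cell) * (1.0 + policy.switch_back_margin)
        return "wifi" if better else "cellular"
    return "wifi"


def steer(policies: Dict[str, AppPolicy], samples: List[LinkSample],
          app: str, wifi_id: str, cell_id: str, current: str) -> str:
    """Aggregate the crowd-sourced samples and decide for one application."""
    agg = aggregate(samples)
    return choose(policies[app], agg[wifi_id], agg[cell_id], current)


# Constructed crowd-sourced samples: three users at the edge of the same home AP
# and two users on the overlapping cell.
SAMPLES = [
    LinkSample("home-ap", 180.0, 6.0, 2.0),
    LinkSample("home-ap", 200.0, 8.0, 1.5),
    LinkSample("home-ap", 150.0, 5.0, 3.0),
    LinkSample("cell-1", 60.0, 0.5, 20.0),
    LinkSample("cell-1", 70.0, 0.4, 25.0),
]
POLICIES = {
    "video_call": AppPolicy(max_rtt_ms=150.0, max_loss_pct=2.0, min_mbps=1.5),
    "web_browsing": AppPolicy(max_rtt_ms=400.0, max_loss_pct=10.0, min_mbps=0.5),
}

if __name__ == "__main__":
    for app in POLICIES:
        print(app, "->", steer(POLICIES, SAMPLES, app, "home-ap", "cell-1", "wifi"))
```

With the constructed samples, the video call is steered to cellular while web browsing stays on Wi-Fi, which is the per-application behaviour the post contrasts with the all-or-nothing "turn Wi-Fi off" reflex. The decision uses medians across all reporting users rather than the one device's own reading, so a single noisy measurement does not move everyone.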
IWiNS optimizes the mobile user experience in real time and also gives operators an effective tool to shape network utilization and control their costs. With IWiNS, a new way of experiencing mobile connectivity is right around the corner.
CableLabs has created and demonstrated the IWiNS 1.0 proof of concept. More information about the IWiNS project, including a white paper, demo and executive summary, is available below.
WBA OpenRoaming™ to Enable Global Wi-Fi Roaming
On May 28, 2020, the Wireless Broadband Alliance (WBA) announced the launch of OpenRoaming. OpenRoaming is a cloud federation–based framework that will open Wi-Fi roaming to a broad community of Identity Providers (IDPs) and Access Network Providers (ANPs). OpenRoaming is a cyber-secured, seamless connection and automatic RADIUS router all rolled into one global multi-provider ecosystem. The fundamental makeup of OpenRoaming spans multiple technologies: Passpoint, DNS Discovery, RadSec and components of the Wireless Roaming Intermediary eXchange (WRIX).
OpenRoaming works by using Roaming Consortium Identifiers (RCOIs) to allow Passpoint-driven ANP selection. The RCOIs are identified by two major categories, Settlement Free and Settlement, followed by two sets of subcategories. The subcategories define roaming consortium types and service levels. The roaming consortium types span from general consortiums to industry-specific consortiums. Service levels include none, silver and gold, each defining the level of network Quality of Service (QoS) and the rate of reporting QoS information.
Current roaming platforms are based on the use of specific realms, 3GPP network identities or roaming consortiums for the selection of the Wi-Fi networks, with static peer-to-peer interconnections over an IPSec tunnel for RADIUS traffic. OpenRoaming, shown in Figure 1, establishes ANPs that support multiple consortiums coupled with dynamic RadSec interconnections, eliminating the need for static peer-to-peer interconnections. An additional benefit is the use of RadSec, a RADIUS client/server connection using TLS for security, which not only eliminates the need for an IPSec peer-to-peer tunnel but also encrypts the RADIUS traffic from RADIUS client to RADIUS server, securing traffic deeper into the providers’ networks.
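The RCOI-driven selection described in the two paragraphs above hinges on the Roaming Consortium element that an AP advertises in its beacons and probe responses. The following added example (not WBA or OpenRoaming code) parses that element as laid out in IEEE 802.11-2016 section 9.4.2.96 (element ID 111; a count of OIs available via ANQP; one octet holding the lengths of OI #1 in its low nibble and OI #2 in its high nibble; then the OIs, with an optional OI #3 taking the remainder) and then picks the best candidate AP for the RCOIs a device holds credentials for, preferring the higher service level and then the stronger signal. The OI values, BSSIDs, RSSI figures and the numeric service-level ranking are constructed; real OpenRoaming RCOIs and their settlement/service-level encoding are defined by the WBA and are not reproduced here.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

ROAMING_CONSORTIUM_EID = 111   # IEEE 802.11 element ID of the Roaming Consortium element


def build_roaming_consortium(ois: List[bytes]) -> bytes:
    """Encode one to three OIs (each 1 to 15 octets) into a Roaming Consortium element."""
    if not 1 <= len(ois) <= 3 or any(not 1 <= len(o) <= 15 for o in ois):
        raise ValueError("element carries 1-3 OIs of 1-15 octets each")
    lengths = len(ois[0]) | ((len(ois[1]) if len(ois) > 1 else 0) << 4)
    # The first body octet counts OIs available via ANQP; this constructed
    # example simply reports the number carried in the element.
    body = bytes([len(ois), lengths]) + b"".join(ois)
    return bytes([ROAMING_CONSORTIUM_EID, len(body)]) + body


def parse_roaming_consortium(element: bytes) -> List[bytes]:
    """Return the OIs carried in a Roaming Consortium element, validating every length."""
    if len(element) < 4 or element[0] != ROAMING_CONSORTIUM_EID:
        raise ValueError("not a Roaming Consortium element")
    body = element[2:2 + element[1]]
    if len(body) != element[1]:
        raise ValueError("truncated element")
    oi1_len, oi2_len = body[1] & 0x0F, body[1] >> 4
    ois, pos = [], 2
    for n in (oi1_len, oi2_len):
        if n == 0:
            continue
        if pos + n > len(body):
            raise ValueError("OI length exceeds element")
        ois.append(bytes(body[pos:pos + n]))
        pos += n
    if pos < len(body):                 # OI #3, if present, occupies the remainder
        ois.append(bytes(body[pos:]))
    return ois


@dataclass(frozen=True)
class Credential:
    """An RCOI the device can authenticate against, with its constructed service ranking."""
    rcoi: bytes
    service_level: int   # constructed ranking: 0 = none, 1 = silver, 2 = gold


def select_anp(candidates: List[Tuple[str, int, bytes]],
               credentials: List[Credential]) -> Optional[Tuple[str, bytes]]:
    """Pick (bssid, rcoi) among (bssid, rssi_dbm, element) candidates.

    Highest service level wins, then strongest RSSI. Beacon content is not
    authenticated, so this only chooses whom to talk to; trust is established
    later when EAP validates the home provider's server certificate.
    """
    by_rcoi = {c.rcoi: c.service_level for c in credentials}
    best = None
    for bssid, rssi, element in candidates:
        try:
            ois = parse_roaming_consortium(element)
        except ValueError:
            continue                    # malformed or absent element: not a candidate
        for oi in ois:
            if oi in by_rcoi:
                key = (by_rcoi[oi], rssi)
                if best is None or key > best[0]:
                    best = (key, bssid, oi)
    return None if best is None else (best[1], best[2])


# Constructed OIs and scan results (not real OpenRoaming RCOIs).
GOLD_RCOI = bytes.fromhex("a1b2c3")
SILVER_RCOI = bytes.fromhex("a1b2c4")
OTHER_RCOI = bytes.fromhex("d4e5f6")
SCAN = [
    ("02:00:00:00:00:01", -60, build_roaming_consortium([SILVER_RCOI, OTHER_RCOI])),
    ("02:00:00:00:00:02", -70, build_roaming_consortium([GOLD_RCOI])),
    ("02:00:00:00:00:03", -40, build_roaming_consortium([OTHER_RCOI])),
    ("02:00:00:00:00:04", -50, b"\x00\x00"),        # no Roaming Consortium element
]
DEVICE_CREDENTIALS = [Credential(GOLD_RCOI, 2), Credential(SILVER_RCOI, 1)]

if __name__ == "__main__":
    print(select_anp(SCAN, DEVICE_CREDENTIALS))
```

In the constructed scan, the AP advertising the gold-level RCOI is chosen even though a silver-level AP has a stronger signal, and the strongest AP of all is ignored because it advertises no RCOI the device holds a credential for.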
OpenRoaming allows the cable industry to easily establish an inter-roaming partnership across the industry while reducing the overhead of a networking setup. With the defined cable industry-specific RCOI, ANPs can be targeted as part of the cable consortium.
OpenRoaming provides users a seamless Wi-Fi connection beyond the subscriber’s home service area, reducing the need to rely on a cellular data connection. Beyond the operators that provide Wi-Fi services, OpenRoaming is a tool that can be used by Mobile Virtual Network Operators (MVNOs) to assist with Wi-Fi connectivity, enabling cellular data offload. This would broaden the data offload from a local network to a global network.
New Release of Wi-Fi Certified Vantage™ Continues to Improve the Wi-Fi User Experience
Wi-Fi CERTIFIED Vantage™ is a certification program created within the Wi-Fi Alliance® that makes it easy to select devices that provide an enhanced Wi-Fi experience in managed Wi-Fi networks. The latest release is now available (as of September 2020). This is the culmination of over a year’s worth of collaboration within the Wi-Fi ecosystem under CableLabs’ leadership that delivers feature-rich devices to improve Wi-Fi user experience.
The primary goal of the Wi-Fi Vantage certification program is to provide a more reliable and higher-performance user experience than unmanaged best-effort Wi-Fi networks can provide. The Wi-Fi Vantage certification program designates a highly developed set of Wi-Fi technologies optimized for managed Wi-Fi networks that directly address Wi-Fi managed network operator needs.
Wi-Fi Vantage bundles pertinent Wi-Fi Alliance certifications that improve overall network performance, deliver the latest in Wi-Fi security and encryption standards, and alleviate congestion on mobile data networks. Wi-Fi Vantage delivers a more reliable and consistent connectivity experience for users when they’re establishing network access, onboarding devices, accessing services and traversing Wi-Fi networks.
Wi-Fi Vantage will continue to be available for Wi-Fi 5 generation devices, and Wi-Fi Vantage certification for Wi-Fi 6 will now include advanced features:
- Wi-Fi 6 and Wi-Fi 5
- Wi-Fi CERTIFIED WPA3™
- Wi-Fi CERTIFIED Passpoint®
- Wi-Fi CERTIFIED Enhanced Open™
- Wi-Fi CERTIFIED Agile Multiband™
- Wi-Fi CERTIFIED Optimized Connectivity™
The newest generation of Wi-Fi Vantage, Release 3, includes newly developed IEEE 802.11 features and state-of-the-art Wi-Fi technology that can be used in a broader base of operator-managed environments, including public, residential and enterprise. Vantage Release 3 adds the Wi-Fi 6, WPA3 and Enhanced Open certifications, which deliver higher data rates, less congestion, more user capacity and superior security.
Wi-Fi Vantage will continue to evolve incorporating the latest technologies, giving users the most enhanced Wi-Fi experience available. Each new generation of Wi-Fi Vantage devices will provide improved device performance and reduced network connection times when customers access managed Wi-Fi networks.
As Wi-Fi data usage and user applications continue to grow, those factors introduce strain on the Wi-Fi network that impacts user experience and Wi-Fi network operation. Strains such as maintaining connection, reliable service delivery and spectrum interference/management are some of the common challenges Wi-Fi operators are trying to overcome.
The collective feature set of Wi-Fi Vantage was built to address these strains. For example, the Wi-Fi Vantage features of enhanced network discovery and advanced roaming have been trialed and demonstrated to improve network connection performance, decreasing setup times by 76 percent and reducing management frame and beacon congestion by an average of 70 percent compared with devices not certified for Wi-Fi Vantage. This is just one example of how Wi-Fi Vantage devices use unique features to overcome Wi-Fi network strains on managed networks.
Wi-Fi CERTIFIED Vantage™ Benefits to Network Operators
- Streamlined product procurement decisions
- Improved network performance and resource management
- Consistent coverage across network
- Ability to influence client roaming behavior
- AP load balancing
- Latest Wi-Fi security and encryption standards
- Quality user experiences
- Data offload
Wi-Fi CERTIFIED Vantage™ Benefits to Users
- Simpler, light or no-touch access
- Secure onboarding
- Faster speeds
- Consistent, reliable coverage
- Seamless transitions from Wi-Fi to cellular
The Wi-Fi Vantage feature set definition is driven by the operator community within the Wi-Fi Alliance that consists of Wi-Fi industry experts who have a pragmatic understanding of operator needs. A dedicated task group, led by CableLabs, was created in the Wi-Fi Alliance to address and develop certifications to meet these needs. CableLabs will continue to work with the Wi-Fi ecosystem to identify common Wi-Fi operator network strains and develop collaborative solutions in the form of standards certification.
Read more about Wi-Fi Vantage, including an animation and WFA overview papers: Wi-Fi CERTIFIED Vantage Enhancing the managed Wi-Fi network experience and Wi-Fi CERTIFIED Vantage™ Technology Overview.
Wi-Fi CERTIFIED EasyMesh™ Update: Added Features for Operator-Managed Home Wi-Fi® Networks
It’s been about a year since Wi-Fi Alliance released the Wi-Fi EasyMesh™ program and started certifying devices. Since then, the industry has been hard at work creating Wi-Fi EasyMesh products and working on what comes next. CableLabs is continuing its leadership work on the updated Wi-Fi EasyMesh certification program, and now we can all see the fruits of that labor.
The updated Wi-Fi EasyMesh protocol adds a number of essential features that operators and end-users need:
- Wi-Fi EasyMesh Controller-centric collection of Wi-Fi CERTIFIED Data Elements™ diagnostic data from all connected access points (APs)
- Enhanced backhaul security with SAE
- Optimized use of available channels with coordinated channel scanning (including DFS channels)
- Network traffic separation with virtual local area networks (VLANs), such as private and guest networks
- Wi-Fi CERTIFIED Agile Multiband™ support for improved client connections
What’s the Big Deal?
Since our last blog post about Wi-Fi EasyMesh, mesh APs have become almost as well known as antibacterial soap or friendship bracelets, albeit not yet as universally deployed. Many of these products work very well, especially those that have dedicated interconnection (backhaul) radios, as Wi-Fi® remains the easiest and most cost-effective way to connect these multi-AP systems.
So, what’s the problem we’re solving with this Wi-Fi EasyMesh update? Nearly all of the products not certified for Wi-Fi EasyMesh are opaque to an operator. When problems arise, the operator has little to no information available about what’s going on behind the cable modem gateway, and the customer is left without assistance. The first version of the Wi-Fi EasyMesh protocol created the groundwork for this, whereby the Wi-Fi EasyMesh Controller (usually in the cable modem gateway) can set up and configure the other Wi-Fi EasyMesh APs. Now, the updated Wi-Fi EasyMesh protocol includes all the diagnostics information (aka, Wi-Fi Data Elements™) that an operator might need to get down to the nitty gritty and fix an issue.
Wi-Fi Data Elements, You Say…
In the blog post, “Data Elements and TR-181 – Connect to the PNM Data You Need,” my colleague Josh Redmore explained what Wi-Fi Data Elements are and exactly why operators need them:
“The ultimate iteration of [remote Wi-Fi troubleshooting] is a fully automated proactive network maintenance system, where Wi-Fi issues are resolved before they impact your customer. When Wi-Fi becomes self-healing, customers enjoy seamless access to your services.”
We can safely say that this is the Holy Grail of any operator-deployed Wi-Fi system, and the updated Wi-Fi EasyMesh protocol with Wi-Fi Data Elements support makes that possible in a standardized way.
Figure 1: Example Wi-Fi EasyMesh and Wi-Fi Data Elements Network Topology
But Wait, There’s More…
Remember all the major enhancements listed above in the Wi-Fi EasyMesh protocol update? What benefits do those bring?
- Simultaneous Authentication of Equals (SAE) support in the backhaul brings more robust authentication mechanisms, increases cryptographic strength, disallows outdated legacy protocols and requires the use of Protected Management Frames (PMF). SAE is resistant to offline dictionary attacks.
- Coordinated channel scanning is a combination of two features that essentially allow the Wi-Fi EasyMesh Controller to get a complete picture of which Wi-Fi channels are overcrowded and which are free for use. It includes the ability to ask APs to scan specific channels, including DFS channels. The result is that the Wi-Fi EasyMesh network will be able to use the best channels available for each deployment—not only as first installed, but continually.
- Network traffic separation continues Wi-Fi EasyMesh’s support for multiple service set identifiers (SSIDs) per AP and even per radio. However, until now, all traffic for those SSIDs was intermingled. Now each SSID’s traffic can be separated into VLANs. This upgrade helps operators take a step in the right direction toward traffic security.
- Wi-Fi Agile Multiband™ support adds a number of features, including optional support for Fast Transition roaming with WPA2-PSK, improved guidance for clients to move to another AP in the network, tunneling of certain client-sent management frames (ANQP, WNM, Assoc) back to the Wi-Fi EasyMesh Controller, and support for association-disallowed attributes in beacons and probe responses from Wi-Fi EasyMesh Agents.
CableLabs’ Early and Continuing Involvement
Wi-Fi connectivity is key for CableLabs’ members, and CableLabs has been working closely on this Wi-Fi Alliance standard from the start. We were chosen to be the editor of the organization's test plan for both the first and second versions of the protocol, and we worked with Wi-Fi Alliance staff and vendors to develop the certification program. CableLabs continues to help lead and contribute essential technology to the Wi-Fi EasyMesh program.
Stay tuned for more press releases and blog posts to follow the progress of this new wireless technology.
RadSec, Securing RADIUS Message Exchange
With the ever-increasing use of mobile devices for data-rich activities, mobile networks have felt the burden of handling larger amounts of data. To gain relief, mobile operators have turned to offloading data onto Wi-Fi networks that are locally available—not only their own networks but Wi-Fi networks owned by their roaming partners. If the roaming partner’s Wi-Fi network is secured, then the subscriber’s credentials are exchanged between the roaming partner and the home operator, typically over the Internet. These credentials need to be secured while traversing the Internet, and the most common method is to use IPSec secure tunnels. Although IPSec secures and encrypts this critical information over the Internet, IPSec is not without issues and risks.
One issue is that the information is encrypted only from firewall to firewall, leaving the data unencrypted within both operator networks. In addition, setting up IPSec can be cumbersome because of the amount of work typically involved and the number of individuals involved, which can include the server administrator, network administrator, firewall administrator and security staff. There’s also the issue of performing key exchanges and testing the connections; the entire process is repeated if either end of the connection needs to be altered, resulting in downtime.
A Solution to These Issues Is RADIUS Security (RadSec)
Although RadSec is still a draft specification within the IEEE (RadSec profile for RADIUS), it’s based on RFC 6614, “Transport Layer Security (TLS) Encryption for RADIUS,” which enables the securing and encrypting of RADIUS messages between the RADIUS client and server. RadSec ensures that all RADIUS messages are secured and encrypted not only when they’re sent over the Internet but also when they’re deeper within each operator’s network, starting at the client and server. Because RadSec is based on TLS, the client and server are mutually authenticated at connection time, ensuring a trusted connection by chaining the certificates to a trusted Root Certificate. Because certificates are used, certificate revocation can be used to cut off unauthorized connections. In addition, TLS offers encryption of the RADIUS exchange. Encrypting the exchange prevents the exposure of sensitive subscriber information at all points between client and server—within the roaming partner’s network, over the Internet and within the mobile operator’s network—making the entire path secure.
RadSec is flexible and scalable. With RadSec, the client or server IP addresses can be altered without having to reconfigure the secure tunnel settings, as is the case with IPSec. The number of peering clients and servers can also be increased as needed based on operational requirements—without requiring additional work to establish new secure tunnels. This flexibility contributes to RadSec’s scalability. With traditional secure tunnels, if additional roaming partnerships are formed, firewalls need to be set up to support the new tunnels. With RadSec, at most, firewall access control lists (ACLs) would need to be updated to allow traffic from and to the new partner; the same certificate can be used for all roaming partnership connections.
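What RadSec actually carries inside the TLS session is the unchanged RADIUS packet format of RFC 2865, including the legacy Request Authenticator and the HMAC-MD5 Message-Authenticator of RFC 2869. RFC 6614 fixes the RADIUS shared secret to the literal string "radsec" and moves the transport to TCP port 2083, so those legacy fields no longer provide any secret-based authentication between peers: the certificate-based mutual TLS authentication described above is what authenticates the roaming partner, and TLS is what keeps the subscriber's identity confidential. The following added example (not CableLabs or WBA code) builds an Access-Request with a Message-Authenticator, verifies it and shows that any modification is detected, which is what an operator's RADIUS server still does on each packet after the TLS layer has delivered it. The user name, NAS identifier and fixed Request Authenticator are constructed.

```python
import hashlib
import hmac
import os
import struct
from typing import List, Optional, Tuple

RADSEC_PORT = 2083                 # TCP port assigned to RADIUS/TLS (RFC 6614)
RADSEC_SHARED_SECRET = b"radsec"   # fixed shared secret mandated by RFC 6614 section 2.3
ACCESS_REQUEST = 1                 # RADIUS code (RFC 2865)
ATTR_USER_NAME = 1
ATTR_NAS_IDENTIFIER = 32
ATTR_MESSAGE_AUTHENTICATOR = 80    # HMAC-MD5 over the packet (RFC 2869 section 5.14)
HEADER_LEN = 20                    # code, identifier, length, 16-octet authenticator


def encode_attrs(attrs: List[Tuple[int, bytes]]) -> bytes:
    """Serialize (type, value) pairs as RADIUS TLVs; the length octet covers type and length."""
    out = bytearray()
    for attr_type, value in attrs:
        if len(value) > 253:
            raise ValueError("attribute value too long")
        out += bytes([attr_type, len(value) + 2]) + value
    return bytes(out)


def decode_attrs(packet: bytes) -> List[Tuple[int, bytes, int]]:
    """Return (type, value, offset_of_value) for each attribute, validating every length."""
    if len(packet) < HEADER_LEN:
        raise ValueError("packet shorter than header")
    _, _, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet):
        raise ValueError("length field does not match packet size")
    attrs, pos = [], HEADER_LEN
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute header")
        attr_type, attr_len = packet[pos], packet[pos + 1]
        if attr_len < 2 or pos + attr_len > length:
            raise ValueError("malformed attribute length")
        attrs.append((attr_type, packet[pos + 2:pos + attr_len], pos + 2))
        pos += attr_len
    return attrs


def build_access_request(identifier: int, attrs: List[Tuple[int, bytes]],
                         secret: bytes, authenticator: Optional[bytes] = None) -> bytes:
    """Build an Access-Request whose last attribute is a valid Message-Authenticator."""
    if authenticator is None:
        authenticator = os.urandom(16)          # Request Authenticator: 16 random octets
    body = encode_attrs(attrs + [(ATTR_MESSAGE_AUTHENTICATOR, bytes(16))])
    packet = struct.pack("!BBH", ACCESS_REQUEST, identifier, HEADER_LEN + len(body))
    packet += authenticator + body
    # HMAC-MD5 keyed with the shared secret over the packet with the
    # Message-Authenticator value zeroed, then written into that value.
    mac = hmac.new(secret, packet, hashlib.md5).digest()
    return packet[:-16] + mac


def verify_message_authenticator(packet: bytes, secret: bytes) -> bool:
    """True when the packet is well formed and its single Message-Authenticator checks out."""
    try:
        attrs = decode_attrs(packet)
    except ValueError:
        return False
    found = [(value, off) for t, value, off in attrs if t == ATTR_MESSAGE_AUTHENTICATOR]
    if len(found) != 1 or len(found[0][0]) != 16:
        return False
    value, off = found[0]
    zeroed = packet[:off] + bytes(16) + packet[off + 16:]
    expected = hmac.new(secret, zeroed, hashlib.md5).digest()
    return hmac.compare_digest(expected, value)


def user_name(packet: bytes) -> Optional[bytes]:
    """Return the User-Name attribute (the NAI whose realm routes the request), if present."""
    for t, value, _ in decode_attrs(packet):
        if t == ATTR_USER_NAME:
            return value
    return None


# Constructed sample: an anonymous outer identity with a placeholder realm, as a
# roaming partner's gateway would forward it to the home provider over RadSec.
SAMPLE_AUTHENTICATOR = bytes(range(16))   # fixed only so the example is reproducible
SAMPLE_ATTRS = [(ATTR_USER_NAME, b"anonymous@example.net"), (ATTR_NAS_IDENTIFIER, b"anp-gw-01")]

if __name__ == "__main__":
    pkt = build_access_request(7, SAMPLE_ATTRS, RADSEC_SHARED_SECRET, SAMPLE_AUTHENTICATOR)
    print(len(pkt), user_name(pkt), verify_message_authenticator(pkt, RADSEC_SHARED_SECRET))
```

Because the secret is the public constant "radsec", the verification above guards only against corruption and malformed packets; it would pass for anyone who can reach the port. Peer authentication therefore has to come from the TLS handshake: a RadSec server must require a client certificate that chains to the agreed trust root and must check revocation, and a client must validate the server the same way, otherwise the end-to-end protection the post describes collapses to transport encryption with an unauthenticated peer.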
Based on the benefits of RadSec, CableLabs has led the work in Wireless Broadband Alliance (WBA) to introduce RadSec to the WBA Wireless Roaming intermediary eXchange (WRiX).
For more information about RadSec, please contact Luther Smith (firstname.lastname@example.org).
Field Trial Results Show Wi-Fi CERTIFIED Vantage™ Devices Offer Significant Improvement to Network Performance
In high-traffic, high-volume user environments such as subways, airports and stadiums, maintaining a reliable connection and moving consistently across access points (APs) in a Wi-Fi network has always been a challenge for users and operators. A solution to this issue is now commercially available in the form of Wi-Fi CERTIFIED Optimized Connectivity™ and Wi‑Fi CERTIFIED Agile Multiband™ AP and client devices. These are core certifications of the WFA Wi-Fi CERTIFIED Vantage™ program. These Wi-Fi Vantage™ devices contain features that optimize management and control frame transmissions, network discovery, authentication and network transition. A field trial was conducted to measure the performance of a Wi‑Fi network using Wi-Fi Optimized Connectivity™ and Wi‑Fi Agile Multiband™ devices embedded in a highly congested urban environment centered around a busy subway station. Results show the following improvements over non-Wi-Fi Vantage devices:
Optimized Network Discovery
Without Wi-Fi Vantage, the inefficiencies of network discovery and response messages can severely disrupt existing client connections and make it difficult for clients to attach to the network. The optimized network discovery features in Wi-Fi Vantage include suppression of, and broadcast of, probe responses by the AP and also include probe request deferral and suppression by the client. Field trial results show that the number of probe responses in a Vantage network were reduced by 76% on the 2.4 GHz radios and by 72% on the 5 GHz radios. This resulted in a probe response airtime usage reduction of 67% in 2.4 GHz and 44% in 5 GHz.
Without Wi-Fi Vantage, clients can experience long reconnection setup times when moving back into a previously-joined network. With Wi-Fi Vantage, this re-connection setup time is reduced using Fast Initial Link Setup (FILS) Authentication. When FILS Authentication was tested in the Wi-Fi Vantage network, results showed that the connection setup times decreased by 76% (from 228 ms to 55 ms).
Fast Network Transition
Without Fast Network Transition (FT), clients must perform a full Extensible Authentication Protocol (EAP) authentication when roaming, possibly interrupting the end-user experience. With Wi-Fi Vantage, once a client device decides to roam to a different AP, band or channel, the association and connection happen quickly and seamlessly. Test results show that FT roaming improved client re-connection setup times by 84%, reducing them from 203 ms to 31 ms. In addition, Fast Network Transition can be deployed with, and will work alongside, FILS Authentication to further optimize client connections and roams.
A full-featured Wi-Fi Vantage network will benefit overall network performance and user experience, especially in high-traffic, high-volume environments. Some Vantage features may already be included in operator-managed Wi-Fi networks using vendor-specific implementation and nomenclature. Field trial results will allow operators to assess the value of a partial- or full-featured Vantage certified Wi-Fi network. CableLabs’ joint leadership with the operator community (cable and mobile operators) created the vision and roadmap for the Wi-Fi Vantage program while partnering with the Wi-Fi ecosystem and will continue these efforts for the next generation of Wi-Fi Vantage.
Wi-Fi Alliance Launches Wi-Fi CERTIFIED 6™ Certification Program
Wi-Fi 6 has been around for almost a year, in the news and on the shelves. Tuesday, however, marked a key milestone in the deployment of the next generation of Wi-Fi connectivity: the Wi-Fi Alliance announced the launch of the Wi-Fi CERTIFIED 6™ certification program. Wi-Fi CERTIFIED 6™ provides the assurance that certified devices will interoperate and meet the industry-agreed standard requirements. With more than one billion Wi-Fi 6 chipsets expected to be shipped annually by 2022, interoperability plays a crucial role in guaranteeing proper operation of Wi-Fi networks and a seamless user experience.
Based on the IEEE 802.11ax standard, Wi-Fi 6 enhances the former Wi-Fi generations by delivering greater network capacity, improving performance in congested environments, increasing data rates and improving power efficiency. The IEEE 802.11ax Working Group started work on the next generation of Wi-Fi back in 2014. The former 802.11 standards focused primarily on delivering higher peak and aggregated throughput, but with the rapid evolution of the Wi-Fi landscape, new use cases and challenges needed to be addressed. The exponential growth of Wi-Fi connected devices made it critical to focus on actual field conditions. 802.11ax, known as Wi-Fi 6, addresses the congestion and interference issues seen especially in dense deployments, to deliver higher average throughput per user. The targeted deployments include busy airports or train stations, public venues, mobile traffic offload and apartment complexes. For cable operators this can translate to improved efficiency by serving multiple users at a higher average throughput in a residential environment or public hotspots.
Wi-Fi CERTIFIED 6™ key features
Wi-Fi CERTIFIED 6™ certification program includes a series of key features listed below:
- Downlink and uplink Orthogonal Frequency Division Multiple Access (OFDMA), where the channel width is split into sub-channels that are allocated to different clients. OFDMA increases system efficiency while decreasing latency in dense deployments, making more efficient use of the available spectrum. This allows multiple users to be served simultaneously, whereas in Wi-Fi 5 and earlier a single user is served at a time.
- Downlink Multiple User Multiple Input, Multiple Output (MU-MIMO) increases system capacity. MU-MIMO was introduced in Wi-Fi 5; Wi-Fi 6 extends the capability to serve up to 8 users concurrently.
- Quadrature Amplitude Modulation (QAM) 1024 increases the peak throughput by 25% in good conditions compared to Wi-Fi 5.
- Transmit beamforming uses several transmit antennas on the access point to focus the signal toward the destination station. This enables higher data rates at a longer range.
- Target Wakeup Time (TWT) is based on a scheduler that allows devices to negotiate when and how often they will wake up to send or receive data. TWT improves battery life of devices, a feature required for Internet of Things (IoT) devices.
- Basic Service Set (BSS) coloring allows for devices to recognize if incoming traffic is from an adjacent network, allowing devices to take measures to adapt transmissions to optimize intra-network activity.
Wi-Fi 6 certified devices must also meet 3 prerequisites:
- Wi-Fi CERTIFIED N (Wi-Fi 4) and Wi-Fi CERTIFIED AC (Wi-Fi 5) certifications ensure a backward compatibility with former Wi-Fi standards.
- Wi-Fi CERTIFIED Agile Multiband allows devices to make intelligent access point, band, and channel selection, improving efficiency and consistency on congested wireless networks.
- Wi-Fi CERTIFIED WPA3 improves security standards for authentication, authorization and encryption, resolving some WPA2 vulnerabilities that emerged over the past years.
The Role of Wi-Fi 6 in the 10G Platform
Earlier this year, CableLabs® introduced 10G™, the cable industry’s vision for delivering 10 gigabit networks. The 10G platform includes a collection of technologies enabling 10 Gbps symmetrical speeds, lower latencies, enhanced reliability, and security. In addition to the wired-related technologies such as DOCSIS 4.0 and P2P coherent optics, the platform includes a set of wireless technologies as an integral part of the network (e.g. Dual Channel Wi-Fi™ and Low Latency Wi-Fi). With almost half of the Internet traffic initiated from Wi-Fi connected devices, the cable industry is devoted to developing and enhancing wireless networks for a seamless user experience. Wi-Fi 6’s increased capacity, lower latency, and higher throughput support the necessary evolution of the wireless technologies to address the 10G roadmap.
Wi-Fi 6 is also addressed by Kyrio™, a subsidiary of CableLabs. Kyrio’s Wi-Fi 6 test setup (based on Otoscope®) provides a lab environment for controlled testing. In addition, the Kyrio test house is equipped with Wi-Fi 6 devices to simulate a real-world experience and characterize Wi-Fi 6 performance in a residential environment.
MAC Address Randomization: How User Privacy Impacts Wi-Fi And Internet Service Providers
In the era of mobility, location tracking is a major privacy concern for portable device users. Although a growing number of applications make use of location data, operating systems (OSs) provide the ability to turn off location services provided by the GPS or cellular/Wi-Fi connectivity. Wi-Fi access points, however, can monitor device locations without user consent by means of MAC addresses. As a countermeasure to this privacy threat, OS developers are anonymizing MAC addresses, thereby raising technical concerns among network operators.
Unique MAC Addresses Enable User Privacy Infringement in Wireless Networks
Every Wi-Fi radio has a unique 48-bit identifier called a MAC address that is assigned by the manufacturer. The MAC address is a Layer 2 (L2) address used to identify the source (sender) and the destination (receiver) of frames by most 802 network technologies, including Ethernet, Bluetooth and Wi-Fi.
Back in 2013, the privacy implications of targeted probe requests started to become widely publicized. Several companies were reportedly logging and tracking the addresses of nearby devices in unassociated states. In addition, during the connection to the AP, customers were not notified upfront that their movements would be tracked, and historic location data could be used for marketing purposes or sold to third parties.
MAC Address Randomization Increases Device Anonymity …
In response to these privacy vulnerabilities, most OSs—including Android, iOS, and Windows—began to implement their own variant of MAC address randomization while probing the Wi-Fi network. This probe mode guarantees anonymity until the client gets associated with an AP. IEEE 802.11 also stepped up to specify a similar feature in the IEEE 802.11aq Pre-Association Service Discovery amendment to the 802.11-2016 standard.
More recently, OSs have started to implement the use of MAC address randomization for device association to the network. The address is kept consistent per network (i.e., Service Set Identifier [SSID]), so the user doesn’t have to authenticate each time the device connects to the same SSID. This feature was added to Android P for experimental purposes, whereas Android Q randomizes the MAC address by default, with per-network customization. Windows 10 implements a similar scheme, while iOS 12 supports the probe mode only.
… But Raises Concerns Over Networking Equipment and Services
Although MAC address randomization is evidently a major step toward user privacy, it can have a wide range of repercussions impacting the Wi-Fi network and other related services. The concerns can be classified into two major categories depending on how/where the MAC address is used, the L2 network layer or the system layer.
At Layer 2, MAC address randomization can impact network components: one client may be reported multiple times, and networking equipment might be filled up with outdated MAC addresses. Changing MAC addresses can also negate the effectiveness of some wireless features. For example, band steering and client steering, which optimize client connectivity in a multiple-AP environment, depend on a unique MAC address for probes and association. To address these concerns, IEEE 802.11 recently formed a Random and Changing MAC Addresses (RCMA) group that is assessing the impact of changing MAC addresses on 802.11 features, for both associated and unassociated device states.
Because the MAC address is a Layer 2 identifier, it was not intended for use beyond L2 networking. In a recent Liaison Statement to the Wireless Broadband Alliance, the IEEE 802.11 working group “strongly recommends against using any specific MAC address as an identifier for a user or device, outside the scope of the layer 2 communication.” However, due to its ubiquity and, so far, expected uniqueness, the MAC address is widely used for various purposes, such as security, access control and billing. The following are examples of such uses:
- MAC-based access often admits or denies wireless association based on the connecting device’s MAC address. This includes authentication methods using the MAC address in lieu of a username and password, Pay Per Use (PPU) passes and short-term complimentary services.
- Some accounting and billing systems use the MAC address as a unique device identifier.
- MAC address filtering is often used to add an extra layer of protection on the network (white/blacklist) and enforce policies such as parental control.
- Monitoring, troubleshooting and analytics of Wi-Fi deployments, including help desks, often rely on MAC addresses as part of the client identity.
- Lawful interception makes use of MAC addresses.
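As an added example (not code from the CableLabs post), the Python below shows how an operator can measure the impact described above on its own logs. Randomized client addresses set the IEEE 802 "locally administered" (U/L) bit, the second-least-significant bit of the first octet, so that bit separates globally unique, manufacturer-assigned addresses from randomized ones. The script classifies the clients in a constructed association log, checks each session against a MAC-keyed allow-list of the kind the bullets describe, and records on how many SSIDs each device can be recognized. The log format, SSIDs, addresses and allow-list are all constructed for this example.

```python
"""Classify Wi-Fi client MAC addresses by the IEEE 802 U/L bit (added example)."""
import re
from typing import Dict, Iterable, Optional, Set

# Constructed association-log lines in a made-up format; one client per line.
SAMPLE_LOG = """\
2021-06-01T08:00:01 assoc ssid=Lobby mac=3c:5a:b4:12:34:56
2021-06-01T08:00:07 assoc ssid=Lobby mac=da:1f:88:90:ab:cd
2021-06-01T08:01:13 assoc ssid=Lobby mac=06:9e:2c:77:10:ff
2021-06-01T08:02:40 assoc ssid=Cafe  mac=3c:5a:b4:12:34:56
2021-06-01T08:03:02 assoc ssid=Cafe  mac=5e:33:a0:44:55:66
2021-06-01T08:04:19 assoc ssid=Lobby mac=3C-5A-B4-12-34-56
"""

MAC_RE = re.compile(r"^(?:[0-9A-Fa-f]{2}[:-]){5}[0-9A-Fa-f]{2}$")
LINE_RE = re.compile(r"ssid=(?P<ssid>\S+)\s+mac=(?P<mac>\S+)")


def parse_mac(mac: str) -> bytes:
    """Return the six octets of a colon- or hyphen-separated MAC address."""
    if not MAC_RE.match(mac):
        raise ValueError(f"not a MAC address: {mac!r}")
    return bytes(int(part, 16) for part in re.split(r"[:-]", mac))


def canonical(mac: str) -> str:
    """Lower-case, colon-separated form so the same device compares equal."""
    return ":".join(f"{b:02x}" for b in parse_mac(mac))


def is_group(mac: str) -> bool:
    """I/G bit (bit 0 of the first octet): set for multicast and broadcast."""
    return bool(parse_mac(mac)[0] & 0x01)


def is_locally_administered(mac: str) -> bool:
    """U/L bit (bit 1 of the first octet): set for locally administered
    addresses, which is what OS MAC randomization produces."""
    return bool(parse_mac(mac)[0] & 0x02)


def oui(mac: str) -> Optional[str]:
    """Manufacturer prefix; only meaningful for globally unique addresses."""
    if is_locally_administered(mac):
        return None
    return canonical(mac)[:8]


def classify_log(log_text: str, allow_list: Iterable[str]) -> Dict[str, object]:
    """Summarize a log: which devices are randomized, how often a MAC-keyed
    allow-list still matches, and on how many SSIDs each device was seen."""
    allowed = {canonical(m) for m in allow_list}
    global_devices: Set[str] = set()
    randomized_devices: Set[str] = set()
    ssids_by_device: Dict[str, Set[str]] = {}
    sessions = hits = misses = 0
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue  # not an association record
        mac = canonical(m["mac"])
        sessions += 1
        (randomized_devices if is_locally_administered(mac) else global_devices).add(mac)
        ssids_by_device.setdefault(mac, set()).add(m["ssid"])
        if mac in allowed:
            hits += 1
        else:
            misses += 1
    return {
        "sessions": sessions,
        "global_devices": global_devices,
        "randomized_devices": randomized_devices,
        "allow_list_hits": hits,
        "allow_list_misses": misses,
        "ssids_by_device": ssids_by_device,
    }


if __name__ == "__main__":
    # Constructed allow-list containing only the one globally unique device.
    summary = classify_log(SAMPLE_LOG, {"3c:5a:b4:12:34:56"})
    for key, value in summary.items():
        print(f"{key}: {value}")
```

In the sample, the one manufacturer-assigned address is matched by the allow-list on both SSIDs (and is therefore also linkable across them), while the three locally administered addresses miss the allow-list and cannot be correlated with a subscriber record at all, which is the trade-off the bullets above describe.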
Although no recent public data are available, the use of randomization is expected to increase in the near future as more OSs implement it. The definition of a universal randomization policy would support user privacy while ensuring that Wi-Fi and Internet service providers can take proactive measures to update applications and upgrade networking equipment. This requires the involvement of all stakeholders, including standards bodies, hardware/software manufacturers, service providers and OS developers.
CableLabs is currently addressing this topic in the wireless R&D group. Please contact me if you’re interested in getting involved. To learn more about our work in standards and industry consortia, see our members-only (login required) wireless space.
Leveraging Machine Learning and Artificial Intelligence for 5G
The heterogeneous nature of future wireless networks, comprising multiple access networks, frequency bands and cells, all with overlapping coverage areas, presents wireless operators with network planning and deployment challenges. Machine Learning (ML) and Artificial Intelligence (AI) can assist wireless operators in overcoming these challenges by analyzing geographic information, engineering parameters and historic data to:
- Forecast the peak traffic, resource utilization and application types
- Optimize and fine tune network parameters for capacity expansion
- Eliminate coverage holes by measuring the interference and using the inter-site distance information
5G can be a key enabler to drive the ML and AI integration into the network edge. The figure below shows how 5G enables simultaneous connections to multiple IoT devices generating massive amounts of data. The integration of ML and AI with 5G multi-access edge computing (MEC) enables wireless operators to offer:
- High level of automation from the distributed ML and AI architecture at the network edge
- Application-based traffic steering and aggregation across heterogeneous access networks
- Dynamic network slicing to address varied use cases with different QoS requirements
- ML/AI-as-a-service offering for end users
ML and AI for Beamforming
5G, deployed using mm-wave, has beam-based cell coverage, unlike 4G, which has sector-based coverage. A machine-learned algorithm can assist the 5G cell site in computing a set of candidate beams, originating either from the serving cell site or from its neighboring cell sites. An ideal set contains few beams yet has a high probability of containing the best beam. The best beam is the beam with the highest signal strength, a.k.a. RSRP. The more activated beams present, the higher the probability of finding the best beam, although a higher number of activated beams increases system resource consumption.
The user equipment (UE) measures and reports all the candidate beams to the serving cell site, which then decides whether the UE needs to be handed over to a neighboring cell site and to which candidate beam. The UE reports the Beam State Information (BSI) based on measurements of the Beam Reference Signal (BRS), comprising parameters such as Beam Index (BI) and Beam Reference Signal Received Power (BRSRP). Finding the best beam by using BRSRP leads to a multi-target regression (MTR) problem, while finding the best beam by using BI leads to a multi-class classification (MCC) problem.
ML and AI can assist in finding the best beam by considering the instantaneous values updated at each UE measurement of the parameters mentioned below:
- Beam Index (BI)
- Beam Reference Signal Received Power (BRSRP)
- Distance (of UE to serving cell site),
- Position (GPS location of UE)
- Speed (UE mobility)
- Channel quality indicator (CQI)
- Historic values based on past events and measurements including previous serving beam information, time spent on each serving beam, and distance trends
Once the UE identifies the best beam, it can start the random-access procedure to connect to the beam using timing and angular information. After the UE connects to the beam, the data session begins on the UE-specific (dedicated) beam.
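The candidate-set trade-off above (few beams versus a high probability of containing the best beam) can be made concrete with a small multi-class classification experiment. The following is an added example, not code from the CableLabs post: a k-nearest-neighbour vote over a constructed history of UE position and reported best Beam Index ranks the beams of a cell and returns the top m as the candidate set, and a held-out set measures how the hit rate grows with m. The cell layout (8 beams tiling a 120-degree sector), the 15% report noise, the feature choice (position only) and all UE records are assumptions made for the example.

```python
"""Candidate-beam selection as k-NN multi-class classification (added example)."""
import math
import random
from collections import Counter
from typing import Dict, List, Tuple

NUM_BEAMS = 8
SECTOR_DEG = 120.0                 # beams tile azimuth -60..+60 degrees
BEAM_WIDTH = SECTOR_DEG / NUM_BEAMS  # 15 degrees per beam (assumption)

Record = Tuple[float, float, int]  # (x, y, reported best beam index)


def azimuth_deg(x: float, y: float) -> float:
    """Azimuth of a UE relative to the cell site at the origin; 0 = boresight (+y)."""
    return math.degrees(math.atan2(x, y))


def true_best_beam(x: float, y: float) -> int:
    """Ground truth for the toy layout: the beam whose angular slot covers the UE."""
    az = max(-60.0, min(60.0 - 1e-9, azimuth_deg(x, y)))
    return int((az + 60.0) // BEAM_WIDTH)


def make_history(n: int, seed: int) -> List[Record]:
    """Constructed UE reports: 15% of them are off by one beam (measurement noise)."""
    rng = random.Random(seed)
    records: List[Record] = []
    for _ in range(n):
        r, az = rng.uniform(50, 400), rng.uniform(-60, 60)
        x, y = r * math.sin(math.radians(az)), r * math.cos(math.radians(az))
        bi = true_best_beam(x, y)
        if rng.random() < 0.15:
            bi = max(0, min(NUM_BEAMS - 1, bi + rng.choice((-1, 1))))
        records.append((x, y, bi))
    return records


def rank_beams(history: List[Record], x: float, y: float, k: int = 7) -> List[int]:
    """Rank all beams for a UE at (x, y): most neighbour votes first, ties broken
    by closeness to the top-voted beam so a prefix of the ranking is a sensible set."""
    nearest = sorted(history, key=lambda rec: (rec[0] - x) ** 2 + (rec[1] - y) ** 2)[:k]
    votes = Counter(rec[2] for rec in nearest)
    top = votes.most_common(1)[0][0]
    return sorted(range(NUM_BEAMS), key=lambda b: (-votes[b], abs(b - top), b))


def candidate_beams(history: List[Record], x: float, y: float, m: int, k: int = 7) -> List[int]:
    """The m best-ranked beams: the candidate set the cell would activate."""
    return rank_beams(history, x, y, k)[:m]


def hit_rate(history: List[Record], test_set: List[Record], m: int, k: int = 7) -> float:
    """Fraction of held-out UEs whose reported best beam is inside the candidate set."""
    hits = sum(bi in candidate_beams(history, x, y, m, k) for x, y, bi in test_set)
    return hits / len(test_set)


def evaluate(seed: int = 7) -> Dict[int, float]:
    """Hit rate versus candidate-set size on constructed data."""
    history = make_history(600, seed)
    test_set = make_history(200, seed + 1)
    return {m: hit_rate(history, test_set, m) for m in (1, 2, 3, NUM_BEAMS)}


if __name__ == "__main__":
    for m, rate in evaluate().items():
        print(f"candidate set of {m} beam(s): best beam contained {rate:.0%} of the time")
```

Because every candidate set is a prefix of one ranking, the hit rate can only grow with m, and with m equal to the number of beams it reaches 100% at the cost of activating every beam; the useful operating point is the smallest m whose hit rate the operator finds acceptable.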
ML and AI for Massive MIMO
Massive MIMO is a key 5G technology. Massive simply refers to the large number of antennas (32 or more logical antenna ports) in the base station antenna array. Massive MIMO enhances user experience by significantly increasing throughput, network capacity and coverage while reducing interference by:
- Serving multiple spatially separated users with an antenna array in the same time and frequency resource
- Serving specific users with beamforming, steering a narrow beam with high gain to send the radio signals and information directly to the device instead of broadcasting across the entire cell, reducing radio interference across the cell.
The weights for antenna elements for a massive MIMO 5G cell site are critical for maximizing the beamforming effect. ML and AI can be used to:
- Identify dynamic change and forecast the user distribution by analyzing historical data
- Dynamically optimize the weights of antenna elements using the historical data
- Perform adaptive optimization of weights for specific use cases with unique user-distribution
- Improve the coverage in a multi-cell scenario considering the inter-site interference between multiple 5G massive MIMO cell sites
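The antenna-element weights the list above refers to can be shown on a toy array. As an added example that is not code from the CableLabs post, the Python below computes conjugate-matched steering weights for a uniform linear array with half-wavelength element spacing, evaluates the resulting gain toward a user and toward an interfering direction, locates the first null beside the main lobe, and picks a steering angle by grid search so that the worst-served user in a constructed user distribution gets the best gain. The grid search stands in for the ML/AI optimisation the post describes; the element count, angles and user positions are assumptions.

```python
"""Beamforming weights for a uniform linear array (added example)."""
import cmath
import math
from typing import Iterable, List


def steering_vector(n_elements: int, theta_deg: float) -> List[complex]:
    """Relative phase of a plane wave from angle theta at each element.
    Half-wavelength spacing gives a phase step of pi*sin(theta) per element."""
    step = math.pi * math.sin(math.radians(theta_deg))
    return [cmath.exp(1j * step * n) for n in range(n_elements)]


def beam_weights(n_elements: int, steer_deg: float) -> List[complex]:
    """Conjugate-matched weights: every element's phase is aligned toward
    steer_deg. The 1/N normalisation makes the gain in that direction exactly 1."""
    return [a / n_elements for a in steering_vector(n_elements, steer_deg)]


def array_gain(weights: List[complex], theta_deg: float) -> float:
    """Normalised magnitude of the combined signal arriving from theta_deg."""
    arrivals = steering_vector(len(weights), theta_deg)
    return abs(sum(w.conjugate() * s for w, s in zip(weights, arrivals)))


def first_null_deg(n_elements: int, steer_deg: float = 0.0) -> float:
    """First null beside the main lobe: sin(theta) - sin(steer) = 2/N."""
    return math.degrees(math.asin(math.sin(math.radians(steer_deg)) + 2.0 / n_elements))


def best_steering_angle(n_elements: int, user_angles_deg: Iterable[float],
                        candidates_deg: Iterable[float]) -> float:
    """Grid search: the candidate steering angle that maximises the minimum
    gain over the users (a fairness criterion for a given user distribution)."""
    users = list(user_angles_deg)

    def worst_gain(steer: float) -> float:
        w = beam_weights(n_elements, steer)
        return min(array_gain(w, u) for u in users)

    return max(candidates_deg, key=worst_gain)


if __name__ == "__main__":
    N = 8
    w = beam_weights(N, 0.0)                       # steer to boresight
    print(f"gain toward user at 0 deg:        {array_gain(w, 0.0):.3f}")
    print(f"gain toward interferer at 20 deg: {array_gain(w, 20.0):.3f}")
    print(f"first null at {first_null_deg(N):.2f} deg, gain {array_gain(w, first_null_deg(N)):.1e}")
    # Constructed user cluster: three UEs at -10, 0 and +10 degrees.
    best = best_steering_angle(N, [-10.0, 0.0, 10.0], range(-60, 61, 5))
    print(f"steering angle chosen for the cluster: {best} deg")
```

With eight elements the main lobe is about 29 degrees wide between its first nulls, so a neighbouring cell's user at 20 degrees already sees well under a quarter of the gain the served user receives; adding elements narrows the lobe further, which is why weight optimisation matters more as the array grows.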
ML and AI for Network Slicing
In the current one-size-fits-all implementation of wireless networks, most resources are underutilized and not optimized for high-bandwidth and low-latency scenarios. Fixed resource assignment for diverse applications with differing requirements may not be an efficient way to use available network resources. Network slicing creates multiple dedicated virtual networks using a common physical infrastructure, where each network slice can be independently managed and orchestrated.
Embedding ML algorithms and AI into 5G networks can enhance automation and adaptability, enabling efficient orchestration and dynamic provisioning of the network slice. ML and AI can collect real-time information for multidimensional analysis and construct a panoramic data map of each network slice based on:
- User subscription,
- Quality of service (QoS),
- Network performance,
- Events and logs
Different aspects where ML and AI can be leveraged include:
- Predicting and forecasting the network resources can enable wireless operators to anticipate network outages, equipment failures and performance degradation
- Cognitive scaling to assist wireless operators to dynamically modify network resources for capacity requirements based on the predictive analysis and forecasted results
- Predicting UE mobility in 5G networks allowing Access and Mobility Management Function (AMF) to update mobility patterns based on user subscription, historical statistics and instantaneous radio conditions for optimization and seamless transition to ensure better quality of service.
- Enhancing security in 5G networks, preventing attacks and fraud by recognizing user patterns and tagging certain events to prevent similar attacks in future.
Future heterogeneous wireless networks will be implemented with varied technologies addressing different use cases, will provide connectivity to millions of users simultaneously, will require customization per slice and per service, and will involve large numbers of KPIs to maintain. ML and AI will therefore be an essential and required methodology for wireless operators to adopt in the near future.
Deploying ML and AI into Wireless Networks
Wireless operators can deploy AI in three ways:
- Embedding ML and AI algorithms within individual edge devices, for devices with low computational capability and quick decision-making needs
- Lightweight ML and AI engines at the network edge to perform multi-access edge computing (MEC) for real-time computation and dynamic decision making suitable for low-latency IoT services addressing varied use case scenarios
- ML and AI platform built within the system orchestrator for centralized deployment to perform heavy computation and storage for historical analysis and projections
Benefits of Leveraging ML and AI in 5G
The application of ML and AI in wireless is still in its infancy and will gradually mature in the coming years, creating smarter wireless networks. The network topology, design and propagation models, along with users’ mobility and usage patterns, will be complex in 5G. ML and AI will play a key role in assisting wireless operators to deploy, operate and manage 5G networks amid the proliferation of IoT devices. ML and AI will build more intelligence into 5G systems and allow for a shift from managing networks to managing services. ML and AI can be applied to several use cases to help wireless operators transition from a human management model to self-driven automatic management, transforming network operations and maintenance processes.
There are high synergies between ML, AI and 5G. All of them address low latency use cases where the sensing and processing of data is time sensitive. These use cases include self-driving autonomous vehicles, time-critical industry automation and remote healthcare. 5G offers ultra-reliable low latency which is 10 times faster than 4G. However, to achieve even lower latencies, to enable event-driven analysis, real-time processing and decision making, there is a need for a paradigm shift from the current centralized and virtualized cloud-based AI towards a distributed AI architecture where the decision-making intelligence is closer to the edge of 5G networks.
The Role of CableLabs
The cable network carries a significant share of wireless data today and is well positioned to lay an ideal foundation to enable 5G with continued advancement of broadband technology. Next-generation wireless networks will utilize higher frequency spectrum bands that potentially offer greater bandwidth and improved network capacity but face challenges with reduced propagation range. 5G mm-wave small cells require deep, dense fiber networks, and the cable industry is ideally placed to backhaul these small cells because of its already deployed fiber infrastructure, which penetrates deep into the access network close to end-user premises. The short-range and high-capacity physical properties of 5G have high synergies with fixed wireless networks.
A multi-faceted CableLabs team is addressing the key technologies for 5G deployments that can benefit the cable industry. We are a leading contributor to European Telecommunication Standards Institute NFV Industry Specification Group (ETSI NFV ISG). Our SNAPS™ program is part of Open Platform for NFV (OPNFV). We are working to optimize Wi-Fi technologies and networks in collaboration with our members and the broader ecosystem. We are driving enhancements and are standardizing features across the industry that will make the Wi-Fi experience seamless and consistent. We are driving active contributions to 3GPP Release 16 work items for member use cases and requirements.
Our 10G platform complements 5G and is also a key enabler to provide the supporting infrastructure for 5G to achieve its full potential. CableLabs is leading the efforts for spectrum sharing to enable coexistence between Wi-Fi and cellular technologies, that will enable multi-access sharing with 3.5 GHz to make the 5G vision a reality.