ALTAI WIRELESS BROADBAND NETWORK DESIGN WHITE PAPER

Transcription

1 ALTAI WIRELESS BROADBAND NETWORK DESIGN WHITE PAPER Comparing with enterprise network planning, public network planning is different. The characteristic and requirement of a public access network contributes to a unique network design.

2 1. Network Planning Requirements Network planning of public wireless access network is quite different from enterprise network planning. In order to make a proper design, it is necessary to understand some characteristics and general requirements of a public access network. 1.1 User Community Number of users The number of subscriber is usually huge in public access network. For example, a regional network that has 10,000 subscribers with 20% contention ratio, the number of concurrent access will go up to 2,000 easily. With this large user base, the network must be capable of supporting a large number of users requiring a large IP address pool, high-end switches and devices that support large MAC address space. Further, the network design must be scalable to support the ever-expanding user spaces. User groups The user groups of a public access shall be very varies. It may be a highly educated businessman, a primary school student, or even a hacker. Providing service to those different groups of users is a challenge. The network must be easy to use, and at the same time, has enough security to protect users and network against foreseeable hacking activities. 1.2 Usage Pattern and QoS requirements The network usage of a public access network is usually bursting, most of the usage is concentrated in busy hours, for example, lunch hour, or at night when every users are using Internet at home. How they are using the Internet is also a big different, it may be web surfing, video streaming, or even heavy duty downloading (e.g. BT). To avoid single user eats up most of the traffic and include the overall user satisfactory level, a proper bandwidth control must be applied in the network infrastructure. In fact some applications such as multimedia service require more than bandwidth control. Those traffics require high level real-time support. Those traffics have to be in higher priority, such that they will get transmitted as early as possible. This is especially important in those traffic jammed situation. The network must apply Quality of Service (QoS) measures to support real time applications. 1.3 Requirement list Here is a requirement list of a public wireless access network. The network shall: Capacity - Support at least 1,000 concurrent users - Be scalable to support ever growing user spaces User Support

3 - Support different types of terminals (e.g. laptop, PDA, smart phone etc.) - Be easy to use for all users with different education level - Only allow registered person or device to login Security - Provide wireless security to protect users against the hackers - Provide enough security to protect the infrastructure against the hackers Quality of Service - Provide per-user bandwidth control - Provide Quality-of-Service (QoS) for real time applications 2. Network Design A reference network design is presented here, to provide the basic setup for a public access network. The actual deployment shall be different in different environment. The purpose of this network design is to provide a reference of how to glue things together to provide a complete service which could meet the requirements discussed in previous section. To present the complete picture, the overall network design and the components are introduced here. Figure 1: Network Design for Single Regional Network

4 2.1 Network Elements Network Element Radius Server Service Controller AWMS Server VLAN Switch Altai A2 WiFi bridge Altai A8n Super WiFi base station Altai A8-Ein Super WiFi base station with antenna array Altai A2 AP Altai C1n, C1an and U1 CPE Functional Description To work with service controller (Captive Portal, MAC Authentication) and BTS (WPA) for user authentication Central gateway for each regional network, as a bandwidth controller, captive portal gateway, traffic prioritization and DHCP server. The model SC 1600 is available from Altai, the maximum numbers of concurrent users supported by the controllers is 2,500 with throughput control up to 12,000 Mbps. Element Management system for Altai network equipment VLAN switch that support VLAN, QoS, and large MAC address space For wireless backhaul bridging from a wired outlet to a remote network site. PTP or PTMP wireless connections are possible. A wireless backhaul can be formed using A2, A2e or the built-in 5 GHz radio of A8n. Up to 4 backhauls can be aggregated to share one Internet wired outlet. A2-A2 can support up to 12 km LOS, A8n-A8n up to 30 km, and A2e-A2e up to 50 km, depending on the antenna used. Data rate can be supported up to 300 Mbps, equivalent to throughput of 160 Mbps For primary large area coverage with LOS coverage radius of 1,000 m and NLOS radius of 250 m (urban), 350 m (suburban) or 500 m (rural) depending on the NLOS conditions. Each A8n supports for a maximum of 512 clients and typically 100 concurrent users are used for calculation purpose. Horizontal coverage angle can be 90, 180, 270, 360 degrees or any angles in between, by installing the 4 sectors antennas in different directions. Down-tilting is possible for different target coverage areas A8-Ein can be used if the coverage area is in long sector shape and omni coverage is not required. The LOS coverage radius can go up to 1,700 m and NLOS radius up to 500 to 800 m depending on the environments. The horizontal beamwidth is 100 degree. The use of A8-Ein can give 5 db or more enhancements in RSSI as compared to A8n and hence larger penetration and higher throughput could be achieved. A few A8-Ein can be co-located at one site for larger horizontal coverage A2 can be used for coverage enhancement where A8n coverage is seriously blocked in NLOS environments. It can extend up to 450 m LOS and 250 m NLOS coverage radius. A2 can also be used for capacity enhancement where a maximum of 256 clients (typical 50 concurrent users in calculation) can be added. A2 can be configured as AP (Ethernet connection), repeater (to extend A8n coverage wirelessly in 2.4 GHz) or CPE (to extend A8n coverage to Ethernet connection) Wireless CPE to repeat outdoor signal to indoor and provide an Ethernet connection for high speed broadband service. The C1n operates at 2.4 GHz, while the C1an operates at 5

5 GHz. A8n to C1n distance can go up to 2.7 km LOS and 1.3 km NLOS. C1n/C1an can be used for indoor wireless coverage. C1n can also be used as AP alone, for 60 degree horizontal indoor coverage. The U1 is a 2.4 GHz CPE with an USB cable to be powered from a laptop 2.2 IP Planning Backend Layer x/ Regional Layer Infrastructure Network Element (i.e. BTS, VLAN Switch etc.): x/ Wireless Client: / (for 1020 IP addresses under 1 service controller) The regional layer network is partitioned inside its own subnet. The subnet has subnet mask, and the infrastructure network elements occupy the x as IP addresses. The remaining IP address range, to , provides up to 1,020 IP addresses will be used for the wireless clients under one service controller. If a region requires more than 1,000 concurrent users, we need to add one service controller for each increase of 1,000 concurrent users. The second service controller can use IP address range to for another 1,020 IP addresses, and so on for more service controllers. 2.3 Network Scalability Each service controller will only serve up to 1,000 concurrent wireless clients. When the user space is growing it is recommended to expand the network by installing more service controllers in a regional network. If the network is ever growing, it is recommended to expand the network by installing more regional networks. To manage multiple-regional network, a centralized AWMS CCS server will be placed at backend layer, which manage the whole network through multiple AWMS Proxy servers located inside each regional network. Each regional network requires one AWMS proxy server, which can manager up to 300 network elements. Up to 6 proxy servers can be managed by one AWMS server, which can support up to 2,000 network elements for the whole network. All service controllers, APs and AWMS server and AWMS proxy servers are under management VLAN.

6 Figure 2: Network Diagram for Multiple Regional Networks 2.4 SSID and VLAN Planning There are three networks (SSIDs) in this network each of them is serving specific network services and purpose. wisp_wireless: for general internet usage wisp_wireless_secure: for general internet usage with stronger security wisp_service: for administrative purposes, its SSID is suppressed; users will not be able to discover this network. This network is the only one which could access to equipment s management interface SSID VLAN Traffic Priority Authentication wisp_wireless 2 Normal Captive Portal (and optional MAC address) wisp_wireless_sec ure wisp_service (SSID Suppressed) Encryption Open Bandwidth Control 1 Mbps per client 3 Normal 802.1x/EAP AES 1 Mbps per client 1 [native] Normal WPA2-PSK AES 1 Mbps per client

7 The networks are assigned to different VLAN for the following purposes: Restrict the layer 2 traffic of the Large subnet, into a more restricted boundary to reduce the overhead comes with Large subnet The users in different VLAN will not be able to access each other directly All infrastructure equipments are grouped into the default VLAN, which avoid the users (assigned into different VLAN) to login to the equipment 3. Coverage Design The use of network elements as described in the above will be different which depends on the type of applications and services to be deployed. In general, wireless broadband applications can be divided into three types as shown in Figure 3 below, namely hotspots and hotzones, city-wide WiFi and residential broadband. The corresponding network elements that can be used are described below. Figure 3: Wireless Broadband Coverage Design The general coverage designs are as follow: The first step in network design is to provide macro coverage over the service areas. The 11a/b/g/n A8n series will be used if high capacity is the main consideration; otherwise the 11a/b/g A8 series can be a low cost alternative. The second step is to provide micro coverage as well as to enhance coverage over shadow areas, to provide additional user capacity and throughput capacity. The A2 series can be used for all the purposes above. The next step is to enhance the signal strength to meet targeted throughput as well as to extend indoor coverage. The C1n series can satisfy all the above by either set as CPE to extend outdoor signal to indoor, or as a standalone AP, or a pair can be used as repeater for complete indoor coverage.

8 For 2.4/5GHz dual-band dual concurrent (DBDC) coverage design, the A8n series can be used for macro coverage. Then, the new A2-Ei and A2w can be used for micro coverage for outdoor and indoor respectively. Lastly, the C1n/C1an can be added for coverage/signal enhancement in 2.4/5 GHz respectively. If wireless backhaul is required, the A2 series can be used for high capacity long range PTP/PTMP bridging. While the C1an can be used for shorter range PTP/PTMP bridging at lower cost. 4. QoS Functionality Typically, networks operate on a best-effort delivery basis, which means that all traffic has equal priority and an equal chance of being delivered in a timely manner. When congestion occurs, all traffic has an equal chance of being dropped. 4.1 Altai A8n QoS Features When configuring QoS, users can select specific network traffic, prioritize it, and use congestion-management and congestion-avoidance techniques to provide preferential treatment. Implementing QoS in wireless LAN makes network performance more predictable and bandwidth utilization more effective. When configuring QoS, users create QoS profiles. Based on this, AP can apply different policies to the user traffic. The QoS implementation is based on WMM, which is a subset of the e draft. It prioritizes traffic between the AP / bridge and wireless client device / peer bridge device, on a per VAP basis. Altai A8n supports following QoS profiles: Fixed QoS Policy - Very High (for voice) - High - Normal - Low ToS / 802.1q / e IP Port Range The QoS policies are mapped to WMM access categories. Each access category supports different parameters (minimum / maximum contention windows, fixed slot time, and transmit opportunity) to calculate back-off times for frame transmission. As a rule, high-priority frames have short back-off time. When QoS feature is enabled, all packets send to wireless clients will queue according to WMM access categories. Fixed QoS policy When a user specifies a fixed QoS policy (i.e. Very High, High, Normal, and Low), all outgoing traffic for that particular VAP is transmitted at the priority of the corresponding QoS policy, even for frames that have a different e, IP ToS, WMM priority value.

9 ToS / 802.1q When a user selects the ToS / 802.1q QoS policy, packets are prioritized based on IP ToS value. IP Port Range When a user selects Protocol / Port Range QoS policy, packet ToS value is set based on the protocol (i.e. UDP or TCP) / Port Range (i.e. Destination port number packet received from wireless client, Origination port number packet send to wireless client). Port Range can either be a single port or a contiguous range (maximum 8 per protocol). 4.2 QoS Settings For the purpose of QoS, a dedicated VAP (i.e. SSID) shall be used. All clients shall associate with the specified VAP for better broadband quality. The VAP shall support different security, QoS profile, and VLAN ID. Security If security is not an issue, use Open in security mode. For higher security, WPA shall be used. However, this could affect the maximum capacity. QoS profile Voice application that requires the highest priority shall be set as Very High with ToS tagging enabled. Real time application such as surveillance that requires higher priority shall be set as High with ToS tagging enabled. All standard data traffic will be transmitted in a normal priority queue, and the packets are tagged with Normal ToS. The packet tagging could help the backend network priority the traffic from end-to-end. VLAN ID For multimedia service that requires priority, the backend network shall setup a VLAN for multimedia service, so that the traffic can be assigned to a higher priority, if the equipment does not support the ToS/802.1q fields. WMM client setting The client which supports WMM, shall be further enhanced, when transmitting packets. Some WMM handheld devices support ToS setting, when the ToS is set to a higher priority. The client handshakes with AP through WMM, and send the packets earlier as soon as possible. 5. Service Controller Functionality 5.1 Overview

10 For public access network, a sophisticated subscriber authentication system is always needed to control subscriber access and maintain accounting information. This function is provided now by the service controller in our system. In our network, the service controller acts as a gateway for the subscriber to access the internet and any other operator provided service. The subscriber has to acquire access right from the controller before their traffic can pass through. The following diagram illustrates a typical network setup with service controller access control. Figure 4: Access Control System Architecture As shown in the above figure, service controller situates in the junction between LAN and WAN in order to regulate traffic generated/requested by the subscribers in A8n. The figure also introduces another network component, RADIUS server. Its primary function is to act as a central registration repository of subscriber login information. It could support multiple service controllers in different regional network at the same time and allow the operator to maintain a single point of subscriber database. The basic operation between subscriber, controller and RADIUS server is shown below. When a subscriber attempts to login to the network, its login information is sent to the RADIUS server for verification through the controller. If the login is successful, the controller would open access for this subscriber. Vice versa, if login fails, the controller would block the subscriber from further entry to the network. Figure 5: Authentication Mechanism

11 In order for the subscriber to submit the login information, there are 2 practices adopted in our system, Web based login and MAC address authentication. In the following section, we would discuss them one by one. 5.2 Web Based Login (Captive portal) Nowadays, web browsing has already become one of the most favorable applications in broadband access. Therefore, open up a web browser right after connection setup would be a common practice for a lot of subscriber. Web based login tries to adapt to this practice using the browser. When a new subscriber connects to the network and accesses any web page with a browser, he/she would be redirected to the login page provided by the controller immediately. After the login information is entered to the web page and verified by the RADIUS server, the controller grants access to that subscriber and redirect he/she to the target web page. The process would be similar to the following diagram. Figure 6: Web based login Although web based login seems to be a very convenient ways for subscriber to gain access to the system, its biggest drawback is actually the need of a browser software. There are many devices in the WiFi world like WiFi phone which do not have browser software embedded into it. For those subscribers, another methodology is in place, MAC authentication. 5.3 MAC Address Authentication For devices without web browsing capability, the service controller also provide another authentication mechanism by using the MAC address, i.e. hardware address. Instead of requesting the subscriber to enter login information, device MAC address would be used automatically as the identity. Whenever the controller detect a packet with new MAC address, it would attempt to sent this address to the RADIUS

12 server and verify its identity. Therefore, the login would be completely automatic without any notice from the subscriber. However, under this scheme, the authentication could only be done to the device instead of the subscriber true identity. If there are more than one devices used by the subscriber, each of them has to be register by the operator individually. Also, MAC address is not a strong security measure as it can be easily spoofed. Therefore, this mechanism should be used carefully. 5.4 Billing and Accounting The service controller supports RADIUS accounting with a comprehensive set of attribute. They include: Maximum time a session can be active Maximum octets/bytes can be received/sent Maximum idle time in seconds allowed Number of octets/bytes received/sent Number of packets received/sent This attribute allows operator to implement a variety of business models and billing systems including real-time prepaid and postpaid structure. We can bill subscribers on service type, time of service, time duration, session traffic and combination of any kinds 5.5 Bandwidth Management Besides serving AAA function, the service controller can also perform the bandwidth management on traffic passing through it. Since the subscriber can access most service via the controller only, this bandwidth control functionality in the controller can effectively regulate traffic demand for the service network. The controller can basically perform two types of traffic control, bandwidth limitation and traffic prioritization. For both methodologies, they can be based on VLAN separation or subscriber configuration stored in RADIUS server. This allows the operator to provide a flexible service scheme for their subscriber. Bandwidth limitation method A maximum downlink/uplink bandwidth limit is set on each subscriber. The subscriber can only acquire up to their corresponding traffic limit through the service controller. Traffic prioritization method An overall bandwidth limit is set on the controller WAN port. Subscriber traffic would fall into four different classes from low to high with separate committed and maximum bandwidth percentage. For each traffic class, it can obtain at least the committed percentage of the WAN port bandwidth and up to its maximum percentage. However, when the sum up bandwidth requirement for all traffic classes is over 100%, a higher traffic class would take up all the lower class traffic percentage above the committed percentage.

13 6. Wireless Security As data is transmitted over the air in wireless networking, its security is always the concern of most operators. In the context of security, it is usually separated into two portions, authentication and encryption. Authentication It is the process in which both parties, operator network and subscriber, attempt to verify the TRUE identity of each other. It usually involves a shared secret (e.g. username/password, shared key and digital certification) between two sides and the verification of that shared secret. Once the identities are accepted, the network connection can be established. Common authentication methods in WiFi include WEP shared key, WPA-PSK and 802.1x. Encryption Since wireless traffic can be received by anybody in range to the transmission, the data should be rendered in such a way that it is unreadable from any unintentional parties without the correct secret. This is the process to transform data from plain text to cipher text with a shared encryption key between involved parties. Common encryption methods in WiFi include WEP, TKIP and AES. All of the above authentication and encryption methods constitute to the major security standard for WiFi today, WEP, WPA and WPA2. We will discuss each standard in the following sections. 6.1 Wired Equivalent Privacy (WEP) This is the original security standard proposed in standards It is supposed to provide protection to authorized users of a wireless LAN from casual eavesdropping equivalent to that provided by the physical security attributes inherent to a wired medium. WEP uses stream cipher RC4 for confidentiality and CRC-32 checksum for integrity. It performs a scrambled bit-wise XOR operation over the data stream based on the shared secret key between the subscriber and the operator network. The shared key (WEP key) can be 64 bits, 128 bits and 152 bits with longer key offering better protection to the data. The shared key also provides authentication function to the subscriber using a challenge-respond approach. However, there are several weaknesses on WEP security. First of all, the WEP stream cipher technique is known to be vulnerable under attack and there is plenty of software around to crack WEP key in minutes by sniffing out packet. Therefore, frequent change of WEP key is needed if WEP is applied. This reveals another weak spot towards the algorithm. This is even more adverse as all subscribers have to apply the same secret key. This highly increases the risk of key secret leakage. Actually, WEP standard does not specify the methodology for key distribution among subscriber. Therefore, it would be very difficult for operator to frequently change key for all user.

14 6.2 WiFi Protected Access (WPA) Due the deficiency of WEP security, WiFi Alliance proposed the advanced wireless security protocol, WPA. It is actually an early version of i standard which is IEEE effort to enhance WiFi security. WPA utilizes two different types of encryption algorithm, TKIP and AES (optional). TKIP, Temporal Key Integrity Protocol It is an improvement on original WEP protocol which provides automatic re-keying functionality to avoid the static key deficiency in WEP. It follows the stream cipher algorithm in WEP and provide individual secret key for each subscriber. It allows a smooth transition for WiFi hardware upgrade to the new security standards. However, it still encounters the same insufficiency as a weak cryptography algorithm. AES, Advanced Encryption Standard It is a block cipher algorithm which is the successor of DES, Data Encryption Standard. AES is one of the most popular algorithms used in symmetric key cryptography and is adopted as an encryption standard by the U.S. government. In general, the AES algorithm offers a better data protection than TKIP. Also, WPA provides new algorithm to improve subscriber authentication process which include Pre-Shared Key (PSK) scheme and 802.1x standard with RADIUS authentication. In the PSK approach, a shared secret passphase is held by both subscriber and operator network and authentication and encryption key is achieved through the 4-ways handshake mechanism. Since the passphase is not directly exposed to be used as the encryption key, there would be a better defense towards the shared secret. However, some badly chosen passphase can be compromised by sniffing through the 4-ways handshake process. Moreover, since the same passphase has to be shared by all subscribers in the network, there would be the same deficiency as the static WEP key. On the other hands, the 802.1x standard is originated from IEEE to provide port based authentication through RADIUS AAA system. Under this scheme, a subscriber would have to provide username/password information to the RADIUS server. The information would be passed through the associated AP based on Extensible Authentication Protocol (EAP). After the RADIUS server accepts the login information, it would inform the AP to accept subscriber association and send a generated pairwise master key to both AP and subscriber for the 4-ways handshake mechanism. Since 802.1x employ a subscriber login mechanism, there can be separated encryption secret for each different subscriber and provide a secure key distribution system. 6.3 WPA2 WPA2 is an enhanced version of WPA and is practically the WiFi Alliance version of i. AES has been made to be a mandatory encryption standard in WPA2 and two new features is added, which is pairwise master key caching and subscriber preauthentication. Both enhancements offer a faster handoff capability for subscriber station under WPA scheme. Conversely, weak as the default encryption of most routers may be, it often defeats a user's attempt to use his own laptop wirelessly at home.

15 Contacts Information: Headquarters: Altai Technologies Limited Unit 209, 2/F, East Wing, Lakeside 2, 10 Science Park West Avenue, Hong Kong Science Park, Shatin, Hong Kong Web: Tel: Fax: [email protected] Jul 17, 2009 Revised on Sep 11, 2009 Revised on Jul 17, 2013