Applicability of Access Node Control Mechanism to WLAN based Broadband Networks

The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in RFC 2119

With the fast popularization of WLAN terminal,WLAN are being deployed widely across carrier networks to provide hotspot access service.It is an important method for carriers to offload the data pressure of 2G/3G mobile network by WLAN access network. [ANCP-FRAMEWORK] provides the framework and requirements for coordinated admission control between a NAS and an AN with special focus on DSL deployments. This document proposes the extension of that framework and the related requirements to WLAN.

o Wireless Local Access Network(WLAN):WLAN technologies include the approved IEEE 802.11a, b,g and n specifications. WLAN is a high-speed local wireless technology to enjoy broad deployment , most notably in hotspots around the world, including homes and offices, and increasingly cafes, hostels, and airports. WLAN is also known as Wi-Fi(short for wireless fidelity). o Wireless Termination Point (WTP): The physical or network entity that contains an RF antenna and wireless physical layer (PHY) to transmit and receive station traffic for wireless access networks.For WLAN,WTP is also known as Aceess Point(AP). o Access Controller (AC): The network entity that provides WTP access to the network infrastructure in the data plane, control plane,management plane, or a combination therein. o Control And Provisioning of Wireless Access Points (CAPWAP): It is a generic protocol defining AC and WTP control and data plane communication. o Station (STA): A device that contains an interface to a wireless medium (WM).It is a subscriber device. o Autonomous Wireless Local Area Network (WLAN) Architecture: It is the traditional autonomous WLAN architecture, in which each WTP is a single physical device that implements all the wireless services. o Centralized WLAN Architecture: It is an hierarchical architecture utilizing one or more centralized controllers for managing a large number of WTP devices. It can be said that the full wireless functions are implemented across multiple physical network devices, namely, the WTPs and ACs. o Access Node (AN): Network device, usually located at a service provider central office or street cabinet that terminates access(local) loop connections from subscribers. In case the access loop is a Digital Subscriber Line (DSL), the Access Node provides DSL signal termination, and is referred to as a DSL Access Multiplexer (DSLAM).In case of WLAN, it is referred to as a AC. o Network Access Server (NAS): Network element which aggregates subscriber traffic from a number of ANs or ANXs. The NAS is often an injection point for policy management,authentication and IP QoS in the access network. It is also referred to as Broadband Network Gateway (BNG) or Broadband Remote Access Server (BRAS).

When wired carriers extend their network with wireless access technologies, they prefer to reuse NAS architecture.For wired carriers,NAS and AC usually coexist in the operator's WLAN access network.Professional NAS is often deployed in the fixed network already,so they prefer to reuse NAS devices for WLAN access network as authentication device to reduce cost and avoid network variation.NAS controls subscriber's access to network with AAA, and AC manages WTPs and controls user's association to WLAN.The focus throughout this document is based on this kind of application scenery.Given the separation of NAS and AC, AC takes the role of wireless AN. Just like wired broadband access network,WLAN provides triple-play services over IP to meet the increasing demand for broadband data service.In order to carry out the QOS policy more effectively and improve the utilization of network resouce,the cooperation between the NAS and the wireless AN is also needed. Furthermore,except for the common things with wired access technology,there are special characters in WLAN.For example,the open media of radio acess,the station's roaming.So, WLAN proposes new requirement to enhance the exchange of information for NAS and AN.Some related use cases include: -----In order to ensure security of data transport over the air,different encryption key is needed for each user. However,the intermediate key material is held by NAS for every subscriber.So, NAS need to deliver the material to wireless AN dynamically to generate the final encryption key over the air. -----To improve the utility of precious wireless spectrum, AN need to get more status information of each user from NAS. -----To make the user's roaming experience better,AN and NAS need more cooperation. It shows that a tighter coordination between NAS and Wireless AN is necessary.Fortunately, ANCP intends to provide a general communication mechanism between NAS and AN,and ANCP support to be extended on demand. So,with the new WLAN requirement,ANCP need to be extended for WLAN.

RFC 5851 provides detailed definition and functions of each network element in the general broadband reference architecture.Figures 1 shows an end-to-end broadband network with WLAN access. There are two WLAN architecture models.One is Centralized WLAN Architecture(or Fit Architecture),the other is Autonomous WLAN Architecture(or Fat Architecture). The need of deploying WLAN more broadly and cost-effectively lead to the population of the centralized WLAN architecture. The Access Node terminates the WLAN access. It is refered to as AC in Centralized WLAN Architecture,and as WTP in Autonomous WLAN Architecture. Given the industry's trend of centralized WLAN architecture, the primary focus throughout this document is on centralized WLAN architecture. RFC 5851 defines the core of what distinguishes a NAS from a typical routing system as per-user basis authentication,accountting and policies.

Premises Network Network +--------------------+ +---------------------+ +---------+ +---+ | +----------+ | | +---+ +-------+ | | +-|NAS|-|--|Access |-|-|--|WTP|-|Station| ---+ Regional| | +---+ | |Controller| | | +---+ | | |Broadband| | | +----------+ | | +-------+ |Network |-| +------------|-------+ +---------------------+ ---+ | | | +---------------------+ | | | +---+ | | +---+ +-------+ +---------+ +-|NAS| +---------|--|WTP|-|Station| +---+ | +---+ | | | +-------+ +---------------------+ NAS: Network Access Server WTP: Wireless Termination Point ]]>

Compared with wired broadband access technologies,there are several different points need to be considered: o WLAN access protection Strong over-the-air data protection is addressed in WLAN.For example,802.11i greatly increases the level of over-the-air data protection and access control on Wi-Fi networks.NAS will inevitably help to negotiate key materials used for air protection, and it should deliver the intermediate key material (called as PMK in WiFi) to WLAN AN . o Specific identification for WLAN subscriber For DSL access technology, a PVC represent a subscriber. But for WLAN access technology, many subscribers can access with the same radio. It means that there are many subscribers who may use the same VLAN. So when the subscriber's information is exchanged , subscriber's detail specific information need to be clarified. o Radio Resource Control Radio spectrum is a precious and limited resource. The communication between WLAN AN and NAS make it possible to control radio resource more efficiently among different wireless subscribers. For example, according to certain rules, WLAN AN can kick off the inactive subscribers. o Roaming Wireless user can roam from an Access Node to another Access Node.The change of subscriber's location need to be tracked. And subscriber's reauthentication need to be avoided to improve quality of experience.However, subscriber's reauthentication often occur. for example, in WLAN network, given the authentication method of NAS is Portal, when a subscriber moved from an AN to another AN, the subscriber's IP address is usually changed, and it has to be re-authenticate at NAS although the latter AN understand the subscriber 's roaming status.If latter AN report roaming information to NAS, the reauthentication can be avoid and the subscriber's roaming experience will be improved. Based on reusing the general framework and protocol of ANCP,typical elements which need to be defined for ANCP in WLAN environment include the following: ---New WLAN capability need to be defined for establishment of adjacency relationship ---New WLAN subscriber identification needs to be defined ---New message type or TLV need to be defined for delivering open air key material from NAS to WLAN AN ---New message type or TLV need to be defined for identifying invalid or unauthenticated user to AN for better radio resource control ---New message type or TLV need to be defined for AN to update NAS with roaming user information for better roaming experience

The Access Node Control Mechanism defines a quasi real-time, general-purpose method for multiple network scenarios with an extensible communication scheme. The mechanism consists of control function, and reporting and/or enforcement function.Controller function is used to receive status information or admission requests from the reporting function. It is also used to trigger a certain behavior in the network element where the reporting and/or enforcement function resides. The reporting function is used to convey status information to the controller function that requires the information for executing local functions. The enforcement function can be contacted by the controller function to enforce a specific policy or trigger a local action. Typical use cases related to reporting function for ANCP in WLAN environment include the following: ANCP Based WLAN Topology Discovery ANCP Based WLAN roaming status reporting Typical use cases related to control function and/or enforcement function for ANCP in WLAN environment include the following: ANCP based WLAN Configuration. ANCP based WLAN Remote Connectivity Testing Capability. ANCP based use cases in WLAN environment will be described in detail in the section that follow.Some use case is similar as the situation in DSL access,others are paticular for WLAN access.

In order to convey user related policies to correct Access Node, NAS need to gain knowledge about the topology of the access network and the attributes of the link.Through the procedure of WLAN Topology Discovery,Access Node communicate access network topology information and any corresponding updates to the NAS. For WLAN,when WTP start to run,AC(Access controller) will create a logical port for each radio on WTP.Since AC has known the topology of WTPs,NAS can just convey user related policies to AC,and AC will relay the information to corresponding WTP.So NAS does not bother to know all the WTPs,and just know the identification of AC and the vlan scope of users who come from the AC.Each logical port on AC can belong to different vlan or the same vlan.So the creation and deletion of each logical port may lead to upate vlan information to NAS.

Wireless user is movable.In WLAN,a station can roam from a WTP to another WTP,or from a AC to another AC. Ideally,it is not necessary for the roamer to reauthenticate.However,the IP address is usually changed due to the variation of vlan.Given the authentication method is portal(which is the most convenient authenticate method for user since it is authenticated through web interface),the change of IP address will cause reauthentication at NAS.In WLAN,AC has the ability to understand the roaming status of the roamer.So if AC report the user's roaming status to NAS through ANCP mechanism,the reauthentication at NAS can be avoided. The roaming status reporting message contains AC identification,user's original IP address and new IP address. When the NAS receive the message,it update the user related entry to permit the user with new IP address pass directely, and relay the variation infomation to AAA server to ensure user's correct accouting and record.

The ANCP mechanism make it possible to perform Qos action on the granularity of each user at wireless access edge. It is good to improve the utility of wireless radio resource by limiting the low priority user's flow and ensure the high priority user's flow as early as possible. After the wireless subscriber authenticated at NAS,NAS convey the QOS profile information to wireless Access Node, i.e. Access Controller. Then the Qos policy can be enforced at AC and WTP.

Many wireless user need air protection due to security. With the definition of 802.11i(or WPA/WPA2), the air key material is negotiated in the procedure of 802.1x authentication between user and AAA server through NAS.So the intermediate key,i.e pairwise master key (PMK),is held by NAS.However,AC need to establish the final air key with the user based on PMK. Therefore,NAS must transfer the intermediate key to AC based on the ANCP mechanism. After the WLAN subscriber authenticated at NAS,and NAS get the PMK from AAA server,the PMK is transfered from NAS to corresponding AC in addition to user related identification information.Based on the receive PMK,AC then negotiate with the corresponding user to get the final air key.

Given the authentication method is portal,there are often many users who associated to WLAN without executing autentication on NAS. These users occupies IP resources and WLAN resources.However,strictly speaking,they are not legal.In order to leverage these user's influence,it is good for AC to be notified the authentication result of each subscriber by NAS.Then,AC can selectively refuse to associate illegal users,include those who do not authicate,who are failed to authenticate,and who are put into blacklist. After the WLAN subscriber authenticated at NAS,and NAS notify the result to AC.Based on the information,AC actively kick out those illegal user for a certain period of time.

A simple solution based on ANCP can provide the NAS with an access line test capability and to some extent fault isolation. Controlled by a local management interface the NAS can use an ANCP operation to trigger the Access Node to perform a loopback test on the local loop. The Access Node can respond via another ANCP operation with the result of the triggered loopback test. In the case of WLAN based local loop, the ANCP operation can trigger the AC to generate RF(radio frequency) ping to check the link status of specific user.

CAPWAP is an internal protocol in WLAN.CAPWAP help to extend WLAN in a large scale and lower operating expenses.The intent of the CAPWAP protocol is to facilitate control, management and provisioning of WLAN Termination Points (WTPs) specifying the services, functions and resources relating to 802.11 WLAN Termination Points in order to allow for interoperable implementations of WTPs and ACs. With CAPWAP,the subscriber related requirements which is described above can't be resolved. The focus of ANCP is on the communication between AN and NAS.With ANCP,subscriber-related service can be carried out effectively by delivering user-related information to access edge. Certainly,with the presence of CAPWAP,NAS does not bother to know WTP topology in detail and only need to know AC as Access Node.CAPWAP leverage the workload of NAS to implement ANCP mechanism by shielding WLAN internal structure.

[ANCP-SECURITY] lists the ANCP related security threats that could be encountered on the Access Node and the NAS. It develops a threat model for ANCP security, and lists the security functions that are required at the ANCP level.

To be determined.

Thanks to Tina Tsou for helpful comments on this document. The authors also thank their friends and coworkers Jianfeng Liu,Tao Zheng,Min Yao,Haitao Zhang and Xiaolan Wan.