Building secure, privacy aware,

quality Wi-Fi coverage via cooperation

Karri Huhtanen Arch Red Oy &

Open System Consultants Pty Ltd 22.9.2015

quality and the traditional way of building coverage

Photo by Karl-Ludwig G. Poggemann

In the beginning...

already a lot of separate, overlapping Wi-Fi

networks interfering with each other

Map by OpenStreetMap

already a lot of separate, overlapping Wi-Fi

networks interfering with each other

+ one more, the new

common Wi-Fi network

Then...

Map by OpenStreetMap

So this is bad, because...• more overlapping Wi-Fi networks => more radio

interference => all Wi-Fi network users suffer

• providing additional coverage, capacity and bandwidth always generates costs to someone

• maintaining, upgrading and repairing additional network always generates costs to someone

• often the additional coverage is also provided outdoors and from outside => which means excellent Wi-Fi coverage for magpies during Finnish winters

Photo by Andrew King

What to do?

Photo by Sean Hobson

Try cooperation...

Photo by Sean Hobson

Instead of this...

Map by OpenStreetMap

Let’s try this...

Map by OpenStreetMap

unification via

cooperation

We must be realistic...• Somebody has to cover the costs of providing coverage, capacity,

bandwidth and maintaining, upgrading and repairing network => Dividing work and costs makes sense => Let everyone handle and control their part of the network

• We need unified policies for network configuration, authentication, access filtering, IP addressing etc. => Let’s just choose open standard interfaces and policies, no specific vendors or service providers

• There will still be overlapping private networks, home networks etc. => interference cannot be removed but it can be reduced

• Coverage is not really needed everywhere, it is needed where the existing networks already are => with unified network settings around it is easier to access Internet in various places

So how can this be done?

Photo by Sean Hobson

two options

“Easy” “Proper”Scale by winnifredxoxo

“Easy”• use common but original Wi-Fi network name for all

cooperating networks, make the name neutral so that it is easier to adopt

• leave Wi-Fi network without authentication or encryption or specify common WPA2 pre-shared secret, share this secret to everyone

• have and enforce a common policy for Internet filtering and IP addressing everywhere

• wish for the best and believe in the goodness of the people

• that’s it: everyone controls and is responsible of their own part of network and partially what happens through it

Photo by Robby Van Moor

For few reasons “easy” option has not catched on

• People want to have unauthenticated, unencrypted and unfiltered networks to use, but very few want to provide such ones themselves.

• People still want to have curtains for privacy, doors for access control, pin codes for credit cards and mobile phones.

• People responsible of what happens in or through their networks are even more careful.

• “easy” networks are often filtered so heavily that instead of ‘open’ they often should be called ‘broken’.

• Access and capacity control, monitoring and network management are still needed, even in so called ‘open’ networks.

Photo by Thomas Guine

Photo by Robby Van Moor

“Proper”• use common but original Wi-Fi network name for all

cooperating networks, make the name neutral so that it is easier to adopt

• use WPA2 Enterprise encryption and authentication for everyone and every network, connect networks into coverage area by authentication federation

• have and enforce a common policy for Internet filtering, IP addressing and network configuration everywhere

• that’s it: everyone controls and is responsible of their own part of network and partially what happens through it, visitors leave trails that can be followed, device and visitor access can be controlled

But has this then catched on?• Short answer: Yes.

• eduroam(tm) (www.eduroam.org), the global authentication federation for universities and research organisations is the world’s 3rd most advertised Wi-Fi network and the roaming standard of academic world

• eduroam(tm) technologies and architecture have been applied in Wireless Tampere community network and its successor roam.fi, which is used already in Tampere and neighboring cities

• Belnet has started a pilot in Belgium about government roaming called govroam(tm) (www.govroam.be)

• The architecture is compatible with operator roaming and technologies such as SIM card or certificate authentication, elliptic curves etc. in addition to traditional username and password

What are the additional benefits?• A common Wi-Fi network with same network configuration

accessible everywhere securely with home organisation credentials but at the same time protecting the user privacy.

• Access to the network, used capacity and traffic can be controlled and prioritized. Trail of accountability exists.

• The core infrastructure and architecture is field tested, it has already been used and developed for over 10 years by operators, by eduroam etc.

• The core infrastructure can be extended and evolved as authentication and network technologies develop, in most times even without changes to the core.

• All technologies and interfaces used are open standards, defined mostly in IETF. There exists both open source and commercial options for components and services from several suppliers.

What now and in the future?

• All the components for building this kind of cooperative Wi-Fi authentication federation exists.

• Together with Centre of Open Systems and Solutions (COSS ry), already 2 operators and several cities and organisations, Wireless Tampere model is migrated and rebranded to roam.fi concept.

• roam.fi aims to be eduroam for any organisation, city, company or operator, not just academic organisations

• If interested, come and discuss with me or COSS about details.

Thank you. Questions?

Karri Huhtanen

https://www.twitter.com/khuhtanen

https://plus.google.com/+KarriHuhtanen/

these and more slides: http://www.slideshare.net/khuhtanen/

Additional Slidesfor technical and non-technical questions

Federated RADIUS RoamingFederation Top-Level

roam.fi RADIUS (proxy)

Home Organisationhomeorg.fi RADIUS

Visited Organisationvisitedorg.fi RADIUS

home organisation roam.fi Wi-Fi

network

visited organisation roam.fi Wi-Fi

network

RADIUS connections

Authentication in Home Network

Federation Top-Levelroam.fi RADIUS (proxy)

Home Organisationhomeorg.fi RADIUS

Visited Organisationvisitedorg.fi RADIUS

home organisation roam.fi Wi-Fi

network

visited organisation roam.fi Wi-Fi

network

secure authentication

directly to home RADIUS

username@homeorg.fi + password

Authentication in Visited Network

Federation Top-Levelroam.fi RADIUS (proxy)

Home Organisationhomeorg.fi RADIUS

Visited Organisationvisitedorg.fi RADIUS

home organisation roam.fi Wi-Fi

network

visited organisation roam.fi Wi-Fi

network

Authentication is tunnelled with TLS directly to home RADIUS.

Even Visited Organisation cannot see the actual credentials.

sameusername@homeorg.fi + password,

no change to network settings

WPA2 Enterprise Authentication

real identity+credentials can always be secure inside TLS

tunnel

Access Controller e.g. Wi-Fi

controller or access point

RADIUS authentication

service

RADIUS protocol + TLS tunnel

WPA2 Enterprise Authentication

outer identity needs only identify home organisation, otherwise anonymous identity allowed

Inside EAP message multiple methods of authentication and credentials can be used in parallel in same federated Wi-Fi networks.

Home organisation capabilities are the only limiting factor.

What about electromagnetic radiation, Wi-Fi and children?

• There is no scientific evidence or research results, which would prove that Wi-Fi is in anyway harmful.

• If additional discussion is needed, author strongly recommends discussion with for example Vesa Linja-aho, Lilja Tamminen, or scientists with actual degrees from relevant fields (physics, medicine, etc.)