HOT SPOT-2.0 A Blessing in Disguise for Wifi



Introduction


Recently I started reading about 802.11 WLAN technology. I encountered many features, but of them all HOTSPOT 2.0 is the most popular from a carrier wifi perspective. It will help mobile operators provide seamless wireless roaming and data offload, reducing the burden on overcrowded, high-density cellular networks.


I feel that even though almost 80% of the world's data traffic goes via wifi and it is widely used, research and new feature addition have been quite slow in the last decade compared to 3GPP-based technologies. However, wifi feature development has recently been fast-tracked after Google, Facebook, Ruckus and many similar internet companies showed some interest in this old-man technology. HOTSPOT 2.0 is one of the features that has made it possible for Wifi to converge with the most popular technologies like 2G/3G/4G, which are typically used by major mobile operators in the world.

History Behind HOTSPOT

Normally when we think about HOTSPOT, we think of our smartphone hotspot and sharing our mobile data connection with friends and family. Here, however, we are discussing the mobile carrier HOTSPOT, which is quite different. It was first started by T-Mobile, primarily as a public access WLAN technology; T-Mobile coined the term HOTSPOT as part of its commercial branding to make it more popular in the North American market.

Limitation of old HOTSPOT

Once a device connects to one SSID, it stays with the same SSID until we disconnect it manually or go out of range. There is no automatic network selection or roaming between visited-network HOTSPOTs, or between two neighboring HS-enabled APs or any devices. Compare this with a mobile network connection: wherever you go, your device latches on to the home or roaming network automatically, without any manual network selection (provided, of course, that automatic network selection is enabled). One more limitation is security and authentication.


These two primary reasons forced wifi developers to look for something similar to mobile network selection and roaming agreements: when a device is switched on, it connects to any network in the world without any manual intervention. HOTSPOT 2.0 is moving in that direction, to give the same look and feel as mobile network connection features like network selection, roaming, service differentiation based on operator policy, pre-paid billing mediation and security (e.g. EPS-AKA), and hopefully many more features will come in future releases.

HOTSPOT 2.0

It is a blessing in disguise for Wifi, helping it survive in the 21st century by converging with mobile network technology. To make this possible, many popular carrier wifi solutions with HOTSPOT 2.0 are provided by well-known vendors like Cisco, Aruba and Ruckus, and recently Nokia also jumped into this race to provide low-cost solutions to mobile operators and enterprise customers. Because of the vast number of features in HOTSPOT 2.0, the Wifi Alliance, a specification and certification body, divided HS 2.0 into 2 releases.

Here I would also like to clear up one more doubt, about Passpoint: it is nothing but a certification given by the Wifi Alliance to all HOTSPOT 2.0 enabled devices, based on certain conditions it lays down. It is similar to AP certification by the Wifi Alliance and to mobile certifications like GCF/PTCRB, and exists to avoid interoperability issues between different network and OEM vendors. HOTSPOT 2.0 is a feature specification guide, and 802.11u is the radio physical and MAC layer specification by the IEEE.



Courtesy Nokia



HS 2.0 is divided into 2 releases,

Hotspot Release-1 covers Network Selection/Discovery and Security/Authentication. 

Hotspot Release-2 covers Operator policy and Online Signup 




Network Selection/Discovery

This is one of the vital features for interworking with mobile technologies and for providing enhanced network selection and roaming service to HS 2.0 enabled clients/UEs.



In LTE networks, UEs get network resources via the RACH procedure and network-supported information via system information blocks or during RRC procedures. Wifi radio resource management is quite straightforward by comparison: clients/STAs get network information (or HS capabilities) either by passive scanning of Beacons or by sending a probe request, to which the AP responds with a probe response carrying the HS capabilities.


HS 2.0 Capabilities

Before discussing network selection/discovery, we will look at the new IEs that enable HS 2.0 capabilities in APs and STAs. They are included in Beacon and Probe Response frames as per the Wifi Alliance technical specifications for HS 2.0.

AP Side Supported IEs

The following additional IEs are included as part of HS 2.0 REL-1 and 802.11u.

Hotspot 2.0 Indication Element

When an AP supports Hotspot 2.0 capability and the hotspot security is WPA2-Enterprise, the hotspot’s APs shall include a Hotspot 2.0 Indication element in beacon and probe response frames. The hotspot’s AP shall not include the Hotspot 2.0 Indication element if the security is not WPA2-Enterprise.

Indication Element
HS configuration element will have DGAF.
DGAF (Downstream Group-Addressed Forwarding)

This bit is always disabled if no multicast/broadcast service is in use. This will cause the “Hole 196” security attack due to a common GTK used by all the STAs for encryption. I will discuss it in detail in a separate article.

Hotspot 2.0 ANQP Elements

ANQP- Access Network Query Protocol

It is a query protocol for finding information about the network and its capabilities that is not broadcast or advertised in Beacons. It is an advertisement protocol based on 802.11u and is used by the client to get the capabilities the network supports.

Prior to 802.11u, there was no way to ask the network for its capabilities; all network discovery and selection was based on the basic information in beacons and probe responses. When the interworking-with-external-networks clause was introduced in 802.11u, ANQP started using GAS frames to query the network for additional supported capabilities that are not advertised in beacons or probe responses.

GAS(Generic Access Service) frame

802.11 has a specific frame that lets a device invoke a specific action on the network while it is unauthenticated or unassociated. This frame is known as the Public Access Frame, and GAS frames are a subtype of it. They enable STAs to query the network; the query goes beyond the APs into the wired network and fetches advanced network discovery capabilities from the wifi/3GPP core network, which helps in providing roaming-specific and many other services to STAs/UEs.



The Hotspot (HS) 2.0 ANQP elements provide additional functionality to the 802.11u ANQP elements, supporting HS 2.0 features. These elements are formatted as defined by the ANQP vendor-specific list element, with the following fields.



The Info ID field is a 2-octet field whose value is the value for the ANQP vendor-specific list, i.e. 56797.

The Length field is a 2-octet field whose value is set to 6 plus the length of the Payload field.

The OI is a 3-octet field. The OI field is set to the value used by the WFA. Each OI identifies a roaming consortium (group of SSPs with inter-SSP roaming agreement) or a single SSP.

The Type field is a 1-octet field allocated from the WFA TIA number space to indicate a HS 2.0 ANQP element type (value 0x11).


The Subtype field is a 1-octet field whose value identifies the HS 2.0 ANQP element. Values for the Subtype field are defined in below table.

The Reserved field is a 1-octet field to ensure that the header of the ANQP element is word aligned.
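
The header layout above, as an added example that is not part of the original post: a builder and a bounds-checked parser for HS 2.0 ANQP elements. The little-endian byte order, the WFA OI value 50-6F-9A and the subtype numbers are assumptions taken from the published specifications, not from this page; the sample bytes are constructed.

```python
import struct

ANQP_VENDOR_SPECIFIC = 56797        # Info ID from the text (0xDDDD)
WFA_OI = bytes.fromhex("506f9a")    # Wi-Fi Alliance OI (known value, not on the page)
HS20_ANQP_TYPE = 0x11               # Type value from the text
# Subtype numbers are an assumption from the HS 2.0 specification.
SUBTYPES = {1: "HS Query List", 2: "HS Capability List",
            3: "Operator Friendly Name", 4: "WAN Metrics",
            5: "Connection Capability", 6: "NAI Home Realm Query",
            7: "Operating Class Indication"}
HEADER = struct.Struct("<HH3sBBB")  # Info ID, Length, OI, Type, Subtype, Reserved

def build_hs20_element(subtype, payload=b""):
    """Serialise one element; Length = 6 + len(payload), as the text states."""
    return HEADER.pack(ANQP_VENDOR_SPECIFIC, 6 + len(payload), WFA_OI,
                       HS20_ANQP_TYPE, subtype, 0) + payload

def parse_hs20_elements(buf):
    """Walk an ANQP response body and return (subtype name, payload) pairs.

    ANQP runs before association, so every length is treated as untrusted
    and checked against the bytes actually received.
    """
    out, off = [], 0
    while off < len(buf):
        if len(buf) - off < 4:
            raise ValueError("truncated Info ID/Length at offset %d" % off)
        info_id, length = struct.unpack_from("<HH", buf, off)
        body = buf[off + 4: off + 4 + length]
        if len(body) != length:
            raise ValueError("Length %d overruns buffer at offset %d" % (length, off))
        off += 4 + length
        if info_id != ANQP_VENDOR_SPECIFIC:
            continue                 # plain 802.11u ANQP element: skip it
        if length < 6:
            raise ValueError("vendor-specific element shorter than its header")
        oi, etype, subtype, _reserved = struct.unpack_from("<3sBBB", body, 0)
        if oi != WFA_OI or etype != HS20_ANQP_TYPE:
            continue                 # another vendor's element
        out.append((SUBTYPES.get(subtype, "unknown(%d)" % subtype), body[6:]))
    return out

# Constructed sample response: one non-vendor element (Info ID 258, filler
# body), an HS Capability List and an element with an unassigned subtype.
SAMPLE = (struct.pack("<HH", 258, 2) + b"\x00\x00"
          + build_hs20_element(2, bytes([1, 2, 3, 6]))
          + build_hs20_element(200, b"x"))
```
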



SubType Fields
HS Query List

The HS Query list provides a list of identifiers of HS 2.0 ANQP elements for which the requesting mobile device is querying in a HS ANQP Query. The HS Query list element is included in a GAS Query Request. The HS Query List must be used in a GAS Query Request to request HS2.0 Wi-Fi ANQP elements. Both the ANQP Query List and the HS2.0 Query List can be included in a single GAS Query Request.


HS Capability list

The HS Capability list provides a list of information/capabilities that has been configured on an AP. Support for this HS ANQP element is mandatory, but its use is optional.



Operator Friendly Name element

The Operator Friendly Name element provides zero or more operator names operating in the IEEE 802.11 AN.

WAN Metrics element

The WAN Metrics element provides information about the WAN link connecting an IEEE 802.11 AN and the Internet. Transmission characteristics such as the speed of the WAN connection to the Internet are included.

Connection Capability element 

The Connection Capability element provides information on the connection status within the hotspot of the most commonly used communications protocols and ports. For example, a firewall upstream to the access network may allow communication on certain IP protocols and ports, while blocking communication on others.


NAI Home Realm Query

The NAI Home Realm Query is used by a requesting mobile device to determine if the network access identifier (NAI) realms for which it has security credentials are realms corresponding to SPs or other entities whose networks or services are accessible via this BSS. The requesting mobile device includes in an NAI Home Realm Query only the NAI Home Realm Name(s) for which it has credentials.

In response to the NAI Home Realm Query, a responding AP returns a NAI Realm List. The NAI Realm List includes only realms exactly matching realms contained in the NAI Home Realm Query.


Operating Class Indication element

The Operating Class Indication element provides information on the groups of channels in the frequency band(s) the Wi-Fi access network is using. This element reports the operating classes of APs in the same ESS as the AP transmitting this element. A mobile device supporting more than one frequency band (e.g. 2.4GHz and 5GHz) may use this element for BSS selection purposes.

Below is a basic list of requirements to enable HS support on APs and STAs.

Required Capabilities for Access Point to Support HS 2.0

1. WPA2-Enterprise; when an AP indicates support for Hotspot 2.0, TKIP and WEP shall not be used.
2. All the EAP methods like TLS, SIM, AKA and TTLS with MSCHAPv2.
3. The Interworking information element including Venue Info and HESSID; support for this element mandates support for GAS.
4. The Roaming Consortium information element.
5. Setting the Interworking bit in the Extended Capabilities information element.
6. The BSS Load element. Note: this element contains information on the current mobile device population and channel utilization in the BSS.
7. The following ANQP elements supported.
   o Venue Name information
   o Network Authentication Type information
   o Roaming Consortium list
   o IP Address Type Availability Information
   o NAI Realm list
   o 3GPP Cellular Network information
   o Domain Name list
   o HS Query list
   o HS Capability list
   o Operator Friendly Name
   o WAN Metrics
   o Connection Capability
   o NAI Home Realm Query
   o Operating Class Indication

Required Capabilities for Mobile Devices to support HS 2.0

1. WPA2-Enterprise; when an AP indicates support for Hotspot 2.0, TKIP and WEP shall not be used.
2. All the EAP methods like TLS, SIM, AKA and TTLS with MSCHAPv2.
3. The Interworking information element including Venue Info and HESSID.
4. The Roaming Consortium information element.
5. Setting the Interworking bit in the Extended Capabilities information element.
6. The BSS Load element. Note: this element contains information on the current mobile device population and channel utilization in the BSS.
7. The following ANQP elements supported.
   o Network Authentication Type information
   o Roaming Consortium list
   o NAI Realm list
   o 3GPP Cellular Network information (only required for mobile devices having SIM credentials)
   o Domain Name list
   o HS Query list
   o HS Capability list
   o Operator Friendly Name
   o WAN Metrics
   o Connection Capability
   o Venue Name information
   o IP Address Type Availability Information
   o NAI Home Realm Query
   o Operating Class Indication







AP-HOTSPOT 2.0 Logs


Log Snippet


Security aspect in HS 2.0 Rel 1

Security is one of the main reasons why wifi is not very popular in carrier network deployments. After wide consultation with different stakeholders like mobile operators, ISPs and device manufacturers, the Wifi Alliance has come up in HS Rel-1 with an enhanced security procedure that is almost similar to 3GPP AKA and AES; in other words, it is a combination of security and authentication procedures based on WLAN and 3GPP.


Authentication

Hotspot Rel-2 supports only WPA2-Enterprise grade security, with a mutual authentication technique that is based on 802.1X and requires a RADIUS server to accomplish the authentication. In 802.1X mutual authentication, the following EAP (Extensible Authentication Protocol framework) methods are supported as per the below table.

Please remember it is a similar type of mutual authentication to the one followed in LTE, known as EPS AKA, where the UE and the MME/HSS authenticate each other by using EPS-AKA. Here a four-way handshake mechanism is followed between the STA and the AAA server to accomplish the authentication procedure.



Strong Encryption

The Advanced Encryption Standard (AES) encryption is used over the wireless interface between a mobile device and the Passpoint AP. AES is one of the most advanced standards-based encryption algorithms available in the industry. The AES encryption keys (the Pairwise Transient Key [PTK] and the Group Temporal Key [GTK]) are derived from the unique Pairwise Master Keys (PMKs) generated as part of the IEEE 802.1X authentication process. We will discuss encryption key generation in detail in a separate article.

The strong encryption used between a mobile device and the Passpoint AP makes it extremely difficult for an attacker to compute the keys needed to eavesdrop on the traffic exchanged between the devices. The integrity protection afforded by the AES encryption mechanism makes it computationally impractical for an attacker to perform a man-in-the-middle attack.

Passpoint APs and mobile devices that are certified for WPA2 with Protected Management Frames (PMF) mitigate eavesdropping and DoS vulnerabilities. PMF does not protect pre-association ANQP frames.

Hot Spot 2.0 Deployment Model


With the convergence of different wireless and wired technologies, multiple deployment models are now adopted to implement Hot Spot in cellular and SP networks. For simplicity, I have explained only the home network deployment models below; roaming can be implemented in a similar way.

Hot Spot Deployment in cellular Network

Here cellular operator means a mobile operator that provides SIM cards to access the mobile or wifi networks, like Airtel, Vodafone etc.




Network discovery and authentication includes the following steps.

1.  Device detects Hotspot 2.0 indication in access point (AP) beacon frame (Extended Capabilities-Interworking Supported).

2.     Device will send GAS queries to ANQP server for 3GPP cellular network information and roaming consortium organizational identifiers (OIs).

3.  Device matches the information and OIs received against its list of credentials and preferred networks.

4.  Device automatically associates with Passpoint AP.

5.  Device performs IEEE 802.1X authentication to the home AAA server using EAP-SIM or EAP-AKA.

6.   Home AAA server communicates with home location register (HLR) using the Mobile Application Part (MAP) protocol.

MAP is an intelligent network protocol used as part of the SS7 network.

Hot Spot Deployment in Service Provider Network

Here service provider means an internet service provider that does not provide any SIM card to access the wifi network, like Comcast, Boingo Wireless, ACT etc.




Network discovery and authentication includes the following sequence of steps.
1.  Device detects Hotspot 2.0 indication in AP beacon frame.

2.   Device queries ANQP server for network access identifier (NAI) realm list and roaming consortium OIs.

3.   Device matches the realms and OIs received against its list of credentials and preferred networks.

4.  Device automatically associates with Passpoint AP.

5.  Device performs IEEE 802.1X authentication to the Home AAA server using EAP-TLS or EAP-Tunneled TLS (EAP-TTLS) with MS-CHAPv2. 
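
The discovery and selection steps of both deployment models (cellular and service provider), as an added example that is not part of the original post: a device-side matcher that applies the Rel-1 security rule and then matches ANQP answers against stored credentials. The class names, the use of a PLMN code for the 3GPP information, case-insensitive realm comparison and all sample values are assumptions made for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Credential:                  # hypothetical on-device profile
    name: str
    eap: str                       # EAP-SIM / EAP-AKA / EAP-TLS / EAP-TTLS
    realm: str = ""                # NAI realm, compared case-insensitively (assumption)
    plmn: str = ""                 # MCC+MNC for SIM credentials (assumption)
    ois: frozenset = frozenset()   # roaming consortium OIs this profile accepts

@dataclass(frozen=True)
class ScanResult:                  # beacon fields plus ANQP answers for one AP
    ssid: str
    hs20: bool                     # Hotspot 2.0 Indication element seen
    akm: str                       # "WPA2-Enterprise", "WPA2-PSK", "Open"
    cipher: str                    # "CCMP", "TKIP", "WEP", "none"
    realms: frozenset = frozenset()
    plmns: frozenset = frozenset()
    ois: frozenset = frozenset()

def match(ap, cred):
    """Steps 2-3: return '3gpp', 'realm' or 'roaming-oi' if cred fits ap, else None."""
    if cred.plmn and cred.plmn in ap.plmns:
        return "3gpp"
    if cred.realm and cred.realm.lower() in {r.lower() for r in ap.realms}:
        return "realm"
    if cred.ois & ap.ois:
        return "roaming-oi"
    return None

def select(scan, creds):
    """Return (ssid, credential, EAP method, reason) for each AP worth joining."""
    plan = []
    for ap in scan:
        # Step 1 plus the Rel-1 rule: WPA2-Enterprise only, never TKIP or WEP.
        if not ap.hs20 or ap.akm != "WPA2-Enterprise" or ap.cipher in ("TKIP", "WEP"):
            continue
        for cred in creds:         # list order stands in for network preference
            why = match(ap, cred)
            if why:
                # Steps 4-5: ANQP is unauthenticated; 802.1X to the home AAA decides.
                plan.append((ap.ssid, cred.name, cred.eap, why))
                break
    return plan

# Constructed sample data, not captured from a real network.
E, C = "WPA2-Enterprise", "CCMP"
CREDS = [Credential("operator-sim", "EAP-AKA", plmn="00101"),
         Credential("isp-cert", "EAP-TLS", realm="wifi.example.net", ois=frozenset({"aabbcc"}))]
SCAN = [ScanResult("cafe", True, "Open", "none", ois=frozenset({"aabbcc"})),
        ScanResult("airport", True, E, C, plmns=frozenset({"00101"})),
        ScanResult("hotel", True, E, C, realms=frozenset({"WiFi.Example.net"})),
        ScanResult("legacy", True, E, "TKIP", realms=frozenset({"wifi.example.net"})),
        ScanResult("partner", True, E, C, ois=frozenset({"aabbcc"}))]
```

The "cafe" and "legacy" entries match a credential but are dropped by the security filter, which is the behaviour the WPA2-Enterprise requirement calls for.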

Conclusion

Until now the journey of Wifi has been incredible, connecting billions of unconnected people in the world and keeping the cost per bit as low as possible. Hotspot 2.0 will be an enabler for mobile operators to further bring down network cost and the load on the spectrum-crunched licensed mobile network, and to deliver faster broadband, shorter time to market and enhanced roaming between mobile operators and wifi service providers like hotels, public transport, hospitals etc. The benefits for users will be better connection management and a superior network in terms of Quality of Service and Quality of Experience, like in a mobile network.

Coming Soon HS 2.0 Rel 2 !!! Till then keep reading and Happy learning!!!




Comments

  1. The information you have posted is very useful. The sites you have referred to were good. Thanks for sharing.. internet Service provider (http://www.etisalcom.com)

  2. Thanks @Andrew Hymon for your comment, please share with larger audience.
