ANCP                                                           X. Chang
Internet-Draft                                                   Y. Shi
Intended status: Informational             Hangzhou H3C Tech. Co., Ltd.
Expires: June 19, 2012                                        T. Taylor
                                          Huawei Technologies Co., Ltd.
                                                      December 17, 2011


      Applicability of Access Node Control Mechanism to WLAN based
                           Broadband Networks
                        draft-xq-ancp-wlan-00.txt

Abstract

   The purpose of this document is to describe the applicability of the
   Access Node Control Mechanism, as described in [ANCP-FRAMEWORK], to
   WLAN based broadband access.  The need for an Access Node Control
   Mechanism between a Network Access Server (NAS) and a WLAN Access
   Node is described, and the extensions of the Access Node Control
   Mechanism needed for WLAN are identified.

Status of this Memo

   This Internet-Draft is submitted in full conformance with the
   provisions of BCP 78 and BCP 79.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF).  Note that other groups may also distribute
   working documents as Internet-Drafts.  The list of current Internet-
   Drafts is at http://datatracker.ietf.org/drafts/current/.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   This Internet-Draft will expire on June 19, 2012.

Copyright Notice

   Copyright (c) 2011 IETF Trust and the persons identified as the
   document authors.  All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents
   (http://trustee.ietf.org/license-info) in effect on the date of
   publication of this document.  Please review these documents
   carefully, as they describe your rights and restrictions with respect
   to this document.  Code Components extracted from this document must
   include Simplified BSD License text as described in Section 4.e of
   the Trust Legal Provisions and are provided without warranty as
   described in the Simplified BSD License.

Chang, et al.             Expires June 19, 2012                 [Page 1]

Internet-Draft                 ANCP to WLAN                December 2011

Table of Contents

   1.  Conventions
   2.  Introduction
   3.  Terminology
   4.  Problem Statement
   5.  Reference Architecture for WLAN Access Network
   6.  Motivation for explicit extension of ANCP to WLAN
   7.  Concept of Access Node Control Mechanism for WLAN based access
   8.  ANCP Based WLAN Topology Discovery
   9.  ANCP Based WLAN roaming status reporting
   10. ANCP based WLAN Configuration
       10.1. QoS policy Configuration
       10.2. Key transfer
       10.3. Notification of subscriber's authentication result
   11. ANCP based WLAN Remote Connectivity Testing Capability
   12. ANCP versus CAPWAP between the AC and WTP
   13. Security Considerations
   14. IANA Considerations
   15. Acknowledgements
   16. References
       16.1. Normative References
       16.2. Informative References
   Authors' Addresses

1.  Conventions

   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
   "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
   document are to be interpreted as described in RFC 2119 [RFC2119].

2.  Introduction

   With the fast popularization of WLAN terminals, WLANs are being
   deployed widely across carrier networks to provide hotspot access
   service.  WLAN access networks are an important means for carriers
   to offload data traffic from their 2G/3G mobile networks.

   [ANCP-FRAMEWORK] provides the framework and requirements for
   coordinated admission control between a NAS and an AN, with a
   special focus on DSL deployments.  This document proposes the
   extension of that framework and the related requirements to WLAN.

3.  Terminology

   o  Wireless Local Area Network (WLAN): WLAN technologies include the
      approved IEEE 802.11a, b, g and n specifications.  WLAN is a
      high-speed local wireless technology that enjoys broad
      deployment, most notably in hotspots around the world, including
      homes and offices, and increasingly cafes, hostels, and airports.
      WLAN is also known as Wi-Fi (short for wireless fidelity).

   o  Wireless Termination Point (WTP): The physical or network entity
      that contains an RF antenna and wireless physical layer (PHY) to
      transmit and receive station traffic for wireless access
      networks.  For WLAN, a WTP is also known as an Access Point (AP).

   o  Access Controller (AC): The network entity that provides WTP
      access to the network infrastructure in the data plane, control
      plane, management plane, or a combination thereof.

   o  Control And Provisioning of Wireless Access Points (CAPWAP): A
      generic protocol defining AC and WTP control and data plane
      communication.

   o  Station (STA): A device that contains an interface to a wireless
      medium (WM).  It is a subscriber device.

   o  Autonomous Wireless Local Area Network (WLAN) Architecture: The
      traditional autonomous WLAN architecture, in which each WTP is a
      single physical device that implements all the wireless services.
   o  Centralized WLAN Architecture: A hierarchical architecture
      utilizing one or more centralized controllers for managing a
      large number of WTP devices.  The full set of wireless functions
      is implemented across multiple physical network devices, namely
      the WTPs and the ACs.

   o  Access Node (AN): Network device, usually located at a service
      provider central office or street cabinet, that terminates access
      (local) loop connections from subscribers.  In case the access
      loop is a Digital Subscriber Line (DSL), the Access Node provides
      DSL signal termination and is referred to as a DSL Access
      Multiplexer (DSLAM).  In the case of WLAN, it is referred to as
      an AC.

   o  Network Access Server (NAS): Network element which aggregates
      subscriber traffic from a number of ANs or ANXs.  The NAS is
      often an injection point for policy management, authentication
      and IP QoS in the access network.  It is also referred to as
      Broadband Network Gateway (BNG) or Broadband Remote Access Server
      (BRAS).

4.  Problem Statement

   When wired carriers extend their networks with wireless access
   technologies, they prefer to reuse the NAS architecture.  For wired
   carriers, NAS and AC usually coexist in the operator's WLAN access
   network.  Since a professional NAS is often already deployed in the
   fixed network, they prefer to reuse the NAS as the authentication
   device for the WLAN access network, to reduce cost and avoid changes
   to the network.  The NAS controls the subscriber's access to the
   network with AAA, and the AC manages the WTPs and controls the
   user's association to the WLAN.  The focus throughout this document
   is on this kind of application scenario.  Given the separation of
   NAS and AC, the AC takes the role of the wireless AN.
   Just like a wired broadband access network, WLAN provides triple-play
   services over IP to meet the increasing demand for broadband data
   service.  In order to carry out QoS policy more effectively and
   improve the utilization of network resources, cooperation between
   the NAS and the wireless AN is also needed.

   Furthermore, beyond what it has in common with wired access
   technology, WLAN has special characteristics, for example the open
   medium of radio access and station roaming.  WLAN therefore poses
   new requirements to enhance the exchange of information between NAS
   and AN.  Some related use cases include:

   o  In order to ensure the security of data transport over the air, a
      different encryption key is needed for each user.  However, the
      intermediate key material is held by the NAS for every
      subscriber.  So the NAS needs to deliver the material to the
      wireless AN dynamically, to generate the final encryption key
      used over the air.

   o  To improve the utilization of precious wireless spectrum, the AN
      needs to get more status information about each user from the
      NAS.

   o  To make the user's roaming experience better, the AN and the NAS
      need more cooperation.

   This shows that tighter coordination between the NAS and the
   wireless AN is necessary.  Fortunately, ANCP is intended to provide
   a general communication mechanism between NAS and AN, and ANCP
   supports being extended on demand.  So, given the new WLAN
   requirements, ANCP needs to be extended for WLAN.

5.  Reference Architecture for WLAN Access Network

   RFC 5851 [RFC5851] provides a detailed definition of the functions
   of each network element in the general broadband reference
   architecture.  Figure 1 shows an end-to-end broadband network with
   WLAN access.

   There are two WLAN architecture models.  One is the Centralized WLAN
   Architecture (or Fit Architecture), the other is the Autonomous WLAN
   Architecture (or Fat Architecture).
   The need to deploy WLAN more broadly and cost-effectively has led to
   the popularity of the centralized WLAN architecture.  The Access
   Node terminates the WLAN access.  It is referred to as the AC in the
   Centralized WLAN Architecture, and as the WTP in the Autonomous WLAN
   Architecture.  Given the industry's trend toward the centralized
   WLAN architecture, the primary focus throughout this document is on
   the centralized WLAN architecture.

   RFC 5851 [RFC5851] defines the core of what distinguishes a NAS from
   a typical routing system as per-user authentication, accounting and
   policies.

                              Access                    Customer
                    <---    Aggregation   --->          Premises
                              Network                   Network
                   +---------------------+   +---------------------+
     +-----------+ | +---+  +----------+ |   | +---+   +---------+ |
     |           +-|-|NAS|--|  Access  |-|---|-|WTP|---| Station | |
     | Regional  | | +---+  |Controller| |   | +---+   +---------+ |
     | Broadband | |        +----------+ |   +---------------------+
     | Network   | |                     |
     |           | | +---+               |   +---------------------+
     |           +-|-|NAS|---------------|---|-|WTP|---| Station | |
     +-----------+ | +---+               |   | +---+   +---------+ |
                   +---------------------+   +---------------------+

     NAS: Network Access Server
     WTP: Wireless Termination Point

              Figure 1: WLAN Broadband Aggregation Topology

6.  Motivation for explicit extension of ANCP to WLAN

   Compared with wired broadband access technologies, there are several
   differences that need to be considered:

   o  WLAN access protection

      Strong over-the-air data protection is addressed in WLAN.  For
      example, 802.11i greatly increases the level of over-the-air data
      protection and access control on Wi-Fi networks.  The NAS will
      inevitably help to negotiate the key material used for air
      protection, and it should deliver the intermediate key material
      (called the PMK in Wi-Fi) to the WLAN AN.

   o  Specific identification for WLAN subscriber

      For DSL access technology, a PVC represents a subscriber.  But
      for WLAN access technology, many subscribers can access via the
      same radio.
      This means that many subscribers may use the same VLAN.  So when
      subscriber information is exchanged, the subscriber's specific
      identifying information needs to be clarified.

   o  Radio Resource Control

      Radio spectrum is a precious and limited resource.  The
      communication between the WLAN AN and the NAS makes it possible
      to control radio resources more efficiently among different
      wireless subscribers.  For example, according to certain rules,
      the WLAN AN can kick off inactive subscribers.

   o  Roaming

      A wireless user can roam from one Access Node to another.  The
      change of the subscriber's location needs to be tracked, and
      re-authentication of the subscriber needs to be avoided to
      improve the quality of experience.  However, subscriber
      re-authentication often occurs.  For example, in a WLAN network
      where the NAS authentication method is Portal, when a subscriber
      moves from one AN to another, the subscriber's IP address usually
      changes, and the subscriber has to re-authenticate at the NAS
      even though the latter AN understands the subscriber's roaming
      status.  If the latter AN reports the roaming information to the
      NAS, the re-authentication can be avoided and the subscriber's
      roaming experience will be improved.

   Based on reusing the general framework and protocol of ANCP, typical
   elements which need to be defined for ANCP in the WLAN environment
   include the following:

   o  A new WLAN capability needs to be defined for establishment of
      the adjacency relationship.

   o  A new WLAN subscriber identification needs to be defined.

   o  A new message type or TLV needs to be defined for delivering
      over-the-air key material from the NAS to the WLAN AN.

   o  A new message type or TLV needs to be defined for identifying
      invalid or unauthenticated users to the AN, for better radio
      resource control.

   o  A new message type or TLV needs to be defined for the AN to
      update the NAS with roaming user information, for a better
      roaming experience.

7.  Concept of Access Node Control Mechanism for WLAN based access

   The Access Node Control Mechanism defines a quasi real-time,
   general-purpose method for multiple network scenarios with an
   extensible communication scheme.  The mechanism consists of a
   control function, and a reporting and/or enforcement function.  The
   control function is used to receive status information or admission
   requests from the reporting function.  It is also used to trigger a
   certain behavior in the network element where the reporting and/or
   enforcement function resides.  The reporting function is used to
   convey status information to the control function, which requires
   the information for executing local functions.  The enforcement
   function can be contacted by the control function to enforce a
   specific policy or trigger a local action.

   Typical use cases related to the reporting function for ANCP in the
   WLAN environment include the following:

   o  ANCP Based WLAN Topology Discovery

   o  ANCP Based WLAN roaming status reporting

   Typical use cases related to the control function and/or enforcement
   function for ANCP in the WLAN environment include the following:

   o  ANCP based WLAN Configuration

   o  ANCP based WLAN Remote Connectivity Testing Capability

   The ANCP based use cases in the WLAN environment are described in
   detail in the sections that follow.  Some use cases are similar to
   the situation in DSL access; others are particular to WLAN access.

8.  ANCP Based WLAN Topology Discovery

   In order to convey user related policies to the correct Access Node,
   the NAS needs to gain knowledge about the topology of the access
   network and the attributes of the link.  Through the procedure of
   WLAN Topology Discovery, the Access Node communicates access network
   topology information and any corresponding updates to the NAS.
   For WLAN, when a WTP starts to run, the AC (Access Controller)
   creates a logical port for each radio on the WTP.  Since the AC
   already knows the topology of the WTPs, the NAS can just convey user
   related policies to the AC, and the AC will relay the information to
   the corresponding WTP.  So the NAS does not need to know all the
   WTPs; it only needs to know the identification of the AC and the
   VLAN scope of the users who come from that AC.  Each logical port on
   the AC can belong to a different VLAN or to the same VLAN, so the
   creation and deletion of each logical port may require a VLAN
   information update to the NAS.

9.  ANCP Based WLAN roaming status reporting

   Wireless users are mobile.  In WLAN, a station can roam from one WTP
   to another, or from one AC to another.  Ideally, it is not necessary
   for the roamer to re-authenticate.  However, the IP address usually
   changes due to the change of VLAN.  Given that the authentication
   method is Portal (which is the most convenient authentication method
   for the user, since authentication is performed through a web
   interface), the change of IP address will cause re-authentication at
   the NAS.  In WLAN, the AC has the ability to understand the roaming
   status of the roamer.  So if the AC reports the user's roaming
   status to the NAS through the ANCP mechanism, the re-authentication
   at the NAS can be avoided.

   The roaming status reporting message contains the AC identification,
   the user's original IP address and the new IP address.  When the NAS
   receives the message, it updates the user's entry to permit the user
   with the new IP address to pass directly, and relays the change to
   the AAA server to ensure correct accounting and records for the
   user.

10.  ANCP based WLAN Configuration

10.1.  QoS policy Configuration

   The ANCP mechanism makes it possible to perform QoS actions at the
   granularity of each user at the wireless access edge.  This improves
   the utilization of wireless radio resources by limiting the low
   priority user's flow and ensuring the high priority user's flow as
   early as possible.
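The roaming status report of Section 9, as an added example written for this page rather than code from the draft or from any ANCP implementation: the AC builds the report as ANCP-style TLVs (RFC 6320 layout, with hypothetical placeholder type codes since the draft assigns none), and the NAS moves the user's entry to the new IP address without re-authentication and records the change for the AAA server. The set of ACs the NAS trusts (known_acs, assumed to come from the adjacency and topology discovery of Section 8) is an assumption, as is rejecting a report that does not name an authenticated session held by a known AC.

```python
import struct
from dataclasses import dataclass, field
from ipaddress import IPv4Address

# Hypothetical TLV type codes; the draft assigns none, so these are placeholders.
TLV_AC_ID = 0x0F01
TLV_ORIG_IP = 0x0F02
TLV_NEW_IP = 0x0F03


def encode_tlv(tlv_type: int, value: bytes) -> bytes:
    """RFC 6320 TLV: 16-bit type, 16-bit value length, value padded to 4 bytes."""
    pad = (-len(value)) % 4
    return struct.pack("!HH", tlv_type, len(value)) + value + b"\x00" * pad


def decode_tlvs(data: bytes) -> dict:
    """Parse concatenated TLVs into {type: value}; truncated input is rejected."""
    tlvs, offset = {}, 0
    while offset < len(data):
        if len(data) - offset < 4:
            raise ValueError("truncated TLV header")
        tlv_type, length = struct.unpack_from("!HH", data, offset)
        offset += 4
        if len(data) - offset < length:
            raise ValueError("truncated TLV value")
        tlvs[tlv_type] = data[offset:offset + length]
        offset += length + (-length) % 4   # skip the value and its padding
    return tlvs


def build_roaming_report(ac_id: str, orig_ip: str, new_ip: str) -> bytes:
    """AC side: AC identification, the user's original IP and the new IP."""
    return (encode_tlv(TLV_AC_ID, ac_id.encode())
            + encode_tlv(TLV_ORIG_IP, IPv4Address(orig_ip).packed)
            + encode_tlv(TLV_NEW_IP, IPv4Address(new_ip).packed))


@dataclass
class Session:
    user: str
    ip: str
    ac_id: str
    authenticated: bool


@dataclass
class Nas:
    known_acs: set = field(default_factory=set)      # ACs with an ANCP adjacency
    sessions: dict = field(default_factory=dict)     # keyed by subscriber IP
    aaa_updates: list = field(default_factory=list)  # changes relayed to AAA

    def handle_roaming_report(self, payload: bytes) -> bool:
        """NAS side: move the user's entry to the new IP, no re-authentication."""
        tlvs = decode_tlvs(payload)
        ac_id = tlvs[TLV_AC_ID].decode()
        orig_ip = str(IPv4Address(tlvs[TLV_ORIG_IP]))
        new_ip = str(IPv4Address(tlvs[TLV_NEW_IP]))
        sess = self.sessions.get(orig_ip)
        # Only a known AC may move an authenticated session, and never onto an
        # address another session already holds; anything else is discarded.
        if (ac_id not in self.known_acs or sess is None
                or not sess.authenticated or new_ip in self.sessions):
            return False
        del self.sessions[orig_ip]
        sess.ip, sess.ac_id = new_ip, ac_id
        self.sessions[new_ip] = sess
        self.aaa_updates.append({"user": sess.user, "old_ip": orig_ip, "new_ip": new_ip})
        return True
```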
   After the wireless subscriber is authenticated at the NAS, the NAS
   conveys the QoS profile information to the wireless Access Node,
   i.e. the Access Controller.  Then the QoS policy can be enforced at
   the AC and the WTP.

10.2.  Key transfer

   Many wireless users need air protection for security.  With the
   definition of 802.11i (or WPA/WPA2), the air key material is
   negotiated in the 802.1X authentication procedure between the user
   and the AAA server through the NAS.  So the intermediate key, i.e.
   the pairwise master key (PMK), is held by the NAS.  However, the AC
   needs to establish the final air key with the user based on the PMK.
   Therefore, the NAS must transfer the intermediate key to the AC
   based on the ANCP mechanism.

   After the WLAN subscriber is authenticated at the NAS and the NAS
   gets the PMK from the AAA server, the PMK is transferred from the
   NAS to the corresponding AC, together with the user's identification
   information.  Based on the received PMK, the AC then negotiates with
   the corresponding user to derive the final air key.

10.3.  Notification of subscriber's authentication result

   Given that the authentication method is Portal, there are often many
   users who are associated to the WLAN without performing
   authentication on the NAS.  These users occupy IP resources and WLAN
   resources.  However, strictly speaking, they are not legitimate.  In
   order to reduce these users' influence, it is good for the AC to be
   notified of the authentication result of each subscriber by the NAS.
   Then the AC can selectively refuse to associate illegitimate users,
   including those who do not authenticate, those who fail to
   authenticate, and those who are put on a blacklist.

   After the WLAN subscriber is authenticated at the NAS, the NAS
   notifies the result to the AC.  Based on this information, the AC
   actively kicks out those illegitimate users for a certain period of
   time.

11.  ANCP based WLAN Remote Connectivity Testing Capability

   A simple solution based on ANCP can provide the NAS with an access
   line test capability and, to some extent, fault isolation.
   Controlled by a local management interface, the NAS can use an ANCP
   operation to trigger the Access Node to perform a loopback test on
   the local loop.  The Access Node can respond via another ANCP
   operation with the result of the triggered loopback test.  In the
   case of a WLAN based local loop, the ANCP operation can trigger the
   AC to generate an RF (radio frequency) ping to check the link status
   of a specific user.

12.  ANCP versus CAPWAP between the AC and WTP

   CAPWAP is an internal protocol in WLAN.  CAPWAP helps to extend WLAN
   on a large scale and lower operating expenses.  The intent of the
   CAPWAP protocol is to facilitate control, management and
   provisioning of WLAN Termination Points (WTPs), specifying the
   services, functions and resources relating to 802.11 WLAN
   Termination Points in order to allow for interoperable
   implementations of WTPs and ACs.  With CAPWAP alone, the subscriber
   related requirements described above cannot be resolved.

   The focus of ANCP is on the communication between the AN and the
   NAS.  With ANCP, subscriber-related services can be carried out
   effectively by delivering user-related information to the access
   edge.  Certainly, with the presence of CAPWAP, the NAS does not need
   to know the WTP topology in detail and only needs to know the AC as
   the Access Node.  CAPWAP reduces the workload of the NAS in
   implementing the ANCP mechanism by shielding the WLAN's internal
   structure.

13.  Security Considerations

   [ANCP-SECURITY] lists the ANCP related security threats that could
   be encountered on the Access Node and the NAS.  It develops a threat
   model for ANCP security, and lists the security functions that are
   required at the ANCP level.

14.  IANA Considerations

   To be determined.

15.  Acknowledgements

   Thanks to Tina Tsou for helpful comments on this document.  The
   authors also thank their friends and coworkers Jianfeng Liu, Tao
   Zheng, Min Yao, Haitao Zhang and Xiaolan Wan.

16.  References

16.1.  Normative References

   [RFC2119]  Bradner, S., "Key words for use in RFCs to Indicate
              Requirement Levels", BCP 14, RFC 2119, March 1997.

   [RFC2629]  Rose, M., "Writing I-Ds and RFCs using XML", RFC 2629,
              June 1999.

   [RFC3990]  O'Hara, B., Calhoun, P., and J. Kempf, "Configuration and
              Provisioning for Wireless Access Points (CAPWAP) Problem
              Statement", RFC 3990, February 2005.

   [RFC6320]  Wadhwa, S., Moisand, J., Haag, T., Voigt, N., and T.
              Taylor, "Protocol for Access Node Control Mechanism in
              Broadband Networks", RFC 6320, October 2011.

16.2.  Informative References

   [RFC5713]  Moustafa, H., Tschofenig, H., and S. De Cnodder,
              "Security Threats and Security Requirements for the
              Access Node Control Protocol (ANCP)", RFC 5713,
              January 2010.

   [RFC5851]  Ooghe, S., Voigt, N., Platnic, M., Haag, T., and S.
              Wadhwa, "Framework and Requirements for an Access Node
              Control Mechanism in Broadband Multi-Service Networks",
              RFC 5851, May 2010.

Authors' Addresses

   Xiangqing Chang
   Hangzhou H3C Tech. Co., Ltd.
   Beijing Rnd Center of H3C, Oriental Electronic Bld.
   Beijing
   China (100085)

   Phone: +86 010 82774889
   Email: chang_xq@h3c.com


   Yang Shi
   Hangzhou H3C Tech. Co., Ltd.
   Beijing Rnd Center of H3C, Digital Technology Plaza
   Beijing
   China (100085)

   Email: rishyang@gmail.com


   Tom Taylor
   Huawei Technologies Co., Ltd.
   Ottawa
   Canada

   Email: tom111.taylor@bell.net