Internet DRAFT - draft-xq-ancp-wlan


ancp                                                    Xiangqing. Chang
Internet-Draft                                                 Yang. Shi
Intended status: Informational              Hangzhou H3C Tech. Co., Ltd.
Expires: June 19, 2012                                         T. Taylor
                                           Huawei Technologies Co., Ltd.
                                                       December 17, 2011

 Applicability of Access Node Control Mechanism to WLAN based Broadband


   The purpose of this document is to provide applicability of Access
   Node Control Mechanism ,as described in [ANCP-FRAMEWORK],to WLAN
   based broadband access.  The need for an Access Node Control
   Mechanism between a Network Access Server (NAS) and an WLAN Access
   Node is described.The Access Node Control Mechanism is also extended
   for WLAN.

Status of this Memo

   This Internet-Draft is submitted in full conformance with the
   provisions of BCP 78 and BCP 79.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF).  Note that other groups may also distribute
   working documents as Internet-Drafts.  The list of current Internet-
   Drafts is at

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   This Internet-Draft will expire on June 19, 2012.

Copyright Notice

   Copyright (c) 2011 IETF Trust and the persons identified as the
   document authors.  All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents
   ( in effect on the date of
   publication of this document.  Please review these documents
   carefully, as they describe your rights and restrictions with respect

Chang, et al.             Expires June 19, 2012                 [Page 1]
Internet-Draft                ANCP to WLAN                 December 2011

   to this document.  Code Components extracted from this document must
   include Simplified BSD License text as described in Section 4.e of
   the Trust Legal Provisions and are provided without warranty as
   described in the Simplified BSD License.

Table of Contents

   1.  Conventions  . . . . . . . . . . . . . . . . . . . . . . . . .  3
   2.  Introduction . . . . . . . . . . . . . . . . . . . . . . . . .  3
   3.  Terminology  . . . . . . . . . . . . . . . . . . . . . . . . .  3
   4.  Problem Statement  . . . . . . . . . . . . . . . . . . . . . .  4
   5.  Reference Architecture for WLAN Access Network . . . . . . . .  5
   6.  Motivation for explicit extension of ANCP to WLAN  . . . . . .  6
   7.  Concept of Access Node Control Mechanism for WLAN based
       access . . . . . . . . . . . . . . . . . . . . . . . . . . . .  7
   8.  ANCP Based WLAN Topology Discovery . . . . . . . . . . . . . .  8
   9.  ANCP Based WLAN roaming status reporting . . . . . . . . . . .  8
   10. ANCP based WLAN Configuration  . . . . . . . . . . . . . . . .  9
     10.1.  Qos policy Configuration  . . . . . . . . . . . . . . . .  9
     10.2.  Key transfer  . . . . . . . . . . . . . . . . . . . . . .  9
     10.3.  Notification of subscriber's authentication result  . . . 10
   11. ANCP based WLAN Remote Connectivity Testing Capability . . . . 10
   12. ANCP versus CAPWAP between the AC and WTP  . . . . . . . . . . 10
   13. Security Considerations  . . . . . . . . . . . . . . . . . . . 11
   14. IANA Considerations  . . . . . . . . . . . . . . . . . . . . . 11
   15. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . . 11
   16. References . . . . . . . . . . . . . . . . . . . . . . . . . . 11
     16.1.  Normative References  . . . . . . . . . . . . . . . . . . 11
     16.2.  Informative References  . . . . . . . . . . . . . . . . . 11
   Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . . 12

Chang, et al.             Expires June 19, 2012                 [Page 2]
Internet-Draft                ANCP to WLAN                 December 2011

1.  Conventions

   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
   document are to be interpreted as described in RFC 2119 [RFC2119]

2.  Introduction

   With the fast popularization of WLAN terminal,WLAN are being deployed
   widely across carrier networks to provide hotspot access service.It
   is an important method for carriers to offload the data pressure of
   2G/3G mobile network by WLAN access network.

   [ANCP-FRAMEWORK] provides the framework and requirements for
   coordinated admission control between a NAS and an AN with special
   focus on DSL deployments.  This document proposes the extension of
   that framework and the related requirements to WLAN.

3.  Terminology

   o Wireless Local Access Network(WLAN):WLAN technologies include the
   approved IEEE 802.11a, b,g and n specifications.  WLAN is a high-
   speed local wireless technology to enjoy broad deployment , most
   notably in hotspots around the world, including homes and offices,
   and increasingly cafes, hostels, and airports.  WLAN is also known as
   Wi-Fi(short for wireless fidelity).

   o Wireless Termination Point (WTP): The physical or network entity
   that contains an RF antenna and wireless physical layer (PHY) to
   transmit and receive station traffic for wireless access networks.For
   WLAN,WTP is also known as Aceess Point(AP).

   o Access Controller (AC): The network entity that provides WTP access
   to the network infrastructure in the data plane, control
   plane,management plane, or a combination therein.

   o Control And Provisioning of Wireless Access Points (CAPWAP): It is
   a generic protocol defining AC and WTP control and data plane

   o Station (STA): A device that contains an interface to a wireless
   medium (WM).It is a subscriber device.

   o Autonomous Wireless Local Area Network (WLAN) Architecture: It is
   the traditional autonomous WLAN architecture, in which each WTP is a
   single physical device that implements all the wireless services.

Chang, et al.             Expires June 19, 2012                 [Page 3]
Internet-Draft                ANCP to WLAN                 December 2011

   o Centralized WLAN Architecture: It is an hierarchical architecture
   utilizing one or more centralized controllers for managing a large
   number of WTP devices.  It can be said that the full wireless
   functions are implemented across multiple physical network devices,
   namely, the WTPs and ACs.

   o Access Node (AN): Network device, usually located at a service
   provider central office or street cabinet that terminates
   access(local) loop connections from subscribers.  In case the access
   loop is a Digital Subscriber Line (DSL), the Access Node provides DSL
   signal termination, and is referred to as a DSL Access Multiplexer
   (DSLAM).In case of WLAN, it is referred to as a AC.

   o Network Access Server (NAS): Network element which aggregates
   subscriber traffic from a number of ANs or ANXs.  The NAS is often an
   injection point for policy management,authentication and IP QoS in
   the access network.  It is also referred to as Broadband Network
   Gateway (BNG) or Broadband Remote Access Server (BRAS).

4.  Problem Statement

   When wired carriers extend their network with wireless access
   technologies, they prefer to reuse NAS architecture.For wired
   carriers,NAS and AC usually coexist in the operator's WLAN access
   network.Professional NAS is often deployed in the fixed network
   already,so they prefer to reuse NAS devices for WLAN access network
   as authentication device to reduce cost and avoid network
   variation.NAS controls subscriber's access to network with AAA, and
   AC manages WTPs and controls user's association to WLAN.The focus
   throughout this document is based on this kind of application
   scenery.Given the separation of NAS and AC, AC takes the role of
   wireless AN.

   Just like wired broadband access network,WLAN provides triple-play
   services over IP to meet the increasing demand for broadband data
   service.In order to carry out the QOS policy more effectively and
   improve the utilization of network resouce,the cooperation between
   the NAS and the wireless AN is also needed.

   Furthermore,except for the common things with wired access
   technology,there are special characters in WLAN.For example,the open
   media of radio acess,the station's roaming.So, WLAN proposes new
   requirement to enhance the exchange of information for NAS and
   AN.Some related use cases include:

   -----In order to ensure security of data transport over the
   air,different encryption key is needed for each user.  However,the

Chang, et al.             Expires June 19, 2012                 [Page 4]
Internet-Draft                ANCP to WLAN                 December 2011

   intermediate key material is held by NAS for every subscriber.So, NAS
   need to deliver the material to wireless AN dynamically to generate
   the final encryption key over the air.

   -----To improve the utility of precious wireless spectrum, AN need to
   get more status information of each user from NAS.

   -----To make the user's roaming experience better,AN and NAS need
   more cooperation.

   It shows that a tighter coordination between NAS and Wireless AN is
   necessary.Fortunately, ANCP intends to provide a general
   communication mechanism between NAS and AN,and ANCP support to be
   extended on demand.  So,with the new WLAN requirement,ANCP need to be
   extended for WLAN.

5.  Reference Architecture for WLAN Access Network

   RFC 5851 [RFC5851]provides detailed definition and functions of each
   network element in the general broadband reference
   architecture.Figures 1 shows an end-to-end broadband network with
   WLAN access.

   There are two WLAN architecture models.One is Centralized WLAN
   Architecture(or Fit Architecture),the other is Autonomous WLAN
   Architecture(or Fat Architecture).  The need of deploying WLAN more
   broadly and cost-effectively lead to the population of the
   centralized WLAN architecture.  The Access Node terminates the WLAN
   access.  It is refered to as AC in Centralized WLAN Architecture,and
   as WTP in Autonomous WLAN Architecture.

   Given the industry's trend of centralized WLAN architecture, the
   primary focus throughout this document is on centralized WLAN

   RFC 5851 [RFC5851] defines the core of what distinguishes a NAS from
   a typical routing system as per-user basis authentication,accountting
   and policies.

Chang, et al.             Expires June 19, 2012                 [Page 5]
Internet-Draft                ANCP to WLAN                 December 2011

                                Access                     Customer
                          <--- Aggregation ---->           Premises
                                 Network                   Network

                          +--------------------+ +---------------------+
      +---------+   +---+ |       +----------+ | |       +---+ +-------+
      |         | +-|NAS|-|-<Eth>-|Access    |-|-|-<Eth>-|WTP|-|Station|
   ---+ Regional| | +---+ |       |Controller| | |       +---+ |       |
      |Broadband| |       |       +----------+ | |             +-------+
      |Network  |-|       +------------|-------+ +---------------------+
   ---+         | |                    |         +---------------------+
      |         | | +---+              |         |       +---+ +-------+
      +---------+ +-|NAS|              +---------|-<Eth>-|WTP|-|Station|
                    +---+                        |       +---+ |       |
                                                 |             +-------+

    NAS: Network Access Server
    WTP: Wireless Termination Point

               Figure 1: WLAN Broadband Aggregation Topology

6.  Motivation for explicit extension of ANCP to WLAN

   Compared with wired broadband access technologies,there are several
   different points need to be considered:

   o WLAN access protection

   Strong over-the-air data protection is addressed in WLAN.For
   example,802.11i greatly increases the level of over-the-air data
   protection and access control on Wi-Fi networks.NAS will inevitably
   help to negotiate key materials used for air protection, and it
   should deliver the intermediate key material (called as PMK in WiFi)
   to WLAN AN .

   o Specific identification for WLAN subscriber

   For DSL access technology, a PVC represent a subscriber.  But for
   WLAN access technology, many subscribers can access with the same
   radio.  It means that there are many subscribers who may use the same
   VLAN.  So when the subscriber's information is exchanged ,
   subscriber's detail specific information need to be clarified.

   o Radio Resource Control

   Radio spectrum is a precious and limited resource.  The communication

Chang, et al.             Expires June 19, 2012                 [Page 6]
Internet-Draft                ANCP to WLAN                 December 2011

   between WLAN AN and NAS make it possible to control radio resource
   more efficiently among different wireless subscribers.  For example,
   according to certain rules, WLAN AN can kick off the inactive

   o Roaming

   Wireless user can roam from an Access Node to another Access Node.The
   change of subscriber's location need to be tracked.  And subscriber's
   reauthentication need to be avoided to improve quality of
   experience.However, subscriber's reauthentication often occur. for
   example, in WLAN network, given the authentication method of NAS is
   Portal, when a subscriber moved from an AN to another AN, the
   subscriber's IP address is usually changed, and it has to be re-
   authenticate at NAS although the latter AN understand the subscriber
   's roaming status.If latter AN report roaming information to NAS, the
   reauthentication can be avoid and the subscriber's roaming experience
   will be improved.

   Based on reusing the general framework and protocol of ANCP,typical
   elements which need to be defined for ANCP in WLAN environment
   include the following:

   ---New WLAN capability need to be defined for establishment of
   adjacency relationship

   ---New WLAN subscriber identification needs to be defined

   ---New message type or TLV need to be defined for delivering open air
   key material from NAS to WLAN AN

   ---New message type or TLV need to be defined for identifying invalid
   or unauthenticated user to AN for better radio resource control

   ---New message type or TLV need to be defined for AN to update NAS
   with roaming user information for better roaming experience

7.  Concept of Access Node Control Mechanism for WLAN based access

   The Access Node Control Mechanism defines a quasi real-time, general-
   purpose method for multiple network scenarios with an extensible
   communication scheme.  The mechanism consists of control function,
   and reporting and/or enforcement function.Controller function is used
   to receive status information or admission requests from the
   reporting function.  It is also used to trigger a certain behavior in
   the network element where the reporting and/or enforcement function
   resides.  The reporting function is used to convey status information

Chang, et al.             Expires June 19, 2012                 [Page 7]
Internet-Draft                ANCP to WLAN                 December 2011

   to the controller function that requires the information for
   executing local functions.  The enforcement function can be contacted
   by the controller function to enforce a specific policy or trigger a
   local action.

   Typical use cases related to reporting function for ANCP in WLAN
   environment include the following:

   ANCP Based WLAN Topology Discovery

   ANCP Based WLAN roaming status reporting

   Typical use cases related to control function and/or enforcement
   function for ANCP in WLAN environment include the following:

   ANCP based WLAN Configuration.

   ANCP based WLAN Remote Connectivity Testing Capability.

   ANCP based use cases in WLAN environment will be described in detail
   in the section that follow.Some use case is similar as the situation
   in DSL access,others are paticular for WLAN access.

8.  ANCP Based WLAN Topology Discovery

   In order to convey user related policies to correct Access Node, NAS
   need to gain knowledge about the topology of the access network and
   the attributes of the link.Through the procedure of WLAN Topology
   Discovery,Access Node communicate access network topology information
   and any corresponding updates to the NAS.

   For WLAN,when WTP start to run,AC(Access controller) will create a
   logical port for each radio on WTP.Since AC has known the topology of
   WTPs,NAS can just convey user related policies to AC,and AC will
   relay the information to corresponding WTP.So NAS does not bother to
   know all the WTPs,and just know the identification of AC and the vlan
   scope of users who come from the AC.Each logical port on AC can
   belong to different vlan or the same vlan.So the creation and
   deletion of each logical port may lead to upate vlan information to

9.  ANCP Based WLAN roaming status reporting

   Wireless user is movable.In WLAN,a station can roam from a WTP to
   another WTP,or from a AC to another AC.  Ideally,it is not necessary
   for the roamer to reauthenticate.However,the IP address is usually

Chang, et al.             Expires June 19, 2012                 [Page 8]
Internet-Draft                ANCP to WLAN                 December 2011

   changed due to the variation of vlan.Given the authentication method
   is portal(which is the most convenient authenticate method for user
   since it is authenticated through web interface),the change of IP
   address will cause reauthentication at NAS.In WLAN,AC has the ability
   to understand the roaming status of the roamer.So if AC report the
   user's roaming status to NAS through ANCP mechanism,the
   reauthentication at NAS can be avoided.

   The roaming status reporting message contains AC
   identification,user's original IP address and new IP address.  When
   the NAS receive the message,it update the user related entry to
   permit the user with new IP address pass directely, and relay the
   variation infomation to AAA server to ensure user's correct accouting
   and record.

10.  ANCP based WLAN Configuration

10.1.  Qos policy Configuration

   The ANCP mechanism make it possible to perform Qos action on the
   granularity of each user at wireless access edge.  It is good to
   improve the utility of wireless radio resource by limiting the low
   priority user's flow and ensure the high priority user's flow as
   early as possible.

   After the wireless subscriber authenticated at NAS,NAS convey the QOS
   profile information to wireless Access Node, i.e.  Access Controller.
   Then the Qos policy can be enforced at AC and WTP.

10.2.  Key transfer

   Many wireless user need air protection due to security.  With the
   definition of 802.11i(or WPA/WPA2), the air key material is
   negotiated in the procedure of 802.1x authentication between user and
   AAA server through NAS.So the intermediate key,i.e pairwise master
   key (PMK),is held by NAS.However,AC need to establish the final air
   key with the user based on PMK.  Therefore,NAS must transfer the
   intermediate key to AC based on the ANCP mechanism.

   After the WLAN subscriber authenticated at NAS,and NAS get the PMK
   from AAA server,the PMK is transfered from NAS to corresponding AC in
   addition to user related identification information.Based on the
   receive PMK,AC then negotiate with the corresponding user to get the
   final air key.

Chang, et al.             Expires June 19, 2012                 [Page 9]
Internet-Draft                ANCP to WLAN                 December 2011

10.3.  Notification of subscriber's authentication result

   Given the authentication method is portal,there are often many users
   who associated to WLAN without executing autentication on NAS.  These
   users occupies IP resources and WLAN resources.However,strictly
   speaking,they are not legal.In order to leverage these user's
   influence,it is good for AC to be notified the authentication result
   of each subscriber by NAS.Then,AC can selectively refuse to associate
   illegal users,include those who do not authicate,who are failed to
   authenticate,and who are put into blacklist.

   After the WLAN subscriber authenticated at NAS,and NAS notify the
   result to AC.Based on the information,AC actively kick out those
   illegal user for a certain period of time.

11.  ANCP based WLAN Remote Connectivity Testing Capability

   A simple solution based on ANCP can provide the NAS with an access
   line test capability and to some extent fault isolation.  Controlled
   by a local management interface the NAS can use an ANCP operation to
   trigger the Access Node to perform a loopback test on the local loop.
   The Access Node can respond via another ANCP operation with the
   result of the triggered loopback test.  In the case of WLAN based
   local loop, the ANCP operation can trigger the AC to generate
   RF(radio frequency) ping to check the link status of specific user.

12.  ANCP versus CAPWAP between the AC and WTP

   CAPWAP is an internal protocol in WLAN.CAPWAP help to extend WLAN in
   a large scale and lower operating expenses.The intent of the CAPWAP
   protocol is to facilitate control, management and provisioning of
   WLAN Termination Points (WTPs) specifying the services, functions and
   resources relating to 802.11 WLAN Termination Points in order to
   allow for interoperable implementations of WTPs and ACs.  With
   CAPWAP,the subscriber related requirements which is described above
   can't be resolved.

   The focus of ANCP is on the communication between AN and NAS.With
   ANCP,subscriber-related service can be carried out effectively by
   delivering user-related information to access edge.

   Certainly,with the presence of CAPWAP,NAS does not bother to know WTP
   topology in detail and only need to know AC as Access Node.CAPWAP
   leverage the workload of NAS to implement ANCP mechanism by shielding
   WLAN internal structure.

Chang, et al.             Expires June 19, 2012                [Page 10]
Internet-Draft                ANCP to WLAN                 December 2011

13.  Security Considerations

   [ANCP-SECURITY] lists the ANCP related security threats that could be
   encountered on the Access Node and the NAS.  It develops a threat
   model for ANCP security, and lists the security functions that are
   required at the ANCP level.

14.  IANA Considerations

   To be determined.

15.  Acknowledgements

   Thanks to Tina Tsou for helpful comments on this document.

   The authors also thank their friends and coworkers Jianfeng Liu,Tao
   Zheng,Min Yao,Haitao Zhang and Xiaolan Wan.

16.  References

16.1.  Normative References

   [RFC2119]  Bradner, S., "Key words for use in RFCs to Indicate
              Requirement Levels", BCP 14, RFC 2119, March 1997.

   [RFC2629]  Rose, M., "Writing I-Ds and RFCs using XML", RFC 2629,
              June 1999.

   [RFC3990]  O'Hara, B., Calhoun, P., and J. Kempf, "Configuration and
              Provisioning for Wireless Access Points (CAPWAP) Problem
              Statement", RFC 3990, February 2005.

   [RFC6320]  Wadhwa, S., Moisand, J., Haag, T., Voigt, N., and T.
              Taylor, "Protocol for Access Node Control Mechanism in
              Broadband Networks", RFC 6320, October 2011.

16.2.  Informative References

   [RFC5713]  Moustafa, H., Tschofenig, H., and S. De Cnodder, "Security
              Threats and Security Requirements for the Access Node
              Control Protocol (ANCP)", RFC 5713, January 2010.

   [RFC5851]  Ooghe, S., Voigt, N., Platnic, M., Haag, T., and S.
              Wadhwa, "Framework and Requirements for an Access Node
              Control Mechanism in Broadband Multi-Service Networks",

Chang, et al.             Expires June 19, 2012                [Page 11]
Internet-Draft                ANCP to WLAN                 December 2011

              RFC 5851, May 2010.

Authors' Addresses

   Xiangqing Chang
   Hangzhou H3C Tech. Co., Ltd.
   Beijing Rnd Center of H3C,Oriental Electronic Bld.

   Phone: +86 010 82774889

   Yang Shi
   Hangzhou H3C Tech. Co., Ltd.
   Beijing Rnd Center of H3C, Digital Technology Plaza


   Tom Taylor
   Huawei Technologies Co., Ltd.


Chang, et al.             Expires June 19, 2012                [Page 12]