ancp                                                    Xiangqing. Chang
Internet-Draft                                                 Yang. Shi
Intended status: Informational              Hangzhou H3C Tech. Co., Ltd.
Expires: June 19, 2012                                         T. Taylor
                                           Huawei Technologies Co., Ltd.
                                                       December 17, 2011


 Applicability of Access Node Control Mechanism to WLAN based Broadband
                                Networks
                       draft-xq-ancp-wlan-00.txt

Abstract

   The purpose of this document is to describe the applicability of the
   Access Node Control Mechanism, as described in the ANCP framework
   [RFC5851], to WLAN based broadband access.  The need for an Access
   Node Control Mechanism between a Network Access Server (NAS) and a
   WLAN Access Node is described.  The Access Node Control Mechanism is
   also extended for WLAN.

Status of this Memo

   This Internet-Draft is submitted in full conformance with the
   provisions of BCP 78 and BCP 79.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF).  Note that other groups may also distribute
   working documents as Internet-Drafts.  The list of current Internet-
   Drafts is at http://datatracker.ietf.org/drafts/current/.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   This Internet-Draft will expire on June 19, 2012.

Copyright Notice

   Copyright (c) 2011 IETF Trust and the persons identified as the
   document authors.  All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents
   (http://trustee.ietf.org/license-info) in effect on the date of
   publication of this document.  Please review these documents
   carefully, as they describe your rights and restrictions with respect



Chang, et al.             Expires June 19, 2012                 [Page 1]


Internet-Draft                ANCP to WLAN                 December 2011


   to this document.  Code Components extracted from this document must
   include Simplified BSD License text as described in Section 4.e of
   the Trust Legal Provisions and are provided without warranty as
   described in the Simplified BSD License.


Table of Contents

   1.  Conventions  . . . . . . . . . . . . . . . . . . . . . . . . .  3
   2.  Introduction . . . . . . . . . . . . . . . . . . . . . . . . .  3
   3.  Terminology  . . . . . . . . . . . . . . . . . . . . . . . . .  3
   4.  Problem Statement  . . . . . . . . . . . . . . . . . . . . . .  4
   5.  Reference Architecture for WLAN Access Network . . . . . . . .  5
   6.  Motivation for explicit extension of ANCP to WLAN  . . . . . .  6
   7.  Concept of Access Node Control Mechanism for WLAN based
       access . . . . . . . . . . . . . . . . . . . . . . . . . . . .  7
   8.  ANCP Based WLAN Topology Discovery . . . . . . . . . . . . . .  8
   9.  ANCP Based WLAN roaming status reporting . . . . . . . . . . .  8
   10. ANCP based WLAN Configuration  . . . . . . . . . . . . . . . .  9
     10.1.  QoS policy Configuration  . . . . . . . . . . . . . . . .  9
     10.2.  Key transfer  . . . . . . . . . . . . . . . . . . . . . .  9
     10.3.  Notification of subscriber's authentication result  . . . 10
   11. ANCP based WLAN Remote Connectivity Testing Capability . . . . 10
   12. ANCP versus CAPWAP between the AC and WTP  . . . . . . . . . . 10
   13. Security Considerations  . . . . . . . . . . . . . . . . . . . 11
   14. IANA Considerations  . . . . . . . . . . . . . . . . . . . . . 11
   15. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . . 11
   16. References . . . . . . . . . . . . . . . . . . . . . . . . . . 11
     16.1.  Normative References  . . . . . . . . . . . . . . . . . . 11
     16.2.  Informative References  . . . . . . . . . . . . . . . . . 11
   Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . . 12


1.  Conventions

   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
   "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
   document are to be interpreted as described in RFC 2119 [RFC2119].


2.  Introduction

   With the rapid spread of WLAN-capable terminals, WLANs are being
   deployed widely across carrier networks to provide hotspot access
   service.  WLAN access networks are an important means for carriers to
   offload data traffic from their 2G/3G mobile networks.

   The ANCP framework [RFC5851] provides the framework and requirements
   for coordinated admission control between a NAS and an AN, with
   special focus on DSL deployments.  This document proposes the
   extension of that framework and the related requirements to WLAN.


3.  Terminology

   o Wireless Local Area Network (WLAN): WLAN technologies include the
   approved IEEE 802.11a, b, g and n specifications.  WLAN is a high-
   speed local wireless technology that enjoys broad deployment, most
   notably in hotspots around the world, including homes and offices,
   and increasingly cafes, hostels, and airports.  WLAN is also known as
   Wi-Fi (short for wireless fidelity).

   o Wireless Termination Point (WTP): The physical or network entity
   that contains an RF antenna and wireless physical layer (PHY) to
   transmit and receive station traffic for wireless access networks.
   For WLAN, the WTP is also known as an Access Point (AP).

   o Access Controller (AC): The network entity that provides WTP access
   to the network infrastructure in the data plane, control plane,
   management plane, or a combination thereof.

   o Control And Provisioning of Wireless Access Points (CAPWAP): A
   generic protocol defining AC and WTP control and data plane
   communication.

   o Station (STA): A device that contains an interface to a wireless
   medium (WM).  It is a subscriber device.

   o Autonomous Wireless Local Area Network (WLAN) Architecture: The
   traditional autonomous WLAN architecture, in which each WTP is a
   single physical device that implements all the wireless services.

   o Centralized WLAN Architecture: A hierarchical architecture
   utilizing one or more centralized controllers for managing a large
   number of WTP devices.  The full set of wireless functions is
   implemented across multiple physical network devices, namely the
   WTPs and ACs.

   o Access Node (AN): Network device, usually located at a service
   provider central office or street cabinet, that terminates
   access (local) loop connections from subscribers.  In case the access
   loop is a Digital Subscriber Line (DSL), the Access Node provides DSL
   signal termination, and is referred to as a DSL Access Multiplexer
   (DSLAM).  In the case of WLAN, it is referred to as an AC.

   o Network Access Server (NAS): Network element which aggregates
   subscriber traffic from a number of ANs or ANXs.  The NAS is often an
   injection point for policy management, authentication and IP QoS in
   the access network.  It is also referred to as Broadband Network
   Gateway (BNG) or Broadband Remote Access Server (BRAS).


4.  Problem Statement

   When wired carriers extend their networks with wireless access
   technologies, they prefer to reuse the NAS architecture.  For wired
   carriers, the NAS and the AC usually coexist in the operator's WLAN
   access network.  A dedicated NAS is often already deployed in the
   fixed network, so carriers prefer to reuse NAS devices as the
   authentication device for the WLAN access network in order to reduce
   cost and avoid changes to the network.  The NAS controls the
   subscriber's access to the network with AAA, and the AC manages the
   WTPs and controls the user's association to the WLAN.  The focus
   throughout this document is on this deployment scenario.  Given the
   separation of NAS and AC, the AC takes the role of the wireless AN.

   Just like a wired broadband access network, a WLAN provides
   triple-play services over IP to meet the increasing demand for
   broadband data service.  In order to carry out QoS policy more
   effectively and improve the utilization of network resources,
   cooperation between the NAS and the wireless AN is also needed.

   Furthermore, beyond what it has in common with wired access
   technology, WLAN has special characteristics, for example the open
   medium of radio access and station roaming.  WLAN therefore
   introduces new requirements for the exchange of information between
   the NAS and the AN.  Some related use cases include:

   -----In order to ensure the security of data transport over the air,
   a different encryption key is needed for each user.  However, the
   intermediate key material is held by the NAS for every subscriber.
   So the NAS needs to deliver that material to the wireless AN
   dynamically so that the final over-the-air encryption key can be
   generated.

   -----To improve the utilization of precious wireless spectrum, the AN
   needs to get more status information about each user from the NAS.

   -----To make the user's roaming experience better, the AN and the
   NAS need more cooperation.

   This shows that tighter coordination between the NAS and the wireless
   AN is necessary.  Fortunately, ANCP is intended to provide a general
   communication mechanism between the NAS and the AN, and ANCP is
   designed to be extended on demand.  So, given the new WLAN
   requirements, ANCP needs to be extended for WLAN.


5.  Reference Architecture for WLAN Access Network

   RFC 5851 [RFC5851] provides detailed definitions and functions of
   each network element in the general broadband reference
   architecture.  Figure 1 shows an end-to-end broadband network with
   WLAN access.

   There are two WLAN architecture models.  One is the Centralized WLAN
   Architecture (or Fit Architecture), the other is the Autonomous WLAN
   Architecture (or Fat Architecture).  The need to deploy WLAN more
   broadly and cost-effectively has led to the popularity of the
   centralized WLAN architecture.  The Access Node terminates the WLAN
   access.  It is referred to as the AC in the Centralized WLAN
   Architecture, and as the WTP in the Autonomous WLAN Architecture.

   Given the industry's trend towards the centralized WLAN
   architecture, the primary focus throughout this document is on the
   centralized WLAN architecture.

   RFC 5851 [RFC5851] defines the core of what distinguishes a NAS from
   a typical routing system as per-user authentication, accounting and
   policies.

                                Access                     Customer
                          <--- Aggregation ---->           Premises
                                 Network                   Network

                          +--------------------+ +---------------------+
      +---------+   +---+ |       +----------+ | |       +---+ +-------+
      |         | +-|NAS|-|-<Eth>-|Access    |-|-|-<Eth>-|WTP|-|Station|
   ---+ Regional| | +---+ |       |Controller| | |       +---+ |       |
      |Broadband| |       |       +----------+ | |             +-------+
      |Network  |-|       +------------|-------+ +---------------------+
   ---+         | |                    |         +---------------------+
      |         | | +---+              |         |       +---+ +-------+
      +---------+ +-|NAS|              +---------|-<Eth>-|WTP|-|Station|
                    +---+                        |       +---+ |       |
                                                 |             +-------+
                                                 +---------------------+

    NAS: Network Access Server
    WTP: Wireless Termination Point

               Figure 1: WLAN Broadband Aggregation Topology


6.  Motivation for explicit extension of ANCP to WLAN

   Compared with wired broadband access technologies, there are several
   differences that need to be considered:

   o WLAN access protection

   Strong over-the-air data protection is addressed in WLAN.  For
   example, 802.11i greatly increases the level of over-the-air data
   protection and access control on Wi-Fi networks.  The NAS will
   inevitably help to negotiate the key material used for air
   protection, and it should deliver the intermediate key material
   (called the PMK in Wi-Fi) to the WLAN AN.

   o Specific identification for WLAN subscriber

   For DSL access technology, a PVC represents a subscriber.  But for
   WLAN access technology, many subscribers can attach through the same
   radio.  This means that many subscribers may share the same VLAN.  So
   when subscriber information is exchanged, the subscriber's specific
   identification needs to be made explicit.

   o Radio Resource Control

   Radio spectrum is a precious and limited resource.  The communication
   between the WLAN AN and the NAS makes it possible to control radio
   resources more efficiently among different wireless subscribers.  For
   example, according to certain rules, the WLAN AN can disconnect
   inactive subscribers.

   o Roaming

   A wireless user can roam from one Access Node to another Access
   Node.  The change of the subscriber's location needs to be tracked,
   and reauthentication of the subscriber needs to be avoided to improve
   the quality of experience.  However, subscriber reauthentication
   often occurs.  For example, in a WLAN network where the NAS's
   authentication method is Portal, when a subscriber moves from one AN
   to another AN, the subscriber's IP address usually changes, and the
   subscriber has to re-authenticate at the NAS although the latter AN
   knows the subscriber's roaming status.  If the latter AN reports the
   roaming information to the NAS, the reauthentication can be avoided
   and the subscriber's roaming experience will be improved.

   Based on reusing the general framework and protocol of ANCP, typical
   elements which need to be defined for ANCP in a WLAN environment
   include the following:

   ---A new WLAN capability needs to be defined for establishment of the
   adjacency relationship

   ---A new WLAN subscriber identification needs to be defined

   ---A new message type or TLV needs to be defined for delivering
   over-the-air key material from the NAS to the WLAN AN

   ---A new message type or TLV needs to be defined for identifying
   invalid or unauthenticated users to the AN for better radio resource
   control

   ---A new message type or TLV needs to be defined for the AN to update
   the NAS with roaming user information for a better roaming
   experience


7.  Concept of Access Node Control Mechanism for WLAN based access

   The Access Node Control Mechanism defines a quasi real-time, general-
   purpose method for multiple network scenarios with an extensible
   communication scheme.  The mechanism consists of a controller
   function, and a reporting and/or enforcement function.  The
   controller function is used to receive status information or
   admission requests from the reporting function.  It is also used to
   trigger a certain behavior in the network element where the reporting
   and/or enforcement function resides.  The reporting function is used
   to convey status information to the controller function that
   requires the information for executing local functions.  The
   enforcement function can be contacted by the controller function to
   enforce a specific policy or trigger a local action.

   Typical use cases related to the reporting function for ANCP in a
   WLAN environment include the following:

   ANCP Based WLAN Topology Discovery

   ANCP Based WLAN roaming status reporting

   Typical use cases related to the controller function and/or
   enforcement function for ANCP in a WLAN environment include the
   following:

   ANCP based WLAN Configuration.

   ANCP based WLAN Remote Connectivity Testing Capability.

   ANCP based use cases in the WLAN environment are described in detail
   in the sections that follow.  Some use cases are similar to the
   situation in DSL access; others are particular to WLAN access.


8.  ANCP Based WLAN Topology Discovery

   In order to convey user related policies to the correct Access Node,
   the NAS needs to gain knowledge about the topology of the access
   network and the attributes of the link.  Through the procedure of
   WLAN Topology Discovery, the Access Node communicates access network
   topology information and any corresponding updates to the NAS.

   For WLAN, when a WTP starts to run, the AC (Access Controller)
   creates a logical port for each radio on the WTP.  Since the AC
   already knows the topology of the WTPs, the NAS can simply convey
   user related policies to the AC, and the AC will relay the
   information to the corresponding WTP.  So the NAS does not need to
   know all the WTPs; it only needs to know the identification of the
   AC and the VLAN scope of the users who come from that AC.  Each
   logical port on the AC can belong to a different VLAN or the same
   VLAN.  So the creation and deletion of each logical port may lead to
   a VLAN information update to the NAS.


9.  ANCP Based WLAN roaming status reporting

   Wireless users are mobile.  In WLAN, a station can roam from one WTP
   to another WTP, or from one AC to another AC.  Ideally, it is not
   necessary for the roamer to reauthenticate.  However, the IP address
   usually changes due to the change of VLAN.  Given that the
   authentication method is portal (which is the most convenient
   authentication method for the user since it is performed through a
   web interface), the change of IP address will cause reauthentication
   at the NAS.  In WLAN, the AC has the ability to understand the
   roaming status of the roamer.  So if the AC reports the user's
   roaming status to the NAS through the ANCP mechanism, the
   reauthentication at the NAS can be avoided.

   The roaming status reporting message contains the AC identification,
   the user's original IP address and the new IP address.  When the NAS
   receives the message, it updates the user related entry to permit the
   user with the new IP address to pass directly, and relays the change
   information to the AAA server to ensure correct accounting and
   records for the user.
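   The following is an added illustration, not code from this draft,
   of how a NAS might process the roaming status report described
   above: it moves the authenticated entry from the original IP address
   to the new one and produces the update relayed to AAA.  The draft
   defines no wire format, so the record structure, field names, the
   adjacency check and the accounting record shape are assumptions.

```python
# Added example, not part of the draft: NAS-side handling of the roaming
# status report described in Section 9.  The draft only says the report
# carries the AC identification, the user's original IP address and the new
# IP address; the record structure, field names and the accounting record
# shape below are assumptions made for this illustration.
import ipaddress
from dataclasses import dataclass, field


@dataclass
class Subscriber:
    user_id: str
    ip: str
    ac_id: str                 # AC the subscriber was last learned from
    authenticated: bool        # passed portal authentication at the NAS
    history: list = field(default_factory=list)


@dataclass
class RoamingReport:
    ac_id: str                 # AC identification (assumed field name)
    old_ip: str                # user's original IP address
    new_ip: str                # user's new IP address after roaming


class NasSessionTable:
    """Subscriber entries keyed by IP address, as a NAS would hold them."""

    def __init__(self, adjacent_acs):
        self.by_ip = {}
        # Only ACs with an established ANCP adjacency may report roaming.
        self.adjacent_acs = set(adjacent_acs)

    def add(self, sub):
        self.by_ip[sub.ip] = sub

    def handle_roaming_report(self, report):
        """Update the entry and return the AAA accounting update, or None
        when the report is rejected and the station must re-authenticate."""
        if report.ac_id not in self.adjacent_acs:
            return None                      # report from an unknown AC
        try:
            ipaddress.ip_address(report.old_ip)
            ipaddress.ip_address(report.new_ip)
        except ValueError:
            return None                      # malformed addresses
        sub = self.by_ip.get(report.old_ip)
        if sub is None or not sub.authenticated:
            return None                      # nothing to carry over
        if report.new_ip in self.by_ip:
            return None                      # would clobber a live entry
        # Permit the user with the new IP address directly, keeping the
        # authenticated state, and remember where the user came from.
        sub.history.append((sub.ip, sub.ac_id))
        del self.by_ip[sub.ip]
        sub.ip, sub.ac_id = report.new_ip, report.ac_id
        self.by_ip[sub.ip] = sub
        # Relayed to the AAA server so accounting follows the new address.
        return {"type": "Interim-Update", "user": sub.user_id,
                "old_ip": report.old_ip, "new_ip": report.new_ip,
                "ac": report.ac_id}


if __name__ == "__main__":
    nas = NasSessionTable(adjacent_acs=["ac-1", "ac-2"])
    nas.add(Subscriber("alice", "10.1.1.10", "ac-1", authenticated=True))
    print(nas.handle_roaming_report(RoamingReport("ac-2", "10.1.1.10",
                                                  "10.2.2.30")))
```

   A report that names an unknown AC, an unauthenticated subscriber or
   an address already in use is dropped, so the station falls back to
   ordinary portal authentication rather than inheriting someone else's
   session.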


10.  ANCP based WLAN Configuration

10.1.  QoS policy Configuration

   The ANCP mechanism makes it possible to perform QoS actions at the
   granularity of each user at the wireless access edge.  This helps to
   improve the utilization of wireless radio resources by limiting the
   low priority user's flow and ensuring the high priority user's flow
   as early as possible.

   After the wireless subscriber has authenticated at the NAS, the NAS
   conveys the QoS profile information to the wireless Access Node,
   i.e. the Access Controller.  Then the QoS policy can be enforced at
   the AC and the WTP.

10.2.  Key transfer

   Many wireless users need over-the-air protection for security.  As
   defined by 802.11i (or WPA/WPA2), the air key material is negotiated
   in the 802.1X authentication procedure between the user and the AAA
   server through the NAS.  So the intermediate key, i.e. the pairwise
   master key (PMK), is held by the NAS.  However, the AC needs to
   establish the final air key with the user based on the PMK.
   Therefore, the NAS must transfer the intermediate key to the AC based
   on the ANCP mechanism.

   After the WLAN subscriber has authenticated at the NAS, and the NAS
   has obtained the PMK from the AAA server, the PMK is transferred from
   the NAS to the corresponding AC together with user related
   identification information.  Based on the received PMK, the AC then
   negotiates with the corresponding user to derive the final air key.

10.3.  Notification of subscriber's authentication result

   Given that the authentication method is portal, there are often many
   users who have associated to the WLAN without executing
   authentication on the NAS.  These users occupy IP resources and WLAN
   resources.  However, strictly speaking, they are not legitimate.  In
   order to limit these users' impact, it is useful for the AC to be
   notified of the authentication result of each subscriber by the NAS.
   Then the AC can selectively refuse to associate illegitimate users,
   including those who do not authenticate, who fail to authenticate,
   and who have been put on a blacklist.

   After the WLAN subscriber's authentication at the NAS, the NAS
   notifies the result to the AC.  Based on this information, the AC
   actively kicks out those illegitimate users for a certain period of
   time.
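   The following is an added illustration, not code from this draft,
   of the AC-side behaviour described above: the AC records the
   authentication result notified by the NAS, refuses association to
   users that failed or are blacklisted for a hold-down period, and
   kicks out stations that sit associated without ever authenticating.
   The result names, the timer values and the use of the station MAC
   address as identifier are assumptions.

```python
# Added example, not part of the draft: AC-side use of the authentication
# result notified by the NAS (Section 10.3).  The draft says the AC can
# refuse association to users who do not authenticate, fail authentication
# or are blacklisted, and can kick such users out for a certain period.
# The result names, the timer values and identifying stations by MAC
# address are assumptions made for this illustration.
import time

HOLD_DOWN_SECONDS = 300     # assumed refusal period after a negative result
UNAUTH_GRACE_SECONDS = 120  # assumed time a station may stay associated
                            # before it must have authenticated at the NAS


class AssociationGate:
    def __init__(self, clock=time.monotonic):
        self.clock = clock
        self.associated = {}    # sta_mac -> time of association
        self.authenticated = set()
        self.refuse_until = {}  # sta_mac -> time until association refused

    def on_nas_result(self, sta_mac, result):
        """Apply a NAS notification: 'success', 'failure' or 'blacklisted'.
        Returns the action the AC takes for that station."""
        if result == "success":
            self.authenticated.add(sta_mac)
            self.refuse_until.pop(sta_mac, None)
            return "allow"
        if result not in ("failure", "blacklisted"):
            raise ValueError(f"unknown result {result!r}")
        self.authenticated.discard(sta_mac)
        self.refuse_until[sta_mac] = self.clock() + HOLD_DOWN_SECONDS
        if sta_mac in self.associated:
            del self.associated[sta_mac]    # kick the station out
            return "deauth"
        return "refuse"

    def on_assoc_request(self, sta_mac):
        """Accept or refuse an association request from a station."""
        now = self.clock()
        until = self.refuse_until.get(sta_mac)
        if until is not None and now < until:
            return False                    # still within the hold-down
        self.refuse_until.pop(sta_mac, None)
        self.associated[sta_mac] = now
        return True

    def expire_unauthenticated(self):
        """Kick stations that have sat associated without authenticating
        (they hold IP and radio resources but are not legitimate users)."""
        now = self.clock()
        kicked = [m for m, t in self.associated.items()
                  if m not in self.authenticated
                  and now - t > UNAUTH_GRACE_SECONDS]
        for m in kicked:
            del self.associated[m]
            self.refuse_until[m] = now + HOLD_DOWN_SECONDS
        return kicked
```

   The clock is injectable so the hold-down and grace timers can be
   exercised deterministically; a real AC would run
   expire_unauthenticated() periodically.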


11.  ANCP based WLAN Remote Connectivity Testing Capability

   A simple solution based on ANCP can provide the NAS with an access
   line test capability and, to some extent, fault isolation.
   Controlled by a local management interface, the NAS can use an ANCP
   operation to trigger the Access Node to perform a loopback test on
   the local loop.  The Access Node can respond via another ANCP
   operation with the result of the triggered loopback test.  In the
   case of a WLAN based local loop, the ANCP operation can trigger the
   AC to generate an RF (radio frequency) ping to check the link status
   of a specific user.


12.  ANCP versus CAPWAP between the AC and WTP

   CAPWAP is an internal protocol in WLAN.  CAPWAP helps to extend WLAN
   on a large scale and lower operating expenses.  The intent of the
   CAPWAP protocol is to facilitate control, management and provisioning
   of WLAN Termination Points (WTPs), specifying the services, functions
   and resources relating to 802.11 WLAN Termination Points in order to
   allow for interoperable implementations of WTPs and ACs.  With
   CAPWAP alone, the subscriber related requirements described above
   can't be resolved.

   The focus of ANCP is on the communication between the AN and the NAS.
   With ANCP, subscriber-related services can be carried out
   effectively by delivering user-related information to the access
   edge.

   Certainly, with the presence of CAPWAP, the NAS does not need to know
   the WTP topology in detail and only needs to know the AC as the
   Access Node.  CAPWAP reduces the workload of the NAS in implementing
   the ANCP mechanism by shielding the WLAN's internal structure.


13.  Security Considerations

   [RFC5713] lists the ANCP related security threats that could be
   encountered on the Access Node and the NAS.  It develops a threat
   model for ANCP security, and lists the security functions that are
   required at the ANCP level.


14.  IANA Considerations

   To be determined.


15.  Acknowledgements

   Thanks to Tina Tsou for helpful comments on this document.

   The authors also thank their friends and coworkers Jianfeng Liu, Tao
   Zheng, Min Yao, Haitao Zhang and Xiaolan Wan.


16.  References

16.1.  Normative References

   [RFC2119]  Bradner, S., "Key words for use in RFCs to Indicate
              Requirement Levels", BCP 14, RFC 2119, March 1997.

   [RFC2629]  Rose, M., "Writing I-Ds and RFCs using XML", RFC 2629,
              June 1999.

   [RFC3990]  O'Hara, B., Calhoun, P., and J. Kempf, "Configuration and
              Provisioning for Wireless Access Points (CAPWAP) Problem
              Statement", RFC 3990, February 2005.

   [RFC6320]  Wadhwa, S., Moisand, J., Haag, T., Voigt, N., and T.
              Taylor, "Protocol for Access Node Control Mechanism in
              Broadband Networks", RFC 6320, October 2011.

16.2.  Informative References

   [RFC5713]  Moustafa, H., Tschofenig, H., and S. De Cnodder, "Security
              Threats and Security Requirements for the Access Node
              Control Protocol (ANCP)", RFC 5713, January 2010.

   [RFC5851]  Ooghe, S., Voigt, N., Platnic, M., Haag, T., and S.
              Wadhwa, "Framework and Requirements for an Access Node
              Control Mechanism in Broadband Multi-Service Networks",
              RFC 5851, May 2010.


Authors' Addresses

   Xiangqing Chang
   Hangzhou H3C Tech. Co., Ltd.
   Beijing Rnd Center of H3C,Oriental Electronic Bld.
   Beijing
   China(100085)

   Phone: +86 010 82774889
   Email: chang_xq@h3c.com


   Yang Shi
   Hangzhou H3C Tech. Co., Ltd.
   Beijing Rnd Center of H3C, Digital Technology Plaza
   Beijing
   China(100085)

   Email: rishyang@gmail.com


   Tom Taylor
   Huawei Technologies Co., Ltd.
   Ottawa
   Canada

   Email: tom111.taylor@bell.net