Building secure, privacy aware, quality Wi-Fi coverage via cooperation

Building secure,
privacy aware,
quality Wi-Fi coverage
via cooperation
Karri Huhtanen
Arch Red Oy &
Open System Consultants Pty Ltd
22.9.2015

quality and the
traditional way of
building coverage
Photo by Karl-Ludwig G. Poggemann

In the beginning...
already a lot of separate,
overlapping Wi-Fi
networks interfering
with each other
Map by OpenStreetMap

already a lot of separate,
overlapping Wi-Fi
networks interfering
with each other
+
one more, the new
common Wi-Fi
network
Then...

So this is bad, because...
• more overlapping Wi-Fi networks => more radio
interference => all Wi-Fi network users suffer
• providing additional coverage, capacity and
bandwidth always generates costs to someone
• maintaining, upgrading and repairing additional
network always generates costs to someone
• often the additional coverage is also provided
outdoors and from outside => which means
excellent Wi-Fi coverage for magpies during
Finnish winters
Photo by Andrew King

What to do?
Photo by Sean Hobson

Try cooperation...

Instead of this...

Let’s try this...
uniﬁcation
via
cooperation

We must be realistic...
• Somebody has to cover the costs of providing coverage, capacity,
bandwidth and maintaining, upgrading and repairing network =>
Dividing work and costs makes sense => Let everyone handle and
control their part of the network
• We need unified policies for network configuration, authentication,
access filtering, IP addressing etc. => Let’s just choose open
standard interfaces and policies, no specific vendors or service
providers
• There will still be overlapping private networks, home networks
etc. => interference cannot be removed but it can be reduced
• Coverage is not really needed everywhere, it is needed where the
existing networks already are => with unified network settings
around it is easier to access Internet in various places

So how can this be done?

two options
“Easy” “Proper”
Scale by winnifredxoxo

“Easy”
• use common but original Wi-Fi network name for all
cooperating networks, make the name neutral so that it is
easier to adopt
• leave Wi-Fi network without authentication or encryption
or specify common WPA2 pre-shared secret, share this
secret to everyone
• have and enforce a common policy for Internet ﬁltering
and IP addressing everywhere
• wish for the best and believe in the goodness of the people
• that’s it: everyone controls and is responsible of their own
part of network and partially what happens through it
Photo by RobbyVan Moor

For few reasons “easy” option
has not catched on
• People want to have unauthenticated, unencrypted and unﬁltered
networks to use, but very few want to provide such ones
themselves.
• People still want to have curtains for privacy, doors for access
control, pin codes for credit cards and mobile phones.
• People responsible of what happens in or through their networks
are even more careful.
• “easy” networks are often ﬁltered so heavily that instead of ‘open’
they often should be called ‘broken’.
• Access and capacity control, monitoring and network
management are still needed, even in so called ‘open’ networks.

Photo by Thomas Guine
Photo by RobbyVan Moor
“Proper”
• use common but original Wi-Fi network name for all
cooperating networks, make the name neutral so that it is
easier to adopt
• use WPA2 Enterprise encryption and authentication for
everyone and every network, connect networks into coverage
area by authentication federation
• have and enforce a common policy for Internet ﬁltering, IP
addressing and network conﬁguration everywhere
• that’s it: everyone controls and is responsible of their own
part of network and partially what happens through it,
visitors leave trails that can be followed, device and visitor
access can be controlled

But has this then catched on?
• Short answer: Yes.
• eduroam(tm) (www.eduroam.org), the global authentication
federation for universities and research organisations is the world’s
3rd most advertised Wi-Fi network and the roaming standard of
academic world
• eduroam(tm) technologies and architecture have been applied in
Wireless Tampere community network and its successor roam.ﬁ,
which is used already in Tampere and neighboring cities
• Belnet has started a pilot in Belgium about government roaming
called govroam(tm) (www.govroam.be)
• The architecture is compatible with operator roaming and
technologies such as SIM card or certiﬁcate authentication, elliptic
curves etc. in addition to traditional username and password

What are the additional benefits?
• A common Wi-Fi network with same network configuration
accessible everywhere securely with home organisation credentials
but at the same time protecting the user privacy.
• Access to the network, used capacity and traffic can be controlled
and prioritized. Trail of accountability exists.
• The core infrastructure and architecture is field tested, it has already
been used and developed for over 10 years by operators, by eduroam
etc.
• The core infrastructure can be extended and evolved as
authentication and network technologies develop, in most times even
without changes to the core.
• All technologies and interfaces used are open standards, defined
mostly in IETF. There exists both open source and commercial
options for components and services from several suppliers.

What now and in the
future?
• All the components for building this kind of cooperative
Wi-Fi authentication federation exists.
• Together with Centre of Open Systems and Solutions
(COSS ry), already 2 operators and several cities and
organisations, Wireless Tampere model is migrated and
rebranded to roam.ﬁ concept.
• roam.ﬁ aims to be eduroam for any organisation, city,
company or operator, not just academic organisations
• If interested, come and discuss with me or COSS about
details.

Thank you. Questions?
Karri Huhtanen
https://www.twitter.com/khuhtanen
https://plus.google.com/+KarriHuhtanen/
these and more slides:
http://www.slideshare.net/khuhtanen/

Additional Slides
for technical and non-technical questions

Federated RADIUS Roaming
Federation Top-Level

roam.fi RADIUS (proxy)
Home Organisation

homeorg.fi RADIUS
Visited Organisation

visitedorg.fi RADIUS
home organisation
roam.fi Wi-Fi
network
visited organisation
roam.fi Wi-Fi
network
RADIUS connections

Authentication in Home Network

Home Organisation

homeorg.fi RADIUS

home organisation
roam.fi Wi-Fi
network
roam.fi Wi-Fi
network
secure
authentication
directly to home
RADIUS
username@homeorg.fi +
password

Authentication in Visited Network

Home Organisation

homeorg.fi RADIUS

home organisation
roam.fi Wi-Fi
network
roam.fi Wi-Fi
network
Authentication is
tunnelled with TLS
directly to home
RADIUS.
Even Visited
Organisation
cannot see the
actual credentials.
same

username@homeorg.fi + password,

no change to network settings

WPA2 Enterprise
Authentication
real identity+credentials can
always be secure inside TLS
tunnel
Access
Controller
e.g. Wi-Fi
controller or
access point
RADIUS
authentication
service
RADIUS protocol
+ TLS tunnel
WPA2 Enterprise
Authentication
outer identity needs only identify
home organisation, otherwise
anonymous identity allowed
Inside EAP message multiple methods of authentication and
credentials can be used in parallel in same federated Wi-Fi networks.
Home organisation capabilities are the only limiting factor.

What about electromagnetic
radiation, Wi-Fi and children?
• There is no scientiﬁc evidence or research results,
which would prove that Wi-Fi is in anyway
harmful.
• If additional discussion is needed, author strongly
recommends discussion with for example Vesa
Linja-aho, Lilja Tamminen, or scientists with actual
degrees from relevant ﬁelds (physics, medicine, etc.)

Building secure, privacy aware, quality Wi-Fi coverage via cooperation

More Related Content

What's hot

Similar to Building secure, privacy aware, quality Wi-Fi coverage via cooperation

More from Karri Huhtanen

Building secure, privacy aware, quality Wi-Fi coverage via cooperation