July 13, 2020
When the Wi-Fi Alliance (WFA) introduced Hotspot 2.0 technology, it brought with it an opportunity to bring the Wi-Fi connection experience on par with that of cellular connectivity. It removed the friction of connecting to Wi-Fi networks: users only need to switch on Wi-Fi on their devices. The devices then automatically discover, select, and securely connect to an authorized Wi-Fi network in the user's vicinity. It was the most important piece of the puzzle for enabling seamless Wi-Fi roaming across different networks. However, a few gaps and operational challenges still need to be addressed to enable seamless Wi-Fi roaming across the globe, such as:
The Wireless Broadband Alliance (WBA), the industry body responsible for driving an interoperable service experience within the global wireless ecosystem, is developing the OpenRoaming Framework as the policy framework that defines an ecosystem for seamless and secure Wi-Fi roaming. It brings all the stakeholders, such as Service Providers, Enterprises, Wi-Fi Hubs, identity providers, and operators, into the new roaming federation. The WBA OpenRoaming federation would provide an open, interoperable, and trusted platform across the wireless ecosystem. A Wi-Fi network is considered OpenRoaming enabled if the WBA OpenRoaming Organization Identifiers (OIs) are broadcast inside the ANQP/HS2.0 information elements and secure interworking with the federation participants is ensured as per the defined operational recommendations, such as authoritative RadSec AAA endpoints, dynamic HSP network service discovery, data clearance, and implementation of the WBA PKIs. The roaming user devices then simply match the RoamingConsortiumOI (RCOI) for automatic network discovery and selection.
The OpenRoaming operations are based on the following technology pillars:
Figure-1 shows the technical architecture of an OpenRoaming network deployment. In the framework, the WBA considered various scenarios and worked on their respective limitations, such as legacy deployments or small partners that are enabled via the larger Hubs on either the VNP (Visited Network Provider) or HSP side. Any partner can onboard to the OpenRoaming framework, either directly or through Wi-Fi Hubs. The participating network providers and identity providers are assigned a unique WBAID, which is mandatory for establishing the RadSec connection. The WBA maintains the presence and status of all partners in the WBA global database. The database is continuously updated by the WBA Program Office, WBA certificate issuers, and Hubs as members are onboarded and deboarded. This database would be accessed through an authorized API to verify the validity of peer entities.
To provide the umbrella identification of OpenRoaming networks and the federation members, the WBA has been allocated two 24-bit Organizationally Unique Identifiers (OUIs) by the IEEE Registration Authority and has extended them to the OUI-36 format by adding a 12-bit extension derived from WBA contextual identifiers. The combined 36-bit organization identifiers are termed RoamingConsortiumOIs (RCOIs).
The 12-bit RCOI extension defines the contextual identifiers for the policy implementation of networks, catering to the different needs of the service providers across the federation and ensuring a better user experience. It carries the categorization of identity providers (Identity Type field), whether the user's permanent ID is exposed in the VNP network for authentication (PID field), and the tiering of the quality of service (QoS field). Only an exact match of the combined RCOI enables the roaming of users in different networks.
VNPs can use the four-bit Identity Type field to define HSP-centric policies. The table below lists the categories of identity types assigned to HSPs:
The binary PID field indicates the exposure of HSP user’s permanent Identity in the VNP network for the authentication purpose. If the field is set to ‘0’, then roaming users can remain anonymous.
The QoS field in the RCOIs defines the requirements of networks to provide the assured quality of service for the roaming users. The QoS tiering drives the network selection policies to ensure the requirements for serving the users are met by the VNP network.
The QoS context in the advertised RCOI also ensures that the visited network is fulfilling all the service level requirements set by WBA for the Wi-Fi services:
Baseline QoS: All networks under the OpenRoaming federation must meet the minimum requirements defined by the WBA.
Silver QoS: The VNP provides the enhanced services it has shared with the WBA as key performance parameters.
Gold QoS: Indicates that the VNP has assured the agreed real-time metrics for the services; these real-time metrics shall also be provided to HSPs in RADIUS messages.
The OpenRoaming federation recommends that if any VNP advertises a higher level of the QoS in RCOI, then it should also configure other sub-set QoS too. For example, VNPs configuring Gold QoS RCOIs should also configure Silver and Baseline RCOIs, and those configuring Silver should also configure Baseline QoS RCOIs as they are meeting the network requirements for the lower levels of QoS.
Based on the roaming policies and user profiles, the HSPs would provision a derived list of 36-bit RCOIs inside the Passpoint profile. The HSPs can provision the Passpoint profiles on user devices with specific Identity-types (such as organizations) and minimum required service/QoS level where users would be able to seamlessly connect while roaming.
The list of RoamingConsortiumOIs derived from the VNP's policies is advertised by the visited HS2.0 network. The roaming user device automatically selects the network and initiates authentication if at least one of the broadcast RCOIs exactly matches an entry in the RoamingConsortiumOI list provisioned in the Passpoint profile.
For example, if the Aviation industry VNP allows the hospitality users to roam in its network, then the Passpoint profile should be provisioned with hospitality identity type and Aviation industry VNP network must broadcast hospitality industry RCOI in the network.
Another way can be to provision the device with RCOIs corresponding to “Any identity type” and similarly VNPs also broadcasting the same RCOIs to allow users with any identity.
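To make the RCOI layout, the QoS subset rule and the device-side exact-match selection concrete, here is an added example (not code from the article or from the WBA). The 24-bit OUI, the identity-type codes and the position and width of the QoS bits are assumptions labelled in the code; only the 36-bit total, the 4-bit Identity Type and the 1-bit PID come from the text.

```python
# Added example: encode/decode a 36-bit RoamingConsortiumOI (RCOI) and apply the
# OpenRoaming matching rules described above. Field widths other than the 4-bit
# Identity Type and 1-bit PID are ASSUMPTIONS; the real WBA allocation is not used.
from dataclasses import dataclass

PLACEHOLDER_OUI = 0x00ABCD   # stand-in for a WBA OUI-24 (not the real value)
QOS_LEVELS = {"baseline": 0, "silver": 1, "gold": 2}   # assumed 2-bit QoS encoding
ANY_IDENTITY = 0xF           # assumed code for the "Any identity type" RCOIs


@dataclass(frozen=True)
class Rcoi:
    oui: int        # 24-bit Organizationally Unique Identifier
    identity: int   # 4-bit Identity Type (category of the HSP)
    pid: int        # 1 bit: 1 = permanent ID exposed to the VNP, 0 = user stays anonymous
    qos: int        # assumed 2-bit QoS tier (see QOS_LEVELS)

    def encode(self) -> int:
        """Pack as OUI(24) | identity(4) | PID(1) | QoS(2) | reserved(5) = 36 bits."""
        if not (0 <= self.oui < 1 << 24 and 0 <= self.identity < 16
                and self.pid in (0, 1) and 0 <= self.qos < 4):
            raise ValueError("RCOI field out of range")
        ext = (self.identity << 8) | (self.pid << 7) | (self.qos << 5)
        return (self.oui << 12) | ext

    @classmethod
    def decode(cls, value: int) -> "Rcoi":
        if not 0 <= value < 1 << 36:
            raise ValueError("RCOI must fit in 36 bits")
        ext = value & 0xFFF
        return cls(value >> 12, (ext >> 8) & 0xF, (ext >> 7) & 1, (ext >> 5) & 3)


def vnp_advertised(oui: int, identity: int, pid: int, top_qos: int) -> set:
    """RCOIs a VNP should broadcast: its highest tier plus every lower tier."""
    return {Rcoi(oui, identity, pid, q).encode() for q in range(top_qos + 1)}


def device_selects(profile_rcois, beacon_rcois) -> bool:
    """Passpoint rule: connect only if an advertised RCOI exactly equals a profile RCOI."""
    return bool(set(profile_rcois) & set(beacon_rcois))
```

The `vnp_advertised` helper generalizes the Gold/Silver/Baseline recommendation to any top tier; a VNP that broadcasts only its top tier will not match a profile that was provisioned for a lower minimum tier.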
The AAA proxy of the VNP forwards the authentication, authorization, and accounting traffic to the HSP's AAA server based on the HSP realm carried in the Access-Requests. UDP RADIUS requires whitelisting of the VNP AAA proxy and a common shared secret for the two to communicate, yet it is prone to exposing user information on the internet. This is why a site-to-site IPsec tunnel is often established to secure RADIUS communication in legacy networks.
To address the above-mentioned issues, OpenRoaming mandates a RadSec implementation on the AAA endpoints, securing the RADIUS messages inside a TLS tunnel between participating networks using certificates from the WBA PKI. All participants must obtain a unique WBAID for the network endpoints involved in the RadSec connection and for validating the authoritative AAA server of the HSP. If a participating party does not support RadSec on its AAA endpoint, it can use the services of a Hub for RadSec termination. During TLS connection establishment, the RadSec endpoints also ensure that the HSP (or its Hub) is authoritative for the realm of the user identity.
Static configuration of connectivity between AAA endpoints had been one of the major challenges to enable the roaming among different Wi-Fi network providers as it requires the network operators to know both the routing configurations and the source IPs to whitelist in advance.
The OpenRoaming framework recommends the dynamic discovery for both the Home Service Providers (HSPs) and Identity Providers (IdPs) application endpoints, i.e., AAA and data and billing clearance interface.
Naming Authority Pointer (NAPTR) DNS records solve the problem of dynamically discovering the IP address of any service based on the combination of FQDN, service protocol, and port. The NAPTR DNS response can also carry WBA-specific application service tags, defined for the WRIX applications (WRIX-d/f), to convey the capabilities of the HSP network. This is useful for discovering whether the target HSP supports the "Settled" or the "Settlement-free" interface. The OpenRoaming federation recommends that all partner networks implement dynamic DNS configuration for their AAA and data clearance (WRIX-d/f) services to avoid any static configuration. If a network is unable to configure dynamic DNS for its authoritative services, it can use the services of a Wi-Fi Hub; in that case, the Hub and the service operator can implement static routing for RADIUS messages. The WRIX PKI with RadSec enables the AAA servers to accept connections from any valid AAA proxy endpoint that is part of the federation network.
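The realm-based NAPTR lookup described above, as an added example that is not part of the article or of any WBA software. It follows the RFC 7585 pattern (NAPTR service tag, then SRV, then host and port); the DNS answers, the `hsp.example` realm and the host names are constructed inline, and the WBA-specific WRIX tags are not modelled.

```python
# Added example: resolve the RadSec (RADIUS/TLS) endpoints for a user's NAI realm
# from NAPTR and SRV records, RFC 7585 style. All DNS data below is CONSTRUCTED.
from dataclasses import dataclass


@dataclass(frozen=True)
class Naptr:
    order: int; preference: int; flags: str; service: str; replacement: str


@dataclass(frozen=True)
class Srv:
    priority: int; weight: int; port: int; target: str


RADSEC_TAG = "aaa+auth:radius.tls.tcp"   # RFC 7585 service tag for RADIUS over TLS

NAPTR_RECORDS = {   # constructed zone data for the HSP realm "hsp.example"
    "hsp.example": [
        Naptr(100, 10, "S", "aaa+auth:radius.udp", "_radius._udp.hsp.example."),
        Naptr(50, 10, "S", RADSEC_TAG, "_radiustls._tcp.hsp.example."),
        Naptr(50, 20, "S", RADSEC_TAG, "_radiustls._tcp.hub.example."),  # Hub fallback
    ],
}
SRV_RECORDS = {   # constructed; 2083 is the RadSec port from RFC 6614
    "_radiustls._tcp.hsp.example.": [Srv(10, 5, 2083, "aaa1.hsp.example."),
                                     Srv(20, 5, 2083, "aaa2.hsp.example.")],
    "_radiustls._tcp.hub.example.": [Srv(10, 5, 2083, "radsec.hub.example.")],
}


def realm_of(nai: str) -> str:
    """'anonymous@hsp.example' -> 'hsp.example'; the outer NAI decides the route."""
    if "@" not in nai:
        raise ValueError("NAI carries no realm, cannot route")
    return nai.rsplit("@", 1)[1].lower()


def discover_radsec(nai: str) -> list:
    """Ordered (host, port) candidates for the realm's RadSec service, best first."""
    realm = realm_of(nai)
    naptrs = [r for r in NAPTR_RECORDS.get(realm, [])
              if r.service == RADSEC_TAG and r.flags == "S"]
    naptrs.sort(key=lambda r: (r.order, r.preference))
    endpoints = []
    for rec in naptrs:
        srvs = sorted(SRV_RECORDS.get(rec.replacement, []),
                      key=lambda s: (s.priority, -s.weight))
        endpoints += [(s.target.rstrip("."), s.port) for s in srvs]
    # The VNP proxy must still validate the peer's WBA PKI certificate for the realm
    # when the TLS session is opened; discovery alone does not authenticate anything.
    return endpoints
```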
The WBA has completed the first phase of defining the operations of the OpenRoaming federation, the WBA PKI requirements for deployment, and the network provider onboarding methods. The global database of WBA OpenRoaming participants is also in progress, to facilitate validation of the participant organizations during user authorization. The framework has the potential to fill the gaps in Wi-Fi roaming concerning interconnection, security, and service assurance in visited networks, and to avoid connection requests from unwanted users. By addressing the major issues in existing roaming frameworks and promoting Passpoint to steer network selection policies, the OpenRoaming ecosystem could prove to be a pathbreaking solution in the near future.