Secure, extensible and heterogenic wireless networks

Secure, extensible and heterogenic wireless networks: A model for community oriented wireless Internet in South Africa

B. Whittington, G. Halse, A. Terzoli
Department of Computer Science, Rhodes University, Grahamstown, 6140, South Africa

September 2003

Abstract

We present an IEEE 802.11b/g wide area network model tailored for the South African environment (political, economic, social and technological) to provide underprivileged schools and educational institutions with Internet connectivity. Building on wireless networking concepts we create a model that is easily deployable in rural and infrastructure-bereft areas, employing 802.1x as the authentication mechanism. The model aims to be economical, centrally managed and easily deployable.

Keywords: Wireless, Community, Education, IEEE 802.11b, IEEE 802.1x, rural development, PPPoE

1 Introduction

Currently there are many approaches to providing bandwidth to the end user (e.g. modem, ISDN, xDSL, Cable, Wi-Fi, Satellite). Each approach has differing requirements and cost models. Each has strengths and weaknesses regarding best deployment (economical and technical). This paper explores the deployment of a wireless network (i.e. IEEE 802.11b/g, IEEE being the Institute of Electronic and Electrical Engineers) to rural educational institutions, where infrastructure does not otherwise exist.

South Africa today

South Africa is a country in between two worlds, the developed and the developing; as such, the environment is somewhat unusual. The country has inherited both good and bad features of two worlds, creating a mix of social, political, and economic problems. There are large disparities between the wealthy and the poor, both in monetary terms and in access to facilities. The resulting environment means South African policies are aimed at bridging the gap between rich and poor, while creating a globally competitive economy. The model proposed in this paper aims to give underprivileged people access to privileged resources to empower them economically, giving South Africa a globally competitive edge. The South African Minister of Communications, Dr Ivy Matsepe-Casaburri, commented at a recent colloquium on national convergence: “...the choice is not between every technology or none. Rather, we must ensure that we do not get left behind in this global reality and that we adapt accordingly so as to meet the challenges of new technologies and of new times.” [11].

Legislation

Present legislation prohibits transmission of voice, or data, between two private properties without the use of a licensed carrier. Choice of carrier is limited to Telkom, one of the two cellular networks, or, recently, Sentech [4, 10]. Additionally, a second major network operator will be issued with a carrier license relatively soon. So, the provision of suburban area wireless (i.e. transmission outside of property boundaries) is impossible without a network operator, or an operator’s license. The regulation of radio frequencies is governed by ICASA (the Independent Communications Authority of South Africa), which defines the allowed use of particular bands and their respective licensing schemes. ICASA refers to itself as “The Authority [that] regulates the telecommunications and broadcasting industries in the public interest” [1]. The frequencies that 802.11b/g networks use are in the 2.4-2.5 GHz range, which falls into the international Industrial, Scientific and Medical (ISM) band of the ITU (International Telecommunications Union). In South Africa (and in most other countries) there are type approvals for the equipment you may use in these bands, and stipulations as to what you may, or may not, do. Currently, in terms of the “Declaration of Certain Apparatus to be and not to be Radio Apparatus for the purposes of Act No 3 of 1952”, No 1790 issued on 17 November 1995, WLANs used for short distances in the ISM bands on single sites (e.g. in an office complex) are permitted and exempt from spectrum licensing [12].

Changes

Draft legislation (the “Convergence Bill”) aims to encourage a more competitive telecommunications environment [14] by altering the manner in which data services are licensed. In the light of global attitudes towards Wi-Fi networks, and shifting attitudes towards the telecommunications industry, the bill aims to alter regulatory mechanisms in a manner which will allow free competition between service providers. Until the legislation is implemented and regulatory changes occur, the provision of wireless services without the use of a network operator is illegal. Community projects must function within the existing framework, and as such, with the assistance of an incumbent operator.

Community service

As part of license agreements each of the operators has had to fulfil a quota of community service, i.e. providing telecommunication infrastructure to township areas. Telkom, for example, have been obliged to fulfil fixed line requirements: “Telkom is obliged to install 2.69 million new lines over the five year fixed exclusivity period; 1.67 million lines to under-serviced areas as well as converting a further 1.25 million analogue lines to digital. Over 120,000 public pay phones will be installed over the same period.” [6]. Numerous other innovative solutions have been implemented, such as DECT (Digital Enhanced Cordless Telecommunications) phone infrastructure. Although relatively large amounts of money have gone into providing resources to historically disadvantaged areas there is still a need for more development. There have been many successes, but there have also been failed projects. “Community centers, resource centers and digital villages in townships will continue to under achieve in their goals of bringing Internet access to a sizeable proportion of residents in disadvantaged areas.” [5].

2 Existing Solutions

Wired solutions

Currently there are numerous initiatives to provide electronic and networking resources to underprivileged areas, especially disadvantaged schools. As part of their community service, Telkom have been obligated to install fixed lines (i.e. copper telephone lines) into rural areas. Fixed lines allow for installation of modem or xDSL connectivity, although problems with the quality of the lines installed can heavily reduce the throughput of the modem. Many rural areas have DECT infrastructure, and as such, standard modems and xDSL are unusable. Many rural schools now have access to the Internet via modems, but bandwidth is severely limited, and sharing of it is less than ideal. A few pilot projects involving xDSL have been explored, e.g. Nyaluza Secondary School in Grahamstown. Although xDSL is wider band, severely degraded speeds were attained, due to distance to exchanges and quality of copper lines [2]. Microsoft has also contributed a large amount of money into providing computer labs for underprivileged schools, the most successful example of which is the Soweto Digital Village [3]. These centers normally service the wider community, while enabling the students to access otherwise expensive equipment and become familiar with modern technology.

Wireless solutions

Presently there are a few wireless services available in South Africa, but these solutions are expensive, due to specialized and often fairly complex equipment. An example is VSAT (Very Small Aperture Transmitter). VSAT is a highly reliable, broadband solution, but is also a fairly costly solution for deployment to a single site. African Sky (a Canadian philanthropic company) have created two “distance learning” [13] centers, i.e. computer centers which use proprietary 2.4 GHz communication devices to talk to a central VSAT station. Another wireless project is that of the e-Busses. “The project has seen the outfitting of busses with computers and satellite dishes in an effort to take the Internet to communities that have never had access to it.” [15]. Due to the cost of equipment, VSAT technology is preferable as an Internet gateway, and not as a last mile solution.

802.11{b|g} wireless solutions

There are no legal 802.11a/b/g community wireless solutions implemented in South Africa, due to type approval limits for 802.11 equipment [12]. There are, however, examples of education based, government implemented community wireless projects in India, where the aim is for broadband resources to become accessible to all. IEEE 802.11 solutions are ideal for the rural environment as the equipment requires little, or no, existing infrastructure. A central Internet resource, in the form of xDSL or VSAT, can be shared to a suburban area using Wi-Fi networks. This flexibility is especially important in South Africa as telecommunications companies are reluctant to put wired solutions into township areas. Wireless solutions (specifically 802.11a/b/g) have been indicated as the way forward for developing countries by the United Nations secretary of state, Kofi Annan.

3 The model

Figure 1: Network Structure

The model centers around three components: the base station, the bridge, and the client. The base station is a standard 802.11 access point, which will allow for clients to associate and send and receive data. The ’bridge’ is composed of two parts, the actual bridge, which backhauls connectivity to the base station, and the access point, which mirrors the base station’s services. Figure 1 depicts the network model. The bridge can either be integrated into the access point, as is the situation in proprietary solutions, or externally connected.

The Bridge

The wireless bridge transparently forwards and maintains traffic between two points of connectivity. Wireless bridge devices are usually used in a situation where two disjoint LANs need to be linked, where a wire link is not feasible. A bridge normally plugs into two or more LANs and forwards traffic to a different network. Wireless bridges are conceptually the same, but consist of a wireless device connected to each LAN, which forwards traffic to its counterpart LAN using a wireless protocol. These bridges can support two modes: point to point, where one bridge only communicates with another, and point to multipoint, where many client bridges can associate to one base bridge. By connecting a wireless bridge to an access point we maintain the connection between the access point and the LAN transparently. The benefits of such a situation are twofold: the extension of the wireless LAN is limitless, as each access point transparently maintains a backhaul to the wired LAN, and the nature of the backhaul link is highly flexible, allowing for a highly extensible and heterogeneous network. The coverage of the wireless LAN can easily be extended, as each new hot-spot can host other hot-spots, in a point to point manner. Clients within a hot-spot zone need only associate to the nearest access point to gain access to LAN resources.

Coverage

With this extensible model the only limits on the growth of the LAN are the physical extension of the wireless LAN, and the coverage of each hot-spot. The coverage is limited by two factors: the power output of the device, and the amplification of the antenna. In South Africa, and most of the world, the limit on output strength of 802.11 wireless devices is 100 mW. Because of the power output limit of the devices, we are forced to examine antennae which can further extend coverage. Using a pair of directional antennae, the range of wireless devices can be extended to well over ten kilometers, although this would require the use of fairly bulky (60 cm) parabolic radio dishes. This is ideal for backhaul links, for which long distances need to be covered reliably. To increase hot-spot coverage directional antennae are not ideal, as our aim is for area coverage, not distance. Common implementations of suburban area wireless networks see clients using directional antennae (Yagi array antennae, or parabolic dish) while base stations make use of omni-directional antennae.

Heterogeneity

Because our access point and bridge are separated by what is effectively a standard Ethernet network, we can use multiple vendors for each part. Bridged links would need to be limited to one vendor, as each vendor has a proprietary mechanism for bridging between devices. Importantly, for the South African environment, potentially multiple donors and vendors could contribute to the deployment of a wireless network in a rural area.

Security

There is a need for access to be limited to clients who have been granted it. Access control is required to prevent unauthorized access, and to maintain control over bandwidth usage. There are two approaches to providing secure, manageable authentication: 802.1x and PPPoE (Point to Point Protocol over Ethernet). 802.1x [8] is a standard authentication mechanism issued by the IEEE in response to security problems associated with WEP (Wireless Equivalence Protocol). 802.1x compliant access points are configurable to retrieve authentication details via a TCP/IP connection to a RADIUS (Remote Authentication Dial In User Service) server. This enables central management of clients, as accounts can be created, reviewed, and deleted, while allowing a client’s usage on the network to be tracked. PPPoE is not limited to a specific medium, and runs as a layer above the Ethernet (PPPoE is frequently deployed by xDSL service providers). Practical implementations of PPPoE and 802.1x will be discussed below.
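As an added example (not code from the paper or its test-bed), the RADIUS request and reply framing of RFC 2865 that the access point relies on when it hands authentication to the central server: the access point hides the credential under a random Request Authenticator and opens the port only for a reply whose Response Authenticator binds it to that request under the shared secret, so a spoofed Access-Accept from elsewhere on the LAN is rejected. For brevity it carries a User-Name/User-Password pair rather than the EAP-Message attributes an 802.1x exchange actually relays; the shared secret and account are constructed.

```python
import hashlib
import os
import struct

SHARED_SECRET = b"example-shared-secret"  # constructed; assumed AP <-> RADIUS secret
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ATTR_USER_NAME, ATTR_USER_PASSWORD = 1, 2

def decode_attrs(data):
    attrs = []
    while data:
        t, length = struct.unpack("!BB", data[:2])  # 1-byte type, 1-byte total length
        if length < 2: raise ValueError("malformed attribute length")
        attrs.append((t, data[2:length]))
        data = data[length:]
    return attrs

def build_packet(code, ident, authenticator, attrs):
    body = b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)
    # 20-byte header: code, identifier, total length, 16-byte authenticator
    return struct.pack("!BBH", code, ident, 20 + len(body)) + authenticator + body

def hide_password(password, request_auth, secret=SHARED_SECRET):
    """RFC 2865 s5.2: pad to 16-byte blocks, XOR each with MD5(secret + previous block)."""
    padded = password.ljust(max(16, -(-len(password) // 16) * 16), b"\x00")
    prev, out = request_auth, b""
    for i in range(0, len(padded), 16):
        mask = hashlib.md5(secret + prev).digest()
        prev = bytes(a ^ b for a, b in zip(padded[i:i + 16], mask))
        out += prev
    return out

def reveal_password(hidden, request_auth, secret=SHARED_SECRET):
    """Server-side inverse of hide_password (assumes the password has no trailing NUL)."""
    prev, out = request_auth, b""
    for i in range(0, len(hidden), 16):
        mask = hashlib.md5(secret + prev).digest()
        out += bytes(a ^ b for a, b in zip(hidden[i:i + 16], mask))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")

def response_authenticator(code, ident, attr_bytes, request_auth, secret=SHARED_SECRET):
    """RFC 2865 s3: MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    header = struct.pack("!BBH", code, ident, 20 + len(attr_bytes))
    return hashlib.md5(header + request_auth + attr_bytes + secret).digest()

def build_access_request(ident, username, password):
    """Access point side: fresh random Request Authenticator, password hidden under it."""
    request_auth = os.urandom(16)
    attrs = [(ATTR_USER_NAME, username), (ATTR_USER_PASSWORD, hide_password(password, request_auth))]
    return build_packet(ACCESS_REQUEST, ident, request_auth, attrs), request_auth

def server_handle(request, users, secret=SHARED_SECRET):
    """RADIUS server side: recover the password, check the account, sign the reply."""
    code, ident, length = struct.unpack("!BBH", request[:4])
    request_auth = request[4:20]
    attrs = dict(decode_attrs(request[20:length]))
    password = reveal_password(attrs[ATTR_USER_PASSWORD], request_auth, secret)
    reply = ACCESS_ACCEPT if users.get(attrs[ATTR_USER_NAME]) == password else ACCESS_REJECT
    return build_packet(reply, ident, response_authenticator(reply, ident, b"", request_auth, secret), [])

def client_accepts(reply, ident, request_auth, secret=SHARED_SECRET):
    """Access point side: accept only an Access-Accept whose authenticator ties it to our request."""
    code, rid, length = struct.unpack("!BBH", reply[:4])
    expected = response_authenticator(code, rid, reply[20:length], request_auth, secret)
    return rid == ident and reply[4:20] == expected and code == ACCESS_ACCEPT
```

The same authenticator check applies unchanged when the request carries EAP-Message attributes instead of a password; it is the reply's binding to the request that stops a forged Accept.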

4 Implementation

Range tests

Currently a deployment consisting of a base station with range extending antennae, and a client to the station, has been tested. An 8 dB gain omni-directional antenna was attached to a standard 802.11b access point. Distance tests were conducted using a PDA (Personal Digital Assistant) with a PCMCIA 802.11b card. Field tests of the setup were done using a 19 dB gain flat panel directional antenna, and a 12 dB gain Yagi array antenna. The greatest line of sight distance we could attain was 5.2 km, from which we attained in excess of 500 KB/s (approximately 4 Mbps), using the flat panel antenna. With a maximum range established, we took multiple samples within the physical boundary, with excellent results.

Figure 2: Enabling 802.1x Authentication

Management

Management and control of the network is centralized to a server running FreeBSD, a RADIUS service, a proxy service (so as to minimize Internet bandwidth usage) and a firewall service, to limit attacks on the server and the clients. By centralizing control the system administrator can monitor account usage, and potentially curb bandwidth usage.

PPPoE/Security

PPPoE authenticates clients who connect to a PPP (Point to Point Protocol) service. Once authenticated, clients are allocated an IP address. PPPoE was used for the test-bed as 802.1x was minimally supported at the time. Community wireless projects have documented success using PPPoE [9]. There are two core authentication methods that can be configured with PPP, namely CHAP (Challenge Handshake Authentication Protocol) and PAP (Password Authentication Protocol), and each has proprietary implementations and variations. Clients to the network need a configured PPP client capable of both PPPoE and whichever implementation of authentication was used. In a scaled implementation of the network there would need to be a manual distribution method (e.g. CDs) for the software needed to access the network. According to Holland, “Windows XP is the only Microsoft operating system that includes a PPPoE client” [7].

CHAP

CHAP authentication issues a client with a challenge; the client responds to the challenge with a secret, which is then verified. CHAP can be configured as a two way mechanism for added security, i.e. the client concurrently issues the server with a challenge. For the purposes of a test-bed network, the MS-CHAP-V1 and MS-CHAP-V2 protocols both offer encrypted secret exchanges, and either is appropriate for secure authentication. MS-CHAP-V2 (Microsoft CHAP version 2) was chosen as the authentication method. MS-CHAP-V2 is a Microsoft engineered [17, 16] method for authentication. During testing it was found that Linux PPP clients were unable to authenticate to the server, due to incompatibilities with MS-CHAP-V2.
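The challenge/response round trip described above, as an added example rather than the authors' test-bed code: it implements the plain MD5 CHAP of RFC 1994, not the MS-CHAP-V2 variant the paper chose (which additionally needs DES and the NT password hash), and shows the two-way configuration and why a response captured off the air cannot be replayed after a link drop. Endpoint names and secrets are constructed.

```python
import hashlib
import hmac
import os

def chap_response(ident, secret, challenge):
    """RFC 1994 CHAP with MD5: Response = MD5(Identifier || secret || Challenge)."""
    return hashlib.md5(bytes([ident]) + secret + challenge).digest()

class ChapEndpoint:
    """One PPP endpoint. It can issue challenges (authenticator role) and answer
    them (peer role), so the same class serves both ends of a two-way setup."""

    def __init__(self, name, secret, known_peers):
        self.name, self.secret = name, secret
        self.known_peers = known_peers   # name -> secret of the peers we authenticate
        self.outstanding = {}            # identifier -> challenge awaiting a response

    def challenge(self, ident):
        """Issue a fresh, unpredictable 16-byte challenge under this identifier."""
        value = os.urandom(16)
        self.outstanding[ident] = value
        return ident, value

    def respond(self, ident, challenge):
        """Answer a challenge; the secret itself is never placed on the link."""
        return ident, self.name, chap_response(ident, self.secret, challenge)

    def verify(self, ident, name, response):
        """Success only if the response matches our copy of `name`'s secret against
        the challenge we actually issued; each challenge is consumed on first use."""
        challenge = self.outstanding.pop(ident, None)
        secret = self.known_peers.get(name)
        if challenge is None or secret is None:
            return False
        return hmac.compare_digest(chap_response(ident, secret, challenge), response)

def authenticate(authenticator, peer, ident=1):
    """One CHAP exchange. Returns (success, the bytes an eavesdropper sees on the link)."""
    ident, value = authenticator.challenge(ident)
    rid, name, response = peer.respond(ident, value)
    return authenticator.verify(rid, name, response), value + response

def two_way_authenticate(server, client):
    """CHAP configured as a two-way mechanism: the client also challenges the server."""
    client_ok, _ = authenticate(server, client, ident=1)
    server_ok, _ = authenticate(client, server, ident=1)
    return client_ok and server_ok

def replay_rejected(server, client):
    """A response captured from one exchange is useless against a fresh challenge,
    e.g. after a wireless link drops and the server re-challenges on reconnect."""
    ident, value = server.challenge(2)
    _, name, captured = client.respond(ident, value)
    genuine = server.verify(ident, name, captured)
    server.challenge(ident)                    # new challenge for the same identifier
    return genuine and not server.verify(ident, name, captured)

def build_test_bed():
    """Constructed credentials for a PPPoE server and one client (not real accounts)."""
    server = ChapEndpoint("pppoe-server", b"server-side-secret", {"learner": b"s3cret-passphrase"})
    client = ChapEndpoint("learner", b"s3cret-passphrase", {"pppoe-server": b"server-side-secret"})
    return server, client
```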

Problems with the implementation

Erratic connectivity problems became apparent after further testing. It appears that the link to the server would be broken, but internal PPP timers, which are responsible for registering a down event, continued to be acknowledged. This problem was found with both the FreeBSD and Windows implementations of the PPPoE client. It appears that this problem is associated specifically with using PPPoE over Wi-Fi Ethernet. A wireless link can briefly be interrupted (due to loss of signal, i.e. line of sight is compromised temporarily), but immediately recover. This means the user has to manually disconnect and restart the dial up procedure.

802.1x

Because 802.1x is a hardware level authentication method, it requires no 3rd party software distribution, and as such, it is a preferable method of authentication. 802.1x was developed specifically to resolve problems with the PPPoE protocol, as Holland states: “Recognizing the shortcomings of PPPoE and the need for a native Ethernet solution for access control, the IEEE has developed the IEEE 802.1x-2001 standard. The protocol is adaptable to either device authentication or user authentication for access to Ethernet-based network LANs, MANs, and broadband services.” [7]. 802.1x solves the aforementioned problems by being an Ethernet, and thus driver level, implementation. Support for 802.1x is standard on current Wi-Fi cards, and can be flash upgraded onto many older cards.

5 Conclusions

With the use of bridging equipment we are able to extend the range of the wireless network beyond the bounds of conventional 802.11 networks, although exploration of how far the range can be extended is outside of the scope of this paper. We explored PPPoE, and found it to be an inappropriate security solution, due to functional problems and deployment requirements. Investigation into 802.1x has shown it to be a more viable security mechanism, which fulfills our requirements. The extensible nature of the model allows for multi-vendor, ad hoc networks to be built. Because of the flexibility, the model is ideal for the South African environment, allowing multiple donors to contribute to the deployment of communication infrastructure into rural areas. With our requirements fulfilled, implementation of a viable, secure, extensible, and heterogeneous network model is possible. Under the test environment the model has shown success, and as such, should be considered for a full scale implementation.

References

[1] ICASA: overview. [Online]. Available: http://www.icasa.org.za/default.aspx?page=1009

[2] (2002) Open source in South African schools: Two case studies. [Online]. Available: http://mombe.org/ guy/papers/highway-africa-2002/HALSE-Highway-Africa-2002.pdf

[3] S. Batchelor. (2003, Jan.) Digital village, Soweto, South Africa: Community based training centre. [Online]. Available: http://www.sustainableicts.org/Digital%20Village%20full.pdf

[4] T. Burrows and R. Weidemann. (2003, Aug.) Sentech challenges landlines. [Online]. Available: http://www.itweb.co.za/sections/telecoms/2003/0308291152.asp?A=

[5] A. Goldstuck, “Internet access in South Africa, 2002,” May 2002. [Online]. Available: http://www.theworx.biz/access02

[6] S. A. Government. (1998, Nov.) Community service obligation quantum. [Online]. Available: http://docweb.pwv.gov.za/docs/misc/obligations.html

[7] G. Holland. (2003, Sept.) 802.1x: Subscriber authentication for Ethernet-based metro/broadband. [Online]. Available: http://www.riverstonenet.com/technology/802.1x.shtml

[8] Local and metropolitan area networks: Port-Based Network Access Control, IEEE Std. 802.1X-2001, 2001.

[9] R. Kohutek. (2003, June) Project WARTA: Wireless authentication, routing, traffic control and accounting. [Online]. Available: http://www.hpi.net/whitepapers/warta/

[10] F. Mail. (2003, May) Sentech has an aggressive plan to provide high-speed, wireless Internet services. [Online]. Available: http://www.miro.co.za/NewsSentech.htm

[11] M. of Communications. (2003, June) Address by the Minister of Communications, Dr Ivy Matsepe-Casaburri, at the National Colloquium on Convergence Policy, Johannesburg. [Online]. Available: http://docweb.pwv.gov.za/docs/sp/2003/150703.html

[12] I. C. A. of South Africa, “Telecommunications Act (103/1996): Notice in terms of section 27,” The South African Government Gazette, vol. 456, no. 25120, pp. 3–8, 2003.

[13] SpaceDaily. Canada’s African Sky breaks ground in South Africa. [Online]. Available: http://www.spacedaily.com/news/vsat-00d.html

[14] L. Stones. (2003, Sept.) Convergence bill aims to boost competition. [Online]. Available: http://allafrica.com/stories/200309250440.html

[15] B. Wright, “Bussing past the digital divide,” South African Computer Magazine, vol. 11, no. 8, Aug. 2003.

[16] G. Zorn, “Microsoft PPP CHAP extensions,” RFC 2433, Oct. 1998.

[17] G. Zorn, “Microsoft PPP CHAP extensions, version 2,” RFC 2759, Jan. 2000.