February 28, 2012

More Secure, User-Friendly Hotspots On the Way

For users, hotspots are a double-edged sword. On one hand, these Wi-Fi networks in hotels, airports, trains, planes, cafes and other public venues deliver handy high-speed Internet access. But inconsistency and insecurity have also marred user experience and impeded usage.

Nonetheless, NPD In-Stat expects hotspot use to reach 120 billion connections by 2015. One reason is that mobile operators are anxious to offload 3G/4G by collaborating with vendors to backfill hotspot gaps.

Let's take a look at two closely related programs - Wi-Fi Alliance (WFA) Passpoint and Wireless Broadband Alliance (WBA) Next-Generation Hotspot (NGH) - to learn what enterprises can expect from hotspots in 2013 and beyond.

Passpoint: Outfitting the Players

According to WFA spokesperson Kevin Robinson, "Passpoint is a Wi-Fi certification program, bringing cellular-like roaming to mobile devices that visit Wi-Fi hotspots."

Specifically, Passpoint will test Wi-Fi clients and access points that implement the Hotspot 2.0 specification. That spec melds IEEE 802.11u (an 802.11 amendment with features for improving Wi-Fi interworking with external networks) with WFA Voice-Enterprise and WPA2-Enterprise certifications to automate hotspot discovery and selection, streamline authentication, protect data and support both inter-provider roaming and on-demand access.

How will Passpoint work? Picture a dual-mode smartphone, chowing down on 3G bandwidth when entering a Wi-Fi hotspot.

  1. Via 802.11u protocols, the phone learns about available hotspot capabilities, including network services and inter-provider agreements. From there, it can make an automatic policy-based decision about whether or where to roam.
  2. To roam, the phone mutually authenticates with a selected hotspot using a Passpoint-supported 802.1X Extensible Authentication Protocol (EAP) type: SIM, AKA, TLS or TTLS. SIM and AKA reuse the phone's cellular credentials, while TLS and TTLS use certificates or passwords.
  3. Once authenticated, the phone and hotspot exchange keys used by WPA2-Enterprise to stop over-the-air data eavesdropping or replay.
  4. Inter-provider agreements play a critical role, letting hotspots interact with proxy-operated hubs and mobile operator servers to enable payment for authorized services (see WBA). Passpoint hides this from hotspot subscribers with one exception. If the phone does not already have an account, Passpoint supports on-the-spot setup.
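The discovery and selection decision in steps 1 and 2, as an added example (not code from the Hotspot 2.0 specification or from any vendor): a simplified model in which the device auto-joins only WPA2-Enterprise hotspots that advertise a realm and EAP type matching a credential it holds. The class and function names, the scan data and the "home before roaming partner" policy are hypothetical and constructed for illustration.

```python
from dataclasses import dataclass, field

# EAP types the article lists as Passpoint-supported.
PASSPOINT_EAP = {"SIM", "AKA", "TLS", "TTLS"}

@dataclass
class Hotspot:                      # hypothetical model of one scan result
    ssid: str
    security: str                   # e.g. "WPA2-Enterprise" or "open"
    realms: dict = field(default_factory=dict)  # realm -> set of EAP types

@dataclass
class Credential:                   # hypothetical model of a device credential
    realm: str
    eap: str
    home: bool                      # True = home operator, False = roaming partner

def usable(hs, cred):
    """A hotspot qualifies only if the link is WPA2-Enterprise and it
    advertises the credential's realm with the credential's EAP type."""
    if hs.security != "WPA2-Enterprise":
        return False                # never auto-join an unencrypted network
    if cred.eap not in PASSPOINT_EAP:
        return False
    return cred.eap in hs.realms.get(cred.realm, set())

def select(hotspots, creds):
    """Return (ssid, realm, eap), or None to stay on cellular.
    Assumed policy: home operator first, then roaming partners."""
    best = None
    for hs in hotspots:
        for cred in creds:
            if not usable(hs, cred):
                continue
            rank = (0 if cred.home else 1, hs.ssid)
            if best is None or rank < best[0]:
                best = (rank, (hs.ssid, cred.realm, cred.eap))
    return best[1] if best else None

# Constructed sample data: four hotspots seen in one scan, two credentials.
SAMPLE_SCAN = [
    Hotspot("Airport-Free", "open"),
    Hotspot("CafeNet", "WPA2-Enterprise", {"partner.example": {"TTLS"}}),
    Hotspot("LegacyEAP", "WPA2-Enterprise", {"home.example": {"PEAP"}}),
    Hotspot("OperatorWiFi", "WPA2-Enterprise", {"home.example": {"SIM", "AKA"}}),
]
SAMPLE_CREDS = [
    Credential("home.example", "SIM", home=True),
    Credential("partner.example", "TTLS", home=False),
]

if __name__ == "__main__":
    print(select(SAMPLE_SCAN, SAMPLE_CREDS))
```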

Users can still connect manually to hotspots by typing passwords into a portal before launching a VPN client. But users that subscribe to a roaming service get to skip these tedious, error-prone steps, auto-connecting any Passpoint-certified device to any trusted hotspot outfitted with Passpoint-certified infrastructure.

According to Robinson, Hotspot 2.0 plugfests (trials to debug specs and products) are now underway. The Passpoint program will launch in mid-2012; early certified products will ship soon after. However, given the sheer number of players engaged in this symphony, don't expect Passpoint ubiquity anytime soon.

Next-Generation Hotspot: Conducting the Orchestra

In fact, one might dismiss Passpoint as overly ambitious were it not a lynchpin in the WBA's NGH program. Mobile operators are struggling to meet skyrocketing 3G demand; 4G escalates competition for inherently limited resources. An offload solution is badly needed; NGH offers that salvation.

WBA members include both fixed broadband operators and the world's top mobile operators, including AT&T, DoCoMo, Orange and T-Mobile. Combined, these players operate nearly 300,000 Wi-Fi hotspots worldwide.

"We're an operator-centric organization, focused on using Wi-Fi from a services perspective. We're driving NGH to help operators establish roaming interoperability and integrate Wi-Fi into core networks," says WBA CEO Shrikant Shenwai.

NGH builds upon past WBA programs: Wireless Roaming Intermediary eXchange, or WIX (2007) and WISPr 2.0 (2009).

"WIX created a backend specification that operators now use to enable roaming [throughout] an ecosystem. With WISPr, we learned how to use 802.11 and 802.1X," explains Shenwai. "NGH starts with Hotspot 2.0 and details how to deploy seamless roaming in an end-to-end carrier environment."

But NGH is far more than a vision for 3G/Wi-Fi roaming. According to business workgroup chair Tiago Rodrigues, the WBA has completed an NGH Operators Guide, detailing seamless authentication and 3G/4G offload best practices, with implementation and business implications. A series of real-world trials achieved their target in November 2011, and a final report is expected "within weeks."

"We conducted end-to-end tests in production environments, implemented by key industry players," said Rodrigues (see figure at bottom).

  • Step 1 verified 3G roaming between visited and home network operators and via hub providers such as TNS.
  • Step 2 added Wi-Fi hotspots, using devices from vendors such as Cisco and Ruckus that implemented Hotspot 2.0.
  • Step 3 conducted more extensive real-world tests between providers such as Orange and SMART. The final report will document lessons learned by the 16+ operators and vendors that passed NGH tests.

While NGH is ambitious, it has been proven in trials with participants anxious to earn revenue and cut costs through Wi-Fi offload. Yes, ubiquitous roll-out will take time (think 3G). And thorny details such as roaming policy must be worked out. But enterprises should expect mobile operators to start pushing Passpoint/NGH services in 2013. Early adopters might start by enrolling international travelers most likely to reap tangible transparency and security benefits.




It seems like these smart/secure hotspot efforts eventually could be applied to deliver to enterprises what we used to call "fixed-mobile convergence" (FMC) - more accurately called "mobile-mobile convergence." For enterprises, the goal is/was to transition users from cellular to private Wi-Fi when possible for cost reasons and then back to cellular when that's all that's available. The on-premises solution to this problem didn't really take off, but if the smarts are already in the network to help carriers offload cellular traffic and keep users connected and happy (and assuming the right associations at the back end are made), it would seem that an enterprise flavor of this setup could eventually work, too.

It is an impressive amount of technology, but it seems completely operator-driven. To a certain extent, it is a complicated way to serve the users a cigar from their own box!

Let’s for a moment separate voice and data. To switch a voice call from a mobile network to a wireless network with fixed back haul only requires that the mobile devices recognize the wireless network, negotiate the right to use it, establish a connection to an Internet-facing server of the mobile operator and then use that pipe instead of the mobile connection. There has been a protocol for this for many years (GAN/UMA), but apparently the solution was too cheap (did not bring in enough extra money for the operators) to get implemented. The biggest problem is that it allows users to bypass the roaming tariffs. Your story doesn't say so, but I expect that these new protocols will give the operators precise control over locality and allow them to either block or charge access through foreign hotspots.

For data, the solution is even simpler: as soon as an accessible wireless network with Internet connectivity is detected, the user’s data sessions can move off the mobile network. No need to bother the servers and cash register of the mobile operator. Until IPv6 with mobile IP is implemented, we may need a little service from the mobile operators, their NAT gateway, to keep established sessions alive.

What are the goals of these projects? Will a user with a mobile contract be able to use any hotspot, or will we again witness how our connectivity is used as a game of monopoly between big businesses, in the name of shareholder value?
The key difference between the telephone networks and the Internet has always been that the latter was user-driven. No centralized control structures, no top-down decision making and look what it brought us. Maybe it is time for a similar approach to mobile networks including "mobile-wireless convergence".


Joanie, Ernst,

I think you're both getting at enterprise-centric FMC vs. carrier-centric FMC debate. The key difference being who is in control of authentication, routing, and of course resulting revenue/expense.

Historically, carrier-centric FMC extended a cellular network operator’s mobile voice solution to integrate with selected enterprise assets, from indoor connectivity by corporate WLANs to calling features (e.g., directory, voicemail) by corporate IP PBXs. The best-known carrier-centric FMC solution is the one cited by Ernst: Unlicensed Mobile Access (UMA). As he notes, carriers have been slow to embrace UMA for reasons that include loss of voice revenue, lack of control over private network QoS, and the complexity of integrating a plethora of IP PBX systems.

Alternatively, enterprise-centric FMC extended a private corporate network and IP PBX to deliver a consistent set of voice services to mobile devices, even when users roam onto external cellular networks. Unlike carrier-centric FMC, enterprise-centric FMC requires little or no collaboration with a cellular operator. Instead, an enterprise IP PBX can deliver Unified Communication services by routing business calls through an adjunct UC server. Alternatively, a dedicated Mobility Controller can route business calls by interacting with Mobility Clients running on dual-mode 3G/Wi-Fi handsets. Either way, e-FMC lets the enterprise authenticate the user/device and make routing (and roaming) decisions.

Circling back to hotspot roaming, Hotspot 2.0 and Passpoint are needed to help manufacturers embed necessary capabilities into mobile devices and make sure they interoperate in a consistent, proven way with WLAN infrastructure and back-office systems, no matter who owns those piece parts and how they might be assembled into a roaming service. In my view, carrier-centric NGH is the "carrot" - a compelling business reason for operators and their equipment suppliers to bother implementing and testing this Hotspot 2.0 foundation.

But once a Passpoint foundation has been established, perhaps enterprise-centric alternatives can use it to automate roaming between privately-operated WLANs and commercial (3G/4G+hotspot) networks. To apply Ernst's analogy, enterprises could then smoke their own cigars free of charge, while using subscriptions to auto-pay for cigars consumed when away from that box.

Yes, that's what I was getting at, Lisa. Once a standard next-gen Wi-Fi hotspot foundation is in place, perhaps enterprises could piggyback on that foundation for their own roaming and cost-control reasons.

Initially, enterprise FMC focused on voice; to enable a voice session to roam on and off underlying cellular and Wi-Fi networks without interruption. There were a couple reasons/drivers. First, a user in motion might move out of cellular coverage but be in an area with Wi-Fi coverage. The goal was to prevent the call from dropping and, worse, the user having to sign on to the local hotspot with a credit card and related administrative malarkey to call back the person he/she was talking to. And callbacks were only doable if the user had a softphone (e.g., Skype) on the handset to make a VoIP-over-Wi-Fi call.

The second big driver for enterprises was toll bypass; to keep employees OFF the mobile operator's network whenever possible to avoid eating into monthly allotted minutes and not incurring overage charges, which are particularly hefty when employees roam overseas and, heaven forbid, hop from country to country throughout Europe.

The motivation today for operators, I believe, is simply capacity planning to keep up with DATA and multimedia loads on their networks. Their 3G networks are groaning under the weight of all the traffic (starting with the launch of the iPhone) and even at 4G speeds, we see users ticked off that carriers are having to throttle their speeds. (Note: I'm a user advocate, of course. However, I do think throttling is the most fair alternative carriers have available to them under current circumstances until more capacity becomes available. It's a better alternative than disconnecting people.)

Anyway, now that wireless DATA has finally come into its own after a couple decades of false starts, the carriers have acknowledged that they need to supplement their networks with capacity wherever and however they can get it. Generally, they're not all that crazy about something out of their control being part of their network service (e.g., unlicensed Wi-Fi), but what are they to do?

So what I see is that the carriers have their own operational (and yes, revenue-generating) agenda: to find a structured, secure approach to using Wi-Fi as part of their mobile network footprints. But I'm hoping the rest of us can benefit from their Wi-Fi offload efforts not only for more consistent and reliable coverage/capacity everywhere (the operators' goal) but also to support enterprises' own roaming/cost-control strategies.

Ernst, I think the biggest difference between the mobile networks and "The Internet" is the availability and ownership of network resources.

In the case of mobility, there is limited licensed spectrum and capacity. Spectrum is specifically assigned to respective carriers who, for all intents and purposes, "own" it.

On the wired side of things, there's an almost infinite amount of cable/fiber, routers and switches that can be deployed to keep building "The Internet" out farther and farther and to foster competition with others ("my fiber is as good as your fiber!").

Unfortunately, circumstances are a bit different with the airwaves - spectrum is limited and assigned and not all frequencies are created equal, in terms of serving the same applications. - Joanie

New white paper on Passpoint just published by Wi-Fi Alliance here:



Note that two features are deferred until 2013:

- Immediate account provisioning
- Operator policies

The latter refers to mechanisms to support operator-specific subscriber policies, including network selection policy. In other words, enterprise control over hotspot selection - especially relevant in locations like airports where several "equivalent" hotspots exist and enterprises may want to pick one based on subscription or cost.

Awesome - thanks for posting, Lisa!

The Wi-Fi Alliance has finally started certifying products under the Passpoint program. The first Wi-Fi CERTIFIED Passpoint products to achieve certification:

* BelAir 20E
* Broadcom Dualband 11n WiFi and Dual Band 802.11n AP
* Cisco CT2500 Series WLAN Controller and LAP1260 Series AP
* Intel® Centrino® Advanced-N 6230
* Marvell Plug – 88W8787 802.11 a/b/g/n Reference Design
* MediaTek Hotspot 2.0 Client V1
* Qualcomm Atheros Dual-Band XSPAN 802.11n AP and WLAN Adapter
* Ruckus Wireless ZoneFlex 7363 and ZoneDirector 1100

In a Wi-Fi Alliance poll of smartphone and tablet users in the US, UK, France, Japan, China, and Korea, 77 percent agreed that Passpoint-like service availability would motivate them to switch providers, either immediately or at contract end. Personally, I'd have to see the service's pricing and footprint before I could honestly answer that question!

For more info about Passpoint, including a link to the Hotspot 2.0 spec upon which Passpoint products are based, visit http://www.wi-fi.org/passpoint
