Roaming and Service Management in Public Wireless Networks Using an Innovative Policy Management Architecture

Idir Fodil (1, 2), Guy Pujolle (2)
(1) 6WIND, Advanced Networking Architectures, Montigny-le-Bretonneux, France
(2) LIP6, Laboratory of Paris6 University, Paris, France
{Idir.fodil, Guy.Pujolle}

ABSTRACT

Nowadays, public wireless local area networks (WLANs), commonly called hotspots, are being widely deployed by WISPs (Wireless Internet Service Providers) as a means of offering ubiquitous Internet access to their customers. Although a substantial number of solutions have been proposed to improve security, mobility and quality of service on the wireless side, access network management, which is mandatory, remains a very significant concern. This paper describes RSM-WISP, a new management architecture designed for WISPs to facilitate the implementation and management of the services they offer at the access side of the WLAN, and to manage roaming contracts between WISPs. Our architecture is based upon the policy-based management principles introduced by the IETF, combined with more intelligence at the network edge. RSM-WISP is composed of two elements: a WISP management center (MC) that deploys policies and monitors all the WLANs, and a programmable access router (CPE) located in each WLAN. The CPE ensures service enforcement, service differentiation (access to different service levels) and guarantee, user access management, and dynamic WLAN adaptation according to the user's SLA (service level agreement). It also permits automatic service updates according to users' requirements. Roaming management is achieved on the CPE through multiple service provider support capabilities. This approach provides WISPs with a simple, flexible and scalable solution that allows easy service deployment and management at the access. This management architecture has been implemented, tested and validated on 6WINDGate routers.

Keywords: WLAN, Hotspot, IEEE802.11, WISPs, Policies, PBM, Management, Services, SLA, Roaming

1. INTRODUCTION

Recent years have seen expanding advances in new access network technologies that aim to provide users with high speed access to the Internet and the ability to use their network services everywhere and at any time. Among these, the IEEE802.11 [1] standard has confirmed that it is the simplest and most effective technology for providing network access in public places to users equipped with wireless cards.

Initially, this technology was seen as a potential threat to existing network services for both wireless operators and Internet service providers. But the growing deployment of hotspot networks by new service providers (supermarkets, restaurants, trains, airports ...) led them to take a more positive view and to integrate hotspots as a complement to their existing offerings [2, 3, 4]. At the same time, demand for more discerning network services such as security, quality of service and mobility has significantly increased in order to fit emerging user applications such as VoIP, VoD, multimedia instant messaging, interactive gaming, etc.

In order to provide their users with their subscribed service levels, and to benefit from public WLAN deployment, WISPs must be able to efficiently manage their public wireless networks on both the wireless side and the Internet access side. Wireless management, which consists in guaranteeing micro mobility, security and quality of service on the wireless side, is currently supported by significant projects in the research, industry and standardization communities. For access network management, the main functionalities are to provide means for service
specification and deployment, service differentiation, user access management, security guarantee and roaming management [5, 6].

Currently, there are numerous solutions that allow access management in WLAN networks. However, most of them do not achieve service differentiation, dynamic WLAN adaptation and heterogeneous network support [7]. Moreover, there is no available roaming model in hotspot networks. This situation motivated us to research a novel management architecture that offers WISPs the ability to provide efficient service deployment and management.

In this paper, we propose RSM-WISP, an efficient, simple and scalable management architecture for public WLANs, which enables service differentiation between users, network adaptation according to users' SLAs, heterogeneous access network support, and roaming management.

This architecture is based on the use of IETF policy-based management (PBM) [8, 9], enhanced with our improvements that allow more intelligence in access equipment. In RSM-WISP, access management is processed at the IP level in the access routers instead of the access points. For policy configuration, XML schemas have been defined, offering an open, easy and customizable management architecture.

We have implemented and validated this architecture on 6WINDGate routers, and we will use it in the context of the INFRADIO project [20], which aims to deploy a large IPv6 WLAN in university campuses with advanced functionalities such as user access control.

The rest of the paper is organized as follows. Hotspot management requirements are provided in section 2. The RSM-WISP architecture, policy specification, implementation and currently deployed usage scenario are detailed in section 3. Finally, the conclusion and current and future work are overviewed.

2. ACCESS NETWORK MANAGEMENT

The target scenario is a packet-switched wireless data network based on the IEEE 802.11 wireless access technology. In a typical public wireless network, users access Internet services via access points (APs) in each cell over the wireless channel, and the APs are interconnected via the wired backbone. Multiple cells form a subnet; several subnets together cover the entire public place and are interconnected via an access router.

2.1 Management Objectives

In order to identify the hotspot access network management requirements, some roles need to be identified. The actors can be categorized as one of the following:
- Single point WISP: a business venue/site owner that offers public WLAN services as a value add to other core services, for example hotels, airports, coffee shops, etc.
- Multiple point WISP: traditional service providers such as ISPs and GSM/GPRS/3G operators that offer hotspot services as part of their offerings.

According to these roles, hotspot access management can be grouped into two families: WISP management and roaming management.

WISP management: WISP management is a set of tools enabling efficient operation of the hotspot network within its resources, in accordance with WISP goals. It consists of the following points:
- Network Provisioning: setting up suitable quality of service configurations in order to meet user needs, and maintaining effective hotspot operation.
- Reactivity: network monitoring and automatic adaptation when degradations affect services.
- Access Management: authentication and authorization of the users.
- Adaptation: dynamic hotspot configuration according to the user's service level agreement.
- Accounting: varied billing strategies must be supported, such as free access, prepaid access for a certain amount of time or volume, pay per period of use, and differential fees for higher bandwidth.
- Robustness and scalability: in order to provide the same management process in all the hotspots belonging to the same WISP.
- Heterogeneous access network support: providing multiple point WISPs with the ability to include a hotspot offer in their services. This means that users can buy an Internet access and use it at home (DSL or cable) and also in the hotspots of their provider.

Roaming Management: To provide attractive hotspot services with user security assurance, convenience and always the same level of service, it is mandatory that customers can use their Internet services when away from their WISP's networks without having to buy a new subscription. To achieve this goal, roaming contracts must be established between service providers. There are two different roaming scenarios:
- Per bandwidth: this roaming contract is between a single point WISP and a multiple point WISP. The single point WISP rents a specific bandwidth to the multiple point WISP, who applies its own user and service management strategies. A single point WISP may have contracts with one or several multiple point providers. For example, in an airport we can find one or several multiple point WISPs.
- Per user: this roaming relationship is established between multiple point WISPs, like roaming in GSM networks. When users arrive in a foreign network, authentication is done between the user, the foreign WISP and the user's WISP. After successful authentication, the user is authorized to access the available services. After disconnection, the foreign provider invoices the user's WISP.

2.2. Management Challenges

Hotspot management should achieve network service planning, service differentiation between users, service guarantee, rapid reaction when services are not suited, and roaming handling.

Numerous solutions have been proposed [12, 13, 14, 15, 16], but most of them do not address the whole access management paradigm. Some provide AAA functionalities (authentication, authorization, accounting), others provide security, and others mobility management. Moreover, dynamic WLAN adaptation according to users' SLAs, service differentiation, heterogeneous network support, and roaming management are not achieved.

The first reason is that service differentiation and heterogeneous network support cannot be achieved using layer 2 based solutions, because they are link layer specific and cannot provide means for identifying services. Secondly, management is distributed among the access points of the WLAN, which is not an optimal network management solution because more than one AP has to be configured and adapted [19]. Thirdly, dynamic network adaptation according to users and services is a very difficult and challenging task with currently available network management tools. And finally, roaming management is very complex in such an environment, because multiple service provider support on a hotspot network is still a hard task.

The key missing piece is an access management architecture that facilitates a real integration of all the management requirements in a simple and efficient manner. Unfortunately, current network management cannot provide suitable tools for achieving the above needs. This is essentially due to the fact that network management is not much automated, and needs skilled staff with accurate knowledge of the various management tools. Moreover, existing tools are closed, service specific and do not allow new service deployment. This makes network management extremely complex and very difficult, which weighs down and slows down the introduction of new services, and significantly increases service providers' operating costs.

2.3. Policy Management Solution

Many projects have been carried out by the research and industrial community, especially by the IETF, and led to the design of a new network management model based on the use of policies, named policy based management (PBM).

The most significant benefit of policy-based network management is that it promotes the automation of establishing management level objectives over a wide range of network devices. Policy-based network management allows much more rapid modification of the management requirements after deployment, and adapts rapidly to changing management requirements via run-time reconfiguration, rather than re-engineering new object modules for deployment [10].

We investigate the use of the IETF policy based management approach in wireless LAN networks, combined with central management held by the access router instead of the access points. We have enhanced the IETF architecture because, even though it is a worthy foundation, it is incomplete: service providers' and users' needs have not been translated into suitable policies [11], and intelligence is not distributed among network equipment. Furthermore, we focused on designing an IP level solution, because it is the only way to differentiate services and to provide access-network-independent support.

As a result, we designed a policy architecture that provides WISPs with the ability to offer innovative and differentiated services to their customers, to manage them in a simpler, easier and more cost effective way, and to have roaming contracts with other WISPs.

The key technical innovation of our architecture is that access routers are programmable, allowing dynamic, easier and faster service deployment, user management, and roaming management. This is done thanks to the automatic translation of users' service level
agreements and WISP service specifications into XML policies, which are pushed from the management center towards the access router. These policies are dynamically and quickly translated into network configurations when users log on, thanks to a robust policy architecture implemented on the router, simple and light XML schemas, an advanced filtering engine that combines quality of service and filtering actions, IP address management through a DHCPv4/DHCPv6 server or IPv6 stateless mechanisms, and RADIUS functionalities. In addition, users are able to modify their requested services or to request new ones. Furthermore, roaming management is achieved through multiple service provider support on the access router, by providing a virtual dedicated router for each WISP.

3. IETF POLICY BASED MANAGEMENT

3.1 Policy Definition

From RFC 3198, "a policy can be defined from two perspectives: a definite goal, course or method of action to guide and determine present and future decisions... and a set of rules to administer, manage and control access to network resources". In other words, policies allow managing the network in terms of users, services and applications, not in device-technical terms. A policy is a set of rules that command the network how to operate. Policies are based on the SLA jointly agreed between an ISP and its client. SLA translation into device-dependent configuration is done through policies. A policy is defined as follows:

    IF Conditions Then 1st list of actions
                  Else 2nd list of actions.

A policy may include one or more conditions, and one or more actions. If the conditions (some or all) are evaluated to true, then all or part of the actions must be enforced. Conditions express when to act, whereas the actions express what to do.

3.2 Architecture

In this approach, a central decision server, called the Policy Decision Point (PDP), provides the underlying equipment, called Policy Enforcement Points (PEPs), with configuration directives to be followed, in the form of policies.

The policy exchange between the PDP and its PEPs may be achieved using SNMP, Diameter, LDAP or a proprietary communication protocol. However, the RAP Working Group has created the Common Open Policy Service (COPS) protocol for that purpose. The PDP takes decisions either with or without being solicited (outsourcing and provisioning mode, respectively).

Fig1. The IETF Policy Based Management (figure not reproduced; labelled elements: Policy Server, Directory Server, Network, Transaction Protocol, Time Protocol)

3.3 Blanks of this Architecture

There are two major drawbacks in this architecture and in the policy representation model proposals:
− Lack of a transition model between the SP-client SLA and the network devices: for example, to set up a videoconference, contractually defined with a delay, a loss rate, a jitter and a bandwidth rate, the SP network administrator must know the scheduling and queuing algorithms (among others) to be used, in order to specify policies that correctly configure the routers and ensure good service delivery. Today's network equipment diversity makes this difficult to achieve correctly, due to the lack of an equipment-independent transition mechanism between the videoconference parameters and the network equipment configurations.
− No intelligence in the PEPs: this is due to the fact that PEPs in this model have no memory of previous events or of the network state. Moreover, all intelligence is concentrated at the PDP, which directs the PEPs on how to react to events by downloading policies, even when the same events recur. This leads to a non-scalable architecture, since the PDP has to manage a different policy set for each PEP. Moreover, the PEP relies on the presence of the PDP, even in cases where this is not absolutely necessary. Let us take as an example a LAN where the administrator can always access the Internet, whenever and from wherever he or she is logged in. For this, the following policy is pushed from the PDP to the PEP:

    "If (source address = specified address) then allow web traffic for source address" ... (1)

Each time the administrator gains access to the network, the PDP sends her/his IP address to the PEP in order to re-evaluate policy (1) and to install it.

3.4 How to fill the gap?

The proposed approach to fill the first gap introduced in the last point is to dissociate the network infrastructure from the offered service. Adding a further abstraction level is necessary. This abstraction level provides the administrator with the possibility of deploying services without having to know which device parameters to configure. It allows the service level agreement to be translated into an equipment-independent configuration. In the previous example, the SP administrator must only specify the QoS (rate, delay, and jitter) and security parameters that are written in the agreement.

Concerning the second gap, we extend the PEPs' functionalities in order to allow them to take more decisions. This is done by redefining policies as follows:

    On event
         IF Conditions Then 1st list of actions
                       Else 2nd list of actions.

As events, one can cite the arrival of a new user, a new application, etc. Conditions contain parameters related to the event, such as user profile and application type, and to network equipment parameters, such as time of day, quality of service, number of users, etc. Actions are related to services, such as allowing a certain type of traffic, VPN establishment, DiffServ QoS marking, etc.

The PDP installs these policies on the PEP, which monitors events by itself and makes the appropriate policy decisions. If we consider the LAN administrator example taken before, the following policy will be pushed only once from the PDP:

    On New User (If user=administrator) then
                allow web traffic

The PDP only directs the PEP on how to evaluate the administrator's user IP address (scripts, AAA client, syslog, mobile agents). Thanks to that, the PEP enforces the policy by itself without needing PDP mediation. Using this policy model, we create a distributed management model where more intelligence is pushed toward the PEPs (access networks). Moreover, the number of messages exchanged between PEPs and PDP is reduced. And finally, more scalability and flexibility are brought to the PBM architecture.

4. RSM-WISP

The main objective of the RSM-WISP architecture is to provide WISPs with suitable tools enabling them to efficiently manage their networks and users, and to establish and manage roaming contracts with other WISPs. Based on the policies installed on the access router by the WISP, and according to the user's SLA containing the allowed services and QoS parameters, the access router configures itself dynamically to ensure the contracted service. For roaming management, according to the roaming contract (per user or per bandwidth), WISPs can install their own policies on the router and manage their users. The policies of different WISPs are separated, and we assume that no conflict can happen between them since the access router appears as a dedicated router for each WISP.

4.1 Architecture

The RSM-WISP architecture has two main components (figure 2): the management center, which takes on the guarantee of the SLAs sold by the WISP, and the access router (CPE) linking the public WLAN to the Internet.
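As an added illustration of the two PEP models contrasted in sections 3.3 and 3.4 (this is example code written for this page, not code from the paper or from 6WIND), the following Python simulation runs the same sequence of logins through a classical PEP, which has no memory and outsources every event to the PDP so that the PDP re-sends an address-specific rule like policy (1) each time, and through an event-condition-action PEP that receives the generic "On New User (If user=administrator) then allow web traffic" policy once and evaluates it locally while keeping network state. The users, addresses, the message counting and the class names are constructed assumptions.

```python
"""Classical (memory-less, PDP-mediated) PEP versus event-condition-action PEP.

Added example for sections 3.3/3.4 of the paper; all names and data are constructed.
"""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Set, Tuple


@dataclass(frozen=True)
class Event:
    kind: str       # e.g. "new_user" (the "On event" part of a policy)
    user: str
    src_ip: str


@dataclass
class EcaPolicy:
    """On <on> IF <condition> THEN <then_actions> ELSE <else_actions>."""
    on: str
    condition: Callable[[Event, dict], bool]
    then_actions: List[str]
    else_actions: List[str] = field(default_factory=list)


class PDP:
    def __init__(self) -> None:
        self.messages_to_pep = 0    # every PDP -> PEP message is counted

    def decide(self, ev: Event) -> List[Tuple[str, str]]:
        """Classical outsourcing: re-evaluate and ship a rule bound to one address."""
        self.messages_to_pep += 1
        if ev.kind == "new_user" and ev.user == "administrator":
            return [("allow_web", ev.src_ip)]   # policy (1) instantiated for this address
        return []

    def provision(self, pep: "EcaPEP", policies: List[EcaPolicy]) -> None:
        """Enhanced model: one provisioning message carries the generic policy."""
        self.messages_to_pep += 1
        pep.install(policies)


class LegacyPEP:
    """No memory and no local decision: every event goes to the PDP."""
    def __init__(self, pdp: PDP) -> None:
        self.pdp = pdp
        self.rules: List[Tuple[str, str]] = []

    def handle(self, ev: Event) -> None:
        self.rules.extend(self.pdp.decide(ev))


class EcaPEP:
    """Keeps network state and evaluates the installed policies itself."""
    def __init__(self) -> None:
        self.policies: List[EcaPolicy] = []
        self.state: Dict[str, Set[str]] = {"known_users": set()}
        self.rules: List[Tuple[str, str]] = []

    def install(self, policies: List[EcaPolicy]) -> None:
        self.policies.extend(policies)

    def handle(self, ev: Event) -> None:
        self.state["known_users"].add(ev.user)          # memory of previous events
        for p in self.policies:
            if p.on != ev.kind:
                continue
            actions = p.then_actions if p.condition(ev, self.state) else p.else_actions
            self.rules.extend((a, ev.src_ip) for a in actions)


# The generic policy of section 3.4, written as an EcaPolicy.
ADMIN_WEB = EcaPolicy(on="new_user",
                      condition=lambda ev, state: ev.user == "administrator",
                      then_actions=["allow_web"])

# Constructed login sequence: the administrator connects from three different addresses.
LOGINS = [
    Event("new_user", "administrator", "10.0.0.5"),
    Event("new_user", "guest", "10.0.0.20"),
    Event("new_user", "administrator", "10.0.1.7"),
    Event("new_user", "guest", "10.0.0.21"),
    Event("new_user", "administrator", "192.0.2.9"),
]


def run_comparison(events: List[Event] = LOGINS) -> dict:
    legacy_pdp, eca_pdp = PDP(), PDP()
    legacy_pep, eca_pep = LegacyPEP(legacy_pdp), EcaPEP()
    eca_pdp.provision(eca_pep, [ADMIN_WEB])          # pushed only once
    for ev in events:
        legacy_pep.handle(ev)
        eca_pep.handle(ev)
    return {
        "legacy_pdp_messages": legacy_pdp.messages_to_pep,
        "eca_pdp_messages": eca_pdp.messages_to_pep,
        "legacy_rules": legacy_pep.rules,
        "eca_rules": eca_pep.rules,
        "eca_pep_known_users": sorted(eca_pep.state["known_users"]),
    }


if __name__ == "__main__":
    for key, value in run_comparison().items():
        print(f"{key}: {value}")
```

Both PEPs end up enforcing exactly the same three allow rules, but the classical model costs one PDP message per login (five here) and fails entirely if the PDP is unreachable, whereas the event-driven PEP needs one provisioning message and then decides on its own, which is the message reduction and PDP independence the section argues for.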
Fig2. RSM-WISP Architecture (figure not reproduced)

The Management Center: The management center is the component of the architecture related to the WISP. It is responsible for the SLA negotiation, the generation of the relevant policies and the application of these policies on the access router (CPE). The management center is responsible for deploying the same policies on all the WLANs of the same WISP, thus ensuring the same service for users in all WLANs. It also allows the WLANs to be monitored and new policies to be deployed. The management center is a set of five modules:
− Service Portal (SPo): the business interface between the service provider and the customers. The service portal provides the customer with a graphical SLA negotiation interface and a graphical service trade interface.
− The Customer Agreement Database (CAD): the database where the WISP-customer SLAs are stored. Careful attention must be paid to the security of the Customer Agreement Database.
− The Policy Server (PS): the core of the management center. This module is responsible for generating the set of WISP policies that will be enforced on the network access routers, for monitoring the multiple WLANs and for taking decisions if any problem occurs. This monitoring is done thanks to periodic reports sent by the access routers and to monitoring requests sent from the PS toward the CPE.
− The Policy Database (PDB): ensures the storage of the policies.
− Management Tool (MNT): used by the WISP administrator to manage the PS, the databases and the Service Portal.

The Access Router (CPE): Rather than configuring and managing each access point by itself, we choose to configure the access router. In that way, user re-authentication within the same WLAN is avoided, and handoff delays are reduced. Moreover, access point provisioning and management can be done by the router, allowing a global view of the network and more efficient resource management. In the RSM-WISP architecture, the CPE is the equivalent of the PEP+PDP (policy enforcement and policy decision points) [8, 9] of the IETF architecture. The CPE is more "intelligent" than a simple PEP since it has the capability of monitoring events, keeping network state, and providing users with the ability to modify their services on the fly. The CPE plays the following roles:
− Enforcement of the policies sent by the PS,
− Translation of these policies into proprietary configurations,
− Auto-adaptation according to the network state,
− Reconfiguration or solicitation of new PS policies,
− Response to monitoring requests sent by the PS,
− Periodic delivery of monitoring information up to the PS,
− Storage of the policies sent by the PS.

Management Center and Access Router communication: The policy server is the link between the management center and the access routers. The communication between the Policy Server and the access routers is achieved via five exchanges: provisioning (from PS to CPE) through a secured protocol, policy enforcement reports, on-demand monitoring (the PS sends a monitoring request to the CPE), periodic monitoring information reports (periodically sent from CPE to PS), and policy solicitation (when an unknown behavior occurs, the CPE sends a request to the PS; the PS deals with the problem, takes the appropriate decisions and sends the relevant policies to the CPE).

4.2 Policy Specification

In order to provide policies that allow an appropriate translation of WISP and user requirements onto access router configurations, we have specified the entire service provisioning and adaptation process. Thanks to this model, we have identified two policy families: WISP Policies and Roaming Policies.

Roaming Policies: These point to the subscribed roaming contracts between the WISPs. They contain parameters related to the foreign WISP, the associated roaming model, and AAA parameters. If a foreign WISP has a per bandwidth roaming contract, it inserts its own policies for user and service management, as described below. But if the contract is per user, service deployment is done only when a new user connects to the hotspot, and according to the parameters pushed by the foreign WISP. In other words, when a roaming contract is established on the per user model, users coming from foreign WISPs are treated as users of the local WISP.

WISP-Service Policies: These policies define the set of policies chosen by the WISP administrator in order to manage their own services and users. Foreign WISPs that have a per bandwidth contract also insert their own WISP-Service policies in order to manage their users and services. We divide these policies into service specification, service update, user access management and on-demand service policies.
- Service Specification Policies (SSP): These policies represent the full description of the service deployment methods adopted by the WISP to manage its services. Since deploying differentiated services consists in specifying IP service parameters (port, protocol, etc.) and their quality of service, we divide the SSP policies into two categories: QOSP and FAP.
  - Quality of Service Policies (QOSP): These policies allow WISPs to specify their own services according to the quality of service strategy adopted in the hotspot network. Obviously, the specified strategies depend tightly on the home WISP's quality of service strategy. Where DiffServ is applied, each service is assigned to a specific class of service (example: VoIP in EF, Web in BE) with associated parameters. Where a non-DiffServ strategy is used, each service is assigned a specific queue on the output.
  - Filtering Action Policies (FAP): These policies give a description of the services through filtering rules. The parameters of the filtering policies can be static (example: destination port = 80) to handle known services, or dynamic (pushed when a session is launched) to handle applications such as VoIP, VoD, etc. The filtering rules can be either IPv6 or IPv4. In order to provide users with their guaranteed service levels, the filtering policies are applied in coordination with the quality of service policies. This is done

    On Service update IF request = "change" then
                      service_bandwidth = "new_rate"

- User Access Management Policies (UAMP): UAMP policies allow access control management of the users by specifying which types of users have access to which services, under which conditions, and dynamic network adaptation according to the users' SLA. When applying these policies, the access router adapts itself to meet the user's quality of service requirements contained in the service level agreement (SLA). There are two possible types of SLA that a WISP can sell, which lead to two possible types of UAMP policies:
  - Per service SLA: in this SLA, users can choose one or more services from the service list, and for each service specify their own quality of service parameters. For example, the WISP sells VoIP, FTP, Mail, Web, VoD, and Video Conferencing. User John buys VoIP and Mail, while Barbara buys VoD, Mail and FTP. Each service of each user has its own quality parameters. In order to give the WISP the ability to manage their users and services, the UAMP policies have been defined as follows:

        On New User
        If (service name) and (conditions)
        Then Authorize service
        Else re-adaptation

    Conditions are related to quality of service parameters (available bandwidth, etc.), date, time, number of currently running service sessions, etc. Re-adaptation consists in authorizing the service, even when the conditions are not met, through dynamic quality of service reconfiguration. For example, the voice over IP service is programmed using the following policy:

        If (service = VoIP and VoIP available bandwidth)
                                                                 Then authorize VoIP else Readapt.
    thanks to an enhanced filtering engine that
                                                           If there is no available bandwidth for VoIP
    combine filtering and quality of services
                                                           service, then the access router evaluate if it
                                                           can recover bandwidth from other classes or
- Service updates Policies (SMP): In network
                                                           change its configuration thanks to Readapt
  management process, the WISP must be able
  to dynamically change its current services
                                                         - Packaged SLA: in this SLA, services are
  specification. For example, it may change
                                                           grouped in different packages, and users can
  bandwidth or services parameters. For those
                                                           buy one among them. Each package has its
  reasons we have defined the services updates
                                                           specific QoS parameter. For example gold
  policies that provide WISP with ability to
                                                           package contain VoIP, Mail and Web with
  dynamically change its current configuration.
                                                           20, 20 and 20 Kbps respectively. Time
  Currently, we provide means for changing
                                                           connection is related to the entire service
  Bandwidth parameters of existing service or
                                                           package. In this SLA, when user buys a
  class of service in DiffServ case. This policy is
                                                           package, he/she is given a profile. In order to
  defined as follows:
                                                           manage this packages, the WISP will
program its access router using the following UAMP policies:

        On New user If (user_profile) and (conditions) then
            Allow list of services
        Else degrade to other profile

    Conditions are related to the available bandwidth on the access router, or to the number of currently connected users. For example, for the gold package above, the WISP will use:

        if (user = gold) and (available bandwidth) then
            Allow Mail, VoIP, Web
        Else degrade to silver package.

    The available bandwidth condition provides a means of checking whether there are enough resources for the specified service package.

  For both SLAs, the UAMP policies provide a means of dynamic service deployment thanks to automatic router adaptation.
- On-Demand Service Policies (ODSP): These materialize the value-added services that a WISP may offer to its customers. For example, a user may change his profile from silver to gold in order to get better quality on voice over IP. The application of a service update policy modifies the filtering policies that have been applied for the user: for example, new filtering actions may be added to allow more services, or a traffic conditioning component may be updated to allow more bandwidth. These policies give users a means of service upgrade and are pushed directly from the user terminal to the access router (through a web interface or some protocol). They have two main objectives: to let users change their requirements dynamically, and to let them configure the access equipment according to their SLA stored on the user side (smart card). At present, we have defined the following policy:

        On Update if (request = "change") Then
            (user_profile = "new_profile")

  This policy allows users to change their profile dynamically, and thus to get more services without interruption.

4.3 Architecture Implementation

As described in the previous section, access routers play the major role in the RSM-WISP architecture. They enforce services, manage users, and provide value-added services to these users. The PS (policy server) provisions the policies and monitors the public wireless networks. In this section, we describe the RSM-WISP implementation on the access router. We have used the following access router functionalities: dual stack (IPv4 and IPv6 support), DHCPv4/DHCPv6 server, RADIUS client, filtering, and quality of service.

Figure 3 shows the elements of the RSM-WISP implementation architecture.

Policy Manager: All policies defined in our architecture are described and validated using XML schemas and installed using a CLI (command line interface), an XML/HTTP connection, or a web interface, directly or from a remote machine. The Policy Manager, which is handled by the WISP administrator, can receive policies from foreign WISPs with which it has roaming contracts. It is responsible for validating the policies against their XML schemas, storing them in a database, and sending Add/Delete/Update messages to the appropriate WISP block. The entire Policy Manager has been developed in C++, because it provides more flexibility and scalability for implementing new services. For XML validation and translation, we have used the libexpat library, a simple and efficient library written in C.

WISP block: When a foreign WISP establishes a roaming relationship according to the per-bandwidth model, a new module called a WISP block is instantiated on the access router. The WISP block contains the policy enforcement, policy rule tree and monitoring modules.

Fig3. Router Policy Implementation (CLI, XML/HTTP and Web front ends; Policy Manager with its database; one WISP Block per roaming partner, each with Policy Enforcement, Policy Rule Tree and Monitoring; Users Database; Event Manager; Users Associated Router Rules; Router Services API over QoS, AAA Client, Filtering and DHCP)
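As an added example (not code from the paper), the following Python models the UAMP policies of section 4.2 and the service update policy, so that the re-adaptation and degradation branches can be traced on the figures of section 5: ten VoIP sessions of 40 Kbit/s fill the 400 Kbit/s VoIP class, an eleventh is rejected by the session ceiling, a Mail session beyond the class rate is admitted by re-adaptation from unallocated link bandwidth, and a gold request is degraded to silver while VoIP is saturated. Router, ServiceClass, the method names and the gold/silver package contents are assumptions of this example.

```python
# Added example, not code from the RSM-WISP paper: a model of the UAMP admission
# policies of section 4.2 (per-service SLA with re-adaptation, packaged SLA with
# degradation) and of the service update policy. Router, ServiceClass, the method
# names and the gold/silver package contents are assumptions of this example.
from dataclasses import dataclass, field
from typing import Dict, Optional


@dataclass
class ServiceClass:
    rate: int           # class rate set by the QoS policy (Kbit/s, as in the paper)
    used: int = 0       # bandwidth committed to admitted sessions
    sessions: int = 0   # number of admitted sessions


@dataclass
class Router:
    link_rate: int
    classes: Dict[str, ServiceClass] = field(default_factory=dict)
    session_limit: Dict[str, int] = field(default_factory=dict)   # e.g. 10 VoIP sessions
    packages: Dict[str, Dict[str, int]] = field(default_factory=dict)  # best package first

    @property
    def unallocated(self) -> int:
        return self.link_rate - sum(c.rate for c in self.classes.values())

    def _conditions_ok(self, name: str) -> bool:
        # conditions other than bandwidth: service exists, session ceiling not reached
        cls = self.classes.get(name)
        return cls is not None and cls.sessions < self.session_limit.get(name, 1 << 30)

    def _readapt(self, name: str, need: int) -> bool:
        """Re-adaptation: grow class `name` by `need` Kbit/s, first from unallocated
        link bandwidth, then by recovering idle bandwidth from the other classes."""
        cls = self.classes[name]
        take = min(need, self.unallocated)
        cls.rate += take
        need -= take
        for other_name, other in self.classes.items():
            if need == 0:
                break
            if other_name != name:
                take = min(need, other.rate - other.used)  # never below what its users hold
                other.rate -= take
                cls.rate += take
                need -= take
        return need == 0

    def admit_service(self, name: str, rate: int) -> str:
        """Per-service SLA: If (service) and (conditions) Then authorize Else re-adapt."""
        if not self._conditions_ok(name):
            return "reject"
        cls = self.classes[name]
        outcome = "authorize"
        if cls.rate - cls.used < rate:
            if not self._readapt(name, rate - (cls.rate - cls.used)):
                return "reject"
            outcome = "readapt"
        cls.used += rate
        cls.sessions += 1
        return outcome

    def admit_package(self, profile: str) -> Optional[str]:
        """Packaged SLA: If (user = profile) and (available bandwidth) Then allow the
        package Else degrade to the next lower package. Returns the package granted."""
        order = list(self.packages)
        for candidate in order[order.index(profile):]:
            wanted = self.packages[candidate]
            if all(self._conditions_ok(s) and self.classes[s].rate - self.classes[s].used >= r
                   for s, r in wanted.items()):
                for s, r in wanted.items():
                    self.classes[s].used += r
                    self.classes[s].sessions += 1
                return candidate
        return None

    def update_service(self, service: str, new_rate: int,
                       from_service: Optional[str] = None) -> dict:
        """Service update policy: raise `service` to new_rate, taking the difference
        from `from_service`, or from unallocated bandwidth when no 'from' is named."""
        cls = self.classes[service]
        delta = max(0, new_rate - cls.rate)
        if from_service is not None:
            src = self.classes[from_service]
            granted = delta if src.rate - src.used >= delta else 0  # keep its sessions whole
            src.rate -= granted
        else:
            granted = min(delta, self.unallocated)
        cls.rate += granted
        return {"service": service, "rate": cls.rate, "granted": granted, "from": from_service}


def build_6wind_router() -> Router:
    """Section 5 configuration: 1.2 Mbit/s link, CBQ classes local/VoIP/Web/Mail and
    ceilings of 10 VoIP, 20 Web and 20 Mail sessions. The two packages are assumed."""
    return Router(
        link_rate=1200,
        classes={"local": ServiceClass(200), "VoIP": ServiceClass(400),
                 "Web": ServiceClass(200), "Mail": ServiceClass(200)},
        session_limit={"VoIP": 10, "Web": 20, "Mail": 20},
        packages={"gold": {"VoIP": 20, "Mail": 20, "Web": 20},
                  "silver": {"Mail": 20, "Web": 20}})
```

One design point worth noting: re-adaptation only takes bandwidth that other classes are not actually using (rate minus used), so a class is never shrunk below what its admitted sessions hold; the paper's "recover bandwidth from other classes" does not state that bound, but without it a re-adaptation for one user silently breaks the SLA of others.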
Policy Enforcement: The policy enforcement module is the heart of the policy architecture on the access router. It ensures the following tasks:
- After reception of the policies from the Policy Manager, it translates them into C++ objects, stores them in a tree structure, and processes them. The policies which can be applied directly (QoS policies) are translated into router rules thanks to the Router Services API module. For the others, it notifies the event module of the event types it is waiting for (UAMP policies are launched by the arrival of new users).
- It communicates with the monitoring module to get local router information, for example bandwidth use or the number of users.
- It keeps state about the services deployed for each user, in order to remove them when the user leaves the network. These states are stored in the users associated router rules base.
- Periodically, or on request, it sends monitoring reports to the Policy Manager.
The policy enforcement module has also been developed in C++.

Monitoring: The monitoring module gives the policy enforcement module a global view of all local router parameters and states. Currently we can monitor quality of service, filtering, and date and time parameters. In addition, monitoring provides information that is essential for billing: the amount of data transferred per IP address, the last time an IP packet went through the router, etc. The monitoring module can be accessed using XML requests or simple function calls. All the monitoring information is sent to the policy enforcement point, or can be sent directly to the Policy Server (PS). In addition, the PS can access the monitoring module directly by sending XML requests.

Router Policy Tree: Policies are translated from XML and stored in a tree structure, as shown in figure 4. This tree is composed of the following objects:
- The Policy entry object is the root of the tree and contains Policy-St objects. Each Policy-St object represents a single policy; its structure is depicted in figure 4.
- Policy Wait is an object containing the event that will launch the policy execution. This object communicates with the event module in order to be notified when the event occurs.
- Policy-Cond is the object containing the condition(s) of the policy. When the event occurs, the event module sends a notification to the Policy-Cond object, which evaluates the condition in order to execute one of the two branches of the policy (Then or Else).
- The Action object contains the different actions that take place when the event has occurred. These actions are quality of service and filtering actions.
This tree has a lookup complexity of O(1), because when a new event is raised, the associated set of policies is retrieved directly, without searching the entire tree.

Users Database: This database contains information about connected users, such as profile, IP address, team and others. The WISP administrator uses it through the policy manager module, and also to obtain statistical information.

Event Manager: This module is responsible for managing events such as the arrival of a new user, a new application request, or other events. It interacts with existing modules such as authentication, the web server, and the CLI. Moreover, this module allows new functionalities to be added to the policy manager, such as other authentication mechanisms or new events. The event manager has been written in C.

Users Associated Router Rules: This file contains the indexes of the actual router rules deployed for each user. The index is small because it contains only a single entry per user. This file allows services to be removed or updated for users.

Fig4. Policy Tree Implementation
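An added example, not the paper's C++ implementation, of the policy tree and rule index described above: policies are stored under the event they wait on (Policy Wait), so dispatching an event touches only that bucket; each policy's type-condition decides whether it concerns the event at all, its Policy-Cond picks the Then or the Else branch, and every rule produced for a user is recorded in a per-user index so that all of them can be removed when the user leaves. Action, PolicySt, PolicyTree and the event dictionary layout are assumptions of this example; the two policies installed are UAMP policies 1 and 2 of section 5.3.

```python
# Added example, not the paper's C++ implementation: the router policy tree of
# section 4.3 as an event-keyed table (Policy Wait -> Policy-Cond -> Then/Else
# actions), plus the users associated router rules index that lets the router
# remove a user's rules when the user leaves. Action, PolicySt, PolicyTree and
# the event dictionary layout are assumptions of this example.
from dataclasses import dataclass
from typing import Callable, Dict, List


@dataclass(frozen=True)
class Action:
    kind: str     # "filter" or "qos": the two action families of the paper
    detail: str   # what the Router Services API is asked to install


@dataclass
class PolicySt:
    ident: int
    wait: str                        # Policy Wait: the event type that fires the policy
    applies: Callable[[dict], bool]  # type-condition: is this policy about this event?
    cond: Callable[[dict], bool]     # Policy-Cond: chooses the Then or the Else branch
    then: List[Action]
    otherwise: List[Action]


class PolicyTree:
    def __init__(self) -> None:
        self._by_event: Dict[str, List[PolicySt]] = {}  # event type -> policies, O(1)
        self.router_rules: Dict[int, Action] = {}       # rule id -> installed action
        self.user_rules: Dict[str, List[int]] = {}      # users associated router rules
        self._next_id = 1

    def install(self, policy: PolicySt) -> None:
        self._by_event.setdefault(policy.wait, []).append(policy)

    def dispatch(self, event: dict) -> List[Action]:
        """Deliver an event: each policy waiting on it evaluates its condition and
        runs its Then or Else branch; the resulting rules are indexed per user."""
        fired: List[Action] = []
        for policy in self._by_event.get(event["type"], []):
            if policy.applies(event):
                fired.extend(policy.then if policy.cond(event) else policy.otherwise)
        user = event.get("user")
        for action in fired:
            rule_id, self._next_id = self._next_id, self._next_id + 1
            self.router_rules[rule_id] = action
            if user is not None:
                self.user_rules.setdefault(user, []).append(rule_id)
        return fired

    def user_leaves(self, user: str) -> int:
        """Remove every router rule deployed for `user`; returns how many."""
        rule_ids = self.user_rules.pop(user, [])
        for rule_id in rule_ids:
            self.router_rules.pop(rule_id, None)
        return len(rule_ids)


def build_tree(max_voip_sessions: int = 10) -> PolicyTree:
    """UAMP policies 1 and 2 of section 5.3: the single administrator gets every
    service; a VoIP user is authorized while fewer than 10 VoIP sessions run,
    otherwise the PDP is asked."""
    tree = PolicyTree()
    tree.install(PolicySt(
        ident=1, wait="newuser",
        applies=lambda e: e["profile"] == "Administrator",
        cond=lambda e: e["admins_connected"] < 1,
        then=[Action("filter", "allow all")], otherwise=[]))
    tree.install(PolicySt(
        ident=2, wait="newuser",
        applies=lambda e: "VoIP" in e["services"],
        cond=lambda e: e["voip_sessions"] < max_voip_sessions,
        then=[Action("filter", "allow VoIP (dynamic rule)"), Action("qos", "VoIP class")],
        otherwise=[Action("filter", "pdp_request VoIP")]))
    return tree
```

Note that a second administrator login falls into policy 1's empty Else branch: no rule is produced, so the user stays behind the router's default deny. Keeping the Else branch explicit, even when empty, is what makes the "only one administrator" condition enforceable.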
Router Services API: We have designed this API for the following three reasons:
- to provide a single, simple way to use the router services;
- to gather quality of service and filtering actions in the same module;
- to offer a means of dynamically adding, deleting and updating router rules.
The API services are of two types: function calls and XML requests. XML request support has been added to give a PDP or other advanced equipment the ability to monitor the equipment directly and change its configuration without going through other router modules. For the implementation we have used C, because we access kernel functionalities and performance is a very important issue.

Filtering Module: The filtering module, called PFM, is an engine that allows filtering and quality of service to be deployed at the same time. It works as follows:
- Output interface: implementation of the quality of service queuing disciplines. We specify the queue parameters (bandwidth, priority, borrow, ...) and the scheduling algorithms (CBQ, WFQ, ...).
- Input interface: specification of the filtering rules, based on IP packet fields such as version, protocol, port, ...

Quality of Service Module: This module provides traffic conditioning elements such as droppers, markers and shapers. It allows, for example, traffic limiting per service or per user. This module is very tightly coupled with the filtering engine, since together they provide efficient quality of service and filtering rules. Figure 5 shows the treatment of an IP packet through the QoS and filtering modules (rules + QoS queues).

Fig5. IP Packet Treatment (Router Services API; input filtering rules; forwarding; output queues Queue 1 ... Queue N)

5. THE ACCESS CONTROL SCENARIO

To illustrate the use of the RSM-WISP architecture, we describe the user access control scenario required by WISPs for managing their WLANs. Since the RSM-WISP architecture allows WISPs to deploy the same policies in all their access networks, we can focus our scenario on one WLAN. For this we have deployed a WLAN platform at 6WIND.

5.1 Platform

Figure 6 shows the platform, which is composed of:
- Service Provider RADIUS Server: provides authentication, authorization and accounting for the users. Moreover, we have added the users' SLA attributes to the RADIUS user database, in order to obtain this information during user authentication.
- Management PC: This computer acts as the Policy Server. It allows remote policy installation on the 6WINDGate router using the CLI (over Telnet or SSH), XML over HTTP, or the web interface. (Telnet carries the administrator's credentials and the policies themselves in cleartext; SSH is the management channel to use outside a closed test platform.)
- 6WINDGate Router: this router is the access router of the RSM-WISP architecture. It is programmed with policies in order to react dynamically when new users arrive on the WLAN, or when new applications such as VoIP or VoD are started.
- Wireless Access Points: we have deployed two APs, connected to the access router through an Ethernet hub.
- Mobile computers equipped with WLAN cards.
- All the components of the platform are IPv6/IPv4 capable.

5.2 Usage Scenario

This scenario may be summarized as follows: a WISP (in our case 6WIND) has an Internet access of 1.2 Mbit/s and wants to provide three different services, VoIP, Web and Mail, to its users. The administrator can access all the services without restriction. In our deployment, the administrator specifies the following service conditions: 10 simultaneous VoIP sessions, 20 simultaneous Mail sessions and 20 simultaneous Web sessions. Every user of 6WIND is assigned a service level agreement, stored in the RADIUS server, which contains his/her authorized services and the associated quality of service parameters.
Fig6. 6WIND WLAN Deployment

5.3 RSM-WISP Configuration

In order to meet the above requirements, we need to configure the access router with the appropriate policies and the RADIUS server with the users' contracts.

Access Router Configuration with Policies: The policies are pushed by the administrator to the access router using the management tool and the router web interface. Two sets of policies are provisioned: service specification policies and user access management policies.

Service Specification Policies (SSP): for service specification, the administrator first specifies the quality of service policies, then the filtering rules associated with each service. We have decided to use a non-DiffServ configuration, as follows:
- Default: a class of 200 Kbit/s, used by the WISP for its control flows (administrative and others).
- VoIP service: a class of 400 Kbit/s.
- Web: a class of 200 Kbit/s.
- Mail service: a class of 200 Kbit/s.
- FTP service: a class of 200 Kbit/s.
For the scheduling algorithm, the administrator chooses CBQ. The QoS policies are applied directly on the access router. The input interface (towards the Internet) is divided into 3 queues, and the scheduling strategy between these queues is CBQ (class based queuing): bandwidth not used by one queue is recovered by the others.

The filtering policies are applied only when a user connects to the network, and are removed after

    Quality of Service Policies

    <queue-bandwidth bandwidth="1200 Kbps"/>
    <queue-scheduler scheduler="cbq"/>
    <service-name name="local"/>
    <service-bandwidth bandwidth="200"/>
    <service-name name="VoIP"/>
    <service-bandwidth bandwidth="400"/>
    <service-name name="Web"/>
    <service-bandwidth bandwidth="200"/>
    <service-name name="Mail"/>
    <service-bandwidth bandwidth="200"/>
    </Service>
    </QOS>

    Filtering Actions Policies

    <SERVICE>
    <service-name name="all"/>
    <actions> <action-ident number="1"/>
    <action-type type="firewall"/>
    <action-todo do="allow all"/> </actions>
    </SERVICE>
    <SERVICE>
    <service-name name="VoIP"/>
    <actions> <action-ident number="1"/>
    <action-type type="firewall"/>
    <action-todo do="dynamic"/> </actions>
    </SERVICE>
    <SERVICE>
    <service-name name="web"/>
    <actions> <action-ident number="1"/>
    <action-type type="firewall"/>
    <action-todo do="allow"/> <action-ipver ver="4"/>
    <action-proto pro="6"/> <ipsource ipsrc="hostsrc"/>
    <portsource portsrc="any"/> <ipdestination ipdst="any"/>
    <portdestination portdst="80"/> </actions>
    </SERVICE>
    <SERVICE>
    <service-name name="Mail"/>
    <actions> <action-ident number="1"/>
    <action-type type="firewall"/>
    <action-todo do="allow"/> <action-ipver ver="4"/>
    <action-proto pro="6"/> <ipsource ipsrc="hostsrc"/>
    <portsource portsrc="any"/> <ipdestination ipdst="any"/>
    <portdestination portdst="25"/> </actions>
    </SERVICE>
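As an added example (not the paper's policy manager code), here is how the two policy sets above can be parsed and checked before installation, using a constructed, well-formed rendering of the fragments: the QoS classes are summed against the queue bandwidth (the four classes in the XML total 1000 of the 1200 Kbps), a class defined twice is refused, and each authorized service's filtering action is turned into a per-user rule with "hostsrc" replaced by the user's address, on top of the router's default deny. The QOS, Service and FILTERING wrapper elements are assumptions of this example; the remaining element and attribute names are the paper's.

```python
# Added example, not the paper's policy manager: parsing the QoS and filtering
# policies of section 5.3 with xml.etree, checking the class rates against the
# queue bandwidth, and rendering the firewall rules installed for a user when
# he/she connects. The XML below is a constructed, well-formed version of the
# paper's fragments: QOS, Service and FILTERING wrappers are assumptions.
import ipaddress
import xml.etree.ElementTree as ET
from typing import Dict, List, Optional, Tuple

QOS_POLICY = """<QOS>
  <queue-bandwidth bandwidth="1200"/>
  <queue-scheduler scheduler="cbq"/>
  <Service><service-name name="local"/><service-bandwidth bandwidth="200"/></Service>
  <Service><service-name name="VoIP"/><service-bandwidth bandwidth="400"/></Service>
  <Service><service-name name="Web"/><service-bandwidth bandwidth="200"/></Service>
  <Service><service-name name="Mail"/><service-bandwidth bandwidth="200"/></Service>
</QOS>"""

FILTER_POLICY = """<FILTERING>
  <SERVICE><service-name name="VoIP"/><actions><action-ident number="1"/>
    <action-type type="firewall"/><action-todo do="dynamic"/></actions></SERVICE>
  <SERVICE><service-name name="Web"/><actions>
    <action-ident number="1"/><action-type type="firewall"/><action-todo do="allow"/>
    <action-ipver ver="4"/><action-proto pro="6"/><ipsource ipsrc="hostsrc"/>
    <portsource portsrc="any"/><ipdestination ipdst="any"/><portdestination portdst="80"/>
  </actions></SERVICE>
  <SERVICE><service-name name="Mail"/><actions>
    <action-ident number="1"/><action-type type="firewall"/><action-todo do="allow"/>
    <action-ipver ver="4"/><action-proto pro="6"/><ipsource ipsrc="hostsrc"/>
    <portsource portsrc="any"/><ipdestination ipdst="any"/><portdestination portdst="25"/>
  </actions></SERVICE>
</FILTERING>"""


def _attr(parent: ET.Element, tag: str, name: str) -> Optional[str]:
    el = parent.find(tag)
    return None if el is None else el.get(name)


def parse_qos(text: str) -> dict:
    """Scheduler, queue bandwidth and per-class rates; a policy whose classes
    together exceed the queue bandwidth is rejected instead of installed."""
    root = ET.fromstring(text)
    queue = int(_attr(root, "queue-bandwidth", "bandwidth"))
    classes: Dict[str, int] = {}
    for svc in root.findall("Service"):
        name = _attr(svc, "service-name", "name")
        if name in classes:
            raise ValueError(f"service class {name} defined twice")
        classes[name] = int(_attr(svc, "service-bandwidth", "bandwidth"))
    if sum(classes.values()) > queue:
        raise ValueError(f"classes need {sum(classes.values())} Kbps, queue has {queue}")
    return {"scheduler": _attr(root, "queue-scheduler", "scheduler"),
            "queue_bandwidth": queue, "classes": classes}


def qos_error(text: str) -> Optional[str]:
    """The message the policy manager would return for a rejected QoS policy."""
    try:
        parse_qos(text)
        return None
    except ValueError as exc:
        return str(exc)


def parse_filters(text: str) -> Dict[str, dict]:
    """Per service, its filtering action as a dictionary of the paper's fields."""
    fields = {"do": ("action-todo", "do"), "ipver": ("action-ipver", "ver"),
              "proto": ("action-proto", "pro"), "src": ("ipsource", "ipsrc"),
              "sport": ("portsource", "portsrc"), "dst": ("ipdestination", "ipdst"),
              "dport": ("portdestination", "portdst")}
    result = {}
    for svc in ET.fromstring(text).findall("SERVICE"):
        acts = svc.find("actions")
        result[_attr(svc, "service-name", "name")] = {
            key: _attr(acts, tag, attr) for key, (tag, attr) in fields.items()}
    return result


def rules_for_user(filters: Dict[str, dict], authorized: List[str],
                   host: str) -> Tuple[List[str], List[str]]:
    """Rules installed for one connecting user. 'hostsrc' becomes the user's
    address, dynamic services get their rule only when a session starts, a rule
    whose IP version does not match the address is not installed, and everything
    else stays denied (the router starts from 'all traffic forbidden')."""
    addr = ipaddress.ip_address(host)
    static, dynamic = [], []
    for name in authorized:
        f = filters.get(name)
        if f is None:
            continue                      # no filtering policy: service stays denied
        if f["do"] == "dynamic":
            dynamic.append(name)
            continue
        if f["ipver"] is not None and int(f["ipver"]) != addr.version:
            continue
        src = host if f["src"] == "hostsrc" else f["src"]
        static.append(f"{f['do']} ip{f['ipver']} proto {f['proto']} from {src} "
                      f"port {f['sport']} to {f['dst']} port {f['dport']}")
    return static + ["deny all"], dynamic
```

The IP-version check matters on this dual-stack platform: the Web and Mail actions above are IPv4 rules, so a user who only obtained an IPv6 address from router advertisements must not have a rule with his IPv6 address spliced into an IPv4 action; he receives only the default deny until an IPv6 action is provisioned.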
- User Access Management Policies (UAMP): In order to manage user access to the four services, the administrator specifies the UAMP policies. In these policies the administrator also specifies his own access rights, and that there is only one administrator.

    User Access Management Policies

    <policy-ident number="1"/>
    <event type="newuser"/>
    <conditions> <and>
    <type-condition profile="Administrator"/>
    <user-number profile="Administrator" max="1"/> </and>
    </conditions> <then> <service name="all"/> </then>

    <policy-ident number="2"/>
    <event type="newuser"/>
    <conditions> <and> <type-condition application="VoIP"/>
    <session_number maximum="10"/> </and> </conditions>
    <then> <authorize service/> </then>
    <else> <pdp_request/> </else>

    <policy-ident number="3"/>
    <event type="newuser"/>
    <conditions> <and> <type-condition application="Web"/>
    <session_number maximum="20"/> </and> </conditions>
    <then> <authorize service/> </then>
    <else> <pdp_request/> </else>

    <policy-ident number="4"/>
    <event type="newuser"/>
    <conditions> <and> <type-condition application="Mail"/>
    <session_number maximum="20"/> </and> </conditions>
    <then> <authorize service/> </then>
    <else> <pdp_request/> </else>

After this policy provisioning process, the administrator must configure the RADIUS server with the users' identities and their SLAs.

Radius Server Configuration: In our platform, the RADIUS server is used for authentication, authorization and accounting of the users, and for storing the users' service level agreements (SLAs). In this deployment, the SLA contains the service profile and the authorized connection time for each service. For this we added the following attributes for each user in the RADIUS server user database:
- POL_SERVICE: a list of the services authorized for the user.
- POL_TIME: a list of the authorized connection times for the user's services.
- POL_BANDWIDTH: a list of the authorized bandwidths for each user service.
Two examples are given below, concerning the administrator and the author:

    Admin Password = admin
      Pol_Profil = "VoIP, Web, Mail",
      Pol_Bandwidth = "40, 10, 20",
      Pol_Time = "100,300,500"

    John Password = John
      Pol_Profil = "VoIP, Web, Mail",
      Pol_Bandwidth = "40, 10, 20",
      Pol_Time = "100,200,300"

5.4 Access Control Management

Initially, all traffic is forbidden and cannot go through the access router; this is done by setting specific firewall rules.

Authentication and Authorization: In order to demonstrate the practicability of our architecture quickly, we decided to use a simple and robust authentication mechanism: HTTPS combined with a RADIUS client. This is achieved thanks to a web portal and a RADIUS client embedded in the access router. The advantage of this solution is that no specific configuration is needed on the users' machines, because web browsers supporting HTTPS are widely available.

When a new user arrives on the WLAN, he/she obtains an IPv4/IPv6 address using a stateless or stateful configuration mechanism. The stateful mechanism is provided by the DHCPv4 or DHCPv6 server located in the access router; IPv6 stateless configuration relies on the router advertisement messages sent by the access router.

When the user starts an Internet browser, the portal page is displayed automatically, thanks to divert rules. The user enters his login and password. Once this information is validated, the router sends a RADIUS request to the RADIUS server to authenticate the user. The RADIUS server responds with Accept or Reject. The RADIUS Accept response contains the user's service level agreement: services, bandwidth and time.

Dynamic Router Adaptation: The policies installed on the router are evaluated dynamically according to the user's SLA and IP address (which the access router retrieves automatically). For example, when John connects and is successfully authenticated, his SLA indicates that he can access VoIP, Web and Mail with 40, 10 and 20 Kbit/s respectively, for 100, 200 and 300 seconds.

The router evaluates the UAMP policies related to the user's authorized services. For VoIP, the router asks the monitoring module whether bandwidth is available and whether the number of current VoIP sessions is below 10. If so, it authorizes the VoIP flow; otherwise it re-adapts itself. During re-adaptation, the router first checks whether there is a re-adaptation policy. If there is, it applies it and accepts the session; otherwise it asks the PDP for
re-adaptation, and according to the response the router accepts or rejects the VoIP session.

Service Update: When the administrator wants to change the bandwidth of some services, he/she can push a policy directly to the access router, or send an XML request to the Router Services API; we prefer the first method. For example, to increase the Web service bandwidth, the administrator sends the following policy:

    <Service update>
      <update_type="QoS" request="increase" service="service1"/>
      <bandwidth="new_rate" from="service2"/>
    </Service update>

When the access router receives this policy, the rate of service1 is increased to meet the required new_rate, and the rate of service2 is decreased accordingly. If the from parameter contains no service name, for example <bandwidth="new_rate"/>, the access router asks the monitoring module for the available bandwidth; the available bandwidth is then added to service1, and a report is sent to the policy server.

On Demand User Services: Users who are already connected to the network can ask the access router for more services. Currently we have only tested user profile changes; we are implementing dynamic bandwidth updates requested by the user.

Accounting: Once the user disconnects, or is disconnected by the access router (time expiration), an accounting message is sent to the RADIUS server containing the connection duration and, if necessary, the data volume used.

Time and data volume Management: Users are

router will send him/her a unique IPv6 prefix through the router advertisement message and apply the filtering rules according to the user prefix.

5.5 Performance Evaluation

The deployment of our proposed intelligent access router at 6WIND gives very satisfying results in terms of router performance (CPU, memory) and user service establishment. We have started further performance evaluation tests in the context of very large WLAN networks with a large number of users. We will also deploy this architecture in the INFRADIO project to evaluate the cost of policy management combined with wireless LANs, and we will use this solution in an IST project within PLC (power line communications) public access networks. We think that these two projects will give us more results about our architecture, and perhaps other scenarios and enhancements.

[Figure: access control sequence on the router: IP auto-configuration (DHCPv4, DHCPv6 or stateful IPv6); authentication through the web server and AAA client, SLA from the AAA server; event manager; disconnection, voluntary or from the access router; accounting information for billing purposes]

automatically disconnected from the network
when their authorized time duration expired or
                                                                                  Policy Manager
they reached their authorized data volume.
Associated filtering and quality of service rules         Add/delete rules                             Store / delete index

are automatically deleted.                                       Router Service                       Policy Rule Tree
Then entire user management process is depicted
in the figure7.
IPv6 Support: Our architecture works very                             Fig7. Process of User Service Management
well with both IPv4 and IPv6 since our filtering
and quality of service engine is dual stack
capable.                                                6. CONCLUSION
The only problem we have seen with IPv6 is                   In this paper, new network management
related to the privacy. This is due to the fact, that   architecture for roaming and service management
when using IPv6 privacy, a user can have                in hotspot networks has been detailed. The lack
multiple addresses (different interface IP). We         of solutions that allow multiple service provider
have used two solutions:                                support, service guarantee and service
- Access router acts as DHCPv6 server                   differentiation led us to propose this architecture.
- The user authenticates itself using its link local    Our solution allows WISPs to get benefits from
   address. After successful authentication the         the large deployment of public WLANs, by
differentiating services offered to their                          [7] Idir Fodil and Vladimir Ksinant “User Service Management in
                                                                        Hotspot network using Policies”, European Wireless 2004, the
customers, efficient and simple architecture.                           fifth European wireless Conference, February 24-27 2004,
Moreover, since the access routers manage                               Barcelona, Spain
access network, we can extend its functionalities                  [8] A.Westrinen and al, “RFC 3198: Terminology for Policy
                                                                        Based Management ”, IETF, November 2001.
to manage access points and to interact with
                                                                   [9] David Kosiur,”Understanding Policy-Based Networking”.
wireless management solutions. For example,                             Wiley Computer Publishing, 2001.
access router may control radio resources, and                     [10] Raouf Boutaba and Jin Xiao, “ Network Management State of
allow or deny new users that try to associate in                        the Art”, WCC, IFIP World Computer Congress, August
busy or congested access points. This approach is                  [11] O.Corre, I.Fodil, V.Ksinant and G.Pujolle, “ An Architecture
currently subject of lot of works in IEEE and                           for Access Network Management with Policies”, MMNS
IETF [17].                                                              2003, 6th IFIP/IEEE Conference on Network Management,
                                                                        September 2003.
     Compared to the classical IETF PBM
                                                                   [12] Junbiao Zhang and al, “Virtual Operator based AAA in
architecture, our solution offer two major                              Wireless LAN Hot Spots with Ad-hoc Networking Support”,
improvements: (1) A Further abstraction level                           Mobile Computing and Communications Review, Volume 6,
has been added providing the administrator with
                                                                   [13] Joseph W. Graham II, "Authenticating Public Access
the possibility to deploy services without having                       networking", SIGUCCS’02, November 20-23, 2002,
to know which device parameters to configure.                           Providence, Rhode Island, USA.
(2) A distribute management model where more                       [14] IEEE Daft P802.1X/D11: Standard for Port based Network
                                                                        Access Control, LAN MAN Standards Committee of the
intelligence is pushed toward the access                                IEEE Computer Society, March 27, 2001.
equipments (access networks). Furthermore,                         [15] Pekka Nikander, “Authorization and charging in public
because of the IP based, our solution can work                          WLANs using FreeBSD and 802.1x”, USENIX annual
                                                                        technical conference, June 10-15 2002.
over different air interfaces, across wireless LAN
                                                                   [16] P. Kalhoun and al., “Light Weight Access Point Protocol”,
cards from different vendors, and does not                              Internet Draft, June 2003.
require any modification to layer 2 protocols.                     [17] IETF              CapWap            Working           Group,
     Currently, we are working on performances                
tests of RSM-WISP, and its improvement for                         [18] Alper E. Yegin, Yoshihiro Ohba, Reinaldo Penno, George
                                                                        Tsirtsis ,and Cliff Wang, “ Protocol for Carrying
providing roaming between WISPs. We are also                            Authentication for Network Access (PANA) Requirements”,
working on its deployment at large scale in the                         Internet Draft , June 2003.
INFRADIO project in order to get experience                        [19] David Schwab and Rick Bunt,”Characterising the Use of a
                                                                        Campus Wireless Network”, IEEE INFOCOM 2004
and more performances results. In addition, we                     [20] INFRADIO Project :
have also started the implementation of PANA
protocol [18] in context of roaming management
for providing automatic authentication and
authorization, and dynamic service provider
selection for users. And finally, we have started
working on interaction between access
management solution with wireless network
management in order to provider global hotspot
network management approach and architecture.
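As an added illustration (example code written for this edit, not the paper's or 6WIND's implementation), the following Python models how an access router could process the Service Update policy of Section 5: it collects the key="value" pairs of the paper's notation, takes the bandwidth difference from the service named in `from` (refusing a policy that would drive the donor below zero, a check the paper does not spell out), or, when no `from` service is given, asks a monitoring module for free bandwidth, and in every case reports the outcome to the policy server. The service names, the rates in kbit/s, the `monitor_available` figure and the cap at the requested rate are constructed assumptions.

```python
"""Added example (not the paper's code): access-router handling of a Service Update policy."""
import re
from dataclasses import dataclass, field

# Matches the key="value" pairs used in the paper's <Service update> notation.
ATTR_RE = re.compile(r'(\w+)\s*=\s*"([^"]*)"')


def parse_service_update(policy_text: str) -> dict:
    """Collect every key="value" pair of a <Service update> block into one dict."""
    if "<Service update>" not in policy_text or "</Service update>" not in policy_text:
        raise ValueError("not a Service update policy")
    return dict(ATTR_RE.findall(policy_text))


@dataclass
class AccessRouter:
    rates: dict                                  # service name -> current rate in kbit/s (constructed)
    monitor_available: int = 0                   # free bandwidth reported by the monitoring module
    reports: list = field(default_factory=list)  # reports sent back to the policy server

    def apply_service_update(self, policy_text: str) -> dict:
        attrs = parse_service_update(policy_text)
        if attrs.get("update_type") != "QoS" or attrs.get("request") != "increase":
            raise ValueError("unsupported update: %r" % attrs)
        target = attrs["service"]
        if target not in self.rates:
            raise KeyError("unknown service %r" % target)
        new_rate = int(attrs["bandwidth"])          # the paper's new_rate placeholder, as a number
        needed = new_rate - self.rates[target]
        donor = attrs.get("from")
        if needed <= 0:
            return self._report(target, donor, 0, "already satisfied")
        if donor:
            # Take the difference from the named service; never drive the donor below zero.
            if donor == target or self.rates.get(donor, 0) < needed:
                return self._report(target, donor, 0, "rejected: donor cannot supply %d" % needed)
            self.rates[donor] -= needed
            self.rates[target] = new_rate
            return self._report(target, donor, needed, "applied")
        # No donor named: ask the monitoring module and add what is free
        # (capping the grant at new_rate is an assumption of this example).
        granted = min(needed, self.monitor_available)
        self.monitor_available -= granted
        self.rates[target] += granted
        status = "applied" if granted == needed else "partial: only %d kbit/s free" % granted
        return self._report(target, "monitoring module", granted, status)

    def _report(self, target, source, moved, status):
        report = {"service": target, "from": source, "moved_kbps": moved,
                  "new_rate": self.rates[target], "status": status}
        self.reports.append(report)
        return report


# Constructed policies in the paper's notation; 2000 and 3000 stand in for new_rate.
POLICY_FROM_SERVICE = """<Service update>
<update_type="QoS" request="increase" service="service1" />
<bandwidth="2000" from="service2"/>
</Service update>"""

POLICY_FROM_MONITOR = """<Service update>
<update_type="QoS" request="increase" service="service1" />
<bandwidth="3000"/>
</Service update>"""


def demo():
    router = AccessRouter(rates={"service1": 1000, "service2": 1500}, monitor_available=600)
    r1 = router.apply_service_update(POLICY_FROM_SERVICE)   # service1 1000->2000, service2 1500->500
    r2 = router.apply_service_update(POLICY_FROM_MONITOR)   # needs 1000 more, only 600 are free
    r3 = router.apply_service_update(POLICY_FROM_SERVICE)   # service1 already above 2000
    return router, (r1, r2, r3)


if __name__ == "__main__":
    for report in demo()[1]:
        print(report)
```

The donor check matters because a policy is pushed by the administrator without the router being asked first: an increase whose donor cannot cover it would otherwise leave a service with a negative or zero rate, which the rejected report makes visible to the policy server.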
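The Accounting and Time and Data Volume Management steps of Section 5, together with the Event Manager and Policy Manager of Fig. 7, describe one procedure: install the user's rules after authentication, track time and volume, tear the rules down on disconnection and send an accounting message. The Python below is an added example written for this edit (not the paper's code) that walks through that lifecycle for a voluntary disconnection, a time expiration and a volume limit. The `EventManager` class, the rule identifiers and the usage figures are constructed; the RADIUS attribute names in the comments are the standard accounting attributes the message would carry, not something the paper specifies.

```python
"""Added example (not the paper's code): session limits, rule cleanup and accounting."""
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class UserSession:
    user: str
    address: str                 # IPv4 address or IPv6 prefix the user's rules are keyed on
    max_seconds: int             # authorized time duration
    max_bytes: Optional[int]     # authorized data volume, None when unlimited
    elapsed: int = 0
    used_bytes: int = 0
    active: bool = True
    rules: list = field(default_factory=list)   # filter/QoS rule ids installed for this user


class EventManager:
    """Toy model (constructed) of the Event Manager / Policy Manager pair of Fig. 7."""

    def __init__(self):
        self.sessions = {}
        self.router_rules = set()      # rules currently installed in the router service
        self.accounting_log = []       # messages that would be sent to the RADIUS server

    def connect(self, user, address, max_seconds, max_bytes=None):
        sess = UserSession(user, address, max_seconds, max_bytes)
        # After authentication the policy manager pushes the user's filter and QoS rules.
        for kind in ("filter", "qos"):
            rule_id = f"{kind}:{address}"
            self.router_rules.add(rule_id)
            sess.rules.append(rule_id)
        self.sessions[user] = sess
        return sess

    def report_usage(self, user, seconds, nbytes):
        """Usage reported by the monitoring module; enforces the authorized limits."""
        sess = self.sessions[user]
        if not sess.active:
            return None
        sess.elapsed += seconds
        sess.used_bytes += nbytes
        if sess.elapsed >= sess.max_seconds:
            return self.disconnect(user, "time expiration")
        if sess.max_bytes is not None and sess.used_bytes >= sess.max_bytes:
            return self.disconnect(user, "data volume reached")
        return None

    def disconnect(self, user, reason="voluntary"):
        """Tear the session down and emit the accounting message for billing."""
        sess = self.sessions[user]
        if not sess.active:
            return None
        sess.active = False
        for rule_id in sess.rules:            # associated filtering and QoS rules are deleted
            self.router_rules.discard(rule_id)
        sess.rules.clear()
        acct = {"user": user, "cause": reason,
                "session_time": sess.elapsed,       # would map to RADIUS Acct-Session-Time
                "data_volume": sess.used_bytes}     # would map to Acct-Input/Output-Octets
        self.accounting_log.append(acct)
        return acct


def demo():
    em = EventManager()
    em.connect("alice", "10.0.0.10", max_seconds=3600, max_bytes=1_000_000)   # constructed users
    em.connect("bob", "2001:db8:100:1::/64", max_seconds=60)
    a1 = em.report_usage("alice", 30, 400_000)      # still under both limits -> None
    a2 = em.report_usage("alice", 30, 700_000)      # 1.1 MB >= 1 MB -> disconnected
    b1 = em.disconnect("bob")                       # voluntary disconnection
    b2 = em.report_usage("bob", 100, 10)            # ignored, session already closed
    return em, a1, a2, b1, b2


if __name__ == "__main__":
    em, *_ = demo()
    for msg in em.accounting_log:
        print(msg)
    print("rules left in router:", em.router_rules)
```

Checking `router_rules` after the run is the property a practitioner cares about: no filter or QoS rule may outlive the session it was installed for, otherwise a later host that inherits the same address or prefix inherits the previous user's access.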
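The second IPv6 solution of Section 5 (authenticate on the link-local address, then announce a per-user prefix and filter on that prefix) is the one that neutralises the privacy-address problem, because every address a host derives with a new interface ID still falls inside its prefix. The following Python, added for this edit and not taken from the paper, shows that property with the standard library's `ipaddress` module: the `IPv6AccessRouter` class, the documentation-range prefix pool and the credentials are constructed assumptions, and the web-portal authentication of the paper is reduced to a password lookup.

```python
"""Added example (not the paper's code): per-user IPv6 prefix and prefix-keyed filtering."""
import ipaddress

# Constructed pool of /64 prefixes the access router announces in router advertisements.
PREFIX_POOL = ipaddress.ip_network("2001:db8:100::/56")


class IPv6AccessRouter:
    def __init__(self, pool=PREFIX_POOL, credentials=None):
        self.free_prefixes = list(pool.subnets(new_prefix=64))
        self.credentials = credentials or {}     # constructed user database (hypothetical)
        self.prefix_of = {}                      # user -> assigned /64 prefix
        self.filter_rules = []                   # (network, action); first match wins

    def authenticate(self, source, user, password):
        """Accept only link-local sources; on success assign a prefix and key a rule on it."""
        addr = ipaddress.ip_address(source)
        if addr.version != 6 or not addr.is_link_local:
            raise ValueError(f"{source}: authentication must come from a link-local address")
        if self.credentials.get(user) != password:
            return None
        prefix = self.free_prefixes.pop(0)
        self.prefix_of[user] = prefix
        # One rule for the whole /64 covers every privacy address the host derives from it.
        self.filter_rules.append((prefix, "accept"))
        return prefix

    def allowed(self, source):
        """Forwarding decision for a packet from `source`; default deny."""
        addr = ipaddress.ip_address(source)
        for network, action in self.filter_rules:
            if addr in network:
                return action == "accept"
        return False

    def logout(self, user):
        """Remove the user's rule and return the prefix to the pool."""
        prefix = self.prefix_of.pop(user)
        self.filter_rules = [(n, a) for n, a in self.filter_rules if n != prefix]
        self.free_prefixes.append(prefix)
        return prefix


def demo():
    router = IPv6AccessRouter(credentials={"alice": "s3cret"})       # constructed credentials
    prefix = router.authenticate("fe80::1", "alice", "s3cret")
    # Two privacy addresses with different interface IDs, both inside alice's prefix.
    first = router.allowed("2001:db8:100::a1b2:c3d4:e5f6:1")
    second = router.allowed("2001:db8:100::9f3e:7a1c:2b4d:8e55")
    neighbour = router.allowed("2001:db8:100:1::1")                   # next /64, never assigned
    router.logout("alice")
    after_logout = router.allowed("2001:db8:100::a1b2:c3d4:e5f6:1")
    return prefix, first, second, neighbour, after_logout


if __name__ == "__main__":
    print(demo())
```

Filtering on a per-address basis would need a new rule every time the host rotated its privacy address; filtering on the announced prefix needs one rule per user, and the same rule is what the time and volume management step deletes at disconnection.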

[1] IEEE 802.11b/d3.0, Wireless LAN Medium Access Control (MAC) and Physical Layer (PHY) Specification, August
[2] Upkar Varshney and Ron Vetter, "Emerging Mobile and Wireless Networks", Communications of the ACM, Vol. 43, No. 6, June 2000.
[3] Rajeswari Malladi and Dharma P. Agrawal, "Current and Future Applications of Mobile and Wireless Networks", Communications of the ACM, Vol. 45, No. 10, October 2002.
[4] A. Mahler and C. Steinfield, "The Evolving Hot Spot Market for Broadband Access", ITU Telecom World 2003 Forum panel on Technologies for Broadband, Geneva, October 2003.
[5] Donald M. Fye, "Evolution of WLAN Roaming Services", CDG WLAN Technical Forum, Dallas, Texas, October 2,
[6] Michael Kende, "WLAN challenges and opportunities", National Summit on Broadband Deployment, April 28, 2003.
[7] Idir Fodil and Vladimir Ksinant, "User Service Management in Hotspot network using Policies", European Wireless 2004, the fifth European Wireless Conference, February 24-27, 2004, Barcelona, Spain.
[8] A. Westerinen et al., "RFC 3198: Terminology for Policy-Based Management", IETF, November 2001.
[9] David Kosiur, "Understanding Policy-Based Networking", Wiley Computer Publishing, 2001.
[10] Raouf Boutaba and Jin Xiao, "Network Management State of the Art", WCC, IFIP World Computer Congress, August
[11] O. Corre, I. Fodil, V. Ksinant and G. Pujolle, "An Architecture for Access Network Management with Policies", MMNS 2003, 6th IFIP/IEEE Conference on Network Management, September 2003.
[12] Junbiao Zhang et al., "Virtual Operator based AAA in Wireless LAN Hot Spots with Ad-hoc Networking Support", Mobile Computing and Communications Review, Volume 6,
[13] Joseph W. Graham II, "Authenticating Public Access networking", SIGUCCS'02, November 20-23, 2002, Providence, Rhode Island, USA.
[14] IEEE Draft P802.1X/D11: Standard for Port-based Network Access Control, LAN MAN Standards Committee of the IEEE Computer Society, March 27, 2001.
[15] Pekka Nikander, "Authorization and charging in public WLANs using FreeBSD and 802.1x", USENIX Annual Technical Conference, June 10-15, 2002.
[16] P. Calhoun et al., "Light Weight Access Point Protocol", Internet Draft, June 2003.
[17] IETF CAPWAP Working Group,
[18] Alper E. Yegin, Yoshihiro Ohba, Reinaldo Penno, George Tsirtsis and Cliff Wang, "Protocol for Carrying Authentication for Network Access (PANA) Requirements", Internet Draft, June 2003.
[19] David Schwab and Rick Bunt, "Characterising the Use of a Campus Wireless Network", IEEE INFOCOM 2004.
[20] INFRADIO Project:
