Escolar Documentos
Profissional Documentos
Cultura Documentos
1. Introduction
Wi-Fi hotspots are expected to have an important
role in future provisioning of anywhere, anytime connectivity [1, 2]. They are quickly being deployed at
locations that tend to attract nomadic users, such as
cafes, airports, hotels, and conference centers. Although hotspots have limited range, they offer lower
installation costs and higher bandwidth than do competing alternatives, such as 3G wireless.
However, many hotspots have low utilization and
are unprotable [3]. This low utilization is not due to
incompatibility (many users notebook computers and
PDAs have a Wi-Fi interface) or other technologies
This project was funded in part by the Pittsburgh Digital Greenhouse through a grant from the Commonwealth of Pennsylvania, Department of Community and Economic Development.
dominance (3G deployment has been slow in most markets). The observed unprotability could limit growth
in the deployment of Wi-Fi hotspots.
Billing is often cited as a problem area that contributes to low hotspot utilization [3]: Existing billing
methods have drawbacks that turn away many potential users. Three of the most common methods are subscription, pay-per-use account, and prepaid token. Subscriptions give to the provider a steady revenue stream
and to the user the convenience of a xed price and
single monthly payment. However, subscriptions are
nontrivial commitments. Several concerns may militate
against such a commitment, including user doubts about
whether he or she will need access in a covered area often enough to justify the cost of a subscription. Users
can also be concerned about provider reliability.
Instead of a subscription, users may set up a pay-peruse account with a provider. Pay-per-use accounts typically draw funds automatically from one of the users
bank or credit card accounts, when the user gains access. Pay-per-use accounts can be less wasteful than are
subscriptions to sporadic users. However, many users
hesitate to open such an account with a provider that
is not perceived as reliable and well-established in areas frequented by the user. Many providers are startups
that do not meet such criteria. Moreover, a user may
occasionally need access in places that are not served
(directly or by agreement) by any of the providers that
serve areas more frequently visited by the user.
In the latter cases, users may prefer prepaid tokens
(PPTs). PPTs contain an id and password that are typically revealed by scratching a card and are activated
after rst use for a limited time. A user does not need
to set up any account to buy such a token; payment may
be, e.g., by cash or credit card. Prepaid tokens offer little risk to users. However, such tokens can complicate
access because they need to be physically obtained from
a vendor. In many cases (e.g., at an airport), vendor location may be inconvenient or not obvious. Moreover, a
vendor location may be closed when a token is needed.
Proceedings of the 29th Annual IEEE International Conference on Local Computer Networks (LCN04)
0742-1303/04 $ 20.00 IEEE
This paper contributes an alternative billing architecture using virtual prepaid tokens (VPTs) and experimentally evaluates its performance. Users can buy a
VPT from a provider without any relationship between
them before or after a specic access session. Users buy
VPTs at the point and time of access, using a third-party
online payment server. Users can employ the same
server also for making or receiving many other types of
payment. Therefore, such an account is more exible
than is a conventional pay-per-use account, which can
be used only to purchase access from a specic provider
or set of providers. Like physical prepaid tokens, VPTs
do not require users to maintain a possibly wasteful subscription with the access provider. However, because
VPTs are bought online, they have several advantages
relative to PPTs, including saved time and no need of
stafng outlets for selling them.
The main difculty in VPT implementation is that
most current hotspot architectures authenticate a user
before authorizing any Internet access by the user. VPT
purchases require, however, that unauthorized users
communicate with payment servers on the Internet. The
VPT architecture accommodates such communication
while blocking all other Internet access by unauthorized users. Communication between user and payment server is secured end-to-end by SSL. The payment
server authenticates the user, debits the users credit or
bank account for the price of access, and credits that
amount to the provider. After verifying payment, the
provider authorizes full Internet access by the user.
VPTs involve more steps than do the password-based
authentication schemes typically used for subscriptions
and pay-per-use accounts. On the other hand, our experiments show that users arriving at a hotspot can buy
a VPT and gain full Internet connectivity in less than 15
seconds, i.e. much less time than it would take to buy
and activate a physical token.
VPTs can be used in hotspots that employ a captive
portal [4] or 802.1x [6] to authenticate users. Most current hotspots use a captive portal, but 802.1x enables
much better security. In particular, 802.1x enables mutual authentication between user and hotspot and persession encryption keys at the link layer. Although the
VPT architecture is secured end-to-end by SSL, 802.1x
can provide a valuable additional line of defense at the
link layer.
This paper also contributes a novel scheme that allows a single access point to support users authenticated by captive portal or 802.1x. Using this scheme,
hotspots can introduce 802.1x without disrupting service to legacy users. The main difculty for this integration is how to support broadcast packets, given that not
all clients may be using link-layer encryption. Our so-
Proceedings of the 29th Annual IEEE International Conference on Local Computer Networks (LCN04)
0742-1303/04 $ 20.00 IEEE
access
point
5.Check password
LDAP
server
6.Access accept
gateway
Internet
Figure 1. Captive portals provide an intuitive Web-based interface for user authentication. No
special conguration is necessary in user computers.
Proceedings of the 29th Annual IEEE International Conference on Local Computer Networks (LCN04)
0742-1303/04 $ 20.00 IEEE
LDAP
server
12. Establish account
5.Reserve id
4.Order VPT
access
point
gateway
Internet
online
payment
server
Figure 2. Users can employ an account with a third-party online payment server to buy a virtual
prepaid token for hotspot access. User and hotspot need not have any relationship before or
after access.
Proceedings of the 29th Annual IEEE International Conference on Local Computer Networks (LCN04)
0742-1303/04 $ 20.00 IEEE
Proceedings of the 29th Annual IEEE International Conference on Local Computer Networks (LCN04)
0742-1303/04 $ 20.00 IEEE
802.1x
server
WiFi
client
captive
portal
access
point
FTP
server
router
Internet
online
payment
server
Figure 3. Testbed used in the experiments. The proposed techniques involve changes only in
the access point and captive portal.
8. Experimental results
This section presents experimental results from a
prototype implementation of the proposed techniques.
Fig. 3 shows the testbed used. Reported averages are
the result of ve tries.
We implemented on an IBM ThinkPad T30 1.8 GHz
PC an access point with integrated gateway functionality, as described in Sections 2, 3, 6, and 7. This PC
contains an integrated Wi-Fi interface based on the Intersil Prism 2.5 chipset. It ran Linux 2.4.20 and a modied version of the HostAP 0.0.3 Wi-Fi driver [23]. The
modications necessary for our techniques increased
HostAPs code by roughly 32 KB. Additional memory
is necessary for maintaining session status. For 50 sessions, the additional table memory needed is about 1
KB. These results suggest that the proposed techniques
can be adopted in memory-constrained access points.
Testbed clients were two other T30 1.8 GHz PCs
running Windows XP Professional SP 1 and Internet
Explorer 6.0.28 congured to remember passwords and
auto-ll forms (to reduce variations due to data entry).
The 802.1x clients were congured to use the PEAP
protocol and dynamic WEP. The 802.1x authentication
Proceedings of the 29th Annual IEEE International Conference on Local Computer Networks (LCN04)
0742-1303/04 $ 20.00 IEEE
Latency (s)
0.6
2.6
2.3
1.4
0.6
6.8
14.3
gured both clients with captive-portal or 802.1x authentication or each client with a different authentication method. We also congured either client to use
the integrated Prim 2.5 Wi-Fi interface while the other
client uses a Netgear, Orinoco Gold, Cisco Aironet 350,
or the integrated Prism 2.5 Wi-Fi interface. (The Cisco
interface needed to be congured to allow association
to mixed cell; the other interfaces used do not have an
equivalent conguration option.) We veried that both
clients operated correctly in all of the tested congurations.
9. Conclusions
Support for VPTs and simultaneous captive-portal
and 802.1x authentication can be added to an access
point with little extra memory, negligible overhead, and
good interoperability with various clients.
For occasional hotspot users, VPTs offer several advantages relative to other billing options. Unlike a subscription, VPTs do not have a monthly carrying cost. Instead of a pay-per-use account with the provider or aggregator, which can be used only to purchase access at
certain hotspots, VPTs use an account with a third-party
online payment server, which allows the user to employ
the account for any other payments as well. And unlike
physical prepaid tokens, VPTs allow a user to order and
obtain Internet access from a provider in less than 15 s,
even if the user has no previous or subsequent relationship with that provider or that providers aggregator.
Simultaneous support for captive-portal and 802.1x
authentication allows hotspots to provide recent Wi-Fi
security improvements to those clients whose conguration supports them, without disrupting legacy clients.
Improvements include mutual authentication between
client and hotspot (e.g. using EAP-TLS or PEAP) and
link-layer packet encryption and authentication with
dynamic per-session keys (e.g. using dynamic WEP,
WPA, or 802.11i). These improvements can provide a
valuable extra line of defense against attacks in the WiFi network. However, hotspots typically can provide
Proceedings of the 29th Annual IEEE International Conference on Local Computer Networks (LCN04)
0742-1303/04 $ 20.00 IEEE
Table 2. Access point modications to support VPTs and simultaneous captive-portal and
802.1x authentication have negligible impact on performance (standard deviations represented
between brackets)
Auth. method
802.1x
Captive portal
Access point
unmodied
modied
unmodied
modied
References
[1] Wi-Fi Alliance. http://www.weca.net/
[2] IEEE, Wireless LAN medium access control (MAC)
and physical layer (PHY) specications, 1999.
http://standards.ieee.org/getieee802/
download/802.11-1999.pdf
[3] A. Stone, For-Fee Hot Spots Strive to Make Wi-Fi Pay,
Pervasive Computing, IEEE, pp. 3-7, July 2003.
[4] G. Appenzeller, M. Roussopoulos, and M. Baker, UserFriendly Access Control for Public Network Ports, in
Proceedings of INFOCOM, IEEE, pp. 699-707, March
1999.
[5] H. Xia and J. Brustoloni, Detecting and Blocking
Unauthorized Access in Wi-Fi Networks, in Proceedings of IFIP Networking2004 Conference, SpringerVerlag, Lecture Notes in Computer Science, 3042:795806, May 2004.
[6] IEEE, Port-based network access control, 2001.
http://standards.ieee.org/getieee802/
download/802.1X-2001.pdf
[7] C. Rigney, S. Willens, A. Rubens, and W. Simpson, Remote Authentication Dial In User Service (RADIUS).
RFC 2865, June 2000.
[9] A. Palekar, D. Simon, G. Zorn, , and S. Josefsson, Protected EAP protocol (PEAP). Internet Draft, Mar. 2003.
Proceedings of the 29th Annual IEEE International Conference on Local Computer Networks (LCN04)
0742-1303/04 $ 20.00 IEEE