SEAMLESS WI-FI OFFLOAD: FROM VISION TO REALITY

APTILO NETWORKS WHITE PAPER

By Claus Hetting, Senior Consultant & Analyst
Copyright Aptilo Networks v2 03-13

ABSTRACT
Seamless Wi-Fi offload is a new paradigm in unified mobile and wireless data services. This paper examines how mobile network operators can build on EAP-SIM and convergent Wi-Fi / 3G / LTE service management solutions to deliver high-quality carrier-class Wi-Fi to smartphones, tablets and non-SIM devices. Solutions will empower operators to address a broad base of users with new business models reflecting a range of new and attractive data service.

HOW
WI-FI OFFLOAD
Interested in WHY? Read our other white paper Seamless Wi-Fi Offload: A business opportunity today

SEAMLESS WI-FI OFFLOAD: FROM VISION TO REALITY

EXECUTIVE SUMMARY
Seamless Wi-Fi offload is enabling a new paradigm in combined Wi-Fi and 3GPP-based broadband data services. Mobile network operators can already today offer automatic, clientless, and convenient seamless Wi-Fi services to smartphones and other SIM-enabled devices with EAP-SIM. The solution allows MNOs to profit quickly from carrier-class Wi-Fi by building a new class of always-on data connectivity addressing smartphone users. Carrier-class Wi-Fi with intelligent service provisioning lets MNOs profit from a range of services based on new business models. MNOs can choose to deploy their own Wi-Fi networks or to partner with existing Wi-Fi service providers for national or international seamless Wi-Fi coverage. In either case proven EAP-SIM authentication and Wi-Fi core service management solutions are available to support a variety of partnership models, deployment schemes, authentication methods and service types. Aptilo Networks has seen offload rates of up to 50% on individual sites saving CAPEX on 3G or LTE equipment while reducing the need for expensive licensed mobile spectrum. Carrier-class Wi-Fi offers quality offload services while spare capacity can be used to serve ad-hoc consumer or B2B customers such as other service providers, venue owners, communities and more. Many options for integration of Wi-Fi into MNO core networks exist today including tunneling of smartphone Wi-Fi traffic back to the mobile core. A variety of network architectures allow MNOs to optimize traffic flows and service policy control while receiving the commercial benefit of seamless Wi-Fi offload. Even more sophisticated means of network selection, traffic optimization, and service control will develop over the next few years (2013-2015). Because many practical requirements for Wi-Fi service deployments are not standardized, MNOs need to adopt service management systems and strategies that address a new reality: Carrierclass Wi-Fi networks are nearly always multi-purpose intended to serve many device and client types. To build combined Wi-Fi / 3G / LTE services as well as services for non-SIM users service management flexibility is required.

SEAMLESS WI-FI OFFLOAD: FROM VISION TO REALITY

SEAMLESS WI-FI: A NEW PARADIGM IN UNIFIED COMMUNICATIONS

There is no question that Wi-Fi offload is one of the mobile industrys most hotly debated business opportunities right now. Many of the worlds largest mobile operators already recognize Wi-Fi as a business-critical technology and some are in the early phases of deploying seamless Wi-Fi offload. A few progressive new operators entering the mobile arena today even consider Wi-Fi their primary technology and use mobile services as a secondary network layer only. The drivers for Wi-Fi offload are well known: Wi-Fi-capable devices are everywhere and more than a billion are equipped with SIM cards. For many users of tablets, smartphones, and laptops, Wi-Fi has become the preferred means of connectivity. Razor-sharp competition is forcing many mobile carriers to cut spending while looking for new ways to stand out in the market. Seamless Wi-Fi services for SIM-enabled users may well be the differentiator that the mobile industry has been looking for. So how can mobile operators turn the vision of seamless Wi-Fi into reality? Aptilo has for more than 10 years been instrumental in transforming the potential of Wi-Fi technology into successful commercial data services serving millions of satisfied Wi-Fi users worldwide through close to 100 service provider customers. The next step is using seamless Wi-Fi offload to satisfy the millions of smartphone and tablet users demanding still more data. Many view the unification of the widely successful world of mobile broadband with the equally successful world of Wi-Fi as a paradigm shift for both. This White Paper examines how to build the right solutions and services to achieve the goal of making carrier-class Wi-Fi seamlessly accessible to SIM-enabled users while efficiently supporting a growing base of non-SIM devices. Contrary to common belief seamless Wi-Fi offload is already available today. The evolution of seamless Wi-Fi will within a few years empower mobile operators to manage and control Wi-Fi networks as fully integrated extensions of their mobile 3G / LTE infrastructure and services.

WHAT IS SEAMLESS WI-FI AUTHENTICATION?

Seamless Wi-Fi authentication allows SIM-enabled smartphones and tablets to access Wi-Fi networks without any user interaction. An iPhone will for example automatically connect to a Wi-Fi network once inside the carriers Wi-Fi coverage area and following authentication based on information stored on his or her SIM. This does not otherwise restrict the use of any 3G or LTE network because Wi-Fi and mobile transceivers operate independently on devices1. A number of carriers and vendors today offer seamless Wi-Fi services for SIM-enabled devices using a device client in the form of a downloaded or preloaded application. An important aspect of nearly all the seamless Wi-Fi solutions examined in this paper is that they do not require thirdparty clients in devices2. Solutions that require the user to take an active role in provisioning his or her cellular device for a service have historically gained only a few subscribers despite the promise of convenience and lower costs.

In the current version of iOS the smartphone or tablet will automatically prefer Wi-Fi to mobile broadband carriers. Over the next couple of years seamless Wi-Fi solutions will evolve to allow the device and the network to interactively control the preferred carrier depending on number of parameters. The evolution of seamless Wi-Fi is discussed later in this paper. Clients may be a requirement e.g. for CDMA operators. Clients can be pre-provisioned in the factory for specific MNOs or provisioned over-the-air although this will introduce an additional administrative process for MNOs.

SEAMLESS WI-FI OFFLOAD: FROM VISION TO REALITY

Even offers of Free Wi-Fi or Free VoIP suffer from this difficulty. From experience it seems that relying on user self-provisioning reduces the addressable market to no more than a few percent. Seamless Wi-Fi offload with EAP-SIM authentication carries with it the potential for global massmarket adoption because smartphone users need to do precisely nothing to enable the service. This is one of the reasons why many industry experts expect EAP-SIM to be a game-changing enabler of new Wi-Fi business opportunities for service providers in the Wi-Fi space.

FROM SIM-BASED AUTHENTICATION TO FULL SERVICE CONTINUITY

EAP-SIM authentication for Wi-Fi offload is the first step on a defined path towards full service continuity across Wi-Fi and mobile networks. A great deal of standardization and industry consensus work is being carried out within the 3GPP and Wi-Fi communities in order that both industries receive the full commercial benefit of offering unified Wi-Fi / 3GPP broadband data services. The unification of Wi-Fi and 3GPP-based networks and services can be broken down into three phases. This evolutionary path will almost certainly be realized over the coming years as it is supported by all major vendors, standardization bodies, and industry organizations. MNOs will be able to choose from a variety of options over the coming years as technologies mature.

The evolution of seamless Wi-Fi for mobile carriers

Figure 1: The evolution of seamless carrier-class Wi-Fi authentication and interworking. Todays solutions are all currently available from Aptilo as are a selection of the integration options of Phase 2 including GTP traffic routing.

SEAMLESS WI-FI OFFLOAD: FROM VISION TO REALITY

SEAMLESS WI-FI OFFLOAD TODAY

The 3GPP and Wi-Fi communities have been working together for years to agree on how mobile and Wi-Fi should interwork. One of the most important items agreed upon is the acceptance of EAP-SIM and EAP-AKA methods for authentication of SIM-enabled devices on Wi-Fi networks. Seamless and automatic Wi-Fi authentication offers great convenience to the smartphone or tablet user. It relies on a signaling exchange between the SIM-enabled device, the Wi-Fi network (including the Wi-Fi service management platform), and the core network of the mobile operator. EAP-SIM Wi-Fi authentication can be implemented between a Wi-Fi network and a mobile 3G / LTE network as shown in the diagram below. All of the parts of the solution are currently available and are fully tested allowing mobile carriers to implement the first phase of seamless Wi-Fi today.

Figure 2: Seamless Wi-Fi offload using EAP-SIM (EAP-AKA) and local WLAN traffic breakout. The device authenticates on the mobile network HLR (or HSS) through the Wi-Fi service management platform including a SIM authentication server.

The interaction-free authentication starts with an EAP-SIM or EAP-AKA message from the smartphone or tablet. The Wi-Fi AP encapsulates the message using a secure 802.1X link and RADIUS. A Wi-Fi access gateway (AG) and service management platform signals toward the HLR (or HSS in the case of LTE) MNO core network using standard SS7 / MAP. The IP-based SIGTRAN protocol can also be used for this signaling, which is especially useful in the case of hosted authentication services. Most vendors use a SIM authentication server to manage the authentication toward the HLR or HSS. Some vendors including Aptilo also have this function pre-integrated in the service management platform. Once SIM-authentication is complete, the device is free to use the Wi-Fi network for data services subject to service policies. Today, device traffic is usually passed to the local Internet with local WLAN breakout, i.e. traffic is routed from the Wi-Fi access gateway to the local Internet thus saving backhaul transmission resources. One of the important benefits of EAP-SIM authentication is that it complies with the known and trusted 3GPP method of using authentication vectors. The method is known for its high level of access security and has played an important role in the global success of GSM and 3G. Wi-Fi network access with EAP-SIM is therefore as secure as todays mobile network access.

SEAMLESS WI-FI OFFLOAD: FROM VISION TO REALITY

TECHNICAL REQUIREMENTS FOR TODAYS SEAMLESS WI-FI

The evolution of Wi-Fi and mobile interworking in the coming years will allow for much sophistication above and beyond the current approach. But already today many MNOs are realizing that seamless Wi-Fi services are achievable through proven means with significant economic benefits. The technical requirements for the first phase of seamless Wi-Fi offload are relatively light: Smartphone and tablet devices need to support EAP-SIM authentication Although EAP-SIM authentication is clientless in the sense that no app or other third-party client is needed, devices still need to support EAP-SIM. Today most leading smartphone operating systems support EAP-SIM including Apples iOS, Android 4.0 or above, Blackberry, Nokia (Symbian) and Windows 8. With a typical replacement cycle for smartphones of two years or less, the global installed base of EAP-SIM and EAP-AKA capable devices is expected to grow quickly. Wi-Fi Access Points need to support 802.1X While EAP-SIM and EAP-AKA define authentication messages, the 802.1X protocol encapsulates messages for delivery. As a consequence Wi-Fi Access Points used for EAPSIM authentication need to support the 802.1x protocol. This is a light requirement because current carrier-class Wi-Fi APs are 802.1X-compliant. SIM authentication services in the Wi-Fi core network Seamless Wi-Fi authentication needs support from the Wi-Fi core network in order to interwork with the HLR or HSS to which the user is subscribed. To complete this part of the process a EAP-SIM / AKA authentication service is needed for example in the form of the Aptilo SIM Authentication Server (SAS). This server forms a part of the Wi-Fi core together with the Wi-Fi service management platform. In Aptilos case the SIM authentication functionality is included as an option in the Aptilo Service Management Platform (SMP). All of the above components are available today and the amount of investment and technical deployment required is minimal compared to the cost and complexity of deploying for example LTE or 3G-based solutions. This is one of many reasons why seamless Wi-Fi offload is gaining momentum as a complement to building mobile broadband capacity with LTE or 3G small cells. Non-SIM users can also be authenticated with EAP-TLS and EAP-TTLS although this is less common today. These methods are mostly used for authentication of devices in enterprise or mobile CDMA networks but can also be used for secure access of non-SIM-enabled Wi-Fi subscribers through certification of devices (EAP-TLS) and authentication servers (EAP-TTLS). The Aptilo solution offers the flexibility of including EAP-TLS and EAP-TTLS in order that MNOs may address the largest possible subscriber base3.

For more on authentication types and methods see chapter 6 of this paper.

SEAMLESS WI-FI OFFLOAD: FROM VISION TO REALITY

EXAMINING THE ROLE OF HOTSPOT 2.0

The Hotspot 2.0 technical specification was created by the Wi-Fi Alliance in 2012 and has since been supported and harmonized with the Wireless Broadband Alliance (WBA) Next Generation Hotspot initiative. Hotspot 2.0 is understood by many to be a prerequisite for seamless Wi-Fi offload. Although Hotspot 2.0 will introduce new valuable tools into the Wi-Fi service provider toolbox, compliance with the full Hotspot 2.0 specification is not a requirement for seamless WiFi offload today. Hotspot 2.0 is a suite of specifications and features intended to render Wi-Fi technology similar to cellular technology plus a number of improvements in security of which most are already in use. The components of Hotspot 2.0 and their relevance to seamless Wi-Fi offload are: IEEE 802.11u: Network discovery and selection Todays devices access Wi-Fi services by using an SSID name to identify the Wi-Fi network. As an improvement 802.11u defines a method for automated access to Wi-Fi networks not defined in the SSID list stored on the device. It also allows the device to react to other useful information such as network and venue type, list of roaming partners, and types of authentication available. Although 802.11u will allow access to more Wi-Fi networks and make Wi-Fi roaming more efficient, carrier-class Wi-Fi offloading -including roaming - can be deployed already today without the use of 802.11u. Secure authentication using EAP methods Hotspot 2.0 includes the EAP-SIM and EAP-AKA methods for authenticating SIM-based mobile broadband devices. This is precisely the method already described as a technical requirement for the seamless Wi-Fi offload solution that can be deployed today. For non-SIM enabled devices the EAP-TLS and EAP-TTLS methods can be used. Enhanced security with WPA2 (802.11i-2004) WPA2 is a part of the Hotspot 2.0 requirement but has been in existence since 2004. WPA2 has for a number of years been a Wi-Fi Alliance certification requirement for Wi-Fi products. This is an important component of Wi-Fi security but is included as standard in all carrier-class Wi-Fi products today. The Aptilo Service Management Platform (SMP) is ready to support the full Hotspot 2.0 suite of standards from day one as soon as 802.11u-compliant solutions become available on the market. The Wi-Fi alliance launched the Passpoint certification program for Hotspot 2.0-capable equipment in June 2012.

SEAMLESS WI-FI OFFLOAD: FROM VISION TO REALITY

HOW DOES CARRIER-CLASS WI-FI MEASURE UP TO 3G & LTE?

Wi-Fi is a best effort and shared resource data service - as are 3G and LTE but there are distinct differences. Comparing Wi-Fi to mobile broadband is a bit like comparing apples to oranges because the two were designed and conceived differently although they often serve the identical purpose of providing wireless broadband connectivity. Wi-Fi is a capacity and not a coverage solution. The range of a Wi-Fi AP is 200 meters at best and is in practice often less than 100 meters. The limited range is governed in part by the fact that Wi-Fi APs by regulation only are allowed to operate at 100 mW of emitted power (in the EU) with devices typically operating at 20 or 30 mW. On the other hand capacity constraints are precisely what many MNOs are facing as a result of the surge in data consumption. Todays carrier-class Wi-Fi solutions use state-of-the-art radio technology to provide an order of magnitude better performance than the sluggish data rates often experienced by users on private home or office Wi-Fi networks. A number of advancements in Wi-Fi radio technology have taken place over the past few years based on the IEEE 802.11n standard and many of them have been achieved by Aptilo partners. The table below indicates performance levels for Wi-Fi, 3G, and LTE. While peak rates are well defined, the user rates in the table are based on typical average conditions. The user rate for carrier-class Wi-Fi assumes dual-band 2.4 GHz and 5 GHz operation. The rates will vary according to distances from the AP, device capabilities, and deployment schemes. Carrier-class Wi-Fi using 802.11n typically performs better than 3G / HSPA+ and will in some cases be comparable in performance to LTE. O2 of the U.K. has openly announced that their outdoor and street-level carrier-class Wi-Fi service provides speeds up to ten times faster than a normal mobile connection.4

Comparing Wi-Fi and 3G/LTE performance:

Figure 3: Typical carrier-class Wi-Fi networks using 802.11n offer better performance than 3G/HSPA+. In some cases 802.11n will perform at levels comparable to LTE depending on device capabilities and Wi-Fi deployment schemes. The table above is indicative only as assumptions beyond the scope of this paper have been applied in deriving the values. For more information on the assumptions contact Aptilo.

The 600 MHz of unlicensed Wi-Fi band is typically not used in a single block but should be viewed as a pool of available frequencies from which Wi-Fi service providers select a number of sub-bands also known as Wi-Fi channels. In the 2.4 GHz band carrier-class Wi-Fi deployments typically use 3-4 channels of 20 MHz bandwidth each. In the 5 GHz band most service providers today will use up to a maximum 9 channels of 20 MHz. These channels are then arranged into a frequency reuse pattern. By selecting from a large pool of available channels, Wi-Fi service providers can keep interference low to achieve high service quality and throughput.

SEAMLESS WI-FI OFFLOAD: FROM VISION TO REALITY

BUILD OPTIONS FOR REALIZING SEAMLESS WI-FI SERVICES

A number of build options exist for MNOs wanting to deploy seamless Wi-Fi services. In many ways the inclusion of Wi-Fi into the mainstream of MNO technologies is a departure from the tried-and-true site acquisition and deployment processes of MNOs that have been in existence since the beginning of mobile.

Figure 4: Build options for monetizing the MNO Wi-Fi offload opportunity. Any or all of the above can be pursued in parallel based on similar technical approaches to EAP-SIM authentication. All of the above require flexible service management to accommodate a variety of services including ad-hoc users and MNO subscribers.

MNOs are faced with a number of options: Building their own Wi-Fi networks to complement 3G / LTE networks, partnering with Wireless ISPs (or cable operators, hotel owners, etc.) or a combination of the two. MNOs may also choose to partner with Wi-Fi hotspot aggregators such as iPass or Boingo. Some MNOs own Wi-Fi hotspot networks that can be used to provide seamless Wi-Fi offload and a number of MNOs are already doing this successfully. A fourth option is for MNOs to acquire existing WISP businesses. Finally, MNOs can choose to offer international SIM-enabled Wi-Fi roaming through partnerships with foreign WISPs. In all cases EAP-SIM seamless Wi-Fi authentication will apply although the details of the Wi-Fi services, Wi-Fi core network support, and mobile core interworking may differ widely.

SEAMLESS WI-FI OFFLOAD: FROM VISION TO REALITY

Any seamless Wi-Fi solution requires not only compliance with 3GPP standards but also flexibility in service management including multiple means of authentication, policy control, and billing. Wi-Fi networks are nearly always multi-purpose serving not only MNO subscribers but also adhoc users and roaming users through other service providers on the same or on parallel physical Wi-Fi networks.

Figure 5: Serving SIM-enabled subscribers seamlessly across Wi-Fi and 3GPP-based networks and serving non-SIM devices on a single combined Wi-Fi network.

WHERE TO BUILD MNO CARRIER-CLASS WI-FI NETWORKS

Seamless Wi-Fi gives MNOs the opportunity to offload mobile traffic to their own Wi-Fi networks for relief of traffic congestion and to offer high-quality Wi-Fi services to both SIM-enabled and non-SIM subscribers. Wi-Fi offload also reduces the need for licensed spectrum. Many 3G / LTE radio equipment vendors offer a Wi-Fi AP option for small cell base stations although Wi-Fi offload networks can be built independently of 3G / LTE networks using standard indoor or outdoor Wi-Fi APs. MNOs need to decide not only how but also where to deploy Wi-Fi. Some parts of the industry are promoting seamless Wi-Fi as part of a hetnet solution for providing service to a few high-density places of congregation, such as sports stadiums and transport hubs. Although such deployment scenarios are attractive, Wi-Fi offload allows operators to benefit from Wi-Fi in a more general sense.

10

SEAMLESS WI-FI OFFLOAD: FROM VISION TO REALITY

Typical traffic distribution for mobile broadband

Figure 6: The typical distribution of traffic on a mobile broadband network. The few mobile sites carrying a large proportion of the total traffic can be offloaded by up to 50% with seamless Wi-Fi offload.

The figure above shows the typical data traffic distribution experienced by many MNOs. The distribution is highly uneven as most of the traffic comes from a few sites. The 80% / 20% rule often applies and some distributions can be even more skewed. This applies not only to cities but also to suburban and rural areas. Seamless Wi-Fi offload can be used effectively in any area where mobile sites are heavily loaded.

CAPACITY GAINS AND SPECTRUM SAVINGS WITH WI-FI OFFLOAD

Carrier-class Wi-Fi has been designed to provide enormous amounts of capacity in small areas. For indoor applications it is typical to deploy about 100 Wi-Fi APs for example in an airport building of 100.000 m2. With 802.11n APs comfortably delivering 50 Mbps each the result is 5 Gbps of capacity5. In the case of outdoor Wi-Fi the AP density is typically lower6 reaching capacities of 1-2 Gbps per km2. Compare this to a single LTE macrosite capable of delivering around 100-120 Mbps. Seamless Wi-Fi solutions today typically offload 20-30% of mobile traffic to Wi-Fi with some Aptilo c reporting up to 50% offload of individual sites. Because the relation between the licensed spectrum need and the peak traffic load is linear, MNOs can today reduce their peak spectrum needs by an equivalent 20-30% or more if mobile traffic can be offloaded during the busy hour in the right high-traffic areas. A practical restriction today is that networks and devices offer little intelligence in controlling where and when mobile traffic is offloaded. The evolution of Wi-Fi offload includes the ANDSF and Hotspot 2.0 functions and device intelligence features addressing this issue.

5 6

According to Ruckus Wireless, U.S.A. See the Aptilo White Paper: Seamless Wi-Fi Offload for MNOs A real business opportunity today

11

SEAMLESS WI-FI OFFLOAD: FROM VISION TO REALITY

MNO CARRIER-CLASS WI-FI CHALLENGES

Carrier-class Wi-Fi is an opportunity but also a challenge. Some of the most important issues are: Lack of deployment opportunities Many attractive indoor locations malls, hotels, airports, retail outlets, sports arenas etc. are already being served by a number of WISPs and it may be difficult for MNOs to negotiate access to such sites in order to install equipment. Access to outdoor installation sites on street furniture such as lampposts and billboards is occasionally possible as local governments realize the growing importance of Wi-Fi connectivity to everyone in the community. The mobile carrier O2 of the U.K. (owned by Telefonica of Spain) in the summer of 2012 deployed a Wi-Fi network on lamppost in the Central London area. O2 smartphone users are today using this Wi-Fi service. Backhaul of traffic from Wi-Fi APs Traffic from indoor Wi-Fi APs can be backhauled through LAN cabling and local switches inside the buildings but identifying suitable backhaul solutions for a grid of densely deployed outdoor Wi-Fi APs is more challenging. Current options include the use of unlicensed 5 GHz mesh Wi-Fi networks for transmission and new forms of non-line-of-sight, point-to-multipoint microwave systems. Dealing with new venue types MNOs with much experience in acquiring and operating base station sites may not fully realize the organizational and sales skills needed to partner with Wi-Fi venue owners. The nature of the Wi-Fi business is such that venue owners must have a vested interest in allowing MNOs to access facilities. This is in sharp contrast to the case where MNOs have full authority over their own base station sites. MNOs thus need to change mindsets from ownership to partnership. Managing multiple authentication types, service packages, and payments If MNOs choose to build hotspots in traditional Wi-Fi venues such as hotels, retail outlets, transport hubs, etc. venue owners will typically require that Wi-Fi networks also serve clients that are not SIM-enabled or existing subscribers of the MNO. Multiple means of authentication and payment are needed. This accentuates the need for a Wi-Fi core network capable not only of seamless Wi-Fi authentication but a range of both standard and new service provisioning options. Part of the solution to dealing with new venue types lies in using the right Wi-Fi service management platforms with features specifically designed to meet a variety of consumer and B2B needs. These include guest Internet services for the hospitality industry that integrate with hotel billing systems, bring-your-own-device (BYOD) Wi-Fi access, customized portals, and more. Aptilo has for years been serving the full range of venues from airports and hospitals to retail chains and stadiums.

PARTNERING WITH WISPS OR CABLE OPERATORS

Partnering with WISPs or cable operators with Wi-Fi networks may be the best option for MNOs with limited access to the right indoor locations. Using the flexibility of for example the Aptilo Service Management Platform (SMP) a range of practical and field-proven solutions is available. A partnering strategy allows MNOs to obtain large seamless Wi-Fi coverage footprints without making their own Wi-Fi investments except for Wi-Fi core and management systems. MNOs also avoid having to refocus their businesses on the unfamiliar processes of building and managing Wi-Fi radio infrastructure and can concentrate efforts on operating mobile infrastructure.

12

SEAMLESS WI-FI OFFLOAD: FROM VISION TO REALITY

Not all WISP partners may fulfill the technical requirement for EAP-SIM authentication, as older Wi-Fi access points may not be 802.1X-enabled. MNOs need to ensure that WISP partners comply with such requirements or select partners that own and operate fully EAP-SIM-capable networks. It is also important wherever possible for MNOs to select partners providing the right Wi-Fi service quality using for example 802.11n-based systems as opposed to legacy APs. Various WISP partners may request a multitude of service policies and roaming payment options as individual WISP expectations and business models can vary widely. The MNO needs to have the right business processes and service platforms in place to manage in the worst case dozens of tariffs and policies across its partnering footprint. Aptilo has years of experience in configuring Wi-Fi service platforms to manage such scenarios effectively.

INTERNATIONAL SEAMLESS WI-FI ROAMING

International seamless data roaming using EAP-SIM and Wi-Fi is perhaps one of the largest untapped business opportunities in the mobile industry today. With mobile roaming tariffs at 1 EUR per megabyte (within the EU) only very few subscribers currently use mobile data roaming. One reason for the high tariffs is that mobile roaming traffic is backhauled to the home network of the MNO through costly international transmission links. Not only is Wi-Fi generally less CAPEX -intensive, it also allows routing of traffic to the local Internet of the Wi-Fi roaming partner. There are few technical and business differences between national seamless Wi-Fi offload and international SIM-enabled Wi-Fi roaming although partnering with foreign WISPs requires careful service management and policy coordination. Any Wi-Fi roaming business case also needs to strike the right balance between sharing revenues with roaming partners and benefitting from better customer retention. AT&T of the USA began offering SIM-based international roaming for smartphone clients in November 2012 as one of only a few active cases. In the AT&T case the smartphone needs a third-party client in the form of an app. This is not technically necessary if the Wi-Fi network of the roaming partner supports 802.1X.

13

SEAMLESS WI-FI OFFLOAD: FROM VISION TO REALITY

MONETIZING NON-SIM WI-FI USERS

The greater installed base of Wi-Fi devices are not SIM-enabled and do not qualify for EAP-SIM authentication. This segment includes large-screen devices such as laptops and tablets used by both consumers and professionals. With a high-quality Wi-Fi network MNOs may benefit from offering ad-hoc or subscription-based Wi-Fi through a service management platform handling both SIM and non-SIM services. Various managed services, wholesale and direct-to-consumer business models are possible: Managed carrier-class Wi-Fi services Business and organizations need quality Wi-Fi connectivity. These may include hotels, retail chains, and branch offices of small or medium-sized businesses without the budget or organization to deploy or maintain their own Wi-Fi systems. The managed services business model can be extended to include any kind of public venue including hospitals and airports. Wholesale of excess Wi-Fi capacity With carrier-class Wi-Fi delivering several Gbps per km2, MNOs with their own Wi-Fi networks will have capacity to spare. Wholesale customers may include other MNOs, WISPS, enterprises, communities or any other business or organization in need of high-quality Wi-Fi services. Multiple virtual Wi-Fi networks (virtual SSIDs) can be configured on the same Wi-Fi infrastructure. Ad-hoc Wi-Fi services direct to the consumer: The market for ad-hoc Wi-Fi services can be a new source of revenue for MNOs. Multiple authentication and payment schemes are possible including SIM-authentication, SMS loops, credit card payment, prepaid vouchers, direct subscription services and more. Providing carrier-class Wi-Fi services also to non-subscribers can be an effective new way for MNOs to attract new mobile subscribers. One service for all devices Many MNO subscribers own multiple Wi-Fi capable devices including a laptop and a tablet. A combined EAP-SIM authenticated Wi-Fi and mobile broadband service bundle for all devices even for those without SIM cards will boost subscriber loyalty as well as data service revenues. New Wi-Fi business models Wi-Fi services can be configured to support specific applications such as premium video streaming or gaming based on subscriptions, prepaid vouchers, or ad-hoc. Free services can be offered for example by asking the user to pick from a variety of commercial downloadable apps or advertisements. Similar business models may be offered by for example retailshopping chains.

14

SEAMLESS WI-FI OFFLOAD: FROM VISION TO REALITY

FLEXIBILITY: PROVISIONING A RANGE OF MOBILE / WI-FI SERVICES

The worlds of Wi-Fi and mobile are merging but the evolution of seamless Wi-Fi will be gradual and will require continued core network support on the Wi-Fi side. EAP-SIM is an indispensable enabling technology for seamlessness but further to authentication, Wi-Fi services for MNO subscribers also need to be authorized, accounted for, and service policies need to be enforced. This is the combined role of the AAA and PCRF7 (PCEF8) functions in the Wi-Fi and 3G / LTE core networks. As seamless Wi-Fi services and policies vary according to carrier preferences the key feature of any Wi-Fi core network and service management platform is adaptability of configuration and interfaces. Examples of combined mobile and Wi-Fi data services may include the following use cases: Mobile data (limited or unlimited) & unlimited Wi-Fi data bundle The Wi-Fi service management platform authenticates the user through the SIM Authentication Server toward the mobile network HLR and interfaces with the billing and CRM system of the mobile network. MNOs can choose to apply service policies if smartphone traffic for example is routed to the mobile core. Combined capped 3G & Wi-Fi data bundles In extension of the solution above the Wi-Fi service management platform interfaces with the PCRF of the 3G mobile core to enforce the cap on the combined 3G and Wi-Fi data volume. If data caps are exceeded the user is redirected to a portal to confirm and authorize additional charging. Casual Wi-Fi with or without SIM Subscribers with Wi-Fi capability but belonging to another MNO (or subscribers roaming internationally) with or without SIM can be routed to a portal via the service management platform for pay-as-you-go casual Wi-Fi services. This service can also be extended to include EAP-SIM authentication toward the mobile HLR for casual SIM-enabled Wi-Fi. Wi-Fi for 3G subscribers without a 3G data plan Smartphone users without a 3G data plan may be offered ad-hoc, SIM-authenticated Wi-Fi services on a daily or hourly basis using multiple payment options. The user is directed to a portal for payment via the Wi-Fi service management platform or the payment can be detracted from the users prepaid account via the MNOs billing system. This type of service may give MNOs an opportunity to reach a new segment of users looking for more affordable data services for example in emerging markets.

7 8

Policy and Charging Rules Function Policy and Charging Enforcement Function

15

SEAMLESS WI-FI OFFLOAD: FROM VISION TO REALITY

Figure 7: Multiple authentication methods allow SIM-based and non-SIM devices to access carrier-class Wi-Fi networks through a flexible service management platform. The SMS & MAC method uses an SMS message from the users phone to authenticate the service after which the MAC address of the device is used for future logins.

THE NEED FOR MULTIPLE AUTHENTICATION METHODS

Regardless of whether an MNO deploys their own carrier-class Wi-Fi network or elects to partner with one or more WISPs, Wi-Fi services need to support a variety of user types, services, and devices in order for the MNO to receive the full return on investments in Wi-Fi. MNOs also face a variety of security concerns depending on the mix of authentication types. The most secure (and 3GPP-approved) form of authentication is EAP-SIM and 802.1X while the least secure employs usernames and passwords. A tradeoff exists between offering Wi-Fi services to address the broadest user base and reaching the highest level of access security using 3GPPbased methods. Individual MNOs will need to decide what may be the acceptable level of security.

16

SEAMLESS WI-FI OFFLOAD: FROM VISION TO REALITY

Figure 8: The full matrix of authentication schemes supported by the Aptilo Service Management Platform. The most secure authentication is EAP-SIM using 802.1X encryption while the least secure uses manual login with a user ID and password. Any combination of the methods can be applied for any given Wi-Fi service provider.

There are many examples of the need for multiple methods and as MNOs develop new business models for combined Wi-Fi and 3G / LTE services more will emerge. Here are a few examples requiring the specialized support of the service management platform as well as mobile core and billing systems: EAP-SIM authentication with bill-shock prevention: When Wi-Fi services are capped (either in combination with 3G data quotas or independently) users need to be advised of and acknowledge the additional charge once the cap has been reached to prevent bill shock. The user is directed to a captive portal to confirm or reject the additional charge. Aptilo has already implemented such a scheme for a large MNO customer in Latin America. SMS-based authentication for devices not supporting EAP-SIM Users with devices not supporting EAP-SIM (such as legacy smartphones) can be authenticated for Wi-Fi based on their mobile subscription by sending a one-time password to the device via SMS. The identity of the user can be verified by lookup in the HLR or HSS of the MNO. It is also possible to use a client on the device to automatically connect using the SMS-transmitted password. WISPr 1.0-based authentication for non-SIM devices Some hotspot aggregators such as iPass and Boingo use WISPr-compatible clients in the devices to automatically authenticate the Wi-Fi user via home or visited AAA.

17

SEAMLESS WI-FI OFFLOAD: FROM VISION TO REALITY

LOGIN THROUGH SOCIAL MEDIA

The popularity of social media such as Facebook, Twitter, and LinkedIn has created a new opportunity to authenticate Wi-Fi users via their social media accounts. Although such schemes are still in their infancy they hold the potential for future mass-market adoption because of their convenience. The Swedish start-up Instabridge is in the early phases of launching an app-based service that allows users to log on to a Wi-Fi network with Facebook. A user can then share his Wi-Fi connection by inviting Facebook friends to join. The user then also gets access to his or her friends Wi-Fi networks and in this way the use of Facebook authentication may gradually spread to a large subscriber base. The Instabridge app uses Facebooks own Connect API for authentication and is currently available for Android devices. Although Facebook-based login today is intended to make access to private Wi-Fi networks easy and convenient, such methods can be extended to work on carrier-class Wi-Fi networks using for example the flexibility of the Aptilo Service Management PlatformTM.

18

SEAMLESS WI-FI OFFLOAD: FROM VISION TO REALITY

PHASE 2: INTERWORKING WITH 3G / LTE CORE NETWORKS

Phase 2 in the evolution of seamless Wi-Fi offload is about giving MNOs more sophisticated means of controlling the flow of Wi-Fi traffic and enforcing their own policies from inside the mobile core. An important part of this is the routing of Wi-Fi traffic from smartphones to the mobile core instead of only allowing local WLAN breakout of Wi-Fi traffic. A number of options exist for realizing the features of Phase 2. The figure below gives an overview of the many Wi-Fi / 3GPP integration options ranging from simple EAP-SIM authentication and local WLAN breakout to full service integration and traffic routing to the mobile core. Many alternatives are possible and Aptilo supports them all. Individual MNOs will need to decide what approach or combination of methods serves their specific business needs in the best manner.

Existing OSS /BSS

Mobile Core
Policy & Charging Integration

Prepaid
Policy & Charging

Billing
SWf CDR Gx

Integration with existing OSS/BSS

SWo

Database lookups
Service Management PlatformTM Carrier-Class Wi-Fi Service Management
RADIUS / http

CRM

PCRF

Aptilo Wi-Fi Offload Solution

XML / SOAP, LDAP, RADIUS

One-time-password

SMS-C

D/Gr

HLR HSS
Gx /Gy /Gz

SIM Authentication Server

TM

Wx /SWx

EAP-SIM/AKA

Wi-Fi Core
AP Controller

Wm/SWm EAP-SIM/AKA SWa/ Wa

S6b

Access TM Controller

IPSec to Device Wm/STa /Gxa

TTG ePDG

GTP /PMIP

WAG TWAG
or 3 party access GW Policy-based routing to DPI
rd

GTP /PMIP /MIP

GGSN P-GW DPI

SGSN S-GW

Local break-out of Wi-Fi

(Mobile RAN + Core offload)

Internet

Backhauling Wi-Fi to Mobile Core

(RAN offload)

Wi-Fi Offload

Wi-Fi RAN

Mobile RAN

19

SEAMLESS WI-FI OFFLOAD: FROM VISION TO REALITY

DIRECTING SMARTPHONE WI-FI TRAFFIC TO THE MOBILE CORE EDGE (DPI)

Instead of directing the traffic from EAP-SIM-enabled devices and other services indiscriminately to the local Internet using local WLAN breakout the MNO can retain a first degree of control over smartphone traffic inside the 3GPP core by routing traffic to the edge of the core, i.e. to a DPI (Deep Packet Inspection) node. This scheme allows for non-SIM traffic to travel the usual route via local WLAN breakout while the DPI node takes care of policy enforcement for SIM-based traffic. As most MNOs use DPI nodes to control traffic this option may be attractive to many. There are multiple MNO benefits of using this approach in for example a second phase of seamless Wi-Fi integration: Non-SIM devices can be served for additional revenue but their traffic is routed outside the mobile core for security and backhaul transmission efficiency. The access gateway or Aptilo Access Controller directs non-SIM traffic to the local Internet based on policies configured in the Wi-Fi service management platform. SIM-enabled smartphone traffic is routed back to an existing DPI platform at the mobile core edge. The DPI node extracts policy information from the Wi-Fi service management systems PCRF-function and enforces service policies (acting as a 3GPP PCEF) on smartphone Wi-Fi traffic before routing the traffic to the Internet. DPI nodes function independently of their associated network and can also be used as a seamless Wi-Fi traffic policy control mechanism outside of the mobile network core. This gives MNOs more options for optimizing traffic flows and minimizing transmission costs.

BEST OF BOTH WORLDS: TRUSTED ACCESS USING YOUR WI-FI ACCESS GW AS A VIRTUAL SGSN / S-GW
Wi-Fi

AP

WAG TWAG

Tunnel
GTP/MIP/PMIP

GGSN P-GW

Internet

In 2G and 3G mobile broadband the radio access network connects to an SGSN network node before entering the mobile core GGSN. A Wi-Fi network can emulate this architecture by making Wi-Fi an integrated sub-network of the mobile core. As in the case above non-SIM Wi-Fi traffic breaks out locally, while the EAP-SIM-authenticated Wi-Fi traffic is tunneled (with GTP or PMIP) to the MNOs GGSN using a Wireless Access Gateway (WAG) emulating an SGSN. MNOs may be attracted to this option because it uses 3GPP specifications for interworking with Wi-Fi including in the Aptilo case a 3GPP-compliant AAA platform as a part of the service management platform or as a stand-alone server. This method also uses policy control functions (PCEF) already configured in the mobile core so that ideally less system integration is required. This option also supports all well-known management functions for general Wi-Fi services including open SSID for non-SIM-based Wi-Fi users for example with Web-based login. In many ways this solution represents a best of both worlds approach to combined Wi-Fi & 3G services.

20

SEAMLESS WI-FI OFFLOAD: FROM VISION TO REALITY

In the case of Wi-Fi interworking with LTE core networks i.e. toward the EPC or Enhanced Packet Core differences in 3GPP architecture call for a new approach. Building on the 3G architecture above, SIM-authenticated Wi-Fi traffic is routed to the P-GW (Packet Data Network Gateway) using one of GTPv2, PMIPv6, or MIPv4 tunneling with multiple tunneling protocol support also available. As above non-SIM traffic is routed to the local Internet from the access gateway. A combined Access Gateway and TWAG (Trusted Wireless Access Gateway) allows for local WLAN breakout of non-SIM-authenticated traffic while the Wi-Fi service management platform serves the important functions of AAA and policy enforcement. One of the key benefits of this method is that the P-GW acts as an anchor for the mobility of the Wi-Fi subscriber.

UNTRUSTED 3GPP ACCESS: THE ROLE OF 3GPP I-WLAN AND IPSEC

Wi-Fi Tunnel AP
IPSec

TTG ePDG

Tunnel
GTP/PM IP

GGSN P-GW

Internet

The 3GPP standardized the first non-3GPP interworking architecture in Release 6 called I-WLAN (Interworking Wireless LAN). This early standard required the use of the IPSec protocol for socalled untrusted access of non-3GPP traffic including that of Wi-Fi to the mobile core. The I-WLAN option still exists today for 3G networks but requires a TTG (Tunnel Termination Gateway) inside the core network for terminating the IPSec connection from the device. The option of using IPSec as means of tunneling Wi-Fi data traffic into the core remains also for LTE networks that use an ePDG network node as the termination point for IPSec. Today the better part of the industry considers untrusted access less likely to be the solution preferred by MNOs. This is because the IPSec requires a resource-demanding client in the device as well as at network termination points. Aptilos seamless carrier Wi-Fi solutions support the untrusted architecture as required in both 3G and LTE versions.

21

SEAMLESS WI-FI OFFLOAD: FROM VISION TO REALITY

PHASE 3: INTELLIGENT NETWORK SELECTION & SERVICE TRANSPARENCY

The target for the third phase of seamless Wi-Fi is full service continuity and device mobility across Wi-Fi and 3G / LTE networks. This involves not only the mobile and Wi-Fi network cores but also their interaction with the mobile device. As a result the 3GPP has defined a number of standards that are expected to enable intelligent offloading through interaction between the network and the device. Some of the functionalities below are expected to become commercially available during 2013-2015, but it will take some time before they are widely deployed.

ANDSF: INTELLIGENT NETWORK SELECTION ACROSS 3GPP AND WI-FI

Todays device operating systems (such as iOS and Android) automatically prefer Wi-Fi services to mobile broadband for example via EAP-SIM authentication. Applications on mobile devices use data buffering to preserve a form of mobility and are often robust in assigning new IP addresses and continuing to run. In this way the experience of seamlessness is to some degree preserved. But application-based switching of this kind is not ideal for MNOs wanting to control traffic flows. If MNOs are to benefit fully from Wi-Fi offload, network selection needs to be controlled intelligently. ANDSF Access Network Discovery and Selection Function defined in 3GPP Releases 8, 10 and 12 allows devices to know when, where and how to select a suitable Wi-Fi network connection. In practice ANDSF relies on interaction between the PCRF (policy control) server in the 3G / LTE core and an ANDSF client in the device. The further development of the ANDSF standard will mean that policies can for example allow the device to select a specific Wi-Fi network for preferred access based on time-of-day, location, subscriber type, application, and device type. Network selection based on radio network quality and backhaul bandwidth availability is left up to individual device vendors to implement, i.e. they are beyond the scope of the 3GPP specifications today. But they are still very much needed. Some vendors report that they already offer such solutions based on device measurements, although it remains to be seen if this will become part of a future ANDSF framework.

3GPP INITIATIVES TOWARDS A TRUE HETEROGENOUS RADIO NETWORK

A number of other 3GPP-defined functions are expected to further enhance the seamless WiFi user experience as well as network efficiency: DSMIP (Dual Stack Mobile IP of 3GPP Release 8) preserves the IP address of the device when the network changes so that applications can continue to run without executing their own switching routines, while IP Flow Mobility (3GPP Release 10) allows IP traffic flows to split between Wi-Fi and 3GPP networks based on for example application-specific criteria.

22

SEAMLESS WI-FI OFFLOAD: FROM VISION TO REALITY

A BUSINESS-CRITICAL FUNCTION: SERVICE MANAGEMENT PLATFORM FLEXIBILITY

Regardless of the chosen build strategy and combination of business models, MNOs offering Wi-Fi services will be required to manage and operate a number of service types across multiple core networks enforcing multiple policy controls while using multiple means of authentication. At the same time flexible service management platforms need to interact with billing and other support systems. This complexity requires an approach that advances well beyond the methods and functionality defined in the 3GPP standards for interworking. In addition to the 3GPP standards which are fully supported by Aptilo MNOs with carrier-class Wi-Fi services will need service platforms that support the multi-dimensional business models and service scenarios of this new reality.

Partner Network Roaming

Home Wi-Fi
Policy & Charging

OSS / BSS Integration

Wi-Fi User Experience

Office Wi-Fi

Mobile Core Integration

Wi-Fi Service Control

Public Wi-Fi

Local Break-out

Small Cell Wi-Fi Backhaul to mobile core through tunnels Wi-Fi Gateway

3GPP Wi-Fi Access

Access Point

EAP-SIM / AKA non-SIM

23

SEAMLESS WI-FI OFFLOAD: FROM VISION TO REALITY

THE APTILO SERVICEGLUETM CONCEPT

To meet any service logic requirement Aptilo has developed the Aptilo ServiceGlueTM functionality as an integral part of the Aptilo Service Management Platform. This is a logical framework for linking the Wi-Fi, 3G, and LTE access and gateway network on one side to any Mobile Core and OSS / BSS functions and databases on the other side. The Aptilo ServiceGlue can be configured to deliver the precise service logic required by individual MNOs or WISPS across multiple networks.

Aptilo ServiceGlue
Configurable Functions
100
Request Lookups & parameter mapping
SOAP/XML LDAP RADIUS Diameter

IDI
101 102
Lo ook kup up

OSS OSS

Action

103
Gateway
Request Action Action

104 105

BSS BS S
Action/Post

kup Loo Lookup kup Loo Lookup

HLR/HSS

Action

R Request t

PCRF

Diameter, RADIUS, BGP

Diameter, RADIUS

Aptilo ServiceGlue offers flexibility of service control beyond the capabilities of any ready-made service management platforms and it is especially valuable in the case of Wi-Fi offload: MNOs can look up policies from several mobile core sources and map these to corresponding functions in the Wi-Fi core network including vendor specific attributes (VSA).

CLOUD-BASED EAP-SIM AUTHENTICATION AND SERVICE MANAGEMENT

Cloud-based or hosted service management solutions may be an attractive option for MNOs on the fast track to Wi-Fi offload or for quick seamless Wi-Fi proof-of-concept testing. Some MNOs may even prefer to outsource operations indefinitely to obtain a better operational efficiency. The cloud-based alternative can be particularly attractive for MNOs that are not building their own Wi-Fi footprint. To this end Aptilo offers a fully managed cloud-based service, operating the Aptilo Service Management Platform from one of Aptilos Network Operation Centers (NOC) or from the MNOs NOC. The service ensures a very high availability and all the features and functionality of the Service Management Platform including EAP-SIM seamless authentication. Many configuration options are possible including remote or local access controllers for local WLAN breakout as well as interfacing to third-party access gateways.

24

SEAMLESS WI-FI OFFLOAD: FROM VISION TO REALITY

10

THE APTILO WI-FI OFFLOAD VISION

Aptilo believes that Wi-Fi and mobile industries are on a path of convergence enabled by advances in standards, technologies, and systems for seamless 3GPP / Wi-Fi interworking. Already today MNOs and carrier-class Wi-Fi services providers alike can benefit economically from technologies such as EAP-SIM authentication and Wi-Fi / 3GPP core integration. Over the next few years a new paradigm of unified Wi-Fi and mobile will emerge enabling MNOs to profit from combined Wi-Fi & mobile broadband services and new cross-industry partnerships. Unified Wi-Fi and mobile networks will meet the demand for wireless data connectivity worldwide well into the future.

Policy & Charging

90+ Wi-Fi Service Provider Deployments

ABOUT APTILO
Aptilo Networks has provided service management solutions to Wi-Fi 3G / LTE and WiMAX service providers since 2001 serving more than 90 Wi-Fi service providers in 60 countries. Today, Aptilo is a recognized industry leader in enabling the seamless service delivery across Wi-Fi and 3GPP-based network systems. Aptilo Networks routinely partners with leading carrier-class Wi-Fi and 3GPP equipment vendors to deliver end-to-end carrier-class solutions to the global wireless market. Aptilo Networks is headquartered in Stockholm, Sweden, with regional offices in Kuala Lumpur, Plano, Texas and Toledo, Ohio. Aptilo Networks is privately held with Norvestor Equity as the majority shareholder.

25