February 21, 2014

Can Wi-Fi be made easier to use than cellular?

Wright Floating-wi-fi-guy"Making Wi-Fi as easy as cellular” is a popular maxim when engineers, marketeers, and journalists talk about Hotspot 2.0. And it’s not hard to understand why. The cellular connectivity experience is well understood in virtually every culture, while, except to those involved with its development and testing, Hotspot 2.0 remains a big unknown. Therefore to say Hotspot 2.0 makes Wi-Fi connectivity like cellular puts it in terms that most people can understand. In fact, if you look back, you’ll find a few Ruckus press releases and presentations that use this very analogy.

However, as we approach the launch of production Hotspot 2.0 networks and begin using this technology in our daily lives, it is important to have a more precise understanding of what it is and how it works.

 It’s at this point that the comparison with cellular connectivity and roaming falls short of conveying what people need to know. For context, it’s best to start examining some of the similarities and differences between cellular and Wi-Fi with Hotspot 2.0 relative to connecting automatically, authentication, and roaming. Airlink encryption aside, users can be assured that robust security is given for both cellular and Wi-Fi (wih Hotspot 2.0) connections.

Connect Me.

To connect to any type of network, a client device must support the same physical interface and medium access mechanisms (Layers 1 and 2) as the access network.

Sometimes the compatibility cues are obvious. For example, plugging a token ring hermaphroditic connector into a 10BASE-T hub would have been quite an accomplishment, even if futile in terms of passing data. But in the wireless world, there are no visible cables or connectors and the end users need to have a fuller understanding in order to ensure that her device will connect to an available network.

The first consideration is the frequency band. Does the device “talk” on the same frequency that the network is operating. Wi-Fi currently operates in swaths of unlicensed 2.4 GHz and 5 GHz spectrum that are largely harmonized globally. The first 11 channels (3 non-overlapping) in the 2.4GHz band are de facto “world bands” as they are approved in virtually all regulatory domains. The picture in 5 GHz is currently less uniform, but there are sections (5.15-5.25 and 5.725-5.85 especially) that have been, or soon will be, adopted for unlicensed use in most parts of the world. 5 GHz is the current focus of regulatory bodies since 802.11ac requires it, and commissioners are endeavoring to open more common frequencies there.

So for Wi-Fi at least, a dual-band (2.4 GHz and 5 GHz) device bought in the US today will definitely connect to a 2.4 GHz Wi-Fi network in Europe, Africa, or Asia, and can connect to 5 GHz Wi-Fi networks in most areas of the world.


In the cellular world, the situation with device support is not nearly as straightforward. 


Because licensed spectrum is exclusively allocated in much ‘thinner’ slices to individual mobile operators at the national or regional level. And because the 2G, 3G, and LTE bands vary from country to country, it is impractical to implement a single radio access front end that can support all of the possible RF bands.

One aspect of this is the so-called LTE “band fragmentation” issue. This means that even the most sophisticated handsets have to be produced in a large range of models, which are often specific to a region, country, and/or operator. Even the “international” models can’t hope to support all of the possible operating bands for each generation of technology. At last glance there were 19 different models of the Samsung Galaxy S4s in production to support this collection of different cellular bands. 

The difference between Wi-Fi’s harmonized bands and cellular’s fragmented bands is underscored by the fact that all of the 19 different models of the Galaxy S4 use the same Broadcom BCM4335 Wi-Fi chipset.

 Meanwhile cellular chipset manufacturers are hard at work creating advanced chipsets and RF frontend solutions that can support large numbers of licensed bands, such as the Qualcomm RF360. As Qualcomm SVP of Product Management, Alex Katouzian, recently pointed out, "The wide range of radio frequencies used to implement 2G, 3G and 4G LTE networks globally presents an ongoing challenge for mobile device designers.

This severe band fragmentation issue doesn’t exist for Wi-Fi connectivity.

Another challenge that the cellular industry faces with ubiquitous device support is technology schisms. With 2G, 2.5G, and 3G most of the world settled on GSM/UMTS based coding and modulation, but big (and globally significant) operators in the US and Korea chose CDMA solutions. A similar split is occurring with LTE.  In LTE land, the world is standardizing on the Frequency Division Duplexing (FDD) implementation.  Meanwhile China is deploying a version based on Time Division Duplexing (TDD).

The bottom line being that a 3G CDMA handset can’t connect to a UMTS Node B, nor can an FDD LTE handset connect to a TDD LTE eNB.

In contrast to the technology factions that exist within the cellular industry, Wi-Fi modulation and coding implementations have effectively remained uniform as standardized by the IEEE and certified by the Wi-Fi Alliance.

The reality is that Wi-Fi devices are able to connect to just about any Wi-Fi network in the world (and Hotspot 2.0 makes it even easier), while cellular band and technology fragmentation has led to a complex mix of often incompatible devices and networks, especially when traveling outside of the home operator’s coverage area.

Authenticate Me.

Where the cellular user experience truly excels, is in the automatic authentication of the device to the network. Each device is provisioned with a unique identifier that is known, and can be verified, by its home operator’s subscriber database (Home Location Register or Home Subscriber Server – HLR / HSS). The identifier is known as an International Mobile Subscriber Identity or IMSI, and can be embedded in a SIM, USIM, or sometimes in the device itself. 

The IMSI contains the Mobile Country Code (MCC) and Mobile Network Code (MNC) for the home mobile operator, which together comprise the Public Land Mobile Network (PLMN) ID. A device capable of communicating with a cellular access network can examine the PLMN ID(s) being advertised by the network, and if they match its IMSI, be assured that authentication is possible.

Wi-Fi authentication historically has been quite fragmented primarily due to the diversity of its use (residential, enterprise, hotspot, etc.) and the resulting need for different security requirements. With 802.11, authentication can be open system, based on a static shared code (WEP, WPA-PSK, and WPA2-PSK), or on more sophisticated mechanisms like 802.1X and the Extensible Authentication Protocol (WPA-Enterprise and WPA2 Enterprise). Also, portal-based authentication is often the method of choice for public access Wi-Fi networks, usually in conjunction with 802.11 open auth. These various authentication options are also related to the type of encryption, if any that is used over the air.

Hotspot 2.0 fixes this by standardizing Public Wi-Fi authentication and security.

With Hotspot 2.0, 802.1X is mandated with EAP-SIM/AKA, EAP-TLS, or EAP-TTLS and AES 256-bit encryption required. The authentication credential can be a cellular IMSI, an X.509 client certificate, or a username/password pair.

The inclusion of non-cellular credentials opens up Hotspot 2.0 services to Wi-Fi only devices like tablets, iPod Touches, laptop computers, and even client devices within the worldwide Internet of Things. Supporting a wide range of credential types also provides for a much broader pool of authentication providers, including mobile operators, cable operators, social media companies, hotel chains, and corporations.

Through the use of the 802.11u protocol, a Hotspot 2.0 Access Point (AP) advertises the PLMN IDs, network access identifier (NAI) Realms (think domain name), and Roaming Consortiums (a 3 or 5-byte hexadecimal identifier issued by the IEEE) for which it can authenticate credentials. 

The client device examines these various markers being advertised by the AP, and if there is a match with one of its provisioned credentials, it knows that automatic authentication is possible, and proceeds to connect and begin the EAP process.

Let's Roam.

Cellular network roaming is often portrayed as a successful model that Hotspot 2.0 should attempt to emulate. But is it really?

Legere-tweetEven when consumers have devices that are compatible with a visited cellular network, it turns out they are quite hesitant to connect. Rightly or wrongly, cellular roaming has become synonymous with “bill shock”,“highway robbery”, and “OMG” in the minds of the general public and especially CEOs.

This issue was highlighted
 by the European Commission in a recent survey report showing that a large percentage of Europeans either disable cellular roaming, turn off their mobiles altogether, or
drastically curtail their usage when traveling abroad within the region. 

Cellular roaming charges are perceived to be such an issue that some upstart carriers are seeking to gain market share by promoting low, or no, cost roaming plans, seeing this as a significant differentiator from the status quo.

Another symptom is the growing abundance of airport vending machines and kiosks waiting to provide local SIMs and prepaid plans to arriving visitors with unlocked devices. The calculation for the consumer is simple.

Bubbly-tweetOption 1: spend $20-30, and perhaps a little time hassling with APN settings, to get a generous amount of voice/text/data from a local operator, or

 Option 2: roam at will using your home IMSI, make a call or two, but be sure you don’t let GMail, Facebook, or Twitter use any cellular data for the duration of your trip, risking the potential $1,000+ bill you can’t seem to expense.

Harbingers for Hotspot 2.0?

Admittedly still in its infancy, Hotspot 2.0 may create radically different models for roaming, or authentication peering. Some precursor services like Eduroam and the Cable Wi-Fi alliance provide some indication as to how it may likely evolve. 

Eduroam, like Hotspot 2.0, is an 802.1X-based automatic connection and authentication network that has come from the higher education community. It started in Europe and Asia, but increasingly has a global presence. Individual institutions join Eduroam in order for their users (students and faculty) to automatically connect at any other Eduroam college or university, and so that visiting users can likewise automatically connect to the locally hosted network. It’s a reciprocally beneficial arrangement, and each institution that joins broadens the reach for the other participants. Even retail and hospitality businesses near Eduroam campuses are starting to offer the service as an enhanced benefit to their student customers. It’s common to see a social media post from an Eduroam user surprised to see that their device has connected in some unexpected venue or location.

In the U.S., the Cable WiFi alliance is a consortium of 5 of the largest MSOs (cable operators). Each company had independently deployed large-scale Wi-Fi hotspot networks in their coverage areas as a service to their residential broadband subscribers. They then decided to join together and advertise a single “CableWiFi” SSID across their combined footprint (between 200,000 and 250,000 hotspots across the country), which can be accessed by any of their subscribers. Again, another mutually beneficial arrangement.

Both Eduroam and the Cable WiFi alliance currently utilize SSID-based solutions, but they are also actively investigating Hotspot 2.0 as the next logical development for their service.

 Looking Ahead.

So, while it has been helpful up till now to describe Hotspot 2.0 in terms of making Wi-Fi work like cellular, a fuller understanding of the nuances and differences between the technologies and models shows that Wi-Fi can effectively be made easier to use and more pervasive than today’s cellular technologies.

 Hotspot 2.0 enabled Public Wi-Fi will offer a service that will be available to all Wi-Fi devices, allow authentication by a number of types of providers, and support roaming consortiums with diverse business arrangements and models. Hotspot 2.0, wherever you may roam.  And roam you will.

February 10, 2014

Will 802.11ac Stab You in the Back(haul)?



Marcus-burton Stabbing-3Stressing about the new 802.11ac standard seems to be the industry’s new pastime.

Now that Wave-1 of 802.11ac is here with vendors promising 1.3 Gbps in 5 GHz, 1.75 Gbps aggregate per AP, and world peace, suddenly the industry has focused in the potential bottleneck of AP backhaul links. In other words, is a single Gigabit Ethernet uplink enough for each AP?

The answer is just plain “yes,” and applies not only to Wave-1, but also to Wave-2 11ac. Here’s why:

Theoretical maximums do not happen in real-world conditions.

Even though 11ac Wave-1 promises a combined 1.75 Gbps theoretical rate, it’s hard to see how real-world conditions will live up to theoretical maximums. They won’t.

1.75 Gbps is a data rate. Real TCP throughput, however, (what the client experiences), has historically been somewhere near 50% of the data rate. With 11n/ac frame aggregation and other enhancements, 65% is becoming more realistic in best-case scenarios (usually for single-client tests only). So let’s say for the sake of argument that 65% of theoretical is possible—1.15-ish Gbps. Ac-chart2

So yes, if you have:

  • 3x3:3 client devices only, one on 2.4 GHz and one on 5 GHz,
  • Very good RF conditions with no neighbors and no RF interference,
  • TCP applications that can produce and sustain 700 Mbps, and
  • TCP applications that are 100% uplink or downlink,

then you might be able to tap out a gigabit backhaul, or so the argument goes.

 But, that just won’t happen in the real world.

 Client mixtures do not support the maximum capabilities.

If a network is comprised of client devices that all support 80 MHz channels (in 5 GHz) and 3 spatial streams, then there’s an outside chance of the stars aligning…barely.

But reality says:

  1. You’ll have some single-stream client devices, like mobile phones and tablets.
  2. You’ll have some two-stream client devices, like tablets and many laptops.
  3. You’ll have some 11a/g/n devices that don’t support 11ac maximums.
  4. You’ll have some clients in the service area that aren’t 3 meters from the AP—and thus subject to lower data rates.

So if your network has any of these client types (and it does!), then you can kiss your nightmares of gigabit saturation goodbye. Every lower-capability client on your network will reduce the average airtime efficiency,
making gig-stressing conditions impossible.

Don’t Forget: Ethernet is full duplex.

When comparing Wi-Fi speeds to Ethernet speeds, we must remember that Wi-Fi is half-duplex. All airtime is shared for uplink and downlink. So when you start with a theoretical maximum channel capacity, you have to divide it between uplink and downlink. Conversely, Ethernet is full duplex with a 1 Gbps uplink and 1 Gbps downlink simultaneously. So to really stress that gigabit link, you need to push either ALL uplink or ALL downlink traffic from Wi-Fi clients. Again, if we consult reality, this just won’t happen.

Application requirements will not stress 1 Gbps backhaul links.

In combination with the limitations of client capabilities, there are very few client applications and services that can generate even bursty—let alone consistent—load above 700 Mbps. But again, the issue isn’t the potential of a single client device, but the potential of all combined client devices passing traffic and sharing airtime.

High density does not stress 1 Gbps.

At first glance, high-density networks seem cause for gig stress, and thus more likely to tax network maximums. However, if anything, high-density scenarios are MORE likely to have single-stream mobile devices that don’t support protocol maximums—as well as airtime challenges that increase retries and non-data overhead—thus bringing aggregate network potential down.

Most of today’s networks can’t deliver it anyway.

How many networks are there that provide more than 1 Gbps WAN links—and web-based services/applications that can deliver that kind of speed? There’s this thing called cloud (you may have heard of it), and most client-based applications now use it.

Local LAN applications/servers are more likely to be able to handle 1 Gbps sustained. Are there many cases where these applications REQUIRE more than 1 Gbps in a specific direction AND operate in a silo where no other clients are present and moving some traffic? The answer is a bit self-evident. No.

Cost is always king.

Getting business-minded for a minute, it’s hard to believe that anyone will want to pay for 10 GbE at the edge for all APs, and no one wants to pay for higher-grade Cat7 cabling (true that Cat6 may be reasonable today) either. And of course, running multiple copper cables for each AP with link aggregation is cost prohibitive and, in most cases, superfluous. Just show the budgeteers the real-world likelihood of saturating a single, lower-cost 1 Gbps link and the budget czar will trump that decision as fast as a politician will lie. If sound technical reasoning doesn’t win, money always will.

What about 802.11ac Wave-2?

All signs point to Wave-2 11ac APs being either 3-stream (still) or—more likely—4x4:4-stream (at 1733 Mbps on 5 GHz). These boxes will also support 160 MHz channels with higher data rates. So the reasoning for the sufficiency of gigabit backhaul for Wave-2 goes something like this:

160 MHz channels are really best suited for SOHO environments. Accommodating them in enterprise products is simply not practical. Even if you wanted to, most enterprise client devices are unlikely to support 160 MHz-wide Wi-Fi channels.

That 4th stream won’t change real-world throughput tax.

Taking all the previous arguments regarding client mixtures, application demands, backhaul problems, and high density into consideration, an additional spatial stream on the AP will have little to no impact on backhaul links. Few clients, if any, will support four spatial streams in the first place. Aggregate throughput for each AP will still be constrained by the low and mid-performing clients. Even high-performing clients will struggle to generate nearly 1 Gbps of unidirectional TCP traffic.  

Multi-User MIMO does not increase maximum backhaul load either.

Now you might be thinking that MU-MIMO, or the ability for an AP to concurrently communicate with multiple clients, has a chance to change all this. Uh, no.

 There’s no doubt that MU-MIMO should improve airtime efficiency where there are many single-stream client devices and mostly downlink traffic. But, the AP still only has four spatial streams, and MU-MIMO will not be used for every transmission. In many cases, MU-MIMO transmissions will still go to only two single-stream clients simultaneously, which will not come close to the gigabit ceiling.  

Everyone has neighbors.

Wi-Fi performance is almost always dependent on RF conditions. While it’s true that maximum data transfer in a clean lab environment may get up close and personal to a gigabit ceiling more often in Wave-2, the problem is that these same high-performance networks must share airtime with neighbors.  Looking forward, it’s inevitable that there will still be a lot of 802.11n networks everywhere, and we will just have to cope with the realities of backward compatibility.

Stop gig stressing.

The moral of the story is this: While theoretical scenarios could strain a single gigabit backhaul, there’s just no way that real-world client mixtures, RF environments, application requirements, and network infrastructures are going to saturate the full capacity of a high-performing full-duplex gigabit link. So don’t be fooled by vendors wanting you to upgrade your wired networks based on theoretical scenarios and arguments. In the words of Nancy Reagan, “just say no.”

November 17, 2013

Cashing in on Hotspot 2.0

Hratko CASH-GRAPHICNothing is hotter right now in the networked world than Hotspot 2.0.

While most of the attention on Hotspot 2.0 has centered on the technology and how it works, the really compelling “feature”(that has received nearly no attention) is the ability for the technology to generate money, and lots of it.

 What’s Hotspot 2.0 All About?

Hotspot_2.0 is a specification developed by Wi-Fi Alliance (WFA) members (watch this) to radically simplify the user process of securely connecting to a Wi-Fi network and roaming between different Wi-Fi networks by effectively duplicating the cellular phone experience through secure connectivivity that  can be automated while conforming to user and operator policy. The development has considerable multi-industry muscle behind it from the Wi-Fi Alliance for certification under the Passpoint™ program and organizations such as the Wireless Broadband Alliance (WBA) for interoperability.

Simply put, Hotspot 2.0 is focused on enabling Hotspot 2.0-capable mobile devices to automatically “discover” Hotspot 2.0-capable  access points (APs) connected to wireless LANs (WLANs) and their owners that have roaming arrangements with or a path to the user’s home network. After that, the technology securely connects the user to that WLAN with no human intervention.

With Hotspot 2.0, a massive network of Wi-Fi access points is made possible through a web of interconnections. Consequently, users enjoy a seamless experience as they move between Wi-Fi networks from almost any location. It achieves this through an overhaul of the Wi-Fi connection procedure.  Hotspot 2.0 automates the connection process and it provides airlink encryption using the Advanced Encryption Standard (AES).

Hotspot-20-graphicHotspot 2.0 (so called Passpoint-certified) access points and controllers have now been shipping for over a year from all the major infrastructure vendors. Coupled with new Hotspot 2.0-capable smartphones recently introduced by Samsung, Apple, and many others, the proverbial planets are now aligned for monetization– directly addressing the concerns many operators have had about how to actually make money with Wi-Fi when so many networks are free.

Given that approximately 90 percent of all tablets in the U.S. relied on Wi-Fi over 3G mobile broadband last year, according to industry analyst Chetan Sharma, there’s some major money to be made by establishing Hotspot roaming consortiums that bring together what is today disparate high-speed Wi-Fi data access into a unified high-speed network that people would be willing to pay for. Hotspot 2.0 is the key to making this happen.

Hotspot 2.0 Brings Together Unlikely Roaming Partners

Enabling Wi-Fi roaming and roaming consortiums looks to be every bit as financially lucrative for service providers as cellular roaming. But unlike cellular roaming, Wi-Fi roaming can be done between hotels and MSOs (cable), convention centers, department stores and mobile network operators (MNOs), football stadiums, coffee shops, and basically anyone else with a Wi-Fi infrastructure.  

With these roaming consortiums in place, users will be able to easily roam across the street, across town, or on the other side of the world. Because the potential exists for a huge number of possible roaming partners both domestically and internationally, it is possible to build roaming consortiums with thousands of partners and millions of access points.  

The larger the Wi-Fi footprint, the greater the utility of the service offering, and the greater the utility of an offering the more that people will pay for such a service. Just look at the history of cellular services as a valid and useful proof point.

The formation of roaming consortiums opens up tremendous new wireless revenue opportunities for first movers and should make for some interesting and unusual partnerships to say the least. Ironically, these first movers can include a myriad of service providers that don’t even offer a pervasive wireless service today such as over the top (OTT) providers like Google or Facebook, cable TV companies (MSOs), credit card companies, and anyone else with identity information.   

One of the first to establish a Hotspot 2.0 roaming consortium, AT&T's international roaming program for its mobile subscribers has been viewed as the first to automatically connect customers to Wi-Fi Hotspots authenticating users roaming abroad using the SIM card in their phones.  This has set the stage for future business models based on Hotspot 2.0, Passpoint, and Next Generation Hotspots (NGH).

AT&T is using ACCURIS, a roaming hub, and its AccuRoam technology authenticates Wi-Fi roamers in a manner similar to the authentication process that enables mobile users roam to a new cellular network. These new roaming hub companies such as Accuris and Syniverse can make money with Hotspot 2.0 by routing authentication requests to hotspot 2.0 operators as well by facilitating the cumbersome billing and settlement process.

Hotspot 2.0 roaming consortiums are the beginning of a big trend of mobile operators leveraging Wi-Fi not just for domestic offload to ease congestion but to also give end users give better roaming rate along with a simpler and more secure experience when connecting to different Wi-Fi networks.

Meanwhile OTT providers will be particularly interested in this Hotspot 2.0 opportunity because it lets them get location information on users by authenticating the user to a coffee shop in Seattle or at a train station in Frankfurt. This is something that is of great value in today's ad driven mobile world.

Keys To Hotspot 2.0 Monetization: Automating Connectivity and Secure Roaming

With Hotspot 2.0, operators can make money by developing a huge web of business relationships, despite the fact that many of the underlying Wi-Fi networks that will be part of any roaming consortium may actually be "free.”

Also, users will no longer always be required to navigate through a landing page at an airport to get to the "free" service. User security concerns are also diminished in public places because Hotspot 2.0 connections support airlink encryption. This is required by the standard and is supported on all Hotspot 2.0-capable devices and access points.

 When traveling, the user no longer needs to involve themselves in the tedious process of selecting from available APs when they, for instance, get off a plane, as it is all automatic. Some of the roaming partners will be operating networks for which payment is expected and the Hotspot 2.0 operator will need to work out settlements with those partners. For enterprises, the Hotspot 2.0 monetization puzzle is a little harder to put together.

 The most popular example here are hotels, which often charge for Internet access, but most of the roaming partners will operate “free” networks. In these cases, the network is being put in for some reason having nothing to do with the direct monetization of the service. Instead, they are using it sell their guests more lattes or in-room movies while wholesaling much desired Wi-Fi capacity under their control to the highest bidder. How much can be made remains an open question but there’s no debate that wireless capacity in whatever form is a desired and valuable asset, no matter if you are a university, hotel, hospital, or train station.

 Where From Here?

 Though it’s impossible to definitively determine just how much money carriers will be able to make from Hotspot 2.0 roaming arrangements its fair to speculate that subscribers could be willing to spend anywhere from $1-5 per month on top of their existing wireless or broadband subscription plans for the ability to connect automatically via Wi-Fi, if the pervasiveness of the connectivity is compelling enough. Wi-Fi roaming, as a value-added service, will undoubtedly have the potential to increase carriers’ average revenue per user, so called ARPU.

The signing up of roaming partners should be fairly straightforward as most installed network infrastructure is capable of supporting Hotspot 2.0, and it is fairly easy to configure the more popular smartphones to work in an HS2.0 network. The main value for the roaming partner is that HS2.0 provides Wi-Fi security, which is really important in a public place. It could also enable the HS2.0 operator to, in some instances, feed information back to the roaming partner about who is in their building.  This is a side benefit of having identity information on the user.

The obvious focus area is to start by establishing roaming relationships with the most heavily trafficked Wi-Fi APs and then spread out from there. These include convention centers, airports, stadiums, shopping malls, etc. The roaming partners will need a AAA server to route authentication requests back to the HS2.0 operator that heads up the roaming consortium, but this can easily be outsourced to third party roaming hub partners.

 So what is it worth to the subscriber to have access to a network with several thousand roaming partners and several million access points, all capable of providing automatic and secure connectivity? The great value in cellular, and the reason we pay so much for service, is that we can get connected almost anywhere. Wi-Fi will never be quite that ubiquitous, but it certainly hits all the heavily trafficked areas like hotels, coffee shops, airports, etc. The average user doesn’t typically hesitate to pay $10 at a hotel or even $20 on an airplane so there is clearly great value here and those examples are one-off events with limited shelf lives.  And yes the underlying network is often free, but there is the hassle factor in getting connected.  A premium of 10 to 15% on the user's cellphone bill might work if the operator can plug into a million or more APs through roaming relationships. 

With Hotspot 2.0, now is the time is for operators to start moving down this path, with significant first mover advantages to those who do, as many venues will limit the number of roaming consortiums they join. Likewise, users will flock to those consortiums with the largest footprint, paying a premium to do so, which will only make them grow even larger and faster, forever changing the wireless world as we know it.

November 04, 2013

Avoiding Demo Fail

Gt EPIC-failHow would you like to be the CEO of a company like Apple or Dropbox? Money, fame and awesomeness surround you. But as cool as that sounds, it doesn’t prevent you from living through a failed live product demo in front of an audience of hundreds in addition to the thousands watching the live stream. No amount of money or fame can buy you out of that humiliation. YouTube remembers forever. This probably has become the most infamous Demo Fail in recent history.

Demos like these didn't fail because of buggy code but because of buggy Wi-Fi. A large audience is what a Wi-Fi designer would consider to be a textbook high-density deployment. As long as the speaker is moderately compelling the attendees probably aren’t using their mobile devices very often. But during a high-profile product demo, reporters, journalists, and bloggers are furiously uploading a play-by-play (with pictures and video) of the latest and greatest that your company has to offer.

Killing Conventional Wi-Fi: Lots of upstream traffic.

 Imagine that there are 10 dual-band access points (20 radios) serving an auditorium room of 500 Wi-Fi clients. If the users were merely browsing the Internet the traffic would be about 80% downstream and 20% upstream which is very reasonable and manageable.

But in a high-profile product demo it's probably close to 85% upstream traffic that will cause some major Wi-Fi issues if the wrong product and design are used. 

Since Wi-Fi’s access protocol is essentially a roll of the dice led by anarchy, the more devices that are transmitting the greater chance that collisions occur. More technically, before a Wi-Fi device transmits a frame it randomizes a number in an attempt to avoid collisions. Most modern devices randomize between zero and fifteen and once they choose a number, they begin counting down. When their counter gets to zero, they transmit. If they choose the same number, there is a collision.

To simplify an example, let’s look at a fictitious system where all traffic on a network is downstream. In that case, there are only 20 transmitters (the 10 dual band APs). Now, take that same amount of traffic and reverse it to upstream. Now there are 500 devices randomizing between zero and fifteen. Even if you skipped Statistics 101 it's apparent that 500 devices will choose the same number (collision!) considerably more often than 20. 

Expert Tips to Make your Live Demo Work with Wi-Fi

  1. Make sure your device is connected on the less congested 5 GHz band. If your device doesn’t have 5 GHz capability, cancel your demo, kick your hardware engineers in the shins and come back when it’s dual band. As an added precaution, you can even set up a special AP on a 5 GHz channel that isn’t used by the normal system. Hide the SSID so no one in the conference tries to connect to it.
  2. Encourage attendees to use your conference Wi-Fi and not their own 3G/4G/LTE hotspot. To help with that, don’t use a captive web portal and don’t enable security. Hotspots just create extra low data rate broadcast traffic and don’t work well in a high-density environment like a true enterprise system.
  3. Make sure your Internet backhaul doesn’t become your bottleneck. A great Wi-Fi network can be very, very fast -  moving 1 Gbps of aggregate data or more.  But if your backhaul to the Internet can't handle the load, it's a moot point.
  4. Start with a proper site survey and RF design. This is always a key component to any good Wi-Fi system. Too few APs or too many APs can cause some major headaches.
  5. Take extra care where you place access points. Proper placement of access points is essential in minimizing co-channel interference and gaining extra network throughput. 
  6. Get purpose-built Wi-Fi equipment designed for the task. You saw this coming. Nearly every Wi-Fi supplier will tell you that their boxes support hundreds of concurrent users. But that's not really the point.  The point is how they optimize network access in the face of high client counts. In these dense and noisy environments, getting users on and off the network as fast as possible at the fastest data rates is what works best. Simply put, not all Wi-Fi systems are created equal. Consumer level devices, for example, advertise very fast connection speeds but are ill equipped to handle a high number of concurrent connections. Even among enterprise products there are significant differences in high-density capabilities.

September 24, 2013

Apple's iOS 7 GETS HOT!

Apple-logoApple just announced that it has already sold 9 million 5s and 5c iPhones. B
uried in this news were reports that some 200 million existing iOS devices have already been updated to its new iOS 7.

Typical of any Apple product announcement,Tech writers, bloggers, and vendors have spilled copious amounts of ‘digital ink’ covering some of the new features that iOS 7 offers, but have missed the bigger story.

 Even if you only read the Wi-Fi-related coverage you would know that the new iPhone 5s and iPhone 5c do not have 802.11ac support, that Siri can now communicate with iOS devices using multipath TCP (pretty cool), and that Airdrop leverages Wi-Fi and Bluetooth for direct file transfers (just to name a few features).

 But you probably haven’t seen ANY coverage of what will likely prove to be the most significant new Wi-Fi feature in iOS 7, namely its support for 802.11u and Hotspot 2.0.

HS20-screenWhile not all of the 200 million Apple devices said to be updated to iOS 7 will support Hotspot 2.0 (older iPhones, iPads and iPods currently do not), it's certainly some obese number north of 50 or 60 million new Hotspot 2.0-capable mobile devices that have quickly appeared almost overnight. Wow.

 Samsung was the first put the Hotspot 2.0 ball in play back in April with the launch of the Galaxy S4. But Apple just gave it a Balotelli-esque kick towards the goal with the launch of iOS 7. It’s this growing momentum that’s behind some of the recent operator announcements of open trials of Hotspot 2.0 on their networks.

 Ruckus has been working with the iOS 7 Hotspot 2.0 implementation for some time now and have successfully tested iOS devices using EAP-SIM, EAP-TLS, and EAP-TTLS with both our ZoneFlex and SmartCell architectures.

While the inner workings of 802.11u and Hotspot 2.0 are true technical artistry (Here's an informative technical deep dive on 802.11u and HS 2.0).  And the result is simply that devices just work – automatically selecting a network for which its credential(s) are valid, and then setting up a WPA2 encrypted connection to the network using the credential. (For more information of the details of Hotspot 2.0,  visit our Hotspot 2.0 TechTalk page). 

CLICK HERE to See Apple Configurator Utility

And, go figure, the most significant aspect of Apple’s Hotspot 2.0 solution doesn’t even involve the device. It’s the updated Apple Configurator Utility (ACU),which now can generate iOS Hotspot 2.0 mobile configuration profiles. And in all its elegance, you won’t find a radio button or slider anywhere in the iOS 7 Settings to enable Hotspot 2.0 or Passpoint™.

Instead Hotspot 2.0 is enabled, and the credential and its parameters provisioned, by loading a mobileconfig profile onto the device. For those familiar with iOS profile generation and distribution this will immediately give rise to some interesting possibilities. Once created, these profiles can be delivered to an iOS device via e-mail, HTTP or HTTPS.

One of the big issues with enabling devices for Hotspot 2.0 up until now has been the question of how to provision the credential to the device (with the exception of SIM credentials, which could be utilized with default parameters on the Galaxy S4 simply by turning on Passpoint).

With the ACU (click on the image above)and iOS 7, an operator, authentication provider, or enterprise could generate the Hotspot 2.0 profiles, digitally sign them, and then send them to the end users for installation. This architecture has been widely used to provision Apple BYOD devices in the enterprise, and can now be used by operators to provision their subscribers with Hotspot 2.0 credentials as well. The one thing that is missing is the ability to provision any type of policy or preference for how the credential is utilized. That is one area that The Wi-Fi Alliance is focusing on with Hotspot 2.0 (Release 2), along with a standardized architecture for Online Signup and OTA credential provisioning. And, yes, we’re quite involved in Release 2 as well.

So there you have it. News behind the news that you can actually use.

September 11, 2013


Plugging-in-ethernet-2Ever bought a new gadget, like an external hard-drive, plugged it into your computer only to find out that, for it to work properly, you need a new and better connector to drive the device?  And these connectors are NEVER cheap.

The same could happen in the Wi-Fi world if you’re not smart (we will help with that part, just keep reading).

Be Careful Moving to 802.11ac

As the market moves to the latest and greatest 802.11ac standard that promises potential gigabit Wi-Fi speeds (read this to be better prepared), what many Wi-Fi suppliers won’t tell you is that deploying this great new high-speed Wi-Fi standard will require upgrading your switching infrastructure to higher powered 802.3at PoE switches to realize the full benefits of these 802.11ac access points. More likely, they’ll tell you that their new 802.11ac gear will be supported by the commonly deployed  802.3af PoE standard. A closer look shows this to be misleading. Take Aruba’s recent BLOG on the topic that stated:



“Upgrades to 802.11ac access points are happening way faster than anyone expected. Why, you ask? Well, a few big factors…Wi-Fi Alliance certification, abundance of 802.11ac devices hitting the market, and up to 300% better performance for 802.11n mobile devices! These three reasons alone make a compelling case for the upgrade. The icing on the cake is that you get all this without having to upgrade your wired 802.3af infrastructure.


But hold on.The specifications on Aruba’s 802.11ac AP220 Series Access Points seem to tell a different story.  See for yourself. 





Effectively, you CAN run Aruba’s new AP on your existing 802.3af PoE switches, as long as you don’t mind being severely limited within the 2.4GHz environment or can live with limiting some of the physical connectivity functionality.

Why is More Power Needed?

With 802.11ac, the radio front end is very sophisticated, sporting sophisticated Wi-Fi chips,more components, more antennas transmitting more spatial streams. What’s more, Ethernet switch ports on the AP and dedicated onboard CPUs can easily push the power draw on these access points to well over 15.4 watts which is what 802.3af PoE switches deliver.

The original IEEE 802.3af standard version of PoE supplies up to 15.4 W of DC power (minimum 44 VDC and 350 mA) to each powered device. So if an access point is deemed to be compatible with an 802.3af PoE switch, it means that it needs less than 15.4 watts of power to operate (in fact, you need less than 12.95 watts as some power is lost over the length of cable). There is also a higher power PoE standard often referred as PoE+. The official name is 802.3at, and it supplies 25.5 watts of power over the cable to the powered device.

Now What?

So when you start thinking about upgrading to 802.11ac, be sure to check the PoE requirements of your preferred 802.11ac access point.  

In most cases you will find (as stated above) that either the requirement is for an 802.3at (PoE+) Ethernet switch or in some instances you might come away believing that the AP will run on lower powered 802.3af; but, this is only true when a number of functions on the AP are disabled (as shown in the Aruba example). If you are going to start turning off functionality to meet power requirements, this might draw into question why you “upgraded” your APs in the first place. If you decide you do need the full AP functionality, then your budget is going to have to stretch to a new PoE+ switch infrastructure as well, which will probably add anywhere from $100 to $200 per PoE+ port (at retail) to the network build, depending on the vendor.

Getting Smart About 802.11ac

At Ruckus we’ve been working hard to solve this power struggle to ensure our .11ac products will work seamlessly (with full functionality) with existing 802.3af PoE switch infrastructures.  

But going a step beyond, because 802.11ac requires different silicon, we understand that thereare painful capital costs involved in upgrading.

As a result, Ruckus has developed a unique and compelling 11ac Upgrade Program.  And here’s how it works:


Anyone who purchases one of our indoor ZoneFlex 802.11n Smart Wi-Fi access points can add a three-stream 802.11ac AP for only $499.00. When our 802.11ac smart Wi-Fi access point hits the market it will be shipped right to you. And guess what?  You can still keep the 802.11n AP. Finally, you won’t have to change your PoE switch infrastructure to use either. 


Now THAT’S more power to you!

August 19, 2013



Knowing where someone is is important. If you know where someone is, you are in a better position to do something for or with them. This is the basic concept behind location-based Wi-Fi services (so-called LBS).

Indoor location technologies have received a lot of attention in the mobile world recently, with Apple's acquisition of WiFiSLAM, Google's increasing support for indoor locations in Google Maps, and Microsoft’s expansion of indoor maps in Bing (source: Seeking Alpha)

By knowing where clients are, companies are able to help them get wherever they need to go, make the network experience better for them, use data from their location to optimize their experience, offer them stuff, and tell them something along the way.

As Smart Wi-Fi solves the capacity, reliability, and performance problems on Wi-Fi infrastructures, enterprises and carriers have become keenly interested in offering LBS services to their customers and their' clients.

Different Approaches to Using Wi-Fi to Determine Location

Think of Wi-Fi location as indoor GPS. Wi-Fi-based positioning systems are used where GPS is inadequate due to various causes including multipath and signal blockage indoors. Though the Wi-Fi protocol fundamentals haven’t changed much in the past few years, the ecology of Wi-Fi location services have completely flipped. Now that almost every human on the planet has multiple Wi-Fi-enabled devices—in pocket, on hip, in hand, on desk—businesses from retail and hospitality to healthcare and education are looking to capitalize. With that shift, new techniques to improve accuracy are emerging, user behavior and expectations are changing, and new location service models are being built.

Wi-Fi supports a number of different location approaches today, but signal strength localization based on signal strength (using multiple received signal measurements to calculate the source’s location) and RF fingerprinting (collecting on-site RF data to map signal measurements to locations) have been the most common. Most of the focus on location whas been asset tracking or locating clients and rogue APs.


Real-time location service (RTLS) tags, commonly called asset tags, were designed to track and monitor things, like shipping containers, medical assets, or even tag-toting people. The tags periodically collect AP signal data and report to a network-side server that does the calculating and tracking using RSSI-based localization and/or a previous RF fingerprint (a walkabout calibration). The server displays tag location on a map or uses geo-fencing concepts to trigger alerts. Despite being relatively easy to overlay on existing Wi-Fi infrastructures, asset-tracking solutions require network-side servers, and have not seen any major overhaul in the past few years.

Mobile Applications

As a second option, mobile device apps—focusing on indoor Wi-Fi, where GPS is inaccurate—are gaining traction. Like everything else in the mobile ecosystem of connected things, the breadth of appeal for phone-based apps is very wide, touching every industry and almost every user in some way.

The potent drawback to mobile location apps has been Apple’s notoriously limited Wi-Fi API access, which prevents developer access to RSSI metrics. For this reason, client-side location processing is a major challenge, and network-side sensors and engines are necessary for RSSI calculations. Client-side data engines also have a consequence for battery life. Without iOS support, any mobile app is constrained to a limited user group or device set, and no one wants to build a customer, guest, or user-focused app that excludes Apple. Riots follow.

But, WHILE some companies are retooling the client-side approach, mobile-focused companies are also rethinking location algorithms altogether using machine learning techniques to track indoor location. Some companies think of device location as a complex “DNA chain,” wherebyusing RSSI fingerprints, RSSI trilateration, and/or TDoA can provide initial location context; then, by pairing successive RF fingerprints (where is the user walking?) with inertial phone sensors (gyroscope, accelerometer, compass), location can be tracked with very high accuracy, down to 2-3 meter mark. If that isn’t good enough, other mechanisms are added to improve reliability; for example, map processing can also be used to improve accuracy by ruling out impossible paths on the map—also known as error cancellation. But again, one of the limitations to app-based approaches is that not all mobile devices have the same capabilities, so it is more challenging to build an all-inclusive app-based service for all device types (iOS, Android, Windows, etc.).

Wi-Fi Signal-Based Localization and RF Fingerprinting

RSSI-based localization and RF fingerprinting provide reasonable accuracy, hovering on the disappointing side of room- or aisle-level precision. Without aid from other technologies (exciters, chokepoints, external systems like video systems), 3-10 meter accuracy is about as good as it gets.

With RSSI trilateration, the key problem is that RF signal strength varies widely at a moment’s notice, causing unreliability in measurements. Minimally, three signal sources are necessary for each measurement, but with varying levels of RF attenuation (due to walls, doors, windows, elevators, etc.) between client and AP, the RSSI-to-distance correlation is somewhat shaky, reducing accuracy.

RF fingerprinting suffers from the same RF variation problems. If you take five “fingerprints” from a single location, the fingerprint will look different each time. Additionally, RF environments change over weeks and months, so an RF fingerprint taken today may not be valid for that building down the road. Calibration or fingerprinting becomes a repetitious process.

Time Difference of Arrival (TDOA)

Time difference of arrival (TDoA) is another technique to determine client location that takes advantage of the constant travelling speed of radio waves, using round-trip time (RTT) of frame exchanges to measure distance. Very fast chip clocks are required to measure nanosecond time granularity; as clock speed increases in Wi-Fi chips in the future, accuracy of TDoA will increase with it.

Wi-Fi products with dynamic, directional antenna systems have a unique opportunity to correlate antenna metrics to determine client location and further improve accuracy—collective techniques ultimately contribute to precision.

Crunching Location Data Improves Reliability


Wi-Fi-Based location services can provide valuable business aanalytics and data that can be used for optimizing the WLAN, such as how long clients dwell within a certain area (CLICK IMAGE ABOVE)

With mobile devices as the catalyst, a more user- and consumer-centric approach to location is taking form, where businesses seek to benefit indirectly by adding value to their customers, guests, or end-users. The breadth of appeal for mobile and the increasing use of Wi-Fi also enables businesses to justify the cost of application development (and the Wi-Fi network itself), because suddenly Wi-Fi is tied to revenue instead of expenses.

Borrowing a theme from the mobile ecosystem, location platforms are creating easy-to-use APIs and SDKs, simplifying the integration and customization issues. Instead of building a generic application tailored for some specific customers, location vendors build the location tools and then allow the customer to build their unique application.

Beyond the Infrastructure: Data is King

It's important to note that the biggest single benefit of LBS services is gathering data and analytics from users that can be used by organizations to improve the user experience and customer service. Almost always, when you hear pundits talk about location services, they cite the usefulness of location to push people advertisements and coupons. This is interesting and useful but users find it bothersome at best.

Naturally, a lot of focus has been on retail, where location and analytics are wed. As we’re already seeing, many solutions focus on higher-level analytics with rough RSSI data to evaluate customer traffic trends, capture rates, return rates, and similar. But with more information, retail centers can optimize stores based on typical customer traffic paths, or venue owners can charge more for premium storefront or high-view ad spots.

But look at verticals such as hospitality. They have elements of retail (bar, restaurant, spa/massage services). Then they have navigation challenges (where is the conference room, bar, my child, pool, fitness area, etc.), where a site mapping/navigation app could be helpful.

Then there’s the huge premium on customer service, where location services could be tied to customer service systems—personalized greetings for loyalty members, quicker in-app check-in on arrival, and you can dream up any number of ways to pamper guests with location-specific customer service enhancements. And the wheels are spinning in other industries, like transportation, manufacturing, healthcare, stadiums, and other venues. Expect Wi-Fi to provide much more than Internet access; as the trend matures, users will begin looking for site/venue-specific apps on arrival.

Beyond the enterprise, carriers have an even stronger interest in offering location services and analytics – not only to better tune their network but to also help monetize them. Smarter Wi-Fi services that add granular location details of users leveraging basic network information allows carriers and their customer to deliver much a higher quality experience to end users.

If it’s not already, put this topic on your radar. Location may be the next place to be.

July 10, 2013

Where's the Ruckus?

SomeecardFor years Gartner has been publishing a standalone enterprise wireless LAN magic quadrant. But in 2012, they made a fundamental change.

In their infinite wisdom, they decided to combine both wired and wireless network access into a single magic quadrant. So, if a wireless LAN vendor doesn't offer a wired solution, they are out. Period.  

Going forward, this change effectively excludes pure-play wireless companies, such as Ruckus, that specifically focus on best in class Wi-Fi systems. If a wireless supplier offers just one wired switch product, they can be included with no revenue requirements on the wired side (but given they meet the rest of Gartner’s criteria). 

Perhaps one of the most influential pieces of research published yearly, Gartner's Magic Quadrant study examines the positioning and capabilities of all the qualifying vendors within a given market segment, ranking suppliers within four "quadrants" - niche players, challengers, visionaries and leaders - based on two key criteria: 1) ability to execute and 2) completeness of vision.

Vendors love to hate Gartner's Magic Quadrants. If they aren’t ranked where they think they should be (in their own biased view), out comes the WHINE. And few are ever satisfied with how they are ranked and will give you an ear full behind closed doors.

But this situation is quite different.

This effectively excludes pure-play wireless companies, such as Ruckus, that specifically focus on best in class Wi-Fi systems. If a wireless supplier offers just one wired switch product, they can be included with no revenue requirements on the wired side (but given they meet the rest of Gartner’s criteria). 

The big question here seems to be “what’s the motivation behind the change?” 

We simply see this as a structural disconnect from the buying patterns of the bulk of the enterprise WLAN market. The vast majority of WLAN RFPs are independently focused on Wi-Fi technology. Customers aren’t asking for generic client access solutions in their RFPs (what the magic quadrant now evaluates); they’re specifically asking for the best Wi-Fi for their business (what the magic quadrant used to evaluate).

Truth is that many analysts get their information and ideas from vendors, scrutinize them and then create reports and forecasts that they sell to clients based on this information.


Wi-Fi has become a much more strategic technology for organizations that are being barragedwith smart mobile devices that simply don’t have an Ethernet port. 

For IT managers, the skill set between wired and wireless access is very different with few similarities between these access methods.  The management and interface between these two access technologies is also very different. And most IT managers now view switches as more of a backhaul technology for wireless access.  So why combine them?

LAN technologies are very mature, highly commoditized, and no longer the domain of much productivity-enhancing innovation, if any, as the bulk of enterprise access moves to the WLAN (witness the rapid demise of traditional PC sales and the equally rapid proliferation of devices with no Ethernet ports). Vendor selection and network planning in this environment are all about cost control and simplification to meet a well-known set of functional requirements.

WLAN, on the other hand, is at a much earlier development stage, with rapid changes in requirements over the past couple of years (e.g. BYOD, mobile device proliferation, etc.) and more to come (dramatic increases in mobile bandwidth consumption, continued mobilization of enterprise apps, the internet of things, location-based services, service-provider/enterprise convergence, etc.)  

This is fertile ground for innovation throughout the WLAN ecosystem — from chipset providers, devices, infrastructure, applications, to enterprise implementations and business models — and the space is moving quickly as a result. IT strategy considerations here are completely different — the key dimensions are performance headroom and supplier thinking about building flexible platforms for application/use-case innovation.

Some might argue that these two technology segments are closely linked — and we’d agree.  There are important points of intersection with wired and wireless that center on authentication and policy.These interfaces use well-defined and well-implemented industry standards.

Most organizations, we’d argue, follow a best-in-class solution approach of using commoditization to their advantage in LAN infrastructure while pursuing innovation from a different vendor for their WLAN.  Interoperability is no more difficult than with a nominally single-vendor approach.

By combining a stable, mature technology with a rapidly-evolving, innovation-rich segment, Gartner is masking important distinctions between the relevant buying thought processes — and excluding vendors that are focused exclusively on the center of enterprise access network innovation (i.e. WLANs).

The fact of the matter is that the majority of WLAN suppliers focus their efforts on managing Wi-Fi traffic AFTER users are connected to the network.  They do little or nothing to improve the airlink performance and reliability of Wi-Fi by delving into the wonderful world of radio frequencies - where all the MAGIC really happens. This is precisely what Wi-Fi is really all about: optimizing the “physical layer” – how to get bits through the air fast.

Enterprises also appreciate that their wired vendor probably isn’t a wireless expert. And a combined solution, while potentially attractive from a cost and/or architectural perspective, probably won’t solve their burning wireless issues.

For enterprise IT managers looking for a world-class WLAN to solve their capacity and performance problems, exclusion of pure-play Wi-Fi companies because they don’t offer a wired solution seems, well, non-sensical.


For Fortune 500 companies that often want to purchase wired and wireless gear from a single vendor to have a single throat to choke (hopefully metaphorically)—or because they get big wireless discounts after big wired spend—Gartner’s move sounds reasonable.

But where does it leave the un-Fortune 500,000 – such as schools, hotels, hospitals, warehouses, stadiums, and public venues – who must operate within an almost exclusively mobile user environment and see wired access simply as a passé means for hauling wireless traffic?

With the rising importance of wireless communications and smart mobile devices within the enterprise, Wi-Fi is now viewed more strategically than ever before. Wired access, while important, is viewed more as a commodity utility used to enable the wireless infrastructure.  

When organizations make wireless decisions, the vast majority of them (in our humble opinion) won’t settle for anything less than what delivers the fastest and most reliable connections to users.

In other words, Wi-Fi stands alone.

June 28, 2013

Cool New Technology Secures Open Hotspots

HackerHotspots are just that.

People everywhere now have an insatiable demand for constant connectivity. You’re probably one of those people. 

That’s why public hotspots are predicted to rise by 350% by 2015, and the number of private hotspots is expeced to hit over 640 million (according to Informa Media and Telecoms).

While global public and private hotspots are exploding so is identity theft, fraud and other criminal activities that can be made possible through access to unencrypted confidential information.

Informa-chartsSo despite this insatiable desire for connectivity, users are becoming more aware and fearful that their communications at open hotspots could be compromised.

Most businesses with a knowledgeable IT staff will take the time to secure their internal wireless infrastructure with suitable encryption techniques. But most public hotspots are not encrypted or protected in any way.

This means that users are potentially vulnerable to attacks or confidentiality breaches. This is also a major problem for enterprises with limited IT staff that want to offer safer guest access but don’t have the time or expertise to implement robust wireless security.

To provide a more secure hotspot experience authentication (i.e., the user’s identity) and encryption (data scrambling) are the two primary security items that should be addressed.

Security at the transport layer (e.g. HTTPS) does help by encrypting transmissions between the client and the destination server. However users want more assurances at the link layer (layer 2) as traffic goes flying through the air.

Security at Today’s Hotspots

Hotspot2Traditional approaches to link layer encryption require users to select an SSID and enter some sort of shared encryption key or passphrase to scramble their data flying through the air. Wi-Fi access at hotspots, your typical Starbucks or airport of choice, is generally provided over an open SSID that is easy to find - requiring users to simply accept general terms and conditions of use with no encryption of their data transmissions.

Because today's hotspots employ open connections, which don't offer any form of link-layer security users can be subject to the following attacks: 

  • Hi-jacking. This where an attacker impersonates the access point to which the user's device is associated, causing the device to disassociate from the Wi-Fi network. The attacker then assumes the user’s session, effectively stealing their service.
  • Cookie-cutting. In this case, the attacker snoops on unencrypted Wi-Fi communications and intercepts a user’s session cookie allowing the attacker to access private user content on Web pages.
  • Evil twin. In this attack, an attacker sets up a rogue access point whose SSID is set to the same name as that of an access point deployed by a legitimate hotspot provider. This attack can be used for identity theft.
  • Eavesdropping. This is where unencrypted Wi-Fi communications are intercepted by an attacker, compromising personal information such as passwords, credit card numbers, and email information.

Most enterprise networks don’t have these Wi-Fi security problems because they make use of the IEEE 802.11i security framework that leverages WPA2-Enterprise encryption and EAP authentication. In hotspots however, 802.1X communications are typically not offered.

As a result, users have no assurance their connection is secured and their data protected. In other words, the security setting in hotspots is typically “open.” So while users will be authenticated, there is no attempt to ensure that the on-going access provided is encrypted to prevent security breaches.

Finally, the use of WPA2-Enterprise can make it difficult for clients to roam among different Wi-Fi hotspots. If the mobile device's connection manager doesn't recognize the SSID for a roaming partner's network, it won't attempt to join that network. And most of the time, users don't know the SSID for a roaming partner's network.

What if there was a way to automatically provide encrypted access through an open SSID without users having to do anything other than click a box to select a more secure connection? That could be the holy grail of hotspots.


Cool Technology Behind Secure Hotspots

Secure-Hotsopts-in-actionAt a high level, secure hotspot technology pushes much of the Wi-Fi security process; typically a manual process performed by each user, into the network while providing new methods for configuring client devices without cumbersome keying of SSIDs and encryption keys. Doing this can completely transform and protect users’ hotspot experience with little to no effort.

At the heart of secure hotspot technology are two essential tasks:

  1. generating unique encryption keys for each user and
  2. automating the configuration of these keys and other Wi-Fi information within the user’s device.

Two exciting technologies either in progress or already available to solve these problems: Hotspot 2.0 and new secure hotspot technology.

Hotspot 2.0 is a global initiative championed by the Wi-Fi Alliance (WFA) and Wireless Broadband Alliance (WBA) to address a myriad of Wi-Fi hotspot concerns ranging from automating the authentication and security of Wi-Fi connections to provisioning policy, establishing roaming agreements and ultimately the seamless transition between Wi-Fi and cellular networks. Hotspot 2.0 is an ideal way for carriers and enterprises to address some of these specific Wi-Fi hotspot security concerns when commercial Hotspot 2.0 network services become available in the future.

Beyond the larger Hotspot 2.0 framework, recent advances in Wi-Fi and Wi-Fi security now provide a way for public venues, enterprise and carrier to offer secure hotspots through an open Wi-Fi network. This has the advantage of requiring no new protocol or software support (Hotspot 2.0) and works across nearly all Wi-Fi enabled devices.

With secure hotspot technology, once a client associates to a open SSID from an access point, the wireless LAN (WLAN) controller sends the client device to a predetermined Web portal. The end user then asked if they want a secure or open connection.

After signing in, a unique 63-byte encryption key with a limited life span is generated and bound to the user device by the WLAN controller. Vendors often call this capability Dynamic Pre-Shared Keys (DPSK) or Private Pre-Shared Keys.

With secure hotspot technology there is no need for pre-defined user credentials whatsoever. The Web server simply instructs WLAN controller to create a unique encryption key based on whatever information that hotspot operator wants to use to track users such as an email address, name, or so on.

Once the key generation process is complete, the unique PSK and all the requisite WLAN information necessary to establish a secure connection is installed within the users’ device connection manager using a dissolvable provisioning file that it automatically created and pushed to the user’s devices without having to install any additional applications. The user device then automatically associates with the encrypted hotspot Wi-Fi network.

The end-user sees the option to connect more securely or not. There is no need on the part of the hotspot administrator to pre-configure any users, although they can log details on each user and usage within the hotspot. The Administrator’s set-up is very simple. They need only configure an “open” (provisioning) SSID and an encrypted hotspot SSID for devices to automatically connect to once the user has agreed to setup an encrypted connection.

Ultimately secure hotspot technology breaks the traditional paradigm between higher levels of security and higher complexity in implementing stronger security giving organizations a unique way to easily offer encrypted connections over open networks with little to no effort.

Hotspots will never be the same again.

June 09, 2013

Better Wi-Fi Coming in Waves

Test802.11ac is all the rage, and rightfully so. It represents another fundamental change in the innovation of the 802.11 protocol that promises to boost speeds into the gigabit world.

802.11ac gets this big leap in Wi-Fi performance using wider channels, more efficient modulation (the way in which bits are carried within RF waves), and multiple user connections (so-called multi-user MIMO). And it will come in waves.  Literally.


However, Wave 2 requires new silicon chips that are different from Wave 1 devices (read hardware upgrade).

Beware that not all 802.11ac access points will be created equal.  Many using the Broadcom chip will suffer from some limitations such as the inability to support more than 50 encrypted clients. And without an onboard CPU in the Broadcom .ac, all Wi-Fi functions are processed by the host's (AP) CPU. This is far less efficient because the offloading prevents the AP CPU from using low-power states.


As always, don’t actually believe that you’ll get any of the gigabit speeds that vendors are promising anytime soon because most of these features are dependent on how well Wi-Fi access points can manage the RF spectrum. The vast majority of enterprise APs today still use basic omni-directional antenna designs that have no control over RF signals.

Quite honestly, the single best benefit of 802.11ac is that it operates within the channel-rich 5GHz band – offering 500MHz of bandwidth from 25 non-overlapping channels (compared to 83.5MHz of bandwidth within the 2.4GHz band using 3 non-overlapping channels).

Wider channels are also compatible with 20 or 40 MHz 802.11a and 11n devices. 802.11ac uses an enhanced version of protection mechanisms (RTS/CTS) to dynamically determine whether all or only some (such as the primary 20, 40, or 80 MHz) of the wider channel is available for transmission.

Finally, a fundamental priority for the IEEE is to maintain backward compatibility with previous 802.11 protocols. As a 5GHz only technology, 802.11ac supports both 802.11a and 11n frame formats and protection mechanisms and is fully backward compatible with both.

So we’re all good, right?  Not so fast (get it?).

Spectral Efficiency: the Key to 802.11ac

What vendors WON’T tell you about 802.11ac is that spectral efficiency can easily be reduced in a Wi-Fi network whenever multiple APs are using wider channels.

Spectral efficiency relates to the information rate that can be transmitted over a given bandwidth in a specific communication system. It is a measure of how efficiently a limited frequency spectrum utilized by the physical layer protocol.

And they won’t tell you that the modulation techniques that allow faster communications will only benefit clients at close range with a very high signal-to-noise ratio (that the preponderance of enterprise access points can’t deliver). Range will also be an issue as 5GHz Wi-Fi signals have shorter useful range and do not penetrate obstructions as well as 2.4GHz signals. 

As a result, it’s important to look for 802.11ac products that focus RF signals, increasing gain and extending reach to enable higher data and modulation rates. The ability for Wi-Fi systems to adapt to changing environmental conditions and a myriad of different client types significantly increases the likelihood that all these capabilities (that make 802.11ac so attractive to enterprises) can actually be put to good use.

Finally, keep in mind that 802.11ac will come at a cost – a higher cost. This cost is not only for the access points but also for new PoE switches that will have to support the higher-power 802.3at standard that many of these new 802.11ac APs will require.

Signal Path Control Adds Big Value

For 802.11ac to work as advertised, it’s essential to have greater control over the signal paths within the RF spectrum.  

This proved to be the case as the industry moved from 802.11g to 802.11n, which introduced multiple Wi-Fi radio chains (MIMO), a whole bunch of new PHY rates, spatial multiplexing, and the aggregation of frames. The same is true as companies migrate from 802.11n to 802.11ac. 

For instance, with per-packet adaptive antenna control, polarization diversity, and active channel selection techniques, Smarter Wi-Fi APs maximize the potential of 256-QAM with 802.11. This means

  • Greater SNR/SINR increases the useful downlink range of 256-QAM
  • Adaptive polarization diversity with maximal ratio combining (PD-MRC) and higher uplink receive sensitivity increase uplink range of 256-QAM, and
  • APs that can select channels with more capacity and less noise and interference.

Also with the possibility of 20MHz, 40 MHz, 80MHz or 160MHz channel widths, it becomes increasingly difficult to determine what channel widths are optimal for each environment based on spectral reuse, the number of APs, transmit power, client device types and channel support, etc.

Predictive channel selection (i.e. ChannelFly) tackles these problems by determining the highest-capacity channel available by using statistical modeling of actual traffic over time. ChannelFly helps 802.11ac to

  • learn the channels best suited for bonding at any given time,
  • adaptively change channel as environmental conditions fluctuate,
  • discover the best channel settings for the environment, the client device types and count, channel width support, and the amount of traffic at each bandwidth setting.

Finally, when multi-user MIMO comes around, it will be imperative to have access points that can direct Wi-Fi signals to each client to better separate signals. This enables higher sustained data rates, and increased client capacities can be achieved because users can get on and off the Wi-Fi network faster and with less packet loss and retransmissions.

Adaptive or smart antennas will simply add unmatched value to any 802.11ac deployment.  Without explicit RF controls, 802.11ac performance will be severely limited.

Because adaptive antennas constantly focus Wi-Fi signals over the fastest possible path at any given time, this provides better spectral efficiency – enabling larger frames to be transmitted, advanced modulation techniques to be extended, and higher SNR/SINR levels to be achieved.

802.11ac is an optimistic protocol with impressive theoretical gains. But at the end of the day, the best approach to improve capacity and enable such high data rates with 802.11ac will require a more sophisticated approach to RF management. Without it, you just might be wasting your time and money.