Deployment of New Wireless Network
Wireless access points are operated in OSI layer 2. Impacts on lower layers are significantly fewer for the change in IP layer. But for various management purposes and packet handling scenarios in access points urges the support for IPv6 in wireless networks. Some major wireless devices are capable of handling upper layer traffic based on layer 3 and layer 4 parameters. So IPv6 packet handling and packet data management need to be ensured.
Both IPv4 and IPv6 packets can be secured (authenticated and encrypted) with IP Security (IPsec) extensions. Today, IPsec is heavily used with IPv4 to meet wireless security needs where WEP is insufficient or impractical. So we can expect the IPsec usage to continue with IPv6 much as we have seen with IPv4.
Isolated Wireless networks in Office are used to provide LAN access and internet services to the various user groups. Most of the departments maintain their own wireless networks and keep the complete control over them. So there are multi-vender isolated access points distributed throughout the Office.
- Dept of Sales – 3COM
- Dept. of Accounts - Linksys
- Dept. of Engineering - EdiMax
Redesigning the existing wireless network has come in to the picture with the decision of migration of the university network to IPv6. So the exiting standalone access point based wireless network will be replaced with a new centrally managed single unified wireless network for the whole university. It will also be IPv6 capable.
Single Wireless Network for the Whole Office
Currently the Office is having stand alone access points in different administrative divisions and departments. Each wireless network is having subnets based on the address block assigned to the department. Each of them is managed by the respective division.
Having a single wireless network for the whole university has its own pros and cons. It offers central management for the authentication and radio management for the whole wireless network. Similarly someone can see the centralized wireless network is susceptible for attacks and that kind of attack may much more hazardous than a standalone access point based wireless network. As well controller based wireless access points which are used in are much higher in cost.
Controller based access points
In order to have a single wireless network for the whole office there should be a mechanism for centrally manage the entire authentication kind of functions. As well it should be IPv6 capable. (Wireless controllers are considered as layer 3 devices)
So the solution for all these requirements is to deploy an IPv6 capable controller based wireless network for the university.
Required features of new wireless controller base design
Centralized Authentication
With a controller based wireless system, MAC authentications and 802.1 x authentications should be done with a central Radious server or an AD. It can be a username / password based system for whole Office. MAC address filtering and certificate / shared key based authentication need to be done centrally.
Centralized Radio Management
1. Since all the access points are managed centrally interference from the nearby access points can be avoided easily. Otherwise they need to manually configure to use non-overlapping channels for adjacent access points.
2. It need to be capable of shifting the users to adjacent access points if the load on one access point is high and the neighboring access point is lesser.
3. Users can be automatically shifted to neighboring access points if any access point suddenly fails, thereby introducing redundancy in the network.
Group wise customized management
Wireless users can be further segregated in to sub-groups and each group can be given separate network access policies. If we consider the university environment, users may be categorized as departments; students, non-technical staff and lecturers so on. Sometimes temporary needs are come out for testing kind of purposes. Access restrictions needs to be defined. Users may be able to block based on the MAC address or such parameter. There will be different bandwidth requirements for different user groups based on the Office policies.
So the controller should be able to define policies for different groups.
Security
Security is the major consideration in centralized controller based wireless network. Since the network is dual-stack both IPv4 and IPv6 hosts will be there. IF the controller is able to associate with IPSec features to provide the security it will be an added advantage in future IPv6 migration steps.
Wireless controller can dedicate a radio (or whole access points) for wireless intrusion detection and monitor the network for wireless threats like MAC spoofing, honey pot attacks, Denial of Service attacks, Ad-hoc networks etc.
RF visualization
It should be able to visualize the user level and signal coverage related data associating with the floor plan of the network. This option is highly valuable for troubleshooting and monitoring purposes. It should be able to locate any client once the MAC address is entered.
Reasoning
- Existing separately managed isolated multi-vender access points cannot be easily migrated to a centralized solution.
- Lack of support for IPv6 configuration and operation in the current wireless setup.
- Cisco solution fulfills all the above mentioned requirements for a centralized wireless network management.
- Adequate IPv6 support in WCS based Cisco wireless solution.
- Value added features and expandability.
Basic key considerations in selecting a new wireless solution are the centralized manageability and IPv6 support. Since this is a major investment for the Office the cost of the migration, configuration and management should also be minimized.
Since most of the existing access points are not IPv6 capable and software upgrades are not sufficient to provide the requirement, physical device replacement is recommended.
There are various venders who provide controller based wireless solutions such as Cisco and Nortel. But they have different approaches in adjusting to IPv6 and having various rates of adaptation of IPv6 for their products.
CISCO Controller Base Wireless Solutions
Cisco Wireless LAN controller
Cisco wireless LAN controllers deliver system-wide wireless LAN services such as security policies, intrusion prevention, radio frequency (RF) management, quality of service (QoS), and mobility. Cisco wireless LAN controllers work in conjunction with Cisco Aironet light weight access points and Cisco WCS to deliver real-time mobility and network access to endpoint devices and users.
Cisco Wireless Control system
Cisco WCS provides a powerful foundation that allows network managers to design, control, and monitor the wireless network from a centralized location. Cisco WCS includes a robust, easy to use GUI that supports centralized RF prediction, policy provisioning, troubleshooting, user tracking, security monitoring, and wireless LAN systems management. Cisco WCS makes wireless LAN deployment and operations simple and cost-effective.
Cisco WCS also supports real-time spectrum intelligence to detect, classify, and locate devices that are causing RF interference. Quick detection of interfering devices improves network performance, coverage and security.
Benefits
- Cost
With the centralized management, the total cost of ownership will be lowered although the initial cost is high. With the simplified management mechanism via GUI technical, training and operational costs also get reduced.
- Security
It provides Real-time detecting, locating and containing of unauthorized access points and client devices.
- Performance
Robust coverage with 802.11a/b/g and unprecedented reliability using 802.11n. The system is able to extend the connectivity to hard-to-wire locations via wireless meshes. With the spectrum intelligence feature, system can automatically detect overlaps and interferences.
Migration Procedure
Step 1:
All the isolated access points should be replaced with Cisco based products. Its recommended to replace with the Cisco Aironet 1250 Series access point to enjoy the enhanced reliability, throughput, and predictability of 802.11n.
Step 2:
Add one or more Cisco wireless LAN controllers to the network.
Step 3:
Transition your wireless LAN management system to the unified architecture by adding the Cisco Wireless Control System (WCS).
Step 4:
Adapting mobility services for the Cisco unified wireless system.
Step 5:
Adapting wireless security enhancements to for the Cisco unified wireless system.
Nortel Wireless Solutions
Nortel Inc. also provides a unified wireless solution which satisfies the above given requirements. Nortel WLAN 800 is a parallel wireless solution as Cisco WCS based system which provides both controller-based wireless experience and IPv6 support in the related products. Nortel WLAN controller combines the functionalities in both Cisco LAN controller and WCS.
3RD Generation WiFi – Carrier Class Secure Mobility
This section describes one of the research areas which related to wireless networking and IPv6. Purpose of this part is to get some idea about the current trends and future of wireless networking in the IPv6 world
Today IPv6 and Wi-Fi is unified to provide a new and enhanced experience to the user. With the introduction of IPv6, various improvements and fresh features have been added to the IP layer functions. Autoconfiguration, network level security and enhanced mobility in IPv6 being u
One of the major features of 3rd generation Wi-Fi network is intelligent access points are able to discover adjacent nodes and dynamically determine their optimal routing topology. Apart from that the 3rd generation network is able to dynamically provision wireless trunks to adjacent nodes in order to improve load balancing and redundancy.
When IPv6 features like stateless node discovery are embedded into 3rd generation access points, adjacent clusters of access points can autonomously determine their optimal connectivity, load balancing and redundancy scheme without any operator configuration.
In the arena of wireless security, WEP is getting obsolete. WEP protocol transmitted the key along with every packet enabling simple monitoring programs like Air Snort to de-encrypt user traffic by breaking the relatively short key. This issue has been addressed with AES within the 802.11i standard. AES also having a problem of not providing a network level security. That’s where IPv6 comes in to the picture. By combining AES 802.11i with IPv6 layer 3 security it will enhance the security to the network level by providing trusted end to end connectivity between mobile users.
The third important component of how v6 is able to facilitate a 3rd generation Wi-Fi solution is through enabling seamless mobility for users. This feature has the benefit of enabling adjacent access points to maintain sessions by switching traffic amongst themselves without the need of a separate switch. By enhancing embedded VLAN switching in access points with v6 we are able to extend the benefits of local mobility to a network level by Mobile IPv6. MIPv6 enables the seamless of IP sessions so that users can travel from their home to their office to a hot spot without having to restart an application.
Summary
1. Intelligent access points leverage v6 stateless node discovery to determine the local topology and work in conjunction with other access points to define the best connectivity, load balancing and redundancy plan.
2. Users can now authenticate themselves using 802.11i to set up a secure link to their local access point which in turn contacts an AAA server to verify accessibility.
3. Once authenticated, the access point contacts the home agent for the user with their new care of address. This enables the user to re-join active IP sessions that he may have been previously using.
4. As users roam within a local cluster of access points VLAN switching is used to maintain connectivity across wired and wireless trunks.
5. For users who move outside an access point cluster into a new group, Mobile IPv6 re-establishes active sessions without the need for application re-starts.
A customized and well improved version 3rd generation Wi-Fi will not be available for a long time. It’s still under research level and relevant protocols are not yet developed.
© 2012 Prasanna Marlin