16.09.03 / ITG / Page 1
Prof. Beat Stettler
Institute of Internet Technologies and Applications, University of Applied Sciences of Eastern Switzerland, Rapperswil
• Short Introduction to ITA-HSR
• Problem Domain
• Separation of many WLAN user groups in a very densely populated area
  – On Layer 1
  – On Layer 2
  – On Layer 3
• Unique wants to be able to offer its passengers, handling agents, SR Technics, SwissPort and Carcologics, tenants and employees a highly available and, as far as possible, area-wide WLAN 802.11b (or possibly already 802.11g) service
• The solution must be flexible enough that the following services can be offered (partly in parallel)
  – Internet for passengers (indoor: Terminal A, B, Midfield etc.)
  – Intranet access for the airport companies named above (mainly outdoor)
  – If possible, IP telephony for SwissPort
• A clean separation of the different user domains (passengers/ISP, tenants, Unique) must be achievable
  – Security
  – Mutual interference (Quality of Service)
1. Complete signal coverage of all in- and outdoor areas
   - Gates, terminals, lounges etc.
   - Airplane parking lots, maintenance areas (hangars etc.), driving lanes, tunnels etc.
   - Special end systems (handheld scanners, IP phones, laptops in cockpits etc.)
2. Complete and secure separation of passengers surfing the Internet and airport staff using the WLAN for their operations.
3. Ability to choose Internet access from more than one ISP (regulation issue)
• Ability to work everywhere:
  – Under and behind airplanes
  – Under the terminal buildings
  – On the entire airfield
• "Leader desks" for the maintenance staff in hangars
• Swissport vehicles
• Equipped with laptops, printers etc.
• Response-time-critical terminal applications
• Seamless roaming at up to 60 km/h
• IP dataphones for various applications
• Barcode scanners to track baggage and containers
• Gate Gourmet trolleys
• Voice-over-IP
• Electronic cabin log (laptop on long-distance airplanes)
Requirements:
• WLAN for passengers: Internet access through various providers
• WLAN for outdoor operations: aviation handling, catering etc.
• WLAN for third parties: shops, post, Skymetro
-> How can these networks be securely separated from each other (logically or physically)?
-> What security measures are necessary?
-> How is it possible to protect mission-critical applications from other users and abusers (Quality of Service)?
1. Separation on the physical layer
• Each user group installs its own equipment (access points, LANs, gateways etc.)
• Each user group uses its own SSID and security measures
• Negative interference must be prevented by careful frequency planning and by using micro-cells
• How many independent access points can be operated on the given frequency band?
[Figure: 2.4 GHz channel layout. Channels (Kanal) 1 to 13, centred from 2412 MHz to 2472 MHz, each channel 22 MHz wide.]
• According to the 802.11 standard there is room for (only) three independent WLAN access points (e.g. by using channels 1, 6 and 11).
• However, three channels are (by far) not enough
• What happens if you try to use more than three channels?
• Impact on data throughput
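The three-channel limit can be checked mechanically. The following is an added example, not from the original slides: it models the channel layout shown above (channel n centred at 2412 + 5·(n−1) MHz, 22 MHz wide, channels 1 to 13 as stated on the slide) and reports which channels in a frequency plan overlap.

```python
# Added example: overlap check for an 802.11b/g (2.4 GHz) frequency plan.
# Assumes the layout on the slide: channels 1..13, centres 2412..2472 MHz
# in 5 MHz steps, 22 MHz channel width.
from itertools import combinations

CHANNEL_WIDTH_MHZ = 22
FIRST_CENTER_MHZ = 2412
CHANNEL_SPACING_MHZ = 5
HIGHEST_CHANNEL = 13


def center_frequency(channel):
    """Centre frequency (MHz) of channel 1..13."""
    if not 1 <= channel <= HIGHEST_CHANNEL:
        raise ValueError(f"channel {channel} outside 1..{HIGHEST_CHANNEL}")
    return FIRST_CENTER_MHZ + CHANNEL_SPACING_MHZ * (channel - 1)


def channels_overlap(a, b):
    """Two 22 MHz wide channels overlap when their centres are closer than
    22 MHz, i.e. fewer than five channel numbers apart."""
    return abs(center_frequency(a) - center_frequency(b)) < CHANNEL_WIDTH_MHZ


def check_plan(channels):
    """Overlapping (a, b) pairs in a plan; an empty list means the plan is clean."""
    return [(a, b) for a, b in combinations(sorted(set(channels)), 2)
            if channels_overlap(a, b)]


def max_independent_aps(highest_channel=HIGHEST_CHANNEL):
    """Greedy count of mutually non-overlapping channels (1, 6, 11 -> 3)."""
    chosen = []
    for ch in range(1, highest_channel + 1):
        if all(not channels_overlap(ch, used) for used in chosen):
            chosen.append(ch)
    return len(chosen)


if __name__ == "__main__":
    print("clean plan 1/6/11:", check_plan([1, 6, 11]))
    print("four-AP plan 1/5/9/13 overlaps:", check_plan([1, 5, 9, 13]))
    print("independent APs in 2.4 GHz band:", max_independent_aps())
```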
Effects of channel separation
[Figure: bandwidth (BW, Mbps) plotted against channel distance 0 to 7.]
[Figure: flowchart of the send procedure. Start -> Is there new data to send? (no: keep waiting) -> Is the PHY available? (no: wait a random interval*) -> Send the data -> Did the ACK arrive within T-ACK? (no: send again; yes: done).]
When a station has data to send:
• Observe whether other stations are sending over the PHY. If the medium is unused the station begins to send; otherwise the transmission is delayed according to an exponential back-off.
• After sending the data, the station waits for a positive acknowledgement from the receiver (virtual collision detection). The absence of an acknowledgement indicates a packet loss, and the data packet has to be sent again.
Note: the interval a station waits for an acknowledgement (T-ACK) is critical for the use of WLAN over long distances.
* The random back-off is chosen in [0, CW], where CW increases exponentially at each attempt until CW_max.
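The send loop and the back-off rule above, as an added example that is not part of the original slides. It replays the flowchart for one frame over constructed carrier-sense and ACK outcomes, grows CW exponentially to CW_max, and computes the round-trip air time that T-ACK must at least cover on a long link. CW_min = 31, CW_max = 1023 and a 20 µs slot are the 802.11b DSSS values; the retry limit and the input sequences are assumptions.

```python
# Added example: minimal model of the 802.11 send loop from the flowchart.
import random

CW_MIN = 31                   # 802.11b DSSS aCWmin
CW_MAX = 1023                 # 802.11b DSSS aCWmax
SLOT_TIME_US = 20             # 802.11b DSSS slot time
LIGHT_M_PER_US = 299.792458   # propagation speed, metres per microsecond


def next_cw(cw):
    """Grow the contention window after an unacknowledged attempt: 31, 63, ... 1023."""
    return min(2 * cw + 1, CW_MAX)


def round_trip_propagation_us(distance_m):
    """Air time for the data frame to reach the receiver plus the ACK to come back.
    T-ACK must cover at least this, which is why long links are critical."""
    return 2.0 * distance_m / LIGHT_M_PER_US


def send_frame(phy_idle, ack_arrived, retry_limit=7, rng=None):
    """Run the flowchart for one frame.
    phy_idle: constructed carrier-sense results (True = medium free), one per check.
    ack_arrived: constructed ACK outcomes, one per transmission attempt.
    Both default to True once exhausted. retry_limit is an assumption."""
    rng = rng or random.Random(0)
    phy, acks = iter(phy_idle), iter(ack_arrived)
    cw, cw_history, backoff_slots = CW_MIN, [CW_MIN], 0
    for attempt in range(1, retry_limit + 1):
        while not next(phy, True):
            # PHY busy: wait a random interval in [0, CW] slots, then sense again
            backoff_slots += rng.randint(0, cw)
        if next(acks, True):
            # positive acknowledgement: virtual collision detection succeeded
            return {"delivered": True, "attempts": attempt,
                    "cw_history": cw_history, "backoff_us": backoff_slots * SLOT_TIME_US}
        # no ACK before T-ACK expired: assume packet loss, widen CW, send again
        cw = next_cw(cw)
        cw_history.append(cw)
    return {"delivered": False, "attempts": retry_limit,
            "cw_history": cw_history, "backoff_us": backoff_slots * SLOT_TIME_US}


if __name__ == "__main__":
    print(send_frame([False, False, True], [False, True]))
    print("10 km round trip:", round(round_trip_propagation_us(10_000), 1), "us")
```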
[Figure: two access points AP1 and AP2 with overlapping coverage areas (Abdeckung AP1, Abdeckung AP2) and a client located in the overlap.]
Effects of channel separation
[Figure: bandwidth (Mbps, 0 to 4) plotted against channel separation 0 to 7.]
• Because many applications are mission-critical to Zurich Airport, it would be dangerous to run more than 3-4 WLAN access points in parallel
• If more than 4 parallel networks are needed
  – Quality of Service (e.g. for voice) cannot be guaranteed anymore
• Operating many parallel systems is very costly
  – N access points per cell
  – Multiplication of the LAN equipment needed
  – Usage-based billing not feasible anymore
  – Support and troubleshooting nearly impossible, since so many parties are involved
• Unique decided that a separation of users on layer 1 would only be acceptable where a geographical separation is also possible
• Windows are vapour-coated with a film of mercury (as a sun shield). Therefore electromagnetic signals are attenuated significantly (>20 dB)
• As a result, in- and outdoor areas can be designed independently of each other
• Separation of in- and outdoor use has therefore been implemented on a physical level
• Older terminal buildings do not attenuate signals enough
• Therefore signals cannot be prevented from entering/leaving the building
• Separation of user groups is therefore only possible on a logical level
2. Separation on Layer 2
– Use a single WLAN infrastructure and share it among all user groups
– Only 1 access point per cell (or more if additional bandwidth is needed)
– Separation of user groups by allocating unique (and hidden) SSIDs to closed user groups
[Figure: one infrastructure and one frequency plan (L1); Cisco access points with WEP / EAP configured per SSID (L2); VLANs "Unique", "SRTech" and "Internet" on the wired side (L3).]
• Nice solution to separate users on a single infrastructure
  – Individual security configurations per user group possible
  – VLANs to separate users on the fixed network side
• Disadvantages
  – Proprietary mechanisms
  – No Quality of Service, because the separation is only "virtual"
  – Concerns about running public and mission-critical traffic on the same infrastructure
• Unique decided to use this mechanism only to separate airport-associated companies (aviation handling, catering etc.) from each other in the outdoor area.
3. Separation on Layer 3
– Using a single WLAN and LAN infrastructure for all users
– Only 1 access point per cell (or more if additional bandwidth is needed)
– Separation of user groups by using secure authentication and IP routing policies
[Figure: one infrastructure and one frequency plan (L1); shared access points (L2); Layer 3 routing to Swisscom, Monzoon, Unique, the Unique portal and company X (Firma X) (L3).]
• Elegant solution to give surfing passengers a choice of Internet Service Provider
• Captive portal technology can be used to redirect passenger traffic to our portal
• Free information (and commercial ads) can be made available on the portal
• Private user groups can authenticate themselves and get routed to their VPN gateway
• However, all private and public traffic is using the same infrastructure
  – No hard Quality of Service possible
• Unique decided to use this separation technique in the gate areas only.
  – To give passengers the freedom to choose between various ISPs
  – To give Unique staff access to their intranet
[Figure: Layer 3 solution to give passengers the choice of various providers. Terminals A, B, E and Midfield connect to a multi-provider portal solution (from Wlan-Partner.com) and to the internal networks (staff, affiliated companies).]
• Outdoor WLAN operational since 1st of September 03
• Internet access for passengers operational since 1st of July 03
  – Swisscom Mobile
  – Monzoon
• More providers coming soon
• Similar solutions are in discussion at other airports
If you would like to know more, drop me an email at [email protected]