Wireless
RadSec, Securing RADIUS Message Exchange
With the ever-increasing use of mobile devices for data-rich activities, mobile networks have felt the burden of handling larger amounts of data. To gain relief, mobile operators have turned to offloading data onto Wi-Fi networks that are locally available—not only their own networks but Wi-Fi networks owned by their roaming partners. If the roaming partner’s Wi-Fi network is secured, then the subscriber’s credentials are exchanged between the roaming partner and the home operator, typically over the Internet. These credentials need to be secured while traversing the Internet, and the most common method is to use IPSec secure tunnels. Although IPSec secures and encrypts this critical information over the Internet, IPSec is not without issues and risks.
One issue is that the information is encrypted only from firewall to firewall, leaving the data unencrypted within both operator networks. In addition, setting up IPSec can be cumbersome because of the amount of work typically involved and the number of individuals, which can include the server administrator, network administrator, firewall administrator and security individuals. There’s also the issue of performing key exchanges and testing the connections; the entire process is repeated if either end of the connection needs to be altered, resulting in downtime.
A Solution to These Issues Is RADIUS Security (RadSec)
Although RadSec is still a draft specification within the IEEE (RadSec profile for RADIUS), it’s based on TLS RFC 6614 “Transport Layer Security (TLS) Encryption for RADIUS,” which enables the securing and encrypting of RADIUS messages between the RADIUS client and server. RadSec ensures that all RADIUS messages are secured and encrypted not only when they’re sent over the Internet but also when they’re deeper within each operator’s network, starting with the client and server. Because RadSec is based on TLS, the client and server are mutually authenticated at connection time, ensuring a trusted connection by chaining the certificates to a trusted Root Certificate. By using certificates, the revocation of certificates can be used to eliminate unauthorized connections. In addition, TLS offers encryption of the RADIUS exchange. Encrypting the exchange prevents the exposure of sensitive subscriber information at all points between client and server—within the roaming partner’s network, over the Internet and within the mobile operator’s network—making the entire path secure.
RadSec is flexible and scalable. With RadSec, the client or server IP addresses can be altered without having to reconfigure the secure tunnel settings, as is the case with IPSec. The number of peering clients and servers can also be increased as needed based on operational requirements—without requiring additional work to establish new secure tunnels. This flexibility contributes to RadSec’s scalability. With traditional secure tunnels, if additional roaming partnerships formed, firewalls need to be set up to support the new tunnels. With RadSec, at the most, firewall access control lists (ACLs) would need to be updated to allow traffic from and to the new partner; the same certificate can be used for all roaming partnership connections.
Based on the benefits of RadSec, CableLabs has led the work in Wireless Broadband Alliance (WBA) to introduce RadSec to the WBA Wireless Roaming intermediary eXchange (WRiX).
For more information about RadSec, please contact Luther Smith (l.smith@cablelabs.com).
