Okay. Welcome, everyone, to one of the last sessions on the last day of this summit. Today I'm going to present another Magma-related topic, but this one is a little bit different. It basically tells you how to build an inexpensive carrier Wi-Fi network on your laptop with Magma. For most deployments you need servers, you need infrastructure. But I got inspired by my company, Mirantis, which deployed carrier Wi-Fi for a customer, and I decided to do the same, just on my laptop. My name is Wojciech Navrot. I have worked for Mirantis for four years. I'm currently a network architect; I used to be a network engineer, and I work on Magma partially outside of my working hours, as a hobbyist topic. I'm happy and proud that I can share it with you today.

The background: what is carrier Wi-Fi? It's the deployment of a big number of Wi-Fi access points by a mobile operator in dense geographic areas to decongest the LTE network, right? The subscriber authenticates with the USIM card, the same USIM card used for LTE, and the user doesn't have to provide a password to connect to the network, right?

What is the purpose of this lab? First of all, you've got lots of terms, lots of technologies, lots of protocols, and I wanted to learn all of them, because I didn't have a clue about Diameter or IP-CAN, about 3GPP recommendations, PCRF, and so on and so forth. I wanted to understand it and to learn how the services provided by my mobile operator work, how to define data plans, for instance, right? So all of this functionality is provided by my lab. That is not only the basic connectivity for the UE, for the mobile phone, but also the policies which basically disconnect the user equipment when a specific amount of data is consumed, or slow the user's internet down to two megabits per second, for instance, when the entire data allowance is consumed.
The challenges. Actually, everything was a challenge for me in the beginning. I needed to find a Wi-Fi access point which would be suitable for the lab. I needed something like enterprise class. I had a basic access point at home, which didn't support GRE tunneling or sophisticated authentication methods. So I did some research and found the Cisco access point on the internet; I'll show you later which one. Also, I initially bought some test USIM cards with preconfigured, burned-in confidential keys, but it turned out that these USIM cards used the XOR algorithm rather than Milenage, and authentication failed. So I needed to buy a USIM card reader and some blank USIMs, get to know which parameters are relevant, burn them into the USIM cards, and it took several weeks until I had it working.

The supplementary part of this talk is the documentation, which is available here. Just scan the QR code and you'll get 200 pages of documentation containing the guidelines: how to build the lab, how to interconnect the physical peripherals, how to configure services, how to configure data plans. It's basically a fully functional, production-like environment with all the elements. What is missing is an online charging system. I didn't find free software I could use for that in this lab, but I'm convinced that if I found something like that, I could make use of it. But this is not super critical for the lab.

Okay, the hardware. What do you need? First of all, the access point. This one, a Cisco Aironet 1140 series, is just fine for the lab. You can get it for less than 20 bucks on eBay; sometimes the power supply is even more expensive than the access point. What you usually have to do is perform a firmware upgrade, because most of the access points available on eBay are supplied as thin clients. You need a standalone client, which works without a wireless controller, right?
The other item you need to purchase is a USIM card reader and writer. This is absolutely a must, because you need to burn some confidential parameters into the USIM cards in order to make them work. The USIM cards are used only for authentication. I'm not deploying the LTE part in this lab, but EAP-AKA uses the USIM card for authenticating the subscriber, right? This device can be purchased on one of the Chinese portals for around 50 bucks, and five blank USIM cards are included. So you can define five different data plans, one for every single subscriber, right? And 70 bucks is what I spent on the hardware. The rest of the peripherals and devices are existing ones. I found some old Android and iOS phones.

Okay. Actually, the most expensive part you need, but probably already have, is a notebook. I used my MacBook Pro with 16 gigs of RAM and a quad-core processor, and it's just fine. This Mac has no built-in Ethernet port, so I needed two adapters. You need two Ethernet adapters, because with the first one you interconnect the access point, and the other one is the uplink to the internet. And this router is my home router. Actually, this one is a little bit advanced, but it can be any wired router with a configured DHCP server.

Of course, on top of the macOS operating system I'm running VirtualBox, Docker Desktop, Python, and Vagrant, right? On top of that we've got Magma, and its four components: orchestrator, network management system, federation gateway, and carrier Wi-Fi access gateway. The carrier Wi-Fi access gateway is specific to the carrier Wi-Fi setup; in the LTE EPC setup you've got the access gateway here, right? And one of the most important components in the lab is the PCRF component, the Policy and Charging Rules Function, where the data plans are sitting. I will show you later an example data plan I configured here, and I'll explain how it works.
I'm using a pretty old Magma commit, from around July 2021, because, well, I've been working on this lab for the last two years. This commit worked for me, and sometimes when I upgraded Magma, some functionality stopped working. So this one was stable for me, and I didn't touch it as it worked. Right?

And here we've got the high-level physical connectivity. It looks simple, really. One Ethernet port of the laptop is used for interconnecting the access point, while the other one is the uplink to the internet.

Okay. This is the entire setup, software and hardware, regarding the functions of the respective components. What we've got here: we've got the orchestrator as the control plane for Magma networks and gateways. It exposes a northbound REST API used for configuring networks and gateways and for getting metrics, and it's also equipped with a southbound interface used for configuring gateways, streaming configuration to gateways, and collecting metrics. The orchestrator acts as a relay between the carrier Wi-Fi access gateway and the federation gateway, so the connectivity between gateways passes through the orchestrator.

We've got the network management system, which is an optional component. It's not really needed for the lab, but it simplifies the admin's life, because it allows you to add some configuration items like networks and gateways through the graphical interface, and it also exposes metrics, events, and logs. It was discussed yesterday during the presentation on Magma as well, so I don't want to spend much time on it.

Gateways. The carrier Wi-Fi access gateway (CWAG). This is the Wi-Fi-specific component. It's the implementation of the PCEF. It has OVS, Open vSwitch, in it, which is connected to two interfaces of the CWAG VM, and there is a number of containerized services in it. So we've got the AAA service. This is the component which is used for UE authentication; it interacts with the access point. We've also got a RADIUS server, which is actually a part of the AAA service.
It's a separate service here, but they both interact with each other. We've got sessiond, the component responsible for management of the IP-CAN session; pipelined, which installs flows into OVS; and policydb, which stores static PCC rules.

The federation gateway. This is another VM. So actually we've got three VMs here: we've got the CWAG, the carrier Wi-Fi access gateway; the federation gateway, also placed in a VM; and free PCRF. The orchestrator and NMS are sitting directly in containers on top of the macOS operating system, right? The federation gateway is used as a proxy, as a relay between the gRPC and Diameter interfaces, SWx and Gx. SWx, a Diameter interface, interconnects the CWAG with the HSS, and the session proxy component here interconnects sessiond in the CWAG with the PCRF, the Policy and Charging Rules Function. We use mainly, actually only, VirtualBox networking to interconnect the components: VirtualBox NAT interfaces, a VirtualBox NAT network, and two bridged adapters. So all the required functionality is doable with VirtualBox. I got a new notebook from my company, which is a MacBook Pro M1, but unfortunately there is no VirtualBox release for this platform, so I'm still using my old Intel-based MacBook Pro.

This is more or less everything about the lab setup, so briefly, how it works, right? Okay, we've got the Android or iOS phone with the USIM card, with some confidential parameters burned into the USIM card, right? And this UE is configured with the Wi-Fi profile. So first of all, the UE joins the SSID configured here on this access point, let's say "magma". It gets associated, and after that it starts the EAP-AKA authentication process by exchanging EAP messages with the AAA server placed here. So on this radio layer we've got EAP over LAN, and here between the access point and the AAA service we've got EAP over RADIUS, right?
So EAP-AKA is an authentication method for mutual network and USIM authentication, meaning that the UE authenticates the network and the network authenticates the UE. During the authentication, both the UE and the AAA server make use of some confidential information, burned into the USIM card and configured on the HSS here, the home subscriber server. These are the so-called input parameters, which enter the Milenage algorithm and produce some output. This output is partially exchanged between the UE and the AAA server, and as a result we get successful or unsuccessful authentication. The AAA service performs a lookup into the HSS to check if the mobile phone is allowed to use that non-3GPP access method, which in our case is Wi-Fi. If this is explicitly allowed in the config file, the UE gets authenticated and authorized from the HSS. After that, a lookup into the PCRF takes place for the PCC rule and for the service units, right? So in general, from the PCRF the CWAG downloads the PCC rule, or the flows to be installed in the OVS data path, and the CWAG also gets the quota granted for the user.

So if the authorization from the PCRF is completed, right, the user is EAP associated and the UE starts the DHCP DORA process, meaning that here the radio transmission is protected, or encrypted, with AES, and through the GRE tunnel between the access point and the CWAG the DHCP messages are exchanged between the UE and the router here. When the IP address is obtained, the user starts sending and receiving data with the internet, and the data usage is periodically reported to the PCRF. If the entire data pack for the user is consumed within a validity period, like for instance one hour (this is the value I configured just for lab purposes), the UE gets disconnected, deauthenticated and disassociated from the access point.

I've got four data plans, different data plans for four USIM cards. Every data plan is different.
The first one is: if the user exceeds 100 megabytes in total within one hour, he gets automatically disconnected until the new validity period begins. The other data plan is: the user gets 200 megabytes for one week, and if this limit is reached, the internet slows down to two megabits per second, and this rate limit is done here on the CWAG. The packets are marked here in OVS, in Open vSwitch, and the rate limiting is realized on the physical interfaces with Linux tc.

Access point config essentials. For those who know Cisco, it looks familiar. What do we have here? Of course, we need to configure RADIUS. The RADIUS server is sitting inside the CWAG. Then we configure lists for authentication and accounting, and we point to the RADIUS server groups we configured over here. Then we go to the SSID configuration. All the traffic from the "magma" SSID is sent through the tunnel. The tunnel is configured here. It's a basic GRE tunnel with the source IP being the BVI interface of the access point and the destination IP being the carrier Wi-Fi access gateway IP address. The authentication is open and EAP, meaning that we've got null authentication: initially the UE accesses the access point without any authentication, and after that the EAP message exchange starts, right? And we use the EAP methods list configured over here. What we've also got is that the radio 0 interface I'm using, the 2.4 gigahertz interface, is encrypted with AES, and we place the SSID "magma" we configured here on the specific radio. A feature which is pretty desirable for the setup is RADIUS dynamic authorization. It's used for PoDs, packets of disconnect. If the CWAG decides to disconnect a user because the entire quota has been exhausted, the PoD RADIUS packet is sent to the access point, and the access point deauthenticates and disassociates the client.

Okay, Wi-Fi profiles. This is what you have to configure on the mobile phones in order to make them work with Magma.
Android is a piece of cake. You just go to the network settings, you add a new network, you specify the name, you configure the access point, and this security algorithm here: 802.1X EAP with AKA. Unfortunately, iOS is a little bit tricky, because you can't configure the EAP method directly from the user interface. What you need to do is create a profile. It's an XML file with some relevant parameters, and this profile must be saved, must be submitted somewhere, for instance to a drive like Dropbox or Google Drive, and it must be downloaded and installed from the iPhone. Here you've got the link. The link is also available in my documentation. If you ever decide to build the lab, you can use it as a reference.

Subscriber config. This is a pretty interesting part. This is related to USIM programming. I spent pretty much time trying to figure out which USIM parameters are relevant here. For EAP-AKA to work, you need to configure the IMSI, the subscriber key, the OP key, and also there is the AMF parameter. These aforementioned parameters must match at both sides: on the USIM card and in Magma, more precisely on the HSS. On the HSS side, the home subscriber server, you've got the HSS YAML file with the subscribers specified, where you have IMSI numbers and authentication keys, and you've also got the statement non-3GPP enabled, meaning that for this specific subscriber Wi-Fi access is allowed. If you change it to false, this subscriber would be rejected during the authentication process, because it would not be authorized by the HSS. Also, the OP code here must be configured. This is a global value for all subscribers, and you configure it through the orchestrator API. The AMF code here is a base64 value. It is 800 in hex. I didn't find this parameter in the software I use for programming the USIM card, but I believe this is the default value which is already burned into the USIM card, and I didn't have to change anything.
If you want to make sure that authentication will complete successfully, make sure that these parameters are configured exactly the same at both sides.

Data plans. Initially, I configured authentication, but the lab was not really spectacular, because I had an omnipresent rule allowing internet access for all subscribers, and actually I made it work: the user authenticated and could access the internet, but I couldn't make any policy decision, like any conditions, any conditional access. So I spent some time looking for free software I could use as the PCRF component. For those who don't know what it is: it's not a part of Magma. It's an external component used by mobile network operators for creating policies for subscribers. We've got the 100-megabytes-per-hour data plan defined in the PCRF, and in eight basic steps I'll show you how to configure this data plan. This data plan is: when the user connects to the "magma" SSID, the usage reporting starts, and if the entire 100 megabytes is consumed by the user, the user gets automatically disconnected, but after one hour the accumulator which accumulates the data usage is reset, and the subscriber can again access the network.

So, what do we need to do to configure such a data plan? Okay, we've got two interfaces offered by the free PCRF software. You can find more about the software in the documentation I'm providing, but what do you need to configure? First of all, you need to add the subscriber. You basically add the IMSI number and a description. That's the definition of the subscriber. Then you create a service. The service itself is another ID and description. It doesn't have any configuration. It's just a label used in the policy selection process, which I will show you on the next slide. Here in step three, we assign the service to the subscriber. In step four, we define the accumulator schema. What is the accumulator schema? It's actually a kind of schema for the accumulator, literally.
It defines some levels for the accumulator, for instance level "full". This is 1 and 8 zeros, which is 100 million bytes, which is 100 megabytes. This is exactly what we have here in the title. We've got the reset period. This is the period of time for which the accumulator is valid, and after which the accumulator is reset. Then we create the accumulator itself. Again, it has just an ID, and it has a reference to the accumulator schema. When we have configured these two items, four and five, we assign the accumulator to the subscriber. All these configuration items can be observed here in a mini CRM. That's another graphical interface from the free PCRF. You can see here the subscriber itself, defined by the IMSI number. Then we have the accumulator. We can see the validity period, 7:54 up to 8:54, meaning that it's valid for one hour and it resets every single hour. We've got the value. If we connect to the Magma Wi-Fi network, we can see that the value gets increased every couple of seconds. If the value here reaches the level "full", 100 megabytes, I'll show you what happens on the next slide.

Okay, the previous configuration items were configured using the CLI and basic API calls. These steps are more complex than the previous steps, right? Because we've got two configuration files, the rules XML and the engine Lua. In the first file we configure the policy. This is what the policy contains. The policy contains the charging rule to be sent to the CWAG, to the carrier Wi-Fi access gateway, to the PCEF. It contains the name, the flows to be installed in OVS, and also the monitoring key, right? This is the basic definition for the policy and for the charging rule. Here is how the policy is enforced. We've got the Gx select policy function with some basic ifs, right? So first of all, we check if the service is active for a subscriber. We assigned this specific service to the subscriber, so this condition is met: this service is active for the subscriber. And then the function checks the accumulator level.
If it's full within the validity period, the IMSI, the subscriber, is rejected, meaning that the subscriber gets immediately disconnected. Or, if the subscriber tries to connect to the Magma network, this attempt will be rejected as well, right? In the other case, if the accumulator is not full, the policy we configured in step 7 is installed. That means that the PCC rule, the dynamic charging rule, is sent to the carrier Wi-Fi access gateway, the flows are installed, and the data usage for the charging rule is reported with this monitoring key. So this is more or less what the configuration of data plans looks like in the PCRF.

Magma in action. I really regret that I don't have enough time to provide a demo, because I would definitely need around one hour or even more. But there are a few verification steps you should perform to make sure that Magma is working. Actually, the moment of truth is here. If you get a "Magma connected" message on your mobile phone, that means that authentication and authorization from the HSS and the PCRF were successful. You can also verify this on the access point by issuing the "dot11 associations" command. You can observe the MAC address of the mobile phone, the IP address it obtained, the state (EAP associated, right?), the key management type, the encryption; actually there are lots of other parameters, but I truncated the output because it was not relevant. Also, this command is very useful on the carrier Wi-Fi access gateway, namely tcpdump with port 1812; it's the RADIUS port. The last message, Access-Accept, sent by the CWAG to the access point says that the authentication and authorization from the HSS and the PCRF were successful, right? And we've also got a nice tracing tool on the PCRF, which allows you to follow all possible messages between the federation gateway and the free PCRF VM. This is basically the Gx interface, the Gx Diameter interface, so all the CCR and CCA messages (initial, update, terminate) can be observed here.
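The data-plan logic described above (steps 4 to 8: an accumulator schema with a "full" level and a reset period, the charging rule with its flows and monitoring key, and the Gx policy selection that rejects the subscriber or installs the rule), as an added Python model. This is not the free PCRF engine Lua, the rules XML, or the speaker's configuration; the class and function names, plan labels, flow strings and IMSIs are assumptions constructed for this illustration, and the second plan also covers the 200 MB per week throttle to 2 Mbit/s from the talk.

```python
from dataclasses import dataclass
from typing import Optional

MB = 1_000_000          # the talk's "1 and 8 zeros": 100 MB = 100_000_000 bytes
HOUR, WEEK = 3600, 7 * 24 * 3600

@dataclass
class Accumulator:
    """Steps 4-5: schema (named levels in bytes, reset period in seconds) plus the counter."""
    levels: dict
    reset_period: int
    value: int = 0
    period_start: float = 0.0

    def _maybe_reset(self, now: float) -> None:
        # Validity period elapsed (7:54 -> 8:54 in the talk): start a fresh one at zero.
        if now - self.period_start >= self.reset_period:
            self.period_start += ((now - self.period_start) // self.reset_period) * self.reset_period
            self.value = 0

    def report_usage(self, octets: int, now: float) -> int:
        """Usage the PCEF reports for the monitoring key (Gx CCR-Update)."""
        self._maybe_reset(now)
        self.value += octets
        return self.value

    def level(self, now: float) -> Optional[str]:
        """Highest schema level reached, or None (the 'full' check in the engine Lua)."""
        self._maybe_reset(now)
        hit = [n for n, limit in self.levels.items() if self.value >= limit]
        return max(hit, key=self.levels.get) if hit else None

@dataclass
class ChargingRule:
    """Step 7: what the rules XML carries: name, flows for OVS, monitoring key."""
    name: str
    flows: list
    monitoring_key: str
    rate_limit_kbps: Optional[int] = None   # only set by the 'slow down to 2 Mbit/s' plan

@dataclass
class Subscriber:
    imsi: str               # constructed test-PLMN IMSIs are used in the examples
    service: str            # step 3: the service label assigned to the subscriber
    accumulator: Accumulator

# Constructed flow descriptions (IPFilterRule style); the real ones live in the rules XML.
ALLOW_ALL = ["permit out ip from any to any", "permit in ip from any to any"]
PLANS = {
    "plan_100mb_hour": {    # 100 MB per hour, then disconnect until the period resets
        "rule": ChargingRule("allow_all", ALLOW_ALL, "mk_100mb_hour"),
        "on_full": ("reject", None),
    },
    "plan_200mb_week": {    # 200 MB per week, then throttle to 2 Mbit/s (OVS mark + tc)
        "rule": ChargingRule("allow_all", ALLOW_ALL, "mk_200mb_week"),
        "on_full": ("install", ChargingRule("throttled", ALLOW_ALL, "mk_200mb_week", 2000)),
    },
}

def gx_select_policy(sub: Subscriber, plans: dict, now: float):
    """Step 8: the Gx select-policy decision: ('reject', None) or ('install', rule)."""
    plan = plans.get(sub.service)
    if plan is None:                            # service not active for this subscriber
        return ("reject", None)
    if sub.accumulator.level(now) == "full":
        return plan["on_full"]                  # plan-specific: disconnect or throttle
    return ("install", plan["rule"])

def run_session(sub: Subscriber, reports, plans=PLANS):
    """Replay (octets, seconds) usage reports; return (decision, rule name, kbps) per report."""
    out = []
    for octets, t in reports:
        sub.accumulator.report_usage(octets, t)
        decision, rule = gx_select_policy(sub, plans, t)
        out.append((decision, rule.name if rule else None, rule.rate_limit_kbps if rule else None))
    return out
```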
This is a very useful tool for tracking the communication, which allows you to debug all problems. Sometimes there is a loss of connectivity between the PCRF and Magma, the user cannot connect, and then from the packet tracer you can see that basically no CCR messages are reaching these components.

Okay, this is more or less it from my side. It was probably a little bit longer than it should be, but it really took me two years to make this lab work. I'm encouraging you to try to build the lab yourselves. Everything is documented. If you've got any questions, feel free to ask right now. Thank you.

Could you use the microphone, please, maybe? The one thing I don't really grok is the point of the lab. Is it so you understand how to build a carrier on a laptop?

On one hand, yes. On the other hand, I wanted to make a production-like environment just for a couple of bucks, not using emulators, UE emulators, or any kind of emulators. I wanted to make it work with real equipment, my mobile phone, so it really works. I can run a speed test, for instance, and observe that the internet slows down to two megabits per second if a specific threshold has been exceeded, for instance.

But there's no LTE in the picture at all?

No, there's not. I thought of LTE, and maybe it'll be the next step. But for me it was like, okay, the radio didn't matter. The eNodeB would cost around $500. Then I would need licensed spectrum for it. For Wi-Fi, I didn't need anything, actually. So that was also the reason for trying with Wi-Fi rather than LTE.

So it's a learning exercise.

Yes, it is.

And Magma is just an EPC, right?

Yes.

And do they have a 5GC as well?

What?

A 5GC, 5G core?

Magma, yes. I mean, okay. The CWAG, this is... the CWAG is actually focused... the CWAG is implemented in a separate gateway, the carrier Wi-Fi access gateway. The access gateway, the regular access gateway, which is being developed and maintained actively by Magma, is the implementation of the Evolved Packet Core, right?
Maybe as a next step, I'll try with the access gateway and LTE. But right now I need a break, because it took me a really long time.

I mean, it's an amazing amount of work.

It was just a lot of patience. Integration work. I just had to find some components and pull them together to make them work, right? And to use different protocols, debug lots and lots of problems, because, okay, there have been some bugs in the software, there was some misconfiguration.

It looks like a labor of love, right? I mean, you wanted to learn, right?

Yes, exactly.

That's very cool. Thank you.

Thank you.

So, first of all, that's great, really. I mean, I think you're the first one in the world who made this with open source. Until now, I don't know. I've been searching for projects like this for years now. And, like you said, there are demonstrators or simulators or anything, but the real thing you never could do. And I think this is the first time that someone was able to do the real thing, right, from end to end. And I think it's more than a demo, because actually this is something for rural areas, or areas where you can't put a big tower or something in there, but you probably have some connection in other ways. You can provide there a means of internet and things like that. So I think it's really good work. And wow, I'm really impressed. Congratulations for that. So no question, just saying this.

Thanks. There is no answer, actually. Okay, thank you.