WirelessMoves

Ever since I set up an Owncloud server at home, I've made my peace with cloud services, as my home has become my cloud and my data is where it belongs: With me, and with me only. While my personal needs for cloud services mainly focus on file sharing and calendar/address book synchronization there is a much wider spectrum of cloud applications that companies could benefit from such as secure communication with customers, project management and team interaction. And this is where Protonet comes in with their small on-site servers and cloud applications. I seldom plug companies and products on this blog but in this case I felt I had to make an exception. Even though their software doesn't seem to be open source their product makes the Internet and private data again what I think they should be: Decentralized and in the hands of those who own it. Best of luck to this startup, I wish you raving success! (via Heise news)

This is Protonet! from Protonet on Vimeo.

Two years ago I would not have speculated about UMTS being abandoned anytime soon. LTE was still relatively new and in Europe, UMTS was the main air interface technology for high speed mobile Internet access. But things have changed rapidly and LTE has taken over that role by storm. Today, most high-end and even mid-range smartphones come with LTE support and in many countries, LTE is deployed in a large coverage area and with bandwidths far surpassing UMTS. UMTS might still have the coverage edge for now but in some countries LTE is available in many rural areas where UMTS is not due to it's use of the 800 MHz digital dividend frequency band. All of this makes me wonder if the many new UMTS features that were standardized in 3GPP Release 8 to 12 will ever be used in live networks!?

Those that I can think of that would provide some value for example are a faster high speed uplink beyond the two to four Mbit/s that can be observed today, putting the slow FACH on a common E-DCH and lots of other small enhancements on the protocol layer to make the system more efficient and to have more users active per base station simultaneously. But with LTE going strong I have my doubts if the time and effort will be spent. After all, network traffic shifts towards LTE and UMTS is rapidly becoming the fallback solution in the areas where LTE is not (yet) available and of course for simultaneous voice and data during CS-Fallback while VoLTE keeps having teething problems.

So I wouldn't be surprised if in another two years LTE coverage might have reached the same coverage level as UMTS and the GSM/UMTS-only legacy device pool has shrunken considerably. Perhaps even VoLTE has made it into the real world by then and can really serve as a circuit switched voice replacement. But VoLTE has been in the making for so long, so I'd say this is the big unknown but a must have for any strategy to ramp down UMTS, as falling back to GSM for a voice call and then not having Internet access during the call is just out of the question.

It doesn't happen very often but every now and then I need to upload a really big file to my Owncloud server. And by really big I mean > 1 GB. That's a bit of an issue as the default Owncloud settings limit the file size to around 500 MB. In the past I tried a couple of times to increase the file size limitation with mixed success. When I recently had a bit more time on my hands, however, I investigated a bit further and managed to push the file size limit on my NUC based Owncloud beyond the biggest file I had at hand, 1.6 GB. So here are the values I changed:

In /var/www/owncloud/.htaccess:

php_value upload_max_filesize 3000M
php_value post_max_size 3000M
php_value memory_limit 3000M

In /etc/php5/apache2/php.ini:

max_input_time = 360   –> default value was 60 seconds which is too short to upload large files
post_max_size = 3000M  (might be overridden by the value in .htaccess)
upload_max_filesize = 3000M (might be overridden by the value in .htaccess)

And that's it, after a 'sudo service apache2 restart' large file uploads work as they should. For further details see this post on the Owncloud forum.

 

If you are in the business of analyzing UMTS network traces for development, debugging or operational reasons and ever wondered how to find out if a speech call was established as wideband or narrowband or if the codec was changed at some point during the call, I've got an interesting tip for you today that I was recently shown myself: Have a look at the

nas-Synchronisation-Indicator

information element in the RadioBearerSetup or RadioBearerReconfiguration messages of a call. It's quite at the top of the message in RabInfo section so it can be found quickly and the 4 bits of the IE describe the speech codec the MSC wants the mobile device to use for the call:

Narrowband: 1010 –> UMTS AMR-WB (see 3GPP 26.103, Table 4.2)
Wideband:     0110 –> UMTS AMR2 (i.e. narrowband)

Apart from the table in 3GPP 36.103, TS 24.008 gives some more details:

The ME shall activate the codec type received in the NAS Synchronisation Indicator IE.

The NAS Synchronisation Indicator IE shall be coded as the 4 least significant bits of the selected codec type (CoID) defined in 3GPP TS 26.103 [83], subclause 6.3.

 

A few days ago the German infrastructure regulator (BNetzA) has published its yearly report for 2013. Like every year it contains very interesting information that give a lot of insight, especially when comparing the numbers to previous years. For the moment I've only seen the German version but at some point I'm sure there'll also be an English translation. Here are some of the noteworthy things described in more detail in the report:

Voice and SMS

• The volume of mobile originated voice calls has reached 100 billion minutes in 2013, up by one billion from the year before.

• The volume of fixed line calls continues to decline. A total of 169 billion minutes were recorded and out of that, international voice calls accounted for 14%. That's actually surprisingly high for me but shows that the time when nations in Europe were islands is long gone. What I didn't find in the report was the number of international voice minutes from mobile. Due to ridiculously high pricing it's perhaps not even measurable in the percentage range!?

• For the first time ever, the number of SMS messages sent has fallen. Quite significantly, actually, from 58.9 billion down to 37.9 billion. Quite a steep decline and perhaps similar to what we've seen in Spain a year earlier. WhatsApp and Co. are showing a rather sudden effect.

Data Traffic Volumes

• The report contains information about fixed and mobile data volume over the year. In fixed line networks, 8 billion GB (8 million TB) of IP traffic was transported (not counting the incumbent's IPTV offer, see page 75 in the report). That amounts to an average of 22 GB per household per month. The 8 billion GB of 2013 compare to 4.3 billion GB in 2012 and 3.7 billion GB in 2011. Quite an incredible and sudden increase compared to the previous years.

• On the mobile side, 267 million GB (=0.267 billion GB) were transferred, i.e. only 1/30 of the fixed line data volume. The YoY rise was 70% and thus the rise was higher than the 56% and 53% in the previous two years. I wonder how much that has to do with network operators offering LTE as fixed line alternative in rural areas where ADSL is not available.

Revenues, Employment and Investment

• Revenues: There's been a slight decline, about 50/50 share between fixed and wireless in the order of 25 billion Euros each in 2013.

• Number of employees in the telecom sector: The downward trend continues, down by 3000 to 170.000 (compared to 230.000 ten years ago).

• Infrastructure Investments: 6.4 billion Euros, about the same as in the previous 5 years and somewhat less than the 7.1 and 7.2 billion Euros that were spend in 2007 and 2008. Keep this in mind next time you hear a telecom exec complain about rising or neck breaking investment costs.

 

After recently reporting about the current state of LTE carrier aggregation the technology circus has moved on again and hype is building up aground aggregating 3 component carriers in three different bands. Here's a report over at Lightreading that SK Telecom in Korea is undertaking first preparations on the network side for aggregating spectrum in three different bands (800 MHz (band ?), 1800 MHz (band 3), 2100 MHz (probably band 1)) for a total bandwidth of 40 MHz.

As there are only few devices and networks out in the wild so far that bundle two component carriers (such as AT&T aggregating 10 MHz and 5 MHz in two different bands) I don't expect to see devices soon that support reception on three different bands simultaneously.But in any case an interesting development to see. Apart from a higher theoretical maximum throughput, 3 band carrier aggregation with such diverse bands cold potentially bring interesting benefits in scenarios where a user frequently moves indoors and outdoors and thus is sometimes better served on a higher or on a lower band. Sure, inter-frequency handovers can also do the trick, but perhaps there's an advantage with carrier aggregation as fewer break and make handovers are required.

Cloud Services operated from home such as Owncloud for calendar and address book synchronization, filesharing, simultaneous work on documents, etc. are a great way to keep control over one's own private data. To say I'm a fan of Owncloud is an understatement. To me, having an Owncloud server at home has been an incredible enabler as I never wanted my private data to be stored, analyzed and exploited by Internet based companies.

While Owncloud is easy to use, it's unfortunately far from straight forward to install and maintain for the average person. A typical Owncloud installation at home requires the knowledge how to install Owncloud on a server, how to activate port forwarding in the DSL or cable router, how to register and configure a dynamic domain name and how to register and install an SSL certificate. Furthermore, it is not uncommon anymore that Internet service providers do not issue public IPv4 addresses to their customers anymore which requires additional measures to gain access to the Owncloud server at home from the Internet. As a consequence, people without technical background are excluded from its use.

To enable a broad audience to use an Owncloud server at home to regain control over their private data, the installation and maintenance of Owncloud must become much simpler. Over the past year I've thought a lot about this and have put together and tested the building blocks that are required to make installation and maintenance so straight forward that an average smartphone and PC user can finally have his own cloud server at home. Be warned, this is going to be a long blog post as I want to lay out my thoughts in detail.

Non-technical people don't build a server and put it into their home, they need to be able to buy it off-the-shelf. In other words, a company needs to build and sell an Owncloud@Home (o@h) box and offer the 'under-the-hood' services required such as getting a domain name, getting an SSL certificate, providing connectivity to the server at home from the outside, etc., in an as invisible  as possible way.

The Simple Order and Installation Procedure Overview

To appeal to the average non-technical user, obtaining the box and making it work it must be extremely simple, i.e. it must be no more complicated then the steps required when a user buys a new smartphone and registers for a Google/Apple/Microsoft account for the first time to use their cloud based services. Based on the building blocks I'll describe further below, the order process and installation scenario looks as follows:

• The user buys a ready to use o@h box.

• At home, installation is very simple: Connect the box to the DSL or cable router and power it up.

• The user accesses the web site of the o@h service company and types in the ID number that is printed on the o@h box.

• The user selects a domain name for the o@h box with which it will is accessible from home and from the Internet.

• The user is then forwarded to Paypal to authorize a monthly recurring fee for the services provided by the o@h company (such as domain registration, SSL certificate registration, tunneled access, data transfer charges and online backup, etc.)

• Once the payment process is finished, the o@h box setup is finalized and the web page displays a “ready” screen with a link to the user's o@h box. The link is also sent to the user by email.

• The user logs into his o@h server with an initial password that can also be found on the box.

• The installation process is finished and the user can use his Owncloud from the PC for himself and create additional accounts for family members if desired.

Cloud services are useful because they enable data sharing between the different devices of a user and for sharing data between different people. Therefore, it must also be very simple to configure smarpthones and tablets to securely connect to the o@h box. Here's how this could work, again based on the technical building blocks further described below:

The iPhone has native support for the protocols used by Owncloud for synchronizing calendars and address books. For Android, connector apps exist that add the functionality. Configuring the connectors is not difficult but not quite straight forward either and potentially simpler solutions for the Android platform could be created with little extra effort:

• The connector apps (for Android) could be extended to have a simpler configuration option by just typing in the code printed on the o@h box and in addition the username and password of the account.

As initial configuration of other services also require a similar number of well known and simple identifiers to be entered, most users today should be comfortable with this simplified approach.

The Technical Details

To ensure privacy and confidentiality the following conditions must be met by the o@h box:

• The fully open source Owncloud software running on Linux is used as the core of the solution.

• While the o@h box is commercially built and distributed by a company, all software on the box itself is open source, the user has full control and can even wipe the device and install other software. This way it is possible at any time to verify that no backdoors have been put in by the company offering the o@h box.

• The company's primary source of income to fund the work around the service is not primarily the hardware sale. Instead, the primary income comes from the service that is offered such as domain name registration, SSL certificate registration and services around secure off-site backups (e.g. encrypted backup and restore via Amazon Glacier or similar services).

• Encryption keys are never shared with the service provider and are under full control of the user.

Having said all of this it's now time to have a closer look at how all of this can be put into practice.

Start of the Installation Process

When an uninitialized o@h box is connected to the network it establishes an encrypted connection to the provisioning server on the Internet of the o@h service company and sends an identification number (ID). This ID is the same as the ID printed on the box. This gives the service company a channel to the user's o@h box to download all required configuration information once the user has selected a domain name and has provided payment details as described above.

When the user accesses the installation web page of the service provider and has typed in the ID, the service will check if it currently has a connection to a box with the same ID. This way the service can validate that the user has typed in the correct ID. A sufficiently long and random ID further ensures that only the physical owner of the box can bring it into service. Figure one one the left shows this setup.

Selection and Allocation of a Domain Name

Being able to access the o@h box from the Internet is key as mobile devices must be able to synchronize their calendars, address books and files from anywhere at anytime. To meet this goal, the box at home must be reachable from the Internet via a domain name that the user selects during the installation process via the web page of the o@h service provider company. The service provider company must either be a domain registrar himself or have an automated interface to a third party domain registar service. Whether the domain is bound to a fixed IP address or whether this binding can be updated by the o@h box later-on in case a dynamic IP address is used depends on the connectivity implementation that is further described below.

Creation of an SSL certificate

For confidentially and privacy reasons, all data exchange between the user's devices and the o@h box at home must use a secure http connection (https). This requires that the o@h box can provide a valid SSL certificate to a web browser and other applications such address book and calender synchronization software on mobile devices that has been signed by a trusted certificate authority.  Creating an SSL certification during the installation process without involving the user works as follows:

Once the user has selected a domain name and has entered payment information, the domain name is registered. The domain name is then sent to the o@h box over the connection that exists to the commissioning server as described above. The box then automatically generates an SSL certificate for that domain and returns the public key to the commissioning server. If the service provider is an authorized certificate authority, the SSL certificate can be created locally.

If a 3rd party SSL certificate authority is used, the certificate signing request containing the public key is forwarded over an automated interface. To get a basic SSL certificate for a domain name, the certificate authority usually validates the request by sending an email to the email address that is part of the domain name record in the DNS server. The email contains a URL that has to be accessed for validation. For automated processing that does not involve the user, the email address in the domain name record in the DNS server for the domain of the o@h box must point to an email account the service provider has access to.

Once the certificate is generated, it is sent to the o@h box over the connection that exists to the commissioning server. The box then installs the keys and the certificate and restarts its internal web server.

It's important to note at this point that the private key never leaves the o@h box. As a consequence, no information is handled by the service company that could be used later on to decrypt user traffic over an https connection that is secured with the generated SSL certificate lateron.  For details see here and here.

Creation of Port Forwarding to make the o@h box accessible from the Internet

A major hurdle for the average user is to enable access to a server at home from the Internet. Typically, DSL and cable routers provide private IP addresses for the home network which are mapped to a single IP address that is visible to the outside. This is called Network Address Translation (NAT). One of the benefits, which is at the same time a major shortcoming for the o@h box at home, is that NAT only allows traffic flows that are established from the home network. Traffic arriving at the DSL or cable router that has not originated from the home network such as a connection establishment request from a mobile device that wants to synchronize the address book is blocked. This because the NAT service does not know to which internal device to forward the incoming connection request. Most DSL and cable routers today allow the creation of rules to enable such a service via their web interface. The way this is done is not standardized, however, and typically beyond the capabilities of non-technical users. There are a number of possibilities to solve this issue without requiring interaction with the user:

Alternative 1: Many Internet Service Providers (ISPs) deliver DSL and cable modems with Universal Plug and Play (UPnP) capability. UPnP enables services running on devices in the home network, among other things, to create port forwarding rules in the gateway without interaction with the user. Skype, for example, uses this port forwarding feature for direct client to client communication. Security experts recommend to disable UPnP in home routers but if activated the o@h box could make use of it.

Alternative 2: If the o@h service provider is also the user's ISP, the DSL and cable router could be configured to forward a selected incoming TCP port to the o@h box. This could be preconfigured or the router configuration could be dynamically updated during the o@h installation process in case the o@h service provider has maintenance access to the deployed DSL or cable router.

Alternative 3: In many cases, the previously discussed alternatives are not an option. This is especially the case when the Internet service provider does not assign a public IPv4 address to the user and uses a second NAT gateway at the border of his network to the Internet. This in effect prevents any externally initiated communication to the user's home network without exception.

An easy solution in this scenario is to establish an SSH tunnel to an external server over which the web server tcp port of the o@h box is tunneled. The domain name of the o@h box that was registered as described above is the linked to the public IP address of the server on the Internet. All connection requests to a specific tcp port on that server are then transparently forwarded over the SSH tunnel to the o@h box at home. An end to end secure https (HTTPS) connection is used between a client device and the o@h box at home so the server on the Internet that tunnels the connection back to the home network of the user only sees encrypted data packets it can't decode. This way confidentiality and privacy is assured. This scenario is shown in the second figure.

An o@h service provider without network infrastructure could use virtual servers offered by cloud based companies. An example is the Amazon EC2 service. By mapping o@h boxes of different users to different tcp ports, a single virtual server can become the end point for hundreds and perhaps even thousands of o@h boxes. In such a scenario the number of endpoints that can be provided by a single server is limited by the number of tcp ports (65535), network capacity the virtual server has available and processing power. While the user's data would in fact traverse a could based network center in this solution, all data is encrypted and can thus not be decrypted there or anywhere else in transit.

Creating an SSH tunnel to a virtual server on the Internet and then forwarding HTTPS traffic through it to a box in the home network might sound complicated at first. In practice, however, I was surprised how easy it was to set up. I haven't blogged about this before but there'll be a follow up post that describes of how to do this.

The main disadvantage of this approach is that when a user is at home and exchanges data with his o@h box at home, it is sent via his DSL or cable link to the external server and from there back to his o@h box at home over the SSH tunnel. For synchronization of calender and address books this is of little consequence as the amount of data transferred is very small. If the user wants to store large files on the o@h box, however, performance is only acceptable if the uplink speed of the DSL or cable connection is high enough. This is usually the case if the user's home network is connected to the Internet via VDSL, cable or fiber.

Automatic Software Updates

Another important requirement when running a cloud service at home is that the software is kept up to date to prevent the user from becoming a victim of security issues that are often exploited quickly. The o@h box should thus be able to check if an update is available and update itself without user interaction. The Owncloud service has an automated process for this that must at this point, however, still be triggered by the user. Other cloud services such as WordPress have fully automated this process and thus show that a similar fully automatic service can also be created for Owncloud, either by the Owncloud communality itself or as part of the overall software solution of the o@h service provider.

Backup and Restore Service

One thing non-technical users usually do not think about is how to back-up their data until it is too late. The o@h box should therefore come with a built in service to regularly backup an encrypted copy of all data stored on the box to data storage on the web. If a strong encryption algorithm and key is used, which remains only in the hands of the user, this can be done in an automated and secure way. If the o@h service provider does not have a backup solution of his own, cloud based services such as Amazon's Glacier service could be used. Should the o@h box fail, the user could then restore his data from the web by providing the ID of the new box and the ID of the old box to the service provider via a web interface. The domain name would then be linked to the new box and a new SSL certificate can be generated as described above. The user can then access his new box and restore his data from the backup in the network by supplying the backup key to his new o@h box and not to the service provider. This ensures that only the user has access to his data.

Summary

This must have been the longest post I ever had on my blog. But this is a topic I strongly care about and I wanted to show that all the building blocks exist to home-cloud enable everyone and not only technically savvy users. I'm looking forward to see how this develops. As always, let me know what you think.