WO2018182604A1 - Wifi protected access 2 (wpa2) pass-through virtualization - Google Patents



Publication number
WO2018182604A1
Authority
WO
WIPO (PCT)
Prior art keywords
network
packet
data
cpe
pap
Application number
PCT/US2017/024956
Other languages
French (fr)
Inventor
Artur Zaks
Original Assignee
Intel Corporation
Application filed by Intel Corporation
Priority to PCT/US2017/024956 (WO2018182604A1)
Priority to US15/684,311 (US10555171B2)
Publication of WO2018182604A1
Priority to US16/235,000 (US10785683B2)


Classifications

    • H ELECTRICITY
        • H04 ELECTRIC COMMUNICATION TECHNIQUE
            • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
                • H04L 63/00 Network architectures or network communication protocols for network security
                    • H04L 63/04 ... for providing a confidential data exchange among entities communicating through data packet networks
                        • H04L 63/0428 ... wherein the data content is protected, e.g. by encrypting or encapsulating the payload
                    • H04L 63/06 ... for supporting key management in a packet data network
                    • H04L 63/08 ... for authentication of entities
                        • H04L 63/083 ... using passwords
                        • H04L 63/0876 ... based on the identity of the terminal or configuration, e.g. MAC address, hardware or software configuration or device fingerprint
                • H04L 9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
                    • H04L 9/14 ... using a plurality of keys or algorithms
            • H04W WIRELESS COMMUNICATION NETWORKS
                • H04W 12/00 Security arrangements; Authentication; Protecting privacy or anonymity
                    • H04W 12/04 Key management, e.g. using generic bootstrapping architecture [GBA]
                        • H04W 12/041 Key generation or derivation
                        • H04W 12/043 ... using a trusted network node as an anchor
                            • H04W 12/0433 Key management protocols
                    • H04W 12/06 Authentication
                        • H04W 12/062 Pre-authentication
                • H04W 76/00 Connection management
                    • H04W 76/10 Connection setup
                        • H04W 76/12 Setup of transport tunnels
                • H04W 84/00 Network topologies
                    • H04W 84/02 Hierarchically pre-organised networks, e.g. paging networks, cellular networks, WLAN [Wireless Local Area Network] or WLL [Wireless Local Loop]
                        • H04W 84/10 Small scale networks; Flat hierarchical networks
                            • H04W 84/12 WLAN [Wireless Local Area Networks]

Definitions

  • WiFi PROTECTED ACCESS 2 (WPA2) PASS-THROUGH VIRTUALIZATION
  • the present disclosure is in the field of security, and more specifically, pertains to a WiFi Protected Access 2 (WPA2) pass-through interface and techniques for virtualization related to the WPA2 pass-through.
  • Network Function Virtualization involves the replacement of physical network nodes with Virtual Network Functions (VNFs) implemented via Virtualization Resources (VRs) that perform the same function as the physical node, or the physical Access Point (pAP).
  • Community Wi-Fi service provides guest Internet access over residential gateways (GWs) (e.g., a customer premise equipment (CPE), an access point (AP) of a CPE, a residential Access Node, residential gateway (GW), or the like) for customers of a communication services provider (CoSP) when they are out of their home and within range of the residential gateway.
  • Community Wi-Fi is enabled as an additional Wi-Fi network, which can be on top of or in addition to other networks such as a residential home network for Internet access at the home, and which can be provisioned over the residential gateway by the CoSP or service provider (SP) network.
  • FIG. 1 is a diagram illustrating components of a network in accordance with one or more aspects or embodiments described herein.
  • FIG. 2 is a block diagram illustrating components, according to some example embodiments, able to read instructions from a machine-readable or computer-readable medium (e.g., a machine-readable storage medium) and perform any one or more of the methodologies discussed herein.
  • FIG. 3 is a block diagram of a network system that facilitates / enables operations in connection with virtualized network function (VNF) related networking components and WPA2 pass-through operations, according to various aspects or embodiments described herein.
  • FIG. 4 is a block diagram of a process flow for a SP network WPA2 pass-through according to various aspects described.
  • FIG. 5 is another network system that facilitates / enables operations in connection with VNF-related networking components and WPA2 pass-through operations for dynamic partition configuration, according to various aspects or embodiments described herein.
  • FIG. 6 is another block diagram of a process flow for a SP network WPA2 pass-through and associated partition configurations according to various aspects described.
  • FIG. 7 is another network system that facilitates / enables operations in connection with VNF-related networking components and WPA2 pass-through operations for dynamic partition configuration, according to various aspects or embodiments described herein.
  • FIG. 8 is an example network device, either as a UE or SP network device in accordance with aspects or embodiments herein.
  • FIG. 9 is a diagram illustrating components of a network in accordance with one or more aspects or embodiments described herein.
  • FIG. 10 illustrates an example data flow from a CPE perspective in accordance with one or more aspects or embodiments described herein.
  • FIG. 11 illustrates an example data flow from a SP network component perspective in accordance with one or more aspects or embodiments described herein.
  • FIG. 12 illustrates packets structures in accordance with one or more aspects or embodiments described herein.
  • FIG. 13 illustrates a control flow for an initiation sequence or association between the CPE and SP provider network in accordance with one or more aspects or embodiments described herein.
  • FIG. 14 illustrates a control flow for provisioning one or more parameters between the CPE and SP provider network in accordance with one or more aspects or embodiments described herein.
  • FIG. 15 illustrates a control flow for a client UE connection between the CPE and SP provider network in accordance with one or more aspects or embodiments described herein.
  • FIG. 16 illustrates a control flow for securing a client UE connection establishment between the CPE and SP provider network in accordance with one or more aspects or embodiments described herein.
  • FIG. 17 illustrates a control flow for a client UE disconnection between the CPE and SP provider network in accordance with one or more aspects or embodiments described herein.
  • FIG. 18 illustrates a control flow for a client UE disconnection between the CPE and SP provider network when a link there-between is no longer functional in accordance with one or more aspects or embodiments described herein.
  • FIG. 19 is a block diagram of a process flow for a SP network WPA2 pass-through according to various aspects described.
  • a component can be a processor, a process running on a processor, a controller, an object, an executable, a program, a storage device, and/or a computer with a processing device.
  • an application running on a server and the server can also be a component.
  • One or more components can reside within a process, and a component can be localized on one computer and/or distributed between two or more computers.
  • a set of elements or a set of other components can be described herein, in which the term "set" can be interpreted as "one or more."
  • these components can execute from various computer readable storage media having various data structures stored thereon such as with a module, for example.
  • the components can communicate via local and/or remote processes such as in accordance with a signal having one or more data packets (e.g., data from one component interacting with another component in a local system, distributed system, and/or across a network, such as, the Internet, a local area network, a wide area network, or similar network with other systems via the signal).
  • a component can be an apparatus with specific functionality provided by mechanical parts operated by electric or electronic circuitry, in which the electric or electronic circuitry can be operated by a software application or a firmware application executed by one or more processors.
  • the one or more processors can be internal or external to the apparatus and can execute at least a part of the software or firmware application.
  • a component can be an apparatus that provides specific functionality through electronic components without mechanical parts; the electronic components can include one or more processors therein to execute software and/or firmware that confer(s), at least in part, the functionality of the electronic components.
  • circuitry may refer to, be part of, or include an Application Specific Integrated Circuit (ASIC), an electronic circuit, a processor (shared, dedicated, or group), and/or memory (shared, dedicated, or group) that execute one or more software or firmware programs, a combinational logic circuit, and/or other suitable hardware components that provide the described functionality.
  • the circuitry may be implemented in, or functions associated with the circuitry may be implemented by, one or more software or firmware modules.
  • circuitry may include logic, at least partially operable in hardware.
  • Data traffic over a community Wi-Fi network can pass between mobile devices (or UEs) of a guest subscriber to an SP (e.g., a network provider of a cable, digital subscriber line (DSL), passive optic network (PON), or satellite network service) and to the SP network (a wide area network (WAN), or access to a WAN such as for an access to the Internet) via the community Wi-Fi pass-through, which means through or by the community Wi-Fi network at a home or residential gateway device (e.g., a customer premise equipment (CPE), physical AP, home / residential / business entity access node).
  • the residential gateway can transparently pass data traffic of the community Wi-Fi network from the UE / wireless client to the SP network device of an SP network by means of, via, through, or by the WPA2 pass-through.
  • the passage of data can be referred to as transparent in this case because the data traffic can be passed by the hosting wireless residential GW without modification, alteration, decryption or change by the associated home / residential GW to the SP network at an SP access point or virtual AP of the SP network, for example.
  • the data traffic can pass transparently through (or via) a secured WPA2 pass-through as a connection interface (or WPA2 pass-through interface) from the UE to the SP network without the residential GW (or CPE) device / component being enabled to change, decrypt or modify the data traffic of the community WiFi network.
  • the data traffic can be sent or received by the UE or by the SP network device of an SP network as authenticated, protected and secure, using a Wi-Fi protected access 2 (WPA2) security in a secure connection, as the WPA2 pass-through.
  • the clear-text or unsecured community Wi-Fi traffic can be tunneled and forwarded to the SP network over the WAN after an authenticated and secured connection is established with the residential GW.
  • this can represent a vulnerability where a hosting user (or owner) of the residential GW could tap into the community Wi-Fi traffic and spoof communications from a guest subscriber using a UE or client of the SP network with the residential GW as a Hotspot, for example, or a pass-point in accordance with Wi-Fi Alliance standards.
  • This vulnerability can be aggravated when a hosting home has a home network range extender connected to the residential GW over an Ethernet connection. In this case, the data traffic could be sent in clear text over the Ethernet to the home residential GW and become even easier to spoof, even after authentication or security protocols are established between the range extender and the UE, for example.
  • an apparatus or system (e.g., an SP network device / component of the SP network) can be configured to be employed in / with a service provider (SP) network device / component (e.g., a processing device of a network server / a rack server or the like network device) with one or more processors, coupled to a memory that includes instructions to execute operations of the one or more processors.
  • the SP network device, for example, can be configured to generate a WPA2 pass-through from the SP network to the UE or mobile device (user) without providing an opportunity for external breach or tampering at the range extender or the wireless residential GW at a home / entity hot spot or other CPE.
  • the SP network device can initiate (or instantiate) the WPA2 pass-through as an interface that tunnels or flows from the SP network, through the CPE, and to a UE, as an end-to-end interface between the UE and the SP network device.
  • the SP network device can receive, via the WPA2 pass-through, a set of traffic data from the UE, wherein the set of traffic data is unmodified by the CPE, unmodified referring to not being decrypted, changed, or initially altered by the CPE / residential GW.
  • the data traffic can be associated, in particular, with a community WiFi network of the CPE, which is separate from a residential network of the home or home owner that could be operational with other UEs at the wireless residential GW with a different basic service set identifier (BSSID) for example.
  • some aspects / embodiments disclosed herein are directed to particular data protocol details, data flows, how or when one or more VNFs are re-partitioned from the physical AP to a virtual AP, or left at the physical AP, and related functionality with respect to a data plane, a control plane, and related
  • FIG. 1 is a block diagram illustrating components of a system or network device 100, according to some example embodiments, able to read instructions from a machine-readable or computer-readable medium (e.g., a machine-readable storage medium) and perform any one or more of the functions, operations, processes or methodologies discussed herein.
  • One or more components of the system or device 100 can be employed or utilized with, in or as a part of a user equipment (UE) (e.g., a mobile device, wireless device, or the like), a service provider network device / component (e.g., a network access node, network orchestrator, network server, rack server, network controller / processor, network database, or the like), or a customer premise equipment (CPE) (e.g., a router, residential / entity GW, access node, AP, basestation, evolved NodeB (eNB), or the like).
  • FIG. 1 illustrates a diagrammatic representation of hardware resources 101 that can be configured for use within the network device or system 100 including one or more processors (or processor cores) 110, one or more memory/storage devices 110, and one or more communication resources 130, each of which can be communicatively coupled via a communication link (e.g., a bus 140) or other connection (e.g., an optical link, wireless connection, wired connection, or other like communication connection).
  • a hypervisor 102 can be executed to provide an execution environment for one or more network slices / sub-slices to utilize the hardware resources 101.
  • Such a hypervisor 102 can comprise a virtual machine monitor (VMM), which comprises computer software, firmware or hardware resources that create or execute virtual machines operating on a computer / processing device.
  • Virtualization can be referred to as the removal of a function from a device (e.g., a CPE) and assigning or relocating the function to another device on a network either as software, firmware, specialized hardware or a combination thereof on the SP network for performing the similar or same function instead.
  • the processors 110 can include, for example, a processor 112 and a processor 114.
  • the memory/storage devices 110 can include main memory, disk storage, or any combination thereof.
  • the communication resources 130 can include interconnection and/or network interface components or other suitable devices to communicate with one or more peripheral devices 104 or one or more databases 106 via a network 108.
  • the communication resources 130 can include wired communication components (e.g., for coupling via a Universal Serial Bus (USB)), cellular
  • Instructions 150 can comprise software, a program, an application, an applet, an app, or other executable code for causing at least any of the processors 110 to perform any one or more of the methodologies discussed herein.
  • the instructions 150 can reside, completely or partially, within at least one of the processors 110 (e.g., within the processor's cache memory), the memory/storage devices 110, or any suitable combination thereof. Furthermore, any portion of the instructions 150 can be
  • the memory of processors 110, the memory/storage devices 110, the peripheral devices 104, and the databases 106 are examples of computer-readable and machine-readable media.
  • techniques / processes described herein can be employed to create, delete, or determine threshold(s) or parameters (e.g., latency, power, load, etc.) in connection with a VNF related virtualization resource (VR) performance measurement (PM), or to generate a notification of a crossing of such threshold(s) by one or more related parameters (e.g., latency, power, load, or other related parameters of a Wi-Fi standard such as an IEEE standard, Wi-Fi Alliance standard, 3GPP, or other standard).
  • a WPA2 pass-through can be generated or enabled by an SP network device or SP network component with various components or elements as described herein.
  • the WPA2 pass-through can be a communication link, interface, tunnel or other connection that passes through the wireless residential GW or CPE to a UE or wireless subscriber device with WPA2 encryption security and as an end-to-end point connection, for example.
  • an SP network component e.g., the SP network device / component 200 of FIG. 2 of a service provider (e.g., a cable provider, DSL, PON or other network provider operable to provide a network or network service to a WAN / the Internet) can enable different / various home networks of a residential / entity GW or CPE, for example, including a community WiFi network with data traffic associated with a particular Basic Service Set (BSS) with layer 2 privacy through (via or by) the GW or CPE.
  • the networks configured at the CPE for example, can comprise different types / classes of networks enabling users access to the Internet.
  • These networks can be configured or enabled at the CPE (e.g., with a network router, range extender or other associated network devices / components in a home) and include networks such as a home access network (e.g., a personal area network (PAN)), a community Wi-Fi network that is managed by the SP (e.g., a hot spot (1.0 / 2.0) or passpoint with a wireless local area network (WLAN)), a local area network (LAN) or the like, in which each network can be associated with or correspond to a different BSSID, for example.
  • Each network for example, can comprise a pAP or a CPE (e.g., residential GW 240 of FIG.
  • SP network device 202 can enable or facilitate virtualization of the Wi-Fi AP or the pAP, in which virtualization can be performed by means of NFV, which can refer to or mean taking a function typically associated with the hardware residential GW, CPE or pAP and moving this functionality away from the hardware to another location (e.g., away from the residential GW to the SP network). This affords an advantage of being able to provide better security and broader usage for users.
  • an SP network device / component can virtualize the encryption for WPA2 security from the pAP to an SP network component of the SP network and enable the WPA2 pass-through to one or more UEs.
  • Each UE for example can be independently established with a connection / access at the home pAP as part of or independently with the SP network as a guest of the home pAP.
  • a home / residential network can be different from a community Wi-Fi network or hot spot at the pAP.
  • Both networks can be accessed by the UE, but the community WiFi network can be independently accessed from the pAP to the SP network over a secure WPA2 pass-through from the UE to the SP network, in which the SP network operates a WAN that can further access the Internet, for example, while the home network provides access from the home to the SP network and to the Internet, for example.
  • one or more SP network components can operate to partition or configure partitions as a partition configuration for NFV in a virtual access point (vAP) at the SP network from the pAP of the CPE.
  • Various partitions can include different functionalities or VNFs that operate in the CPE and are virtualized to a point in the SP network so this point or vAP controls, manages and takes over these functions, as will be described in more detail below.
  • FIG. 2 illustrates a block diagram of a network system 200 or network environment with an SP network device 202 that can facilitate / enable generation, management, processing or termination of a WPA2 pass-through with a VNF based vAP of a community Wi-Fi network as a virtual WPA2, according to various aspects described herein.
  • the SP network device 202 can be employed in connection with or comprise one or more of a network manager (NM), an element manager (EM), a virtual network function orchestrator (VNFO), a virtual network function manager (VNFM), a Virtualized Infrastructure Manager (VIM), a WiFi access point management (WAPM), a Radius Client, an authenticator, a Basic Service Set (BSS) management component, a Home Subscriber Server (HSS) / a Mobility Management Entity (MME) / a Serving GateWay (SGW) / a Packet Data Network (PDN) GateWay (PGW) / a Policy and Charging Rules Function (PCRF), which can be associated with a Third Generation Partnership Project (3GPP) standard, a WiFi Alliance standard, a European Telecommunication Standards Institute (ETSI) standard (such as the NFV Management and Orchestration (MANO) standard), or other such standard, for example.
  • an "instance", instantiating or an instantiation can refer to starting (initiating) or executing (running) a virtual machine that is capable of implementing a VNF such as a VNF related to establishing (generating) or managing (controlling) a WPA2 pass-through of an SP network 280 that extends from an SP network device / component of the SP network to a UE (e.g., a mobile phone, laptop, personal computer, personal digital assistant, or other wireless device capable of connection to the SP network or the Internet). Termination can refer to closing or stopping the execution of such a virtual machine / component.
  • System 200 can comprise the SP network device / component 202 that can operate to instantiate or generate a WPA2 pass-through that virtualizes the security (e.g., authentication and security / privacy) of the wireless residential GW 240.
  • the SP network device 202 can further enable an SP network that can provide WAN access (e.g., Internet access) to one or more subscribers / clients / client devices / UEs, for example.
  • the SP network device 202 can include one or more processors 210 (e.g., processors 112, 114 or other examples herein), communication circuitry 220 (which can facilitate communication of data via / by / through one or more reference points, networks, APs, nodes, etc., and can comprise communication resource(s) 130, etc., of FIG. 1), and memory 230 (which can comprise any of a variety of storage mediums and can store instructions and/or data associated with at least one of the one or more processors 210 or communication circuitry 220, and can comprise memory/storage device(s) and/or cache memory of processor(s) 210, etc.).
  • the one or more processors 210, the communication circuitry 220, and the memory 230 can be included in a single device, (e.g., the SP network device 202) being collocated or non-collocated, for example, while in other aspects, they can be included in different devices, such as part of a distributed network architecture / environment.
  • system 200 can enable the generation of a WPA2 pass-through 270 as an interface, tunnel or link between one or more UEs 250 and a vAP of an SP network component 202 of an SP network 280.
  • the vAP for example, can be an instantiated partition or proportion of resources located on the SP network 280 that is configured to perform one or more functions of the wireless residential GW / CPE 240 or a component thereof in lieu of or instead of the CPE 240.
  • the WPA2 pass-through 270 can virtualize the authentication or encryption that is associated with WPA2 security from the residential GW / CPE 240 to the SP network component 202, and further enable the WPA2 pass-through secure communications to one or more UEs through the residential GW 240 without modification of the associated data traffic by the wireless residential GW 240.
  • Wi-Fi Protected Access (WPA) and Wi-Fi Protected Access II (WPA2) are two security protocols and security certification programs developed by the Wi-Fi Alliance to secure wireless computer networks. The Wi-Fi Alliance and standard body defined these in response to serious weaknesses researchers had found in the previous system, Wired Equivalent Privacy (WEP).
• WPA2 became available in 2004 and can be a shorthand for the full IEEE 802.11i (or IEEE 802.11i-2004) standard.
  • WPA2 replaced WPA.
• WPA2, which demands testing and certification by the Wi-Fi Alliance, implements the mandatory elements of IEEE 802.11i. In particular, it includes mandatory support for Counter mode with cipher block chaining message authentication code (CBC-MAC) protocol (CCMP), an advanced encryption standard (AES)-based encryption mode with strong security.
  • a WPA2 pass-through 270 can be an interface or connection through or via the CPE 240 from the SP network to a UE detected by the CPE 240 that is a secure connection / tunnel based on WPA2 security.
  • the WPA2 pass-through can enable / manage an authentication or security protocol with the UE 250 based on a VNF of a physical access point (pAP) associated with the community WiFi network for a virtual access point (vAP) of the SP network 280 of the SP network device / component 202.
  • An access point can be a Service Access Point (SAP), which can be an identifying label for network endpoints used in Open Systems Interconnection (OSI) networking.
  • the SAP can be a conceptual / physical location at which one OSI layer can request the services of another OSI layer at different "endpoints".
• PD-SAP or PLME-SAP in IEEE 802.15.4 can be mentioned, where the Media Access
  • MAC Network Control
  • CONS connection- oriented network service
  • CLNS connection-mode network service
  • the base for constructing an address for a network element can be a network service access point (NSAP) address, similar in concept to an IP address.
  • OSI Application Layer protocols as well as Asynchronous Transfer Mode (ATM) can use Transport (TSAP), Session (SSAP) or Presentation (PSAP) Service Access Points to specify a destination address for a connection.
  • SAPs consist of NSAP addresses combined with optional transport, session and presentation selectors, which can differentiate at any of the three layers between multiple services at that layer provided by a network element.
  • a physical AP, or pAP can be established within a CPE, and be a part of the CPE/ GW 240, for example.
  • a VNF of a pAP associated with a community WiFi network can be a function that is associated normally with the physical AP (e.g., a physical SAP or physical location of an SAP / AP) and the community WiFi network (e.g., a hot spot network or passpoint), and further replaced or taken over in lieu thereof by another component; in one case, for example, this can be at the SP network 280 outside of the CPE 240 or home network environment, for example.
• authentication or initiation of an instance of a WPA2 pass-through or a partition can be associated with the community WiFi network over other networks that could be generated simultaneously or concurrently through the CPE 240.
  • a partition can be referred to as a process that divides network functions by a partition configuration between the CPE 240 and the SP network component 202 of an SP network 280.
  • a partition configuration of VNFs can be a division of functions between two components such as a pAP and a vAP, in which the vAP is associated with the functions of the pAP at a different location, such as on or a part of the SP network device / component 202 in the SP network 280.
• a server chip or processing device at a server or other network device of the SP network 280 can comprise operations, instructions or software associated with the function that is replacing or being re-located from the pAP and the associated community WiFi network.
  • the WPA2 pass-through 270 can enable / manage an authentication or security protocol with the UE 250 based on a VNF of a pAP associated with the community WiFi network for (e.g., the creation of) a vAP of the SP network 280 of the SP network device / component 202.
  • the vAP thus, can be a creation or instance of a set of functions that have been virtualized from the pAP in relation to a community WiFi network.
• the community WiFi network can be a hot spot, or other pass point or network configured to be enabled at the CPE 240 for guests, subscribers of the SP (e.g., Comcast), or the home with a UE 250 that recognizes the community WiFi network by a BSSID, for example, and initiates connection with it.
  • an authentication / security protocol can be exchanged without interference, tampering, modification or concern of breach by or through the CPE 240.
  • the residential GW or CPE 240 in conjunction with the SP network system 200 can operate to support different types of authentication of wireless clients 250, or authentication standard protocols that can dictate how the client / UE 250 or mobile phone connects to the community WiFi network and how it authenticates to the SP network 280.
• Wireless Internet Service Provider version 1.0, or WISPr 1.0 could be one such authentication protocol found in the airplane portal, or in public spaces when a public WiFi network without security could connect a UE 250 to the GW or CPE 240 according to one or more credentials (email, address, etc.) that could be similarly associated with an SP, for example, to further enable a WAN or Internet access based on browser-based login at a captive portal hotspot.
• Another example authentication protocol can be 802.1x or other IEEE standard 802.1, where a specific procedure / protocol with (e.g., .1x) can be with / without extensions such as EAP-TTLS, PEAP, EAP-SIM, EAP-AKA, for example, which are associated with different
• WPA2 pass-through operates to provide such security as an end-to-end connection through a CPE 240 without modification by the CPE 240, as such the WPA2 pass-through can be said to be transparent to the CPE 240.
  • the SP network component 202 can operate to virtualize authentication and encryption protocols over the WPA2 pass-through to ascertain one or more credentials to be filled in by the UE 250, or client by maintaining / controlling / operating functions that would otherwise be associated with the residential GW / CPE 240 at the SP network 280.
• the authentication protocols can include, for example, WISPr 1.0, or 802.1x protocol where a specific procedure / protocol with .1x can be with / without extensions such as EAP-TTLS, PEAP, EAP-SIM, EAP-AKA, for example.
  • the SP network component 202 can create a virtual network function for a pAP to form an instance of a vAP based on one or more VNFs, depending on the partition configuration.
  • a home gateway - the wireless residential GW - can be connected to the SP network 280 over a cable / digital subscriber line (DSL) / passive optical network (PON) 290 with the data traffic or packets flowing through a GRE tunnel to the Wireless Access GW 240.
• the UE 250 is then connected over a WiFi link 260 to the residential GW 240. Privacy can be ensured via WPA2 privacy on the wireless link 260 between the UE 250 and the residential GW device 240 or CPE.
  • the encryption key for such privacy would normally reside in the GW 240 (or in the AP) and in the UE devices 250.
• all the data traffic or packets can be encrypted using WPA2 or WISPr link, between the UE 250 and the GW 240.
  • opportunities for spoofing from the home can still exist within the connection between the CPE 240 or pAP, for example, and the SP network, in which the cable, DSL, PON or other connection is existing (as traffic data can be in clear text). This can be especially true where the CPE 240 includes a range extender. From the CPE, data can then be further encrypted over the broadband link / cable DSL / PON L2 privacy on a
  • the WPA2 pass-through 270 from end-to-end ensures such security all the way through the CPE to the SP network and ensures that modification, tampering or breach of privacy does not provide opportunity otherwise, in association with a community WiFi network.
  • the WPA2 pass-through 270 can be instantiated or generated by the SP network device 202 when there is a configuration at the CPE 240 where all the traffic for a specific network (e.g., community WiFi network) is passed transparently through the residential GW 240 without the residential GW 240 touching any of the bits on this traffic, and through the cable/ DSL/ PON access to the SP network 280 at one or more components / devices thereat (e.g. the SP network device 202).
  • Authentication or security protocol(s) can then be facilitated through the WPA2 pass-through 270 connection / interface.
  • An encryption key is then
• In FIG. 3, illustrated is another example of an SP network that can configure a WPA2 pass-through 270 in accordance with various aspects or embodiments described in this disclosure.
  • the WiFi access point as a pAP 302 of the CPE 240 can be configured to operate in the WPA2 pass-through mode where the WPA2 pass-through 270 is functionally active for a virtual community WiFi access point or vAP 340 of the SP network 280.
  • the pCPE control 320 can configure the CPE 240 to not interfere with data traffic associated particularly with a community Wi-Fi network and over or in conjunction with any home network or other LAN configuration the CPE 240 could also be configured to manage independently / separately alongside the community Wi-Fi network.
  • the CPE 240 simply passes data traffic associated with the community WiFi network along or through it on a WPA2 pass-through 270 communication interface, link or tunnel, for example.
  • a WiFi access port function including the functionality to derive one or more of these functions with an encryption key can be instantiated or moved from the pAP 302 to the SP network 280 to the vAP 340.
  • the vAP 340 could operate all functions partitioned from the pAP 302 and to the vAP 340 as part of communication through an access GW controller or pCPE controller 320 at the SP network 280.
  • the SP network 280 then can include therefore the access GW or pCPE control / controller 320, where, for example, the broadband from a home / residence / entity GW 240 can be connected.
• the connection from the pCPE control 320 to the CPE or residential GW 240 could be over top of cable, DSL or PON, wireless or other connection 290 as a communication link or as part of the WPA2 pass-through 270.
• Community WiFi Access GW or pCPE control 320 can be a component that controls communication and flow of the BSS related to the community WiFi network and links VNFs with a corresponding instance of one or more vAPs 340, in which the data traffic for an associated BSS for community WiFi flows through.
  • the pCPE control / controller 320 could control the authentication protocol flow through the WPA2 pass-through 270 from the vAP 340 that initiates the flow per one or more request / inquiry / decryption operations, as well enable actions / operations related to virtualizing the functions, such as VNFs, from the pAP 302 to an instance of the vAP 340 associated with a community WiFi network. These devices or components can remain in the SP network.
  • the manager component 310 and the orchestrator 330 can be a VNF orchestrator configured to enable virtualization of network functions from the CPE 240 based on a partition configuration of the VNFs.
  • the orchestrator 330 can be configured to facilitate / enable / control on-boarding of network services (NS) and VNF packages, NS lifecycle management, global resource management, validation and authorization of network functions virtualization
• the orchestrator 330 can be coupled to the manager 310 as well as the vAP (or virtualized network element) 340 as a VNF manager that oversees or controls lifecycle management of VNF instances;
  • the pCPE can operate also as a virtualized infrastructure manager (VIM) as an entryway or portal to the SP network 280 and the SP network device(s) or components 202, for example, to control and manage the NFVI compute, storage, or network resources, including the WPA2 pass-through and WPA2 protocol process flows.
  • a server system which manages or enables the SP network 280 can further operate to open an access for a specific user/ UE 250 (e.g., service set identifier (SSID)) of the SP network 280 to the internet or other WAN.
  • a remote office or enterprise network such as with a VPN can be a
  • a residential gateway is changed or configured to connect to the SP network 280 as an intranet of a business or other entity, such as to a corporate network or corporate IT system.
• disadvantages and potential security issues exist with the encryption, or the secured communication between the UE 250 laptop and the CPE or residential GW 240 in the home, which may use WPA2 security protocols between the UE and the CPE 240, or the UE 250 and a range extender connecting the UE 250 to the residential GW / CPE 240 as an end-to-end connection.
  • a second device from an enterprise company like Cisco, for example, can be provided with the VPN tunnel to connect with or at the CPE.
• the VPN client additionally creates a secured tunnel from the laptop to the corporate network.
• the UE 250 is able to communicate as if within the corporate intranet and get access to any corporate services.
  • the data traffic of the private network or home network at the CPE 240 is also put onto the VPN link.
• access is provided through the VPN tunnel, which runs from the PC in the home and usually degrades the user experience: the UE is often slower because all home network activity is also carried on top of the VPN connection.
  • the WPA2 pass-through and virtualization of related functions can be enabled to replace virtual private network (VPN) functions of an enterprise network as the SP network 280, which can also comprise in this case an intranet or WLAN that can further be connected to other networks or the SP network 280 enabling access beyond to the internet or other WAN.
• the WPA2 pass-through in this case provides the enterprise security and can add to the 802.1x standard or related protocol connection.
• an authentication protocol can be 802.1x or other IEEE standard 802.1x, in which x is any integer or other undetermined variable, where a specific procedure / protocol with (e.g., .1x) can be with / without extensions such as EAP-TTLS, PEAP, EAP-SIM, EAP-AKA, for example, which are associated with different mechanisms that use different credentials / processes.
  • data traffic can be encrypted (e.g., via WPA2) for security / privacy, or is left unencrypted.
  • the WPA2 pass-through operates to provide such security as an end-to-end connection through a CPE 240 without modification by the CPE 240, as such the WPA2 pass-through can be said to be transparent to the CPE 240. As such, the WPA2 pass-through creates a tunnel with transparent
• the community WiFi network can be a hot spot, or other pass point or network configured to be enabled by the SP network device / system 202 at the CPE 240 so that UEs 250 that are not necessarily residents or secured for access by other networks managed by the CPE 240 (e.g., a home network or the like) can transparently access a community WiFi network via the WPA2 pass-through connection.
  • a vAP 280 can be instantiated by removing functions of the pAP 302 from the CPE 240, or the home with a UE 250 that recognizes the community WiFi network.
• the SP network device can receive, via the WPA2 pass-through 270, data traffic associated with a particular BSS corresponding to the community WiFi network enabled by the CPE 240, which is transparently passed along to the SP network for a virtual community WiFi network over the WPA2 pass-through as an end-to-end WPA2 connection between the UE 250 and SP network device 202 or one of the
  • the BSS can identify or serve as a filter for UEs 250 not belonging or associated with the home network, which is managed by the CPE 240.
  • the BSS of the community WiFi network can be from among multiple other BSSs for other networks managed by the home / residential CPE.
  • the BSS of the community WiFi network can be one basic service set (BSS) from among a plurality of BSSs with a layer 2 privacy through a residential GW 240, wherein the BSS is based on a BSS identification (BSSID) associated with the community WiFi network.
  • the UE 250 can then receive or initiate with a BSSID, for example, connection or access.
  • an authentication / security protocol can be exchanged without interference, tampering, modification or concern of breach via, by or through the CPE 240 over the WPA2 pass-through 270.
• BSS can provide the basic building-block of an 802.11 wireless LAN.
  • the SP network 280 of the SP network device 202 with the home network of the CPE 240 can be a layer-to-layer network, in which there are multiple BSSs that can be configured in the wireless GW 240, one BSS for home network and another for the community WiFi network, for example.
  • the WPA2 pass-through associated with a community WiFi network can be established with only a specific BSS to bypass associated data traffic without modification.
  • the majority of home / residential / entity data traffic belonging to the home CPE 240 can remain managed thereat, such as communication between a UE (e.g., a television, phone, etc.) to a phone, or media center to the TV, as well as further to the internet, for example.
  • the community WiFi network via the WPA2 pass-through traffic always belongs to the SP network 280 or associated server / device / system of the SP network 280, and this home network of the CPE 240 just provides a means to get the bits from the mobile device to the SP for an end-to-end pass-through interface, namely the WPA2 pass-through itself.
  • the CPE 240 can define multiple APs through the one pAP, one for home and one for community WiFi.
  • the UE 250 could see / detect multiple WiFi networks, all of which can be enabled / configured in the same piece of hardware or CPE 240.
  • the SP network device 202 of the SP network operates to virtualize one (e.g., the community WiFi network) by taking physical functions and removing them from the pAP 302 to the vAP 340 of SP network 280 as VNFs and leaves the home network with another BSS or BSSID untouched or remaining as configured already at the pAP 302, for example, for a virtualized community WiFi network to be created.
  • multiple different virtual APs can be defined over a single WiFi access point (e.g., the pAP 302 of the CPE 240).
  • a home AP or home network can operate in conjunction at the CPE, and over single WiFi AP, processing device or CPE, for example, multiple APs (e.g., pAP 302), one for a home network that manages UEs at a residence or entity, and another one for a community WiFi network.
• the UE 250 thus would detect or observe the different WiFi networks available on the same piece of hardware.
• the SP network device / component 202 could virtualize just the community WiFi network at the vAP 340, and maintain the others with function at the CPE 240.
  • the home network could still control home traffic for traffic to the general internet as determined in the home at the CPE 240, which is not related to the SP, while control of removing such functions for access from the CPE 240 and to the SP network for the community WiFi network can be done by the network pAP controller 320 and to instantiate the vAP 340.
• two or more virtual APs 340 can be generated with distinct network names and MAC addresses.
  • two or more community WiFi networks virtual APs with a distinct network name and MAC address can also be formed / instantiated.
• multiple virtual APs can be enabled over a single WiFi AP GW / CPE 240 to provide multiple VLANs supported by one or more processors, for example, to provide, for example, 4 to 64 different vAPs 340.
• One or more virtual APs can have a distinct L2 MAC address (e.g., a BSSID), a distinct network name (e.g., SSID) and maintain a separate protocol identity, for example. From the UE 250's perspective, the virtual APs would appear as several APs that operate on the same radio frequency (RF) channel.
• WiFi AP firmware and software layers can be designed for common functions (e.g., channel selection, channel access, or the like) and per-virtual AP functions (e.g., data traffic segregation, L2 security or the like).
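As an added illustration that is not part of the application text, the following Python models the pass-through behaviour described in the bullets above: a residential GW advertising a home BSS and a community WiFi BSS, locating the BSSID in a data frame's 802.11 MAC header, handing community-BSS frames toward the SP-side vAP byte for byte, and keeping home-BSS frames under local (pAP) control. The BSSIDs, station addresses and frame bodies are constructed values, and the PassThroughCpe class and the passes_unmodified check are assumptions of this example, not components of the described system.

```python
"""Constructed example: a CPE that passes one BSS through unmodified.

Nothing here is the application's own implementation; the BSSIDs, frame
contents and the PassThroughCpe class are assumptions made for illustration.
"""
from dataclasses import dataclass
from typing import Optional, Tuple

# Constructed (locally administered) MAC addresses for the two BSSs the
# residential GW advertises: one home BSS and one community WiFi BSS.
HOME_BSSID = bytes.fromhex("020000aa0001")
COMMUNITY_BSSID = bytes.fromhex("020000aa0002")

FC_TYPE_DATA = 0x08     # frame control byte 0: type bits (b3:b2) == 10 (data)
FLAG_TO_DS = 0x01       # frame control byte 1 flag bits
FLAG_FROM_DS = 0x02
FLAG_PROTECTED = 0x40   # set when the body is WPA2 (CCMP) protected


@dataclass(frozen=True)
class DataFrame:
    to_ds: bool
    from_ds: bool
    protected: bool
    bssid: Optional[bytes]   # None for the 4-address (WDS) case
    body: bytes


def parse_data_frame(raw: bytes) -> DataFrame:
    """Parse the 24-byte 802.11 data MAC header and locate the BSSID.

    Which address field carries the BSSID depends on the To/From DS bits:
    To=1,From=0 -> Addr1; To=0,From=1 -> Addr2; To=0,From=0 -> Addr3.
    """
    if len(raw) < 24:
        raise ValueError("truncated 802.11 header")
    fc0, fc1 = raw[0], raw[1]
    if fc0 & 0x0C != FC_TYPE_DATA:
        raise ValueError("not a data frame")
    to_ds = bool(fc1 & FLAG_TO_DS)
    from_ds = bool(fc1 & FLAG_FROM_DS)
    addr1, addr2, addr3 = raw[4:10], raw[10:16], raw[16:22]
    if to_ds and from_ds:
        bssid = None
    elif to_ds:
        bssid = addr1
    elif from_ds:
        bssid = addr2
    else:
        bssid = addr3
    return DataFrame(to_ds, from_ds, bool(fc1 & FLAG_PROTECTED), bssid, raw[24:])


def build_data_frame(to_ds: bool, from_ds: bool, protected: bool,
                     addr1: bytes, addr2: bytes, addr3: bytes, body: bytes) -> bytes:
    """Build a minimal data frame (duration and sequence control zeroed)."""
    fc1 = ((FLAG_TO_DS if to_ds else 0) | (FLAG_FROM_DS if from_ds else 0)
           | (FLAG_PROTECTED if protected else 0))
    return (bytes([FC_TYPE_DATA, fc1]) + b"\x00\x00"
            + addr1 + addr2 + addr3 + b"\x00\x00" + body)


class PassThroughCpe:
    """Residential GW in WPA2 pass-through mode for one BSS (hypothetical).

    Frames on the community BSSID are handed toward the SP-side vAP byte for
    byte; frames on the home BSSID stay under local (pAP) control; anything
    else is dropped.
    """

    def __init__(self, home_bssid: bytes, community_bssid: bytes) -> None:
        self.home_bssid = home_bssid
        self.community_bssid = community_bssid

    def forward(self, raw: bytes) -> Tuple[str, bytes]:
        frame = parse_data_frame(raw)
        if frame.bssid == self.community_bssid:
            # Pass-through: the CPE never looks inside. WPA2 protection
            # terminates at the vAP, so the bits are returned untouched.
            return ("sp_vap", raw)
        if frame.bssid == self.home_bssid:
            # Home BSS: the pAP holds the key and would decrypt here; this
            # example only strips the header to show local handling.
            return ("home", frame.body)
        return ("drop", b"")


def passes_unmodified(cpe: PassThroughCpe, raw: bytes) -> bool:
    """Defender's check: a community-BSS frame must leave the CPE unchanged."""
    target, out = cpe.forward(raw)
    return target == "sp_vap" and out == raw
```

passes_unmodified is the property worth verifying on such a CPE: for the community BSSID, the bytes leaving toward the SP network equal the bytes received, so the WPA2 protection really terminates at the vAP rather than at the residential GW, while home-BSS frames are still handled locally.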
• In FIG. 4, illustrated is a process flow 400 employed within a system or device for enabling a WPA2 pass-through from an SP network.
  • An SP network component can execute one or more operations by a processing device with a memory having executable instructions.
  • the operations can include initiating a WiFi protected access 2 (WPA2) pass-through via a CPE 240 to a UE 250.
• WPA2 pass-through 270 can be an end-to-end connection between the UE 250 and a component (e.g., vAP 340) of the SP network 280.
• the WPA2 pass-through 270 can be a link, tunnel or interface that is secured by a WPA2 security and further passes-through the physical components of a residential GW or CPE 240 to the UE 250 and to the vAP 340, for example, or other SP network component (e.g., pCPE control 320, manager 310, orchestrator 330 or other components of the SP network 280).
  • the process flow 400 includes receiving, via the WPA2 pass-through, a set of traffic data from the UE, wherein the set of traffic data is unmodified by the CPE and associated with a community WiFi network of the CPE.
  • the UE 250 can detect a community WiFi network over a residential gateway or CPE 240.
  • the UE 250 can then further initiate the WPA2 pass-through generation via a pAP 302 of the CPE 240 by connecting with the community WiFi network associated with an SP network at the vAP 340.
  • the UE can then communicate transparently via the WPA2 pass-through a set of encrypted data to enable an authentication protocol at the vAP, in which the data is unmodified and decrypted at the vAP where it is received.
• the SP network device can then receive data from the UE over the WPA2 pass-through and be configured to generate, by the WPA2 pass-through, an authentication protocol with encrypted data based on a VNF of the pAP associated with the community WiFi network for a vAP of the SP network.
• the vAP can be generated by a VNF of the pAP to the SP network by a virtualization of its functions that replaces them on the SP network.
• the SP network device can comprise a WiFi access point management (WAPM) / a Radius Client / an authenticator / a BSS management, for example, that receives UE data over the WPA2 pass-through that is associated with one BSS from among different BSSs with Layer 2 privacy configured at the CPE.
  • the BSS can be associated with the community WiFi network based on a BSS identification (BSSID) at a pAP, which passes any UE data traffic related through the WPA2 pass-through without modification, or transparently.
  • a partition configuration can refer to the resources, hardware, firmware or software and associated functions that are either removed from the pAP 302 and assigned to the vAP 340, or kept at the pAP 302 in the CPE 240, for example.
  • Each feature or function associated with the community WiFi network at the CPE 240 can be enabled by a change in the partition (or partition configuration), which defines which functions are at the pAP 302 or removed / assigned for operation to the vAP 340.
  • Some of the functions of the CPE 240 can be moved out and put in a data center, server component, or other SP network device / component 202, which further can change the protocol, how the different functions communicate in and out from one another through the WPA2 pass-through.
  • a communication link 502 can be provided between the CPE and the vAP 340, which can be controlled by the orchestrator 330, for example, in order to control and measure communication parameters there-between.
  • One such communication parameter for example, can include a communication latency.
  • Other communication parameters can also be monitored by the orchestrator 330 as well, such as power, signal strength, load, or other communication network parameters in order to dynamically determine the partition configuration of the APs for VNFs associated with the WPA2 pass-through.
  • the orchestrator 330 can operate in conjunction with the vAP 340 or the control 320 of the SP network in order to generate or configure partition configurations of the VNFs dynamically or on-the-fly based on a communication parameter(s) (e.g., latency) of the communication link 502.
  • the partition configurations 504 can be virtualized (moved from the CPE 240 to the SP network device 202) to the vAP 340 so that any one partition 510-530 can be selected, enabled or dynamically modified from among these functions, which can be removed from the CPE 240 and executed / assigned by the SP network at the vAP 340 or other SP network component, for example, in relation to a community WiFi network.
• the orchestrator 330 can measure latency, and then decide by the latency which functions to virtualize or re-assign from the pAP 302 to the vAP 340. Based on this decision, the orchestrator 330 configures both the virtual network function(s) (VNFs) 504 and the physical AP 302 to instantiate this specific configuration (or partition configuration). Different configurations can be enabled based on latency. For example, partition configuration one 510 can be enabled as a first partition configuration from among different VNFs when the latency of the link 502 (or 290) is within a first range (e.g., about 100 ms or greater than 100 ms).
  • a second partition can be configured when the latency is determined as being within a second range that is different from the first.
  • the second range can comprise, for example, a latency value that is less than about 100 ms and greater than about 10 ms.
  • a third partition configuration that is different from the first and second partitions can be configured when the latency is in a third range different from the first and second ranges.
  • the third range can be a latency value that is less than about 10 ms.
  • the first partition 510 can include the following components along with associated functions or VNFs as they can be referred to herein.
• a WiFi AP management component 512 can be configured to operate one or more policy settings associated with the vAP 340, such as security policies, security extensions with WPA2 security, group settings of one or more UEs, permissions, related quality of service (QoS) parameters, or other network policies or settings, for example.
  • the first partition 510 can further include a RADIUS client component 514 that is configured to operate one or more authentication processes with an authentication server component 506, such as an authentication, authorization, accounting server as well as an associated database 508, for example.
  • the AAA server component 506 can operate to retrieve / compare / confirm / process one or more keys, or security credentials for authentication or decryption of data traffic, for example.
• the first partition 510 can further include an authenticator component 516 configured to authenticate a user equipment (UE) with the vAP 340 through the pAP 302 on the WPA2 pass-through 270 based on the one or more authentication processes / protocols.
• the first partition 510 can further include a basic service set (BSS) management component 518 configured to operate a channel selection associated with a BSS identification (BSSID) of the community WiFi network for a client authentication and a key derivation, for example.
• the BSS management component 518 can control L2 security (per SSID / BSSID), as well as client connection management, the RADIUS client, or robust security client / WPA2 authentication / authentication requests. Any one of these components / associated functions by which each is configured can reside within or be controlled by the SP network device 202 or any component (e.g., virtual AP 340) therein, for example, as VNFs associated with the SP network 280 from the pAP 302.
• the first partition configuration of VNFs including the AP management component 512, the RADIUS client component 514, the authenticator 516, and the BSS management component 518 can be classified as non-real time functions, in which the functions do not necessarily occur immediately in time and even if the function is not successful / complete or fails to meet a parameter or time deadline, possibly more than one (e.g., with multiple requests), the network system 500 is not considered in failure.
  • the results are not worthless in value for a result after any deadline for requests of the associated function, or is not zero, rather it could degrade over time or be pre-configured without being modified immediately or dynamically upon any modification or change in parameters or partition configuration, for example.
  • These functions (VNFs) can be considered non-real time function with a latency of greater than about 10 ms, for example.
  • the second partition 520 can further include a radio resource control (RRC) component 519 configured to control per client (UE) functionalities and common functions among clients.
  • the per client functionalities can include at least one of: setting a data path, transmit parameters (e.g., transmit power), one or more modulation coding schemes, a channel width, one or more beamforming groups, or client / UE received signal strength indicators, and the like.
  • Common client functionalities can include at least one of: a dynamic frequency selection, a channel load or coexistence.
  • the second partition 520 can include an IPSec channeling / tunneling component 522 operations, GRE component 524 operations, as well as data path functions 526 and 528.
  • These functions and components of the second partition configuration 520 can be based on a real-time operation (RRC 519, IPSec 522, GRE 524, data path 526, 528) and a non-real time operation (e.g., the components and related functions of the first partition configuration 510).
  • Real-time operations can include those functions that have a latency (e.g., a round trip packet latency or time for the function to operate) or take between one to ten milliseconds to function, and non-real time functions can be those that have a latency of greater than 10 milliseconds, for example.
  • the third partition configuration 530 can include components / functions within the first partition configuration 510 and the second partition configuration 520, including related components and functions (or potential VNFs) that operate or demand hard real time operation.
• the RRC 519 can include partially real-time and partially hard real time functions, in which the hard real time functions can be those functions of an associated component that are performed, or utilize resources for any associated function, for less than about 1 ms.
  • a hard real time function can require a particular deadline, otherwise failure of the function can occur if success is not achieved on the first endeavor, for example.
  • the first partition configuration 510 of VNFs, including the AP management component 512, the RADIUS client component 514, the authenticator 516, and the BSS management component 518, can be classified as non-real time functions, in which the functions do not necessarily occur immediately in time and, even if the function is not successful / complete or fails to meet a parameter or time deadline, possibly more than once (e.g., with multiple requests), the network system 500 is not considered in failure.
  • the result of the associated function is not worthless (or zero) in value after any deadline for its requests; rather, it can degrade over time, or the function can be pre-configured without being modified immediately or dynamically upon any modification or change in parameters or partition configuration, for example.
  • the second partition configuration 520 further comprises real-time functions and associated components (RRC 519, IPSec 522, GRE 524, data path 526, 528), in which even if the component or function of the component fails to meet the deadline / time frame, possibly more than once (i.e. for multiple requests), the system is not considered to have failed.
  • the real time functions operate with a latency of between about 1 to 10 ms, for example, while the third partition configuration includes hard real time functions operational at a latency of less than 1 ms.
  • a configuration can be based on the type of interface between the CPE 240 and the SP network 280.
  • a cable network access can be selected to operate with the second partition configuration 520, while DSL or PON can differ in partition configuration in order to further enable / support / manage the WPA2 pass-through.
  • the partition configurations however can be modified at any time during communication packet transfer between the UE, through the CPE and to the SP network based on the latency detected.
  • Other parameters can instantiate other partition configurations as well, and the disclosure is not limited to latency as the only
  • first, second, and third partitions 510-530 can be selected with different functions described herein as VNFs in different partitions 510-530.
  • these example partition configurations 510-530 are not fixed or static to the given example embodiments described herein for supporting the WPA2 pass-through.
  • the data path components 526 and 528 can include functionality that at least partially can be moved out, or virtualized from the CPE 240 to the SP network 280 or device 202 as VNFs as well.
  • the data paths or planes 526, 528 can be implemented as multiple network interfaces (one interface per VLAN), essentially for the network that is particularly being virtualized (i.e., the community WiFi network from the home CPE 240 with one or more related VNFs). One interface can be for the home network that is not virtualized, and the other one can be for the network that is virtualized.
  • the functions managed by each interface here can include WPA2 privacy (e.g.,
  • the privacy encryption / decryption can stay locally in the data path at the CPE 240 for one interface, while for the other one, for example, it can be virtualized to the SP network, where the encryption / decryption is moved out to the SP network as well.
  • each partition configuration with associated components or functions of the components can be virtualized and moved to the SP network 280, the SP network device 202, or an associated component in operation or functional capacity.
  • in order for the orchestrator 330 to decide what to move, the latency of the communication (e.g., over link 502 or 290) between the pAP 302 and the SP network is determined.
  • otherwise the protocol itself, built on the wireless WiFi protocol, will fail because it is bound in time.
  • the latency of the link is measured.
  • the orchestrator 330 can measure the latency by using a "ping" procedure.
  • a ping, communication or query can be sent from the SP network 280 to the AP 302, which replies to the PING in response, and then the orchestrator 330 can measure the time it takes to receive the response, which will determine the latency.
  • the SP orchestrator 330 or manager 310 can operate to decide how to configure the partitions as well as the appropriate ranges of any parameters associated with the particular partition configurations 510-530, for example.
  • the SP orchestrator 330 can configure the partition configuration 510-530 option with the AP 302 by sending a command to the AP 302 that indicates the partition configuration by which it should function or operate in association with a community WiFi network and one or more connecting UEs thereto.
  • the orchestrator 330 can configure the appropriate VNFs on the SP network side of the WPA2 pass-through 270.
  • Illustrated in FIG. 6 is an example process flow 600 for dynamic partitioning operations associated with FIG. 5 in accordance with the aspects or embodiments being disclosed.
  • the process flow 600 initiates with determining a partition
  • a virtual access point e.g., vAP 340
  • a physical access point e.g., pAP 302
  • a customer premise equipment e.g., CPE 240
  • a communication parameter of a communication interface / link e.g., link 502
  • the flow comprises instantiating the vAP of the SP network based on a community WiFi network to enable a WiFi protected access 2 (WPA2) pass-through.
  • This act can be based on a partition configuration determined by the VNF orchestrator 330, for example.
  • a communication query or PING can be sent to the CPE, a response then received in response to the PING / query, and based on a measurement of a related parameter (e.g., WAN latency, load, etc.) the partition can be selected and configured.
  • the flow continues by enabling the WPA2 pass-through transparently through the pAP from the vAP.
  • the orchestrator 330 can modify the partition
  • the first partition configuration from the set of VNFs can be configured when a link latency is about 100 ms or greater.
  • the second partition configuration from the set of VNFs can be configured when the link latency is less than about 100 ms and greater than about 10 ms.
  • a third partition configuration can be configured from the set of VNFs when the link latency is about 10 ms, or less than about 10 ms, for example.
  • the orchestrator component 330 can measure a WAN link latency (GW-to-SP network access GW) using a PING communication, for example. Then a decision can be made to enable vAP functions based on the measured latency, such as for non-real time control only (e.g., the first partition 510), non-real time control with privacy and a part of real-time control (e.g., the second partition 520), or non-real time, real time, hard real-time control, and privacy (e.g., the third partition 530). Then the orchestrator 330 can configure the GW functions and AP VNFs (e.g., as a vWPA2 pass-through operational system). AP management and control is then located on the virtual WPA control VNF, while the AP data plane is in the virtual plane.
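The latency-driven partition choice described above (PING the CPE, measure the round trip, then pick the first, second or third partition configuration by the 100 ms and 10 ms thresholds) is shown below as an added worked example; it is not code from the patent or from Intel. The thresholds and the VNF groupings (512-518 for the first partition, 519-528 for the second) come from the description; the function names, the Partition enum, the median-of-samples stand-in for the PING procedure and the sample RTT values are assumptions for illustration.

```python
"""Orchestrator partition selection from a measured WAN link latency.

Added example (not code from the patent or from Intel): models the
decision described for FIG. 5 / FIG. 6. Thresholds and VNF groupings
follow the description; names, the median summary of PING samples and
the sample RTT values are assumptions.
"""
from enum import Enum
from statistics import median
from typing import Iterable, List, Tuple


class Partition(Enum):
    FIRST = 1   # non-real-time control only
    SECOND = 2  # + privacy and part of real-time control
    THIRD = 3   # + hard real-time control


# VNFs named in the description, grouped by the partition that adds them.
# The third partition's hard real-time functions are listed generically
# because the description does not enumerate them.
VNFS_ADDED_BY = {
    Partition.FIRST: ("AP management 512", "RADIUS client 514",
                      "authenticator 516", "BSS management 518"),
    Partition.SECOND: ("RRC 519", "IPSec 522", "GRE 524",
                       "data path 526", "data path 528"),
    Partition.THIRD: ("hard real-time functions (< 1 ms)",),
}

NON_REAL_TIME_MS = 100.0  # at or above this latency: first partition
REAL_TIME_MS = 10.0       # at or below this latency: third partition


def measure_latency_ms(rtt_samples_ms: Iterable[float]) -> float:
    """Stand-in for the orchestrator's PING procedure (assumption): the
    round-trip samples are summarised by their median so that a single
    delayed reply does not flip the partition configuration."""
    samples = [s for s in rtt_samples_ms if s >= 0]
    if not samples:
        raise ValueError("no latency samples available")
    return median(samples)


def select_partition(latency_ms: float) -> Partition:
    """Map a measured link latency to a partition configuration of FIG. 5."""
    if latency_ms >= NON_REAL_TIME_MS:
        return Partition.FIRST
    if latency_ms > REAL_TIME_MS:
        return Partition.SECOND
    return Partition.THIRD


def vnfs_to_virtualize(partition: Partition) -> List[str]:
    """Functions moved from the pAP to the vAP; partitions are cumulative."""
    names: List[str] = []
    for p in Partition:
        if p.value <= partition.value:
            names.extend(VNFS_ADDED_BY[p])
    return names


def orchestrate(rtt_samples_ms: Iterable[float]) -> Tuple[Partition, List[str]]:
    """One orchestrator decision. It can be re-run whenever new samples
    arrive, since the partition may change at any time during transfer."""
    partition = select_partition(measure_latency_ms(rtt_samples_ms))
    return partition, vnfs_to_virtualize(partition)


if __name__ == "__main__":
    # Constructed RTT samples (ms) for three different WAN links.
    for samples in ([120.0, 130.0, 125.0], [12.0, 11.0, 400.0, 13.0], [3.0, 4.0, 2.5]):
        p, vnfs = orchestrate(samples)
        print(f"{samples} -> {p.name}: {', '.join(vnfs)}")
```

Because the partitions are cumulative, `vnfs_to_virtualize` returns everything up to and including the selected partition, which is what the orchestrator would hand to the SP side when instantiating the vAP.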
  • the NFV operations can be performed / managed according to the SP components, which can correspond similarly to an NFV management and organization (NFV MANO) 702, a defined framework for the management and orchestration of the cloud data center, including computing, networking, storage, and virtual machine (VM) resources.
  • the architecture 700 can facilitate or enable VR performance measurement threshold monitoring (e.g., such as by one or more partition configuration / communication link parameters) as well as threshold crossing notification according to various aspects described herein.
  • The system illustrated in FIG. 7 comprises a Network Manager (NM) 710, a Network Function Virtualization (NFV) Orchestrator (NFVO) 720, a network Element Manager (EM) 730, a set of Virtualized Network Functions (VNFs) 770 virtualized by Virtualization Resources (VRs) of an NFV Infrastructure (NFVI) 750, a VNF Manager (VNFM) 740, and a Virtualized Infrastructure Manager (VIM) 760.
  • the solid lines between these entities indicate the various reference points that facilitate data exchange between these entities, the dashed lines indicate the flow of data associated with threshold creation, and the dashed and dotted lines indicate the flow of data associated with the notification of threshold crossing.
  • the orchestrator 330 can be configured as the NFVO 720 to facilitate / enable / control on-boarding of network services (NS) and VNF functions, VNF packages, NS lifecycle management, global resource management, validation and authorization of network functions virtualization infrastructure (NFVI) resource requests, and the like.
  • the orchestrator 330 can be coupled to the manager 310 as well as the vAP (or virtualized network element) 340 as a VNF manager 740 that oversees or controls lifecycle management of VNF instances, and performs a coordination and adaptation role for configuration and event reporting, for example.
  • the pCPE control 320 can operate also as a virtualized infrastructure manager (VIM) 760 as an entryway or portal to the SP network 280 and the SP network device(s) or components 202, for example, to control and manage the NFVI compute, storage, or network resources, including the WPA2 pass-through and WPA2 protocol process flows.
  • Any one of the orchestrator 330, database or other server component (e.g., authentication, authorization, accounting server, or the like) of a server system, which manages or enables the SP network 280 can further operate to open an access for a specific user/ UE 250 (e.g., service set identifier (SSID)) of the SP network 280 to the internet or other WAN.
  • FIG. 8 illustrates a non-limiting example of a UE device, such as a laptop, tablet, or other communication device or wireless terminal 800 that can implement some or all of the aspects described herein.
  • the wireless terminal 800, such as a laptop, tablet, other communication device or wireless terminal, network device, or SP network device of an SP network, can receive and transmit signal(s) to and/or from wireless devices such as APs, access terminals, wireless ports and routers, or the like, through a set of L antennas 820 (1 to L), which can be configured according to one or more embodiments or aspects described herein.
  • antennas 820 can be implemented as part of a communication platform 815, which in turn can comprise electronic components and associated circuitry and/or other means that provide for processing and manipulation of received signal(s) and signal(s) to be transmitted.
  • the antennas 820 can comprise the various antenna elements incorporating the different aspects or embodiments disclosed herein.
  • communication platform 815 can include a monitor component 804 and antenna component 806, which can couple to communication platform 815 and include electronic components with associated circuitry that provide for processing and manipulation of received signal(s) and other signal(s) to be transmitted.
  • communication platform 815 can further comprise a receiver/transmitter or transceiver 816, which can transmit and receive signals and/or perform one or more processing operations on such signals (e.g., conversion from analog to digital upon reception, conversion from digital to analog upon transmission, etc.).
  • transceiver 816 can divide a single data stream into multiple, parallel data streams, or perform the reciprocal operation.
  • the communication device 800 can include display interface 808, which can display functions that control functionality of the device 800, or reveal operation conditions thereof.
  • display interface 808 can include a screen to convey information to an end user.
  • display interface 808 can be a liquid crystal display, a plasma panel, a monolithic thin-film based electro chromic display, and so on.
  • display interface 808 can include a component (e.g., speaker) that facilitates communication of aural indicia, which can also be employed in connection with messages that convey operational instructions to an end user.
  • Display interface 808 can also facilitate data entry (e.g., through a linked keypad or through touch gestures), which can cause access equipment and/or software 800 to receive external commands (e.g., restart operation).
  • Broadband network interface 810 facilitates connection of access equipment and/or software 800 to a service provider network (not shown) that can include one or more cellular technologies (e.g., third generation partnership project universal mobile telecommunication system, global system for mobile communication, and so on) through backhaul link(s) (not shown), which enable incoming and outgoing data flow.
  • Broadband network interface 810 can be internal or external to access equipment and/or software 800, and can utilize display interface 808 for end-user interaction and status information delivery.
  • Processor 835 can be functionally connected to communication platform 808 and can facilitate operations on data (e.g., symbols, bits, or chips) for
  • processor 835 can be functionally connected, through data, system, or an address bus, to display interface 808 and broadband network interface 810, to confer, at least in part, functionality to each of such components.
  • a multiplexer/demultiplexer (mux/demux) unit 817 can be coupled to transceiver 816.
  • Mux/demux unit 817 can, for example, facilitate
  • mux/demux unit 817 can multiplex information (e.g., data/traffic, control/signaling, etc.) according to various multiplexing schemes such as time division multiplexing (TDM), frequency division multiplexing (FDM), orthogonal frequency division multiplexing (OFDM), code division multiplexing (CDM), space division multiplexing (SDM), or the like.
  • mux/demux unit 817 can scramble and spread information according to substantially any code generally known in the art, such as Hadamard-Walsh codes, Barker codes, Kasami codes, polyphase codes, and so on.
  • a modulator/demodulator (mod/demod) unit 818 implemented within communication platform 815 can modulate information according to multiple modulation techniques, such as frequency modulation, amplitude modulation (e.g., L-ary quadrature amplitude modulation (L-QAM), etc.), phase-shift keying (PSK), and the like.
  • communication platform 815 can also include a coder/decoder (codec) module 819 that facilitates decoding received signal(s) and/or coding signal(s) to convey.
  • wireless terminal 800 can include a processor 835 configured to confer functionality, at least in part, to substantially any electronic component utilized by wireless terminal 800.
  • a power supply 825 can attach to a power grid and include one or more transformers to achieve a power level at which various components and/or circuitry associated with wireless terminal 800 can operate.
  • power supply 825 can include a rechargeable power mechanism to facilitate continued operation of wireless terminal 800 in the event that wireless terminal 800 is disconnected from the power grid, the power grid is not operating, etc.
  • processor 835 can be functionally connected to communication platform 815 and can facilitate various operations on data (e.g., symbols, bits, chips, etc.), which can include, but are not limited to, effecting direct and inverse fast Fourier transforms, selection of modulation rates, selection of data packet formats, inter-packet times, etc.
  • processor 835 can be functionally connected, via a data or system bus (e.g., a wireless PCIE or the like), to any other components or circuitry not shown in system 800 to at least partially confer functionality to each of such components, such as by the antenna systems disclosed herein.
  • a memory 845 can be used by wireless terminal 800 to store data structures, code instructions and program modules, system or device information, code sequences for scrambling, spreading and pilot transmission, location intelligence storage, determined delay offset(s), over-the-air propagation models, and so on.
  • Processor 835 can be coupled to the memory 845 in order to store and retrieve information necessary to operate and/or confer functionality to communication platform 815 and/or any other components of wireless terminal 800.
  • the antenna systems described above with the communication device 800 can also be configured, for example, to operate at a wide range of frequencies in a high band frequency range, and can additionally include peer-to-peer (e.g., mobile-to-mobile) ad hoc network systems, often using unpaired unlicensed spectrum, 802.xx wireless LAN, BLUETOOTH, and any other short- or long-range wireless frequency ranges and communication techniques.
  • the narrow band antenna elements disclosed herein, such as the antenna resonating systems of the devices disclosed, for example, can also be configured to operate at other frequency ranges.
  • the components (of SP device 202 or an affiliated component) disclosed herein can operate to communicate wirelessly with other components, such as the display interface 808 as a wireless device, or with other wireless interfaces, such as a wireless USB device, for example.
  • a wireless USB device can communicate within a frequency range.
  • the antenna systems disclosed can be configured to communicate with other wireless connections, components, interfaces or devices in order to provide communication interfacing for wireless component-to-component communications.
  • a PCB to PCB interface can be facilitated by the high band antenna systems as well as micro millimeter wave communications among one or more internal or external components.
  • the antenna elements disclosed herein can enable components, such as internet of things (IoT) to IoT components, wearable components, mobile to mobile, a network base station (e.g., a macro cell network device, femto cell device, pico cell device or other network devices), or any combination thereof, to communicate via one or more of the antenna elements, such as via the antenna systems or devices herein, for example.
  • the antenna systems disclosed herein can operate in different frequency ranges, as well as facilitate communications with, or among, one or more wireless components or devices.
  • FIG. 9 illustrates components of a network in accordance with some embodiments.
  • part(s) or all of one or more of the components illustrated in connection with the figures herein can be implemented as virtual network functions (VNFs) in connection with various aspects described herein.
  • An Evolved Packet Core (EPC) network 900 is shown to include a Home Subscriber Server (HSS) 910, a Mobility Management Entity (MME) 920, a Serving GateWay (SGW) 930, a Packet Data Network (PDN) GateWay (PGW) 940, and a Policy and Charging Rules Function (PCRF) 950.
  • the HSS 910 comprises one or more databases for network users, including subscription-related information to support the network entities' handling of
  • the HSS 910 may provide support for routing/roaming, authentication, authorization, naming/addressing resolution, location dependencies, etc.
  • the EPC network 900 may comprise one or several HSSs 910, depending on the number of mobile subscribers, on the capacity of the equipment, on the organization of the network, etc.
  • the MME 920 is similar in function to the control plane of legacy Serving General packet radio service (GPRS) Support Nodes (SGSN).
  • the MMEs 920 manage mobility aspects in access such as gateway selection and tracking area list
  • the EPC network 900 may comprise one or several MMEs 920
  • the SGW 930 terminates the interface toward an Evolved UMTS (Universal Mobile Telecommunications System) Terrestrial Radio Access Network (E-UTRAN), and routes data packets between the E-UTRAN and the EPC network 900.
  • the SGW 930 may be a local mobility anchor point for inter-eNodeB handovers and also may provide an anchor for inter-3GPP mobility. Other responsibilities may include lawful intercept, charging, and some policy enforcement.
  • the PGW 940 terminates an SGi interface toward the PDN.
  • the PGW 940 routes data packets between the EPC network 900 and external networks, and may be a node for policy enforcement and charging data collection.
  • the PCRF 950 is the policy and charging control element of the EPC network 900.
  • the PCRF 950 may be communicatively coupled to an application server (alternatively referred to as application function (AF)).
  • the application server is an element offering applications that use Internet Protocol (IP) bearer resources with the core network (e.g., UMTS Packet Services (PS) domain, Long Term Evolution (LTE) PS data services, etc.).
  • the application server may signal the PCRF 950 to indicate a new service flow and to select the appropriate Quality of Service (QoS) and charging parameters.
  • QoS Quality of Service
  • the PCRF 950 may provision this rule into a Policy and Charging
  • the components of the EPC 900 may be implemented in one physical node or separate physical nodes.
  • Network Functions Virtualization (NFV) is utilized to virtualize any or all of the above described network node functions via executable instructions stored in one or more computer readable storage mediums (described in further detail below).
  • a logical instantiation of the EPC network 900 may be referred to as a network slice 901.
  • a logical instantiation of a portion of the EPC network 900 may be referred to as a network sub-slice 902 (e.g., the network sub-slice 902 is shown to include the PGW 940 and the PCRF 950).
  • FIG. 10 illustrates an example data flow with protocol details of data flows for a CPE or residential home GW in accordance with the aspects or embodiments described herein.
  • the process flow 1000 illustrates the data exchanges occurring for a partitioning of the VNFs from a pAP 302 in the CPE to the vAP 340 at the SP provider network 280.
  • a dynamic partition can be enabled.
  • partition configuration two (option 2) can be one of the options discussed herein, which can be enabled when the link 290 is a cable link.
  • the partitioning here, i.e., what functions will be removed from the pAP 302 of the CPE 240 and what will be executed / done in the pAP 302 at the CPE 240, AP or Gateway, can be illustrated by the acts of FIG. 10 between a WAV 500 or WiFi chip component and a platform system on a chip (SoC), in which each can be a part of or integrated with the CPE 240 as a wireless routing or network device, or residential home GW, for example.
  • the WAV 500 component can individually or separately also be a part of or comprise a range extender coupled to the pAP 302 for wireless communication with a UE, mobile device or other network device.
  • the left portion / path can be considered a receive path 1030.
  • Packets can be received via the receive path at the pAP 302 of the CPE 240 over an air interface or WiFi airlink 1002 in order to process data for the community WiFi network from a UE, for example, or other network wireless device.
  • Packets can be generically referred to as data packets or packet data, while data packets can also be different from management packets; the term packets or data packets can refer to both, or to data packets specifically, for example.
  • management packets can comprise a request for association or authentication, while data packets can refer to packets already configured for association or authentication after such protocols have succeeded between the SP network 280 and CPE 240, for example, or corresponding components.
  • the pAP 302 of the CPE 240 can include one or more components including the WAV 500 WiFi processor chip, for example, and the Platform SoC of the CPE. These can be separate components or divisions with separate interfaces within, or a part of, the CPE 240 overall or the pAP 302.
  • a check can be performed at 1006 (e.g., by the pAP 240) as to whether or not the packet belongs to the community WiFi network, which is configured as a virtual network.
  • the check at 1006 can be performed by the WAV 500 according to or based on the BSS ID of the packets, such as a corresponding BSS ID in a receive frame for the community WiFi BSS ID. If the packets belong to the BSS according to the BSS ID, then a determination or check can be made for the class (e.g., a CLASS 1-3) of the packet. However, if the packet does not belong to the BSS as the community WiFi network, then the partition configuration is not virtualized and the residential GW or CPE 240 would process the packet accordingly without a WPA2 pass-through interface 270 to the SP network 280.
  • Three different specific types of the packets can be enabled or specified to be in a specific state, called class 1, 2 and 3. In the state where the client is not associated to the network, only packets that are management packets can be buffered in, called Class 1. Management packets can be similar to or considered packets making an initial request for an association with the network. Class 2 can be considered an intermediate class, and class 3 applies if the packet is associated with the network, in which case all of the data packets can be buffered in, especially data packets and management packets as different packet types (unlike class 2).
  • a received metadata can be added to the packet.
  • the received metadata can be any additional information that is not originally within or a part of the packet, but that would have / could have been collected when the packet was received.
  • This received metadata or metadata can include, for example, the received signal strength (e.g., a received signal strength indication (RSSI)), the signal-to-noise ratio or other signal power strength indication or parameter that was also received / able to be determined when receiving the packet over the air 1002, and a physical header (e.g., an 802.1x PHY layer header or other similar packet header) associated with it.
  • the physical header with all the associated information has been dropped because there may not be a need for it in further processing, aside from utilizing it to receive the frame at the lowest possible level (e.g., as Class 1).
  • the metadata can be information that the SP 280, for example, could use to manage a radio resource parameter (e.g., a latency, power or signal strength, or other similar communication signal / link parameter) such as a radio parameter of the SP network, the community WiFi network or communication link therebetween.
  • packet data or packets can be received and further transferred for processing without alteration to the encryption or decryption of the packets by the CPE 240.
  • the packets can be passed along (via the WPA2 pass-through interface 270) in the same form as received, as well as with some added or additional metadata information, for example.
  • the packet can be moved to the next stage (e.g., at a platform SoC or SoC platform) for processing, whereby at 1010 a generic routing encapsulation (GRE) header can also be added.
  • the GRE header, for example, can be an IP header that contains the information of what the destination is, in which the destination can be the virtual network function (VNF) in the SP network 280, such as at the vAP 340.
  • the packet(s) can be forwarded at 1012 to the wide area network (WAN) interface or CPE WAN link 1014 (e.g., cable / digital subscriber line (DSL) / passive optical network (PON) 290), which can be at least in part in a router of the CPE.
  • This CPE WAN link 1014 can be the network interface that connects to the SP network 280 (e.g., a cable provider network or the like).
  • the CPE 240, for example, can operate by receiving packets from the wireless interface 1002, adding to them, and passing them along to the WAN 1014 to go to the SP network 280 without a modification involving an encryption or decryption by the CPE 240.
  • a transmit path 1040 is configured for the continued data flow, which can be a management and control path for management and control operations, while the receive path 1030 can be a data path.
  • a packet from the WAN at 1016 is received, which could contain SP provider data or other internet provider (IP) data to be rendered at a screen of the UE or by a browser.
  • the received packet can be from the SP network over the CPE WAN link 1014, for example over the cable modem link, and then processed at additional steps.
  • the packets can be identified as belonging to the network (community WiFi network) that has been virtualized at the vAP 340.
  • a GRE header can be stripped from the received packet, as the packet can come from the VNF (e.g., vAP 340) as an IP packet.
  • the packet can then be passed along the transmit path 1040 without the GRE header to the WiFi access point chip (e.g., WAV 500 or the like component).
  • the WiFi AP chip then operates to transmit the packet at 1022 further along to the air interface 1002.
  • the WiFi AP chip puts the packet without the GRE header in the WiFi transmit queue at 1020 and schedules it for transmission at 1022; as such, the CPE does not have to do any further modification to the packet, especially with respect to encryption / decryption.
  • These acts of the data flow 1000 can be what is performed for the community WiFi network with virtualization to happen in the CPE 240 in a router, for example.
  • the received packet would also be transformed from 802.3 to 802.11 format, decrypted, and only then connected or associated to the transmit queue, for example.
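The receive path (BSSID check at 1006, packet class check, metadata added, GRE header added at 1010, forwarded to the WAN link 1014) and the transmit path (GRE stripped from packets arriving from the vAP, payload placed unchanged in the transmit queue at 1020) are modelled below as an added worked example; it is not code from the patent or from Intel. The BSSIDs, IP addresses, the metadata layout, the minimal IP-plus-GRE framing, the GRE protocol-type value and the reading of class 2 as "authenticated but not yet associated" are assumptions for illustration. The security-relevant property the description insists on is kept explicit: the WPA2-protected frame body is opaque bytes that the CPE copies but never decrypts, re-encrypts or edits.

```python
"""CPE receive and transmit paths of the WPA2 pass-through (FIG. 10).

Added example (not code from the patent or from Intel): models the
per-packet decisions described for data flow 1000. Sample values,
framing and the class-2 meaning are assumptions; the WPA2-protected
body is treated as opaque bytes the CPE never alters.
"""
import socket
import struct
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample values (assumptions).
COMMUNITY_BSSID = "02:11:22:33:44:55"  # virtualized community WiFi network
HOME_BSSID = "02:11:22:33:44:66"       # non-virtualized home network
VAP_IP = "198.51.100.10"               # vAP VNF in the SP network
CPE_WAN_IP = "203.0.113.7"             # CPE WAN-side address
GRE_PROTO_PASSTHROUGH = 0x0FFF         # assumed protocol type, not a standardized value


@dataclass(frozen=True)
class RxFrame:
    bssid: str
    frame_type: str    # "mgmt" or "data"
    body: bytes        # WPA2-protected frame body, opaque to the CPE
    rssi_dbm: int      # received metadata collected with the frame
    snr_db: int
    phy_header: bytes  # PHY-layer header, normally dropped after reception


def frame_class(client_state: str) -> int:
    """Class 1: client not associated (management frames only); class 2:
    intermediate, modelled here as authenticated but not yet associated
    (assumption); class 3: associated (data and management frames)."""
    return {"unassociated": 1, "authenticated": 2, "associated": 3}[client_state]


def accepted(frame: RxFrame, cls: int) -> bool:
    """Only class 3 admits data frames; classes 1 and 2 admit management only."""
    return cls == 3 or frame.frame_type == "mgmt"


def add_rx_metadata(frame: RxFrame) -> bytes:
    """Prefix the untouched body with RSSI, SNR and the PHY header so the
    vAP can manage radio resource parameters from the SP side."""
    head = struct.pack("!hHH", frame.rssi_dbm, frame.snr_db, len(frame.phy_header))
    return head + frame.phy_header + frame.body


def gre_encapsulate(payload: bytes, src_ip: str, dst_ip: str) -> bytes:
    """Act 1010: minimal IP-like header (src, dst) plus a 4-byte GRE header
    (flags = 0, protocol type) in front of the payload."""
    return (socket.inet_aton(src_ip) + socket.inet_aton(dst_ip)
            + struct.pack("!HH", 0, GRE_PROTO_PASSTHROUGH) + payload)


def gre_decapsulate(packet: bytes) -> Tuple[str, str, int, bytes]:
    """Inverse of gre_encapsulate: (src, dst, protocol type, payload)."""
    src = socket.inet_ntoa(packet[0:4])
    dst = socket.inet_ntoa(packet[4:8])
    _flags, proto = struct.unpack("!HH", packet[8:12])
    return src, dst, proto, packet[12:]


def receive_path(frame: RxFrame, client_state: str) -> Tuple[str, Optional[object]]:
    """Acts 1006-1012: ("local", frame) for the home network, ("drop", None)
    when the packet class does not admit the frame, or ("wan", packet)
    forwarded to the CPE WAN link 1014 with metadata and GRE header added."""
    if frame.bssid != COMMUNITY_BSSID:
        return "local", frame          # residential GW processes it itself
    if not accepted(frame, frame_class(client_state)):
        return "drop", None
    return "wan", gre_encapsulate(add_rx_metadata(frame), CPE_WAN_IP, VAP_IP)


def transmit_path(packet: bytes, tx_queue: List[bytes]) -> str:
    """Acts 1016-1022: packets from the vAP have their GRE header stripped
    and the payload is queued for transmission unchanged; anything else is
    left to the residential GW."""
    src, _dst, proto, payload = gre_decapsulate(packet)
    if src != VAP_IP or proto != GRE_PROTO_PASSTHROUGH:
        return "local"
    tx_queue.append(payload)
    return "queued"


if __name__ == "__main__":
    uplink = RxFrame(COMMUNITY_BSSID, "data", b"\x88\x42protected-body", -55, 30, b"\x00\x01")
    print(receive_path(uplink, "unassociated")[0])  # drop
    kind, pkt = receive_path(uplink, "associated")
    print(kind, gre_decapsulate(pkt)[1])            # wan 198.51.100.10
    queue: List[bytes] = []
    print(transmit_path(gre_encapsulate(b"downlink", VAP_IP, CPE_WAN_IP), queue), queue)
```

The two checks that decide whether a frame leaves the CPE at all (BSSID membership, then packet class) are deliberately performed before any encapsulation, so a frame from the home network or a data frame from an unassociated client never reaches the WAN link.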
  • the WPA2 pass-through 270 can enable / manage an authentication or security protocol with the UE 250 based on a VNF of a pAP 302 associated with the community WiFi network for (e.g., the creation of) a vAP of the SP network 280 of the SP network device / component 202.
  • the vAP 340, thus, can be a creation or instance of a set of functions that have been virtualized from the pAP 302 in relation to a community WiFi network.
  • the community WiFi network can be a hot spot, or other pass point or network configured to be enabled at the CPE 240 for guests, subscribers of the SP (e.g., Comcast), or the home with a UE 250 that recognizes the community WiFi network based on a BSSID, for example, and initiates connection with it.
  • an authentication / security protocol can be exchanged without interference, tampering, modification or concern of breach by or through the CPE 240 to the vAP 340 at the SP network 280, especially with respect to decryption / encryption via the WPA2 pass-through associated with the community WiFi network.
  • the SP network component 202 can operate to virtualize
  • the authentication protocols can include, for example, WISPr 1.0, or the 802.1x protocol where a specific procedure / protocol with .1x can be with / without extensions such as EAP-TTLS, PEAP, EAP-SIM, EAP-AKA, for example, or other extensions.
  • the SP network component 202 can create a virtual network function for a pAP to form an instance of a vAP based on one or more VNFs, depending on the partition configuration (e.g., a second partition configuration for cable).
  • the WPA2 pass-through 270 from end-to-end ensures security all the way through the CPE to the SP network and ensures that modification, tampering or breach of privacy does not provide opportunity otherwise, in association with a community WiFi network, or to disrupt such communication flow for any possible breach.
  • the WPA2 pass-through 270 can be instantiated or generated by the SP network device 202 when there is a configuration at the CPE 240 where all the traffic for a specific network (e.g., community WiFi network) is passed transparently through the residential GW 240 without the residential GW 240 touching / removing any of the bits on this traffic, and through the cable / DSL / PON access to the SP network 280 at one or more components / devices thereat (e.g., the SP network device 202).
  • Authentication or security protocol(s) can then be facilitated through the WPA2 pass-through 270 connection / interface.
  • An encryption key can then be facilitated through the WPA2 pass-through 270 connection / interface.
  • In FIG. 11, illustrated is an example data flow between the CPE 1102 (from the CPE WAN link 1014 of FIG. 10) and the community WiFi wireless access GW 1122 (e.g., the SP network device 202, or any component thereof) in accordance with various aspects or embodiments being described.
  • the happenings or acts operating in the VNF (e.g., vAP 340) of the SP network 280, in particular the functions that have been split out from the pAP 302 and implemented as functions in the SP network or SP network device / component 202, are illustrated along the data flow 1100.
  • a packet has been received from the receive direction / path 1030 of FIG. 10 over the CPE WAN link 1014 from the CPE 1102 and processed along receive path 1170 to the Hostapd community WiFi control 1116 or the Community WiFi Wireless Access GW 1122 as part of the receive path.
  • the GRE header is stripped because the packet has been received at its destination, and thus, to get to the packet body or data payload the GRE header can be stripped.
  • a determination can be made whether the packet is encrypted and to decrypt the packet if there is an encryption.
  • a station (STA) context database 1112 (e.g., DB 508), which can include a station connection state, keys for encryption / decryption and other client / UE specific related data (e.g., an RSSI, latency, or other parameters or data), can be accessed.
  • a replay attack notification can be generated, the packet or encrypted packet is dropped and a replay update counter (not shown) can be updated, which can be included in the STA context database 1112.
  • the counters in the STA context database 1112 can also be part of the VNF that handles data flow at the SP network device 202, for example.
  • An A-MSDU (aggregated MAC service data unit) can be the result of multiple MSDU packets aggregated together, such as from several packets, in a special format called an A-MSDU.
  • an MSDU is the service data unit that is received from the logical link control (LLC) sub-layer, which can lie above the media access control (MAC) sub-layer in a protocol stack, for example.
  • Aggregation can occur, for example, to reduce the overhead of the transmission and obtain or form a higher layer group or grouping.
  • When packets are received there is usually a gap between them. So to decrease the gap and increase efficiency, many packets can sometimes be lumped together or aggregated in one large packet such as an A-MSDU. If the packets received are aggregated as an A-MSDU, then they can be de-aggregated and split at 1110 into individual packets and moved to the next stage 1114 of the receive path 1170 for further processing.
  • Some packets could be simply data packets, which are packets with information or data in a payload for communicating information once the user or UE has been associated (e.g., with data of class 2 or class 3). Data packets can be considered packets that just hold information, for example, from a web browser or any type of application or software program. If the packet received is an MMPDU, then it can be passed to be un-packaged / processed by the component doing access point management and control at the transmit path 1180, the control VNF or Hostapd 1116 (e.g., pCPE control 320), for BSS management, for example.
  • the hostapd 1116 can be a component operating BSS management by recognizing that the packet represents a new client (unassociated UE or network device) that wants to connect by asking for a station request with an MMPDU packet.
  • the hostapd component 1116 can send a station response, and it will be processed along the transmit path 1180 as a management and control path through the CPE 240 over air to the client. So the client can then start establishing a connection.
  • if the packet comprises a data packet (e.g., video such as Netflix data), this packet can go all the way up to a data VNF or community WiFi Wireless Access GW 1122 (e.g., vAP or other SP network component), where the data packet is detected and transmitted from there to the internet, for example.
  • if the packet is not an MMPDU packet but a data packet, then it is converted at 1118 from the 802.11 format to the 802.3 format, which are formats of the IEEE standards. Then, at 1118, the packet is forwarded to the community WiFi GW 112 for further forwarding to the internet.
  • a GRE header of the community WiFi GW can be added, and it will be sent out from there as an IP packet so eventually it will get to the community WiFi GW 1122.
  • a packet can be received from the community WiFi GW 1222.
  • the GRE header is stripped, then the packet is encrypted at 1126 using this station context database and using the WPA2 keys to encrypt it.
  • the GRE header is then added at 1128 for the CPE 1102 or for the residential home router, the home GW.
  • the packet is transmitted to the CPE 1102 (e.g., CPE 240 of FIG. 2) as an IP packet to the UE via the CPE. So this packet will be sent for encryption, then the GRE header will be added and it will be sent to the CPE as well.
  • packets designated as or related to data packets will come from the community WiFi GW 1122 and the management packets will be generated by the Hostapd 1116 as the community WiFi control.
  • the first packet structure 1202 is the payload of the 802.11 MSDU (see above for discussion of aggregated MSDU with a privacy class of 1) as an 802.11 packet payload comprising three fields.
  • the three fields of packet 1202 include the encrypted data in the middle, a packet number (PN) used as a seed in encryption and decryption (e.g., about 8 octets), and the message integrity code (MIC) at the end that authenticates that this is encrypted data that has been encrypted by the sender, or identifies the sender.
  • This packet is then transmitted over the air from the client / UE to the AP (e.g., the pAP 302) transmitted in the format of packet structure 1204.
  • This packet structure 1204 has the payload with an 802.11 MAC header added to it. So a packet received over the air can be in this format.
  • a station (STA) context can be added (e.g., info to the right of the transmission data packet 1206), which can be detailed in the format of a vWPA header and can be 16 octets long.
  • the STA context for example, can contain a client context identity (ID), a payload offset and a length, as well as one or more RF parameters (e.g., the metadata added at 1008 of FIG. 10) or an association identity (AID) with one or more transmit parameters for transmission of the packets.
  • the association ID identifies the client, UE or other network device along with other transmit parameters in the STA context 1112.
  • the packet 1206 can become of this format: vWPA header, 802.11 MAC header and the payload.
  • This packet structure 1208 is the format (the long one) when the packet is coming to the first GW / first server in the SP network (e.g., the pCPE control 320 or the vAP 340) of VNF data processing at 1104 along the data / reception path 1170.
  • the packet is decrypted at 1106 and a different GRE header is added and the packet is sent to the community WiFi access GW at 1120, which can be demonstrated for example by the packet structure 1214, which is the last packet structure at the output of the receive path 1170 processing to the community WiFi GW.
  • This packet structure 1214 can have an outer header (outer GRE header), a different GRE header than the last one that was stripped.
  • the first GRE header is to get to the data VNF for processing, while this different GRE header here is to get to the wireless access GW.
  • the packet can be in 802.3 format after decryption, as the result of a transformation from 802.11 MAC to 802.3. If the payload cannot be decrypted it can be dropped; here the payload is encrypted and so it goes through the decryption process.
  • the packet structure 1212 is an example of the management packet
  • This packet structure 1212 is the format of the packet that can go forward from the MMPDU at 1114 to the hostapd community WiFi control 1116, which can be after decryption and be a clear text payload, with an 802.11 MAC header as MMPDU (management packet), and can also have the STA context, which can be utilized here in the control function.
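The receive path 1170 and the packet structures 1202 to 1214 described above (the same acts reappear in the process flow 1900 later on this page), worked through as an added example that is not code from the patent: a constructed frame of structure 1208 (GRE, 16-octet vWPA header, 802.11 MAC header, then PN | encrypted data | MIC) is handled by a data VNF stand-in that strips GRE, checks the MIC, drops replays on the PN counter kept in the STA context, decrypts, and either hands an MMPDU to the control VNF or converts a data MSDU to 802.3 under a new outer GRE header for the wireless access GW. The byte layouts, the GRE header bytes, the MIC length and the SHA-256/HMAC stand-in for the WPA2 cipher are all assumptions of this example; the patent does not specify them.

```python
import hashlib
import hmac
import struct
from dataclasses import dataclass

# All byte layouts below are assumptions of this example, not the patent's wire format.
GRE_LEN = 4                           # minimal GRE header: flags/version + protocol type
GRE_FROM_CPE = b"\x00\x00\x65\x58"    # GRE header used on the CPE -> data VNF tunnel
GRE_TO_WAG = b"\x00\x00\x65\x59"      # different outer GRE header toward the wireless access GW
VWPA_FMT = "<IHHHbxxxxx"              # client context ID, payload offset, length, AID, RSSI, pad
VWPA_LEN = struct.calcsize(VWPA_FMT)  # 16 octets, as the text states for the vWPA header
MAC_HDR_LEN = 24                      # basic 802.11 MAC header: FC, duration, addr1-3, seq
PN_LEN, MIC_LEN = 8, 8                # packet number (about 8 octets) and MIC (assumed 8)
TYPE_MGMT, TYPE_DATA = 0, 2           # 802.11 frame-control "type" field values


@dataclass
class StaContext:
    """One entry of the STA context database 1112: key, state and replay data."""
    key: bytes
    sta_class: int = 3       # associated client; data frames are accepted
    last_pn: int = -1        # highest packet number accepted so far
    replay_drops: int = 0    # replay attack counter


def keystream(key, pn, n):
    """Stand-in for the WPA2 cipher: n keystream bytes derived from key and PN."""
    out, ctr = b"", 0
    while len(out) < n:
        out += hashlib.sha256(key + pn.to_bytes(8, "big") + ctr.to_bytes(4, "big")).digest()
        ctr += 1
    return out[:n]


def protect(key, pn, plaintext):
    """Build the MSDU payload of packet structure 1202: PN | encrypted data | MIC."""
    ct = bytes(a ^ b for a, b in zip(plaintext, keystream(key, pn, len(plaintext))))
    pn_bytes = pn.to_bytes(PN_LEN, "big")
    mic = hmac.new(key, pn_bytes + ct, hashlib.sha256).digest()[:MIC_LEN]
    return pn_bytes + ct + mic


def build_frame(ctx_id, aid, rssi, ftype, bssid, sa, da, payload):
    """Assemble packet structure 1208 as the CPE sends it over the WAN link:
    GRE | vWPA header (STA context) | 802.11 MAC header | payload."""
    fc = (ftype << 2) | (0x0100 if ftype == TYPE_DATA else 0)   # To-DS set on data frames
    mac = struct.pack("<HH", fc, 0) + bssid + sa + da + struct.pack("<H", 0)
    vwpa = struct.pack(VWPA_FMT, ctx_id, VWPA_LEN + MAC_HDR_LEN, len(payload), aid, rssi)
    return GRE_FROM_CPE + vwpa + mac + payload


def receive_path(raw, db):
    """Acts 1104-1120 of receive path 1170 for one frame arriving at the data VNF.
    Returns ("control", frame_1212), ("wag", packet_1214) or ("drop", reason)."""
    body = raw[GRE_LEN:]                                   # GRE stripped: we are its destination
    ctx_id, off, length, aid, rssi = struct.unpack_from(VWPA_FMT, body)
    mac = body[VWPA_LEN:VWPA_LEN + MAC_HDR_LEN]
    payload = body[off:off + length]
    sta = db.get(ctx_id)
    if sta is None:
        return ("drop", "unknown station context")
    if len(payload) < PN_LEN + MIC_LEN:
        return ("drop", "payload too short")
    pn = int.from_bytes(payload[:PN_LEN], "big")
    ct, mic = payload[PN_LEN:-MIC_LEN], payload[-MIC_LEN:]
    expected = hmac.new(sta.key, payload[:-MIC_LEN], hashlib.sha256).digest()[:MIC_LEN]
    if not hmac.compare_digest(mic, expected):             # authenticate before trusting the PN
        return ("drop", "MIC check failed")
    if pn <= sta.last_pn:                                  # seen before: replay notification
        sta.replay_drops += 1
        return ("drop", "replay detected")
    sta.last_pn = pn
    clear = bytes(a ^ b for a, b in zip(ct, keystream(sta.key, pn, len(ct))))
    ftype = (struct.unpack_from("<H", mac)[0] >> 2) & 0x3
    if ftype == TYPE_MGMT:                                 # MMPDU: structure 1212 to the control VNF
        return ("control", body[:VWPA_LEN] + mac + clear)
    if sta.sta_class != 3:                                 # data only from associated clients
        return ("drop", "client not in class 3")
    sa, da = mac[10:16], mac[16:22]                        # addr2 = SA, addr3 = DA with To-DS set
    eth = da + sa + clear                                  # 802.11 -> 802.3 (LLC/SNAP omitted)
    return ("wag", GRE_TO_WAG + eth)                       # structure 1214 toward the WAG


def demo():
    """Constructed traffic: one data frame, its replay, and one management frame."""
    key = b"\x11" * 16                                     # constructed PTK stand-in
    db = {7: StaContext(key=key)}
    bssid, sa, da = (bytes([2, 0, 0, 0, 0, i]) for i in (1, 2, 3))
    data = build_frame(7, 1, -55, TYPE_DATA, bssid, sa, da, protect(key, 5, b"hello"))
    mgmt = build_frame(7, 1, -55, TYPE_MGMT, bssid, sa, da, protect(key, 6, b"assoc"))
    return [receive_path(f, db)[0] for f in (data, data, mgmt)] + [db[7].replay_drops]


if __name__ == "__main__":
    print(demo())   # ['wag', 'drop', 'control', 1]
```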
  • FIGs. 13-18 illustrate embodiments related to the control flow operations and provisioning of data for the data flow operations described above in FIGs. 10-11.
  • this is the information that is acquired in the vCPE or vAP 340 in the VNF as well as in the pCPE or pAP 302 in the GW / CPE 240.
  • the vCPE 340, for example, has to be provisioned with the information that will enable it to configure the community WiFi vAP parameters, which will then be used by the WiFi AP.
  • the key parameters can include the BSS parameters that essentially are then used in the WiFi protocol, such as the 802.11 protocol.
  • the AP also uses, to communicate with clients, the RADIUS server IP and the wireless access GW name and IP address. This information is used to register the IP. These two parameters are also required for various operations such as the control VNF and data VNF.
  • the control VNF (or hostapd 1116 or pCPE control 320) has to receive the IP address of this server to be able to communicate with it.
  • the community WiFi GW IP address and the IP address is also utilized by the data VNF (e.g., the vAP 340) to create this processing of the data VNF when it handles the packet that it receives from the pCPE 302 to process it and forward it to the community WiFi gateway or SP network 280.
  • the pCPE 302 has to create a secure connection with the VNF or VNFs of the SP network 280, for which the protocol is transferred. It has to have a credential for this secured connection, like a public security key (PSK) or public security certificate. Because the GW already has the credential(s) to be able to communicate with the SP network, the pCPE in the GW can reuse this credential to not have to configure a new credential for the communications.
  • Another parameter that can be utilized in the process flows of the pCPE 302 is the service set identifier or SSID or the name of the community WiFi that will be displayed in beacons that the WiFi AP (CPE 240) transmits so the client / UE can identify this as a community WiFi BSS and connect to it. Every SP uses its own name.
  • Another parameter that can be utilized is the domain name, the server name of the data VNF. So the UE or network device (e.g., 250) is able to reach to it, obtain an IP address of it and establish the GRE protocol, the
  • these parameters and provisioning for process flows can also be used to enable communication between the range extender and the VNF to configure the credentials via the secure link with the control VNF or pCPE control 320 because it is different from the GW or CPE 240 as illustrated in FIG. 5.
  • the GW 240 receives these credentials when it is being initialized.
  • a range extender 104, for example, typically does not receive these credentials, so the range extender has to be configured with the credentials that enable it to establish this secure link or the WPA2 pass-through interface 270.
  • the credentials are certificates of the control VNF 320 and it has to be configured with the same parameters like the pCPE 302 to enable a communication over WiFi.
  • the service provider, the SSID, the network name, and the data VNF, the data VNF domain name can all be provisioned in various process control flows described.
  • In FIG. 13, illustrated is an example provisioning control flow of parameters and data for data flows of WPA2 pass-through communications of a partition configuration of VNFs in accord with various aspects or embodiments described.
  • this is the procedure of how to initialize or orchestrate the communication between the data VNF (e.g., the vAP 340 with DB 508 according to a partition configuration 504), the control VNF and the pCPE / range extender.
  • the pCPE 302 establishes the
  • Terminology used herein has various synonyms and for purposes of our description, the control flow is illustrated with reference to particular components of the CPE 1304, which can include pAP 302, as well as pCPE control 320 on the SP network side, and can correspond to the WLAN driver 1306, the hostapd agent 1308, and the pCPE management 1316 (as part of the CPE).
  • the data center 1310 can include any databases such as DB 508 or AAA 506, vCPE management (e.g., manager 310), vWPA2 VNF data 1312 (e.g., vAP 340, and the orchestrator 330), and vWPA2 VNF control 1314 (e.g., also part of the pCPE control 320, the Hostapd community WiFi control 1116, or a control VNF).
  • the orchestrator 330 initializes the control VNF 1314 at 1324 and then uses the initial procedure towards the pCPE 1316 to initialize the vAP 340 for community WiFi. So it sends the configuration file to the pCPE 1316 at 1326. The pCPE 1316 then uses this data to configure or prepare for the work of different components in the CPE 1304. For example, the pCPE 1316 initializes the hostapd agent 1308, which is the data secure member, at 1328. This hostapd agent 1308 is the agent used for the communication protocol between the pCPE 1318 and the control VNF 1314.
  • the pCPE 1318 initializes the hostapd agent 1308, which initializes wireless LAN driver 1306 for supporting communication operations at 1330. Afterwards, the secured connection between the hostapd agent 1308 and the control VNF 1314 can be established as at 1332, and then the protocol flow is enabled for the control flow 1300.
  • the control VNF 1314 configures the BSS parameters to the hostapd agent 1308, which then configures the AP driver 1306 with this SSID, for example, or one of the other parameters described herein, at 1336. Afterwards, the control VNF 1314 can start communication at 1338. After this point, the pCPE functionality for the community WiFi as well as the VNF are configured and ready for work at 1340 as the final stage of the init sequence.
  • FIG. 14 illustrates an example of the BSS parameter configuration control flow, which provides further details on the control plane and how parameters are changed after the init 1420 processes of FIG. 13.
  • the control VNF 1414 of the data center 1410 sends or sets a beacon template 1422 using this communication protocol, or this secure link to the hostapd agent, which then will configure the beacon templates to the wireless LAN AP driver at 1424.
  • the beacon template can be used to create the beacons that then the wireless AP starts transmitting over the air so clients will be able to identify it and initiate a connection procedure for the community WiFi network, for example.
  • a probe response template is also configured through the hostapd agent 1408 of the CPE 1404 to the AP driver 1406 (e.g., waveform audio file format or WAV driver) at 1428.
  • the probe responses are used when the client / UE sends an inquiry called a probe request to the residential GW / AP / CPE 1404 to obtain more information on the AP capabilities.
  • the control VNF at 1430 sends the command start BSS, to start the community WiFi BSS, to the hostapd agent 1408, which commands the WiFi driver 1406 to start the BSS at 1432. Then the BSS has started and client UEs will be able to connect to it. Further, from time to time there could be a change in the BSS parameters at 1434, for example an indication of a change in the traffic, a change of the buffered traffic for clients that are connected to the access point, as the traffic indication map (TIM). In this case, it has to update the beacon template and send the TIM to the AP, done by the last sequence at 1436 from the VNF control 1414 to the hostapd agent 1408 and finally to the driver 1406 at 1438.
  • This process or control flow 1400 can be how BSS parameters are configured after the INIT process 1420 from FIG. 13 and during run time operation.
  • the control flow 1500, in accordance with various aspects or embodiments herein, demonstrates the operation flow of the client / UE (e.g., 1502) connection.
  • When a client UE 1602 wants to connect to the AP, it sends packets at 1520 or starts the process for the authentication, adding to the packet an 802.11 authentication message, or a management MAC protocol data unit (MMPDU).
  • the packet is then encapsulated using a GRE tunnel at 1522 by the wireless LAN driver 1506 of CPE 1504, which sends it directly to the data VNF 1512 of the data center 1510.
  • the data VNF 1524 identifies this packet as the management frame (or authentication / association request) and sends it to the control VNF 1514 at 1524.
  • the control VNF creates the client context or STA context, and sends / sets the client state to class 2 at 1526.
  • Class 2 in 802.11 is the state in which the AP is configured to accept a management association, or association messages from clients. Before this act at 1526, the SP network or SP network device / component 202 could just drop any association requests from the clients.
  • the control VNF 1514 sends the command set Class 2 for client MAC address because it is a new client, to the hostapd agent, which then at 1530 forwards it to the WLAN driver 1506.
  • This WLAN driver 1506 sets it in the database (e.g., DB 508).
  • the control VNF 1514 at 1532 sets the MMPDU to client authentication 2, which is the authentication response, to be transferred using the protocol of the WiFi AP driver 1506 at 1534, which then forwards it over the air to the client 1502 at 1536.
  • the client updates the state machine and continues with association, which is part of the 802.11 protocol, at 1538.
  • the association request is put with a GRE header at 1540 and forwarded to the data VNF 1512, which forwards it to the control VNF 1514 at 1542.
  • control VNF 1514 updates the client context (STA context of the STA database 1112 of FIG. 11) to Class 3, which means that afterwards the client access port will accept data packets and not just management packets from the client 1502, and thus both data and management packets can be processed readily. So control VNF 1514 then changes the client state to associated, assigns an association ID (AID) and sends this configuration to the hostapd agent 1508 at 1546, which, in turn, sends this to the WLAN driver 1506 at 1548.
  • control VNF 1514 sends the packet association response with an indication of success to the data VNF 1512, which then at 1550 forwards it over a GRE tunnel to the WiFi driver / AP driver 1506 that forwards / sends this packet to the client 1502 at 1552 for the client to then be considered associated.
  • In FIG. 16, illustrated is another embodiment of a control flow with operations directed toward securing connection establishment in accordance with various aspects or embodiments herein.
  • the client 1602 can now send data packets to the AP (e.g., vAP or SP network device 202), and the data packets communicated will contain the 802.1x authentication protocol from the UE 1602 through the CPE 240 with pAP 302 to the SP network device 202 (e.g., to the authentication server 1616, or the AAA 506) via a WPA2 pass-through interface and without modification from decryption / encryption at the CPE 240.
  • an 802.1x authentication protocol can be sent from the WiFi client 1602 through all of this chain (1604-1616) to the authentication data server 1616.
  • the authentication server 1616 communicates back to the WiFi client 1602 by updating the client's credentials and sending additional key material so the client 1602 will be enabled to create or derive the master station key (MSK) at 1622.
  • the authentication server 1616 at 1624 derives the master station key as well and configures it to the control VNF 1614. After this there is a stage where the encryption key that will be used for the encryption of the data and management packets is derived, which is called the four-way handshake 1626.
  • control VNF 1614 is the one that initiates it and the WiFi client 1602 is the one that co-operates using the communication response protocol known as a Four-way handshake, meaning about or at least four messages are exchanged between WiFi client 1602 and the control VNF 1614 using communications 1628 there-between.
  • both client 1602 and AP or vWPA2 VNF control 1614 derive the encryption key used for WPA2 encryption of unicast frames or unicast packets used, for example, as a client pairwise temporal key / pairwise transient key (PTK), which can also be used for the communication from the AP 1614 to the client 1602 of broadcast messages or broadcast traffic.
  • Broadcast messages, for example, can be generated using a different key, a group temporal key (GTK), for example.
  • a GTK can be derived in the VNF control 1614 and transferred to client 1602 using the secured link (e.g., the WPA2 pass-through interface) as part of the WPA2 four-way handshake 1626.
  • the client 1602 accepts it and configures the GTK into the hardware.
  • the control flow 1600 illustrates the transpiring communication response of the client 1602 and control VNF 1614 with respect to key derivation.
  • the key is not visible necessarily to any other component, does not stay in or reside at any point / component along the communication path 1628 in-between, and is responsive or utilized for the communications over the WPA2 pass-through, for example.
  • the control VNF 1614 configures to the client context database (e.g., STA context database 1112 or the vWPA2 VNF data 1612) these keys for the unicast traffic and broadcast traffic at 1634, while further commanding the data VNF 1612 to open a port (access port) for communication with this particular client 1602. So from this point on, any traffic at all, which is coming from the client over the data flow 1636, will go to the SP network and reach this wireless access gateway (WAG) 1618.
  • the client / UE 1602 when it wants to send IP traffic, for example, for an application to communicate, it typically sends the packet to the WiFi driver 1606 at 1638, which then at 1640 puts this packet into the GRE tunnel and sends it to the data VNF 1612.
  • the data VNF 1612 further decrypts the packet and
  • any incoming packets for this client 1602 that are coming from the WAG 1618 can also be forwarded to the interface or using this GRE tunnel at 1644. Then they will be repackaged, modified to the 802.11 format and encrypted, and repackaged into a GRE tunnel and sent to the WiFi driver 1606 at 1646, which then will forward them to the client 1602 over the air at 1648.
  • In FIG. 17, illustrated is another example control flow for a client disconnect, in which the client / UE 1702 desires to disconnect from the community WiFi network in accordance with various aspects or embodiments herein.
  • the client / UE 1702 could discern that the signal of this communication connection with the AP (e.g., SP network device 202 of FIG. 5) is weak and would like to
  • the client 1702 can send the management frame that is called Dissociate over the air at 1722 to the WiFi AP driver 1706, which then puts the packet in a GRE tunnel and forwards it to the data VNF 1712 at 1724.
  • the data VNF 1712 decrypts the packet, detects that this packet is a management packet, and so forwards it to the control VNF 1714 at 1726.
  • the control VNF 1714 then performs the procedure of the client disconnect at 1730. It changes the client state to Class 1, which means do not accept any packet other than authenticate requests.
  • the control VNF 1714 releases or frees up the AID or client association ID at 1730 and sends commands to change the class and close the port at 1732 and 1734, which is forwarded to the WLAN driver 1706 at 1736.
  • the context ID can still be retained because client 1702 could attempt to associate with this AP in the future.
  • the client context can be maintained for some time, but the control VNF 1714 configures the maintenance by removing the keys, the encryption keys, at the data VNF 1712 at 1732 because now the client 1702 has disconnected and these keys are derived upon each new connection (or session).
  • the keys are removed and commands are sent to the hostapd agent 1708 to change the client state to class 1 at 1732, in which class 1 is to accept only authentication request packets. Then the hostapd agent 1708 configures this command to the wireless LAN driver 1706 at 1736.
  • the client / UE 1702 can be disconnected at 1740 with a management command from the vWPA2 VNF data 1712 to the WLAN driver 1706, which then sends a dissociate 802.11 message to the client UE 1702 at 1744.
  • Security information that is relevant to the last session or connection can be cleared, and thus dissociation is complete with disconnect at 1746 as a result of the client 1702 deciding to disconnect from the AP / communicating WiFi network.
  • a procedure can be carried out when the VNF decides to disconnect the client 1702, for example in response to the client 1702 not communicating for a period or duration of time, or any other circumstance when the VNF or a component of the SP network device 202 decides that the client 1702 has to be disconnected.
  • the VNF can create a dissociate message (e.g., MMPDU dissociate client context ID) to be sent to client 1702 that it forwards at 1740 first to the data VNF 1712, which then puts it on the GRE tunnel and sends it to the WiFi AP driver 1706 at 1742, which sends it over the air to the client 1702 at 1744, and now the client is disconnected at 1746.
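The client state handling of control flows 1500 (connect), 1600 (key install) and 1700 (disconnect) above, as an added example rather than the patent's code: a control VNF stand-in keeps the STA context, gates received frames by class 1 / 2 / 3, assigns and frees AIDs, stores and removes session keys, and handles both a client-initiated Disassociate and a VNF-initiated disconnect after inactivity. The command strings, the idle_limit parameter and the context field names are assumptions of this example.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Set

CLASS_1, CLASS_2, CLASS_3 = 1, 2, 3   # 802.11 client states tracked by the control VNF
MAX_AID = 2007                        # association IDs are limited to 1..2007 in 802.11


@dataclass
class StaContext:
    """Client context in the STA context database 1112 (field names are assumptions)."""
    mac: str
    sta_class: int = CLASS_1          # class 1: only authentication requests accepted
    aid: Optional[int] = None
    ptk: Optional[bytes] = None
    gtk: Optional[bytes] = None
    idle_ticks: int = 0


class ControlVnf:
    """Stand-in for the control VNF (1514 / 1714): owns client state, AIDs and keys.
    Commands toward the hostapd agent, the driver and the data VNF are recorded as text."""

    def __init__(self, idle_limit: int = 3):
        self.db: Dict[str, StaContext] = {}
        self.free_aids: Set[int] = set(range(1, MAX_AID + 1))
        self.commands: List[str] = []
        self.idle_limit = idle_limit

    def _send(self, target: str, text: str) -> None:
        self.commands.append(f"{target}: {text}")

    def accepts(self, mac: str, kind: str) -> bool:
        """Gate a received frame on the client's class: class 1 allows only
        authentication, class 2 adds association, class 3 adds data frames."""
        cls = self.db[mac].sta_class if mac in self.db else CLASS_1
        return cls >= {"auth": CLASS_1, "assoc": CLASS_2, "data": CLASS_3}[kind]

    def on_auth_request(self, mac: str) -> None:
        """Acts 1524-1536: create the context, move to class 2, answer the MMPDU."""
        sta = self.db.setdefault(mac, StaContext(mac))
        sta.sta_class = CLASS_2
        self._send("hostapd", f"set class 2 {mac}")
        self._send("driver", f"mmpdu auth-response {mac}")

    def on_assoc_request(self, mac: str) -> Optional[int]:
        """Acts 1540-1552: assign an AID, move to class 3, send the association response."""
        if not self.accepts(mac, "assoc"):         # class 1 clients may only authenticate
            self._send("driver", f"drop assoc {mac} (class 1)")
            return None
        sta = self.db[mac]
        sta.aid = min(self.free_aids)
        self.free_aids.remove(sta.aid)
        sta.sta_class = CLASS_3
        self._send("hostapd", f"set class 3 {mac} aid {sta.aid}")
        self._send("driver", f"mmpdu assoc-response success {mac}")
        return sta.aid

    def on_keys_derived(self, mac: str, ptk: bytes, gtk: bytes) -> None:
        """Act 1634: after the four-way handshake, store the keys and open the access port."""
        sta = self.db[mac]
        sta.ptk, sta.gtk = ptk, gtk
        self._send("data-vnf", f"set keys {mac}; open port")

    def disconnect(self, mac: str, initiator: str) -> None:
        """Acts 1730-1746 for a client- or VNF-initiated disconnect. Keys and AID are
        dropped; the context itself stays, in class 1, so the client can associate again."""
        sta = self.db[mac]
        if sta.aid is not None:
            self.free_aids.add(sta.aid)
            sta.aid = None
        sta.ptk = sta.gtk = None                  # session keys are derived anew per connection
        sta.sta_class = CLASS_1
        self._send("data-vnf", f"remove keys {mac}; close port")
        self._send("hostapd", f"set class 1 {mac}")
        if initiator == "vnf":                    # a client-initiated flow already carried Disassociate
            self._send("driver", f"mmpdu disassociate {mac}")

    def tick(self, active_macs: Set[str]) -> None:
        """Idle detection: a class 3 client silent for idle_limit ticks is disconnected by the VNF."""
        for mac, sta in self.db.items():
            sta.idle_ticks = 0 if mac in active_macs else sta.idle_ticks + 1
            if sta.sta_class == CLASS_3 and sta.idle_ticks >= self.idle_limit:
                self.disconnect(mac, "vnf")
```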
  • In FIG. 18, illustrated is another control flow demonstrating the procedure when the CPE WAN link is down or no longer functions (e.g., the cable link or optical link 290 between the SP network device 202 and the CPE 1804).
  • the WiFi client 1802 communicates to the SP network 280 over the community WiFi network or the WPA2 pass-through interface, but suddenly the cable link 290 goes down or there is some service interruption in the SP network. As such, there is no communication now between the CPE 240 and the data center 1810, or between the CPE 1804 and the SP network 280, for example.
  • the CPE 1804 detects that one link is down, for example the cable modem link. Additionally, the pCPE 302 moves to autonomous mode at 1820, so it still wants to be able to function if there is some service interruption in the cable provider or SP network 280, which does not necessarily mean that the home network is down or blocked. However, the community WiFi service should be stopped, as at 1822 with a stop command, because the community WiFi network carries the SP provider traffic. So the pCPE management block 1816 in the CPE 1804 sends a command to the hostapd agent 1808 to stop at 1822.
  • the hostapd agent 1808 configures at 1824 the stop commands into the WLAN driver 1806, which stops any communication with clients that are related to the community WiFi and stops sending beacons so the community WiFi clients do not see the community WiFi network.
  • the WLAN driver 1806 then stops, cleans the client state and queues at 1826, and the vWPA2 VNF decides to disconnect the client at 1828.
  • the pCPE 1816 then re-establishes normal modes or a normal connection or link 290 between the CPE and the datacenter or SP network.
  • the orchestrator 330 can initialize the init procedure at 1834 and 1844 for the control VNF 1814 and data VNF 1812.
  • the pCPE management 1816 then starts the init procedure at 1832 for the community WiFi AP.
  • the pCPE management 1816 initializes the hostapd agent 1808, which then triggers the whole sequence of the WiFi AP driver initialization, etc. as above with an init sequence or flow 1846.
  • a computer-readable storage medium can store executable instructions that, in response to execution, cause one or more processors of a service provider (SP) network component or device to perform the operations of the process flow 1900.
  • the process flow initiates at 1902 with receiving, via a WiFi protected access 2 (WPA2) pass-through, a set of traffic data from a physical access point (pAP) of customer premise equipment (CPE) connected to a user equipment (UE), wherein the set of traffic data is unmodified by the CPE and associated with a community WiFi network of the CPE.
  • the process flow or method 1900 continues with processing the packet data from the pAP along a receive chain for transmission to a wide area network (WAN).
  • the process flow can include one or more of: stripping a GRE header from the packet data received from the UE; determining whether the packet data comprises an encrypted data; determining whether a similar encrypted data as the encrypted data has been decrypted before; determining whether the packet data comprises an aggregate media access control (MAC) service data unit (A-MSDU); or determining whether the packet data comprises a data packet or a management packet requesting access to the community WiFi network.
  • the process flow 1900 at 1908 can include other acts or steps as disclosed herein, such as decrypting the packet data in response to the packet data comprising an encrypted data.
  • the SP network device or component 202 can generate a replay attack notification, drop the encrypted data and update a replay attack counter.
  • the packet data can then be de-aggregated in response to the packet data comprising an A-MSDU.
  • the management packet can then be transmitted to a basic service set (BSS) management component that is configured to control a BSS ID of the community WiFi network and a station (STA) connection state.
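The receive chain above (GRE stripping, encrypted-vs-management classification, the "decrypted before" replay check with its counter, and A-MSDU detection) as an added example; this is not the patent's code. It assumes the pAP forwards raw 802.11 frames inside a GRE tunnel (RFC 2784/2890 header), that the vAP keeps a CCMP packet-number window per station and TID, and that the AES-CCMP decryption and MIC check themselves are done by a caller holding the PTK (not shown); the BSSID, station address and frames are constructed test data.

```python
"""Receive-chain triage for frames arriving at the vAP over the WPA2 pass-through.

Added example, not code from the patent. Assumes raw 802.11 frames inside GRE,
CCMP handled at the vAP, and decryption/MIC verification done by the caller.
All frames built here are constructed test data.
"""
import struct

GRE_C, GRE_K, GRE_S = 0x8000, 0x2000, 0x1000   # checksum / key / sequence present
LLC_SNAP_EAPOL = b"\xaa\xaa\x03\x00\x00\x00\x88\x8e"  # LLC/SNAP + EtherType 0x888E
BSSID = bytes.fromhex("02caffee0001")           # constructed community-WiFi BSSID


def strip_gre(packet: bytes) -> bytes:
    """Drop the GRE header, including whichever optional fields its flags announce."""
    flags = struct.unpack_from("!H", packet, 0)[0]
    offset = 4                            # flags/version + protocol type
    offset += 4 if flags & GRE_C else 0   # checksum + reserved1
    offset += 4 if flags & GRE_K else 0   # key
    offset += 4 if flags & GRE_S else 0   # sequence number
    return packet[offset:]


class ReplayState:
    """Last accepted CCMP packet number per (transmitter, TID), plus the replay counter."""
    def __init__(self):
        self.last_pn = {}
        self.replay_counter = 0


def triage(frame: bytes, state: ReplayState) -> dict:
    """Classify one 802.11 frame: management -> BSS management, EAPOL -> authenticator,
    protected data -> replay check then decrypt, anything else -> drop."""
    fc0, fc1 = frame[0], frame[1]
    ftype, subtype = (fc0 >> 2) & 0x3, fc0 >> 4
    sta = frame[10:16]                    # Address 2 = transmitting station
    if ftype == 0:                        # management (association, authentication, ...)
        return {"action": "bss_mgmt", "subtype": subtype, "sta": sta}
    if ftype != 2:
        return {"action": "drop", "reason": "control frame"}
    hdr_len, tid, amsdu = 24, 0, False
    if subtype & 0x8:                     # QoS data carries a 2-byte QoS Control field
        qos = struct.unpack_from("<H", frame, 24)[0]
        tid, amsdu, hdr_len = qos & 0x0F, bool(qos & 0x80), 26
    if not fc1 & 0x40:                    # Protected Frame bit clear
        if frame[hdr_len:hdr_len + 8] == LLC_SNAP_EAPOL:   # 4-way handshake traffic
            return {"action": "authenticator", "sta": sta, "eapol": frame[hdr_len + 8:]}
        return {"action": "drop", "reason": "unprotected non-EAPOL data"}
    c = frame[hdr_len:hdr_len + 8]        # CCMP header: PN0 PN1 rsvd KeyID|ExtIV PN2..PN5
    pn = c[0] | c[1] << 8 | c[4] << 16 | c[5] << 24 | c[6] << 32 | c[7] << 40
    last = state.last_pn.get((sta, tid), -1)
    if pn <= last:                        # PN must strictly increase: "decrypted before"
        state.replay_counter += 1
        return {"action": "drop_replay", "sta": sta, "pn": pn, "last_pn": last}
    return {"action": "decrypt", "sta": sta, "tid": tid, "pn": pn,
            "amsdu": amsdu, "ciphertext": frame[hdr_len + 8:]}


def commit(state: ReplayState, result: dict) -> None:
    """Advance the replay window only after the MIC verified, so a forged PN cannot move it."""
    state.last_pn[(result["sta"], result["tid"])] = result["pn"]


# --- constructed frame builders used for testing (not part of a real receiver) ---
def _header(fc: bytes, sta: bytes) -> bytes:
    # FC, Duration, Addr1=BSSID, Addr2=STA, Addr3=BSSID, Sequence Control
    return fc + b"\x00\x00" + BSSID + sta + BSSID + b"\x00\x00"


def build_protected_qos_data(sta, tid, pn, body, amsdu=False):
    qos = struct.pack("<H", tid | (0x80 if amsdu else 0))
    p = pn.to_bytes(6, "little")
    ccmp = bytes([p[0], p[1], 0x00, 0x20, p[2], p[3], p[4], p[5]])   # KeyID 0, ExtIV set
    return _header(b"\x88\x41", sta) + qos + ccmp + body   # QoS data, To-DS + Protected


def build_eapol(sta, eapol_body):
    return _header(b"\x88\x01", sta) + b"\x00\x00" + LLC_SNAP_EAPOL + eapol_body


def build_mgmt(sta, subtype):
    return _header(bytes([subtype << 4, 0x00]), sta)


def encapsulate_gre(frame, key=0x1234, seq=1):
    # GRE with Key and Sequence present; protocol type 0x0000 is a constructed placeholder
    return struct.pack("!HHII", GRE_K | GRE_S, 0x0000, key, seq) + frame
```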
  • Examples may include subject matter such as a method, means for performing acts or blocks of the method, at least one machine-readable medium including instructions that, when performed by a machine, cause the machine to perform acts of the method, or an apparatus or system for concurrent communication using multiple communication technologies according to embodiments and examples described herein.
  • Example 1 is an apparatus configured to be employed in a service provider (SP) network component of an SP network, comprising: one or more processors, coupled to a memory that includes instructions to execute operations of the one or more processors, configured to: instantiate a virtual access point (vAP) of the SP network associated with a physical access point (pAP) of a customer premise equipment (CPE) based on a community WiFi network to enable a WiFi protected access 2 (WPA2) pass-through; determine a partition configuration of a set of virtual network functions (VNFs) at the vAP from the pAP based on a communication parameter of a communication link to the CPE; and provide the WPA2 pass-through transparently through the pAP from the vAP based on the partition configuration; and a communication interface, coupled to the one or more processors, configured to receive or transmit communication transmissions.
  • Example 2 includes the subject matter of Example 1, wherein the one or more processors are further configured to: determine the partition configuration by selecting the partition configuration from among a plurality of different partition configurations that correspond to different sets of VNFs configured from the pAP of the CPE to the vAP of the SP network.
  • Example 3 includes the subject matter of any one of Examples 1-2, including or omitting any elements as optional, wherein the communication parameter comprises a link latency of the communication link to the CPE from the SP network.
  • Example 4 includes the subject matter of any one of Examples 1-3, including or omitting any elements as optional, wherein the one or more processors are further configured to: measure the communication parameter of the communication link by measuring a wide area network (WAN) link latency from the pAP of the CPE to the SP network based on a ping process.
  • Example 5 includes the subject matter of any one of Examples 1-4, including or omitting any elements as optional, wherein the one or more processors are further configured to: generate a communication query to the CPE; receive a response from the CPE; and determine the communication parameter comprising a WAN latency by measuring a time based on the communication query and the response from the CPE.
  • Example 6 includes the subject matter of any one of Examples 1-5, including or omitting any elements as optional, wherein the one or more processors are further configured to: determine, as the partition configuration, a first partition configuration from the set of VNFs in response to the communication parameter comprising a first link latency that is 100 ms or greater than 100 ms; determine, as the partition configuration, a second partition configuration from the set of VNFs in response to the communication parameter comprising a second link latency that is less than 100 ms and greater than 10 ms; and determine, as the partition configuration, a third partition configuration from the set of VNFs in response to the communication parameter comprising a third link latency that is 10 ms, or less than 10 ms.
  • Example 7 includes the subject matter of any one of Examples 1-6, including or omitting any elements as optional, wherein the first partition configuration comprises: a WiFi AP management component configured to operate one or more policy settings associated with the vAP; a RADIUS client configured to operate one or more
  • an authenticator component configured to authenticate a user equipment (UE) with the vAP through the pAP on the WPA2 pass-through based on the one or more authentication processes; and a basic service set (BSS) management component configured to operate a channel selection associated with a BSS identification (BSSID) of the community WiFi network for a client authentication and a key derivation.
  • Example 8 includes the subject matter of any one of Examples 1-7, including or omitting any elements as optional, wherein the second partition configuration comprises the first partition configuration and further comprises: a radio resource control (RRC) component configured to control per client functionalities that include at least one of: setting a data path, transmit parameters including transmit power, modulation coding schemes, a channel width, beamforming groups, or client received signal strength indicators, and control common client functionalities that include at least one of: a dynamic frequency selection, a channel load and coexistence, based on a real-time operation and a hard-real time operation; an internet protocol security (IPSEC) component configured to control internet protocol (IP) communications and an IP security of the IP communications; and a generic routing encapsulation (GRE) component configured to control GRE tunneling protocols for data packets; and wherein the third partition configuration comprises the first partition configuration, the second partition configuration, and operations related to the second partition configuration that are further associated with hard-real time data path functions.
  • Example 9 includes the subject matter of any one of Examples 1-8, including or omitting any elements as optional, wherein the one or more processors are further configured to: modify the partition configuration of the set of VNFs between the vAP and the pAP to a different partition configuration that includes a different number of VNFs in response to a change in a latency value from among a first plurality of latency values to a second plurality of latency values of the communication parameter.
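The latency-driven partitioning of Examples 5 through 9 (query/response WAN latency measurement, the 100 ms and 10 ms thresholds with their boundary cases, the VNF classes of each partition, and re-partitioning when the latency band changes) as an added example; this is not the patent's code. The VNF names, the use of the median over several query/response samples, and the migration-delta helper are this example's own assumptions.

```python
"""Latency-driven VNF partition selection for the vAP/pAP split (added example, not the patent's code).

Encodes the partition thresholds of Example 6 and the timing classes of Examples 7, 8 and 24;
VNF names, median-based measurement and the migration delta are assumptions of this example.
"""
from statistics import median

# VNFs grouped by the timing class the patent assigns to them; names are assumed.
NON_REAL_TIME = {"wifi_ap_management", "radius_client", "authenticator", "bss_management"}
REAL_TIME = {"rrc", "ipsec", "gre"}
HARD_REAL_TIME = {"hard_rt_data_path"}

# Partition 1 keeps only the non-real-time VNFs at the vAP; each further partition adds a class.
# In every partition the authenticator and BSS management sit at the vAP, so key derivation
# and decryption happen only on the SP side regardless of the link latency.
PARTITIONS = {
    1: NON_REAL_TIME,
    2: NON_REAL_TIME | REAL_TIME,
    3: NON_REAL_TIME | REAL_TIME | HARD_REAL_TIME,
}


def wan_latency_ms(samples):
    """Example 5: latency from (query_sent_ms, response_received_ms) pairs.

    The median of the round trips is used (an assumption) so one delayed reply
    does not flip the partition on its own.
    """
    rtts = [resp - sent for sent, resp in samples]
    if not rtts or any(r < 0 for r in rtts):
        raise ValueError("need at least one sample and responses after their queries")
    return median(rtts)


def select_partition(latency_ms):
    """Example 6: >= 100 ms -> first, (10, 100) ms -> second, <= 10 ms -> third."""
    if latency_ms >= 100:
        return 1
    if latency_ms > 10:
        return 2
    return 3


def migration_delta(old_partition, new_partition):
    """Example 9: which VNFs move pAP -> vAP (add) or vAP -> pAP (remove) on a change."""
    old = PARTITIONS[old_partition] if old_partition else set()
    new = PARTITIONS[new_partition]
    return {"move_to_vap": new - old, "move_to_pap": old - new}


class Orchestrator:
    """Tracks the current partition and re-partitions only when the latency band changes."""

    def __init__(self):
        self.partition = None

    def update(self, samples):
        latency = wan_latency_ms(samples)
        new = select_partition(latency)
        delta = None
        if new != self.partition:
            delta = migration_delta(self.partition, new)
            self.partition = new
        return {"latency_ms": latency, "partition": new, "delta": delta}
```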
  • Example 10 includes the subject matter of any one of Examples 1-9, including or omitting any elements as optional, wherein the one or more processors are further configured to: receive transparently via the WPA2 pass-through a set of unmodified traffic data from a user equipment (UE) and through the community WiFi network of the CPE to enable an authentication protocol or a decryption of the set of unmodified traffic data, only at the vAP.
  • Example 11 includes the subject matter of any one of Examples 1-10, including or omitting any elements as optional, wherein the one or more processors are further configured to: generate a plurality of WPA2 pass-through interfaces to connect a plurality of user equipments (UEs) to a plurality of vAPs of a virtual community WiFi network over the CPE, wherein the plurality of vAPs are associated with the pAP of the CPE apart from a residential network of the CPE, and comprise different layer 2 media access control (MAC) addresses.
  • Example 12 is a system to be employed in a service provider (SP) network, comprising: one or more processors configured to execute executable instructions stored in a memory that execute one or more executable components comprising: a virtual network function (VNF) orchestrator component configured to generate an instance of a partition configuration of a set of virtual network functions (VNFs) at a virtual Access Point (vAP) of the SP network from a physical access point (pAP) of a customer premise equipment (CPE) based on a communication parameter of a communication link to the CPE; and a WiFi protected access 2 (WPA2) pass-through component configured to transparently generate a WPA2 pass-through through the pAP from the vAP according to the partition and based on a community WiFi network configured at the CPE; and a communication interface, coupled to the one or more processors, configured to receive or transmit communication transmissions.
  • Example 13 includes the subject matter of Example 12, including or omitting any elements as optional, wherein the one or more executable components further comprise: a measuring component configured to determine the communication parameter of the communication link by measuring a wide area network (WAN) link latency from the pAP of the CPE to the SP network based on a pinging communication protocol.
  • Example 14 includes the subject matter of any one of Examples 12-13, including or omitting any elements as optional, wherein the measuring component is further configured to generate a communication to the CPE, receive a response from the CPE, and measure the WAN latency by measuring a time between the
  • Example 15 includes the subject matter of any one of Examples 12-14, including or omitting any elements as optional, wherein the VNF orchestrator component is further configured to select the partition configuration as a first partition configuration based on the communication parameter comprising a first value, wherein the first partition configuration includes a plurality of non-real time operations of the pAP associated with the community WiFi network at the CPE, and moving the plurality of non-real time operations from the pAP to the vAP of the SP network.
  • Example 16 includes the subject matter of any one of Examples 12-15, including or omitting any elements as optional, wherein the VNF orchestrator component is further configured to select the partition configuration as a second partition configuration based on the communication parameter comprising a second value, wherein the second partition configuration includes the plurality of non-real time operations and a plurality of real time operations of the pAP associated with the community WiFi network at the CPE, and moving the plurality of non-real time operations and the plurality of real-time operations from the pAP to the vAP of the SP network.
  • Example 17 includes the subject matter of any one of Examples 12-16, including or omitting any elements as optional, wherein the VNF orchestrator component is further configured to select the partition configuration as a third partition configuration based on the communication parameter comprising a third value, wherein the third partition configuration includes the plurality of non-real time operations, a plurality of real time operations, and a plurality of hard-real time operations of the pAP associated with the community WiFi network at the CPE, and moving the plurality of non-real time operations, the plurality of real-time operations, and the plurality of hard real time operations from the pAP to the vAP of the SP network.
  • Example 18 includes the subject matter of any one of Examples 12-17, including or omitting any elements as optional, wherein the VNF orchestrator component is further configured to determine the partition configuration, based on the communication parameter, from among the set of VNFs comprising non-real time operations, real time operations and hard real time operations, wherein the partition configuration comprises the non-real time operations including generating one or more policy settings associated with the vAP by a WiFi AP management component, generating an authentication process by a RADIUS client, authenticating a user equipment (UE) for connection to the WPA2 pass-through to the vAP, and generating a channel selection associated with a BSS identification (BSSID) of the community WiFi network for a client authentication and a key derivation.
  • Example 19 includes the subject matter of any one of Examples 12-18, including or omitting any elements as optional, wherein the real-time operations include: radio resource control (RRC) operations comprising per client functionalities including at least one of: setting a data path, transmit parameters including transmit power, modulation coding schemes, a channel width, beamforming groups, or client received signal strength indicators, and common client functionalities that include at least one of: a dynamic frequency selection, a channel load and coexistence, based on a real-time operation and a non-real time operation; internet protocol (IP) communications of an internet protocol security (IPSEC) tunnel; a GRE tunneling protocol for data packets; and wherein the third partition configuration comprises the first partition configuration, the second partition configuration, and operations related to the second partition configuration that are further associated with hard-real time data path functions.
  • Example 20 is a computer-readable storage medium storing executable instructions that, in response to execution, cause one or more processors of a service provider (SP) network component to perform operations comprising: determining a partition configuration of a set of virtual network functions (VNFs) to be configured at a virtual access point (vAP) of the SP network from a physical access point (pAP) of a customer premise equipment (CPE) based on a communication parameter of a communication link to the CPE; instantiating the vAP of the SP network based on a community WiFi network to enable a WiFi protected access 2 (WPA2) pass-through; and enabling the WPA2 pass-through transparently through the pAP from the vAP.
  • Example 21 includes the subject matter of Example 20, including or omitting any elements as optional, wherein the operations further comprise: modifying the partition configuration from the set of VNFs by removing operations associated with the pAP of the community WiFi network from the pAP to the vAP in response to a change in a latency value of the communication link.
  • Example 22 includes the subject matter of any one of Examples 20-21, including or omitting any elements as optional, wherein the operations further comprise: measuring the communication parameter of the communication link by measuring a wide area network (WAN) link latency from the pAP of the CPE to the SP network based on a ping query.
  • Example 23 includes the subject matter of any one of Examples 20-22, including or omitting any elements as optional, wherein the operations further comprise: configuring a first partition configuration from the set of VNFs when a link latency is 100 ms or greater; configuring a second partition configuration from the set of VNFs when the link latency is less than 100 ms and greater than 10 ms; and configuring a third partition configuration from the set of VNFs when the link latency is 10 ms, or less than 10 ms.
  • Example 24 includes the subject matter of any one of Examples 20-23, including or omitting any elements as optional, wherein the third partition configuration comprises a hard-real time VNF, the second partition configuration comprises a real-time VNF, and the first partition comprises a non-real time VNF.
  • Example 25 includes the subject matter of any one of Examples 20-24, including or omitting any elements as optional, wherein the operations further comprise: receiving transparently via the WPA2 pass-through a set of unmodified traffic data from a user equipment (UE) and through the community WiFi network of the CPE to enable an authentication protocol or a decryption of the set of unmodified traffic data, only at the vAP.
  • Example 26 is an apparatus of a service provider (SP) network component comprising: means for determining a partition configuration of a set of virtual network functions (VNFs) to be configured at a virtual access point (vAP) of the SP network from a physical access point (pAP) of a customer premise equipment (CPE) based on a communication parameter of a communication link to the CPE; means for instantiating the vAP of the SP network based on a community WiFi network to enable a WiFi protected access 2 (WPA2) pass-through; and means for enabling the WPA2 pass-through transparently through the pAP from the vAP.
  • Example 27 includes the subject matter of Example 26, including or omitting any elements as optional, further comprising: means for modifying the partition configuration from the set of VNFs by removing operations associated with the pAP of the community WiFi network from the pAP to the vAP in response to a change in a latency value of the communication link.
  • Example 28 includes the subject matter of any one of Examples 26-27, including or omitting any elements as optional, further comprising: means for measuring the communication parameter of the communication link by measuring a wide area network (WAN) link latency from the pAP of the CPE to the SP network based on a ping query.
  • Example 29 includes the subject matter of any one of Examples 26-28, including or omitting any elements as optional, further comprising: means for configuring a first partition configuration from the set of VNFs when a link latency is 100 ms or greater; means for configuring a second partition configuration from the set of VNFs when the link latency is less than 100 ms and greater than 10 ms; and means for configuring a third partition configuration from the set of VNFs when the link latency is 10 ms, or less than 10 ms.
  • Example 30 includes the subject matter of any one of Examples 26-29, including or omitting any elements as optional, wherein the third partition configuration comprises a hard-real time VNF, the second partition configuration comprises a real-time VNF, and the first partition comprises a non-real time VNF.
  • Example 31 includes the subject matter of any one of Examples 26-30, including or omitting any elements as optional, further comprising: means for receiving transparently via the WPA2 pass-through a set of unmodified traffic data from a user equipment (UE) and through the community WiFi network of the CPE to enable an authentication protocol or a decryption of the set of unmodified traffic data, only at the vAP.
  • Example 32 is an apparatus configured to be employed in a service provider (SP) network device, comprising: one or more processors, coupled to a memory that includes instructions to execute operations of the one or more processors, configured to: initiate a WiFi protected access 2 (WPA2) pass-through interface with a user equipment (UE); receive, via the WPA2 pass-through interface, a set of encrypted data from the UE, wherein the set of encrypted data is associated with a community WiFi network; and generate, via the WPA2 pass-through interface, an authentication protocol with the UE based on a virtual network function (VNF) of a physical access point (pAP) associated with the community WiFi network for a virtual access point (vAP) of an SP network of the SP network device.
  • Example 33 includes the subject matter of Example 32, including or omitting any elements as optional, wherein the one or more processors are further configured to: generate, via the WPA2 pass-through interface, the authentication protocol with the UE and the vAP by passing communications through a residential gateway node that comprises the pAP associated with the community WiFi network.
  • Example 34 includes the subject matter of any one of Examples 32-33, including or omitting any elements as optional, wherein the one or more processors are further configured to: receive, transmit, or receive and transmit data traffic that is unmodified through the WPA2 pass-through interface over the residential gateway node.
  • Example 35 includes the subject matter of any one of Examples 32-34, including or omitting any elements as optional, wherein the WPA2 pass-through interface with the UE is configured to enable communication of data traffic from the UE through a residential gateway node without authentication of the data traffic at the residential gateway node.
  • Example 36 includes the subject matter of any one of Examples 32-35, including or omitting any elements as optional, wherein the one or more processors are further configured to: in response to a successful authentication from the authentication protocol, receive, via the WPA2 pass-through interface, data traffic associated with only one basic service set (BSS) from among a plurality of BSSs with a layer 2 privacy through a residential gateway node, wherein the BSS is based on a BSS identification (BSSID) associated with the community WiFi network.
  • Example 37 includes the subject matter of any one of Examples 32-36, including or omitting any elements as optional, wherein the one or more processors are further configured to: enable, via the WPA2 pass-through interface, a key exchange as a part of the authentication protocol between the vAP of the SP network and the UE, and a decryption only at the vAP of the SP network device.
  • Example 38 includes the subject matter of any one of Examples 32-37, including or omitting any elements as optional, wherein the key exchange comprises an advanced encryption standard (AES) based on a cipher block chaining message authentication code protocol (AES-CCMP) encryption.
  • Example 39 includes the subject matter of any one of Examples 32-38, including or omitting any elements as optional, wherein the WPA2 pass-through interface is configured to enable an end-to-end interface between the UE and the vAP of the SP network, and wherein the vAP is configured to enable a virtual WPA2 community WiFi network as the SP network through a residential gateway node comprising the pAP and a range output coupled to a range extender configured to extend a range of the community WiFi network and further include one or more UEs without access to a residential network of the residential gateway node.
  • Example 40 includes the subject matter of any one of Examples 32-40, including or omitting any elements as optional, wherein the SP network device comprises a Home Subscriber Server (HSS) / a Mobility Management Entity (MME) / a Serving GateWay (SGW) / a Packet Data Network (PDN) GateWay (PGW) / a Policy and Charging Rules Function (PCRF) / a WiFi access point management (WAPM) / a Radius Client / an authenticator / a BSS management.
  • Example 41 includes the subject matter of any one of Examples 32-41 , including or omitting any elements as optional, wherein the one or more processors are further configured to: generate the WPA2 pass-through interface to connect the UE to the SP network at the vAP over the residential gateway node based on the
  • the SP network comprises an intranet of a remote access gateway node that is configured to be accessed by the UE with data traffic through the WPA2 pass-through interface that is separate from and transparent to residential data traffic of a residential network managed by the residential gateway node.
  • Example 42 includes the subject matter of any one of Examples 32-41 , including or omitting any elements as optional, wherein the one or more processors are further configured to: generate a plurality of WPA2 pass-through interfaces to connect a plurality of UEs to a plurality of vAPs of virtual community WiFi networks over the residential gateway node, wherein the plurality of vAPs are coupled to the pAP of the residential gateway node and comprise different layer 2 media access control (MAC) addresses.
  • Example 43 is an apparatus configured to be employed in a user equipment (UE) comprising: one or more processors, coupled to a memory that includes instructions to execute operations of the one or more processors, configured to: detect a community WiFi network over a residential gateway; initiate a WiFi protected access 2 (WPA2) pass-through via a physical access point (pAP) of the residential gateway by connecting with the community WiFi network associated with an SP network at a virtual access point (vAP); and communicate transparently via the WPA2 pass-through a set of encrypted data to enable an authentication protocol at the vAP through the residential gateway unmodified and enable a decryption at the vAP.
  • Example 44 includes the subject matter of Example 43, including or omitting any elements as optional, wherein the UE comprises a first encryption key associated with a residential gateway AP of a residential network managed by the residential gateway, wherein the first encryption key is separate and different from a second encryption key of the set of encrypted data associated with the community WiFi network.
  • Example 45 includes the subject matter of any one of Examples 43-44, including or omitting any elements as optional, wherein the one or more processors are further configured to: in response to a successful authentication from the authentication protocol, transmit, via the WPA2 pass-through, data traffic that is associated with a basic service set (BSS) having a layer 2 privacy through the residential gateway node, wherein the BSS is based on a BSS identification (BSSID) of the community WiFi network.
  • Example 46 includes the subject matter of any one of Examples 43-45, including or omitting any elements as optional, wherein the one or more processors are further configured to: enable, via the WPA2 pass-through, a key exchange as a part of the authentication protocol between the vAP of the SP network and the UE, wherein the WPA2 pass-through is configured to extend from a communication component of the UE, through the pAP of the residential gateway and to the vAP of the SP network to enable an end-to-end secure traffic data flow there-between.
  • Example 47 includes the subject matter of any one of Examples 43-46, including or omitting any elements as optional, wherein the SP network comprises an intranet of a remote access gateway node that is configured to be accessed by the UE with data traffic through the WPA2 pass-through that is separated from and transparent to residential data traffic of a residential network managed by the residential gateway node.
  • Example 48 is a computer-readable storage medium storing executable instructions that, in response to execution, cause one or more processors of a service provider (SP) network device to perform operations comprising: initiating a WiFi protected access 2 (WPA2) pass-through via a customer premise equipment (CPE) to a user equipment (UE); and receiving, via the WPA2 pass-through, a set of traffic data from the UE, wherein the set of traffic data is unmodified by the CPE and associated with a community WiFi network of the CPE.
  • Example 49 includes the subject matter of Example 48, including or omitting any elements as optional, wherein the operations further comprise: generating, via the WPA2 pass-through, an authentication protocol with one or more encrypted data of the set of traffic data with the UE based on a virtual network function (VNF) of a physical access point (pAP) of the community WiFi network for a virtual access point (vAP) of an SP network of the SP network device.
  • Example 50 includes the subject matter of any one of Examples 48-49, including or omitting any elements as optional, wherein the operations further comprise: receiving, via the WPA2 pass-through, data only associated with a basic service set (BSS) of a plurality of different BSSs with Layer 2 privacy configured at the CPE, wherein the BSS is based on a BSS identification (BSSID) of a pAP for the community WiFi network.
  • Example 51 includes the subject matter of any one of Examples 48-50, including or omitting any elements as optional, wherein the operations further comprise: enabling, via the WPA2 pass-through, a key exchange between a vAP of an SP network and the UE, and a decryption of the key exchange only at the vAP of the SP network device.
  • Example 52 includes the subject matter of any one of Examples 48-51, including or omitting any elements as optional, wherein the SP network comprises an intranet of a remote access gateway node that is configured to be accessed by the UE with data traffic through the WPA2 pass-through that is separate from and transparent to residential data traffic of a residential network managed by the CPE.
  • Example 53 includes the subject matter of any one of Examples 48-52, including or omitting any elements as optional, wherein the SP network device comprises at least one of a WiFi access point management (WAPM) / a Radius Client / an authenticator / a BSS management.
  • Example 54 is a computer-readable storage medium storing executable instructions that, in response to execution, cause one or more processors of a user equipment (UE) network device to perform operations comprising: detecting a community WiFi network over a residential gateway; initiating a WiFi protected access 2 (WPA2) pass-through via a physical access point (pAP) of the residential gateway by connecting with the community WiFi network associated with an SP network at a virtual access point (vAP); and communicating transparently via the WPA2 pass-through a set of encrypted data to enable an authentication protocol at the vAP through the residential gateway unmodified and enable a decryption at the vAP.
  • Example 55 includes the subject matter of Example 54, including or omitting any elements as optional, wherein the operations further comprise: communicating or generating a first encryption key associated with a residential gateway AP of a residential network managed by the residential gateway, wherein the first encryption key is separate and different from a second encryption key of the set of encrypted data associated with the community WiFi network.
  • Example 56 includes the subject matter of any one of Examples 54-55, including or omitting any elements as optional, wherein the operations further comprise: in response to a successful authentication from the authentication protocol, transmitting, via the WPA2 pass-through, data traffic that is associated with a basic service set (BSS) having a layer 2 privacy through the residential gateway node, wherein the BSS is based on a BSS identification (BSSID) of the community WiFi network.
  • Example 57 includes the subject matter of any one of Examples 54-56, including or omitting any elements as optional, wherein the operations further comprise: enabling, via the WPA2 pass-through, a key exchange as a part of the authentication protocol between the vAP of the SP network and the UE, wherein the WPA2 pass-through is configured to extend from a communication component of the UE, through the pAP of the residential gateway and to the vAP of the SP network to enable an end-to-end secure traffic data flow there-between.
  • Example 58 includes the subject matter of any one of Examples 54-57, including or omitting any elements as optional, wherein the SP network comprises an intranet of a remote access gateway node that is configured to be accessed by the UE with data traffic through the WPA2 pass-through that is separated from and transparent to residential data traffic of a residential network managed by the residential gateway node.
  • Example 59 is an apparatus of a service provider (SP) network device comprising: means for initiating a WiFi protected access 2 (WPA2) pass-through via a customer premise equipment (CPE) to a user equipment (UE); and means for receiving, via the WPA2 pass-through, a set of traffic data from the UE, wherein the set of traffic data is unmodified by the CPE and associated with a community WiFi network of the CPE.
  • Example 60 includes the subject matter of Example 59, including or omitting any elements as optional, further comprising: means for generating, via the WPA2 pass-through, an authentication protocol with one or more encrypted data of the set of traffic data with the UE based on a virtual network function (VNF) of a physical access point (pAP) of the community WiFi network for a virtual access point (vAP) of an SP network of the SP network device.
  • Example 61 includes the subject matter of any one of Examples 59-60, including or omitting any elements as optional, further comprising: means for receiving, via the WPA2 pass-through, data only associated with a basic service set (BSS) of a plurality of different BSSs with Layer 2 privacy configured at the CPE, wherein the BSS is based on a BSS identification (BSSID) of a pAP for the community WiFi network.
  • Example 62 includes the subject matter of any one of Examples 59-61, including or omitting any elements as optional, further comprising: means for enabling, via the WPA2 pass-through, a key exchange between a vAP of an SP network and the UE, and a decryption of the key exchange only at the vAP of the SP network device.
  • Example 63 includes the subject matter of any one of Examples 59-62, including or omitting any elements as optional, wherein the SP network comprises an intranet of a remote access gateway node that is configured to be accessed by the UE with data traffic through the WPA2 pass-through that is separate from and transparent to residential data traffic of a residential network managed by the CPE.
  • Example 64 includes the subject matter of any one of Examples 59-63, including or omitting any elements as optional, wherein the SP network device comprises at least one of a WiFi access point management (WAPM) / a Radius Client / an authenticator / a BSS management.
  • Example 65 is an apparatus of a user equipment (UE) network device comprising: means for detecting a community WiFi network over a residential gateway; means for initiating a WiFi protected access 2 (WPA2) pass-through via a physical access point (pAP) of the residential gateway by connecting with the community WiFi network associated with an SP network at a virtual access point (vAP); and means for communicating transparently via the WPA2 pass-through a set of encrypted data to enable an authentication protocol at the vAP through the residential gateway unmodified and enable a decryption at the vAP.
  • Example 66 includes the subject matter of Example 65, including or omitting any elements as optional, further comprising: means for communicating or generating a first encryption key associated with a residential gateway AP of a residential network managed by the residential gateway, wherein the first encryption key is separate and different from a second encryption key of the set of encrypted data associated with the community WiFi network.
  • Example 67 includes the subject matter of any one of Examples 65-66, including or omitting any elements as optional, further comprising: means for
  • Example 68 includes the subject matter of any one of Examples 65-67, including or omitting any elements as optional, further comprising: means for enabling, via the WPA2 pass-through, a key exchange as a part of the authentication protocol between the vAP of the SP network and the UE, wherein the WPA2 pass-through is configured to extend from a communication component of the UE, through the pAP of the residential gateway and to the vAP of the SP network to enable an end-to-end secure traffic data flow there-between.
  • Example 69 includes the subject matter of any one of Examples 65-68, including or omitting any elements as optional, wherein the SP network comprises an intranet of a remote access gateway node that is configured to be accessed by the UE with data traffic through the WPA2 pass-through that is separated from and transparent to residential data traffic of a residential network managed by the residential gateway node.
  • Example 70 is an apparatus configured to be employed in a service provider (SP) network device, comprising: one or more processors, coupled to a memory that includes instructions to execute operations of the one or more processors, configured to: initiate a WiFi protected access 2 (WPA2) pass-through interface with a user equipment (UE); receive, via the WPA2 pass-through interface, a set of encrypted data from the UE, wherein the set of encrypted data is associated with a community WiFi network; and generate, via the WPA2 pass-through interface, an authentication protocol with the UE based on a virtual network function (VNF) of a physical access point (pAP) associated with the community WiFi network for a virtual access point (vAP) of an SP network of the SP network device; and a communication interface, coupled to the one or more processors, configured to receive or transmit communication transmissions.
  • Example 71 is an apparatus configured to be employed in a user equipment (UE) comprising: one or more processors, coupled to a memory that includes instructions to execute operations of the one or more processors, configured to: detect a community WiFi network over a residential gateway; initiate a WiFi protected access 2 (WPA2) pass-through via a physical access point (pAP) of the residential gateway by connecting with the community WiFi network associated with an SP network at a virtual access point (vAP); and communicate transparently via the WPA2 pass-through a set of encrypted data to enable an authentication protocol at the vAP through the residential gateway unmodified and enable a decryption at the vAP; a radio frequency (RF) interface, coupled to the one or more processors, configured to receive or transmit communication transmissions.
  • Example 72 is an apparatus configured to be employed in a service provider (SP) network component of an SP network, comprising: a WiFi protected access 2 (WPA2) pass-through interface configured to receive or transmit packet data through a customer premise equipment (CPE) with a user equipment (UE) based on a virtual network function (VNF) of a physical access point (pAP) at a virtual access point (vAP), wherein the pAP is associated with a community WiFi network of a virtual access point (vAP) for the SP network; and one or more processors configured to: receive, via the WPA2 pass-through interface, the packet data associated with the community WiFi network; process the packet data from the pAP along a receive chain for transmission to a wide area network (WAN); and receive and process WAN data for transmission to the pAP via the WPA2 pass-through interface.
  • Example 73 includes the subject matter of Example 72, wherein the one or more processors are further configured to: strip a GRE header from the packet data received from the UE; determine whether the packet data comprises an encrypted data; determine whether a similar encrypted data as the encrypted data has been decrypted before; determine whether the packet data comprises an aggregate media access control (MAC) service data unit (A-MSDU); and determine whether the packet data comprises a data packet or a management packet requesting access to the community WiFi network.
  • Example 74 includes the subject matter of any one of Examples 72-73, including or omitting any elements as optional, wherein the one or more processors are further configured to: decrypt the packet data in response to the packet data comprising an encrypted data; in response to the encrypted data being similar to a similar encrypted data decrypted before the encrypted data, generate a replay attack notification, drop the encrypted data and update a replay attack counter; de-aggregate the packet data in response to the packet data comprising an A-MSDU; in response to the packet data comprising a management packet, transmit the management packet to a basic service set (BSS) management component that is configured to control a BSS ID of the community WiFi network and a station (STA) connection state; and in response to the packet data comprising a data packet, convert the data packet from an 802.11 format to an 802.3 format and add a generic routing encapsulation (GRE) header for transmission to the community WiFi network and the WAN.
  • Example 75 includes the subject matter of any one of Examples 72-74, including or omitting any elements as optional, further comprising: a station (STA) context database configured to update the STA connection state with the UE, one or more keys for encryption / decryption, and the counter associated with the replay attack.
  • Example 76 includes the subject matter of any one of Examples 72-75, including or omitting any elements as optional, wherein the one or more processors are further configured to receive the packet data associated with the community WiFi network as UE data that is unmodified through the WPA2 pass-through interface over the CPE to the SP network.
  • Example 77 includes the subject matter of any one of Examples 72-76, including or omitting any elements as optional, wherein the one or more processors are further configured to: strip a GRE header from the packet data received from the SP network; encrypt the packet data utilizing a WPA2 key from a STA context database; add a GRE header to the packet data; and transmit the packet data as Internet Protocol (IP) packet data to the CPE.
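The pAP-side forwarding of Example 88 and the vAP receive chain of Examples 73-77, as an added Python simulation that is not part of the patent. The wire formats (GRE header, pAP metadata, frame header), the SHA-256 keystream standing in for CCMP, the reading of "similar encrypted data decrypted before" as a non-fresh packet number, and all sample addresses and keys are assumptions made for this example.

```python
import hashlib
import struct
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed wire formats chosen for this example (the patent fixes none of them):
# GRE header = flags(2) + protocol(2); pAP metadata = rssi(1, dBm) + snr(1, dB);
# 802.11-style frame header = type, protected, amsdu, PN, bssid, src, dst.
GRE_FMT, META_FMT, FRAME_FMT = "!HH", "!bB", "!BBBQ6s6s6s"
GRE_PROTO_80211 = 0x0001      # placeholder protocol value for an encapsulated 802.11 frame
GRE_PROTO_8023 = 0x6558       # real GRE protocol value for transparent Ethernet bridging
FRAME_TYPE_DATA, FRAME_TYPE_MGMT = 0, 1

@dataclass
class StaContext:
    """STA context database entry at the vAP (Example 75)."""
    ptk: bytes                # pairwise key: held only by the vAP, never by the CPE
    last_pn: int = -1         # highest packet number already decrypted for this STA
    replay_count: int = 0     # replay attack counter

def keystream(key: bytes, pn: int, length: int) -> bytes:
    """Stand-in for CCMP (AES-CCM is not in the stdlib): SHA-256 counter stream keyed by PTK and PN."""
    out, ctr = b"", 0
    while len(out) < length:
        out += hashlib.sha256(key + pn.to_bytes(8, "big") + ctr.to_bytes(4, "big")).digest()
        ctr += 1
    return out[:length]

def xor(data: bytes, ks: bytes) -> bytes:
    return bytes(a ^ b for a, b in zip(data, ks))

def aggregate(subframes: List[bytes]) -> bytes:
    """A-MSDU body: each subframe length-prefixed (simplified from the 802.11 subframe header)."""
    return b"".join(struct.pack("!H", len(s)) + s for s in subframes)

def deaggregate(body: bytes) -> List[bytes]:
    out, off = [], 0
    while off < len(body):
        (n,) = struct.unpack_from("!H", body, off)
        out.append(body[off + 2:off + 2 + n])
        off += 2 + n
    return out

def ue_build_frame(ftype: int, protected: int, amsdu: int, pn: int, bssid: bytes, src: bytes,
                   dst: bytes, payload: bytes, ptk: Optional[bytes] = None) -> bytes:
    """UE side: encrypt the body under the PTK when protected; PN is the CCMP-style replay counter."""
    body = xor(payload, keystream(ptk, pn, len(payload))) if protected else payload
    return struct.pack(FRAME_FMT, ftype, protected, amsdu, pn, bssid, src, dst) + body

def cpe_pass_through(frame: bytes, community_bssid: bytes, rssi: int, snr: int) -> Optional[bytes]:
    """pAP side (Example 88): forward only community-BSS frames, add metadata and a GRE header,
    and never touch the still-encrypted body."""
    bssid = struct.unpack_from(FRAME_FMT, frame)[4]
    if bssid != community_bssid:
        return None           # residential traffic is not passed to the SP network
    return struct.pack(GRE_FMT, 0, GRE_PROTO_80211) + struct.pack(META_FMT, rssi, snr) + frame

def vap_receive(packet: bytes, db: Dict[bytes, StaContext]) -> dict:
    """vAP receive chain (Examples 73-74): strip GRE, replay check, decrypt, de-aggregate, dispatch."""
    _flags, proto = struct.unpack_from(GRE_FMT, packet)
    if proto != GRE_PROTO_80211:
        return {"action": "drop", "reason": "unexpected GRE protocol"}
    off = struct.calcsize(GRE_FMT)
    rssi, snr = struct.unpack_from(META_FMT, packet, off)
    off += struct.calcsize(META_FMT)
    ftype, protected, amsdu, pn, _bssid, src, dst = struct.unpack_from(FRAME_FMT, packet, off)
    body = packet[off + struct.calcsize(FRAME_FMT):]
    sta = db.get(src)
    if protected:
        if sta is None:
            return {"action": "drop", "reason": "no STA context"}
        if pn <= sta.last_pn:  # PN not fresh: this ciphertext was already decrypted once, so a replay
            sta.replay_count += 1
            return {"action": "drop", "reason": "replay", "replay_count": sta.replay_count}
        body = xor(body, keystream(sta.ptk, pn, len(body)))
        sta.last_pn = pn
    if ftype == FRAME_TYPE_MGMT:  # management frames go to BSS management, not to the WAN
        return {"action": "bss_mgmt", "sta": src, "body": body}
    subframes = deaggregate(body) if amsdu else [body]
    # 802.11 -> 802.3: dst, src, then the subframe (ethertype + data); GRE re-added for the WAN side
    frames = [struct.pack(GRE_FMT, 0, GRE_PROTO_8023) + dst + src + sf for sf in subframes]
    return {"action": "to_wan", "frames": frames, "rssi": rssi, "snr": snr}

def demo():
    """Constructed scenario: one encrypted A-MSDU data frame, its replay, and a residential frame."""
    ptk, bssid_c, bssid_r = b"\x11" * 16, b"\xaa" * 6, b"\xbb" * 6
    ue, gw = b"\x02\x00\x00\x00\x00\x01", b"\x02\x00\x00\x00\x00\x02"
    db = {ue: StaContext(ptk=ptk)}
    body = aggregate([b"\x08\x00hello", b"\x08\x06arp"])
    frame = ue_build_frame(FRAME_TYPE_DATA, 1, 1, 5, bssid_c, ue, gw, body, ptk)
    packet = cpe_pass_through(frame, bssid_c, -55, 30)
    first = vap_receive(packet, db)   # decrypted and de-aggregated at the vAP only
    replay = vap_receive(packet, db)  # same ciphertext again: dropped, counter incremented
    home = ue_build_frame(FRAME_TYPE_DATA, 0, 0, 0, bssid_r, ue, gw, b"\x08\x00home")
    return first, replay, cpe_pass_through(home, bssid_c, -50, 25), db[ue]
```

The CPE function never needs the PTK, which is the point of the pass-through: the plaintext first exists again only inside `vap_receive`.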
  • Example 78 includes the subject matter of any one of Examples 72-77, including or omitting any elements as optional, wherein the one or more processors are further configured to: configure the vAP with a configuration file to provide at least one of: a set of BSS parameters, a RADIUS client server IP name, wireless access gateway (WAG) name, or an IP address; and configure at least one of the pAP or a range extender coupled to the pAP with one or more CPE credentials to establish a secured link with the community WiFi network for communications with the vAP, a Service Provider SSID, and a virtual WPA2 (vWPA2) Data VNF domain name.
  • Example 79 includes the subject matter of any one of Examples 72-78, including or omitting any elements as optional, wherein the one or more processors are further configured to control one or more BSS parameters with the CPE by: communicating a beacon template to establish the beacon template to a wireless local access network (WLAN) AP driver of the CPE for transmission to the UE; initiating a probe response template by communicating the probe response template to establish the probe response template to the WLAN AP driver; commanding a BSS of the community WiFi network to activate; and in response to a change in a buffer traffic at the pAP or the BSS parameter, updating the beacon template and communicating a traffic indication map to the pAP of the CPE.
  • Example 80 includes the subject matter of any one of Examples 72-79, including or omitting any elements as optional, wherein the one or more processors are further configured to enable a UE client connection establishment by: in response to receiving a client authentication request in a management packet data unit (MMPDU) of the packet data, create a STA context and update a client state of the STA context to Class 2; communicate a command to set the Class 2 for a client MAC address to the pAP and a WLAN driver; communicate an authentication response as the MMPDU for client authentication 2 to the UE via the pAP with the WLAN driver; and in response to receiving an association request, establish the client state of the STA context to Class 3 to enable a data packet and a management packet to be processed, change the client state to associated, assign an association identity (AID), and communicate a packet association response for an association of the UE.
  • Example 81 includes the subject matter of any one of Examples 72-80, including or omitting any elements as optional, wherein the one or more processors are further configured to: generate, via the WPA2 pass-through interface, the authentication protocol with the UE and the vAP by updating a client credential with an authentication server and communicating master station key (MSK) data through the CPE comprising the pAP associated with the community WiFi network to enable derivation of an MSK by the UE; enable an encryption key for an encryption of at least one of: a data packet or a management packet of the packet data via a four-way handshake protocol; derive encryption keys for a WPA2 encryption of unicast frames / packets based on a client pairwise transient key (PTK), and for communication from the pAP to the UE with broadcast messages based on a group temporal key (GTK); and configure a station (STA) context database with the encryption keys associated with unicast traffic and broadcast traffic, and command the vAP to open a
  • Example 82 includes the subject matter of any one of Examples 72-81, including or omitting any elements as optional, wherein the one or more processors are further configured to: receive a management packet of the packet data comprising a dissociate packet; decrypt the dissociate packet; alter a client state to Class 1 to prevent accepting further packet data other than an authentication request; release a client AID while retaining a STA context related to the UE; and remove encryption / decryption keys related to the UE.
  • Example 83 includes the subject matter of any one of Examples 72-82, including or omitting any elements as optional, wherein the one or more processors are further configured to: generate a determination of whether to dissociate the UE from the SP network; and based on the determination, generate a dissociate message to the UE.
  • Example 84 includes the subject matter of any one of Examples 72-83, including or omitting any elements as optional, wherein the one or more processors are further configured to: in response to a failed link between the pAP and the vAP of the SP network, receive a stop command to stop communications including a beacon with the UE associated with the community WiFi network; and in response to a successful link following the failed link, receive a connection recovery message at the vAP and initialize a WLAN AP driver of the CPE for transmission to the UE via the WPA2 pass-through interface.
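The client state handling of Examples 80-84 (Class 1/2/3 transitions, AID assignment, key installation after the four-way handshake, disassociation, link failure), as an added Python model that is not part of the patent. The PTK derivation is the standard IEEE 802.11 PRF-384; the `VapBssManager` class, its recorded command log, the gating of data frames on a controlled port, and all sample addresses, nonces and keys are assumptions made for this example.

```python
import hashlib
import hmac
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

CLASS1, CLASS2, CLASS3 = 1, 2, 3  # 802.11 client states: unauthenticated, authenticated, associated

@dataclass
class StaContext:
    """STA context database entry (Example 75); kept after disassociation with AID and keys removed."""
    mac: bytes
    state_class: int = CLASS1
    aid: Optional[int] = None
    ptk: Optional[bytes] = None
    gtk: Optional[bytes] = None
    port_open: bool = False  # controlled port (assumption), opened only after keys are installed

def prf_384(pmk: bytes, aa: bytes, spa: bytes, anonce: bytes, snonce: bytes) -> bytes:
    """IEEE 802.11 PRF-384 pairwise key expansion: returns KCK | KEK | TK, 16 bytes each."""
    data = min(aa, spa) + max(aa, spa) + min(anonce, snonce) + max(anonce, snonce)
    out = b"".join(hmac.new(pmk, b"Pairwise key expansion\x00" + data + bytes([i]), hashlib.sha1).digest()
                   for i in range(3))  # three 20-byte blocks cover the 48 bytes needed
    return out[:48]

class VapBssManager:
    """BSS management for one community BSS at the vAP (Examples 80-84, constructed model);
    commands the vAP would send to the pAP / WLAN driver are recorded in `commands` instead."""

    def __init__(self, bssid: bytes, gtk: bytes, max_aid: int = 2007):
        self.bssid, self.gtk = bssid, gtk
        self.db: Dict[bytes, StaContext] = {}  # STA context database
        self.free_aids = list(range(1, max_aid + 1))
        self.commands: List[tuple] = []

    def on_auth_request(self, mac: bytes) -> tuple:
        sta = self.db.setdefault(mac, StaContext(mac))  # context created on the first auth request
        sta.state_class = CLASS2
        self.commands.append(("set_class", mac, CLASS2))
        return ("auth_response", mac)

    def on_assoc_request(self, mac: bytes) -> tuple:
        sta = self.db.get(mac)
        if sta is None or sta.state_class < CLASS2:
            return ("deauth", mac)  # a Class 1 STA may only authenticate
        sta.state_class, sta.aid = CLASS3, self.free_aids.pop(0)
        self.commands.append(("set_class", mac, CLASS3))
        return ("assoc_response", mac, sta.aid)

    def on_handshake_complete(self, mac: bytes, pmk: bytes, anonce: bytes, snonce: bytes) -> tuple:
        """Four-way handshake outcome (Example 81): PTK from PMK and nonces, GTK for broadcast."""
        sta = self.db.get(mac)
        if sta is None or sta.state_class != CLASS3:
            return ("drop", mac)
        sta.ptk = prf_384(pmk, self.bssid, mac, anonce, snonce)
        sta.gtk, sta.port_open = self.gtk, True
        self.commands.append(("open_port", mac))
        return ("keys_installed", mac)

    def accepts_data(self, mac: bytes) -> bool:
        sta = self.db.get(mac)
        return sta is not None and sta.state_class == CLASS3 and sta.port_open

    def on_disassociate(self, mac: bytes) -> tuple:
        """Example 82: back to Class 1, AID released, keys removed, context retained."""
        sta = self.db.get(mac)
        if sta is None:
            return ("drop", mac)
        if sta.aid is not None:
            self.free_aids.append(sta.aid)
        sta.state_class, sta.aid, sta.ptk, sta.gtk, sta.port_open = CLASS1, None, None, None, False
        self.commands.append(("set_class", mac, CLASS1))
        return ("disassociated", mac)

    def on_link_failed(self) -> None:
        """Example 84: pAP-vAP link lost: stop beaconing and reset every client to Class 1."""
        self.commands.append(("stop_beacon", self.bssid))
        for mac in list(self.db):
            self.on_disassociate(mac)

    def on_link_recovered(self) -> None:
        self.commands.append(("init_wlan_driver", self.bssid))

def demo() -> Tuple[VapBssManager, List[bool]]:
    """Constructed walk-through: auth, assoc, handshake, then disassociate."""
    bss = VapBssManager(bssid=b"\xaa" * 6, gtk=b"\x22" * 16)
    ue, pmk = b"\x02\x00\x00\x00\x00\x01", b"\x33" * 32
    steps = [bss.on_assoc_request(ue) == ("deauth", ue)]  # association before authentication fails
    bss.on_auth_request(ue)
    steps.append(bss.on_assoc_request(ue) == ("assoc_response", ue, 1))
    steps.append(not bss.accepts_data(ue))  # associated, but no keys installed yet
    bss.on_handshake_complete(ue, pmk, b"\x01" * 32, b"\x02" * 32)
    steps.append(bss.accepts_data(ue))
    bss.on_disassociate(ue)
    steps.append(ue in bss.db and bss.db[ue].ptk is None and not bss.accepts_data(ue))
    return bss, steps
```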
  • Example 85 includes the subject matter of any one of Examples 72-84, including or omitting any elements as optional, further comprising: a VNF orchestrator component configured to generate an instance of a partition configuration of a set of VNFs at the vAP of the SP network from the pAP of the CPE; and a WPA2 pass-through component configured to transparently generate the WPA2 pass-through through the pAP from the vAP according to the partition configuration associated with the community WiFi network configured at the CPE; wherein the VNF orchestrator component is further configured to select the partition configuration as a second partition configuration from a plurality of partition configurations including a plurality of non-real time operations and real time operations of the pAP associated with the community WiFi network at the CPE.
  • Example 86 is an apparatus configured to be employed in a customer premise equipment (CPE), comprising: a physical access point (pAP) comprising one or more processors configured to enable a community WiFi network for a user equipment (UE) by passing along a packet via a WiFi protected access 2 (WPA2) pass-through interface, without generating security operations to the packet, from the UE to a virtual access point (vAP) of a security provider (SP) network; a communication interface, coupled to the one or more processors, configured to: transmit a beacon of the community WiFi network to the UE; receive the packet associated with the community WiFi network from the UE; and pass along the packet from the UE to the SP network via the WPA2 pass-through interface without a decryption / encryption process being performed to the packet.
  • Example 87 includes the subject matter of Example 86, including or omitting any elements as optional, further comprising: a range extender configured to connect the UE to the CPE with an end-to-end connection based on at least one of: the community WiFi network or a home network.
  • Example 88 includes the subject matter of any one of Examples 86-87, including or omitting any elements as optional, wherein the one or more processors are further configured to: determine whether the packet belongs to the community WiFi network based on a basic service set (BSS) identity (ID) and a class category of the packet, wherein the community WiFi network is configured as a virtual network; in response to the packet belonging to the community WiFi network and a class category of the packet comprising a Class 1, 2 or 3, add one or more metadata comprising at least one of: a received signal strength, a signal to noise ratio, or a physical (PHY) layer header; and add a generic routing encapsulation (GRE) header to the packet.
  • Example 89 includes the subject matter of any one of Examples 86-88, including or omitting any elements as optional, wherein the one or more processors are further configured to: receive another packet from the SP network via the WPA2 pass-through interface; in response to the another packet belonging to the community WiFi network, remove a GRE header of the another packet; schedule the another packet for transmission to the UE by providing the another packet in a WiFi transmit queue; and transmit the another packet to the UE without the decryption / encryption process being performed to the another packet.
  • Example 90 includes the subject matter of any one of Examples 86-89, including or omitting any elements as optional, wherein the one or more processors are further configured to: receive a beacon template to establish the beacon template to a wireless local access network (WLAN) AP driver of the CPE for transmission of the beacon of the community WiFi network to the UE; receive a probe response template to establish the probe response template to the WLAN AP driver for an inquiry related to the community WiFi network by the UE; activate a BSS with a BSS ID of the community WiFi network in response to receiving a BSS command from the SP network; and update the beacon template in response to receiving a traffic indication map at the pAP.
  • Example 91 includes the subject matter of any one of Examples 86-90, including or omitting any elements as optional, wherein the one or more processors are further configured to: transmit a client authentication request with a management packet data unit (MMPDU) as the packet, in response to the packet comprising a client state that is Class 1; receive a command to set the client state to Class 2 with a client MAC address at the pAP and a WLAN driver; receive an authentication response as the MMPDU and transmit the MMPDU for a client authentication 2 to the UE via the pAP and the WLAN driver; and receive another command to set the client state to Class 3 to enable a data packet and a management packet to be communicated to the SP network, change the client state to associated, assign an association identity (AID), and communicate a packet association response for an association of the UE to the SP network via the WPA2 pass-through interface.
  • Example 92 includes the subject matter of any one of Examples 86-90, including or omitting any elements as optional, wherein the one or more processors are further configured to: receive a management packet comprising a dissociate packet; forward the dissociate packet via the WPA2 pass-through interface; in response to detecting a failed link between the pAP and the vAP of the SP network, operate the pAP in autonomous mode, receive a stop command to stop communications that include a beacon associated with the community WiFi network, clean a queue and set the client state as Class 1 to prevent accepting a further packet other than an authentication request; and in response to detecting a successful link following the failed link, transmit a connection recovery message to the vAP and initialize a WLAN AP driver of the CPE for transmission via the WPA2 pass-through interface.
  • Example 93 is a computer-readable storage medium storing executable instructions that, in response to execution, cause one or more processors of a service provider (SP) network component to perform operations comprising: receiving, via a WiFi protected access 2 (WPA2) pass-through, a set of traffic data from a physical access point (pAP) of customer premise equipment (CPE) connected to a user equipment (UE), wherein the set of traffic data is unmodified by the CPE and associated with a community WiFi network of the CPE; processing the packet data from the pAP along a receive chain for transmission to a wide area network (WAN); and receiving and processing WAN data for transmission to the pAP via the WPA2 pass-through interface.
  • Example 94 includes the subject matter of Example 93, wherein the operations further comprise at least one of: stripping a GRE header from the packet data received from the UE; determining whether the packet data comprises an encrypted data; determining whether a similar encrypted data as the encrypted data has been decrypted before; determining whether the packet data comprises an aggregate media access control (MAC) service data unit (A-MSDU); or determining whether the packet data comprises a data packet or a management packet requesting access to the community WiFi network.
  • Example 95 includes the subject matter of any one of Examples 93-94, including or omitting any elements as optional, wherein the operations further comprise at least one of: decrypting the packet data in response to the packet data comprising an encrypted data; in response to the encrypted data being similar to a similar encrypted data decrypted before the encrypted data, generating a replay attack notification, dropping the encrypted data and updating a replay attack counter; de-aggregating the packet data in response to the packet data comprising an A-MSDU; in response to the packet data comprising a management packet, transmitting the management packet to a basic service set (BSS) management component that is configured to control a BSS ID of the community WiFi network and a station (STA) connection state; or in response to the packet data comprising a data packet, converting the data packet from an 802.11 format to an 802.3 format and adding a generic routing encapsulation (GRE) header for transmission to the community WiFi network and the WAN.
  • Example 96 includes the subject matter of any one of Examples 93-95, including or omitting any elements as optional, wherein the operations further comprise at least one of: stripping a GRE header from the packet data received from the SP network; encrypting the packet data utilizing a WPA2 key from a STA context database; adding a GRE header to the packet data; or transmitting the packet data Internet Protocol (IP) packet data to the CPE.
  • Example 97 includes the subject matter of any one of Examples 93-96, including or omitting any elements as optional, wherein the operations further comprise: communicating a beacon template to establish the beacon template to a wireless local access network (WLAN) AP driver of the CPE for transmission to the UE; initiating a probe response template by communicating the probe response template to establish the probe response template to the WLAN AP driver; commanding a BSS of the community WiFi network to activate; and in response to a change in a buffer traffic at the pAP or the BSS parameter, updating the beacon template and communicating a traffic indication map to the pAP of the CPE.
  • Example 98 includes the subject matter of any one of Examples 93-97, including or omitting any elements as optional, wherein the operations further comprise enabling a UE client connection establishment by: in response to receiving a client authentication request in a management packet data unit (MMPDU) of the packet data, creating a STA context and updating a client state of the STA context to Class 2;
  • Example 99 includes the subject matter of any one of Examples 93-98, including or omitting any elements as optional, wherein the operations further comprise: generating, via the WPA2 pass-through interface, the authentication protocol with the UE and the vAP by updating a client credential with an authentication server and communicating master station key (MSK) data through the CPE comprising the pAP associated with the community WiFi network to enable derivation of an MSK by the UE; enabling an encryption key for an encryption of at least one of: a data packet or a management packet of the packet data via a four-way handshake protocol; deriving encryption keys for a WPA2 encryption of unicast frames / packets based on a client pairwise transient key (PTK), and for communication from the pAP to the UE with broadcast messages based on a group temporal key (GTK); and configuring a station (STA) context database with the encryption keys associated with unicast traffic and broadcast traffic, and commanding the vAP to open a port for communication
  • Example 100 is a computer-readable storage medium storing executable instructions that, in response to execution, cause one or more processors of a customer premise equipment (CPE) to perform operations comprising: enabling a community WiFi network for a user equipment (UE) by passing along a packet via a WiFi protected access 2 (WPA2) pass-through interface by a physical access point (pAP), without generating security operations to the packet, from the UE to a virtual access point (vAP) of a security provider (SP) network; transmitting a beacon of the community WiFi network to the UE; receiving the packet associated with the community WiFi network from the UE; and passing along the packet from the UE to the SP network via the WPA2 pass-through interface without a decryption / encryption process being
  • Example 101 includes the subject matter of Example 100, wherein the operations further comprise: connecting the UE to the CPE with an end-to-end connection based on at least one of: the community WiFi network or a home network, via a range extender.
  • Example 102 includes the subject matter of any one of Examples 100-101, including or omitting any elements as optional, wherein the operations further comprise: determining whether the packet belongs to the community WiFi network based on a basic service set (BSS) identity (ID) and a class category of the packet, wherein the community WiFi network is configured as a virtual network; in response to the packet belonging to the community WiFi network and a class category of the packet comprising a Class 1, 2 or 3, adding one or more metadata comprising at least one of: a received signal strength, a signal to noise ratio, or a physical (PHY) layer header; and adding a generic routing encapsulation (GRE) header to the packet.
  • Example 103 includes the subject matter of any one of Examples 100-102, including or omitting any elements as optional, wherein the operations further comprise: receiving another packet from the SP network via the WPA2 pass-through interface; in response to the another packet belonging to the community WiFi network, removing a GRE header of the another packet; scheduling the another packet for transmission to the UE by providing the another packet in a WiFi transmit queue; and transmitting the another packet to the UE without the decryption / encryption process being performed to the another packet.
  • Example 104 includes the subject matter of any one of Examples 100-103, including or omitting any elements as optional, wherein the operations further comprise: receiving a beacon template to establish the beacon template to a wireless local access network (WLAN) AP driver of the CPE for transmission of the beacon of the community WiFi network to the UE; receiving a probe response template to establish the probe response template to the WLAN AP driver for an inquiry related to the community WiFi network by the UE; activating a BSS with a BSS ID of the community WiFi network in response to receiving a BSS command from the SP network; and updating the beacon template in response to receiving a traffic indication map at the pAP.
  • Example 105 includes the subject matter of any one of Examples 100-104, including or omitting any elements as optional, wherein the operations further comprise: transmitting a client authentication request with a management packet data unit (MMPDU) as the packet, in response to the packet comprising a client state that is Class 1; receiving a command to set the client state to Class 2 with a client MAC address at the pAP and a WLAN driver; receiving an authentication response as the MMPDU and transmitting the MMPDU for a client authentication 2 to the UE via the pAP and the WLAN driver; and receiving another command to set the client state to Class 3 to enable a data packet and a management packet to be communicated to the SP network, changing the client state to associated, assigning an association identity (AID), and communicating a packet association response for an association of the UE to the SP network via the WPA2 pass-through interface.
  • Example 106 includes the subject matter of any one of Examples 100-105, including or omitting any elements as optional, wherein the operations further comprise: receiving a management packet comprising a dissociate packet; forwarding the dissociate packet via the WPA2 pass-through interface; in response to detecting a failed link between the pAP and the vAP of the SP network, operating the pAP in autonomous mode, receiving a stop command to stop communications that include a beacon associated with the community WiFi network, cleaning a queue and setting the client state as Class 1 to prevent accepting a further packet other than an authentication request; and in response to detecting a successful link following the failed link, transmitting a connection recovery message to the vAP and initializing a WLAN AP driver of the CPE for transmission via the WPA2 pass-through interface.
  • Example 107 is an apparatus of a service provider (SP) network component comprising: means for receiving, via a WiFi protected access 2 (WPA2) pass-through, a set of traffic data from a physical access point (pAP) of customer premise equipment (CPE) connected to a user equipment (UE), wherein the set of traffic data is unmodified by the CPE and associated with a community WiFi network of the CPE; means for processing the packet data from the pAP along a receive chain for transmission to a wide area network (WAN); and means for receiving and processing WAN data for transmission to the pAP via the WPA2 pass-through interface.
  • Example 108 includes the subject matter of Example 107, further comprising: means for stripping a GRE header from the packet data received from the UE; means for determining whether the packet data comprises an encrypted data; means for determining whether a similar encrypted data as the encrypted data has been decrypted before; means for determining whether the packet data comprises an aggregate media access control (MAC) service data unit (A-MSDU); or means for determining whether the packet data comprises a data packet or a management packet requesting access to the community WiFi network.
  • Example 109 includes the subject matter of any one of Examples 107-108, including or omitting any elements as optional, further comprising: means for decrypting the packet data in response to the packet data comprising an encrypted data; in response to the encrypted data being similar to a similar encrypted data decrypted before the encrypted data, means for generating a replay attack notification, dropping the encrypted data and updating a replay attack counter; means for de-aggregating the packet data in response to the packet data comprising an A-MSDU; in response to the packet data comprising a management packet, means for transmitting the management packet to a basic service set (BSS) management component that is configured to control a BSS ID of the community WiFi network and a station (STA) connection state; or in response to the packet data comprising a data packet, means for converting the data packet from an 802.11 format to an 802.3 format and adding a generic routing encapsulation (GRE) header for transmission to the community WiFi network and the WAN.
  • Example 110 includes the subject matter of any one of Examples 107-109, including or omitting any elements as optional, further comprising: means for stripping a GRE header from the packet data received from the SP network; means for encrypting the packet data utilizing a WPA2 key from a STA context database; means for adding a GRE header to the packet data; or means for transmitting the packet data as Internet Protocol (IP) packet data to the CPE.
  • Example 111 includes the subject matter of any one of Examples 107-110, including or omitting any elements as optional, further comprising: means for communicating a beacon template to establish the beacon template to a wireless local access network (WLAN) AP driver of the CPE for transmission to the UE; means for initiating a probe response template by communicating the probe response template to establish the probe response template to the WLAN AP driver; means for commanding a BSS of the community WiFi network to activate; and in response to a change in a buffer traffic at the pAP or the BSS parameter, means for updating the beacon template and communicating a traffic indication map to the pAP of the CPE.
  • Example 112 includes the subject matter of any one of Examples 107-111, including or omitting any elements as optional, further comprising: means for enabling a UE client connection establishment by: in response to receiving a client authentication request in a management packet data unit (MMPDU) of the packet data, means for creating a STA context and updating a client state of the STA context to class 2; means for communicating a command to set the Class 2 for a client MAC address to the pAP and a WLAN driver; means for communicating an authentication response as the MMPDU for client authentication 2 to the UE via the pAP with the WLAN driver; in response to receiving an association request, means for establishing the client state of the STA context to Class 3 to enable a data packet and a management packet to be processed, means for changing the client state to associated, assigning an association identity (AID), and means for communicating a packet association response for an association of the UE.
  • Example 113 includes the subject matter of any one of Examples 107-112, including or omitting any elements as optional, further comprising: means for generating, via the WPA2 pass-through interface, the authentication protocol with the UE and the vAP by updating a client credential with an authentication server and communicating master station key (MSK) data through the CPE comprising the pAP associated with the community WiFi network to enable derivation of an MSK by the UE; means for enabling an encryption key for an encryption of at least one of: a data packet or a management packet of the packet data via a four-way handshake protocol; means for deriving encryption keys for a WPA2 encryption of unicast frames / packets based on a client pairwise transient key (PTK), and for communication from the pAP to the UE with broadcast messages based on a group temporal key (GTK); and means for configuring a station (STA) context database with the encryption keys associated with unicast traffic and broadcast traffic, and commanding the vAP
  • Example 114 is an apparatus of a customer premise equipment (CPE) comprising: means for enabling a community WiFi network for a user equipment (UE) by passing along a packet via a WiFi protected access 2 (WPA2) pass-through interface by a physical access point (pAP), without generating security operations to the packet, from the UE to a virtual access point (vAP) of a security provider (SP) network; means for transmitting a beacon of the community WiFi network to the UE; means for receiving the packet associated with the community WiFi network from the UE; and means for passing along the packet from the UE to the SP network via the WPA2 pass-through interface without a decryption / encryption process being performed to the packet.
  • Example 115 includes the subject matter of Example 114, further comprising: means for connecting the UE to the CPE with an end-to-end connection based on at least one of: the community WiFi network or a home network, via a range extender.
  • Example 116 includes the subject matter of any one of Examples 114-115, including or omitting any elements as optional, further comprising: means for determining whether the packet belongs to the community WiFi network based on a basic service set (BSS) identity (ID) and a class category of the packet, wherein the community WiFi network is configured as a virtual network; in response to the packet belonging to the community WiFi network and a class category of the packet comprising a Class 1, 2 or 3, means for adding one or more metadata comprising at least one of: a received signal strength, a signal to noise ratio, or a physical (PHY) layer header; and means for adding a generic routing encapsulation (GRE) header to the packet.
  • Example 117 includes the subject matter of any one of Examples 114-116, including or omitting any elements as optional, further comprising: means for receiving another packet from the SP network via the WPA2 pass-through interface; in response to the another packet belonging to the community WiFi network, means for removing a GRE header of the another packet; means for scheduling the another packet for transmission to the UE by providing the another packet in a WiFi transmit queue; and means for transmitting the another packet to the UE without the decryption / encryption process being performed to the another packet.
  • Example 118 includes the subject matter of any one of Examples 114-117, including or omitting any elements as optional, further comprising: means for receiving a beacon template to establish the beacon template to a wireless local access network (WLAN) AP driver of the CPE for transmission of the beacon of the community WiFi network to the UE; means for receiving a probe response template to establish the probe response template to the WLAN AP driver for an inquiry related to the community WiFi network by the UE; means for activating a BSS with a BSS ID of the community WiFi network in response to receiving a BSS command from the SP network; and means for updating the beacon template in response to receiving a traffic indication map at the pAP.
  • Example 119 includes the subject matter of any one of Examples 114-118, including or omitting any elements as optional, further comprising: means for transmitting a client authentication request with a management packet data unit (MMPDU) as the packet, in response to the packet comprising a client state that is Class 1; means for receiving a command to set the client state to Class 2 with a client MAC address at the pAP and a WLAN driver; means for receiving an authentication response as the MMPDU and transmitting the MMPDU for a client authentication 2 to the UE via the pAP and the WLAN driver; and means for receiving another command to set the client state to Class 3 to enable a data packet and a management packet to be communicated to the SP network, changing the client state to associated, assigning an association identity (AID), and communicating a packet association response for an association of the UE to the SP network via the WPA2 pass-through interface.
  • Example 120 includes the subject matter of any one of Examples 114-119, including or omitting any elements as optional, further comprising: means for receiving a management packet comprising a dissociate packet; means for forwarding the dissociate packet via the WPA2 pass-through interface; in response to detecting a failed link between the pAP and the vAP of the SP network, means for operating the pAP in autonomous mode, means for receiving a stop command to stop communications that include a beacon associated with the community WiFi network, means for cleaning a queue and setting the client state as Class 1 to prevent accepting a further packet other than an authentication request; and in response to detecting a successful link following the failed link, means for transmitting a connection recovery message to the vAP and initializing a WLAN AP driver of the CPE for transmission via the WPA2 pass-through interface.
  • Applications can include routines, programs, components, data structures, etc., that perform particular tasks or implement particular abstract data types.
  • The operations disclosed can be practiced with other system configurations, including single-processor or multiprocessor systems, minicomputers, mainframe computers, as well as personal computers, hand-held computing devices, microprocessor-based or programmable consumer electronics, and the like, each of which can be operatively coupled to one or more associated mobile or personal computing devices.
  • A computing device can typically include a variety of computer-readable media.
  • Computer-readable media can be any available media that can be accessed by the computer and includes both volatile and non-volatile media, removable and non-removable media.
  • Computer-readable media can comprise computer storage media and communication media.
  • Computer storage media (e.g., one or more data stores) includes both volatile and non-volatile, removable and non-removable media.
  • Computer storage media can include, but is not limited to, RAM, ROM, EEPROM, flash memory or other memory technology, CD ROM, digital versatile disk (DVD) or other optical disk storage, magnetic cassettes, magnetic tape, magnetic disk storage or other magnetic storage devices, or any other medium which can be used to store the desired information and which can be accessed by the computer.
  • Communication media typically embodies computer-readable instructions, data structures, program modules or other data in a modulated data signal such as a carrier wave or other transport mechanism, and includes any information delivery media.
  • A modulated data signal means a signal that has one or more of its characteristics set or changed in such a manner as to encode information in the signal.
  • Communication media includes wired media such as a wired network or direct-wired connection, and wireless media such as acoustic, RF, infrared and other wireless media. Combinations of any of the above should also be included within the scope of computer-readable media.
  • Computer-readable media includes both computer storage media and communication media including any medium that facilitates transfer of a computer program from one place to another.
  • A storage media may be any available media that can be accessed by a general purpose or special purpose computer.
  • Such computer-readable media can comprise RAM, ROM, EEPROM, CD-ROM or other optical disk storage, magnetic disk storage or other magnetic storage devices, or any other medium that can be used to carry or store desired program code means in the form of instructions or data structures and that can be accessed by a general-purpose or special-purpose computer, or a general-purpose or special-purpose processor. Also, any connection is properly termed a computer-readable medium.
  • Disk and disc includes compact disc (CD), laser disc, optical disc, digital versatile disc (DVD), floppy disk and Blu-ray disc, where disks usually reproduce data magnetically, while discs reproduce data optically with lasers. Combinations of the above should also be included within the scope of computer-readable media.
  • A general-purpose processor may be a microprocessor, but, in the alternative, the processor may be any conventional processor, controller, microcontroller, or state machine.
  • A processor may also be implemented as a combination of computing devices, for example, a combination of a DSP and a microprocessor, a plurality of microprocessors, one or more microprocessors in conjunction with a DSP core, or any other such configuration. Additionally, at least one processor may comprise one or more modules operable to perform one or more of the acts and/or actions described herein.
  • Modules (e.g., procedures, functions, and so on) and software codes may be stored in memory units and executed by processors.
  • A memory unit may be implemented within the processor or external to the processor, in which case the memory unit can be communicatively coupled to the processor through various means as is known in the art.
  • At least one processor may include one or more modules operable to perform functions described herein.
  • A CDMA system may implement a radio technology such as Universal Terrestrial Radio Access (UTRA), CDMA2000, etc.
  • UTRA includes Wideband-CDMA (W-CDMA) and other variants of CDMA.
  • CDMA2000 covers IS-2000, IS-95 and IS-856 standards.
  • A TDMA system may implement a radio technology such as Global System for Mobile Communications (GSM).
  • An OFDMA system may implement a radio technology such as Evolved UTRA (E-UTRA), Ultra Mobile Broadband (UMB), IEEE 802.11 (Wi-Fi), IEEE 802.16 (WiMAX), IEEE 802.20, Flash-OFDM, etc.
  • UTRA and E-UTRA are part of Universal Mobile Telecommunication System (UMTS).
  • 3GPP Long Term Evolution (LTE) is a release of UMTS that uses E-UTRA, which employs OFDMA on downlink and SC-FDMA on uplink.
  • UTRA, E-UTRA, UMTS, LTE and GSM are described in documents from an organization named "3rd Generation Partnership Project" (3GPP).
  • CDMA2000 and UMB are described in documents from an organization named "3rd Generation Partnership Project 2" (3GPP2).
  • Wireless communication systems may additionally include peer-to-peer (e.g., mobile-to-mobile) ad hoc network systems often using unpaired unlicensed spectrums, 802.xx wireless LAN, BLUETOOTH and any other short- or long-range wireless communication techniques, such as millimeter wave bands in the range of 30 GHz to 300 GHz, for example.
  • Single carrier frequency division multiple access (SC-FDMA) has similar performance and essentially similar overall complexity to those of an OFDMA system.
  • An SC-FDMA signal has a lower peak-to-average power ratio (PAPR) because of its inherent single carrier structure.
  • SC-FDMA can be utilized in uplink communications where lower PAPR can benefit a mobile terminal in terms of transmit power efficiency.
  • Various aspects or features described herein may be implemented as a method, apparatus, or article of manufacture using standard programming and/or engineering techniques.
  • The term "article of manufacture" as used herein is intended to encompass a computer program accessible from any computer-readable device, carrier, or media.
  • Computer-readable media can include but are not limited to magnetic storage devices (e.g., hard disk, floppy disk, magnetic strips, etc.), optical discs (e.g., compact disc (CD), digital versatile disc (DVD), etc.), smart cards, and flash memory devices (e.g., EPROM, card, stick, key drive, etc.).
  • Various storage media described herein can represent one or more devices and/or other machine-readable media for storing information.
  • A machine-readable medium can include, without being limited to, wireless channels and various other media capable of storing, containing, and/or carrying instruction(s) and/or data.
  • A computer program product may include a computer-readable medium having one or more instructions or codes operable to cause a computer to perform functions described herein.
  • A software module may reside in RAM memory, flash memory, ROM memory, EPROM memory, EEPROM memory, registers, a hard disk, a removable disk, a CD-ROM, or any other form of storage medium known in the art.
  • An exemplary storage medium may be coupled to the processor, such that the processor can read information from, and write information to, the storage medium.
  • The storage medium may be integral to the processor.
  • The processor and storage medium may reside in an ASIC.
  • The ASIC may reside in a user terminal.
  • The processor and storage medium may reside as discrete components in a user terminal.
  • The acts and/or actions of a method or algorithm may reside as one or any combination or set of codes and/or instructions on a machine-readable medium and/or computer-readable medium, which may be incorporated into a computer program product.
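The data path that Examples 102/103 (CPE side) and 108/109 (SP side) describe can be followed end to end in a small model: the pAP classifies a received 802.11 frame by BSSID and frame class, prepends radio metadata and a GRE header, and forwards the still-encrypted payload; the vAP strips the GRE header, applies the replay check before anything else happens to the frame, and dispatches management frames to the BSS manager and data frames, rewritten to 802.3, towards the WAN. The following Python is an added example, not code from the patent or from Intel. The community BSSID, the GRE protocol type for a raw 802.11 payload, the serialized frame layout and the sample MAC addresses are all constructed for the example; the replay rule used is the standard CCMP one (the packet number must strictly increase per station), which is one concrete reading of the "similar encrypted data decrypted before" test in Example 109. CCMP decryption and A-MSDU de-aggregation are deliberately left out so the control flow stays visible.

```python
"""Toy model of the WPA2 pass-through data path (Examples 102/103 and 108/109).
Constructed for illustration; not the patent's or Intel's code."""
import struct
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed values for this toy; neither comes from the patent.
COMMUNITY_BSSID = bytes.fromhex("02aabbccdd01")   # BSSID of the community WiFi BSS
GRE_PROTO_RAW80211 = 0x88FF                       # hypothetical GRE protocol type
GRE_PROTO_ETH_BRIDGE = 0x6558                     # Transparent Ethernet Bridging (real)

# Serialized frame fields the pAP carries to the vAP (constructed layout):
# bssid, src, dst, frame class, is_mgmt, encrypted, CCMP packet number, body len.
FRAME_HDR = struct.Struct("!6s6s6sBBBQH")


@dataclass
class Frame80211:
    bssid: bytes
    src: bytes
    dst: bytes
    frame_class: int     # 802.11 frame class 1, 2 or 3
    is_mgmt: bool
    encrypted: bool      # CCMP-protected payload (no keys exist on the CPE)
    pn: int              # CCMP packet number from the frame header (0 if clear)
    body: bytes          # payload; opaque ciphertext for the CPE

    def pack(self) -> bytes:
        return FRAME_HDR.pack(self.bssid, self.src, self.dst, self.frame_class,
                              int(self.is_mgmt), int(self.encrypted),
                              self.pn, len(self.body)) + self.body

    @classmethod
    def unpack(cls, buf: bytes) -> "Frame80211":
        bssid, src, dst, fclass, mgmt, enc, pn, n = FRAME_HDR.unpack_from(buf)
        body = buf[FRAME_HDR.size:FRAME_HDR.size + n]
        if len(body) != n:
            raise ValueError("truncated frame")
        return cls(bssid, src, dst, fclass, bool(mgmt), bool(enc), pn, body)


def cpe_forward(frame: Frame80211, rssi_dbm: int, snr_db: int) -> Optional[bytes]:
    """pAP side (Example 102): decide by BSSID and frame class; community traffic
    gets metadata and a GRE header prepended and is forwarded untouched."""
    if frame.bssid != COMMUNITY_BSSID or frame.frame_class not in (1, 2, 3):
        return None                                  # home-network traffic stays local
    gre = struct.pack("!HH", 0, GRE_PROTO_RAW80211)  # GRE: flags/version 0, protocol
    meta = struct.pack("!bB", rssi_dbm, snr_db)      # metadata: RSSI (dBm), SNR (dB)
    return gre + meta + frame.pack()


def to_8023(frame: Frame80211) -> bytes:
    """802.11 addressing rewritten to an 802.3 length-encoded header."""
    return frame.dst + frame.src + struct.pack("!H", len(frame.body)) + frame.body


class VapReceiveChain:
    """SP side (Examples 108/109): strip GRE, replay-check, dispatch."""

    def __init__(self) -> None:
        self.last_pn = {}           # type: Dict[bytes, int]   highest accepted PN per STA
        self.replay_counter = 0
        self.notifications = []     # type: List[str]

    def receive(self, pkt: bytes) -> Tuple[str, Optional[bytes]]:
        _flags, proto = struct.unpack_from("!HH", pkt)
        if proto != GRE_PROTO_RAW80211:
            raise ValueError("unexpected GRE payload type")
        _rssi, _snr = struct.unpack_from("!bB", pkt, 4)   # metadata for the scheduler
        frame = Frame80211.unpack(pkt[6:])
        # CCMP replay rule: the PN must be strictly greater than the last PN
        # accepted from this station; a repeat or rollback is dropped and counted.
        if frame.encrypted:
            if frame.pn <= self.last_pn.get(frame.src, -1):
                self.replay_counter += 1
                self.notifications.append(
                    "replay from %s pn=%d" % (frame.src.hex(), frame.pn))
                return ("drop", None)
            self.last_pn[frame.src] = frame.pn
        if frame.is_mgmt:
            return ("bss_mgmt", frame.pack())    # auth/assoc go to the BSS manager
        # Data: CCMP decryption is not modelled; the frame is rewritten to 802.3
        # and re-encapsulated in GRE towards the WAN.
        gre = struct.pack("!HH", 0, GRE_PROTO_ETH_BRIDGE)
        return ("wan", gre + to_8023(frame))
```

The point to notice is where the trust boundary sits: `cpe_forward` never inspects `body` and holds no `last_pn` table, so the CPE cannot be the place where replay detection or decryption happens; both live in `VapReceiveChain`, which is why the patent puts the replay counter and the STA context database on the SP side.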
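The control plane in Examples 105/106 and 112 (and their apparatus forms, 119/120) is a split 802.11 station state machine: the vAP's BSS manager owns the STA context and moves a client from Class 1 (unauthenticated) to Class 2 (authenticated) to Class 3 (associated), and tells the pAP which class to enforce; on a lost pAP-vAP link the pAP drops back to Class 1 for every client, stops beaconing and cleans its queue, then sends a connection recovery message when the link returns. The following Python is an added example, not code from the patent or from Intel. The command tuples, the return strings and the sample MAC address are constructed for the example; the class-gating rule (a station in state N may send frames of class N or lower) and the return to Class 2 on disassociation follow the IEEE 802.11 state machine rather than any text on this page.

```python
"""Toy model of the split 802.11 STA state machine behind the WPA2 pass-through
(Examples 105/106 and 112).  Constructed for illustration; not the patent's code."""
from dataclasses import dataclass
from typing import Dict, List, Tuple

CLASS1, CLASS2, CLASS3 = 1, 2, 3   # 802.11 STA states: unauthenticated, authenticated, associated


@dataclass
class StaContext:
    mac: bytes
    state: int = CLASS1
    aid: int = 0          # association identity, assigned on entering Class 3


class PhysicalAp:
    """CPE-side pAP: mirrors the per-client class it is commanded to enforce and
    gates what it forwards; it never holds key material or the STA database."""

    def __init__(self) -> None:
        self.client_state = {}       # type: Dict[bytes, int]
        self.tx_queue = []           # type: List[bytes]
        self.beaconing = True
        self.autonomous = False

    def accepts(self, mac: bytes, frame_class: int) -> bool:
        # A station in state N may send frames of class N or lower; in Class 1
        # only class-1 frames such as an authentication request get through.
        return frame_class <= self.client_state.get(mac, CLASS1)

    def apply(self, cmd: Tuple) -> None:
        kind = cmd[0]
        if kind == "set_class":           # ("set_class", mac, class) from the vAP
            self.client_state[cmd[1]] = cmd[2]
        elif kind == "stop":              # Example 106: stop beacons, clean the
            self.beaconing = False        # queue, every client back to Class 1
            self.tx_queue.clear()
            for mac in self.client_state:
                self.client_state[mac] = CLASS1

    def on_link_failed(self) -> None:
        self.autonomous = True
        self.apply(("stop",))

    def on_link_recovered(self) -> str:
        self.autonomous = False
        self.beaconing = True
        return "connection_recovery"      # message sent to the vAP before re-init


class BssManager:
    """vAP-side BSS management: owns the STA context database and emits the
    commands the pAP applies.  The four-way handshake is not modelled."""

    def __init__(self) -> None:
        self.stations = {}           # type: Dict[bytes, StaContext]
        self.commands = []           # type: List[Tuple]
        self.next_aid = 1

    def on_auth_request(self, mac: bytes) -> str:
        sta = self.stations.setdefault(mac, StaContext(mac))
        sta.state = CLASS2
        self.commands.append(("set_class", mac, CLASS2))
        return "auth_response"

    def on_assoc_request(self, mac: bytes) -> str:
        sta = self.stations.get(mac)
        if sta is None or sta.state < CLASS2:
            return "reject_not_authenticated"   # class-3 frame from an unauthenticated STA
        sta.state = CLASS3
        sta.aid, self.next_aid = self.next_aid, self.next_aid + 1
        self.commands.append(("set_class", mac, CLASS3))
        return "assoc_response aid=%d" % sta.aid

    def on_disassociate(self, mac: bytes) -> None:
        sta = self.stations.get(mac)
        if sta is not None:
            sta.state, sta.aid = CLASS2, 0       # 802.11: disassociation keeps authentication
            self.commands.append(("set_class", mac, CLASS2))
```

A `commands` entry only takes effect once the pAP has applied it, which is the window Example 105 describes between the vAP setting a class and the pAP enforcing it; a deployment would want that path to be ordered and acknowledged, since a pAP that has not yet seen `("set_class", mac, CLASS3)` keeps dropping the station's data frames.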

Abstract

A service provider (SP) network device or system can operate to enable a WiFi protected access 2 (WPA2) pass-through with a user equipment (UE) and further define various partitions between a physical access point (pAP) and a virtual AP (vAP) according to one or more VNFs based on one or more communication link parameters (e.g., latency). The WPA2 pass-through can be an interface connection that passes through a customer premise equipment (CPE) or wireless residential gateway (GW) without the CPE or GW modifying or affecting the data traffic, such as by an authentication or security protocol. The SP network device can receive traffic data through or via the WPA2 pass-through from a UE of a community Wi-Fi network at a home, residence, or entity network.

Description

WiFi PROTECTED ACCESS 2 (WPA2) PASS-THROUGH VIRTUALIZATION
FIELD
[0001] The present disclosure is in the field of security, and more specifically, pertains to a WiFi Protected Access 2 (WPA2) pass-through interface and techniques for virtualization related to the WPA2 pass-through.
BACKGROUND
[0002] Network Function Virtualization (NFV) involves the replacement of physical network nodes with Virtual Network Functions (VNFs) implemented via Virtualization Resources (VRs) that perform the same function as the physical node, or the physical Access Point (pAP). A community Wi-Fi service provides guest Internet access over residential gateways (GWs) (e.g., a customer premise equipment (CPE), an access point (AP) of a CPE, a residential Access Node, a residential gateway (GW), or the like) for customers of a communication services provider (CoSP) when they are out of their home and within range of the residential gateway. Community Wi-Fi is enabled as an additional Wi-Fi network, which can be on top of or in addition to other networks such as a residential home network for Internet access at the home, and which can be provisioned over the residential gateway by the CoSP or service provider (SP) network.
BRIEF DESCRIPTION OF THE DRAWINGS
[0003] FIG. 1 is a diagram illustrating components of a network in accordance with one or more aspects or embodiments described herein.
[0004] FIG. 2 is a block diagram illustrating components, according to some example embodiments, able to read instructions from a machine-readable or computer-readable medium (e.g., a machine-readable storage medium) and perform any one or more of the methodologies discussed herein.
[0005] FIG. 3 is a block diagram of a network system that facilitates / enables operations in connection with a virtualized network function (VNF) related networking components and WPA2 pass-through operations, according to various aspects or embodiments described herein.
[0006] FIG. 4 is a block diagram of a process flow for a SP network WPA2 pass-through according to various aspects described.
[0007] FIG. 5 is another network system that facilitates / enables operations in connection with a VNF related networking components and WPA2 pass-through operations for dynamic partition configuration, according to various aspects or embodiments described herein.
[0008] FIG. 6 is another block diagram of a process flow for a SP network WPA2 pass-through and associated partition configurations according to various aspects described.
[0009] FIG. 7 is another network system that facilitates / enables operations in connection with a VNF related networking components and WPA2 pass-through operations for dynamic partition configuration, according to various aspects or embodiments described herein.
[0010] FIG. 8 is an example network device, either as a UE or SP network device in accordance with aspects or embodiments herein.
[0011] FIG. 9 is a diagram illustrating components of a network in accordance with one or more aspects or embodiments described herein.
[0012] FIG. 10 illustrates an example data flow from a CPE perspective in accordance with one or more aspects or embodiments described herein.
[0013] FIG. 11 illustrates an example data flow from a SP network component perspective in accordance with one or more aspects or embodiments described herein.
[0014] FIG. 12 illustrates packets structures in accordance with one or more aspects or embodiments described herein.
[0015] FIG. 13 illustrates a control flow for an initiation sequence or association between the CPE and SP provider network in accordance with one or more aspects or embodiments described herein.
[0016] FIG. 14 illustrates a control flow for provisioning one or more parameters between the CPE and SP provider network in accordance with one or more aspects or embodiments described herein.
[0017] FIG. 15 illustrates a control flow for a client UE connection between the CPE and SP provider network in accordance with one or more aspects or embodiments described herein.
[0018] FIG. 16 illustrates a control flow for securing a client UE connection establishment between the CPE and SP provider network in accordance with one or more aspects or embodiments described herein.
[0019] FIG. 17 illustrates a control flow for a client UE disconnection between the CPE and SP provider network in accordance with one or more aspects or embodiments described herein.
[0020] FIG. 18 illustrates a control flow for a client UE disconnection between the CPE and SP provider network when a link there-between is no longer functional in accordance with one or more aspects or embodiments described herein.
[0021] FIG. 19 is a block diagram of a process flow for a SP network WPA2 pass-through according to various aspects described.
DETAILED DESCRIPTION
[0022] The present disclosure will now be described with reference to the attached drawing figures, wherein like reference numerals are used to refer to like elements throughout, and wherein the illustrated structures and devices are not necessarily drawn to scale. As utilized herein, terms "component," "system," "interface," and the like are intended to refer to a computer-related entity, hardware, software (e.g., in execution), and/or firmware. For example, a component can be a processor, a process running on a processor, a controller, an object, an executable, a program, a storage device, and/or a computer with a processing device. By way of illustration, an application running on a server and the server can also be a component. One or more components can reside within a process, and a component can be localized on one computer and/or distributed between two or more computers. A set of elements or a set of other components can be described herein, in which the term "set" can be interpreted as "one or more."
[0023] Further, these components can execute from various computer readable storage media having various data structures stored thereon such as with a module, for example. The components can communicate via local and/or remote processes such as in accordance with a signal having one or more data packets (e.g., data from one component interacting with another component in a local system, distributed system, and/or across a network, such as, the Internet, a local area network, a wide area network, or similar network with other systems via the signal).
[0024] As another example, a component can be an apparatus with specific functionality provided by mechanical parts operated by electric or electronic circuitry, in which the electric or electronic circuitry can be operated by a software application or a firmware application executed by one or more processors. The one or more processors can be internal or external to the apparatus and can execute at least a part of the software or firmware application. As yet another example, a component can be an apparatus that provides specific functionality through electronic components without mechanical parts; the electronic components can include one or more processors therein to execute software and/or firmware that confer(s), at least in part, the functionality of the electronic components.
[0025] Use of the word exemplary is intended to present concepts in a concrete fashion. As used in this application, the term "or" is intended to mean an inclusive "or" rather than an exclusive "or". That is, unless specified otherwise, or clear from context, "X employs A or B" is intended to mean any of the natural inclusive permutations. That is, if X employs A; X employs B; or X employs both A and B, then "X employs A or B" is satisfied under any of the foregoing instances. In addition, the articles "a" and "an" as used in this application and the appended claims should generally be construed to mean "one or more" unless specified otherwise or clear from context to be directed to a singular form. Furthermore, to the extent that the terms "including", "includes", "having", "has", "with", or variants thereof are used in either the detailed description or the claims, such terms are intended to be inclusive in a manner similar to the term "comprising".
[0026] As used herein, the term "circuitry" may refer to, be part of, or include an Application Specific Integrated Circuit (ASIC), an electronic circuit, a processor (shared, dedicated, or group), and/or memory (shared, dedicated, or group) that execute one or more software or firmware programs, a combinational logic circuit, and/or other suitable hardware components that provide the described functionality. In some embodiments, the circuitry may be implemented in, or functions associated with the circuitry may be implemented by, one or more software or firmware modules. In some embodiments, circuitry may include logic, at least partially operable in hardware.
INTRODUCTION
[0027] In consideration of described deficiencies of radio frequency communications and authentication operations, various aspects for enabling a community Wi-Fi AP virtualized network function (VNF) with WiFi protected access 2 (WPA2) pass-through from a service provider (SP) network to a client device (e.g., a user equipment (UE), a mobile device, a wireless device, such as a wireless laptop or other wireless device, or other network device) are disclosed. Data traffic over a community Wi-Fi network can pass between mobile devices (or UEs) of a guest subscriber to an SP (e.g., a network provider of a cable, digital subscriber line (DSL), passive optic network (PON), or satellite network service) and to the SP network (a wide area network (WAN), or access to a WAN such as for an access to the Internet) via the community Wi-Fi pass-through, which means through or by the community Wi-Fi network at a home or residential gateway device (e.g., a customer premise equipment (CPE), physical AP, home / residential / business entity access node). The residential gateway (GW) can transparently pass data traffic of the community Wi-Fi network from the UE / wireless client to the SP network device of an SP network by means of, via, through, or by the WPA2 pass-through. The passage of data can be referred to as transparent in this case because the data traffic can be passed by the hosting wireless residential GW without modification, alteration, decryption or change by the associated home / residential GW to the SP network at an SP access point or virtual AP of the SP network, for example. In this sense the data traffic can pass transparently through (or via) a secured WPA2 pass-through as a connection interface (or WPA2 pass-through interface) from the UE to the SP network without the residential GW (or CPE) device / component being enabled to change, decrypt or modify the data traffic of the community WiFi network. The data traffic can be sent or received by the UE or by the SP network device of an SP network as authenticated, protected and secure, using Wi-Fi protected access 2 (WPA2) security in a secure connection, as the WPA2 pass-through.
[0028] Presently, when connected to the residential gateway, the clear-text or unsecured community Wi-Fi traffic can be tunneled and forwarded to the SP network over the WAN after an authenticated and secured connection is established with the residential GW. However, this can represent a vulnerability where a hosting user (or owner) of the residential GW could tap into the community Wi-Fi traffic and spoof communications from a guest subscriber using a UE or client of the SP network with the residential GW as a Hotspot, for example, or a Passpoint in accordance with Wi-Fi Alliance standards. This vulnerability can be aggravated when a hosting home has a home network range extender connected to the residential GW using Ethernet or an Ethernet connection there-between. In this case, the data traffic could be sent in clear text over the Ethernet to the home residential GW and become even easier to spoof, even after authentication or security protocols are established between the range extender and the UE, for example.
[0029] In one example, an apparatus or system (e.g., an SP network device / component) of the SP network can be configured to be employed in / with a service provider (SP) network device / component (e.g., a processing device of a network server / a rack server or the like network device) with one or more processors, coupled to a memory that includes instructions to execute operations of the one or more processors. The SP network device, for example, can be configured to generate a WPA2 pass-through from the SP network to the UE or mobile device (user) without providing an opportunity for external breach or tampering at the range extender or the wireless residential GW at a home / entity hot spot or other CPE.
[0030] The SP network device, for example, can initiate (or instantiate) the WPA2 pass-through as an interface that tunnels or flows from the SP network, through the CPE, and to a UE, as an end-to-end interface between the UE and the SP network device. As such, the SP network device can receive, via the WPA2 pass-through, a set of traffic data from the UE, wherein the set of traffic data is unmodified by the CPE, unmodified referring to not being decrypted, changed, or initially altered by the CPE / residential GW. The data traffic can be associated, in particular, with a community WiFi network of the CPE, which is separate from a residential network of the home or home owner that could be operational with other UEs at the wireless residential GW with a different basic service set identifier (BSSID) for example.
[0031] In particular, some aspects / embodiments disclosed herein are directed to particular data protocol details, data flows, how or when we re-partition one or more VNFs from the physical AP to a virtual AP, or leave functions at the physical AP, and related functionality with respect to a data plane, a control plane, and related provisioning / orchestration of the services or functions in these processes. Additional aspects, embodiments or details of the disclosure are further described below with detail in reference to figures.
[0032] FIG. 1 is a block diagram illustrating components of a system or network device 100, according to some example embodiments, able to read instructions from a machine-readable or computer-readable medium (e.g., a machine-readable storage medium) and perform any one or more of the functions, operations, processes or methodologies discussed herein. One or more components of the system or device 100 can be employed or utilized with, in or as a part of a user equipment (UE) (e.g., a mobile device, wireless device, or the like), a service provider network device / component (e.g., a network access node, network orchestrator, network server, rack server, network controller / processor, network database, or the like), or a customer premise equipment (CPE) (e.g., a router, residential / entity GW, access node, AP, base station, evolved NodeB (eNB), or the like). Specifically, FIG. 1 illustrates a diagrammatic representation of hardware resources 101 that can be configured for use within the network device or system 100, including one or more processors (or processor cores) 110, one or more memory/storage devices 110, and one or more communication resources 130, each of which can be communicatively coupled via a communication link (e.g., a bus 140) or other connection (e.g., an optical link, wireless connection, wired connection, or other like communication connection).
[0033] For embodiments where node virtualization can be utilized (as in a network function virtualization (NFV) operation), a hypervisor 102 can be executed to provide an execution environment for one or more network slices / sub-slices to utilize the hardware resources 101. Such a hypervisor 102, for example, can comprise a virtual machine monitor (VMM), which comprises computer software, firmware or hardware resources that create and run virtual machines on a computer / processing device. Virtualization, as referred to herein, can be referred to as the removal of a function from a device (e.g., a CPE) and assigning or relocating the function to another device on a network, either as software, firmware, specialized hardware or a combination thereof, on the SP network for performing the similar or same function instead.
[0034] The processors 110 (e.g., a central processing unit (CPU), a reduced instruction set computing (RISC) processor, a complex instruction set computing (CISC) processor, a graphics processing unit (GPU), a digital signal processor (DSP) such as a baseband processor, an application specific integrated circuit (ASIC), a radio-frequency integrated circuit (RFIC), another processor, or any suitable combination thereof) can include, for example, a processor 112 and a processor 114. The memory/storage devices 110 can include main memory, disk storage, or any combination thereof.
[0035] The communication resources 130 can include interconnection and/or network interface components or other suitable devices to communicate with one or more peripheral devices 104 or one or more databases 106 via a network 108. For example, the communication resources 130 can include wired communication components (e.g., for coupling via a Universal Serial Bus (USB)), cellular communication components, Near Field Communication (NFC) components, Bluetooth® components (e.g., Bluetooth® Low Energy), Wi-Fi® (Wi-Fi / WiFi) components, and other communication components.
[0036] Instructions 150 can comprise software, a program, an application, an applet, an app, or other executable code for causing at least any of the processors 110 to perform any one or more of the methodologies discussed herein. The instructions 150 can reside, completely or partially, within at least one of the processors 110 (e.g., within the processor's cache memory), the memory/storage devices 110, or any suitable combination thereof. Furthermore, any portion of the instructions 150 can be transferred to the hardware resources 101 from any combination of the peripheral devices 104 and/or the databases 106. Accordingly, the memory of processors 110, the memory/storage devices 110, the peripheral devices 104, and the databases 106 are examples of computer-readable and machine-readable media.
[0037] In various embodiments, techniques / processes described herein can be employed to create, delete, or determine threshold(s) or parameters (e.g., latency, power, load, etc.) in connection with a VNF related virtualization resource (VR) performance measurement (PM), or to generate a notification of a crossing of such threshold(s) by one or more related parameters (e.g., latency, power, load, or other related parameters of a Wi-Fi standard such as an IEEE standard, Wi-Fi Alliance standard, 3GPP, or other standard). To enable security for UEs, provide flexibility for SP subscribers (UEs or users paying for SP internet or WAN access) operating among different Wi-Fi networks, including a community Wi-Fi network (e.g., a hotspot, hotspot 2.0, Wi-Fi Passpoint, or other public community WiFi network) throughout residential or business entities, eliminate vulnerabilities, and optimize load balancing between a residential (home / business / or other entity) gateway (GW) and an SP network, a WPA2 pass-through can be generated or enabled by an SP network device or SP network component with various components or elements as described herein. The WPA2 pass-through can be a communication link, interface, tunnel or other connection that passes through the wireless residential GW or CPE to a UE or wireless subscriber device with WPA2 encryption security and as an end-to-end point connection, for example.
[0038] In various embodiments discussed herein, an SP network component (e.g., the SP network device / component 200 of FIG. 2) of a service provider (e.g., a cable provider, DSL, PON or other network provider operable to provide a network or network service to a WAN / the Internet) can enable different / various home networks of a residential / entity GW or CPE, for example, including a community WiFi network with data traffic associated with a particular Basic Service Set (BSS) with layer 2 privacy through (via or by) the GW or CPE. In addition, the networks configured at the CPE, for example, can comprise different types / classes of networks enabling users access to the Internet. These networks can be configured or enabled at the CPE (e.g., with a network router, range extender or other associated network devices / components in a home) and include networks such as a home access network (e.g., a personal area network (PAN)), a community Wi-Fi network that is managed by the SP (e.g., a hot spot (1.0 / 2.0) or Passpoint with a wireless local area network (WLAN)), a local area network (LAN) or the like, in which each network can be associated with or correspond to a different BSSID, for example. Each network, for example, can comprise a pAP or a CPE (e.g., residential GW 240 of FIG. 2) dedicated to the residential / entity location for providing one or more networks at a single location / CPE / wireless residential GW or physical AP. One or more SP network devices or components (e.g., SP network device 202) can enable or facilitate virtualization of the Wi-Fi AP or the pAP, in which virtualization can be performed by means of NFV, which can refer to or mean taking a function typically associated with the hardware residential GW, CPE or pAP and moving this functionality away from the hardware to another location (e.g., away from the residential GW to the SP network). This affords an advantage of being able to provide better security and broader usage for users.
[0039] In one embodiment, an SP network device / component, for example, can virtualize the encryption for WPA2 security from the pAP to an SP network component of the SP network and enable the WPA2 pass-through to one or more UEs. Each UE, for example, can be independently established with a connection / access at the home pAP as part of, or independently of, the SP network as a guest of the home pAP. For example, a home / residential network can be different from a community Wi-Fi network or hot spot at the pAP. Both networks can be accessed by the UE, but the community WiFi network can be independently accessed from the pAP to the SP network over a secure WPA2 pass-through from the UE to the SP network, in which the SP network operates a WAN that can further access the Internet, for example, while the home network provides access from the home to the SP network and to the Internet, for example.
[0040] Additionally, one or more SP network components can operate to partition or configure partitions as a partition configuration for NFV in a virtual access point (vAP) at the SP network from the pAP of the CPE. Various partitions can include different functionalities or VNFs that operate in the CPE and are virtualized to a point in the SP network so this point or vAP controls, manages and takes over these functions, as will be described in more detail below.
[0041] Referring to FIG. 2, illustrated is a block diagram of a network system 200 or network environment with an SP network device 202 that can facilitate / enable generation, management, processing or termination of a WPA2 pass-through with a VNF based vAP of a community Wi-Fi network as a virtual WPA2, according to various aspects described herein. Depending on the embodiment, the SP network device 202 can be employed in connection with or comprise one or more of a network manager (NM), an element manager (EM), a virtual network function orchestrator (VNFO), a virtual network function manager (VNFM), a Virtualized Infrastructure Manager (VIM), a WiFi access point management (WAPM), a Radius Client, an authenticator, a Basic Service Set (BSS) management component, a Home Subscriber Server (HSS) / a Mobility Management Entity (MME) / a Serving GateWay (SGW) / a Packet Data Network (PDN) GateWay (PGW) / a Policy and Charging Rules Function (PCRF), which can be associated with a Third Generation Partnership Project (3GPP) standard, a WiFi Alliance standard, a European Telecommunication Standards Institute (ETSI) standard (such as the NFV Management and Orchestration (MANO) standard), or other such standard, for example.
[0042] In one or more embodiments, the networks herein (e.g., network system 200) could operate in compliance with a 3GPP standard to provide a 3GPP management framework or with a European Telecommunication Standards Institute (ETSI) standard such as the NFV Management and Orchestration (MANO) standard to support lifecycle management to instantiate, terminate, scale in, scale out, scale up, or scale down one or more VNF instances dynamically according to demand, security or load balancing. As discussed herein, an "instance", instantiating or an instantiation can refer to starting (initiating) or executing (running) a virtual machine that is capable of implementing a VNF such as a VNF related to establishing (generating) or managing (controlling) a WPA2 pass-through of an SP network 280 that extends from an SP network device / component of the SP network to a UE (e.g., a mobile phone, laptop, personal computer, personal digital assistant, or other wireless device capable of connection to the SP network or the Internet). Termination can refer to closing or stopping the execution / running of such a virtual machine / component.
[0043] System 200 can comprise the SP network device / component 202 that can operate to instantiate or generate a WPA2 pass-through that virtualizes the security (e.g., authentication and security / privacy) of the wireless residential GW 240. The SP network device 202 can further enable an SP network that can provide WAN access (e.g., Internet access) to one or more subscribers / clients / client devices / UEs, for example. The SP network device 202 can include one or more processors 210 (e.g., processors 112, 114 or other examples herein), communication circuitry 220 (which can facilitate communication of data via / by / through one or more reference points, networks, APs, nodes, etc., and can comprise communication resource(s) 130, etc., of FIG. 1), and memory 230 (which can comprise any of a variety of storage mediums and can store instructions and/or data associated with at least one of the one or more processors 210 or communication circuitry 220, and can comprise memory/storage device(s) and/or cache memory of processor(s) 210, etc.).
[0044] In some aspects, the one or more processors 210, the communication circuitry 220, and the memory 230 can be included in a single device (e.g., the SP network device 202), being collocated or non-collocated, for example, while in other aspects, they can be included in different devices, such as part of a distributed network architecture / environment. As described in greater detail below, system 200 can enable the generation of a WPA2 pass-through 270 as an interface, tunnel or link between one or more UEs 250 and a vAP of an SP network component 202 of an SP network 280. The vAP, for example, can be an instantiated partition or proportion of resources located on the SP network 280 that is configured to perform one or more functions of the wireless residential GW / CPE 240 or a component thereof in lieu of or instead of the CPE 240.
[0045] The WPA2 pass-through 270, as generated by the SP network component 202, can virtualize the authentication or encryption that is associated with WPA2 security from the residential GW / CPE 240 to the SP network component 202, and further enable the WPA2 pass-through secure communications to one or more UEs through the residential GW 240 without modification of the associated data traffic by the wireless residential GW 240. Wi-Fi Protected Access (WPA) and Wi-Fi Protected Access II (WPA2) are two security protocols and security certification programs developed by the Wi-Fi Alliance to secure wireless computer networks. The Wi-Fi Alliance and standard body defined these in response to serious weaknesses researchers had found in the previous system, Wired Equivalent Privacy (WEP). WPA2 became available in 2004 and can be a shorthand for the full IEEE 802.11i (or IEEE 802.11i-2004) standard. WPA2 replaced WPA. WPA2, which demands testing and certification by the Wi-Fi Alliance, implements the mandatory elements of IEEE 802.11i. In particular, it includes mandatory support for Counter mode with cipher block chaining message authentication code (CBC-MAC) protocol (CCMP), an advanced encryption standard (AES)-based encryption mode with strong security.
[0046] A WPA2 pass-through 270 can be an interface or connection through or via the CPE 240 from the SP network to a UE detected by the CPE 240 that is a secure connection / tunnel based on WPA2 security. The WPA2 pass-through can enable / manage an authentication or security protocol with the UE 250 based on a VNF of a physical access point (pAP) associated with the community WiFi network for a virtual access point (vAP) of the SP network 280 of the SP network device / component 202. An access point can be a Service Access Point (SAP), which can be an identifying label for network endpoints used in Open Systems Interconnection (OSI) networking. The SAP can be a conceptual / physical location at which one OSI layer can request the services of another OSI layer at different "endpoints". As an example, PD-SAP or PLME-SAP in IEEE 802.15.4 can be mentioned, where the Media Access Control (MAC) layer requests certain services from the Physical Layer. Service access points are also used in IEEE 802.2 Logical Link Control in Ethernet and similar Data Link Layer protocols, for example. When using the OSI Network Layer (connection-oriented network service (CONS) or connection-mode network service (CLNS)), the base for constructing an address for a network element can be a network service access point (NSAP) address, similar in concept to an IP address. OSI Application Layer protocols as well as Asynchronous Transfer Mode (ATM) can use Transport (TSAP), Session (SSAP) or Presentation (PSAP) Service Access Points to specify a destination address for a connection. These SAPs consist of NSAP addresses combined with optional transport, session and presentation selectors, which can differentiate at any of the three layers between multiple services at that layer provided by a network element.
[0047] A physical AP, or pAP, can be established within a CPE and be a part of the CPE / GW 240, for example. A VNF of a pAP associated with a community WiFi network can be a function that is normally associated with the physical AP (e.g., a physical SAP or physical location of an SAP / AP) and the community WiFi network (e.g., a hot spot network or Passpoint), and further replaced or taken over in lieu thereof by another component; in one case, for example, this can be at the SP network 280 outside of the CPE 240 or home network environment. For example, security, authentication or initiation of an instance of a WPA2 pass-through or a partition can be associated with the community WiFi network over other networks that could be generated simultaneously or concurrently through the CPE 240.
[0048] A partition can be referred to as a process that divides network functions by a partition configuration between the CPE 240 and the SP network component 202 of an SP network 280. A partition configuration of VNFs can be a division of functions between two components such as a pAP and a vAP, in which the vAP is associated with the functions of the pAP at a different location, such as on or as a part of the SP network device / component 202 in the SP network 280. In one example, a server chip or processing device at a server or other network device of the SP network 280 can comprise operations, instructions or software associated with the function that is replacing or being re-located from the pAP and the associated community WiFi network.
[0049] As such, the WPA2 pass-through 270 can enable / manage an authentication or security protocol with the UE 250 based on a VNF of a pAP associated with the community WiFi network for (e.g., the creation of) a vAP of the SP network 280 of the SP network device / component 202. The vAP, thus, can be a creation or instance of a set of functions that have been virtualized from the pAP in relation to a community WiFi network. The community WiFi network can be a hot spot, or other Passpoint or network configured to be enabled at the CPE 240 for guests, subscribers of the SP (e.g., Comcast), or the home, with a UE 250 that recognizes the community WiFi network by a BSSID, for example, and initiates connection with it. In return, an authentication / security protocol can be exchanged without interference, tampering, modification or concern of breach by or through the CPE 240.
[0050] The residential GW or CPE 240 in conjunction with the SP network system 200 can operate to support different types of authentication of wireless clients 250, or authentication standard protocols that can dictate how the client / UE 250 or mobile phone connects to the community WiFi network and how it authenticates to the SP network 280. For example, Wireless Internet Service Provider version 1.0, or WISPr 1.0, could be one such authentication protocol found in the airplane portal, or in public spaces where a public WiFi network without security could connect a UE 250 to the GW or CPE 240 according to one or more credentials (email, address, etc.) that could be similarly associated with an SP, for example, to further enable WAN or Internet access based on browser-based login at a captive portal hotspot. Another example authentication protocol can be 802.1x or another IEEE 802.1 standard, where a specific procedure / protocol (e.g., 802.1x) can be with / without extensions such as EAP-TTLS, PEAP, EAP-SIM, EAP-AKA, for example, which are associated with different mechanisms that use different credentials / processes. Once access to a network such as the SP network 280 establishes a connection to the Internet or other network, for example, data traffic is encrypted (e.g., via WPA2) for security / privacy, or is left unencrypted. The WPA2 pass-through operates to provide such security as an end-to-end connection through a CPE 240 without modification by the CPE 240; as such, the WPA2 pass-through can be said to be transparent to the CPE 240.
[0051] In one embodiment, the SP network component 202 can operate to virtualize authentication and encryption protocols over the WPA2 pass-through to ascertain one or more credentials to be filled in by the UE 250, or client, by maintaining / controlling / operating at the SP network 280 functions that would otherwise be associated with the residential GW / CPE 240. The authentication protocols can include, for example, WISPr 1.0, or the 802.1x protocol, where a specific procedure / protocol with 802.1x can be with / without extensions such as EAP-TTLS, PEAP, EAP-SIM, EAP-AKA, for example.
[0052] As such, the SP network component 202, for example, can create a virtual network function for a pAP to form an instance of a vAP based on one or more VNFs, depending on the partition configuration. A home gateway, the wireless residential GW, can be connected to the SP network 280 over a cable / digital subscriber line (DSL) / passive optical network (PON) 290 with the data traffic or packets flowing through a GRE tunnel to the Wireless Access GW 240. The UE 250 is then connected over a WiFi link 260 to the residential GW 240. Privacy can be ensured via WPA2 privacy on the wireless link 260 between the UE 250 and the residential GW device 240 or CPE. As such, the encryption key for such privacy would normally reside in the GW 240 (or in the AP) and in the UE devices 250. As such, all the data traffic or packets can be encrypted using WPA2 or a WISPr link between the UE 250 and the GW 240. However, opportunities for spoofing from the home can still exist within the connection between the CPE 240 or pAP, for example, and the SP network, in which the cable, DSL, PON or other connection exists (as traffic data can be in clear text). This can be especially true where the CPE 240 includes a range extender. From the CPE, data can then be further encrypted over the broadband link / cable / DSL / PON with L2 privacy on a communication link between the CPE 240 and the SP network 280 in the WLAN access GW network. As such, two links co-exist with different security, and in the middle there can be a point with no security / privacy.
[0053] The WPA2 pass-through 270 from end-to-end ensures such security all the way through the CPE to the SP network and ensures that modification, tampering or breach of privacy does not provide opportunity otherwise, in association with a community WiFi network. The WPA2 pass-through 270 can be instantiated or generated by the SP network device 202 when there is a configuration at the CPE 240 where all the traffic for a specific network (e.g., community WiFi network) is passed transparently through the residential GW 240 without the residential GW 240 touching any of the bits on this traffic, and through the cable/ DSL/ PON access to the SP network 280 at one or more components / devices thereat (e.g. the SP network device 202).
[0054] Authentication or security protocol(s) can then be facilitated through the WPA2 pass-through 270 connection / interface. An encryption key is then communicated (shared) between the UE 250 and some function or component in the SP network 280 as part of such a protocol. In this situation, all the data traffic from the connecting UE 250 can flow transparently through the home network CPE 240, gets to the SP network 280, and there it is encrypted / decrypted. With this approach, utilizing or generating the WPA2 pass-through 270 by the SP network device / component, there is no point at the home or at a home CPE, in the middle between the UE and the SP network, where the traffic is not encrypted and where someone who hacks into this home GW 240 could get access to it. This is traffic that does not belong to the home network; it is the traffic of the community WiFi, and thus belongs to the SP, but happens to pass through the home network via the WPA2 pass-through.
[0055] Referring now to FIG. 3, illustrated is another example of an SP network that can configure a WPA2 pass-through 270 in accordance with various aspects or embodiments described in this disclosure. In order to generate or instantiate the WPA2 pass-through 270 from the SP network 280 to the UE 250, the WiFi access point as a pAP 302 of the CPE 240 can be configured to operate in the WPA2 pass-through mode where the WPA2 pass-through 270 is functionally active for a virtual community WiFi access point or vAP 340 of the SP network 280. The pCPE control 320 can configure the CPE 240 to not interfere with data traffic associated particularly with a community Wi-Fi network and over or in conjunction with any home network or other LAN configuration the CPE 240 could also be configured to manage independently / separately alongside the community Wi-Fi network. In a WPA2 pass-through mode, for example, the CPE 240 simply passes data traffic associated with the community WiFi network along or through it on a WPA2 pass-through 270 communication interface, link or tunnel, for example.
[0056] In another embodiment, once the pAP 302 of the CPE 240 is configured to bypass any function associated with initializing a network (e.g., authentication, security encryption / decryption, etc.), a WiFi access point function, including the functionality to derive one or more of these functions with an encryption key, can be instantiated or moved from the pAP 302 to the vAP 340 of the SP network 280. The vAP 340 can operate all functions partitioned from the pAP 302 to the vAP 340 as part of communication through an access GW controller or pCPE controller 320 at the SP network 280. The SP network 280 can therefore include the access GW or pCPE control / controller 320, to which, for example, the broadband from a home / residence / entity GW 240 can be connected. The connection from the pCPE control 320 to the CPE or residential GW 240, for example, can be over cable, DSL, PON, wireless or another connection 290 as a communication link or as part of the WPA2 pass-through 270.
[0057] The community WiFi access GW or pCPE control 320 can be a component that controls communication and the flow of the BSS related to the community WiFi network and links VNFs with a corresponding instance of one or more vAPs 340, through which the data traffic for the BSS associated with the community WiFi flows. For example, the pCPE control / controller 320 can control the authentication protocol flow through the WPA2 pass-through 270 from the vAP 340 that initiates the flow per one or more request / inquiry / decryption operations, as well as enable actions / operations related to virtualizing the functions, such as VNFs, from the pAP 302 to an instance of the vAP 340 associated with a community WiFi network. These devices or components can remain in the SP network.
[0058] In another embodiment, the manager component 310 and the orchestrator 330 can be a VNF orchestrator configured to enable virtualization of network functions from the CPE 240 based on a partition configuration of the VNFs. For example, the orchestrator 330 can be configured to facilitate / enable / control on-boarding of network services (NS) and VNF packages, NS lifecycle management, global resource management, validation and authorization of network functions virtualization infrastructure (NFVI) resource requests, and the like. The orchestrator 330 can be coupled to the manager 310 as well as to the vAP (or virtualized network element) 340 as a VNF manager that oversees or controls lifecycle management of VNF instances, with a coordination and adaptation role for configuration and event reporting, for example. The pCPE can also operate as a virtualized infrastructure manager (VIM), as an entryway or portal to the SP network 280 and the SP network device(s) or components 202, for example, to control and manage the NFVI compute, storage, or network resources, including the WPA2 pass-through and WPA2 protocol process flows. Any one of the orchestrator 330, a database, or another server component (e.g., an authentication, authorization, accounting server, or the like) of a server system that manages or enables the SP network 280 can further operate to open access for a specific user / UE 250 (e.g., by service set identifier (SSID)) of the SP network 280 to the internet or other WAN.
[0059] A remote office or enterprise network, such as one with a VPN, can be a configuration where a residential gateway is changed or configured to connect to the SP network 280 as an intranet of a business or other entity, such as a corporate network or corporate IT system. The UE 250 (e.g., a laptop, PC or other similar processing device) connects to the home network and, through it, to the corporate network. However, disadvantages and potential security issues exist with the encryption, or the secured communication, between the UE 250 laptop and the CPE or residential GW 240 in the home, which may use WPA2 security protocols between the UE and the CPE 240, or between the UE 250 and a range extender connecting the UE 250 to the residential GW / CPE 240, as an end-to-end connection. In one solution, a second device from an enterprise vendor such as Cisco, for example (the AP or VPN client), can be provided with the VPN tunnel to connect with or at the CPE. The VPN client additionally creates a secured tunnel from the laptop to the corporate network. On top of this VPN link or tunnel, the UE 250 is able to communicate as if in the corporate intranet and get access to any corporate services. However, the data traffic of the private network or home network at the CPE 240 is also put onto the VPN link. Essentially, access is provided to the VPN tunnel from the home on the PC, which usually adds processing overhead and frustration to the user experience, often resulting in slower UEs, since all home network activity is usually put on top of the VPN connection as well.
[0060] In an aspect, the WPA2 pass-through and virtualization of related functions can be enabled to replace virtual private network (VPN) functions of an enterprise network as the SP network 280, which in this case can also comprise an intranet or WLAN that can further be connected to other networks or to the SP network 280, enabling access beyond to the internet or other WAN. The WPA2 pass-through in this case provides the enterprise security and can add to the 802.1x standard or related protocol connection.
[0061] For example, an authentication protocol can be 802.1x or another IEEE 802.1x standard, in which x is any integer or other undetermined variable, where a specific procedure / protocol (e.g., .1x) can be with or without extensions such as EAP-TTLS, PEAP, EAP-SIM or EAP-AKA, for example, which are associated with different mechanisms that use different credentials / processes. Once access to a network such as the SP network 280 establishes a connection to the internet or other network, for example, data traffic can be encrypted (e.g., via WPA2) for security / privacy, or is left unencrypted. The WPA2 pass-through operates to provide such security as an end-to-end connection through a CPE 240 without modification by the CPE 240; as such, the WPA2 pass-through can be said to be transparent to the CPE 240. The WPA2 pass-through thus creates a tunnel with transparent communication over the CPE 240 such that all the traffic between the UE 250 and the SP network 280 is unchanged, and the end-points of the WPA2 pass-through can be fully secure end-points (e.g., layer 2 end-points) in the SP network 280 and in the UE 250.
[0062] In another embodiment, the community WiFi network can be a hot spot, or another pass point or network, configured to be enabled by the SP network device / system 202 at the CPE 240 so that UEs 250 that are not necessarily residents or secured for access by other networks managed by the CPE 240 (e.g., a home network or the like) can transparently access the community WiFi network via the WPA2 pass-through connection. A vAP 280 can be instantiated by removing functions of the pAP 302 from the CPE 240, or from the home with a UE 250 that recognizes the community WiFi network. In response to a successful authentication from the authentication protocol with the SP network, the SP network device can receive, via the WPA2 pass-through 270, data traffic associated with a particular BSS corresponding to the community WiFi network enabled by the CPE 240, which is transparently passed along to the SP network for a virtual community WiFi network over the WPA2 pass-through as an end-to-end WPA2 connection between the UE 250 and the SP network device 202 or one of the corresponding components thereat (e.g., the vAP 340). The BSS can identify or serve as a filter for UEs 250 not belonging to or associated with the home network, which is managed by the CPE 240. The BSS of the community WiFi network can be from among multiple other BSSs for other networks managed by the home / residential CPE. However, the community WiFi network over the WPA2 pass-through is managed by the SP network 280 or an associated SP network device / component thereof alone, with associated VNFs, depending upon a VNF partition configuration, for example. The BSS of the community WiFi network can be one basic service set (BSS) from among a plurality of BSSs with layer 2 privacy through a residential GW 240, wherein the BSS is based on a BSS identification (BSSID) associated with the community WiFi network. The UE 250 can then receive or initiate a connection or access with the BSSID, for example. In return, an authentication / security protocol can be exchanged without interference, tampering, modification or concern of breach via, by or through the CPE 240 over the WPA2 pass-through 270.
[0063] A BSS, for example, can provide the basic building block of an 802.11 wireless LAN. In infrastructure mode, a single access point (AP) together with all associated stations (STAs) can be called a BSS; this is not to be confused with the coverage area of an access point, known as the basic service area (BSA). Every BSS has an identifier called the BSSID, which is the MAC address of the AP servicing the BSS.
[0064] The SP network 280 of the SP network device 202, with the home network of the CPE 240, can be a layer-to-layer network in which there are multiple BSSs that can be configured in the wireless GW 240, one BSS for the home network and another for the community WiFi network, for example. As such, the WPA2 pass-through associated with a community WiFi network can be established with only a specific BSS, to bypass the associated data traffic without modification. Thus, the majority of home / residential / entity data traffic belonging to the home CPE 240 can remain managed thereat, such as communication between a UE (e.g., a television, phone, etc.) and a phone, or between a media center and the TV, as well as further to the internet, for example. However, the community WiFi network traffic via the WPA2 pass-through always belongs to the SP network 280 or an associated server / device / system of the SP network 280, and the home network of the CPE 240 just provides a means to get the bits from the mobile device to the SP over an end-to-end pass-through interface, namely the WPA2 pass-through itself.
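The per-BSS filtering described in [0062] to [0064], as an added example that is not part of the patent: a CPE-side dispatcher that extracts the BSSID from an 802.11 data frame header and hands community-BSS frames to the WPA2 pass-through byte-for-byte unchanged, while home-BSS frames stay on the local data path. The BSSIDs, the frame builder and the path names are constructed for illustration.

```python
"""Per-BSS dispatch at a CPE operating a WPA2 pass-through (added example)."""
from dataclasses import dataclass
from enum import Enum
from typing import Optional, Tuple


class Path(Enum):
    HOME_LOCAL = "home data path, privacy handled at the CPE"
    PASS_THROUGH = "WPA2 pass-through to the vAP, frame untouched"
    DROP = "not a configured BSS"


def mac_str(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def bssid_of(frame: bytes) -> Optional[str]:
    """BSSID of an 802.11 data frame; the address field holding it depends on To DS / From DS."""
    if len(frame) < 24:
        return None                      # shorter than a three-address MAC header
    fc0, fc1 = frame[0], frame[1]        # frame control field, little-endian
    if (fc0 >> 2) & 0x3 != 2:            # type 2 = data; management / control frames not dispatched here
        return None
    to_ds, from_ds = fc1 & 0x1, (fc1 >> 1) & 0x1
    addr1, addr2, addr3 = frame[4:10], frame[10:16], frame[16:22]
    if to_ds and from_ds:
        return None                      # four-address (WDS) frame: no single BSSID
    if to_ds:
        return mac_str(addr1)            # STA -> AP: Address 1 is the BSSID
    if from_ds:
        return mac_str(addr2)            # AP -> STA: Address 2 is the BSSID
    return mac_str(addr3)                # STA -> STA inside the BSS: Address 3 is the BSSID


def is_protected(frame: bytes) -> bool:
    """Protected Frame bit: the body is WPA2-encrypted and only the key holder can read it."""
    return bool(frame[1] & 0x40)


@dataclass(frozen=True)
class BssTable:
    home_bssid: str       # BSS whose privacy (encryption / decryption) stays at the pAP
    community_bssid: str  # BSS virtualized to the vAP; the CPE holds no keys for it


def dispatch(table: BssTable, frame: bytes) -> Tuple[Path, bytes]:
    """Route one received frame. The pass-through path returns the frame verbatim."""
    bssid = bssid_of(frame)
    if bssid == table.community_bssid:
        return Path.PASS_THROUGH, frame  # forwarded still encrypted; decrypted only at the vAP
    if bssid == table.home_bssid:
        return Path.HOME_LOCAL, frame    # local data path performs the WPA2 privacy work
    return Path.DROP, b""


def build_data_frame(to_ds: int, from_ds: int, protected: bool,
                     addr1: bytes, addr2: bytes, addr3: bytes, body: bytes) -> bytes:
    """Constructed 802.11 data frame (subtype 0) with a three-address header, for testing."""
    fc0 = 0x08                                        # version 0, type data, subtype 0
    fc1 = to_ds | (from_ds << 1) | (0x40 if protected else 0)
    return bytes([fc0, fc1, 0x00, 0x00]) + addr1 + addr2 + addr3 + b"\x00\x00" + body


# Constructed sample configuration and frames (locally administered MAC addresses).
HOME = bytes.fromhex("02aa000000a1")
COMMUNITY = bytes.fromhex("02aa000000c2")
UE = bytes.fromhex("02bb000000ee")
TABLE = BssTable(mac_str(HOME), mac_str(COMMUNITY))
# UE -> community AP, body already WPA2-encrypted by the UE.
FRAME_COMMUNITY = build_data_frame(1, 0, True, COMMUNITY, UE, bytes(6), b"\xde\xad")
# UE -> home AP, handled by the CPE itself.
FRAME_HOME = build_data_frame(1, 0, True, HOME, UE, bytes(6), b"\xbe\xef")
# Unknown BSSID and a WDS frame: neither belongs to a configured BSS.
FRAME_OTHER = build_data_frame(1, 0, False, bytes.fromhex("02cc000000ff"), UE, bytes(6), b"")
FRAME_WDS = build_data_frame(1, 1, False, COMMUNITY, UE, bytes(6), b"")

if __name__ == "__main__":
    for f in (FRAME_COMMUNITY, FRAME_HOME, FRAME_OTHER, FRAME_WDS):
        path, out = dispatch(TABLE, f)
        print(path.name, "protected" if is_protected(f) else "clear", "unchanged" if out == f else "")
```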
[0065] In another aspect / embodiment, there can also be multiple virtual APs 340 that can be defined over a single WiFi access point chip or processing device (e.g., processors 112, 114, or 210), such as the pAP 302. For example, the CPE 240 can define multiple APs through the one pAP, one for the home network and one for the community WiFi network. The UE 250, for example, could see / detect multiple WiFi networks, all of which can be enabled / configured in the same piece of hardware or CPE 240. The SP network device 202 of the SP network operates to virtualize one of them (e.g., the community WiFi network) by taking physical functions and removing them from the pAP 302 to the vAP 340 of the SP network 280 as VNFs, and leaves the home network with another BSS or BSSID untouched or remaining as already configured at the pAP 302, for example, so that a virtualized community WiFi network is created.
[0066] As such, multiple different virtual APs can be defined over a single WiFi access point (e.g., the pAP 302 of the CPE 240). A home AP or home network can operate in conjunction at the CPE, and over a single WiFi AP, processing device or CPE, for example, multiple APs (e.g., pAP 302) can be defined, one for a home network that manages UEs at a residence or entity, and another one for a community WiFi network. The UE 250 would thus detect or observe the different WiFi networks available on the same piece of hardware. However, the SP network device / component 202 could virtualize just the community WiFi network at the vAP 340, and maintain the others with their functions at the CPE 240. As such, the home network could still control home traffic, including traffic to the general internet as determined in the home at the CPE 240, which is not related to the SP, while the removal of such functions for access from the CPE 240 to the SP network for the community WiFi network can be controlled by the network pAP controller 320, which instantiates the vAP 340.
[0067] In one example, two or more virtual APs 340 can be generated, each with a distinct network name and MAC address. Additionally, two or more community WiFi network virtual APs, each with a distinct network name and MAC address, can also be formed / instantiated. As such, multiple virtual APs can be enabled over a single WiFi AP GW / CPE 240 to provide multiple VLANs supported by one or more processors, for example, to provide 4 to 64 different vAPs 340. One or more virtual APs can have a distinct L2 MAC address (e.g., a BSSID) and a distinct network name (e.g., SSID) and maintain a separate protocol identity, for example. From the perspective of the UE 250, the virtual APs would appear as several APs that operate on the same radio frequency (RF) channel. WiFi AP firmware and software layers can be designed for common functions (e.g., channel selection, channel access, or the like) and per-virtual-AP functions (e.g., data traffic segregation, L2 security or the like).
[0068] While the methods described within this disclosure are illustrated in and described herein as a series of acts or events, it will be appreciated that the illustrated ordering of such acts or events is not to be interpreted in a limiting sense. For example, some acts may occur in different orders and/or concurrently with other acts or events apart from those illustrated and/or described herein. In addition, not all illustrated acts may be required to implement one or more aspects or embodiments of the description herein. Further, one or more of the acts depicted herein may be carried out in one or more separate acts and/or phases.
[0069] Referring to FIG. 4, illustrated is a process flow 400 employed within a system or device for enabling a WPA2 pass-through from an SP network. An SP network component can execute one or more operations by a processing device with a memory having executable instructions.
[0070] At 402, the operations can include initiating a WiFi protected access 2 (WPA2) pass-through via a CPE 240 to a UE 250. The WPA2 pass-through 270 can be an end-to-end connection between the UE 250 and a component (e.g., vAP 340) of the SP network 280. The WPA2 pass-through 270 can be a link, tunnel or interface that is secured by WPA2 security and further passes through the physical components of a residential GW or CPE 240 to the UE 250 and to the vAP 340, for example, or another SP network component (e.g., pCPE control 320, manager 310, orchestrator 330 or other components of the SP network 280).
[0071] At 404, the process flow 400 includes receiving, via the WPA2 pass-through, a set of traffic data from the UE, wherein the set of traffic data is unmodified by the CPE and associated with a community WiFi network of the CPE. The UE 250 can detect a community WiFi network over a residential gateway or CPE 240. The UE 250 can then further initiate the generation of the WPA2 pass-through via a pAP 302 of the CPE 240 by connecting with the community WiFi network associated with an SP network at the vAP 340. The UE can then communicate a set of encrypted data transparently via the WPA2 pass-through to enable an authentication protocol at the vAP, in which the data is unmodified and is decrypted at the vAP where it is received.
[0072] At 406, the SP network device can then receive data from the UE over the WPA2 pass-through and be configured to generate, by the WPA2 pass-through, an authentication protocol with encrypted data based on a VNF of the pAP associated with the community WiFi network for a vAP of the SP network. In other words, the vAP can be generated from a VNF of the pAP on the SP network by a virtualization of its functions that replaces them on the SP network.
[0073] The SP network device can comprise a WiFi access point management (WAPM) / a RADIUS client / an authenticator / a BSS management, for example, that receives UE data over the WPA2 pass-through that is associated with one BSS from among different BSSs with layer 2 privacy configured at the CPE. The BSS can be associated with the community WiFi network based on a BSS identification (BSSID) at a pAP, which passes any related UE data traffic through the WPA2 pass-through without modification, or transparently.
[0074] Referring to FIG. 5, illustrated are different partition configurations for virtualizing or generating VNFs from the residential GW to the SP network associated with a community WiFi network system 500 for enabling / supporting a WPA2 pass-through. Reference is also made to the above figures in the description. A partition configuration can refer to the resources, hardware, firmware or software and associated functions that are either removed from the pAP 302 and assigned to the vAP 340, or kept at the pAP 302 in the CPE 240, for example. Each feature or function associated with the community WiFi network at the CPE 240 can be enabled by a change in the partition (or partition configuration), which defines which functions are at the pAP 302 or removed / assigned for operation to the vAP 340. Some of the functions of the CPE 240 can be moved out and put in a data center, server component, or other SP network device / component 202, which further can change the protocol, how the different functions communicate in and out from one another through the WPA2 pass-through.
[0075] In one embodiment, a communication link 502 can be provided between the CPE and the vAP 340, which can be controlled by the orchestrator 330, for example, in order to control and measure communication parameters there-between. One such communication parameter, for example, can include a communication latency. Other communication parameters can also be monitored by the orchestrator 330 as well, such as power, signal strength, load, or other communication network parameters in order to dynamically determine the partition configuration of the APs for VNFs associated with the WPA2 pass-through.
[0076] The orchestrator 330 can operate in conjunction with the vAP 340 or the control 320 of the SP network in order to generate or configure partition configurations of the VNFs dynamically or on-the-fly based on a communication parameter(s) (e.g., latency) of the communication link 502. The partition configurations 504 can be virtualized (moved from the CPE 240 to the SP network device 202) to the vAP 340 so that any one partition 510-530 can be selected, enabled or dynamically modified from among these functions, which can be removed from the CPE 240 and executed / assigned by the SP network at the vAP 340 or other SP network component, for example, in relation to a community WiFi network.
[0077] The orchestrator 330, for example, can measure latency, and then decide by the latency which functions to virtualize or re-assign from the pAP 302 to the vAP 340. Based on this decision, the orchestrator 330 configures both the virtual network function(s) (VNFs) 504 and the physical AP 302 to instantiate this specific configuration (or partition configuration). Different configurations can be enabled based on latency. For example, partition configuration one 510 can be enabled as a first partition configuration from among different VNFs when the latency of the link 502 (or 290) is within a first range (e.g., about 100 ms or greater than 100 ms). A second partition can be configured when the latency is determined as being within a second range that is different from the first. The second range can comprise, for example, a latency value that is less than about 100 ms and greater than about 10 ms. A third partition configuration that is different from the first and second partitions can be configured when the latency is in a third range different from the first and second ranges. For example, the third range can be a latency value that is less than about 10 ms.
[0078] In another embodiment, the first partition 510 can include the following components along with associated functions or VNFs, as they can be referred to herein. For example, a WiFi AP management component 512 can be configured to operate one or more policy settings associated with the vAP 340, such as security policies, security extensions with WPA2 security, group settings of one or more UEs, permissions, related quality of service (QoS) parameters, or other network policies or settings, for example. The first partition 510 can further include a RADIUS client component 514 that is configured to operate one or more authentication processes with an authentication server component 506, such as an authentication, authorization, accounting (AAA) server, as well as an associated database 508, for example. The AAA server component 506 can operate to retrieve / compare / confirm / process one or more keys, or security credentials for authentication or decryption of data traffic, for example. The first partition 510 can further include an authenticator component 516 configured to authenticate a user equipment (UE) with the vAP 340 through the pAP 302 on the WPA2 pass-through 270 based on the one or more authentication processes / protocols. The first partition 510 can further include a basic service set (BSS) management component 518 configured to operate a channel selection associated with a BSS identification (BSSID) of the community WiFi network for a client authentication and a key derivation, for example. The BSS management component 518 can control L2 security (per SSID / BSSID), as well as client connection management, the RADIUS client, or robust security client / WPA2 authentication / authentication requests. Any one of these components / associated functions by which each is configured can reside within or be controlled by the SP network device 202 or any component (e.g., virtual AP 340) therein, for example, as VNFs associated with the SP network 280 from the pAP 302.
[0079] In another embodiment, the first partition configuration of VNFs, including the AP management component 512, the RADIUS client component 514, the authenticator 516, and the BSS management component 518, can be classified as non-real time functions, in which the functions do not necessarily occur immediately in time, and even if the function is not successful / complete or fails to meet a parameter or time deadline, possibly more than once (e.g., with multiple requests), the network system 500 is not considered in failure. As such, in some instances the result of the associated function is not worthless in value, or zero, after a request deadline; rather, it could degrade over time, or be pre-configured without being modified immediately or dynamically upon any modification or change in parameters or partition configuration, for example. These functions (VNFs) can be considered non-real time functions with a latency of greater than about 10 ms, for example.
[0080] Additionally, the second partition 520 can further include a radio resource control (RRC) component 519 configured to control per client (UE) functionalities and common functions among clients. The per client functionalities can include at least one of: setting a data path, transmit parameters (e.g., transmit power), one or more modulation coding schemes, a channel width, one or more beamforming groups, or client / UE received signal strength indicators, and the like. Common client functionalities can include at least one of: a dynamic frequency selection, a channel load or coexistence. Additionally, the second partition 520 can include an IPSec channeling / tunneling component 522 operations, GRE component 524 operations, as well as data path functions 526 and 528. These functions and components of the second partition configuration 520 can be based on a real-time operation (RRC 519, IPSec 522, GRE 524, data path 526, 528) and a non-real time operation (e.g., the components and related functions of the first partition configuration 510). Real-time operations can include those functions that have a latency (e.g., a round trip packet latency or time for the function to operate) or take between one to ten milliseconds to function, and non-real time functions can be those that have a latency of greater than 10 milliseconds, for example.
[0081] The third partition configuration 530 can include components / functions within the first partition configuration 510 and the second partition configuration 520, including related components and functions (or potential VNFs) that operate or demand hard real time operation. For example, the RRC 519 can include partially real-time and partially hard real time functions, in which the hard real time functions can be those functions of an associated component that are performed, or utilize resources for any associated function, for less than about 1 ms. A hard real time function can require a particular deadline; otherwise, failure of the function can occur if success is not achieved on the first endeavor, for example.
[0082] The first partition configuration 510 of VNFs, including the AP management component 512, the RADIUS client component 514, the authenticator 516, and the BSS management component 518, can be classified as non-real time functions, in which the functions do not necessarily occur immediately in time, and even if the function is not successful / complete or fails to meet a parameter or time deadline, possibly more than once (e.g., with multiple requests), the network system 500 is not considered in failure. As such, in some instances the result of the associated function is not worthless in value, or zero, after a request deadline; rather, it could degrade over time, or be pre-configured without being modified immediately or dynamically upon any modification or change in parameters or partition configuration, for example. These functions can be considered non-real time functions comprising a latency of greater than about 10 ms, for example. The second partition configuration 520 further comprises real-time functions and associated components (RRC 519, IPSec 522, GRE 524, data path 526, 528), in which even if the component or function of the component fails to meet the deadline / time frame, possibly more than once (i.e., for multiple requests), the system is not considered to have failed. The real time functions operate with a latency of between about 1 to 10 ms, for example, while the third partition configuration includes hard real time functions operational at a latency of less than 1 ms.
[0083] In another embodiment, a configuration can be based on the type of interface between the CPE 240 and the SP network 280. For example, a cable network access can be selected to operate with the second partition configuration 520, while DSL or PON can differ in partition configuration in order to further enable / support / manage the WPA2 pass-through. The partition configurations, however, can be modified at any time during communication packet transfer between the UE, through the CPE and to the SP network based on the latency detected. Other parameters can instantiate other partition configurations as well, and the disclosure is not limited to latency as the only parameter(s) that can be used for dynamically enabling / generating a partition configuration from among various different potential partition configurations with or based on one or more VNFs. Further, the first, second, and third partitions 510-530 can be selected with different functions described herein as VNFs in different partitions 510-530. However, these example partition configurations 510-530 are not fixed or static to the given example embodiments described herein for supporting the WPA2 pass-through.
[0084] The data path components 526 and 528 can include functionality that can at least partially be moved out, or virtualized, from the CPE 240 to the SP network 280 or device 202 as VNFs as well. The data paths or planes 526, 528 can be demonstrated as multiple network interfaces (one interface per VLAN), with the network that is particularly being virtualized (i.e., the community WiFi network from the home CPE 240) having one or more related VNFs. One interface can be for the home network that is not virtualized, and the other one can be for the network that is virtualized. The functions managed by each here can include WPA2 privacy (e.g., encryption / decryption of the packet). For the non-virtualized network, the privacy encryption / decryption can stay locally in the data path at the CPE 240, but for the other one, for example, the encryption / decryption can be virtualized and moved out to the SP network as well.
[0085] These partition configurations 510-530, for example, demonstrate which VNFs can stay at the home and which can move out. Thus, each partition configuration, with associated components or functions of the components, can be virtualized and moved to the SP network 280, the SP network device 202, or an associated component in operation or functional capacity. Essentially, in order for the orchestrator 330 to decide what to move, the latency of the communication (e.g., over link 502 or 290) between the pAP 302 and the SP network is determined. In particular, if the latency is too large and some of the protocols / functionality is virtualized or moved out, the protocol itself, built on the wireless WiFi protocol, will fail because it is bound in time.
[0086] In another embodiment, in order to define / determine what the latency of the communication is, the latency of the link is measured. The orchestrator 330 can measure the latency by using a "ping" procedure. A ping, communication or query can be sent from the SP network 280 to the AP 302, which replies to the PING in response, and then the orchestrator 330 can measure the time it takes to receive the response, which determines the latency. Then, the SP orchestrator 330 or manager 310 can operate to decide how to configure the partitions as well as the appropriate ranges of any parameters associated with the particular partition configurations 510-530, for example. Then the SP orchestrator 330 can configure the partition configuration 510-530 option with the AP 302 by sending a command to the AP 302 that indicates the partition configuration by which it should function or operate in association with a community WiFi network and one or more UEs connecting thereto. In addition, the orchestrator 330 can configure the appropriate VNFs on the SP network side of the WPA2 pass-through 270.
[0087] Referring to FIG. 6, illustrated is an example process flow 600 for dynamic partitioning operations associated with FIG. 5 in accordance with the aspects or embodiments being disclosed.
[0088] At 602, the process flow 600 initiates with determining a partition configuration of one or more VNFs to be configured at a virtual access point (e.g., vAP 340) of the SP network 280 from a physical access point (e.g., pAP 302) of a customer premise equipment (e.g., CPE 240) based on a communication parameter of a communication interface / link (e.g., link 502) to the CPE 240.
[0089] At 604, the flow comprises instantiating the vAP of the SP network based on a community WiFi network to enable a WiFi protected access 2 (WPA2) pass-through. This act can be based on a partition configuration determined by the VNF orchestrator 330, for example. A communication query or PING can be sent to the CPE, a response then received in response to the PING / query, and based on a measurement of a related parameter (e.g., WAN latency, load, etc.) the partition can be selected and configured.
[0090] At 606, the flow continues by enabling the WPA2 pass-through transparently through the pAP from the vAP.
[0091] At 608, the orchestrator 330, for example, can modify the partition configuration from the set of VNFs by removing operations associated with the pAP of the community WiFi network from the pAP to the vAP in response to a change in a latency value of the communication link.
[0092] The first partition configuration from the set of VNFs can be configured when a link latency is about 100 ms or greater. The second partition configuration from the set of VNFs can be configured when the link latency is less than about 100 ms and greater than about 10 ms. A third partition configuration can be configured from the set of VNFs when the link latency is about 10 ms, or less than about 10 ms, for example.
Alternatively, other ranges of parameters can correspond differently to the first, second or third partitions.
[0093] As such, the orchestrator component 330 or the SP network device 202 can measure a WAN link latency (GW-to-SP network access GW) using a PING communication, for example. A decision can then be made to enable vAP functions based on the measured latency, such as non-real-time control only (e.g., the first partition 510); non-real-time control with privacy and a part of real-time control (e.g., the second partition 520); or non-real-time, real-time and hard real-time control together with privacy (e.g., the third partition 530). The orchestrator 330 can then configure the GW functions and AP VNFs (e.g., as a vWPA2 pass-through operational system). AP management and control is then located on the virtual WPA control VNF, and the AP data plane is in the virtual plane.
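The latency-driven selection described in [0086] through [0093], as an added worked example that is not code from the patent or from Intel: ping round-trip samples are reduced to one latency value, mapped onto the three partition configurations 510-530 using the ranges given above, and a reconfiguration command listing the VNFs that move between pAP and vAP is produced only when the partition changes. The use of the median over a burst of replies, the `Orchestrator` class and all function names are assumptions; the patent only states that the response time is measured.

```python
import statistics

PARTITION_1, PARTITION_2, PARTITION_3 = 510, 520, 530   # reference numerals of FIG. 5

# VNFs the SP-side vAP takes over from the pAP in each partition, as listed in [0093].
VAP_FUNCTIONS = {
    PARTITION_1: {"non-real-time control"},
    PARTITION_2: {"non-real-time control", "privacy", "partial real-time control"},
    PARTITION_3: {"non-real-time control", "privacy", "real-time control", "hard real-time control"},
}

def measure_latency_ms(rtt_samples):
    """One latency value from a burst of ping replies. Taking the median is an
    assumption (it tolerates one slow reply); the patent only says the response time is measured."""
    if not rtt_samples:
        raise ValueError("no ping replies received")
    return statistics.median(rtt_samples)

def select_partition(latency_ms):
    """Ranges from [0092]: >= 100 ms -> first, 10-100 ms -> second, <= 10 ms -> third."""
    if latency_ms >= 100:
        return PARTITION_1
    if latency_ms > 10:
        return PARTITION_2
    return PARTITION_3

class Orchestrator:
    """Tracks the partition configured on one AP and emits a reconfiguration command
    (act 608) only when a new latency measurement changes the partition."""

    def __init__(self, ap_id):
        self.ap_id = ap_id
        self.partition = None          # nothing configured yet

    def on_ping_result(self, rtt_samples):
        new = select_partition(measure_latency_ms(rtt_samples))
        if new == self.partition:
            return None                # no change, nothing to send to the AP
        old, self.partition = self.partition, new
        was_virtual = VAP_FUNCTIONS.get(old, set())
        return {
            "ap": self.ap_id,
            "partition": new,
            "to_vap": sorted(VAP_FUNCTIONS[new] - was_virtual),   # functions moving to the SP side
            "to_pap": sorted(was_virtual - VAP_FUNCTIONS[new]),   # functions handed back to the CPE
        }

if __name__ == "__main__":
    orch = Orchestrator("pAP-302")
    print(orch.on_ping_result([12, 14, 200, 13]))   # cable-like link: partition 520
    print(orch.on_ping_result([9, 8, 10]))          # latency dropped: partition 530
    print(orch.on_ping_result([9, 8, 10]))          # unchanged: None
```

The command dictionary stands in for the message the orchestrator sends to the AP; the two set differences are what a real implementation would translate into VNF instantiation on the SP side and function removal on the CPE.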
[0094] Referring now to FIG. 7, illustrated is an example virtualization architecture in accordance with various aspects or embodiments herein. For example, the NFV operations can be performed / managed according to the SP components, which can correspond to an NFV management and orchestration (NFV MANO) 702, a defined framework for the management and orchestration of the cloud data center, including computing, networking, storage, and virtual machine (VM) resources, implemented by one or more components or devices within or a part of the SP network 280. The architecture 700 can facilitate or enable VR performance measurement threshold monitoring (e.g., of one or more partition configuration / communication link parameters) as well as threshold crossing notification according to various aspects described herein. In FIG. 7, a virtual network function (VNF) performance measurement (PM) threshold creation flow (and optional subsequent notification of threshold crossing) that can be employed in connection with various aspects described is illustrated as an example threshold monitoring operation, along with a threshold crossing notification flow.
[0095] The system illustrated in FIG. 7 comprises a Network Manager (NM) 710, a Network Function Virtualization (NFV) Orchestrator (NFVO) 720, a network Element Manager (EM) 730, a set of Virtualized Network Functions (VNFs) 770 virtualized by Virtualization Resources (VRs) of an NFV Infrastructure (NFVI) 750, a VNF Manager (VNFM) 740, and a Virtualized Infrastructure Manager (VIM) 760. The solid lines between these entities indicate the various reference points that facilitate data exchange between these entities, the dashed lines indicate the flow of data associated with threshold creation, and the dashed and dotted lines indicate the flow of data associated with the notification of threshold crossing.
[0096] One or more components disclosed or described herein can correspond to these components. For example, the orchestrator 330 can be configured as the NFVO 720 to facilitate / enable / control on-boarding of network services (NS) and VNF functions, VNF packages, NS lifecycle management, global resource management, validation and authorization of network functions virtualization infrastructure (NFVI) resource requests, and the like. The orchestrator 330 can be coupled to the manager 310 as well as to the vAP (or virtualized network element) 340 as a VNF manager 740 that oversees or controls lifecycle management of VNF instances and has a coordination and adaptation role for configuration and event reporting, for example. The pCPE control 320, for example, can also operate as a virtualized infrastructure manager (VIM) 760, as an entryway or portal to the SP network 280 and the SP network device(s) or components 202, for example, to control and manage the NFVI compute, storage, or network resources, including the WPA2 pass-through and WPA2 protocol process flows. Any one of the orchestrator 330, a database, or another server component (e.g., an authentication, authorization, accounting server, or the like) of a server system that manages or enables the SP network 280 can further operate to open access for a specific user / UE 250 (e.g., by service set identifier (SSID)) of the SP network 280 to the internet or other WAN.
[0097] In order to provide further context for various aspects of the disclosed subject matter, FIG. 8 illustrates a non-limiting example of a UE device, such as a laptop, tablet, or other communication device or wireless terminal 800, that can implement some or all of the aspects described herein. In an aspect, a wireless terminal (such as a laptop, tablet, or other communication device), network device or SP network device 800 of an SP network can receive and transmit signal(s) to and/or from wireless devices such as APs, access terminals, wireless ports and routers, or the like, through a set of L antennas 820_1-L, which can be configured according to one or more embodiments or aspects described herein. In one example, antennas 820 can be implemented as part of a communication platform 815, which in turn can comprise electronic components and associated circuitry and/or other means that provide for processing and manipulation of received signal(s) and signal(s) to be transmitted. The antennas 820 can comprise the various antenna elements incorporating the different aspects or embodiments disclosed herein.
[0098] In an aspect, communication platform 815 can include a monitor component 804 and antenna component 806, which can couple to communication platform 815 and include electronic components with associated circuitry that provide for processing and manipulation of received signal(s) and other signal(s) to be transmitted. The communication platform 815 can further comprise a receiver/transmitter or transceiver 816, which can transmit and receive signals and/or perform one or more processing operations on such signals (e.g., conversion from analog to digital upon reception, conversion from digital to analog upon transmission, etc.). In addition, transceiver 816 can divide a single data stream into multiple, parallel data streams, or perform the reciprocal operation.
[0099] Additionally, the communication device 800 can include display interface 808, which can display functions that control functionality of the device 800, or reveal operation conditions thereof. In addition, display interface 808 can include a screen to convey information to an end user. In an aspect, display interface 808 can be a liquid crystal display, a plasma panel, a monolithic thin-film based electro chromic display, and so on. Moreover, display interface 808 can include a component (e.g., speaker) that facilitates communication of aural indicia, which can also be employed in connection with messages that convey operational instructions to an end user. Display interface 808 can also facilitate data entry (e.g., through a linked keypad or through touch gestures), which can cause access equipment and/or software 800 to receive external commands (e.g., restart operation).
[00100] Broadband network interface 810 facilitates connection of access equipment and/or software 800 to a service provider network (not shown) that can include one or more cellular technologies (e.g., third generation partnership project universal mobile telecommunication system, global system for mobile communication, and so on) through backhaul link(s) (not shown), which enable incoming and outgoing data flow. Broadband network interface 810 can be internal or external to access equipment and/or software 800, and can utilize display interface 808 for end-user interaction and status information delivery.
[00101] Processor 835 can be functionally connected to communication platform 815 and can facilitate operations on data (e.g., symbols, bits, or chips) for multiplexing/demultiplexing, such as effecting direct and inverse fast Fourier transforms, selection of modulation rates, selection of data packet formats, inter-packet times, and so on. Moreover, processor 835 can be functionally connected, through a data, system, or address bus, to display interface 808 and broadband network interface 810, to confer, at least in part, functionality to each of such components.
[00102] In another example, a multiplexer/demultiplexer (mux/demux) unit 817 can be coupled to transceiver 816. Mux/demux unit 817 can, for example, facilitate manipulation of signals in time and frequency space. Additionally or alternatively, mux/demux unit 817 can multiplex information (e.g., data/traffic, control/signaling, etc.) according to various multiplexing schemes such as time division multiplexing (TDM), frequency division multiplexing (FDM), orthogonal frequency division multiplexing (OFDM), code division multiplexing (CDM), space division multiplexing (SDM), or the like. In addition, mux/demux unit 817 can scramble and spread information according to substantially any code generally known in the art, such as Hadamard-Walsh codes, Barker codes, Kasami codes, polyphase codes, and so on.
[00103] In a further example, a modulator/demodulator (mod/demod) unit 818 implemented within communication platform 815 can modulate information according to multiple modulation techniques, such as frequency modulation, amplitude modulation (e.g., L-ary quadrature amplitude modulation (L-QAM), etc.), phase-shift keying (PSK), and the like. Further, communication platform 815 can also include a coder/decoder (codec) module 819 that facilitates decoding received signal(s) and/or coding signal(s) to convey.
[00104] According to another aspect, wireless terminal 800 can include a processor 835 configured to confer functionality, at least in part, to substantially any electronic component utilized by wireless terminal 800. As further shown in system 800, a power supply 825 can attach to a power grid and include one or more transformers to achieve a power level at which various components and/or circuitry associated with wireless terminal 800 can operate. In one example, power supply 825 can include a rechargeable power mechanism to facilitate continued operation of wireless terminal 800 in the event that wireless terminal 800 is disconnected from the power grid, the power grid is not operating, etc.
[00105] In a further aspect, processor 835 can be functionally connected to communication platform 815 and can facilitate various operations on data (e.g., symbols, bits, chips, etc.), which can include, but are not limited to, effecting direct and inverse fast Fourier transforms, selection of modulation rates, selection of data packet formats, inter-packet times, etc. In another example, processor 835 can be functionally connected, via a data or system bus (e.g., a wireless PCIE or the like), to any other components or circuitry not shown in system 800 to at least partially confer functionality to each of such components, such as by the antenna systems disclosed herein.
[00106] As additionally illustrated, a memory 845 can be used by wireless terminal 800 to store data structures, code instructions and program modules, system or device information, code sequences for scrambling, spreading and pilot transmission, location intelligence storage, determined delay offset(s), over-the-air propagation models, and so on. Processor 835 can be coupled to the memory 845 in order to store and retrieve information necessary to operate and/or confer functionality to communication platform 815 and/or any other components of wireless terminal 800.
[00107] Further, the antenna systems described above with the communication device 800 can also be configured, for example, to operate at a wide range of frequencies in a high band frequency range, and can additionally include peer-to-peer (e.g., mobile-to-mobile) ad hoc network systems often using unpaired unlicensed spectrum, 802.xx wireless LAN, BLUETOOTH and any other short- or long-range wireless frequency ranges and communication techniques. The narrow band antenna elements disclosed herein, such as the antenna resonating systems of the devices disclosed, for example, can also be configured to operate at other frequency ranges.
[00108] In other examples, the components (of SP device 202 or an affiliated component) disclosed herein can operate to communicate wirelessly with other components, such as the display interface 808 as a wireless device, or with other wireless interfaces, such as a wireless USB device, for example. For example, a wireless USB device can communicate within a frequency range. In addition, the antenna systems disclosed can be configured to communicate with other wireless connections, components, interfaces or devices in order to provide communication interfacing for wireless component-to-component communications. For example, a PCB-to-PCB interface can be facilitated by the high band antenna systems, as well as micro / millimeter wave communications among one or more internal or external components. Other communication interfaces can also be facilitated by the antenna elements disclosed, such as internet of things (IoT) to IoT components, wearable components, mobile to mobile, a network base station (e.g., a macro cell network device, femto cell device, pico cell device or other network devices) or any combination thereof communicating via one or more of the antenna elements, such as via the antenna system or devices herein, for example. Additional examples are also envisioned by which the antenna systems disclosed herein can operate in different frequency ranges and facilitate communications with, or among, one or more wireless components or devices. For example, industrial, scientific and medical (ISM) radio bands, radar bandwidths, or other ranges of a frequency spectrum can also be used for communications by the antenna systems being disclosed.
[00109] Embodiments described herein can be implemented into a system using any suitably configured hardware and/or software. FIG. 9 illustrates components of a network in accordance with some embodiments. In various aspects, part(s) or all of one or more of the components illustrated in connection with the figures herein can be implemented as virtual network functions (VNFs) in connection with various aspects described herein. An Evolved Packet Core (EPC) network 900 is shown to include a Home Subscriber Server (HSS) 910, a Mobility Management Entity (MME) 920, a Serving GateWay (SGW) 930, a Packet Data Network (PDN) GateWay (PGW) 940, and a Policy and Charging Rules Function (PCRF) 950.
[00110] The HSS 910 comprises one or more databases for network users, including subscription-related information to support the network entities' handling of communication sessions. For example, the HSS 910 may provide support for routing/roaming, authentication, authorization, naming/addressing resolution, location dependencies, etc. The EPC network 900 may comprise one or several HSSs 910, depending on the number of mobile subscribers, on the capacity of the equipment, on the organization of the network, etc.
[00111] The MME 920 is similar in function to the control plane of legacy Serving General packet radio service (GPRS) Support Nodes (SGSN). The MMEs 920 manage mobility aspects in access such as gateway selection and tracking area list management. The EPC network 900 may comprise one or several MMEs 920.
[00112] The SGW 930 terminates the interface toward an Evolved UMTS (Universal Mobile Telecommunications System) Terrestrial Radio Access Network (E-UTRAN), and routes data packets between the E-UTRAN and the EPC network 900. In addition, the SGW 930 may be a local mobility anchor point for inter-eNodeB handovers and also may provide an anchor for inter-3GPP mobility. Other responsibilities may include lawful intercept, charging, and some policy enforcement.
[00113] The PGW 940 terminates an SGi interface toward the PDN. The PGW 940 routes data packets between the EPC network 900 and external networks, and may be a node for policy enforcement and charging data collection. The PCRF 950 is the policy and charging control element of the EPC network 900. In a non-roaming scenario, there may be a single PCRF in the Home Public Land Mobile Network (HPLMN) associated with a User Equipment's (UE) Internet Protocol Connectivity Access Network (IP-CAN) session. In a roaming scenario with local breakout of traffic, there may be two PCRFs associated with a UE's IP-CAN session: a Home PCRF (H-PCRF) within a HPLMN and a Visited PCRF (V-PCRF) within a Visited Public Land Mobile Network (VPLMN). The PCRF 950 may be communicatively coupled to an application server (alternatively referred to as application function (AF)). Generally, the application server is an element offering applications that use Internet Protocol (IP) bearer resources with the core network (e.g., UMTS Packet Services (PS) domain, Long Term Evolution (LTE) PS data services, etc.). The application server may signal the PCRF 950 to indicate a new service flow and select the appropriate Quality of Service (QoS) and charging parameters. The PCRF 950 may provision this rule into a Policy and Charging Enforcement Function (PCEF) (not shown) with the appropriate traffic flow template (TFT) and QoS class identifier (QCI), which commences the QoS and charging as specified by the application server.
[00114] The components of the EPC 900 may be implemented in one physical node or separate physical nodes. In some embodiments, Network Functions Virtualization (NFV) is utilized to virtualize any or all of the above described network node functions via executable instructions stored in one or more computer readable storage mediums (described in further detail below). A logical instantiation of the EPC network 900 may be referred to as a network slice 901. A logical instantiation of a portion of the EPC network 900 may be referred to as a network sub-slice 902 (e.g., the network sub-slice 902 is shown to include the PGW 940 and the PCRF 950).
[00115] Referring to FIG. 10, illustrated is an example data flow with protocol details of data flows for a CPE or residential home GW in accordance with the aspects or embodiments described herein. The process flow 1000 illustrates the data exchanges occurring for a partitioning of the VNFs from a pAP 302 in the CPE to the vAP 340 at the SP provider network 280. When the data flow occurs via communications of the WPA2 pass-through interface 270, for example, a dynamic partition can be enabled. When this dynamic partition is performed, partition configuration two can be one option as discussed herein, which can be enabled when the link 290 is a cable link, or considered as option 2. The partitioning here, i.e., which functions will be removed from the pAP 302 of the CPE 240 and which will be executed / done in the pAP 302 at the CPE 240 or AP or Gateway, can be illustrated by the acts of FIG. 10 between a WAV 500 or WiFi chip component and a platform system on a chip (SoC), each of which can be a part of or integrated with the CPE 240 as a wireless routing or network device, or residential home GW, for example. The WAV 500 component can individually or separately also be a part of or comprise a range extender coupled to the pAP 302 for wireless communication with a UE, mobile device or other network device.
[00116] In one example, the left portion / path can be considered a receive path 1030. Packets can be received via the receive path at the pAP 302 of the CPE 240 over an air interface or WiFi airlink 1002 in order to process data for the community WiFi network from a UE, for example, or other wireless network device. Packets can be generically referred to as data packets or packet data, while data packets can also be distinguished from management packets; the term packets or data packets can refer to both, or to data packets specifically, for example. In general, management packets can comprise a request for association or authentication, while data packets can refer to packets already configured for association or authentication after such protocols have succeeded between the SP network 280 and CPE 240, for example, or corresponding components.
[00117] The pAP 302 of the CPE 240 can include one or more components including the WAV 500 WiFi processor chip, for example, and the Platform SoC of the CPE. These can be separate components or divisions with separate interfaces within or a part of the CPE 240 overall or the pAP 302. In response to receiving a packet (or mobile / UE packet) at 1004 along the receive path 1030, a check can be performed at 1006 (e.g., by the pAP 240) as to whether or not the packet belongs to the community WiFi network, which is configured as a virtual network.
[00118] The check at 1006 can be performed by the WAV 500 according to or based on the BSS ID of the packets, such as a corresponding BSS ID in a received frame for the community WiFi BSS ID. If the packets belong to the BSS according to the BSS ID, then a determination or check can be made for the class (e.g., Class 1-3) of the packet. However, if the packet does not belong to the BSS as the community WiFi network, then the partition configuration is not virtualized and the residential GW or CPE 240 would process the packet accordingly without a WPA2 pass-through interface 270 to the SP network 280.
[00119] With respect to checking for the class (e.g., Class 1-3), this is the wireless LAN specific functionality as defined in the Wireless LAN 802.11 spec. Three different specific types of packets can be enabled or specified to be in a specific state, called class 1, 2 and 3. In the state in which the client is not associated to the network, only packets that are management packets, called Class 1, can be accepted. Management packets can be similar to or considered packets making an initial request for an association with the network. Class 2 can be considered an intermediate class, and class 3 applies when the client is associated with the network, in which case all of the packets, in particular data packets and management packets as different packet types, can be accepted (unlike class 2).
[00120] After checking whether the packets received over the airlink (or air interface) belong to the community WiFi network or not, and if belonging, forwarding the packets along the receive path 1030, received metadata can be added to the packet. The received metadata, for example, can be any additional information that is not originally within or a part of the packet, but that would have / could have been collected when the packet was received. This received metadata or metadata can include, for example, the received signal strength (e.g., a received signal strength indication (RSSI)), the signal-to-noise ratio or other signal power strength indication or parameter that was also received / able to be determined with receiving the packet over the air 1002, and a physical header (e.g., 802.1x PHY layer header or other similar packet header) associated with it. Typically, the physical header with all the associated information has been dropped because there may not be a need for it in further processing, aside from only utilizing it to receive the frame at the lowest possible level (e.g., as Class 1). However, this physical header could be available for the VNF by the SP network 280 if retained, as in the act at 1008. The metadata can be information that the SP 280, for example, could use to manage a radio resource parameter (e.g., a latency, power or signal strength, or other similar communication signal / link parameter) such as a radio parameter of the SP network, the community WiFi network or the communication link therebetween.
[00121] In an aspect, packet data or packets can be received and further transferred for processing without alteration to the encryption or decryption of the packets by the CPE 240. The packets can be passed along (via the WPA2 pass-through interface 270) in the same form as received, as well as with some added or additional metadata information, for example.
[00122] The packet can be moved to the next stage (e.g., at a platform SoC or SoC platform) for processing, whereby at 1010 a generic routing encapsulation (GRE) header can also be added. This GRE header, for example, can be an IP header that contains the information of what the destination is, in which the destination can be the virtual network function (VNF) in the SP network 280, such as at the vAP 340.
[00123] Additionally, the packet(s) can be forwarded at 1012 to the wide area network (WAN) interface or CPE WAN link 1014 (e.g., cable / digital subscriber line (DSL) / passive optical network (PON) 290), which can be at least in part in a router of the CPE. This CPE WAN link 1014, for example, can be the network interface that connects to the SP network 280 (e.g., a cable provider network or the like). As such, the CPE 240, for example, can operate by receiving packets from the wireless interface 1002, adding to them and passing them along to the WAN 1014 to go to the SP network 280 without a modification involving an encryption or decryption by the CPE 240.
[00124] Continuing along the right side of FIG. 10, a transmit path 1040 is configured for the continued data flow, which can be a management and control path for management and control operations, while the receive path 1030 is a data path. Along the transmit path 1040, a packet from the WAN is received at 1016, which could contain SP provider data or other internet provider (IP) data to be rendered at a screen of the UE or by a browser. The received packet can be from the SP network or the CPE WAN link 1014, for example over the cable modem link, and is then processed at additional steps. Once the packet is received from the cable modem, for example, the packets can be identified as belonging to the network (community WiFi network) that has been virtualized at the vAP 340.
[00125] For example, at 1018 a GRE header can be stripped from the received packet, as the packet can come from the VNF (e.g., vAP 340) as an IP packet. The packet can then be passed along the transmit path 1040 without the GRE header to the WiFi access point chip (e.g., WAV 500 or the like component). The WiFi AP chip then operates to transmit the packet at 1022 further along to the air interface 1002. For example, the WiFi AP chip puts the packet without the GRE header in the WiFi transmit queue at 1020 and schedules it for transmission at 1022; as such the CPE does not have to do any further modification to the packet, especially with respect to encryption / decryption. These acts of the data flow 1000 can be what is performed for the community WiFi network with virtualization to happen in the CPE 240 in a router, for example. Typically, if all the functionality is inside the CPE or router, and the operating network is not a virtual network, there would be many more steps for the CPE to implement that are not included here, such as encryption / decryption operations. The received packet would also be transformed from 802.3 to 802.11 format, decrypted and only then connected or associated to the transmit queue, for example.
[00126] As such, the WPA2 pass-through 270 can enable / manage an authentication or security protocol with the UE 250 based on a VNF of a pAP 302 associated with the community WiFi network for (e.g., the creation of) a vAP of the SP network 280 of the SP network device / component 202. The vAP 340, thus, can be a creation or instance of a set of functions that have been virtualized from the pAP 302 in relation to a community WiFi network. As described above, the community WiFi network can be a hot spot, or other pass point or network configured to be enabled at the CPE 240 for guests, subscribers of the SP (e.g., Comcast), or the home with a UE 250 that recognizes the community WiFi network based on a BSSID, for example, and initiates a connection with it. In return, an authentication / security protocol can be exchanged without interference, tampering, modification or concern of breach by or through the CPE 240 to the vAP 340 at the SP network 280, especially with respect to decryption / encryption via the WPA2 pass-through associated with the community WiFi network.
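The receive path 1030 and transmit path 1040 of FIG. 10 ([00116] through [00125]), as an added example that is not code from the patent or from Intel. It models the CPE side only: a minimal 802.11 MAC header is parsed to find the BSSID and the frame class, frames of the community BSS are prefixed with a received-metadata record and a 4-byte GRE base header and forwarded to the WAN byte-for-byte unchanged, and on the transmit side the GRE header is stripped and the frame is handed to the WiFi queue. The BSSID and station addresses, the metadata record layout (`META_FMT`), the simplified class assignment and all function names are constructed assumptions; the GRE protocol type 0x6558 (Transparent Ethernet Bridging), the 802.11 address layout and the station-state rule (a STA in state N may send frames of class N or lower) are standard.

```python
import struct

# Constructed sample values; nothing here is taken from the patent.
COMMUNITY_BSSID = bytes.fromhex("02aabbccdd01")   # BSS virtualized at the vAP
HOME_BSSID = bytes.fromhex("02aabbccdd02")        # handled locally by the residential GW
GRE_PROTO_TEB = 0x6558                            # GRE protocol type: Transparent Ethernet Bridging
META_FMT = "!bBH"                                 # RSSI (dBm, signed), SNR (dB), retained PHY header length

TYPE_MGMT, TYPE_DATA = 0, 2                       # 802.11 frame type field
SUB_ASSOC_REQ, SUB_PROBE_REQ, SUB_AUTH = 0x0, 0x4, 0xB
STATE_UNAUTH, STATE_AUTH, STATE_ASSOC = 1, 2, 3   # 802.11 station states

def frame_type(frame):
    """(type, subtype) from the first frame-control byte."""
    return (frame[0] >> 2) & 0x3, (frame[0] >> 4) & 0xF

def bssid_of(frame):
    """BSSID is addr1 (RA) for ToDS data frames and addr3 for management frames."""
    ftype, _ = frame_type(frame)
    if ftype == TYPE_DATA and frame[1] & 0x01:    # ToDS bit of the second FC byte
        return frame[4:10]
    return frame[16:22]

def frame_class(frame):
    """Simplified class assignment (assumption): class 1 = pre-authentication management
    (probe, authentication); class 2 = other management (association stage); class 3 = data."""
    ftype, sub = frame_type(frame)
    if ftype == TYPE_MGMT:
        return 1 if sub in (SUB_PROBE_REQ, SUB_AUTH) else 2
    return 3

def admitted(frame, sta_state):
    """A STA in state N may send frames of class N or lower."""
    return frame_class(frame) <= sta_state

def build_frame(ftype, subtype, to_ds, addr1, addr2, addr3, body):
    """Constructed minimal frame: FC(2) duration(2) addr1 addr2 addr3 seq(2) body."""
    fc = bytes([(subtype << 4) | (ftype << 2), 0x01 if to_ds else 0x00])
    return fc + b"\x00\x00" + addr1 + addr2 + addr3 + b"\x10\x00" + body

def cpe_receive(frame, sta_state, rssi_dbm, snr_db, phy_header):
    """Acts 1004-1012 of the receive path 1030. Returns the GRE packet for the CPE WAN
    link, or None when the frame is not for the community BSS (the home GW handles it)
    or is not admitted for the STA's state. The frame itself is forwarded unchanged:
    no decryption and no 802.11-to-802.3 conversion happen at the CPE."""
    if bssid_of(frame) != COMMUNITY_BSSID:
        return None
    if not admitted(frame, sta_state):
        return None
    metadata = struct.pack(META_FMT, rssi_dbm, snr_db, len(phy_header)) + phy_header
    gre = struct.pack("!HH", 0, GRE_PROTO_TEB)    # flags/version 0: base header only
    return gre + metadata + frame

def cpe_transmit(wan_packet):
    """Acts 1016-1022 of the transmit path 1040: strip the GRE header and hand the
    frame to the WiFi transmit queue exactly as the vAP produced it."""
    flags_ver, proto = struct.unpack("!HH", wan_packet[:4])
    if proto != GRE_PROTO_TEB or flags_ver & 0xF000:   # optional GRE fields are not expected
        raise ValueError("unsupported GRE header")
    return wan_packet[4:]

if __name__ == "__main__":
    sta = bytes.fromhex("021122334455")
    data = build_frame(TYPE_DATA, 0, True, COMMUNITY_BSSID, sta, COMMUNITY_BSSID, b"ciphertext")
    wan = cpe_receive(data, STATE_ASSOC, -61, 27, b"\x00" * 5)
    print(wan.hex())
    print(cpe_transmit(b"\x00\x00\x65\x58" + data) == data)   # True
```

The point the flow makes is visible in `cpe_receive`: the only bytes the CPE adds are a prefix, and the WPA2-protected frame body is never touched, so the CPE holds no keys and cannot read or alter the community traffic.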
[00127] Further, the SP network component 202 can operate to virtualize authentication and encryption protocols over the WPA2 pass-through to ascertain one or more credentials to be filled in by the UE 250 or client, by maintaining / controlling / operating functions that would otherwise be associated with the residential GW / CPE 240 at the SP network 280. The authentication protocols can include, for example, WISPr 1.0, or the 802.1x protocol where a specific procedure / protocol with .1x can be with / without extensions such as EAP-TTLS, PEAP, EAP-SIM, EAP-AKA, for example, or other extensions. As such, the SP network component 202, for example, can create a virtual network function for a pAP to form an instance of a vAP based on one or more VNFs, depending on the partition configuration (e.g., a second partition configuration for cable).
[00128] The WPA2 pass-through 270 ensures security end-to-end, all the way through the CPE to the SP network, and ensures that modification, tampering or breach of privacy is given no opportunity in association with a community WiFi network, nor to disrupt such communication flow for any possible breach. The WPA2 pass-through 270 can be instantiated or generated by the SP network device 202 when there is a configuration at the CPE 240 where all the traffic for a specific network (e.g., community WiFi network) is passed transparently through the residential GW 240 without the residential GW 240 touching / removing any of the bits of this traffic, and through the cable / DSL / PON access to the SP network 280 at one or more components / devices thereat (e.g., the SP network device 202).
[00129] Authentication or security protocol(s) can then be facilitated through the WPA2 pass-through 270 connection / interface. An encryption key is then communicated (shared) between the UE 250 and some function or component in the SP network 280 as part of such protocol. In this situation, all the data traffic from the connecting UE 250 flows transparently through the home network CPE 240, gets to the SP network 280, and is encrypted / decrypted there. With this approach of utilizing or generating the WPA2 pass-through 270 by the SP network device / component, there is no point at the home CPE, in the middle between the UE and the SP network, where the traffic is unencrypted and where someone who hacks into the home GW 240 could get access to it. This traffic does not belong to the home network; it is the traffic of the community WiFi, and thus belongs to the SP, but happens to pass through the home network via the WPA2 pass-through.
[00130] Referring now to FIG. 11, illustrated is an example data flow between the CPE 1102 (from the CPE WAN link 1014 of FIG. 10) and the community WiFi wireless access GW 1122 (e.g., the SP network device 202, or any component thereof) in accordance with various aspects or embodiments being described. Thus, the acts operating in the VNF (e.g., vAP 340) of the SP network 280, i.e., the functions that have been split out from the pAP 302 and implemented as functions in the SP network or SP network device / component 202, are illustrated along the data flow 1100.
[00131] Beginning for reference at 1104, a packet has been received from the receive direction / path 1030 of FIG. 10 over the CPE WAN link 1014 from the CPE 1102 and processed along receive path 1170 to the Hostapd community WiFi control 1116 or the Community WiFi Wireless Access GW 1122 as part of the receive path. At 1106, the GRE header is stripped because the packet has been received at its destination, and thus, to get to the packet body or data payload, the GRE header can be stripped. At 1108, a determination can be made whether the packet is encrypted, and the packet is decrypted if it is. In order to decrypt the packet, a station (STA) context database 1112 (e.g., DB 508), which can include a station connection state, keys for encryption / decryption and other client / UE specific related data (e.g., an RSSI, latency, or other parameters or data), can be accessed.
[00132] At 1108, by reference to the STA context database 1112, a determination can be made to decrypt the packet, whether a replay attack is occurring (whether the packet is the same as or similar to a past packet that has been decrypted previously), or whether decryption is unsuccessful. If a determination is made that a replay attack notification is to be generated, because the packet is shown to have been decrypted as the same or a similar packet once before, this can mean that the packet was not newly created by the client or sending device, but that an attacker has captured one packet and is sending it again and again to see how the network behaves (called a replay attack). If a replay attack is detected, a replay attack notification can be generated, the packet or encrypted packet is dropped, and a replay counter (not shown), which can be included in the STA context database 1112, can be updated. The counters in the STA context database 1112 can also be part of the VNF that handles the data flow at the SP network device 202, for example.
[00133] At 1110, a determination is made as to whether the packet is an aggregated packet, such as an aggregated MAC service data unit (A-MSDU). An A-MSDU is the result of multiple MSDUs aggregated together, such as several packets combined in a special format called an A-MSDU. Alone, an MSDU is the service data unit that is received from the logical link control (LLC) sub-layer, which can lie above the media access control (MAC) sub-layer in a protocol stack, for example. The LLC and MAC sub-layers are collectively referred to as the data link layer (DLL). Some packets received at 1110 could be determined not to be aggregated. Aggregation can occur, for example, to reduce the overhead of the transmission and to obtain or form a higher layer group or grouping. When packets are received there is usually a gap between them; to decrease the gap and increase efficiency, many packets can sometimes be lumped together or aggregated in one large packet such as an A-MSDU. If the packets received are aggregated as an A-MSDU, then they can be de-aggregated and split at 1110 into individual packets and moved to the next stage 1114 of the receive path 1170 for further processing.
[00134] At 1114, a determination can be made as to whether the packets are management packets or data packets. If the packets after de-aggregation contain management packets, referred to as management MPDUs (MMPDUs), which are the packets used to establish a connection or change any connection parameters, then these MMPDUs are forwarded at 1114 to a Hostapd community WiFi control (e.g., pAP 320, manager 310 or another component of the SP network).
[00135] Some packets could be simply data packets, which are packets with information or data in a payload for communicating information once the user or UE has been associated (e.g., with data of class 2 or class 3). Data packets can be considered packets that just hold information, for example, from a web browser or any type of application or software program. If the packet received is an MMPDU, then it can be passed to be un-packaged / processed by the component doing access point management and control, on the transmit path 1180, i.e., the control VNF or Hostapd 1116 (e.g., pCPE control 320), for BSS management, for example. For a management packet, the hostapd 1116 can be the component operating BSS management, recognizing that the packet represents a new client (an unassociated UE or network device) that wants to connect by asking for a station request with an MMPDU packet. The hostapd component 1116 can send a station response, which will be processed along the transmit path 1180, as a management and control path, through the CPE 240 and over the air to the client, so that the client can then start establishing a connection.
[00136] However, if the packet comprises a data packet (e.g., video such as Netflix data), this packet can go all the way up to a data VNF or community WiFi wireless access GW 1122 (e.g., vAP or another SP network component), where the data packet is detected and transmitted from there to the internet, for example. If the packet is not an MMPDU packet but a data packet, then it is converted at 1118 from the 802.11 format to the 802.3 format, which are formats of the IEEE standards. Then, at 1118, the packet is forwarded to the community WiFi GW 1122 for further forwarding to the internet. Before being forwarded completely, at 1120 a GRE header of the community WiFi GW can be added, and the packet is sent out from there as an IP packet so that eventually it gets to the community WiFi GW 1122.
[00137] In the transmit direction 1180, a packet can be received from the community WiFi GW 1222. At 1124, the GRE header is stripped; then the packet is encrypted at 1126 using the station context database and the WPA2 keys. The GRE header is then added at 1128 for the CPE 1102, the residential home router or home GW. The packet is transmitted to the CPE 1102 (e.g., CPE 240 of FIG. 2) as an IP packet, and on to the UE via the CPE. So this packet is sent for encryption, then the GRE header is added and the packet is sent to the CPE. As such, data packets come from the community WiFi GW 1122, and management packets are generated by the Hostapd 1116 as the community WiFi control.
[00138] Referring to FIG. 12, illustrated is an example of different packet structures along various stages of the processing paths described with respect to FIGs. 10-11. The first packet structure 1202 is the payload of the 802.11 MSDU (see above for the discussion of the aggregated MSDU with a privacy class of 1) as an 802.11 packet payload comprising three fields. The three fields of packet 1202 include the encrypted data in the middle, a packet number (PN) or seed used as the seed in encryption and decryption (e.g., about 8 octets), and the message integrity code (MIC) at the end, which authenticates that this is encrypted data that has been encrypted by the sender, or identifies the sender. This packet is then transmitted over the air from the client / UE to the AP (e.g., the pAP 302) in the format of packet structure 1204. Packet structure 1204 has the payload with an 802.11 MAC header appended to it. So when a packet is received over the air, it can be in this format.
[00139] Then a station (STA) context can be added (e.g., the info to the right of the transmission data packet 1206), which can be detailed in the format of a vWPA header and can be 16 octets long. The STA context, for example, can contain a client context identity (ID), a payload offset and a length, as well as one or more RF parameters (e.g., the metadata added at 1008 of FIG. 10) or an association identity (AID) with one or more transmit parameters for transmission of the packets. The association ID identifies the client, UE or other network device, along with other transmit parameters, in the STA context 1112. As such, the packet 1206 can take this format: vWPA header, 802.11 MAC header and the payload.
[00140] Further, when the packet is moved from the WiFi AP chip to the platform SOC as in FIG. 10, a GRE header is added to it at 1010 to form part of the packet structure 1208, along with an outer IP header and an outer MAC header in front of the previous stage's vWPA header, 802.11 MAC header and payload. Packet structure 1208 is the format (the long one) the packet has when it arrives at the first GW / first server in the SP network (e.g., the pCPE control 320 or the vAP 340) for VNF data processing at 1104 along the data / reception path 1170.
[00141] As the packet received along path 1170 is processed to move the packets to this WPA2 data VNF at 1106, the outer MAC header can be stripped and the rest of the packet retained, as demonstrated by packet structure 1210. The outer MAC header is stripped at 1106 because it, together with the IP addresses it goes with, is not needed anymore; what is left is sent to the data VNF (e.g., vAP 340, data path 526, or the set of VNFs 504 of a partition configuration).
[00142] After stripping the GRE header, the packet is decrypted at 1106, a different GRE header is added, and the packet is sent to the community WiFi access GW at 1120, as demonstrated for example by packet structure 1214, which is the last packet structure at the output of the receive path 1170 processing to the community WiFi GW. Packet structure 1214 can have an outer header (outer GRE header), a different GRE header than the one that was stripped. The first GRE header is used to get to the data VNF for processing, while this different GRE header is used to get to the wireless access GW. The packet can then be in an 802.3 format after decryption, as the result of a transformation from the MAC 802.11 format to 802.3. If the payload is not encrypted it can be dropped; here the payload is encrypted, and so it goes through the decryption process.
[00143] Packet structure 1212 is an example of the management packet (MMPDU). Packet structure 1212 is the format of the MMPDU that is forwarded at 1114 to the hostapd community WiFi control 1116, which, after decryption, can be a clear text payload with an 802.11 MAC header marking it as an MMPDU or management packet, and can also carry the STA context, which can be utilized in the control function.
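The receive path of paragraphs [00131]-[00136] and the packet structures of [00138]-[00143], worked through as an added example that is not the patent's or Intel's code. It assumes a 16-octet vWPA header laid out as context ID, payload offset, length, AID and RSSI, a STA context with the fields shown, and a caller-supplied AES-CCM decrypt function (the sample packet is constructed and carries plaintext with an 8-octet MIC stand-in); the replay check at 1108 is the CCMP packet-number freshness test kept per station.

```python
"""Receive path of the WPA2 pass-through data VNF (added example, not the
patent's code): acts 1104-1120 of FIG. 11, i.e. strip the CPE-side GRE, read
the vWPA header, look up the STA context, CCMP packet-number replay check,
decrypt, A-MSDU split, MMPDU to control VNF or 802.11->802.3 + second GRE."""
import struct
from dataclasses import dataclass

VWPA_FMT = "!IHHHb5x"   # ASSUMED 16-octet vWPA: ctx id, offset, len, AID, RSSI
LLC_SNAP = b"\xaa\xaa\x03\x00\x00\x00"
BSSID, STA_MAC, GW_MAC = (bytes([2, 0, 0, 0, 0, i]) for i in (1, 2, 3))  # constructed


@dataclass
class StaContext:                 # entry of STA context DB 1112 (names assumed)
    state_class: int              # 1 = auth only, 2 = assoc allowed, 3 = data
    tk: bytes = b""               # temporal key; empty until four-way handshake
    last_pn: int = -1             # highest CCMP PN accepted so far
    replay_counter: int = 0       # incremented on every detected replay


def strip_gre(pkt):
    """Return (protocol type, payload); skips RFC 2784/2890 csum/key/seq fields."""
    flags, proto = struct.unpack("!HH", pkt[:4])
    return proto, pkt[4 + 4 * sum(bool(flags & b) for b in (0x8000, 0x2000, 0x1000)):]


def add_gre(frame, proto=0x6558):
    """Minimal GRE header (0x6558 = bridged Ethernet) in front of a frame."""
    return struct.pack("!HH", 0, proto) + frame


def split_amsdu(amsdu):
    """Yield (DA, SA, MSDU) per A-MSDU subframe; subframes pad to 4 octets."""
    while len(amsdu) >= 14:
        length = struct.unpack("!H", amsdu[12:14])[0]
        yield amsdu[:6], amsdu[6:12], amsdu[14:14 + length]
        amsdu = amsdu[14 + length + (-(14 + length) % 4):]


def to_8023(da, sa, msdu):
    """802.11 MSDU (LLC/SNAP + payload) -> Ethernet II frame (act 1118)."""
    if not msdu.startswith(LLC_SNAP):
        raise ValueError("MSDU without LLC/SNAP header")
    return da + sa + msdu[6:8] + msdu[8:]          # DA, SA, EtherType, payload


def process_rx(gre_pkt, sta_db, decrypt):
    """One CPE->VNF packet -> ("drop", why) | ("mgmt", mmpdu) | ("data", frames).
    decrypt(tk, pn, mac_hdr, ct, mic) is the caller's AES-CCM step; it returns
    the plaintext, or None when the MIC does not verify."""
    _, unit = strip_gre(gre_pkt)                                  # 1106
    ctx_id, offset, length, _aid, _rssi = struct.unpack(VWPA_FMT, unit[:16])
    frame = unit[offset:offset + length]
    sta = sta_db.get(ctx_id)
    if sta is None:
        return "drop", "unknown STA context"
    fc0, fc1 = frame[0], frame[1]
    ftype = (fc0 >> 2) & 3                    # 0 = management, 2 = data
    qos = ftype == 2 and bool(fc0 & 0x80)     # QoS data subtype
    hdr_len = 26 if qos else 24
    mac_hdr, body = frame[:hdr_len], frame[hdr_len:]
    if fc1 & 0x40:                            # protected: CCMP header + MIC
        h = body[:8]                          # PN0 PN1 rsvd KeyID PN2..PN5
        pn = h[0] | h[1] << 8 | h[4] << 16 | h[5] << 24 | h[6] << 32 | h[7] << 40
        if pn <= sta.last_pn:                 # 1108: PN not fresh -> replay
            sta.replay_counter += 1
            return "drop", "replay attack"
        plain = decrypt(sta.tk, pn, mac_hdr, body[8:-8], body[-8:])
        if plain is None:
            return "drop", "decryption failed"
        sta.last_pn = pn                      # advance only after a good MIC
    elif ftype == 2 and sta.tk:
        return "drop", "unprotected data frame after key install"
    else:
        plain = body                          # auth/assoc MMPDU or EAPOL
    if ftype == 0:                                                # 1114
        return "mgmt", mac_hdr + plain
    if ftype != 2 or sta.state_class < 3:
        return "drop", "data not accepted in class %d" % sta.state_class
    if qos and frame[24] & 0x80:              # 1110: QoS control A-MSDU bit
        msdus = list(split_amsdu(plain))
    else:                                     # ToDS=1: addr3 = DA, addr2 = SA
        msdus = [(frame[16:22], frame[10:16], plain)]
    return "data", [add_gre(to_8023(*m)) for m in msdus]         # 1120


def build_sample(pn, payloads, ctx_id=7):
    """Constructed CPE->VNF packet: GRE | vWPA | protected QoS data A-MSDU."""
    mac_hdr = (bytes([0x88, 0x41]) + b"\x00\x00" + BSSID + STA_MAC + GW_MAC
               + b"\x10\x00" + b"\x80\x00")   # ToDS+protected; QoS: A-MSDU
    ccmp = bytes([pn & 0xff, pn >> 8 & 0xff, 0, 0x20, pn >> 16 & 0xff,
                  pn >> 24 & 0xff, pn >> 32 & 0xff, pn >> 40 & 0xff])
    amsdu = b""
    for payload in payloads:
        sub = GW_MAC + STA_MAC + struct.pack("!H", 8 + len(payload))
        sub += LLC_SNAP + b"\x08\x00" + payload       # IPv4 EtherType
        amsdu += sub + b"\x00" * (-len(sub) % 4)
    frame = mac_hdr + ccmp + amsdu + b"\x00" * 8      # 8-octet MIC stand-in
    return add_gre(struct.pack(VWPA_FMT, ctx_id, 16, len(frame), 1, -55) + frame)
```

Running the same sample packet twice shows the replay path: the second copy carries a PN that is not newer than the station's last accepted PN, so it is dropped and the station's replay counter advances.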
[00144] FIGs. 13-18 illustrate embodiments related to the control flow operations and the provisioning of data for the data flow operations described above in FIGs. 10-11. Generally, this is the information that is acquired in the vCPE or vAP 340 in the VNF, as well as in the pCPE or pAP 302 in the GW / CPE 240. The vCPE 340, for example, has to be provisioned with the information that enables it to configure the community WiFi vAP parameters, which are then used by the WiFi AP. The key parameters, as described elsewhere herein, can include the BSS parameters that are essentially then used in the WiFi protocol, such as the 802.11 protocol, and that the AP also uses to communicate with clients, the Radius Server IP, and the wireless access GW name and IP address. This information is used to register the IP. These two parameters are also required for various operations of the control VNF and data VNF. The control VNF (or hostapd 1116 or pCPE control 320) has to receive the IP address of this server to be able to communicate with it. The community WiFi GW IP address is also utilized by the data VNF (e.g., the vAP 340) to set up the processing of the data VNF when it handles the packets that it receives from the pCPE 302, processes them and forwards them to the community WiFi gateway or SP network 280.
[00145] The pCPE 302, in particular, has to create a secure connection with the VNF or VNFs of the SP network 280, over which the protocol is transferred. It has to have a credential for this secured connection, like a public security key (PSK) or a public security certificate. Because the GW already has the credential(s) to be able to communicate with the SP network, the pCPE in the GW can reuse this credential so as not to have to configure a new credential for the communications. Another parameter that can be utilized in the process flows of the pCPE 302 is the service set identifier, or SSID, the name of the community WiFi that is displayed in the beacons that the WiFi AP (CPE 240) transmits so the client / UE can identify this as a community WiFi BSS and connect to it. Every SP uses its own name. Another parameter that can be utilized is the domain name, the server name of the data VNF, so that the UE or network device (e.g., 250) is able to reach it, obtain its IP address and establish the GRE protocol, the communication from the pCPE 302 to the data VNF or vAP 340.
[00146] In case a range extender (e.g., a range extender as peripheral device 104) is utilized, these parameters and this provisioning for the process flows can also be used to enable communication between the range extender and the VNF, to configure the credentials via the secure link with the control VNF or pCPE control 320, because the range extender is different from the GW or CPE 240 as illustrated in FIG. 5. The GW 240 receives these credentials when it is being initialized. However, a range extender 104, for example, typically does not receive these credentials, so the range extender has to be configured with the credentials that enable it to establish this secure link or the WPA2 pass-through interface 270. Essentially the credentials are certificates of the control VNF 320, and the range extender has to be configured with the same parameters as the pCPE 302 to enable communication over WiFi. The service provider, the SSID, the network name, and the data VNF domain name can all be provisioned in the various process control flows described.
[00147] Referring to FIG. 13, illustrated is an example provisioning control flow of parameters and data for the data flows of WPA2 pass-through communications of a partition configuration of VNFs, in accord with various aspects or embodiments described. In the management part of the init or initialization process, this is the procedure for how to initialize or orchestrate the communication between the data VNF (e.g., the vAP 340 with DB 508 according to a partition configuration 504), the control VNF and the pCPE / range extender. Initially, the pCPE 302 establishes the communication with the vCPE or vAP 340 for all the communications between the SP network device 202 and the GW / CPE 240 at 1320. When this communication is established, the orchestrator 330 of the vCPE management 1318 initializes the control VNF and the data VNF.
[00148] Terminology used herein has various synonyms, and for purposes of our description the control flow is illustrated with reference to particular components of the CPE 1304, which can include the pAP 302 as well as the pCPE control 320 on the SP network side, and which can correspond to the WLAN driver 1306, the hostapd agent 1308, and the pCPE management 1316 (as part of the CPE). The data center 1310 can include any databases such as DB 508 or AAA 506, vCPE management (e.g., manager 310), vWPA2 VNF data 1312 (e.g., vAP 340, and the orchestrator 330), and vWPA2 VNF control 1314 (e.g., also part of the pCPE control 320, the Hostapd community WiFi control 1116, or a control VNF).
[00149] The orchestrator 330, for example, initializes the control VNF 1314 at 1324 and then uses the init procedure towards the pCPE 1316 to initialize the vAP 340 for community WiFi. So it sends the configuration file to the pCPE 1316 at 1326. The pCPE 1316 then uses this data to configure or prepare the different components in the CPE 1304 for work. For example, the pCPE 1316 initializes the hostapd agent 1308, which is the data secure member, at 1328. This hostapd agent 1308 is the agent used for the communication protocol between the pCPE 1318 and the control VNF 1314. The pCPE 1318 initializes the hostapd agent 1308, which initializes the wireless LAN driver 1306 to support communication operations at 1330. Afterwards, the secured connection between the hostapd agent 1308 and the control VNF 1314 can be established at 1332, and then the protocol flow is enabled for the control flow 1300.
[00150] As part of this protocol flow 1300, there is an initial configuration of the BSS parameters at 1334. So the control VNF 1314 configures the BSS parameters on the hostapd agent 1308, which then configures the AP driver 1306 with this SSID, for example, or one of the other parameters described herein, at 1336. Afterwards, the control VNF 1314 can start communication at 1338. After this point, the pCPE functionality for the community WiFi as well as the VNF are configured and ready for work at 1340, the final stage of the init sequence.
[00151] Referring now to FIG. 14, illustrated is an example of the BSS parameter configuration control flow, which provides further details on the control plane and on how parameters are changed after the init processes 1420 of FIG. 13. The control VNF 1414 of the data center 1410 sends or sets a beacon template at 1422 using this communication protocol, or this secure link, to the hostapd agent, which then configures the beacon template on the wireless LAN AP driver at 1424. The beacon template can be used to create the beacons that the wireless AP then starts transmitting over the air so that clients will be able to identify it and initiate a connection procedure for the community WiFi network, for example.
[00152] Additionally, at 1426 another piece of information has to be configured, a probe response template, which is also configured through the hostapd agent 1408 of the CPE 1404 onto the AP driver 1406 (e.g., waveform audio file format or WAV driver) at 1428. The probe responses are used when the client / UE sends an inquiry called a probe request to the residential GW / AP / CPE 1404 to obtain more information on the AP capabilities.
[00153] Then the control VNF at 1430 sends the command start BSS, to start the community WiFi BSS, to the hostapd agent 1408, which commands the WiFi driver 1406 to start the BSS at 1432. Then the BSS has started and client UEs will be able to connect to it. Further, from time to time there could be a change in the BSS parameters at 1434. For example, an indication of a change in the traffic, a change of the buffered traffic for clients that are connected to the access point, as in the traffic indication map (TIM). In this case, the beacon template has to be updated and the TIM sent to the AP, which is done by the last sequence at 1436 from the VNF control 1414 to the hostapd agent 1408 and finally to the driver 1406 at 1438. This process or control flow 1400 can be how BSS parameters are configured after the INIT process 1420 of FIG. 13 and during run time operation.
[00154] Referring to FIG. 15, illustrated is another example control flow 1500 in accordance with various aspects or embodiments herein. The control flow 1500 demonstrates the operation flow of the client / UE (e.g., 1502) connection establishment, which is a small modification of the standard behavior of the connection establishment that typically happens locally, except when a partition configuration has been virtualized by one or more VNFs. When a client UE 1602 wants to connect to the AP, it sends packets at 1520 or starts the process for the authentication, adding to the packet an 802.11 authentication message, or a management MAC protocol data unit (MMPDU).
[00155] Once the UE 1502 sends the authentication request at 1520, the packet is encapsulated using a GRE tunnel at 1522 by the wireless LAN driver 1506 of the CPE 1504, which sends it directly to the data VNF 1512 of the data center 1510. The data VNF 1524 identifies this packet as a management frame (an authentication / association request) and sends it to the control VNF 1514 at 1524. Based on this information, the control VNF creates the client context or STA context and sends / sets the client state to class 2 at 1526. Class 2 in 802.11 is the state in which the AP is configured to accept a management association, or association messages, from clients. Before this act at 1526, the SP network or SP network device / component 202 could just drop any association requests from the clients.
[00156] Then, in the next act at 1528, the control VNF 1514 sends the command set Class 2 for the client MAC address, because it is a new client, to the hostapd agent, which then at 1530 forwards it to the WLAN driver 1506. This WLAN driver 1506 sets it in the database (e.g., DB 508). Then the control VNF 1514 at 1532 sets the MMPDU to client authentication 2, which is the authentication response, to be transferred using the protocol of the WiFi AP driver 1506 at 1534, which then forwards it over the air to the client 1502 at 1536. When the client receives it, it updates its state machine and continues with association, which is part of the 802.11 protocol, at 1538. Then the association request is put in a GRE tunnel at 1540 and forwarded to the data VNF 1512, which forwards it to the control VNF 1514 at 1542.
[00157] At 1544, the control VNF 1514 updates the client context (the STA context of the STA database 1112 of FIG. 11) to Class 3, which means that afterwards the client access port will accept data packets and not just management packets from the client 1502, and thus both data and management packets can be processed readily. So the control VNF 1514 then changes the client state to associated, assigns an association ID (AID) and sends this configuration to the hostapd agent 1508 at 1546, which, in turn, sends it to the WLAN driver 1506 at 1548. Afterwards, at 1548 the control VNF 1514 sends the packet association response with an indication of success to the data VNF 1512, which then at 1550 forwards it over a GRE tunnel to the WiFi driver / AP driver 1506, which forwards / sends this packet to the client 1502 at 1552, for the client to be then considered associated.
[00158] Referring to FIG. 16, illustrated is another embodiment of a control flow with operations directed toward securing connection establishment in accordance with various aspects or embodiments herein. After the successful association notification at 1552 of FIG. 15, the client 1602 can now send data packets to the AP (e.g., vAP or SP network device 202), and the data packets communicated will carry the 802.1X authentication protocol from the UE 1602 through the CPE 240 with pAP 302 to the SP network device 202 (e.g., to the authentication server 1616, or the AAA 506) via the WPA2 pass-through interface, without modification by decryption / encryption at the CPE 240.
[00159] The 802.1X authentication protocol can be sent from the WiFi client 1602 through all of this chain (1604-1616) to the authentication data server 1616. The authentication server 1616 communicates back to the WiFi client 1602 by updating the client's credentials and sending additional key material so that the client 1602 is enabled to create or derive the master station key (MSK) at 1622. The authentication server 1616, at 1624, derives the master station key as well and configures it into the control VNF 1614. After this there is a stage in which the encryption key that will be used for the encryption of the data and management packets is derived, which is called the four-way handshake 1626. Essentially, in the four-way handshake the control VNF 1614 is the one that initiates it and the WiFi client 1602 is the one that co-operates, using the communication response protocol known as a four-way handshake, meaning about or at least four messages are exchanged between the WiFi client 1602 and the control VNF 1614 using the communications 1628 there-between.
[00160] At 1630 and 1632, both the client 1602 and the AP or vWPA2 VNF control 1614 derive the encryption key used for WPA2 encryption of unicast frames or unicast packets, for example, the client pairwise temporal key / pairwise transient key (PTK), which can also be used for the communication from the AP 1614 to the client 1602 of broadcast messages or broadcast traffic. Broadcast messages, for example, can be generated using a different key, a group temporal key (GTK), for example. A GTK can be derived in the VNF control 1614 and transferred to the client 1602 using the secured link (e.g., the WPA2 pass-through interface) as part of the WPA2 four-way handshake 1626. The client 1602 accepts it and configures the GTK into the hardware. As such, the control flow 1600 illustrates the communication and response of the client 1602 and the control VNF 1614 with respect to key derivation. The key is not necessarily visible to any other component, does not stay in or reside at any point / component along the communication path 1628 in between, and is utilized for the communications over the WPA2 pass-through, for example.
[00161] Afterwards, the control VNF 1614 configures these keys for the unicast traffic and broadcast traffic into the client context database (e.g., STA context database 1112 or the vWPA2 VNF data 1612) at 1634, while further commanding the data VNF 1612 to open a port (access port) for communication with this particular client 1602. So from this point on, any traffic at all coming from the client over the data flow 1636 will go to the SP network and reach the wireless access gateway (WAG) 1618.
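The four-way handshake of paragraphs [00159]-[00161], worked through as an added example that is not the patent's or Intel's code: the control VNF and the client each derive the PTK (KCK, KEK, TK) from the PMK, the two MAC addresses and the two nonces, and the EAPOL-Key MICs prove to each side that the other holds the same PMK, while the relayed frames carry only nonces. It assumes the PMK is the first 32 octets of the MSK configured at 1624, uses constructed MAC addresses, and does not implement the AES key wrap that would carry the GTK in message 3.

```python
"""Four-way handshake between the control VNF (authenticator, address AA)
and the WiFi client (supplicant, address SPA), as at 1626-1634 of FIG. 16.
Added example, not the patent's code. Both ends derive the PTK from the PMK,
the two MAC addresses and the two nonces with the IEEE 802.11 PRF-512; the
pass-through CPE only relays the EAPOL-Key frames and never holds the PMK.
Assumed: PMK = first 32 octets of the MSK; the AES key wrap that would carry
the GTK in message 3 is not implemented, so message 3 has no key data."""
import hashlib
import hmac
import os
import struct

MIC_OFF = 81           # MIC offset in an EAPOL-Key frame: 4 + 1+2+2+8+32+16+8+8
NONCE = slice(17, 49)  # Key Nonce field: after EAPOL hdr, type, info, len, counter


def prf(key, label, data, nbits):
    """IEEE 802.11 PRF-n: HMAC-SHA1(key, label || 0x00 || data || i), i = 0, 1, ..."""
    blocks = (hmac.new(key, label + b"\x00" + data + bytes([i]), hashlib.sha1).digest()
              for i in range((nbits + 159) // 160))
    return b"".join(blocks)[:nbits // 8]


def derive_ptk(pmk, aa, spa, anonce, snonce):
    """PTK = PRF-512(PMK, "Pairwise key expansion", min(AA,SPA) || max(AA,SPA)
    || min(ANonce,SNonce) || max(ANonce,SNonce)); returns (KCK, KEK, TK)."""
    data = min(aa, spa) + max(aa, spa) + min(anonce, snonce) + max(anonce, snonce)
    ptk = prf(pmk, b"Pairwise key expansion", data, 512)
    return ptk[:16], ptk[16:32], ptk[32:48]


def eapol_key(key_info, replay_counter, nonce, key_data=b""):
    """EAPOL-Key frame (802.1X v2, RSN descriptor type 2) with a zeroed MIC."""
    body = (b"\x02" + struct.pack("!HHQ", key_info, 16, replay_counter) + nonce
            + bytes(48)                                   # IV, RSC, reserved, MIC
            + struct.pack("!H", len(key_data)) + key_data)
    return b"\x02\x03" + struct.pack("!H", len(body)) + body


def sign(frame, kck):
    """Fill the MIC field with HMAC-SHA1-128 over the frame (MIC zeroed)."""
    mic = hmac.new(kck, frame, hashlib.sha1).digest()[:16]
    return frame[:MIC_OFF] + mic + frame[MIC_OFF + 16:]


def verify(frame, kck):
    """True when the frame's MIC verifies under this KCK (constant-time compare)."""
    zeroed = frame[:MIC_OFF] + bytes(16) + frame[MIC_OFF + 16:]
    expected = hmac.new(kck, zeroed, hashlib.sha1).digest()[:16]
    return hmac.compare_digest(frame[MIC_OFF:MIC_OFF + 16], expected)


def run_handshake(pmk, aa, spa, anonce=None, snonce=None, client_pmk=None):
    """Messages 1-4 between control VNF (AA) and client (SPA).
    Returns (vnf_tk, client_tk, relayed_frames); vnf_tk is None when a MIC
    fails, i.e. the peer does not hold the same PMK (client_pmk models a
    client whose 802.1X run produced a different key)."""
    anonce, snonce = anonce or os.urandom(32), snonce or os.urandom(32)
    client_pmk = client_pmk or pmk
    m1 = eapol_key(0x008A, 1, anonce)                          # VNF -> STA: ANonce
    c_kck, _, c_tk = derive_ptk(client_pmk, aa, spa, m1[NONCE], snonce)  # client side
    m2 = sign(eapol_key(0x010A, 1, snonce), c_kck)             # STA -> VNF: SNonce + MIC
    v_kck, _, v_tk = derive_ptk(pmk, aa, spa, anonce, m2[NONCE])         # VNF side
    if not verify(m2, v_kck):                                  # STA lacks the PMK
        return None, c_tk, [m1, m2]
    m3 = sign(eapol_key(0x13CA, 2, anonce), v_kck)             # VNF -> STA: install
    if not verify(m3, c_kck):
        return None, c_tk, [m1, m2, m3]
    m4 = sign(eapol_key(0x030A, 2, bytes(32)), c_kck)          # STA -> VNF: done
    if not verify(m4, v_kck):
        return None, c_tk, [m1, m2, m3, m4]
    return v_tk, c_tk, [m1, m2, m3, m4]                        # 1634: TKs into STA DB
```

The relayed frames are everything the CPE sees on the pass-through: both nonces in the clear, but neither the PMK nor the derived TK, which is why the key never resides on the path 1628.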
[00162] After this point, when the client / UE 1602 wants to send IP traffic, for example, for an application to communicate, it typically sends the packet to the WiFi driver 1606 at 1638, which then at 1640 puts this packet into the GRE tunnel and sends it to the data VNF 1612. The data VNF 1612 further decrypts the packet and encapsulates it into a different GRE header, further sending it to the WAG 1618 at 1642. The WAG 1618 then hands it out farther into the SP network and eventually to the internet. Any incoming packets for this client 1602 that are coming from the WAG 1618 can also be forwarded to the interface, using this GRE tunnel, at 1644. They are then repackaged, modified to the 802.11 format and encrypted, repackaged into a GRE tunnel and sent to the WiFi driver 1606 at 1646, which then forwards them to the client 1602 over the air at 1648.
[00163] Referring to FIG. 17, illustrated is another example control flow for a client disconnect, in which the client / UE 1702 desires to disconnect from the community WiFi network in accordance with various aspects or embodiments herein. For example, the client / UE 1702 could discern that the signal of its connection with the AP (e.g., SP network device 202 of FIG. 5) is weak and would like to disconnect at 1720 from this AP 202 and connect to some other AP or GW with a stronger signal.
[00164] As a result of deciding to disconnect from the community WiFi network, the client 1702 can send the management frame called Disassociate over the air at 1722 to the WiFi AP driver 1706, which then puts the packet in a GRE tunnel and forwards it to the data VNF 1712 at 1724. The data VNF 1712 decrypts the packet, detects that this packet is a management packet, and so forwards it to the control VNF 1714 at 1726. The control VNF 1714 then performs the procedure of the client disconnect at 1730. It changes the client state to Class 1, which means do not accept any packet other than authentication requests. The control VNF 1714 releases or frees up the AID or client association ID at 1730 and sends commands to change the class and close the port at 1732 and 1734, which are forwarded to the WLAN driver 1706 at 1736. However, the context ID can still be retained because the client 1702 could attempt to associate with this AP in the future. The client context can be maintained for some time, but the control VNF 1714 configures the maintenance by removing the keys, the encryption keys, from the data VNF 1712 at 1732, because now the client 1702 has disconnected and these keys are derived anew upon each new connection (or session). The keys are removed, and the commands are sent to the hostapd agent 1708 to change the client state to class 1 at 1732, in which class 1 is to accept only authentication request packets. Then the hostapd agent 1708 configures this command on the wireless LAN driver 1706 at 1736.
[00165] Now the client / UE 1702 can be disconnected at 1740 with a management command from the vWPA2 VNF data 1712 to the WLAN driver 1706, which then sends a Disassociate 802.11 message to the client UE 1702 at 1744. Security information that is relevant to the last session or connection can be cleared, and thus disassociation is complete with the disconnect at 1746, as a result of the client 1702 deciding to disconnect from the AP / community WiFi network. At 1738 - 1746, a procedure can be carried out when the VNF decides to disconnect the client 1702, for example, in response to the client 1702 not communicating for a period or duration of time, or in any other circumstance in which the VNF or a component of the SP network device 202 decides that the client 1702 has to be disconnected. The VNF can create a Disassociate message (e.g., MMPDU disassociate client context ID) to be sent to the client 1702, which it forwards at 1740 first to the data VNF 1712, which then puts it on the GRE tunnel and sends it to the WiFi AP driver 1706 at 1742, which sends it over the air to the client 1702 at 1744, and now the client is disconnected at 1746.
[00166] Referring to FIG. 18, illustrated is another control flow demonstrating the procedure when the CPE WAN link is down or no longer functions (e.g., the cable link or optical link 290 between the SP network device 202 and the CPE 1804).
[00167] For example, although communication has been enabled and the WiFi client 1802 communicates with the SP network 280 over the community WiFi network or the WPA2 pass-through interface, suddenly the cable link 290 goes down or there is some service interruption in the SP network. As such, there is no communication now between the CPE 240 and the data center 1810, or between the CPE 1804 and the SP network 280, for example.
[00168] First, the CPE 1804 detects that one link is down, for example, that the cable modem link is down. Additionally, the pCPE 302 moves to autonomous mode at 1820, so that it can still function if there is some service interruption in the cable provider or SP network 280, which does not necessarily mean that the home network is down or blocked. However, the community WiFi service should be stopped at 1822 with a stop command, because the community WiFi network carries the SP's traffic. So the pCPE management block 1816 in the CPE 1804 sends a command to the hostapd agent 1808 to stop at 1822.
[00169] The hostapd agent 1808 configures the stop commands at 1824 into the WLAN driver 1806, which stops any communication with clients related to the community WiFi and stops sending beacons so that community WiFi clients do not see the community WiFi network. The WLAN driver 1806 then stops the clients, cleans state and queues at 1826, and the vWPA2 VNF decides to disconnect the client at 1828.
[00170] At 1830, there is the possibility that the pCPE 1816 then re-establishes normal mode, or a normal connection or link 290 between the CPE and the data center or SP network. As such, when it detects at 1828, or decides, that the connection has been re-established on the one link 290 (e.g., the cable modem connection), it starts connection recovery with the vCPE management 1818 or the orchestrator 330, for example, at 1830. The orchestrator 330 can start the init procedure at 1834 and 1844 for the control VNF 1814 and the data VNF 1812. The pCPE management 1816 then starts the init procedure at 1832 for the community WiFi AP. Alternatively or additionally, the pCPE management 1816 initializes the hostapd agent 1808, which then triggers the whole sequence of the WiFi AP driver initialization, etc., as above, with the init sequence or flow 1846.
[00171] Referring to FIG. 19, illustrated is an example process flow 1900. A computer-readable storage medium, for example, could store executable instructions that, in response to execution, cause one or more processors of a service provider (SP) network component or device to perform the operations of the process flow 1900. The process flow initiates at 1902 with receiving, via a WiFi protected access 2 (WPA2) pass-through, a set of traffic data from a physical access point (pAP) of customer premise equipment (CPE) connected to a user equipment (UE), wherein the set of traffic data is unmodified by the CPE and associated with a community WiFi network of the CPE.
[00172] At 1904, the process flow or method 1 900 continues with processing the packet data from the pAP along a receive chain for transmission to a wide area network (WAN).
[00173] At 1906, receiving and processing the WAN data for transmission to the pAP via the WPA2 pass-through interface.
[00174] At 1908, the process flow can include at least one or more of stripping a GRE header from the packet data received from the UE; determining whether the packet data comprises an encrypted data; determining whether a similar encrypted data as the encrypted data has been decrypted before; determining whether the packet data comprises an aggregate media access control (MAC) service data unit (A-MSDU); or determining whether the packet data comprises a data packet or a management packet requesting access to the community WiFi network.
[00175] In one or more other embodiments, the process flow 1900 at 1 908 can include other acts or steps as disclosed herein such as decrypting the packet data in response to the packet data comprising an encrypted data. In response to the encrypted data being similar to a similar encrypted data decrypted before the encrypted data, the SP network device or component 202 can generate a replay attack notification, drop the encrypted data and update a replay attack counter. The packet data can then be de- aggregated in response to the packet data comprising an A-MSDU. In response to the packet data comprising a management packet, the management packet can then be transmitted to a basic service set (BSS) management component that is configured to control a BSS ID of the community WiFi network and a station (STA) connection state. Alternatively or additionally, in response to the packet data comprising a data packet, converting the data packet from an 802.1 1 format to an 802.3 format and add a generic routing encapsulation (GRE) header for transmission to the community WiFi network and the WAN. The actions of data and control flows here can also be further carried in a process flow in conjunction as detailed herein.
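The receive chain of 1908, as described in [00174] and [00175], carried through as a worked example. This is added code, not from the patent or from Intel. It assumes a GRE protocol type for raw 802.11 frames (the page names none), a SHA-256 based stand-in for AES-CCMP so that it runs with only the standard library, and constructed sample keys and addresses. The "similar encrypted data decrypted before" check is interpreted the way WPA2 itself detects replays: a CCMP packet number (PN) that does not advance per transmitter and key id is dropped and counted.

```python
# Added example, not the patent's or Intel's code: a toy vAP receive chain for WPA2
# pass-through traffic that the pAP forwards as GRE-encapsulated 802.11 frames. The GRE
# type for 802.11, the SHA-256 stand-in for AES-CCMP and all sample values are assumptions.
import hashlib, hmac, struct

GRE_PROTO_80211 = 0x8200    # assumed GRE protocol type for raw 802.11 frames (pAP -> vAP)
GRE_PROTO_ETH = 0x6558      # Transparent Ethernet Bridging: 802.3 frames towards the WAN
LLC_SNAP = b"\xaa\xaa\x03\x00\x00\x00"
QOS_AMSDU_PRESENT = 0x0080  # bit 7 of the QoS control field

def strip_gre(pkt):
    """Remove a minimal 4-byte GRE header; returns (protocol type, payload)."""
    flags, proto = struct.unpack("!HH", pkt[:4])
    if flags & 0xB000:       # checksum/key/sequence present: not handled in this toy
        raise ValueError("optional GRE fields not supported")
    return proto, pkt[4:]
def add_gre(proto, payload):
    return struct.pack("!HH", 0, proto) + payload

def parse_80211(frame):
    """Split the MAC header of a To-DS (STA -> AP) 802.11 frame from its body."""
    fc = struct.unpack("<H", frame[:2])[0]
    ftype, subtype = (fc >> 2) & 3, (fc >> 4) & 0xF
    hdr = {"type": ftype, "subtype": subtype, "protected": bool(fc & 0x4000),
           "ta": frame[10:16], "addr3": frame[16:22], "qos": 0}
    hdr_len = 24
    if ftype == 2 and subtype & 0x8:          # QoS data frames carry a QoS control field
        hdr["qos"], hdr_len = struct.unpack("<H", frame[24:26])[0], 26
    return hdr, frame[hdr_len:]

def parse_ccmp(body):
    pn0, pn1, _, kid, pn2, pn3, pn4, pn5 = body[:8]   # CCMP header: PN0 PN1 rsvd KeyID PN2..PN5
    pn = int.from_bytes(bytes([pn0, pn1, pn2, pn3, pn4, pn5]), "little")
    return pn, kid >> 6, body[8:-8], body[-8:]        # PN, key id, ciphertext, 8-byte MIC

def _keystream(key, ta, pn, n):
    # Stand-in for AES-CCM (assumption): SHA-256 in counter mode keyed by key, TA and PN,
    # so a repeated PN would repeat keystream, which is what the replay check guards.
    nonce = ta + pn.to_bytes(6, "little")
    return b"".join(hashlib.sha256(key + nonce + bytes([i])).digest() for i in range(n // 32 + 1))[:n]
def _mic(key, ta, pn, plain):
    return hmac.new(key, ta + pn.to_bytes(6, "little") + plain, "sha256").digest()[:8]
def toy_seal(key, ta, pn, plain):
    ct = bytes(p ^ k for p, k in zip(plain, _keystream(key, ta, pn, len(plain))))
    return ct + _mic(key, ta, pn, plain)
def toy_open(key, ta, pn, ct, mic):
    plain = bytes(c ^ k for c, k in zip(ct, _keystream(key, ta, pn, len(ct))))
    if not hmac.compare_digest(_mic(key, ta, pn, plain), mic):
        raise ValueError("MIC check failed")
    return plain

def deaggregate_amsdu(payload):
    """Split an A-MSDU into (DA, SA, MSDU) subframes; each subframe is padded to 4 bytes."""
    subframes, off = [], 0
    while off + 14 <= len(payload):
        da, sa = payload[off:off + 6], payload[off + 6:off + 12]
        ln = struct.unpack("!H", payload[off + 12:off + 14])[0]
        subframes.append((da, sa, payload[off + 14:off + 14 + ln]))
        off = (off + 14 + ln + 3) & ~3            # next subframe on a 4-byte boundary
    return subframes
def msdu_to_8023(da, sa, msdu):
    """802.11 MSDU (LLC/SNAP, EtherType, payload) -> 802.3 frame."""
    if msdu[:6] != LLC_SNAP:
        raise ValueError("unexpected LLC/SNAP header")
    return da + sa + msdu[6:]

class VapRxChain:
    def __init__(self, key):
        self.key = key
        self.last_pn = {}         # (TA, key id) -> highest PN accepted so far
        self.replay_counter = 0   # the replay attack counter of [00175]
        self.mgmt_queue = []      # frames handed to BSS management
    def process(self, gre_pkt):
        """Return the GRE-encapsulated 802.3 frames to forward to the WAN."""
        proto, frame = strip_gre(gre_pkt)
        hdr, body = parse_80211(frame)
        if proto != GRE_PROTO_80211 or hdr["type"] == 1:   # foreign payload / control frame
            return []
        if hdr["type"] == 0:                  # management request: BSS management owns it
            self.mgmt_queue.append((hdr["subtype"], hdr["ta"]))
            return []
        if hdr["protected"]:
            pn, kid, ct, mic = parse_ccmp(body)
            slot = (hdr["ta"], kid)
            if pn <= self.last_pn.get(slot, -1):   # PN already consumed: replay, drop
                self.replay_counter += 1
                return []
            body = toy_open(self.key, hdr["ta"], pn, ct, mic)   # raises on a bad MIC
            self.last_pn[slot] = pn           # only a verified frame advances the window
        if hdr["qos"] & QOS_AMSDU_PRESENT:
            msdus = deaggregate_amsdu(body)
        else:
            msdus = [(hdr["addr3"], hdr["ta"], body)]   # To-DS: DA = addr3, SA = TA
        return [add_gre(GRE_PROTO_ETH, msdu_to_8023(da, sa, m)) for da, sa, m in msdus]

def build_data_frame(key, sta, bssid, dst, pn, payload, amsdu=False):
    """Constructed To-DS QoS data frame from STA `sta`, protected with the toy cipher."""
    hdr = struct.pack("<HH", 0x4188, 0) + bssid + sta + dst   # FC: QoS data, To-DS, Protected
    hdr += struct.pack("<HH", 0, QOS_AMSDU_PRESENT if amsdu else 0)
    ccmp = bytes([pn & 0xFF, (pn >> 8) & 0xFF, 0, 0x20]) + (pn >> 16).to_bytes(4, "little")
    return add_gre(GRE_PROTO_80211, hdr + ccmp + toy_seal(key, sta, pn, payload))
```

The ordering in `process` is the point to take away: the PN is compared before the decryption work is spent, but it is only recorded after the MIC verifies, so a forged frame carrying a large PN cannot push the window forward and make later legitimate frames look like replays. The counter is what feeds the replay attack notification of [00175]; a real vAP would also key the window per traffic identifier (TID), which this toy omits.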
[00176] Examples may include subject matter such as a method, means for performing acts or blocks of the method, at least one machine-readable medium including instructions that, when performed by a machine, cause the machine to perform acts of the method or of an apparatus or system for concurrent communication using multiple communication technologies according to embodiments and examples described herein.
[00177] Example 1 is an apparatus configured to be employed in a service provider (SP) network component of an SP network, comprising: one or more processors, coupled to a memory that includes instructions to execute operations of the one or more processors, configured to: instantiate a virtual access point (vAP) of the SP network associated with a physical access point (pAP) of a customer premise equipment (CPE) based on a community WiFi network to enable a WiFi protected access 2 (WPA2) pass-through; determine a partition configuration of a set of virtual network functions (VNFs) at the vAP from the pAP based on a communication parameter of a communication link to the CPE; and provide the WPA2 pass-through transparently through the pAP from the vAP based on the partition configuration; and a communication interface, coupled to the one or more processors, configured to receive or transmit communication transmissions.
[00178] Example 2 includes the subject matter of Example 1, wherein the one or more processors are further configured to: determine the partition configuration by selecting the partition configuration from among a plurality of different partition configurations that correspond to different sets of VNFs configured from the pAP of the CPE to the vAP of the SP network.
[00179] Example 3 includes the subject matter of any one of Examples 1-2, including or omitting any elements as optional, wherein the communication parameter comprises a link latency of the communication link to the CPE from the SP network.
[00180] Example 4 includes the subject matter of any one of Examples 1-3, including or omitting any elements as optional, wherein the one or more processors are further configured to: measure the communication parameter of the communication link by measuring a wide area network (WAN) link latency from the pAP of the CPE to the SP network based on a ping process.
[00181] Example 5 includes the subject matter of any one of Examples 1-4, including or omitting any elements as optional, wherein the one or more processors are further configured to: generate a communication query to the CPE; receive a response from the CPE; and determine the communication parameter comprising a WAN latency by measuring a time based on the communication query and the response from the CPE.
[00182] Example 6 includes the subject matter of any one of Examples 1-5, including or omitting any elements as optional, wherein the one or more processors are further configured to: determine, as the partition configuration, a first partition configuration from the set of VNFs in response to the communication parameter comprising a first link latency that is 100 ms or greater than 100 ms; determine, as the partition configuration, a second partition configuration from the set of VNFs in response to the communication parameter comprising a second link latency that is less than 100 ms and greater than 10 ms; and determine, as the partition configuration, a third partition configuration from the set of VNFs in response to the communication parameter comprising a third link latency that is 10 ms, or less than 10 ms.
[00183] Example 7 includes the subject matter of any one of Examples 1-6, including or omitting any elements as optional, wherein the first partition configuration comprises: a WiFi AP management component configured to operate one or more policy settings associated with the vAP; a RADIUS client configured to operate one or more authentication processes with an authentication server component; an authenticator component configured to authenticate a user equipment (UE) with the vAP through the pAP on the WPA2 pass-through based on the one or more authentication processes; and a basic service set (BSS) management component configured to operate a channel selection associated with a BSS identification (BSSID) of the community WiFi network for a client authentication and a key derivation.
[00184] Example 8 includes the subject matter of any one of Examples 1-7, including or omitting any elements as optional, wherein the second partition configuration comprises the first partition configuration and further comprises: a radio resource control (RRC) component configured to control per client functionalities that include at least one of: setting a data path, transmit parameters including transmit power, modulation coding schemes, a channel width, beamforming groups, or client received signal strength indicators, and control common client functionalities that include at least one of: a dynamic frequency selection, a channel load and coexistence, based on a real-time operation and a hard-real time operation; an internet protocol security (IPSEC) component configured to control internet protocol (IP) communications and an IP security of the IP communications; and a generic routing encapsulation (GRE) component configured to control GRE tunneling protocols for data packets; and wherein the third partition configuration comprises the first partition configuration, the second partition configuration, and operations related to the second partition configuration that are further associated with hard-real time data path functions.
[00185] Example 9 includes the subject matter of any one of Examples 1-8, including or omitting any elements as optional, wherein the one or more processors are further configured to: modify the partition configuration of the set of VNFs between the vAP and the pAP to a different partition configuration that includes a different number of VNFs in response to a change in a latency value from among a first plurality of latency values to a second plurality of latency values of the communication parameter.
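Examples 4 through 9 together describe the orchestrator's latency-driven choice of partition. The following is an added illustration of that policy, not code from the patent or from Intel: the three latency thresholds of Example 6, a query/response round-trip measurement in the manner of Example 5 (with the exchange injected as a callable so that the code runs offline), and the VNF changes an orchestrator would apply at the vAP when the latency class changes, as in Example 9. The VNF names are shorthand assumed here for the components listed in Examples 7 and 8.

```python
# Added example, not the patent's or Intel's code: the latency-driven VNF partition policy
# of Examples 4-9. VNF names are shorthand assumed for the components of Examples 7 and 8.
import statistics
import time

NON_REAL_TIME = ("wifi_ap_mgmt", "radius_client", "authenticator", "bss_mgmt")
REAL_TIME = ("rrc", "ipsec", "gre")
HARD_REAL_TIME = ("hard_rt_data_path",)

# Partition name -> VNFs moved from the pAP to the vAP; everything else stays on the pAP.
PARTITIONS = {
    "first": NON_REAL_TIME,                               # latency >= 100 ms
    "second": NON_REAL_TIME + REAL_TIME,                  # 10 ms < latency < 100 ms
    "third": NON_REAL_TIME + REAL_TIME + HARD_REAL_TIME,  # latency <= 10 ms
}


def select_partition(latency_ms):
    """Map a WAN link latency to a partition using the thresholds of Example 6."""
    if latency_ms >= 100:
        return "first"
    if latency_ms > 10:
        return "second"
    return "third"


def measure_latency_ms(exchange, samples=5):
    """Time a query/response exchange with the CPE as in Example 5.

    `exchange` is a callable that sends the query and returns when the response
    arrives (injected so the example runs offline). The median of several samples
    keeps a single delayed response from flipping the partition.
    """
    rtts = []
    for _ in range(samples):
        start = time.perf_counter()
        exchange()
        rtts.append((time.perf_counter() - start) * 1000.0)
    return statistics.median(rtts)


class PartitionOrchestrator:
    """Keeps the partition in force and derives the VNF changes for a new latency."""

    def __init__(self):
        self.partition = None   # nothing instantiated at the vAP yet

    def reconcile(self, latency_ms):
        """Return (partition, VNFs to start at the vAP, VNFs to hand back to the pAP)."""
        target = select_partition(latency_ms)
        have = set(PARTITIONS.get(self.partition, ()))
        want = set(PARTITIONS[target])
        self.partition = target
        return target, sorted(want - have), sorted(have - want)
```

A deployment would add hysteresis around the 10 ms and 100 ms boundaries: a link whose latency hovers at a threshold would otherwise be re-partitioned on every measurement, and each re-partition tears down or instantiates VNFs on the vAP. The median in `measure_latency_ms` dampens that but does not prevent it.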
[00186] Example 10 includes the subject matter of any one of Examples 1-9, including or omitting any elements as optional, wherein the one or more processors are further configured to: receive transparently via the WPA2 pass-through a set of unmodified traffic data from a user equipment (UE) and through the community WiFi network of the CPE to enable an authentication protocol or a decryption of the set of unmodified traffic data, only at the vAP.
[00187] Example 11 includes the subject matter of any one of Examples 1-10, including or omitting any elements as optional, wherein the one or more processors are further configured to: generate a plurality of WPA2 pass-through interfaces to connect a plurality of user equipments (UEs) to a plurality of vAPs of a virtual community WiFi network over the CPE, wherein the plurality of vAPs are associated with the pAP of the CPE apart from a residential network of the CPE, and comprise different layer 2 media access control (MAC) addresses.
[00188] Example 12 is a system to be employed in a service provider (SP) network, comprising: one or more processors configured to execute executable instructions stored in a memory that execute one or more executable components comprising: a virtual network function (VNF) orchestrator component configured to generate an instance of a partition configuration of a set of virtual network functions (VNFs) at a virtual Access Point (vAP) of the SP network from a physical access point (pAP) of a customer premise equipment (CPE) based on a communication parameter of a communication link to the CPE; and a WiFi protected access 2 (WPA2) pass-through component configured to transparently generate a WPA2 pass-through through the pAP from the vAP according to the partition configuration and based on a community WiFi network configured at the CPE; and a communication interface, coupled to the one or more processors, configured to receive or transmit communication transmissions.
[00189] Example 13 includes the subject matter of Example 12, including or omitting any elements as optional, wherein the one or more executable components further comprise: a measuring component configured to determine the communication parameter of the communication link by measuring a wide area network (WAN) link latency from the pAP of the CPE to the SP network based on a pinging communication protocol.
[00190] Example 14 includes the subject matter of any one of Examples 12-13, including or omitting any elements as optional, wherein the measuring component is further configured to generate a communication to the CPE, receive a response from the CPE, and measure the WAN latency by measuring a time between the communication and the response from the CPE.
[00191] Example 15 includes the subject matter of any one of Examples 12-14, including or omitting any elements as optional, wherein the VNF orchestrator component is further configured to select the partition configuration as a first partition configuration based on the communication parameter comprising a first value, wherein the first partition configuration includes a plurality of non-real time operations of the pAP associated with the community WiFi network at the CPE, and moving the plurality of non-real time operations from the pAP to the vAP of the SP network.
[00192] Example 16 includes the subject matter of any one of Examples 12-15, including or omitting any elements as optional, wherein the VNF orchestrator component is further configured to select the partition configuration as a second partition configuration based on the communication parameter comprising a second value, wherein the second partition configuration includes the plurality of non-real time operations and a plurality of real time operations of the pAP associated with the community WiFi network at the CPE, and moving the plurality of non-real time operations and the plurality of real-time operations from the pAP to the vAP of the SP network.
[00193] Example 17 includes the subject matter of any one of Examples 12-16, including or omitting any elements as optional, wherein the VNF orchestrator component is further configured to select the partition configuration as a third partition configuration based on the communication parameter comprising a third value, wherein the third partition configuration includes the plurality of non-real time operations, a plurality of real time operations, and a plurality of hard-real time operations of the pAP associated with the community WiFi network at the CPE, and moving the plurality of non-real time operations, the plurality of real-time operations, and the plurality of hard real time operations from the pAP to the vAP of the SP network.
[00194] Example 18 includes the subject matter of any one of Examples 12-17, including or omitting any elements as optional, wherein the VNF orchestrator component is further configured to determine the partition configuration, based on the communication parameter, from among the set of VNFs comprising non-real time operations, real time operations and hard real time operations, wherein the partition configuration comprises the non-real time operations including generating one or more policy settings associated with the vAP by a WiFi AP management component, generating an authentication process by a RADIUS client, authenticating a user equipment (UE) for connection to the WPA2 pass-through to the vAP, and generating a channel selection associated with a BSS identification (BSSID) of the community WiFi network for a client authentication and a key derivation.
[00195] Example 19 includes the subject matter of any one of Examples 12-18, including or omitting any elements as optional, wherein the real-time operations include: radio resource control (RRC) operations comprising per client functionalities including at least one of: setting a data path, transmit parameters including transmit power, modulation coding schemes, a channel width, beamforming groups, or client received signal strength indicators, and common client functionalities that include at least one of: a dynamic frequency selection, a channel load and coexistence, based on a real-time operation and a non-real time operation; internet protocol (IP) communications of an internet protocol security (IPSEC) tunnel; and GRE tunneling protocols for data packets; and wherein the third partition configuration comprises the first partition configuration, the second partition configuration, and operations related to the second partition configuration that are further associated with hard-real time data path functions.
[00196] Example 20 is a computer-readable storage medium storing executable instructions that, in response to execution, cause one or more processors of a service provider (SP) network component to perform operations comprising: determining a partition configuration of a set of virtual network functions (VNFs) to be configured at a virtual access point (vAP) of the SP network from a physical access point (pAP) of a customer premise equipment (CPE) based on a communication parameter of a communication link to the CPE; instantiating the vAP of the SP network based on a community WiFi network to enable a WiFi protected access 2 (WPA2) pass-through; and enabling the WPA2 pass-through transparently through the pAP from the vAP.
[00197] Example 21 includes the subject matter of Example 20, including or omitting any elements as optional, wherein the operations further comprise: modifying the partition configuration from the set of VNFs by removing operations associated with the pAP of the community WiFi network from the pAP to the vAP in response to a change in a latency value of the communication link.
[00198] Example 22 includes the subject matter of any one of Examples 20-21, including or omitting any elements as optional, wherein the operations further comprise: measuring the communication parameter of the communication link by measuring a wide area network (WAN) link latency from the pAP of the CPE to the SP network based on a ping query.
[00199] Example 23 includes the subject matter of any one of Examples 20-22, including or omitting any elements as optional, wherein the operations further comprise: configuring a first partition configuration from the set of VNFs when a link latency is 100 ms or greater; configuring a second partition configuration from the set of VNFs when the link latency is less than 100 ms and greater than 10 ms; and configuring a third partition configuration from the set of VNFs when the link latency is 10 ms, or less than 10 ms.
[00200] Example 24 includes the subject matter of any one of Examples 20-23, including or omitting any elements as optional, wherein the third partition configuration comprises a hard-real time VNF, the second partition configuration comprises a real-time VNF and the first partition configuration comprises a non-real time VNF.
[00201] Example 25 includes the subject matter of any one of Examples 20-24, including or omitting any elements as optional, wherein the operations further comprise: receiving transparently via the WPA2 pass-through a set of unmodified traffic data from a user equipment (UE) and through the community WiFi network of the CPE to enable an authentication protocol or a decryption of the set of unmodified traffic data, only at the vAP.
[00202] Example 26 is an apparatus of a service provider (SP) network component comprising: means for determining a partition configuration of a set of virtual network functions (VNFs) to be configured at a virtual access point (vAP) of the SP network from a physical access point (pAP) of a customer premise equipment (CPE) based on a communication parameter of a communication link to the CPE; means for instantiating the vAP of the SP network based on a community WiFi network to enable a WiFi protected access 2 (WPA2) pass-through; and means for enabling the WPA2 pass-through transparently through the pAP from the vAP.
[00203] Example 27 includes the subject matter of Example 26, including or omitting any elements as optional, further comprising: means for modifying the partition configuration from the set of VNFs by removing operations associated with the pAP of the community WiFi network from the pAP to the vAP in response to a change in a latency value of the communication link.
[00204] Example 28 includes the subject matter of any one of Examples 26-27, including or omitting any elements as optional, further comprising: means for measuring the communication parameter of the communication link by measuring a wide area network (WAN) link latency from the pAP of the CPE to the SP network based on a ping query.
[00205] Example 29 includes the subject matter of any one of Examples 26-28, including or omitting any elements as optional, further comprising: means for configuring a first partition configuration from the set of VNFs when a link latency is 100 ms or greater; means for configuring a second partition configuration from the set of VNFs when the link latency is less than 100 ms and greater than 10 ms; and means for configuring a third partition configuration from the set of VNFs when the link latency is 10 ms, or less than 10 ms.
[00206] Example 30 includes the subject matter of any one of Examples 26-29, including or omitting any elements as optional, wherein the third partition configuration comprises a hard-real time VNF, the second partition configuration comprises a real-time VNF and the first partition configuration comprises a non-real time VNF.
[00207] Example 31 includes the subject matter of any one of Examples 26-30, including or omitting any elements as optional, further comprising: means for receiving transparently via the WPA2 pass-through a set of unmodified traffic data from a user equipment (UE) and through the community WiFi network of the CPE to enable an authentication protocol or a decryption of the set of unmodified traffic data, only at the vAP.
[00208] Example 32 is an apparatus configured to be employed in a service provider (SP) network device, comprising: one or more processors, coupled to a memory that includes instructions to execute operations of the one or more processors, configured to: initiate a WiFi protected access 2 (WPA2) pass-through interface with a user equipment (UE); receive, via the WPA2 pass-through interface, a set of encrypted data from the UE, wherein the set of encrypted data is associated with a community WiFi network; and generate, via the WPA2 pass-through interface, an authentication protocol with the UE based on a virtual network function (VNF) of a physical access point (pAP) associated with the community WiFi network for a virtual access point (vAP) of an SP network of the SP network device.
[00209] Example 33 includes the subject matter of Example 32, including or omitting any elements as optional, wherein the one or more processors are further configured to: generate, via the WPA2 pass-through interface, the authentication protocol with the UE and the vAP by passing communications through a residential gateway node that comprises the pAP associated with the community WiFi network.
[00210] Example 34 includes the subject matter of any one of Examples 32-33, including or omitting any elements as optional, wherein the one or more processors are further configured to: receive, transmit, or receive and transmit data traffic that is unmodified through the WPA2 pass-through interface over the residential gateway node.
[00211] Example 35 includes the subject matter of any one of Examples 32-34, including or omitting any elements as optional, wherein the WPA2 pass-through interface with the UE is configured to enable communication of data traffic from the UE through a residential gateway node without authentication of the data traffic at the residential gateway node.
[00212] Example 36 includes the subject matter of any one of Examples 32-35, including or omitting any elements as optional, wherein the one or more processors are further configured to: in response to a successful authentication from the authentication protocol, receive, via the WPA2 pass-through interface, data traffic associated with only one basic service set (BSS) from among a plurality of BSSs with a layer 2 privacy through a residential gateway node, wherein the BSS is based on a BSS identification (BSSID) associated with the community WiFi network.
[00213] Example 37 includes the subject matter of any one of Examples 32-36, including or omitting any elements as optional, wherein the one or more processors are further configured to: enable, via the WPA2 pass-through interface, a key exchange as a part of the authentication protocol between the vAP of the SP network and the UE, and a decryption only at the vAP of the SP network device.
[00214] Example 38 includes the subject matter of any one of Examples 32-37, including or omitting any elements as optional, wherein the key exchange comprises an advanced encryption standard (AES) counter mode with cipher block chaining message authentication code protocol (AES-CCMP) encryption.
[00215] Example 39 includes the subject matter of any one of Examples 32-38, including or omitting any elements as optional, wherein the WPA2 pass-through interface is configured to enable an end-to-end interface between the UE and the vAP of the SP network, and wherein the vAP is configured to enable a virtual WPA2 community WiFi network as the SP network through a residential gateway node comprising the pAP and a range output coupled to a range extender configured to extend a range of the community WiFi network and further include one or more UEs without access to a residential network of the residential gateway node.
[00216] Example 40 includes the subject matter of any one of Examples 32-40, including or omitting any elements as optional, wherein the SP network device comprises a Home Subscriber Server (HSS) / a Mobility Management Entity (MME) / a Serving GateWay (SGW) / a Packet Data Network (PDN) GateWay (PGW) / a Policy and Charging Rules Function (PCRF) / a WiFi access point management (WAPM) / a Radius Client / an authenticator / a BSS management.
[00217] Example 41 includes the subject matter of any one of Examples 32-41, including or omitting any elements as optional, wherein the one or more processors are further configured to: generate the WPA2 pass-through interface to connect the UE to the SP network at the vAP over the residential gateway node based on the authentication protocol, wherein the SP network comprises an intranet of a remote access gateway node that is configured to be accessed by the UE with data traffic through the WPA2 pass-through interface that is separate from and transparent to residential data traffic of a residential network managed by the residential gateway node.
[00218] Example 42 includes the subject matter of any one of Examples 32-41 , including or omitting any elements as optional, wherein the one or more processors are further configured to: generate a plurality of WPA2 pass-through interfaces to connect a plurality of UEs to a plurality of vAPs of virtual community WiFi networks over the residential gateway node, wherein the plurality of vAPs are coupled to the pAP of the residential gateway node and comprise different layer 2 media access control (MAC) addresses.
[00219] Example 43 is an apparatus configured to be employed in a user equipment (UE) comprising: one or more processors, coupled to a memory that includes instructions to execute operations of the one or more processors, configured to: detect a community WiFi network over a residential gateway; initiate a WiFi protected access 2 (WPA2) pass-through via a physical access point (pAP) of the residential gateway by connecting with the community WiFi network associated with an SP network at a virtual access point (vAP); and communicate transparently via the WPA2 pass-through a set of encrypted data to enable an authentication protocol at the vAP through the residential gateway unmodified and enable a decryption at the vAP.
[00220] Example 44 includes the subject matter of Example 43, including or omitting any elements as optional, wherein the UE comprises a first encryption key associated with a residential gateway AP of a residential network managed by the residential gateway, wherein the first encryption key is separate and different from a second encryption key of the set of encrypted data associated with the community WiFi network.
[00221] Example 45 includes the subject matter of any one of Examples 43-44, including or omitting any elements as optional, wherein the one or more processors are further configured to: in response to a successful authentication from the authentication protocol, transmit, via the WPA2 pass-through, data traffic that is associated with a basic service set (BSS) having a layer 2 privacy through the residential gateway node, wherein the BSS is based on a BSS identification (BSSID) of the community WiFi network.
[00222] Example 46 includes the subject matter of any one of Examples 43-45, including or omitting any elements as optional, wherein the one or more processors are further configured to: enable, via the WPA2 pass-through, a key exchange as a part of the authentication protocol between the vAP of the SP network and the UE, wherein the WPA2 pass-through is configured to extend from a communication component of the UE, through the pAP of the residential gateway and to the vAP of the SP network to enable an end-to-end secure traffic data flow therebetween.
[00223] Example 47 includes the subject matter of any one of Examples 43-46, including or omitting any elements as optional, wherein the SP network comprises an intranet of a remote access gateway node that is configured to be accessed by the UE with data traffic through the WPA2 pass-through that is separated from and transparent to residential data traffic of a residential network managed by the residential gateway node.
[00224] Example 48 is a computer-readable storage medium storing executable instructions that, in response to execution, cause one or more processors of a service provider (SP) network device to perform operations comprising: initiating a WiFi protected access 2 (WPA2) pass-through via a customer premise equipment (CPE) to a user equipment (UE); and receiving, via the WPA2 pass-through, a set of traffic data from the UE, wherein the set of traffic data is unmodified by the CPE and associated with a community WiFi network of the CPE.
[00225] Example 49 includes the subject matter of Example 48, including or omitting any elements as optional, wherein the operations further comprise: generating, via the WPA2 pass-through, an authentication protocol with one or more encrypted data of the set of traffic data with the UE based on a virtual network function (VNF) of a physical access point (pAP) of the community WiFi network for a virtual access point (vAP) of an SP network of the SP network device.
[00226] Example 50 includes the subject matter of any one of Examples 48-49, including or omitting any elements as optional, wherein the operations further comprise: receiving, via the WPA2 pass-through, data only associated with a basic service set (BSS) of a plurality of different BSSs with Layer 2 privacy configured at the CPE, wherein the BSS is based on a BSS identification (BSSID) of a pAP for the community WiFi network.
[00227] Example 51 includes the subject matter of any one of Examples 48-50, including or omitting any elements as optional, wherein the operations further comprise: enabling, via the WPA2 pass-through, a key exchange between a vAP of an SP network and the UE, and a decryption of the key exchange only at the vAP of the SP network device.
[00228] Example 52 includes the subject matter of any one of Examples 48-51 , including or omitting any elements as optional, wherein the SP network comprises an intranet of a remote access gateway node that is configured to be accessed by the UE with data traffic through the WPA2 pass-through that is separate from and transparent to residential data traffic of a residential network managed by the CPE.
[00229] Example 53 includes the subject matter of any one of Examples 48-52, including or omitting any elements as optional, wherein the SP network device comprises at least one of a WiFi access point management (WAPM) / a Radius Client / an authenticator / a BSS management.
[00230] Example 54 is a computer-readable storage medium storing executable instructions that, in response to execution, cause one or more processors of a user equipment (UE) network device to perform operations comprising: detecting a community WiFi network over a residential gateway; initiating a WiFi protected access 2 (WPA2) pass-through via a physical access point (pAP) of the residential gateway by connecting with the community WiFi network associated with an SP network at a virtual access point (vAP); and communicating transparently via the WPA2 pass-through a set of encrypted data to enable an authentication protocol at the vAP through the residential gateway unmodified and enable a decryption at the vAP.
[00231] Example 55 includes the subject matter of Example 54, including or omitting any elements as optional, wherein the operations further comprise: communicating or generating a first encryption key associated with a residential gateway AP of a residential network managed by the residential gateway, wherein the first encryption key is separate and different from a second encryption key of the set of encrypted data associated with the community WiFi network.
[00232] Example 56 includes the subject matter of any one of Examples 54-55, including or omitting any elements as optional, wherein the operations further comprise: in response to a successful authentication from the authentication protocol, transmitting, via the WPA2 pass-through, data traffic that is associated with a basic service set (BSS) having a layer 2 privacy through the residential gateway node, wherein the BSS is based on a BSS identification (BSSID) of the community WiFi network.
[00233] Example 57 includes the subject matter of any one of Examples 54-56, including or omitting any elements as optional, wherein the operations further comprise: enabling, via the WPA2 pass-through, a key exchange as a part of the authentication protocol between the vAP of the SP network and the UE, wherein the WPA2 pass-through is configured to extend from a communication component of the UE, through the pAP of the residential gateway and to the vAP of the SP network to enable an end-to-end secure traffic data flow there-between.
[00234] Example 58 includes the subject matter of any one of Examples 54-57, including or omitting any elements as optional, wherein the SP network comprises an intranet of a remote access gateway node that is configured to be accessed by the UE with data traffic through the WPA2 pass-through that is separated from and transparent to residential data traffic of a residential network managed by the residential gateway node.
[00235] Example 59 is an apparatus of a service provider (SP) network device comprising: means for initiating a WiFi protected access 2 (WPA2) pass-through via a customer premise equipment (CPE) to a user equipment (UE); and means for receiving, via the WPA2 pass-through, a set of traffic data from the UE, wherein the set of traffic data is unmodified by the CPE and associated with a community WiFi network of the CPE.
[00236] Example 60 includes the subject matter of Example 59, including or omitting any elements as optional, further comprising: means for generating, via the WPA2 pass-through, an authentication protocol with one or more encrypted data of the set of traffic data with the UE based on a virtual network function (VNF) of a physical access point (pAP) of the community WiFi network for a virtual access point (vAP) of an SP network of the SP network device.
[00237] Example 61 includes the subject matter of any one of Examples 59-60, including or omitting any elements as optional, further comprising: means for receiving, via the WPA2 pass-through, data only associated with a basic service set (BSS) of a plurality of different BSSs with Layer 2 privacy configured at the CPE, wherein the BSS is based on a BSS identification (BSSID) of a pAP for the community WiFi network.
[00238] Example 62 includes the subject matter of any one of Examples 59-61, including or omitting any elements as optional, further comprising: means for enabling, via the WPA2 pass-through, a key exchange between a vAP of an SP network and the UE, and a decryption of the key exchange only at the vAP of the SP network device.
[00239] Example 63 includes the subject matter of any one of Examples 59-62, including or omitting any elements as optional, wherein the SP network comprises an intranet of a remote access gateway node that is configured to be accessed by the UE with data traffic through the WPA2 pass-through that is separate from and transparent to residential data traffic of a residential network managed by the CPE.
[00240] Example 64 includes the subject matter of any one of Examples 59-63, including or omitting any elements as optional, wherein the SP network device comprises at least one of: a WiFi access point management (WAPM) component, a RADIUS client, an authenticator, or a BSS management component.
[00241] Example 65 is an apparatus of a user equipment (UE) network device comprising: means for detecting a community WiFi network over a residential gateway; means for initiating a WiFi protected access 2 (WPA2) pass-through via a physical access point (pAP) of the residential gateway by connecting with the community WiFi network associated with an SP network at a virtual access point (vAP); and means for communicating transparently via the WPA2 pass-through a set of encrypted data to enable an authentication protocol at the vAP through the residential gateway unmodified and enable a decryption at the vAP.
[00242] Example 66 includes the subject matter of Example 65, including or omitting any elements as optional, further comprising: means for communicating or generating a first encryption key associated with a residential gateway AP of a residential network managed by the residential gateway, wherein the first encryption key is separate and different from a second encryption key of the set of encrypted data associated with the community WiFi network.
[00243] Example 67 includes the subject matter of any one of Examples 65-66, including or omitting any elements as optional, further comprising: means for transmitting, in response to a successful authentication from the authentication protocol, via the WPA2 pass-through, data traffic that is associated with a basic service set (BSS) having layer 2 privacy through the residential gateway node, wherein the BSS is based on a BSS identification (BSSID) of the community WiFi network.
[00244] Example 68 includes the subject matter of any one of Examples 65-67, including or omitting any elements as optional, further comprising: means for enabling, via the WPA2 pass-through, a key exchange as a part of the authentication protocol between the vAP of the SP network and the UE, wherein the WPA2 pass-through is configured to extend from a communication component of the UE, through the pAP of the residential gateway and to the vAP of the SP network to enable an end-to-end secure traffic data flow there-between.
[00245] Example 69 includes the subject matter of any one of Examples 65-68, including or omitting any elements as optional, wherein the SP network comprises an intranet of a remote access gateway node that is configured to be accessed by the UE with data traffic through the WPA2 pass-through that is separated from and transparent to residential data traffic of a residential network managed by the residential gateway node.
[00246] Example 70 is an apparatus configured to be employed in a service provider (SP) network device, comprising: one or more processors, coupled to a memory that includes instructions to execute operations of the one or more processors, configured to: initiate a WiFi protected access 2 (WPA2) pass-through interface with a user equipment (UE); receive, via the WPA2 pass-through interface, a set of encrypted data from the UE, wherein the set of encrypted data is associated with a community WiFi network; and generate, via the WPA2 pass-through interface, an authentication protocol with the UE based on a virtual network function (VNF) of a physical access point (pAP) associated with the community WiFi network for a virtual access point (vAP) of an SP network of the SP network device; and a communication interface, coupled to the one or more processors, configured to receive or transmit communication transmissions.
[00247] Example 71 is an apparatus configured to be employed in a user equipment (UE) comprising: one or more processors, coupled to a memory that includes instructions to execute operations of the one or more processors, configured to: detect a community WiFi network over a residential gateway; initiate a WiFi protected access 2 (WPA2) pass-through via a physical access point (pAP) of the residential gateway by connecting with the community WiFi network associated with an SP network at a virtual access point (vAP); and communicate transparently via the WPA2 pass-through a set of encrypted data to enable an authentication protocol at the vAP through the residential gateway unmodified and enable a decryption at the vAP; and a radio frequency (RF) interface, coupled to the one or more processors, configured to receive or transmit communication transmissions.
[00248] Example 72 is an apparatus configured to be employed in a service provider (SP) network component of an SP network, comprising: a WiFi protected access 2 (WPA2) pass-through interface configured to receive or transmit packet data through a customer premise equipment (CPE) with a user equipment (UE) based on a virtual network function (VNF) of a physical access point (pAP) at a virtual access point (vAP), wherein the pAP is associated with a community WiFi network of a virtual access point (vAP) for the SP network; and one or more processors configured to: receive, via the WPA2 pass-through interface, the packet data associated with the community WiFi network; process the packet data from the pAP along a receive chain for transmission to a wide area network (WAN); and receive and process WAN data for transmission to the pAP via the WPA2 pass-through interface.
[00249] Example 73 includes the subject matter of Example 72, wherein the one or more processors are further configured to: strip a GRE header from the packet data received from the UE; determine whether the packet data comprises encrypted data; determine whether the encrypted data duplicates encrypted data that has already been decrypted (a replay); determine whether the packet data comprises an aggregate media access control (MAC) service data unit (A-MSDU); and determine whether the packet data comprises a data packet or a management packet requesting access to the community WiFi network.
[00250] Example 74 includes the subject matter of any one of Examples 72-73, including or omitting any elements as optional, wherein the one or more processors are further configured to: decrypt the packet data in response to the packet data comprising encrypted data; in response to the encrypted data duplicating encrypted data that was decrypted before it, generate a replay attack notification, drop the encrypted data and update a replay attack counter; de-aggregate the packet data in response to the packet data comprising an A-MSDU; in response to the packet data comprising a management packet, transmit the management packet to a basic service set (BSS) management component that is configured to control a BSS ID of the community WiFi network and a station (STA) connection state; and in response to the packet data comprising a data packet, convert the data packet from an 802.11 format to an 802.3 format and add a generic routing encapsulation (GRE) header for transmission to the community WiFi network and the WAN.
[00251] Example 75 includes the subject matter of any one of Examples 72-74, including or omitting any elements as optional, further comprising: a station (STA) context database configured to update the STA connection state with the UE, one or more keys for encryption / decryption, and the counter associated with the replay attack.
[00252] Example 76 includes the subject matter of any one of Examples 72-75, including or omitting any elements as optional, wherein the one or more processors are further configured to receive the packet data associated with the community WiFi network as UE data that is unmodified through the WPA2 pass-through interface over the CPE to the SP network.
[00253] Example 77 includes the subject matter of any one of Examples 72-76, including or omitting any elements as optional, wherein the one or more processors are further configured to: strip a GRE header from the packet data received from the SP network; encrypt the packet data utilizing a WPA2 key from a STA context database; add a GRE header to the packet data; and transmit the packet data as Internet Protocol (IP) packet data to the CPE.
[00254] Example 78 includes the subject matter of any one of Examples 72-77, including or omitting any elements as optional, wherein the one or more processors are further configured to: configure the vAP with a configuration file to provide at least one of: a set of BSS parameters, a RADIUS client server IP name, wireless access gateway (WAG) name, or an IP address; and configure at least one of the pAP or a range extender coupled to the pAP with one or more CPE credentials to establish a secured link with the community WiFi network for communications with the vAP, a Service Provider SSID, and a virtual WPA2 (vWPA2) Data VNF domain name.
[00255] Example 79 includes the subject matter of any one of Examples 72-78, including or omitting any elements as optional, wherein the one or more processors are further configured to control one or more BSS parameters with the CPE by: communicating a beacon template to a wireless local area network (WLAN) AP driver of the CPE to establish the beacon template there for transmission to the UE; initiating a probe response template by communicating the probe response template to the WLAN AP driver to establish it there; commanding a BSS of the community WiFi network to activate; and in response to a change in buffered traffic at the pAP or in the BSS parameter, updating the beacon template and communicating a traffic indication map to the pAP of the CPE.
[00256] Example 80 includes the subject matter of any one of Examples 72-79, including or omitting any elements as optional, wherein the one or more processors are further configured to enable a UE client connection establishment by: in response to receiving a client authentication request in a MAC management protocol data unit (MMPDU) of the packet data, create a STA context and update a client state of the STA context to Class 2; communicate a command to set Class 2 for a client MAC address to the pAP and a WLAN driver; communicate an authentication response (authentication transaction sequence number 2) as the MMPDU to the UE via the pAP with the WLAN driver; and in response to receiving an association request, establish the client state of the STA context as Class 3 to enable a data packet and a management packet to be processed, change the client state to associated, assign an association identity (AID), and communicate a packet association response for an association of the UE.
[00257] Example 81 includes the subject matter of any one of Examples 72-80, including or omitting any elements as optional, wherein the one or more processors are further configured to: generate, via the WPA2 pass-through interface, the authentication protocol with the UE and the vAP by updating a client credential with an authentication server and communicating master session key (MSK) data through the CPE comprising the pAP associated with the community WiFi network to enable derivation of an MSK by the UE; enable an encryption key for an encryption of at least one of: a data packet or a management packet of the packet data via a four-way handshake protocol; derive encryption keys for a WPA2 encryption of unicast frames / packets based on a client pairwise transient key (PTK), and for communication of broadcast messages from the pAP to the UE based on a group temporal key (GTK); and configure a station (STA) context database with the encryption keys associated with unicast traffic and broadcast traffic, and command the vAP to open a port for communication with the UE via the WPA2 pass-through interface to communicate data packets from the UE and to a wireless access gateway of the SP network.
[00258] Example 82 includes the subject matter of any one of Examples 72-81, including or omitting any elements as optional, wherein the one or more processors are further configured to: receive a management packet of the packet data comprising a disassociate packet; decrypt the disassociate packet; alter a client state to Class 1 to prevent accepting further packet data other than an authentication request; release a client AID while retaining a STA context related to the UE; and remove encryption / decryption keys related to the UE.
[00259] Example 83 includes the subject matter of any one of Examples 72-82, including or omitting any elements as optional, wherein the one or more processors are further configured to: generate a determination of whether to disassociate the UE from the SP network; and based on the determination, generate a disassociate message to the UE.
[00260] Example 84 includes the subject matter of any one of Examples 72-83, including or omitting any elements as optional, wherein the one or more processors are further configured to: in response to a failed link between the pAP and the vAP of the SP network, receive a stop command to stop communications including a beacon with the UE associated with the community WiFi network; and in response to a successful link following the failed link, receive a connection recovery message at the vAP and initialize a WLAN AP driver of the CPE for transmission to the UE via the WPA2 pass-through interface.
[00261] Example 85 includes the subject matter of any one of Examples 72-84, including or omitting any elements as optional, further comprising: a VNF orchestrator component configured to generate an instance of a partition configuration of a set of VNFs at the vAP of the SP network from the pAP of the CPE; and a WPA2 pass-through component configured to transparently generate the WPA2 pass-through through the pAP from the vAP according to the partition configuration associated with the community WiFi network configured at the CPE; wherein the VNF orchestrator component is further configured to select the partition configuration as a second partition configuration from a plurality of partition configurations including a plurality of non-real time operations and real time operations of the pAP associated with the community WiFi network at the CPE.
[00262] Example 86 is an apparatus configured to be employed in a customer premise equipment (CPE), comprising: a physical access point (pAP) comprising one or more processors configured to enable a community WiFi network for a user equipment (UE) by passing along a packet via a WiFi protected access 2 (WPA2) pass-through interface, without performing security operations on the packet, from the UE to a virtual access point (vAP) of a service provider (SP) network; a communication interface, coupled to the one or more processors, configured to: transmit a beacon of the community WiFi network to the UE; receive the packet associated with the community WiFi network from the UE; and pass along the packet from the UE to the SP network via the WPA2 pass-through interface without a decryption / encryption process being performed on the packet.
[00263] Example 87 includes the subject matter of Example 86, including or omitting any elements as optional, further comprising: a range extender configured to connect the UE to the CPE with an end-to-end connection based on at least one of: the community WiFi network or a home network.
[00264] Example 88 includes the subject matter of any one of Examples 86-87, including or omitting any elements as optional, wherein the one or more processors are further configured to: determine whether the packet belongs to the community WiFi network based on a basic service set (BSS) identity (ID) and a class category of the packet, wherein the community WiFi network is configured as a virtual network; in response to the packet belonging to the community WiFi network and a class category of the packet comprising a Class 1, 2 or 3, add one or more metadata comprising at least one of: a received signal strength, a signal to noise ratio, or a physical (PHY) layer header; and add a generic routing encapsulation (GRE) header to the packet.
[00265] Example 89 includes the subject matter of any one of Examples 86-88, including or omitting any elements as optional, wherein the one or more processors are further configured to: receive another packet from the SP network via the WPA2 pass-through interface; in response to the other packet belonging to the community WiFi network, remove a GRE header of the other packet; schedule the other packet for transmission to the UE by placing it in a WiFi transmit queue; and transmit the other packet to the UE without the decryption / encryption process being performed on it.
[00266] Example 90 includes the subject matter of any one of Examples 86-89, including or omitting any elements as optional, wherein the one or more processors are further configured to: receive a beacon template to establish the beacon template at a wireless local area network (WLAN) AP driver of the CPE for transmission of the beacon of the community WiFi network to the UE; receive a probe response template to establish the probe response template at the WLAN AP driver for an inquiry related to the community WiFi network by the UE; activate a BSS with a BSS ID of the community WiFi network in response to receiving a BSS command from the SP network; and update the beacon template in response to receiving a traffic indication map at the pAP.
[00267] Example 91 includes the subject matter of any one of Examples 86-90, including or omitting any elements as optional, wherein the one or more processors are further configured to: transmit a client authentication request with a MAC management protocol data unit (MMPDU) as the packet, in response to the packet comprising a client state that is Class 1; receive a command to set the client state to Class 2 with a client MAC address at the pAP and a WLAN driver; receive an authentication response (authentication transaction sequence number 2) as the MMPDU and transmit the MMPDU to the UE via the pAP and the WLAN driver; and receive another command to set the client state to Class 3 to enable a data packet and a management packet to be communicated to the SP network, change the client state to associated, assign an association identity (AID), and communicate a packet association response for an association of the UE to the SP network via the WPA2 pass-through interface.
[00268] Example 92 includes the subject matter of any one of Examples 86-90, including or omitting any elements as optional, wherein the one or more processors are further configured to: receive a management packet comprising a disassociate packet; forward the disassociate packet via the WPA2 pass-through interface; in response to detecting a failed link between the pAP and the vAP of the SP network, operate the pAP in autonomous mode, receive a stop command to stop communications that include a beacon associated with the community WiFi network, clean a queue and set the client state to Class 1 to prevent accepting a further packet other than an authentication request; and in response to detecting a successful link following the failed link, transmit a connection recovery message to the vAP and initialize a WLAN AP driver of the CPE for transmission via the WPA2 pass-through interface.
[00269] Example 93 is a computer-readable storage medium storing executable instructions that, in response to execution, cause one or more processors of a service provider (SP) network component to perform operations comprising: receiving, via a WiFi protected access 2 (WPA2) pass-through, a set of traffic data from a physical access point (pAP) of customer premise equipment (CPE) connected to a user equipment (UE), wherein the set of traffic data is unmodified by the CPE and associated with a community WiFi network of the CPE; processing the packet data from the pAP along a receive chain for transmission to a wide area network (WAN); and receiving and processing WAN data for transmission to the pAP via the WPA2 pass-through interface.
[00270] Example 94 includes the subject matter of Example 93, wherein the operations further comprise at least one of: stripping a GRE header from the packet data received from the UE; determining whether the packet data comprises encrypted data; determining whether the encrypted data duplicates encrypted data that has already been decrypted (a replay); determining whether the packet data comprises an aggregate media access control (MAC) service data unit (A-MSDU); or determining whether the packet data comprises a data packet or a management packet requesting access to the community WiFi network.
[00271] Example 95 includes the subject matter of any one of Examples 93-94, including or omitting any elements as optional, wherein the operations further comprise at least one of: decrypting the packet data in response to the packet data comprising encrypted data; in response to the encrypted data duplicating encrypted data that was decrypted before it, generating a replay attack notification, dropping the encrypted data and updating a replay attack counter; de-aggregating the packet data in response to the packet data comprising an A-MSDU; in response to the packet data comprising a management packet, transmitting the management packet to a basic service set (BSS) management component that is configured to control a BSS ID of the community WiFi network and a station (STA) connection state; or in response to the packet data comprising a data packet, converting the data packet from an 802.11 format to an 802.3 format and adding a generic routing encapsulation (GRE) header for transmission to the community WiFi network and the WAN.
[00272] Example 96 includes the subject matter of any one of Examples 93-95, including or omitting any elements as optional, wherein the operations further comprise at least one of: stripping a GRE header from the packet data received from the SP network; encrypting the packet data utilizing a WPA2 key from a STA context database; adding a GRE header to the packet data; or transmitting the packet data as Internet Protocol (IP) packet data to the CPE.
[00273] Example 97 includes the subject matter of any one of Examples 93-96, including or omitting any elements as optional, wherein the operations further comprise: communicating a beacon template to a wireless local area network (WLAN) AP driver of the CPE to establish the beacon template there for transmission to the UE; initiating a probe response template by communicating the probe response template to the WLAN AP driver to establish it there; commanding a BSS of the community WiFi network to activate; and in response to a change in buffered traffic at the pAP or in the BSS parameter, updating the beacon template and communicating a traffic indication map to the pAP of the CPE.
[00274] Example 98 includes the subject matter of any one of Examples 93-97, including or omitting any elements as optional, wherein the operations further comprise enabling a UE client connection establishment by: in response to receiving a client authentication request in a MAC management protocol data unit (MMPDU) of the packet data, creating a STA context and updating a client state of the STA context to Class 2; communicating a command to set Class 2 for a client MAC address to the pAP and a WLAN driver; communicating an authentication response (authentication transaction sequence number 2) as the MMPDU to the UE via the pAP with the WLAN driver; and in response to receiving an association request, establishing the client state of the STA context as Class 3 to enable a data packet and a management packet to be processed, changing the client state to associated, assigning an association identity (AID), and communicating a packet association response for an association of the UE.
[00275] Example 99 includes the subject matter of any one of Examples 93-98, including or omitting any elements as optional, wherein the operations further comprise: generating, via the WPA2 pass-through interface, the authentication protocol with the UE and the vAP by updating a client credential with an authentication server and communicating master session key (MSK) data through the CPE comprising the pAP associated with the community WiFi network to enable derivation of an MSK by the UE; enabling an encryption key for an encryption of at least one of: a data packet or a management packet of the packet data via a four-way handshake protocol; deriving encryption keys for a WPA2 encryption of unicast frames / packets based on a client pairwise transient key (PTK), and for communication of broadcast messages from the pAP to the UE based on a group temporal key (GTK); and configuring a station (STA) context database with the encryption keys associated with unicast traffic and broadcast traffic, and commanding the vAP to open a port for communication with the UE via the WPA2 pass-through interface to communicate data packets from the UE and to a wireless access gateway of the SP network.
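The key hierarchy that Examples 81 and 99 describe, worked through as an added example (this is not code from the patent): EAP authentication at the RADIUS server yields the MSK (the master session key of 802.1X/EAP), the PMK is its first 256 bits, the four-way handshake derives the PTK (KCK, KEK and the unicast TK) from the PMK, both MAC addresses and both nonces with the 802.11 PRF, and the GTK covers broadcast traffic; the controlled port opens only once every handshake MIC verifies. Assumptions: the EAPOL-Key frame is reduced to nonce, MIC and key data (the real descriptor carries more fields), the AES key wrap of the GTK under the KEK and AES-CCM data encryption are not shown, and all key material and addresses are constructed test values.

```python
import hashlib
import hmac
import os
from typing import Dict, Optional, Tuple

MIC_LEN = 16


def prf(key: bytes, label: bytes, data: bytes, nbits: int) -> bytes:
    """802.11 PRF-n: HMAC-SHA1 blocks over label || 0x00 || data || i, concatenated."""
    out = b""
    for i in range((nbits + 159) // 160):
        out += hmac.new(key, label + b"\x00" + data + bytes([i]), hashlib.sha1).digest()
    return out[:nbits // 8]


def pmk_from_msk(msk: bytes) -> bytes:
    """EAP (RADIUS) authentication: the PMK is the first 256 bits of the MSK."""
    if len(msk) < 32:
        raise ValueError("MSK must be at least 256 bits")
    return msk[:32]


def derive_ptk(pmk: bytes, aa: bytes, spa: bytes, anonce: bytes, snonce: bytes) -> Dict[str, bytes]:
    """CCMP PTK (384 bits): KCK and KEK protect the handshake, TK encrypts unicast data."""
    data = min(aa, spa) + max(aa, spa) + min(anonce, snonce) + max(anonce, snonce)
    ptk = prf(pmk, b"Pairwise key expansion", data, 384)
    return {"KCK": ptk[:16], "KEK": ptk[16:32], "TK": ptk[32:48]}


def derive_gtk(gmk: bytes, aa: bytes, gnonce: bytes) -> bytes:
    """GTK for broadcast / multicast, from the authenticator's group master key."""
    return prf(gmk, b"Group key expansion", aa + gnonce, 128)


def eapol_mic(kck: bytes, frame_with_zero_mic: bytes) -> bytes:
    """Key descriptor version 2 (WPA2/CCMP): HMAC-SHA1-128 over the EAPOL-Key frame."""
    return hmac.new(kck, frame_with_zero_mic, hashlib.sha1).digest()[:MIC_LEN]


def key_frame(nonce: bytes, key_data: bytes, kck: Optional[bytes]) -> bytes:
    """Simplified EAPOL-Key body (ASSUMPTION): nonce(32) || MIC(16) || key_data.
    Message 1 carries no MIC (kck=None), so the MIC field stays zero."""
    body = nonce + bytes(MIC_LEN) + key_data
    return body if kck is None else nonce + eapol_mic(kck, body) + key_data


def mic_ok(kck: bytes, frame: bytes) -> bool:
    zeroed = frame[:32] + bytes(MIC_LEN) + frame[32 + MIC_LEN:]
    return hmac.compare_digest(frame[32:32 + MIC_LEN], eapol_mic(kck, zeroed))


def four_way_handshake(pmk_auth: bytes, pmk_supp: bytes, aa: bytes, spa: bytes,
                       gtk: bytes) -> Tuple[bool, Optional[bytes]]:
    """vAP (authenticator, pmk_auth) and UE (supplicant, pmk_supp) exchange.
    Returns (port_open, TK): the controlled port opens only if every MIC verifies."""
    anonce, snonce = os.urandom(32), os.urandom(32)
    msg1 = key_frame(anonce, b"", None)                         # vAP -> UE: ANonce
    ptk_s = derive_ptk(pmk_supp, aa, spa, msg1[:32], snonce)    # UE derives its PTK
    msg2 = key_frame(snonce, b"", ptk_s["KCK"])                 # UE -> vAP: SNonce + MIC
    ptk_a = derive_ptk(pmk_auth, aa, spa, anonce, msg2[:32])    # vAP derives its PTK
    if not mic_ok(ptk_a["KCK"], msg2):                          # PMK mismatch shows here
        return False, None
    # Message 3 carries the GTK; real WPA2 AES-key-wraps it under the KEK (not shown)
    msg3 = key_frame(anonce, gtk, ptk_a["KCK"])
    if not mic_ok(ptk_s["KCK"], msg3):
        return False, None
    msg4 = key_frame(snonce, b"", ptk_s["KCK"])                 # UE -> vAP: confirm
    if not mic_ok(ptk_a["KCK"], msg4):
        return False, None
    return True, ptk_a["TK"]                                    # install TK, open port
```

The PMK never crosses the pass-through: only the nonces and MICs do, which is why the pAP can relay the exchange byte-for-byte without being able to derive the TK, and why a UE holding the wrong PMK fails at message 2 rather than after keys are installed.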
[00276] Example 100 is a computer-readable storage medium storing executable instructions that, in response to execution, cause one or more processors of a customer premise equipment (CPE) to perform operations comprising: enabling a community WiFi network for a user equipment (UE) by passing along a packet via a WiFi protected access 2 (WPA2) pass-through interface by a physical access point (pAP), without performing security operations on the packet, from the UE to a virtual access point (vAP) of a service provider (SP) network; transmitting a beacon of the community WiFi network to the UE; receiving the packet associated with the community WiFi network from the UE; and passing along the packet from the UE to the SP network via the WPA2 pass-through interface without a decryption / encryption process being performed on the packet.
[00277] Example 101 includes the subject matter of Example 100, wherein the operations further comprise: connecting the UE to the CPE with an end-to-end connection based on at least one of: the community WiFi network or a home network, via a range extender.
[00278] Example 102 includes the subject matter of any one of Examples 100-101, including or omitting any elements as optional, wherein the operations further comprise: determining whether the packet belongs to the community WiFi network based on a basic service set (BSS) identity (ID) and a class category of the packet, wherein the community WiFi network is configured as a virtual network; in response to the packet belonging to the community WiFi network and a class category of the packet comprising a Class 1, 2 or 3, adding one or more metadata comprising at least one of: a received signal strength, a signal to noise ratio, or a physical (PHY) layer header; and adding a generic routing encapsulation (GRE) header to the packet.
[00279] Example 103 includes the subject matter of any one of Examples 100-102, including or omitting any elements as optional, wherein the operations further comprise: receiving another packet from the SP network via the WPA2 pass-through interface; in response to the other packet belonging to the community WiFi network, removing a GRE header of the other packet; scheduling the other packet for transmission to the UE by placing it in a WiFi transmit queue; and transmitting the other packet to the UE without the decryption / encryption process being performed on it.
[00280] Example 104 includes the subject matter of any one of Examples 100-103, including or omitting any elements as optional, wherein the operations further comprise: receiving a beacon template to establish the beacon template at a wireless local area network (WLAN) AP driver of the CPE for transmission of the beacon of the community WiFi network to the UE; receiving a probe response template to establish the probe response template at the WLAN AP driver for an inquiry related to the community WiFi network by the UE; activating a BSS with a BSS ID of the community WiFi network in response to receiving a BSS command from the SP network; and updating the beacon template in response to receiving a traffic indication map at the pAP.
[00281] Example 105 includes the subject matter of any one of Examples 100-104, including or omitting any elements as optional, wherein the operations further comprise: transmitting a client authentication request with a MAC management protocol data unit (MMPDU) as the packet, in response to the packet comprising a client state that is Class 1; receiving a command to set the client state to Class 2 with a client MAC address at the pAP and a WLAN driver; receiving an authentication response (authentication transaction sequence number 2) as the MMPDU and transmitting the MMPDU to the UE via the pAP and the WLAN driver; and receiving another command to set the client state to Class 3 to enable a data packet and a management packet to be communicated to the SP network, changing the client state to associated, assigning an association identity (AID), and communicating a packet association response for an association of the UE to the SP network via the WPA2 pass-through interface.
[00282] Example 106 includes the subject matter of any one of Examples 100-105, including or omitting any elements as optional, wherein the operations further comprise: receiving a management packet comprising a dissociate packet; forwarding the dissociate packet via the WPA2 pass-through interface; in response to detecting a failed link between the pAP and the vAP of the SP network, operating the pAP in autonomous mode, receiving a stop command to stop communications that include a beacon associated with the community WiFi network, cleaning a queue and setting the client state as Class 1 to prevent accepting a further packet other than an authentication request; and in response to detecting a successful link following the failed link, transmitting a connection recovery message to the vAP and initializing a WLAN AP driver of the CPE for transmission via the WPA2 pass-through interface.
[00283] Example 107 is an apparatus of a service provider (SP) network component comprising: means for receiving, via a WiFi protected access 2 (WPA2) pass-through, a set of traffic data from a physical access point (pAP) of customer premise equipment (CPE) connected to a user equipment (UE), wherein the set of traffic data is unmodified by the CPE and associated with a community WiFi network of the CPE; means for processing the packet data from the pAP along a receive chain for transmission to a wide area network (WAN); and means for receiving and processing WAN data for transmission to the pAP via the WPA2 pass-through interface.
[00284] Example 108 includes the subject matter of Example 107, further comprising: means for stripping a GRE header from the packet data received from the UE; means for determining whether the packet data comprises an encrypted data; means for determining whether a similar encrypted data as the encrypted data has been decrypted before; means for determining whether the packet data comprises an aggregate media access control (MAC) service data unit (A-MSDU); or means for determining whether the packet data comprises a data packet or a management packet requesting access to the community WiFi network.
[00285] Example 109 includes the subject matter of any one of Examples 107-108, including or omitting any elements as optional, further comprising: means for decrypting the packet data in response to the packet data comprising an encrypted data; in response to the encrypted data being similar to a similar encrypted data decrypted before the encrypted data, means for generating a replay attack notification, dropping the encrypted data and updating a replay attack counter; means for de-aggregating the packet data in response to the packet data comprising an A-MSDU; in response to the packet data comprising a management packet, means for transmitting the management packet to a basic service set (BSS) management component that is configured to control a BSS ID of the community WiFi network and a station (STA) connection state; or in response to the packet data comprising a data packet, means for converting the data packet from an 802.11 format to an 802.3 format and adding a generic routing encapsulation (GRE) header for transmission to the community WiFi network and the WAN.
[00286] Example 110 includes the subject matter of any one of Examples 107-109, including or omitting any elements as optional, further comprising: means for stripping a GRE header from the packet data received from the SP network; means for encrypting the packet data utilizing a WPA2 key from a STA context database; means for adding a GRE header to the packet data; or means for transmitting the packet data as Internet Protocol (IP) packet data to the CPE.
[00287] Example 111 includes the subject matter of any one of Examples 107-110, including or omitting any elements as optional, further comprising: means for communicating a beacon template to establish the beacon template to a wireless local area network (WLAN) AP driver of the CPE for transmission to the UE; means for initiating a probe response template by communicating the probe response template to establish the probe response template to the WLAN AP driver; means for commanding a BSS of the community WiFi network to activate; and in response to a change in a buffer traffic at the pAP or the BSS parameter, means for updating the beacon template and communicating a traffic indication map to the pAP of the CPE.
[00288] Example 112 includes the subject matter of any one of Examples 107-111, including or omitting any elements as optional, further comprising: means for enabling a UE client connection establishment by: in response to receiving a client authentication request in a management packet data unit (MMPDU) of the packet data, means for creating a STA context and updating a client state of the STA context to Class 2; means for communicating a command to set the Class 2 for a client MAC address to the pAP and a WLAN driver; means for communicating an authentication response as the MMPDU for client authentication 2 to the UE via the pAP with the WLAN driver; and in response to receiving an association request, means for establishing the client state of the STA context to Class 3 to enable a data packet and a management packet to be processed, means for changing the client state to associated, assigning an association identity (AID), and means for communicating a packet association response for an association of the UE.
[00289] Example 113 includes the subject matter of any one of Examples 107-112, including or omitting any elements as optional, further comprising: means for generating, via the WPA2 pass-through interface, the authentication protocol with the UE and the vAP by updating a client credential with an authentication server and communicating master session key (MSK) data through the CPE comprising the pAP associated with the community WiFi network to enable derivation of an MSK by the UE; means for enabling an encryption key for an encryption of at least one of: a data packet or a management packet of the packet data via a four-way handshake protocol; means for deriving encryption keys for a WPA2 encryption of unicast frames / packets based on a client pairwise transient key (PTK), and for communication from the pAP to the UE with broadcast messages based on a group temporal key (GTK); and means for configuring a station (STA) context database with the encryption keys associated with unicast traffic and broadcast traffic, and commanding the vAP to open a port for communication with the UE via the WPA2 pass-through interface to communicate data packets from the UE and to a wireless access gateway of the SP network.
[00290] Example 114 is an apparatus of a customer premise equipment (CPE) comprising: means for enabling a community WiFi network for a user equipment (UE) by passing along a packet via a WiFi protected access 2 (WPA2) pass-through interface by a physical access point (pAP), without performing security operations on the packet, from the UE to a virtual access point (vAP) of a service provider (SP) network; means for transmitting a beacon of the community WiFi network to the UE; means for receiving the packet associated with the community WiFi network from the UE; and means for passing along the packet from the UE to the SP network via the WPA2 pass-through interface without a decryption / encryption process being performed to the packet.
[00291] Example 115 includes the subject matter of Example 114, further comprising: means for connecting the UE to the CPE with an end-to-end connection based on at least one of: the community WiFi network or a home network, via a range extender.
[00292] Example 116 includes the subject matter of any one of Examples 114-115, including or omitting any elements as optional, further comprising: means for determining whether the packet belongs to the community WiFi network based on a basic service set (BSS) identity (ID) and a class category of the packet, wherein the community WiFi network is configured as a virtual network; in response to the packet belonging to the community WiFi network and a class category of the packet comprising a Class 1, 2 or 3, means for adding one or more metadata comprising at least one of: a received signal strength, a signal to noise ratio, or a physical (PHY) layer header; and means for adding a generic routing encapsulation (GRE) header to the packet.
[00293] Example 117 includes the subject matter of any one of Examples 114-116, including or omitting any elements as optional, further comprising: means for receiving another packet from the SP network via the WPA2 pass-through interface; in response to the another packet belonging to the community WiFi network, means for removing a GRE header of the another packet; means for scheduling the another packet for transmission to the UE by providing the another packet in a WiFi transmit queue; and means for transmitting the another packet to the UE without the decryption / encryption process being performed to the another packet.
[00294] Example 118 includes the subject matter of any one of Examples 114-117, including or omitting any elements as optional, further comprising: means for receiving a beacon template to establish the beacon template to a wireless local area network (WLAN) AP driver of the CPE for transmission of the beacon of the community WiFi network to the UE; means for receiving a probe response template to establish the probe response template to the WLAN AP driver for an inquiry related to the community WiFi network by the UE; means for activating a BSS with a BSS ID of the community WiFi network in response to receiving a BSS command from the SP network; and means for updating the beacon template in response to receiving a traffic indication map at the pAP.
[00295] Example 119 includes the subject matter of any one of Examples 114-118, including or omitting any elements as optional, further comprising: means for transmitting a client authentication request with a management packet data unit (MMPDU) as the packet, in response to the packet comprising a client state that is Class 1; means for receiving a command to set the client state to Class 2 with a client MAC address at the pAP and a WLAN driver; means for receiving an authentication response as the MMPDU and transmitting the MMPDU for a client authentication 2 to the UE via the pAP and the WLAN driver; and means for receiving another command to set the client state to Class 3 to enable a data packet and a management packet to be communicated to the SP network, changing the client state to associated, assigning an association identity (AID), and communicating a packet association response for an association of the UE to the SP network via the WPA2 pass-through interface.
[00296] Example 120 includes the subject matter of any one of Examples 114-119, including or omitting any elements as optional, further comprising: means for receiving a management packet comprising a dissociate packet; means for forwarding the dissociate packet via the WPA2 pass-through interface; in response to detecting a failed link between the pAP and the vAP of the SP network, means for operating the pAP in autonomous mode, means for receiving a stop command to stop communications that include a beacon associated with the community WiFi network, means for cleaning a queue and setting the client state as Class 1 to prevent accepting a further packet other than an authentication request; and in response to detecting a successful link following the failed link, means for transmitting a connection recovery message to the vAP and initializing a WLAN AP driver of the CPE for transmission via the WPA2 pass-through interface.
[00297] Applications (e.g., program modules) can include routines, programs, components, data structures, etc., that perform particular tasks or implement particular abstract data types. Moreover, those skilled in the art will appreciate that the operations disclosed can be practiced with other system configurations, including single-processor or multiprocessor systems, minicomputers, mainframe computers, as well as personal computers, hand-held computing devices, microprocessor-based or programmable consumer electronics, and the like, each of which can be operatively coupled to one or more associated mobile or personal computing devices.
[00298] A computing device can typically include a variety of computer-readable media. Computer readable media can be any available media that can be accessed by the computer and includes both volatile and non-volatile media, removable and non-removable media. By way of example and not limitation, computer-readable media can comprise computer storage media and communication media. Computer storage media includes both volatile and non-volatile, removable and non-removable media implemented in any method or technology for storage of information such as computer-readable instructions, data structures, program modules or other data. Computer storage media (e.g., one or more data stores) can include, but is not limited to, RAM, ROM, EEPROM, flash memory or other memory technology, CD ROM, digital versatile disk (DVD) or other optical disk storage, magnetic cassettes, magnetic tape, magnetic disk storage or other magnetic storage devices, or any other medium which can be used to store the desired information and which can be accessed by the computer.
[00299] Communication media typically embodies computer-readable instructions, data structures, program modules or other data in a modulated data signal such as a carrier wave or other transport mechanism, and includes any information delivery media. The term "modulated data signal" means a signal that has one or more of its characteristics set or changed in such a manner as to encode information in the signal. By way of example, and not limitation, communication media includes wired media such as a wired network or direct-wired connection, and wireless media such as acoustic, RF, infrared and other wireless media. Combinations of any of the above should also be included within the scope of computer-readable media.
[00300] It is to be understood that aspects described herein may be implemented by hardware, software, firmware, or any combination thereof. When implemented in software, functions may be stored on or transmitted over as one or more instructions or code on a computer-readable medium. Computer-readable media includes both computer storage media and communication media including any medium that facilitates transfer of a computer program from one place to another. A storage medium may be any available medium that can be accessed by a general purpose or special purpose computer. By way of example, and not limitation, such computer-readable media can comprise RAM, ROM, EEPROM, CD-ROM or other optical disk storage, magnetic disk storage or other magnetic storage devices, or any other medium that can be used to carry or store desired program code means in the form of instructions or data structures and that can be accessed by a general-purpose or special-purpose computer, or a general-purpose or special-purpose processor. Also, any connection is properly termed a computer-readable medium. For example, if software is transmitted from a website, server, or other remote source using a coaxial cable, fiber optic cable, twisted pair, digital subscriber line (DSL), or wireless technologies such as infrared, radio, and microwave, then coaxial cable, fiber optic cable, twisted pair, DSL, or wireless technologies such as infrared, radio, and microwave are included in the definition of medium. Disk and disc, as used herein, includes compact disc (CD), laser disc, optical disc, digital versatile disc (DVD), floppy disk and Blu-ray disc where disks usually reproduce data magnetically, while discs reproduce data optically with lasers. Combinations of the above should also be included within the scope of computer-readable media.
[00301] Various illustrative logics, logical blocks, modules, and circuits described in connection with aspects disclosed herein may be implemented or performed with a general purpose processor, a digital signal processor (DSP), an application specific integrated circuit (ASIC), a field programmable gate array (FPGA) or other programmable logic device, discrete gate or transistor logic, discrete hardware components, or any combination thereof designed to perform functions described herein. A general-purpose processor may be a microprocessor, but, in the alternative, the processor may be any conventional processor, controller, microcontroller, or state machine. A processor may also be implemented as a combination of computing devices, for example, a combination of a DSP and a microprocessor, a plurality of microprocessors, one or more microprocessors in conjunction with a DSP core, or any other such configuration. Additionally, at least one processor may comprise one or more modules operable to perform one or more of the acts and/or actions described herein.
[00302] For a software implementation, techniques described herein may be implemented with modules (e.g., procedures, functions, and so on) that perform functions described herein. Software codes may be stored in memory units and executed by processors. A memory unit may be implemented within a processor or external to the processor, in which case the memory unit can be communicatively coupled to the processor through various means as is known in the art. Further, at least one processor may include one or more modules operable to perform functions described herein.
[00303] Techniques described herein may be used for various wireless communication systems such as CDMA, TDMA, FDMA, OFDMA, SC-FDMA and other systems. The terms "system" and "network" are often used interchangeably. A CDMA system may implement a radio technology such as Universal Terrestrial Radio Access (UTRA), CDMA2000, etc. UTRA includes Wideband-CDMA (W-CDMA) and other variants of CDMA. Further, CDMA2000 covers IS-2000, IS-95 and IS-856 standards. A TDMA system may implement a radio technology such as Global System for Mobile Communications (GSM). An OFDMA system may implement a radio technology such as Evolved UTRA (E-UTRA), Ultra Mobile Broadband (UMB), IEEE 802.11 (Wi-Fi), IEEE 802.16 (WiMAX), IEEE 802.20, Flash-OFDM, etc. UTRA and E-UTRA are part of Universal Mobile Telecommunication System (UMTS). 3GPP Long Term Evolution (LTE) is a release of UMTS that uses E-UTRA, which employs OFDMA on downlink and SC-FDMA on uplink. UTRA, E-UTRA, UMTS, LTE and GSM are described in documents from an organization named "3rd Generation Partnership Project" (3GPP). Additionally, CDMA2000 and UMB are described in documents from an organization named "3rd Generation Partnership Project 2" (3GPP2). Further, such wireless communication systems may additionally include peer-to-peer (e.g., mobile-to-mobile) ad hoc network systems often using unpaired unlicensed spectrum, 802.xx wireless LAN, BLUETOOTH and any other short- or long-range wireless communication techniques, such as millimeter wave bands in the range of 30 GHz to 300 GHz, for example.
[00304] Single carrier frequency division multiple access (SC-FDMA), which utilizes single carrier modulation and frequency domain equalization, is a technique that can be utilized with the disclosed aspects. SC-FDMA has similar performance and essentially the same overall complexity as an OFDMA system. An SC-FDMA signal has a lower peak-to-average power ratio (PAPR) because of its inherent single carrier structure. SC-FDMA can be utilized in uplink communications where a lower PAPR can benefit a mobile terminal in terms of transmit power efficiency.
[00305] Moreover, various aspects or features described herein may be implemented as a method, apparatus, or article of manufacture using standard programming and/or engineering techniques. The term "article of manufacture" as used herein is intended to encompass a computer program accessible from any computer-readable device, carrier, or media. For example, computer-readable media can include but are not limited to magnetic storage devices (e.g., hard disk, floppy disk, magnetic strips, etc.), optical discs (e.g., compact disc (CD), digital versatile disc (DVD), etc.), smart cards, and flash memory devices (e.g., EPROM, card, stick, key drive, etc.). Additionally, various storage media described herein can represent one or more devices and/or other machine-readable media for storing information. The term "machine-readable medium" can include, without being limited to, wireless channels and various other media capable of storing, containing, and/or carrying instruction(s) and/or data. Additionally, a computer program product may include a computer readable medium having one or more instructions or codes operable to cause a computer to perform functions described herein.
[00306] Further, the acts and/or actions of a method or algorithm described in connection with aspects disclosed herein may be embodied directly in hardware, in a software module executed by a processor, or a combination thereof. A software module may reside in RAM memory, flash memory, ROM memory, EPROM memory, EEPROM memory, registers, a hard disk, a removable disk, a CD-ROM, or any other form of storage medium known in the art. An exemplary storage medium may be coupled to the processor, such that the processor can read information from, and write information to, the storage medium. In the alternative, the storage medium may be integral to the processor. Further, in some aspects, the processor and storage medium may reside in an ASIC. Additionally, the ASIC may reside in a user terminal. In the alternative, the processor and storage medium may reside as discrete components in a user terminal. Additionally, in some aspects, the acts and/or actions of a method or algorithm may reside as one or any combination or set of codes and/or instructions on a machine-readable medium and/or computer readable medium, which may be incorporated into a computer program product.
[00307] The above description of illustrated embodiments of the subject disclosure, including what is described in the Abstract, is not intended to be exhaustive or to limit the disclosed embodiments to the precise forms disclosed. While specific embodiments and examples are described herein for illustrative purposes, various modifications are possible that are considered within the scope of such embodiments and examples, as those skilled in the relevant art can recognize.
[00308] In this regard, while the disclosed subject matter has been described in connection with various embodiments and corresponding Figures, where applicable, it is to be understood that other similar embodiments can be used or modifications and additions can be made to the described embodiments for performing the same, similar, alternative, or substitute function of the disclosed subject matter without deviating therefrom. Therefore, the disclosed subject matter should not be limited to any single embodiment described herein, but rather should be construed in breadth and scope in accordance with the appended claims below.
[00309] In particular regard to the various functions performed by the above described components or structures (assemblies, devices, circuits, systems, etc.), the terms (including a reference to a "means") used to describe such components are intended to correspond, unless otherwise indicated, to any component or structure which performs the specified function of the described component (e.g., that is functionally equivalent), even though not structurally equivalent to the disclosed structure which performs the function in the herein illustrated exemplary implementations of the invention. In addition, while a particular feature may have been disclosed with respect to only one of several implementations, such feature may be combined with one or more other features of the other implementations as may be desired and advantageous for any given or particular application.

Claims

What is claimed is:
1. An apparatus configured to be employed in a service provider (SP) network component of an SP network, comprising:
a WiFi protected access 2 (WPA2) pass-through interface configured to receive or transmit packet data through a customer premise equipment (CPE) with a user equipment (UE) based on a virtual network function (VNF) of a physical access point (pAP) at a virtual access point (vAP), wherein the pAP is associated with a community WiFi network of the vAP for the SP network; and
one or more processors configured to:
receive, via the WPA2 pass-through interface, the packet data associated with the community WiFi network;
process the packet data from the pAP along a receive chain for transmission to a wide area network (WAN); and
receive and process WAN data for transmission to the pAP via the WPA2 pass-through interface.
2. The apparatus of claim 1, wherein the one or more processors are further configured to:
strip a GRE header from the packet data received from the UE;
determine whether the packet data comprises an encrypted data;
determine whether a similar encrypted data as the encrypted data has been decrypted before;
determine whether the packet data comprises an aggregate media access control (MAC) service data unit (A-MSDU); and
determine whether the packet data comprises a data packet or a management packet requesting access to the community WiFi network.
3. The apparatus of any one of claims 1-2, wherein the one or more processors are further configured to:
decrypt the packet data in response to the packet data comprising an encrypted data;
in response to the encrypted data being similar to a similar encrypted data decrypted before the encrypted data, generate a replay attack notification, drop the encrypted data and update a replay attack counter;
de-aggregate the packet data in response to the packet data comprising an A-MSDU;
in response to the packet data comprising a management packet, transmit the management packet to a basic service set (BSS) management component that is configured to control a BSS ID of the community WiFi network and a station (STA) connection state; and
in response to the packet data comprising a data packet, convert the data packet from an 802.11 format to an 802.3 format and add a generic routing encapsulation (GRE) header for transmission to the community WiFi network and the WAN.
4. The apparatus of claim 3, further comprising:
a station (STA) context database configured to update the STA connection state with the UE, one or more keys for encryption / decryption, and the counter associated with the replay attack.
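The receive chain of claims 2 to 4 (restated in Examples 108 and 109 above), shown as an added Python example that is not part of the patent or of any Intel implementation. The CPE side encapsulates a frame the way Example 116 describes (metadata plus a GRE header, the 802.11 MPDU itself untouched); the vAP side strips the GRE header, reads the Protected Frame bit, runs the replay check on the CCMP packet number against the station context, hands management frames to BSS management, and converts a data frame from 802.11 to 802.3. The GRE protocol type, the metadata layout, the station-context fields and the disposition names are assumptions; the 802.11 header, CCMP header and LLC/SNAP layouts are those of the IEEE 802.11 standard. The Python standard library has no AES-CCM, so the decryption step is a keyed-HMAC stand-in for the CCMP MIC check (integrity only, no confidentiality), and A-MSDU de-aggregation and the outbound GRE header toward the WAN are left out.

```python
"""Added example (not from the patent): vAP receive chain for the WPA2 pass-through."""
import hashlib, hmac, struct
from dataclasses import dataclass

GRE_PROTO_80211 = 0xBEEF        # assumed private GRE protocol type for raw 802.11 MPDUs
META_FMT = "!bbH"               # assumed metadata: RSSI dBm, SNR dB, PHY rate code
META_LEN = struct.calcsize(META_FMT)
FC_TYPE_MGMT, FC_TYPE_DATA = 0, 2               # IEEE 802.11 frame types
FC_TODS, FC_PROTECTED = 0x0100, 0x4000          # Frame Control flag bits
MAC_HDR = "<HH6s6s6sH"                          # FC, Duration, A1, A2, A3, SeqCtl
MAC_HDR_LEN = struct.calcsize(MAC_HDR)          # 24 bytes, non-QoS data/management
CCMP_HDR_LEN, MIC_LEN = 8, 8
LLC_SNAP, ETH_EAPOL = bytes.fromhex("aaaa03000000"), b"\x88\x8e"

@dataclass
class StaContext:
    """STA context database entry (claim 4): connection state, key, replay state."""
    mac: bytes
    state: str = "Class 1"
    tk: bytes = b""
    last_pn: int = -1           # highest CCMP packet number accepted so far
    replay_count: int = 0       # the replay attack counter

def cpe_encapsulate(mpdu, rssi, snr, rate):
    """pAP side (Example 116): metadata plus GRE header; the MPDU is not touched."""
    return struct.pack("!HH", 0, GRE_PROTO_80211) + struct.pack(META_FMT, rssi, snr, rate) + mpdu

def vap_strip_gre(pkt):
    """Claim 2, 'strip a GRE header': returns (metadata, MPDU)."""
    flags, proto = struct.unpack("!HH", pkt[:4])
    if flags != 0 or proto != GRE_PROTO_80211:
        raise ValueError("not a WPA2 pass-through packet")
    rssi, snr, rate = struct.unpack(META_FMT, pkt[4:4 + META_LEN])
    return {"rssi": rssi, "snr": snr, "rate": rate}, pkt[4 + META_LEN:]

def ccmp_pn(hdr):
    """48-bit packet number from a CCMP header: PN0 PN1 rsvd KeyID|ExtIV PN2..PN5."""
    if not hdr[3] & 0x20:
        raise ValueError("ExtIV bit clear: not a CCMP header")
    return int.from_bytes(hdr[0:2] + hdr[4:8], "little")

def demo_protect(tk, pn, hdr, plain):
    """Stand-in for CCMP (assumption, no AES in the stdlib): HMAC tag, no confidentiality."""
    return plain + hmac.new(tk, pn.to_bytes(6, "little") + hdr + plain, hashlib.sha256).digest()[:MIC_LEN]

def demo_unprotect(tk, pn, hdr, data):
    """Stand-in for CCMP decryption and MIC check; None when the tag does not verify."""
    plain, tag = data[:-MIC_LEN], data[-MIC_LEN:]
    return plain if hmac.compare_digest(tag, demo_protect(tk, pn, hdr, plain)[-MIC_LEN:]) else None

def to_8023(mpdu, body):
    """ToDS data frame -> 802.3 frame: DA is Address 3, SA is Address 2, LLC/SNAP dropped."""
    _, _, _a1, a2, a3, _ = struct.unpack(MAC_HDR, mpdu[:MAC_HDR_LEN])
    if body[:6] != LLC_SNAP:
        raise ValueError("payload is not LLC/SNAP encapsulated")
    return a3 + a2 + body[6:]

def vap_receive(pkt, stas, unprotect=demo_unprotect):
    """vAP receive chain of claims 2 and 3; returns (disposition, frame or None)."""
    _meta, mpdu = vap_strip_gre(pkt)
    fc = int.from_bytes(mpdu[:2], "little")
    ftype = (fc >> 2) & 0x3
    if ftype == FC_TYPE_MGMT:               # authentication/association -> BSS management
        return "bss_mgmt", mpdu
    if ftype != FC_TYPE_DATA:
        return "drop_control", None
    sta = stas.setdefault(mpdu[10:16], StaContext(mpdu[10:16]))   # Address 2 is the UE
    hdr, body = mpdu[:MAC_HDR_LEN], mpdu[MAC_HDR_LEN:]
    if fc & FC_PROTECTED:
        pn = ccmp_pn(body[:CCMP_HDR_LEN])
        if pn <= sta.last_pn:               # 'similar encrypted data decrypted before'
            sta.replay_count += 1           # replay attack notification + counter update
            return "replay_dropped", None
        if sta.state != "Class 3" or not sta.tk:
            return "drop_no_key", None
        body = unprotect(sta.tk, pn, hdr, body[CCMP_HDR_LEN:])
        if body is None:
            return "drop_bad_mic", None     # a forgery must not advance the replay window
        sta.last_pn = pn                    # advance only after the integrity check passed
    elif body[6:8] != ETH_EAPOL:            # only 4-way handshake frames may be in the clear
        return "drop_unprotected_data", None
    return "to_wan", to_8023(mpdu, body)

def build_data_frame(bssid, sa, da, payload, seq, pn=None, tk=None):
    """Constructed UE -> AP data frame, CCMP-style protected when pn and tk are given."""
    fc = (FC_TYPE_DATA << 2) | FC_TODS | (FC_PROTECTED if pn is not None else 0)
    hdr = struct.pack(MAC_HDR, fc, 0, bssid, sa, da, seq << 4)
    if pn is None:
        return hdr + payload
    p = pn.to_bytes(6, "little")
    return hdr + p[:2] + b"\x00\x20" + p[2:] + demo_protect(tk, pn, hdr, payload)

def run_demo():
    """Constructed traffic: auth frame, clear EAPOL, two protected frames, a replay, a forgery."""
    bssid, ue, gw = (bytes.fromhex(h) for h in ("020000000001", "0200000000aa", "020000000002"))
    tk = hashlib.sha256(b"constructed TK").digest()[:16]
    stas = {ue: StaContext(ue, state="Class 3", tk=tk)}
    auth = struct.pack(MAC_HDR, 0x00B0, 0, bssid, ue, bssid, 0) + struct.pack("<HHH", 0, 1, 0)
    eapol = LLC_SNAP + ETH_EAPOL + b"\x02\x03\x00\x5f" + bytes(95)
    ip = LLC_SNAP + b"\x08\x00" + bytes.fromhex("45000014")
    frames = [auth,
              build_data_frame(bssid, ue, gw, eapol, 1),
              build_data_frame(bssid, ue, gw, ip, 2, pn=5, tk=tk),
              build_data_frame(bssid, ue, gw, ip, 3, pn=6, tk=tk),
              build_data_frame(bssid, ue, gw, ip, 3, pn=6, tk=tk),           # replayed
              build_data_frame(bssid, ue, gw, ip, 4, pn=7, tk=bytes(16))]    # wrong key
    results = [vap_receive(cpe_encapsulate(f, -61, 29, 7), stas) for f in frames]
    return results, stas[ue]
```

Two details matter for the replay counter the claim describes: the packet number is compared before any decryption work is spent, but the stored value is only advanced after the integrity check passes, so a forged frame carrying a high packet number cannot push the window forward and lock out the legitimate UE.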
5. The apparatus of any one of claims 1-4, wherein the one or more processors are further configured to receive the packet data associated with the community WiFi network as UE data that is unmodified through the WPA2 pass-through interface over the CPE to the SP network.
6. The apparatus of any one of claims 1-5, wherein the one or more processors are further configured to:
strip a GRE header from the packet data received from the SP network;
encrypt the packet data utilizing a WPA2 key from a STA context database;
add a GRE header to the packet data; and
transmit the packet data as Internet Protocol (IP) packet data to the CPE.
7. The apparatus of any one of claims 1-6, wherein the one or more processors are further configured to:
configure the vAP with a configuration file to provide at least one of: a set of BSS parameters, a RADIUS client server IP name, wireless access gateway (WAG) name, or an IP address; and
configure at least one of the pAP or a range extender coupled to the pAP with one or more CPE credentials to establish a secured link with the community WiFi network for communications with the vAP, a Service Provider SSID, and a virtual WPA2 (vWPA2) Data VNF domain name.
8. The apparatus of any one of claims 1-7, wherein the one or more processors are further configured to control one or more BSS parameters with the CPE by:
communicating a beacon template to establish the beacon template to a wireless local area network (WLAN) AP driver of the CPE for transmission to the UE;
initiating a probe response template by communicating the probe response template to establish the probe response template to the WLAN AP driver;
commanding a BSS of the community WiFi network to activate; and
in response to a change in a buffer traffic at the pAP or the BSS parameter, updating the beacon template and communicating a traffic indication map to the pAP of the CPE.
9. The apparatus of any one of claims 1-8, wherein the one or more processors are further configured to enable a UE client connection establishment by:
in response to receiving a client authentication request in a management packet data unit (MMPDU) of the packet data, create a STA context and update a client state of the STA context to Class 2;
communicate a command to set the Class 2 for a client MAC address to the pAP and a WLAN driver;
communicate an authentication response as the MMPDU for client authentication 2 to the UE via the pAP with the WLAN driver; and
in response to receiving an association request, establish the client state of the STA context to Class 3 to enable a data packet and a management packet to be processed, change the client state to associated, assign an association identity (AID), and communicate a packet association response for an association of the UE.
10. The apparatus of any one of claims 1-9, wherein the one or more processors are further configured to:
generate, via the WPA2 pass-through interface, the authentication protocol with the UE and the vAP by updating a client credential with an authentication server and communicating master session key (MSK) data through the CPE comprising the pAP associated with the community WiFi network to enable derivation of an MSK by the UE;
enable an encryption key for an encryption of at least one of: a data packet or a management packet of the packet data via a four-way handshake protocol;
derive encryption keys for a WPA2 encryption of unicast frames / packets based on a client pairwise transient key (PTK), and for communication from the pAP to the UE with broadcast messages based on a group temporal key (GTK); and
configure a station (STA) context database with the encryption keys associated with unicast traffic and broadcast traffic, and command the vAP to open a port for communication with the UE via the WPA2 pass-through interface to communicate data packets from the UE and to a wireless access gateway of the SP network.
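Example 113 and claim 10 describe the key hierarchy behind the pass-through: the authentication server's MSK yields the PMK, the four-way handshake yields the PTK (KCK, KEK, TK) for unicast traffic, the vAP generates the GTK for group traffic, and the vAP installs the keys in the STA context and opens the port only once the handshake has verified. The following Python is an added example, not code from the patent or from Intel, implementing the WPA2 PRF, the PTK derivation and the message-2 MIC verification of the four-way handshake as IEEE 802.11 specifies them for AKM 00-0F-AC:2 with CCMP, with the vAP refusing to open the port when the MIC does not verify. The MSK, MAC addresses, nonces and GTK are constructed values; messages 3 and 4, the AES key wrap of the GTK and the EAPOL transport through the pAP are not shown.

```python
"""Added example (not from the patent): WPA2-Enterprise key derivation and msg-2 check at the vAP."""
import hashlib, hmac, struct

PTK_LEN = 48                   # CCMP: KCK(16) | KEK(16) | TK(16)
EAPOL_HDR_LEN = 4              # version, type, length
MIC_OFF = EAPOL_HDR_LEN + 1 + 2 + 2 + 8 + 32 + 16 + 8 + 8   # offset 81: Key MIC field
KEYINFO_MSG2 = 0x010A          # descriptor version 2 (HMAC-SHA1-128), Pairwise, Key MIC set

def prf(key, label, data, nbytes):
    """IEEE 802.11 PRF-n: HMAC-SHA1 in counter mode over label || 0x00 || data || i."""
    out = b"".join(hmac.new(key, label + b"\x00" + data + bytes([i]), hashlib.sha1).digest()
                   for i in range((nbytes + 19) // 20))
    return out[:nbytes]

def pmk_from_msk(msk):
    """802.1X: the PMK is the first 256 bits of the MSK delivered by the authentication server."""
    if len(msk) < 32:
        raise ValueError("MSK too short")
    return msk[:32]

def derive_ptk(pmk, aa, spa, anonce, snonce):
    """PTK = PRF-384(PMK, 'Pairwise key expansion', min/max of the addresses and nonces)."""
    data = min(aa, spa) + max(aa, spa) + min(anonce, snonce) + max(anonce, snonce)
    ptk = prf(pmk, b"Pairwise key expansion", data, PTK_LEN)
    return ptk[:16], ptk[16:32], ptk[32:48]          # KCK, KEK, TK

def eapol_key_frame(key_info, replay, nonce, key_data=b"", mic=bytes(16)):
    """EAPOL-Key frame with the RSN key descriptor (type 2); IV, RSC and ID left zero."""
    body = struct.pack("!BHHQ", 2, key_info, 16, replay) + nonce + bytes(16) + bytes(8) + bytes(8)
    body += mic + struct.pack("!H", len(key_data)) + key_data
    return struct.pack("!BBH", 2, 3, len(body)) + body

def eapol_mic(kck, frame):
    """AKM 00-0F-AC:2 MIC: HMAC-SHA1 over the whole frame with the MIC field zeroed, 128 bits."""
    zeroed = frame[:MIC_OFF] + bytes(16) + frame[MIC_OFF + 16:]
    return hmac.new(kck, zeroed, hashlib.sha1).digest()[:16]

def verify_mic(kck, frame):
    return hmac.compare_digest(frame[MIC_OFF:MIC_OFF + 16], eapol_mic(kck, frame))

def ue_msg2(pmk, aa, spa, anonce, snonce):
    """UE side: derive the PTK from the ANonce of message 1, answer with SNonce and a MIC."""
    kck, _kek, _tk = derive_ptk(pmk, aa, spa, anonce, snonce)
    frame = eapol_key_frame(KEYINFO_MSG2, 1, snonce)
    return frame[:MIC_OFF] + eapol_mic(kck, frame) + frame[MIC_OFF + 16:]

def vap_process_msg2(pmk, aa, spa, anonce, msg2, gtk):
    """vAP side: read SNonce, derive the PTK, verify the MIC; on success install the keys in the
    STA context and open the port toward the wireless access gateway. None on failure."""
    snonce = msg2[EAPOL_HDR_LEN + 13:EAPOL_HDR_LEN + 45]
    kck, kek, tk = derive_ptk(pmk, aa, spa, anonce, snonce)
    if not verify_mic(kck, msg2):
        return None              # wrong PMK or tampered message: port stays closed
    return {"mac": spa, "state": "Class 3", "tk": tk, "kek": kek, "gtk": gtk, "port": "open"}

def run_handshake_demo():
    """Constructed inputs: a 64-byte MSK and fixed nonces so the run is reproducible."""
    msk = hashlib.sha512(b"constructed MSK from EAP").digest()
    aa, spa = bytes.fromhex("020000000001"), bytes.fromhex("0200000000aa")
    anonce, snonce = hashlib.sha256(b"anonce").digest(), hashlib.sha256(b"snonce").digest()
    gtk = hashlib.sha256(b"constructed GTK").digest()[:16]
    pmk = pmk_from_msk(msk)
    msg2 = ue_msg2(pmk, aa, spa, anonce, snonce)
    ctx = vap_process_msg2(pmk, aa, spa, anonce, msg2, gtk)
    tampered = msg2[:MIC_OFF - 1] + bytes([msg2[MIC_OFF - 1] ^ 1]) + msg2[MIC_OFF:]
    rejected = vap_process_msg2(pmk, aa, spa, anonce, tampered, gtk)
    return ctx, rejected
```

Because the PTK is bound to both MAC addresses and both nonces, the vAP must derive it with the BSSID it advertises through the pAP, not with an address of the virtualization host; a mismatch shows up exactly as the message-2 MIC failure modelled here.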
11. The apparatus of any one of claims 1-10, wherein the one or more processors are further configured to:
receive a management packet of the packet data comprising a dissociate packet;
decrypt the dissociate packet;
alter a client state to Class 1 to prevent accepting further packet data other than an authentication request;
release a client AID while retaining an STA context related to the UE; and
remove encryption / decryption keys related to the UE.
12. The apparatus of any one of claims 1-11, wherein the one or more processors are further configured to:
generate a determination of whether to dissociate the UE from the SP network; and
based on the determination, generate a dissociate message to the UE.
13. The apparatus of any one of claims 1-12, wherein the one or more processors are further configured to:
in response to a failed link between the pAP and the vAP of the SP network, receive a stop command to stop communications including a beacon with the UE associated with the community WiFi network; and
in response to a successful link following the failed link, receive a connection recovery message at the vAP and initialize a WLAN AP driver of the CPE for transmission to the UE via the WPA2 pass-through interface.
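The connection life cycle in claims 9 and 11 to 13 (and Examples 105, 106, 112, 119 and 120 above) is the IEEE 802.11 station state machine run at the vAP instead of at the access point: Class 1 frames (authentication) are accepted in any state, Class 2 frames (association) only after authentication, Class 3 frames (data) only after association, and the vAP pushes every state change down to the pAP and its WLAN driver. The following Python is an added example, not code from the patent or from Intel, that models this as a BSS management component driving a stand-in pAP which only records the commands it receives; the frame kinds, command names and reply tuples are assumptions, and the patent's "dissociate" is treated as an 802.11 disassociation. One caveat is made explicit: claim 11 returns a disassociated UE to Class 1, whereas in IEEE 802.11 a disassociation leaves the station authenticated (State 2) and only a deauthentication returns it to State 1, so an implementation following the claim requires the UE to authenticate again before it can re-associate.

```python
"""Added example (not from the patent): BSS management state machine at the vAP."""
from dataclasses import dataclass, field
from typing import Optional

AUTH_REQ, ASSOC_REQ, DISASSOC, DATA = "auth_req", "assoc_req", "disassoc", "data"

@dataclass
class StaContext:
    """STA context: kept across disassociation (claim 11); AID and keys are not."""
    mac: str
    state: int = 1                 # 802.11 state: 1 unauthenticated, 2 authenticated, 3 associated
    aid: Optional[int] = None
    ptk: Optional[bytes] = None
    gtk: Optional[bytes] = None
    queue: list = field(default_factory=list)   # frames buffered for the UE

class PhysicalAp:
    """Stand-in for the pAP in the CPE: records the commands the vAP sends over the pass-through."""
    def __init__(self):
        self.commands, self.beaconing = [], False
    def command(self, name, *args):
        self.commands.append((name,) + args)
        if name in ("bss_activate", "init_driver"):
            self.beaconing = True
        elif name == "stop":
            self.beaconing = False

class VirtualAp:
    """BSS management component: owns the BSS and every STA connection state."""
    def __init__(self, pap, ssid="community-ssid"):
        self.pap, self.stas = pap, {}
        self.free_aids = list(range(1, 2008))        # valid AIDs are 1..2007
        self.pap.command("bss_activate", ssid)

    def handle(self, mac, kind, payload=None):
        """A frame from the UE arriving over the pass-through; returns the vAP's reply."""
        sta = self.stas.setdefault(mac, StaContext(mac))
        if kind == AUTH_REQ:                          # Class 1 frame: allowed in every state
            sta.state = 2
            self.pap.command("set_class", mac, 2)     # pAP and WLAN driver learn the new class
            return ("auth_resp", mac, "success")
        if sta.state == 1:                            # Class 2/3 frame from an unauthenticated STA
            return ("deauth", mac, "class 2 or 3 frame received from nonauthenticated STA")
        if kind == ASSOC_REQ:
            if sta.aid is None:
                sta.aid = self.free_aids.pop(0)
            sta.state = 3
            self.pap.command("set_class", mac, 3)
            return ("assoc_resp", mac, sta.aid)
        if kind == DISASSOC:
            self._reset(sta)
            return ("ack", mac, None)
        if sta.state != 3:                            # Class 3 frame while only authenticated
            return ("disassoc", mac, "class 3 frame received from nonassociated STA")
        if sta.ptk is None:                           # associated, four-way handshake not yet done
            return ("drop", mac, "controlled port closed")
        return ("forward_to_wag", mac, payload)

    def install_keys(self, mac, ptk, gtk):
        """After the four-way handshake (claim 10): keys into the STA context, port opened."""
        self.stas[mac].ptk, self.stas[mac].gtk = ptk, gtk

    def disassociate(self, mac, reason):
        """Claim 12: the vAP decides to disassociate the UE and tells it so."""
        self._reset(self.stas[mac])
        return ("disassoc", mac, reason)

    def _reset(self, sta):
        """Claim 11: back to Class 1, AID released, keys removed, STA context retained."""
        if sta.aid is not None:
            self.free_aids.insert(0, sta.aid)
        sta.state, sta.aid, sta.ptk, sta.gtk = 1, None, None, None
        self.pap.command("set_class", sta.mac, 1)

    def link_failed(self):
        """Claim 13 / Example 120: stop beaconing, clean queues, everyone back to Class 1."""
        self.pap.command("stop")
        for sta in self.stas.values():
            sta.queue.clear()
            self._reset(sta)

    def link_recovered(self, ssid="community-ssid"):
        """Connection recovery message, then the WLAN AP driver is initialised again."""
        self.pap.command("connection_recovery")
        self.pap.command("init_driver", ssid)

def run_demo():
    """Constructed sequence for one UE: premature data, auth, assoc, keys, data, disassoc, link loss."""
    pap = PhysicalAp()
    vap = VirtualAp(pap)
    ue = "02:00:00:00:00:aa"
    trace = [vap.handle(ue, DATA, b"early"),            # Class 3 frame in state 1 -> deauth
             vap.handle(ue, AUTH_REQ),                  # -> Class 2
             vap.handle(ue, DATA, b"too soon"),         # Class 3 frame in state 2 -> disassoc
             vap.handle(ue, ASSOC_REQ),                 # -> Class 3, AID assigned
             vap.handle(ue, DATA, b"before keys")]      # port still closed
    vap.install_keys(ue, ptk=bytes(48), gtk=bytes(16))
    trace += [vap.handle(ue, DATA, b"ip packet"),       # forwarded to the WAG
              vap.handle(ue, DISASSOC),                 # back to Class 1, AID 1 freed
              vap.handle(ue, DATA, b"after disassoc"),  # deauth again
              vap.handle(ue, AUTH_REQ),
              vap.handle(ue, ASSOC_REQ)]                # AID 1 reused
    vap.link_failed()
    beacon_after_failure = pap.beaconing
    vap.link_recovered()
    return trace, pap, vap, beacon_after_failure
```

The ordering of the checks in handle is what prevents the classic pre-association data leak: no Class 3 frame is forwarded to the wireless access gateway until the STA is both associated and holds a PTK, and the reply to an out-of-state frame (deauthentication versus disassociation) follows the 802.11 rule for the state the STA is actually in.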
14. The apparatus of any one of claims 1-13, further comprising:
a VNF orchestrator component configured to generate an instance of a partition configuration of a set of VNFs at the vAP of the SP network from the pAP of the CPE; and
a WPA2 pass-through component configured to transparently generate the WPA2 pass-through through the pAP from the vAP according to the partition configuration associated with the community WiFi network configured at the CPE;
wherein the VNF orchestrator component is further configured to select the partition configuration as a second partition configuration from a plurality of partition configurations including a plurality of non-real time operations and real time operations of the pAP associated with the community WiFi network at the CPE.
15. An apparatus configured to be employed in a customer premise equipment (CPE), comprising:
a physical access point (pAP) comprising one or more processors configured to enable a community WiFi network for a user equipment (UE) by passing along a packet via a WiFi protected access 2 (WPA2) pass-through interface, without performing security operations on the packet data, from the UE to a virtual access point (vAP) of a service provider (SP) network;
a communication interface, coupled to the one or more processors, configured to:
transmit a beacon of the community WiFi network to the UE;
receive the packet associated with the community WiFi network from the UE; and
pass along the packet from the UE to the SP network via the WPA2 pass-through interface without a decryption / encryption process being performed on the packet.
16. The apparatus of claim 15, further comprising:
a range extender configured to connect the UE to the CPE with an end-to-end connection based on at least one of: the community WiFi network or a home network.
17. The apparatus of any one of claims 15-16, wherein the one or more processors are further configured to:
determine whether the packet belongs to the community WiFi network based on a basic service set (BSS) identity (ID) and a class category of the packet, wherein the community WiFi network is configured as a virtual network;
in response to the packet belonging to the community WiFi network and the class category of the packet comprising a Class 1, 2 or 3, add metadata comprising at least one of: a received signal strength, a signal to noise ratio, or a physical (PHY) layer header; and
add a generic routing encapsulation (GRE) header to the packet.
18. The apparatus of any one of claims 15-17, wherein the one or more processors are further configured to:
receive another packet from the SP network via the WPA2 pass-through interface;
in response to the another packet belonging to the community WiFi network, remove a GRE header of the another packet;
schedule the another packet for transmission to the UE by providing the another packet in a WiFi transmit queue; and
transmit the another packet to the UE without the decryption / encryption process being performed on the another packet.
19. The apparatus of any one of claims 15-18, wherein the one or more processors are further configured to:
receive a beacon template and install the beacon template in a wireless local area network (WLAN) AP driver of the CPE for transmission of the beacon of the community WiFi network to the UE;
receive a probe response template and install the probe response template in the WLAN AP driver for answering an inquiry related to the community WiFi network by the UE;
activate a BSS with a BSS ID of the community WiFi network in response to receiving a BSS command from the SP network; and
update the beacon template in response to receiving a traffic indication map at the pAP.
20. The apparatus of any one of claims 15-19, wherein the one or more processors are further configured to:
transmit a client authentication request with a management packet data unit (MMPDU) as the packet, in response to the packet comprising a client state that is Class 1 ;
receive a command to set the client state to Class 2 with a client MAC address at the pAP and a WLAN driver;
receive an authentication response as the MMPDU and transmit the MMPDU for a client authentication 2 to the UE via the pAP and the WLAN driver; and
receive another command to set the client state to Class 3 to enable a data packet and a management packet to be communicated to the SP network, change the client state to associated, assign an association identity (AID), and communicate a packet association response for an association of the UE to the SP network via the WPA2 pass-through interface.
21. The apparatus of any one of claims 15-20, wherein the one or more processors are further configured to:
receive a management packet of the packet data comprising a dissociate packet;
forward the dissociate packet via the WPA2 pass-through interface;
in response to detecting a failed link between the pAP and the vAP of the SP network, operate the pAP in autonomous mode, receive a stop command to stop communications that include a beacon associated with the community WiFi network, clean a queue and set the client state as Class 1 to prevent accepting further packet data other than an authentication request; and
in response to detecting a successful link following the failed link, transmit a connection recovery message to the vAP and initialize a WLAN AP driver of the CPE for transmission via the WPA2 pass-through interface.
22. A computer-readable storage medium storing executable instructions that, in response to execution, cause one or more processors of a service provider (SP) network component to perform operations comprising:
receiving, via a WiFi protected access 2 (WPA2) pass-through, a set of traffic data from a physical access point (pAP) of customer premise equipment (CPE) connected to a user equipment (UE), wherein the set of traffic data is unmodified by the CPE and associated with a community WiFi network of the CPE;
processing the packet data from the pAP along a receive chain for transmission to a wide area network (WAN); and
receiving and processing WAN data for transmission to the pAP via the WPA2 pass-through interface.
23. The computer-readable storage medium of claim 22, wherein the operations further comprise at least one of:
stripping a GRE header from the packet data received from the UE;
determining whether the packet data comprises encrypted data;
determining whether encrypted data matching the encrypted data has been decrypted before;
determining whether the packet data comprises an aggregate media access control (MAC) service data unit (A-MSDU); or
determining whether the packet data comprises a data packet or a management packet requesting access to the community WiFi network.
24. The computer-readable storage medium of any one of claims 22-23, wherein the operations further comprise at least one of:
decrypting the packet data in response to the packet data comprising encrypted data;
in response to the encrypted data matching encrypted data decrypted before it, generating a replay attack notification, dropping the encrypted data and updating a replay attack counter;
de-aggregating the packet data in response to the packet data comprising an A-MSDU;
in response to the packet data comprising a management packet, transmitting the management packet to a basic service set (BSS) management component that is configured to control a BSS ID of the community WiFi network and a station (STA) connection state; or
in response to the packet data comprising a data packet, converting the data packet from an 802.11 format to an 802.3 format and adding a generic routing encapsulation (GRE) header for transmission to the community WiFi network and the WAN.
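The receive chain of claims 23 and 24, worked through below as an added example in Python that is not part of the patent: the vAP strips the GRE header the pAP added, parses the 802.11 and CCMP headers, rejects a packet number at or below the last one accepted from that station and TID before any decryption work is spent, and, once AES-CCM with the TK from the STA context database has verified the MIC (that step is not shown), de-aggregates an A-MSDU and converts each MSDU to an 802.3 frame for the WAN side. The GRE protocol type, the MAC addresses and the sample frames are constructed; the patent fixes none of them, and control frames are assumed to stay at the pAP.

```python
"""vAP receive chain for WPA2 pass-through (added example, not the patent's code): GRE strip, 802.11/CCMP
header parse and replay check; then, after AES-CCM (not shown), A-MSDU de-aggregation and 802.3 conversion."""
import struct
from dataclasses import dataclass
from typing import List, Optional, Tuple

GRE_PROTO_IEEE80211 = 0xFFFE   # assumed: the patent fixes no GRE protocol type for raw 802.11 MPDUs
SNAP_RFC1042, SNAP_BRIDGE_TUNNEL = b"\xaa\xaa\x03\x00\x00\x00", b"\xaa\xaa\x03\x00\x00\xf8"

def strip_gre(pkt: bytes) -> Tuple[int, bytes]:
    """(protocol type, payload) of an RFC 2784/2890 GRE packet; the C, K and S flags each add a 4-byte word."""
    if len(pkt) < 4 or pkt[1] & 0x07:
        raise ValueError("short GRE header or unsupported GRE version")
    flags, proto = struct.unpack("!HH", pkt[:4])
    off = 4 + 4 * bool(flags & 0x8000) + 4 * bool(flags & 0x2000) + 4 * bool(flags & 0x1000)
    return proto, pkt[off:]

@dataclass
class Mpdu:
    ftype: int; subtype: int; to_ds: bool; from_ds: bool; protected: bool
    addr1: bytes; addr2: bytes; addr3: bytes; tid: int; amsdu: bool
    pn: Optional[int]; body: bytes                 # body = ciphertext + 8-byte MIC when protected

def parse_mpdu(frame: bytes) -> Mpdu:
    """Three-address 802.11 MAC header (FCS already removed by the pAP), QoS Control and CCMP header."""
    if len(frame) < 24 or (frame[1] & 0x03) == 0x03:
        raise ValueError("short 802.11 header, or four-address (WDS) frame which is out of scope here")
    ftype, subtype, to_ds, from_ds = (frame[0] >> 2) & 0x03, frame[0] >> 4, bool(frame[1] & 0x01), bool(frame[1] & 0x02)
    protected, off, tid, amsdu, pn = bool(frame[1] & 0x40), 24, 0, False, None
    if ftype == 2 and subtype & 0x08:              # QoS Data: 2-byte QoS Control follows the addresses
        qos = struct.unpack("<H", frame[24:26])[0]
        tid, amsdu, off = qos & 0x0F, bool(qos & 0x80), 26 + (4 if frame[1] & 0x80 else 0)   # Order bit: +HTC
    if protected:                                  # CCMP header: PN0 PN1 rsvd KeyID PN2 PN3 PN4 PN5
        h = frame[off:off + 8]
        if len(h) < 8 or not h[3] & 0x20:
            raise ValueError("CCMP header missing or ExtIV clear")
        pn, off = int.from_bytes(h[0:2] + h[4:8], "little"), off + 8
    if len(frame) < off:
        raise ValueError("truncated MPDU")
    return Mpdu(ftype, subtype, to_ds, from_ds, protected, frame[4:10], frame[10:16], frame[16:22], tid, amsdu, pn, frame[off:])

class ReplayState:
    """Per (transmitter, TID) CCMP replay counters, as 802.11 12.5.3.4.4 requires."""
    def __init__(self):
        self.last_pn, self.replay_count = {}, 0
    def check(self, ta: bytes, tid: int, pn: int) -> bool:    # run before spending any decryption work
        if pn <= self.last_pn.get((ta, tid), -1):
            self.replay_count += 1                            # the claim's replay attack counter
            return False
        return True
    def commit(self, ta: bytes, tid: int, pn: int) -> None:   # only after the MIC verified, so that a
        self.last_pn[(ta, tid)] = pn                          # forged PN cannot lock the real station out

def vap_rx_pre_decrypt(gre_pkt: bytes, replay: ReplayState) -> Tuple[str, Mpdu]:
    """Stage 1: strip GRE, classify, run the replay check; returns (disposition, parsed MPDU)."""
    proto, frame = strip_gre(gre_pkt)
    if proto != GRE_PROTO_IEEE80211:
        raise ValueError("unexpected GRE protocol type 0x%04x" % proto)
    m = parse_mpdu(frame)
    if m.ftype == 0:
        return "mgmt", m               # to the BSS management component (BSS ID, STA state)
    if m.ftype != 2 or not m.protected:
        return "unprotected", m        # control frames, or EAPOL-Key before the handshake finishes
    return ("decrypt" if replay.check(m.addr2, m.tid, m.pn) else "replay"), m

def deaggregate_amsdu(body: bytes) -> List[Tuple[bytes, bytes, bytes]]:
    """Split an A-MSDU into (DA, SA, MSDU); every subframe but the last is padded to a 4-octet boundary."""
    out, off = [], 0
    while off + 14 <= len(body):
        da, sa, (length,) = body[off:off + 6], body[off + 6:off + 12], struct.unpack("!H", body[off + 12:off + 14])
        end = off + 14 + length
        if end > len(body):
            raise ValueError("truncated A-MSDU subframe")
        out.append((da, sa, body[off + 14:end]))
        off = end + (-(14 + length) % 4)
    return out

def msdu_to_8023(da: bytes, sa: bytes, msdu: bytes) -> bytes:
    """RFC 1042 / bridge-tunnel SNAP turns back into an EtherType; anything else keeps an 802.3 length field."""
    if len(msdu) >= 8 and msdu[:6] in (SNAP_RFC1042, SNAP_BRIDGE_TUNNEL):
        return da + sa + msdu[6:8] + msdu[8:]
    return da + sa + struct.pack("!H", len(msdu)) + msdu

def vap_rx_post_decrypt(m: Mpdu, msdu: bytes, replay: ReplayState) -> List[bytes]:
    """Stage 2, after AES-CCM verified the MIC and yielded msdu: commit the PN, de-aggregate, convert."""
    if m.protected:
        replay.commit(m.addr2, m.tid, m.pn)
    if m.amsdu:
        return [msdu_to_8023(da, sa, sub) for da, sa, sub in deaggregate_amsdu(msdu)]
    da, sa = (m.addr3, m.addr2) if m.to_ds else (m.addr1, m.addr3 if m.from_ds else m.addr2)  # by To/From DS
    return [msdu_to_8023(da, sa, msdu)]
# Constructed sample: the station sends a protected QoS Data A-MSDU (IPv4 + ARP) towards the gateway.
STA, BSSID, GW = bytes.fromhex("02aabbccddee"), bytes.fromhex("021122334455"), bytes.fromhex("02deadbeef01")
MSDU_IP = SNAP_RFC1042 + b"\x08\x00" + b"\x45" + bytes(19)
PLAINTEXT_AMSDU = GW + STA + b"\x00\x1c" + MSDU_IP + b"\x00\x00" + GW + STA + b"\x00\x10" + SNAP_RFC1042 + b"\x08\x06" + bytes.fromhex("0001080006040001")
def sample_gre_packet(pn: int, seq: int) -> bytes:   # GRE(S) around QoS Data | ToDS | Protected, A-MSDU, CCMP PN = pn
    hdr = b"\x88\x41\x00\x00" + BSSID + STA + GW + b"\x10\x00" + b"\x80\x00"
    p = pn.to_bytes(6, "little")
    return struct.pack("!HHI", 0x1000, GRE_PROTO_IEEE80211, seq) + hdr + p[:2] + b"\x00\x20" + p[2:] + bytes(len(PLAINTEXT_AMSDU) + 8)
```

The split between `check` and `commit` is the detail the claim leaves implicit: the replay counter may only advance once the MIC has verified, otherwise anyone who can push a forged frame with a large PN through the pass-through locks the legitimate station out. Because the PN sits in the clear in the CCMP header, the check itself costs nothing and runs before the vAP spends an AES-CCM operation on the frame.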
25. The computer-readable storage medium of any one of claims 22-24, wherein the operations further comprise at least one of:
stripping a GRE header from the packet data received from the SP network;
encrypting the packet data utilizing a WPA2 key from a STA context database;
adding a GRE header to the packet data; or
transmitting the packet data as Internet Protocol (IP) packet data to the CPE.
26. The computer-readable storage medium of any one of claims 22-25, wherein the operations further comprise:
communicating a beacon template for installation in a wireless local area network (WLAN) AP driver of the CPE for transmission to the UE;
initiating a probe response template by communicating the probe response template for installation in the WLAN AP driver;
commanding a BSS of the community WiFi network to activate; and
in response to a change in buffered traffic at the pAP or in a BSS parameter, updating the beacon template and communicating a traffic indication map to the pAP of the CPE.
27. The computer-readable storage medium of any one of claims 22-26, wherein the operations further comprise:
enabling a UE client connection establishment by:
in response to receiving a client authentication request in a management packet data unit (MMPDU) of the packet data, creating a STA context and updating a client state of the STA context to Class 2;
communicating a command to set the Class 2 for a client MAC address to the pAP and a WLAN driver;
communicating an authentication response as the MMPDU for client authentication 2 to the UE via the pAP with the WLAN driver; and
in response to receiving an association request, establishing the client state of the STA context as Class 3 to enable a data packet and a management packet to be processed, changing the client state to associated, assigning an association identity (AID), and communicating a packet association response for an association of the UE.
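The Class 1 / Class 2 / Class 3 handling of claims 11, 20, 21 and 27, as an added example in Python that is not the patent's own code: the vAP owns the STA context database and moves a client through 802.11 states 1, 2 and 3, every transition emits the set-class command the pAP needs, and the pAP forwards a frame only if its 802.11 frame class is within the commanded level. The vAP re-checks the class on its own side, since the CPE doing the filtering sits outside the operator's trust boundary. The MAC addresses and the PTK value are constructed; the link-failure handling follows claim 21.

```python
"""Split 802.11 station state machine for WPA2 pass-through (added example, not the patent's code): the vAP
owns the STA context database and the client state (1/2/3); the pAP enforces only the class level it was told."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

MGMT, CTRL, DATA = 0, 1, 2                                      # 802.11 frame types
ASSOC_REQ, ASSOC_RESP, REASSOC_REQ, REASSOC_RESP = 0, 1, 2, 3   # management subtypes used below
DISASSOC, AUTH, DEAUTH, ACTION = 10, 11, 12, 13

def frame_class(ftype: int, subtype: int) -> int:
    """802.11 frame class: a STA in state N may exchange only frames of class <= N."""
    if ftype == MGMT:
        if subtype in (ASSOC_REQ, ASSOC_RESP, REASSOC_REQ, REASSOC_RESP, DISASSOC):
            return 2
        return 3 if subtype == ACTION else 1       # probe, beacon, auth, deauth are class 1
    if ftype == CTRL:
        return 3 if subtype in (8, 9, 10) else 1   # BlockAckReq, BlockAck, PS-Poll
    return 3                                       # data frames in an infrastructure BSS

@dataclass
class StaContext:
    state: int = 1                  # 1 unauthenticated, 2 authenticated, 3 associated
    aid: Optional[int] = None
    ptk: Optional[bytes] = None     # installed once the 4-way handshake completes
    port_open: bool = False         # 802.1X controlled port towards the access gateway

class BssManager:
    """vAP side. Each handler returns (event, ("set_class", client MAC, level) for the pAP or None)."""
    def __init__(self):
        self.stas: Dict[bytes, StaContext] = {}
        self.free_aids: List[int] = list(range(1, 2008))   # valid AIDs are 1..2007
    def on_mgmt(self, sta_mac: bytes, subtype: int):
        ctx = self.stas.setdefault(sta_mac, StaContext())
        if frame_class(MGMT, subtype) > ctx.state:
            # Class violation, re-checked here rather than trusting the CPE's filter:
            # 802.11 answers with deauthentication from state 1, disassociation from state 2.
            return ("deauth" if ctx.state == 1 else "disassoc"), ("set_class", sta_mac, ctx.state)
        if subtype == AUTH and ctx.state == 1:
            ctx.state = 2               # Open System auth; the real proof is the 4-way handshake
            return "auth_resp", ("set_class", sta_mac, 2)
        if subtype in (ASSOC_REQ, REASSOC_REQ) and ctx.state == 2:
            ctx.state, ctx.aid = 3, self.free_aids.pop(0)
            return "assoc_resp", ("set_class", sta_mac, 3)
        if subtype in (DISASSOC, DEAUTH):
            return self.release(sta_mac, keep_context=(subtype == DISASSOC))
        return "ignored", None
    def release(self, sta_mac: bytes, keep_context: bool):
        """Back to class 1, release the AID, wipe the keys; keep the STA context on disassociation."""
        ctx = self.stas[sta_mac]
        if ctx.aid is not None:
            self.free_aids.append(ctx.aid)
        ctx.state, ctx.aid, ctx.ptk, ctx.port_open = 1, None, None, False
        if not keep_context:
            del self.stas[sta_mac]
        return "released", ("set_class", sta_mac, 1)
    def on_handshake_complete(self, sta_mac: bytes, ptk: bytes):
        """Store the keys in the STA context database and open the port to the access gateway."""
        ctx = self.stas[sta_mac]
        if ctx.state != 3:
            raise PermissionError("4-way handshake completed for a non-associated STA")
        ctx.ptk, ctx.port_open = ptk, True
        return "port_open", None

class PapEdge:
    """pAP side: forwards a frame only if its class is within the level the vAP commanded."""
    def __init__(self):
        self.level: Dict[bytes, int] = {}        # unknown clients: class 1 only
        self.beaconing, self.vap_link_up = True, True
        self.tx_queue: List[bytes] = []
    def apply(self, cmd: Optional[Tuple[str, bytes, int]]) -> None:
        if cmd is not None and cmd[0] == "set_class":
            self.level[cmd[1]] = cmd[2]
    def admit(self, sta_mac: bytes, ftype: int, subtype: int) -> bool:
        return frame_class(ftype, subtype) <= self.level.get(sta_mac, 1)
    def on_link_failure(self) -> None:
        """Autonomous mode: stop beaconing, flush the queue, every client back to class 1."""
        self.vap_link_up = self.beaconing = False
        self.tx_queue.clear()
        self.level = {mac: 1 for mac in self.level}
    def on_link_recovered(self) -> str:
        self.vap_link_up = True
        return "connection_recovery"             # the vAP re-initialises the WLAN AP driver on receipt

def demo():
    """Constructed session of one client on a community BSS; returns (trace, vAP, pAP)."""
    sta = bytes.fromhex("02aabbccddee")
    vap, pap, trace = BssManager(), PapEdge(), []
    def deliver(ftype: int, subtype: int) -> None:
        if not pap.admit(sta, ftype, subtype):
            trace.append("pap_drop")
            return
        event, cmd = vap.on_mgmt(sta, subtype)
        pap.apply(cmd)
        trace.append(event)
    deliver(MGMT, ASSOC_REQ)      # class 2 while still in state 1: dropped at the pAP
    deliver(MGMT, AUTH)           # -> state 2
    deliver(MGMT, ASSOC_REQ)      # -> state 3, AID assigned
    trace.append(vap.on_handshake_complete(sta, b"\x11" * 48)[0])
    deliver(MGMT, DISASSOC)       # -> state 1, AID released, keys wiped, context kept
    pap.on_link_failure()
    return trace, vap, pap
```

One deliberate deviation from the base standard is carried over from the claims: 802.11 leaves a disassociated station in state 2, whereas claim 11 drops it to Class 1 so that nothing but a fresh authentication request is accepted afterwards; `release` implements the claim's behaviour.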
28. The computer-readable storage medium of any one of claims 22-23, wherein the operations further comprise:
performing, via the WPA2 pass-through interface, an authentication protocol between the UE and the vAP by updating a client credential with an authentication server and communicating master session key (MSK) data through the CPE comprising the pAP associated with the community WiFi network to enable derivation of an MSK by the UE;
enabling an encryption key for an encryption of at least one of: a data packet or a management packet of the packet data via a four-way handshake protocol;
deriving encryption keys for a WPA2 encryption of unicast frames / packets based on a client pairwise transient key (PTK), and for communication from the pAP to the UE with broadcast messages based on a group temporal key (GTK); and
configuring a station (STA) context database with the encryption keys associated with unicast traffic and broadcast traffic, and commanding the vAP to open a port for communication with the UE via the WPA2 pass-through interface to communicate data packets from the UE and to a wireless access gateway of the SP network.
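The key establishment of claim 28 (and the matching steps of claim 10 above), as an added example in Python that is not the patent's own code: the PMK is taken from the MSK the authentication server returns, the PTK comes from the 802.11 PRF-384 over both MAC addresses and both nonces, it is split into the KCK, KEK and TK that CCMP uses, the EAPOL-Key MIC on handshake message 2 is verified with the KCK, and only then is the STA context database entry written and the port towards the access gateway opened. Only the standard library is used; the MSK, nonces and MAC addresses are constructed for the example, and the AES key wrap of the GTK under the KEK for message 3 is not shown.

```python
"""WPA2 key establishment at the vAP (added example, not the patent's code): PMK from the MSK,
PTK via the 802.11 PRF, the KCK/KEK/TK split, the EAPOL-Key MIC check on handshake message 2,
and the STA context database entry that opens the port. Standard library only."""
import hashlib
import hmac
import os

def prf_80211(key: bytes, label: bytes, data: bytes, nbits: int) -> bytes:
    """PRF-n of 802.11 12.7.1.2: concatenated HMAC-SHA1(key, label || 0x00 || data || i), i = 0, 1, ..."""
    blocks = (nbits + 159) // 160
    out = b"".join(hmac.new(key, label + b"\x00" + data + bytes([i]), hashlib.sha1).digest() for i in range(blocks))
    return out[:nbits // 8]

def derive_ptk(pmk: bytes, aa: bytes, spa: bytes, anonce: bytes, snonce: bytes) -> dict:
    """PTK = PRF-384(PMK, "Pairwise key expansion", Min(AA,SPA)||Max(AA,SPA)||Min(AN,SN)||Max(AN,SN))."""
    data = min(aa, spa) + max(aa, spa) + min(anonce, snonce) + max(anonce, snonce)
    ptk = prf_80211(pmk, b"Pairwise key expansion", data, 384)
    return {"kck": ptk[:16], "kek": ptk[16:32], "tk": ptk[32:48]}   # CCMP: 128-bit temporal key

# EAPOL-Key frame offsets (4-byte EAPOL header + RSN Key Descriptor): Key Nonce at 17, Key MIC at 81.
NONCE_OFF, MIC_OFF = 17, 81

def eapol_key_mic(kck: bytes, frame: bytes) -> bytes:
    """Key Descriptor Version 2 (AES-CCMP): HMAC-SHA1-128 over the frame with the MIC field zeroed."""
    zeroed = frame[:MIC_OFF] + bytes(16) + frame[MIC_OFF + 16:]
    return hmac.new(kck, zeroed, hashlib.sha1).digest()[:16]

def build_eapol_key(key_info: int, replay_counter: int, nonce: bytes, key_data: bytes) -> bytes:
    """Minimal RSN EAPOL-Key frame (descriptor type 2) with an all-zero MIC field."""
    body = (b"\x02" + key_info.to_bytes(2, "big") + (16).to_bytes(2, "big") + replay_counter.to_bytes(8, "big")
            + nonce + bytes(16) + bytes(8) + bytes(8) + bytes(16) + len(key_data).to_bytes(2, "big") + key_data)
    return b"\x02\x03" + len(body).to_bytes(2, "big") + body          # EAPOL v2, packet type 3 = EAPOL-Key

def sign_eapol_key(kck: bytes, frame: bytes) -> bytes:
    return frame[:MIC_OFF] + eapol_key_mic(kck, frame) + frame[MIC_OFF + 16:]

def complete_handshake(sta_db: dict, bssid: bytes, sta: bytes, msk: bytes, anonce: bytes, msg2: bytes) -> bool:
    """Authenticator side at the vAP: derive the PTK from the SNonce in message 2, verify its MIC, and on
    success install TK/GTK in the STA context database and open the controlled port to the access gateway."""
    pmk = msk[:32]                                          # PMK = L(MSK, 0, 256) for EAP-based WPA2
    snonce = msg2[NONCE_OFF:NONCE_OFF + 32]
    keys = derive_ptk(pmk, bssid, sta, anonce, snonce)
    if not hmac.compare_digest(msg2[MIC_OFF:MIC_OFF + 16], eapol_key_mic(keys["kck"], msg2)):
        return False                                        # wrong PMK, tampered frame or swapped nonce
    sta_db[sta] = {**keys, "gtk": sta_db["gtk"], "tx_pn": 0, "port_open": True}
    return True

def demo():
    """Constructed run: MSK, nonces and MACs are made up; a real vAP draws ANonce from a CSPRNG."""
    bssid, sta = bytes.fromhex("021122334455"), bytes.fromhex("02aabbccddee")
    msk, anonce, snonce = bytes(range(64)), b"\xa5" * 32, b"\x5a" * 32
    db = {"gtk": os.urandom(16)}                            # group key of this BSS, sent wrapped in message 3
    keys = derive_ptk(msk[:32], bssid, sta, anonce, snonce)   # the supplicant's side of the same derivation
    msg2 = sign_eapol_key(keys["kck"], build_eapol_key(0x010A, 1, snonce, b"\x30\x00"))  # MIC|Pairwise|v2
    ok = complete_handshake(db, bssid, sta, msk, anonce, msg2)
    tampered = msg2[:NONCE_OFF] + bytes(32) + msg2[NONCE_OFF + 32:]   # an attacker swaps the SNonce
    bad = complete_handshake({"gtk": db["gtk"]}, bssid, sta, msk, anonce, tampered)
    return ok, bad, db[sta]
```

The order of operations is the point: nothing is written to the STA context database and the port stays closed until message 2 has proven, through the KCK, that the supplicant holds the same PMK. The `tx_pn` counter seeded here is what the transmit path of claim 25 increments for every CCMP frame encrypted towards the CPE.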
Priority Applications (3)

PCT/US2017/024956, published as WO2018182604A1 (en); priority 2017-03-30, filed 2017-03-30: Wifi protected access 2 (wpa2) pass-through virtualization
US15/684,311, published as US10555171B2 (en); priority 2017-03-30, filed 2017-08-23: WiFi protected access 2 (WPA2) pass-through virtualization partition
US16/235,000, published as US10785683B2 (en); priority 2017-03-30, filed 2018-12-28: Native fragmentation in WiFi protected access 2 (WPA2) pass-through virtualization protocol

Applications Claiming Priority (1)

PCT/US2017/024956, published as WO2018182604A1 (en); priority 2017-03-30, filed 2017-03-30: Wifi protected access 2 (wpa2) pass-through virtualization

Related Child Applications (1)

US15/684,311 (Continuation-In-Part), published as US10555171B2 (en); priority 2017-03-30, filed 2017-08-23: WiFi protected access 2 (WPA2) pass-through virtualization partition

Publications (1)

WO2018182604A1 (en), published 2018-10-04

Family

ID=58579264

Family Applications (1)

PCT/US2017/024956, published as WO2018182604A1 (en); priority 2017-03-30, filed 2017-03-30: Wifi protected access 2 (wpa2) pass-through virtualization

Country Status (2)

US: US10555171B2 (en)
WO: WO2018182604A1 (en)


Families Citing this family (26)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN110545281B (en) * 2016-05-27 2022-01-18 Huawei Technologies Co., Ltd. WIFI network access method and device
WO2018096384A1 (en) * 2016-11-23 2018-05-31 Harman Becker Automotive Systems Gmbh Band steering of client devices to dual-band legacy access points
EP3556055B1 (en) * 2016-12-19 2021-09-29 ARRIS Enterprises LLC System and method for enabling coexisting hotspot and dmz
WO2018118051A1 (en) * 2016-12-21 2018-06-28 Intel Corporation Dynamic functional partioning for wifi protected access 2 (wpa2) pass-through virtual network function (vnf)
US10785683B2 (en) 2017-03-30 2020-09-22 Maxlinear, Inc. Native fragmentation in WiFi protected access 2 (WPA2) pass-through virtualization protocol
CN109673027B (en) * 2017-10-16 2023-01-10 ZTE Corporation Multi-centralized unit CU fusion method, corresponding equipment and system
JP7028035B2 (en) * 2018-04-10 2022-03-02 Nippon Telegraph and Telephone Corporation Communication system and communication method
US11082305B2 (en) * 2018-06-29 2021-08-03 Assia Spe, Llc Systems and methods for chaining control-plane virtual functions for ensuring end-to-end quality of service (QoS) of internet services
US10993110B2 (en) * 2018-07-13 2021-04-27 Nvidia Corp. Connectionless fast method for configuring Wi-Fi on displayless Wi-Fi IoT device
JP6962293B2 (en) * 2018-08-13 2021-11-05 Nippon Telegraph and Telephone Corporation Communication control device, communication control system, communication control method and communication control program
US10944734B2 (en) * 2018-08-17 2021-03-09 Cisco Technology, Inc. Creating secure encrypted broadcast/multicast groups over wireless network
US11558366B2 (en) 2018-10-26 2023-01-17 Cisco Technology, Inc. Access to secured networks for known entities
US10820201B1 (en) 2019-05-17 2020-10-27 Cisco Technology, Inc. Providing secure access for automatically on-boarded subscribers in Wi-Fi networks
CN111181904B (en) * 2019-06-26 2021-09-14 Tencent Technology (Shenzhen) Co., Ltd. Network access method, device and medium
US11792288B2 (en) * 2019-09-09 2023-10-17 Extreme Networks, Inc. Wireless network device with directional communication functionality
US11258885B2 (en) * 2019-12-10 2022-02-22 Mellanox Technologies, Ltd. Flexible parser in a networking device
US11323372B2 (en) 2020-04-21 2022-05-03 Mellanox Technologies Ltd. Flexible steering
US11546315B2 (en) * 2020-05-28 2023-01-03 Hewlett Packard Enterprise Development Lp Authentication key-based DLL service
US11576231B2 (en) * 2020-06-22 2023-02-07 Verizon Patent And Licensing Inc. Systems and methods for network address translation
WO2022035486A1 (en) * 2020-08-14 2022-02-17 Arris Enterprises Llc Wi-fi multiple access point – user friendly installation
CN112312394B (en) * 2020-11-27 2023-03-31 Spreadtrum Semiconductor (Chengdu) Co., Ltd. Wireless fidelity Wi-Fi management method, device and related equipment
US11843944B2 (en) * 2020-12-31 2023-12-12 Hughes Network Systems, Llc Satellite terminal IP radio MOCA link security
US11425230B2 (en) 2021-01-28 2022-08-23 Mellanox Technologies, Ltd. Efficient parsing tuned to prevalent packet types
US11805479B2 (en) 2021-09-14 2023-10-31 Hewlett Packard Enterprise Development Lp Establishing a connection between an access point and an unstable client device
US11711453B2 (en) 2021-10-24 2023-07-25 Mellanox Technologies, Ltd. Template-based packet parsing
US11765052B1 (en) 2022-03-11 2023-09-19 T-Mobile Usa, Inc. User equipment hosting for customizable 5G services

Citations (4)

Publication number Priority date Publication date Assignee Title
US20110051698A1 (en) * 2009-08-25 2011-03-03 Mohan Verma Mobile Remote Access
US20150327052A1 (en) * 2014-05-08 2015-11-12 Benu Networks, Inc. Techniques for Managing Network Access
WO2016089267A1 (en) * 2014-12-04 2016-06-09 Telefonaktiebolaget Lm Ericsson (Publ) Secure connections establishment
WO2016193823A1 (en) * 2015-06-02 2016-12-08 Alcatel Lucent Method of creating and deleting vwlan dynamically in a fixed access network sharing environment

Family Cites Families (3)

Publication number Priority date Publication date Assignee Title
US20050223111A1 (en) * 2003-11-04 2005-10-06 Nehru Bhandaru Secure, standards-based communications across a wide-area network
US8885539B2 (en) * 2005-01-26 2014-11-11 Hewlett-Packard Development Company, L.P. Configurable quality-of-service support per virtual access point (VAP) in a wireless LAN (WLAN) access device
US10574386B2 (en) * 2014-12-31 2020-02-25 Arris Enterprises Llc WLAN testing using an RF abstraction layer

Cited By (4)

Publication number Priority date Publication date Assignee Title
WO2021146018A1 (en) * 2020-01-13 2021-07-22 Qualcomm Incorporated Local area network client participation in a network slice
US11240855B2 (en) 2020-01-13 2022-02-01 Qualcomm Incorporated Local area network client participation in a network slice
US11706824B2 (en) 2020-01-13 2023-07-18 Qualcomm Incorporated Local area network client participation in a network slice
CN112486753A (en) * 2020-12-18 2021-03-12 Spreadtrum Semiconductor (Chengdu) Co., Ltd. WiFi equipment automatic test method and system and readable storage medium

Also Published As

US20180288614A1 (en), published 2018-10-04
US10555171B2 (en), published 2020-02-04

Legal Events

Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application (ref document number 17718644, country of ref document EP, kind code A1)
NENP Non-entry into the national phase (ref country code DE)
122 Ep: pct application non-entry in european phase (ref document number 17718644, country of ref document EP, kind code A1)