THE MX-SERIES AS SERVICE DELIVERY GATEWAY IN MOBILE NETWORKS Norbert Wicker, EMEA Advanced Technology Specialist, 8th September 2012


Page 1: Norbert Wicker-The MX-Series as Service Delivery Gateway in Mobile Networks

THE MX-SERIES AS SERVICE DELIVERY GATEWAY IN MOBILE NETWORKS

Norbert Wicker,

EMEA Advanced Technology Specialist

8th September 2012

Page 2

SDG SOLVING TODAY’S PROBLEMS

Page 3

3 Copyright © 2012 Juniper Networks, Inc. www.juniper.net

Figure: Juniper Service Delivery Gateway (SDG) on Juniper MX 3D Universal Edge Routers, five service areas:

1 Network Address Translation
• CGN
• Stateful Firewall

2 Traffic Control
• Dynamic App Awareness
• Dynamic Sub Awareness

3 Load Balancing
• Application Delivery Control (ADC)
• Transparent Load Balancer (TLB)

4 Network Visibility
• Dynamic Flow Capture
• J Flow

5 Security
• IPS
• IPSec

Page 4

THE BIG PICTURE OF A MOBILE USE CASE

Page 5

USE CASE 1: MOBILE OPERATOR SERVICES ZONE FW/CGN, ADC, TRIO BASED JFLOW, TLB

Figure: today's Services Complex, two 20Gig legs each built from Access/GW, Switching, FW/NAT, ADC/SLB, Routing, DNS, Caching and Video/Web Optimization appliances, beside the Next Gen Services Complex, one 40Gig leg in which CGN/SFW and ADC/SLB on the MX replace the FW/NAT and ADC/SLB boxes next to Access/GW, DNS, Caching and Video/Web Optimization.

Problem
• Simplify the services architecture, save cost
• Optimization
• Complexity and operation

Solution
• CGN on Gi – NAT44[4]/NAT64
• SFW to replace existing FWs
• ADC for outbound HTTP/S, DNS, Radius
• Support all the existing routing requirements such as OSPF/BGP and VRFs
• Combine multiple services zones

Page 6

THE PRICE TAG DRIVER

Compared with traditional service delivery methods, the SDG has:

• 41% shorter time for the initial deployment and 46% less time to incrementally add new applications

• 14 times less service implementation risk

• Approximately 3 times less operational risk

• 72% reduced power, 76% reduced floor space, 69% reduced cooling

• 50% lower TCO

Page 7

USE CASE 1: MOBILE OPERATOR SERVICES ZONE FW/CGN, ADC, TRIO BASED [JFLOW, HYBRID-ADC]

With SDG orchestrating multiple mobile services

Figure: the Gi traffic mix v4/v6 (72G video and web, ~2G VIP mix traffic) enters the MX over 16x10; services on the MX are CGN/SFW, ADC/SLB with VIPs for DNS, RADIUS, MME and HTTPS, JFlow (80G using IPFIX) and TLB (16G [80Gx20%]) steering HTTP to the web and video optimization MSP over 8x10 (10G uplink, downlink 62G = DSR); the Internet is reached via the DMZ.

Page 8

USE CASE 2: REQUIREMENTS AND PAIN POINT

Requirement

Performance
• More than 52M stateful sessions
• More than 1M stateful CPS
• More than 140Gbps (70Gbps full duplex) at 512 byte frame size

Key feature
• HTTP header enrichment to distinguish subscribers
• Support for overlapping subnets

Pain point
• Launching the VoLTE service, which needs 2 IP addresses per UE
• With this service the private IP address space (10/8) can’t cover all of the subscribers
• So SP-X plans to use overlapping subnets per GGSN or PGW
• However, the current billing system for MMS and IPTV can distinguish subscribers by IP address only.

Page 9

SOLUTION VALUE PROPOSITION

Scalable performance
With 8 MS-DPCs the MX-960 supports the following performance:
• 68M stateful sessions (actually I got 67M with Spirent)
• More than 1M stateful CPS with RST
• 70Gbps full duplex (140Gbps) UDP throughput at 512 bytes with 56M flows (3.5M flows per NPU)

HTTP Content Management (HCM) / Junos Web Aware (JWA)
• HCM supports several functions; SP-X wants HTTP header insertion of a RADIUS attribute
• The MX-960 inserts the subscriber's RADIUS attribute into the HTTP header, and the billing system distinguishes subscribers by that header information, e.g. the MSISDN.

Page 10

NEXT GENERATION NETWORK ADDRESSING – CARRIER GRADE NAT

Page 11

ABOUT THE CHALLENGE: IPV4 ADDRESS DEPLETION (E.G. IN EUROPE)

• The IANA pool of available IPv4 addresses was exhausted on 3 February, 2011.
• The RIPE NCC is still able to allocate IPv4 addresses to its members from its pool of IPv4 addresses for an unspecified period.
• The Internet will not stop functioning when the remaining IPv4 addresses are depleted.
• Deploying IPv6 is the only option for Internet growth and evolution.

Figure: RIPE NCC IPv4 available pool graph. Source: http://www.ripe.net/internet-coordination/ipv4-exhaustion/ipv4-available-pool-graph

• The amount of IPv4 addresses shown includes the 4.26 million IPv4 addresses temporarily set aside for the De-Bogonising New Address Blocks project.
• This graph includes the last /8 that the RIPE NCC received from the IANA on 3 February 2011 and the /13 pool for temporary assignments (both shown by the yellow horizontal line).

Page 13

WHAT NEXT?

Depends on…

• Your unused IPv4 address pool

• Your subscriber and service growth

• Your network and operations readiness

• Your budget and resources

• Your market strategy

• Your vendors

Page 14

IP FAMILY TRANSITION SERVICES ON MS-PIC/MS-DPC

IPv6 Features
• IPv6 NAT and IPv6 Stateful Firewall
• NAT-PT supported (ICMP ALG)
• NAT-PT DNS ALG (10.4)
• NAT66 supported
• NAT64 (10.4)

NAT44
• Support CGN requirement (draft-ietf-behave-lsn-requirements-00)

IPv6 Softwire
• DS-Lite (10.4)
• 4over6 (10.4)
• 6rd/6to4/6to4-pmt (11.2)

8 MS-DPC per Chassis (11.4)

Page 15

DIMENSIONING CGN

Three primary data points required to size a CGN deployment

• # of Concurrent Subscribers

• Sessions per-second per-subscriber

• Bandwidth required per-subscriber

The above elements are enough to provide a model for sizing any CGN solution

Sizing of solution also depends on deployment type:

• Centralized vs. Decentralized

• Dependent on network architecture

Page 16

DEPLOYED SOLUTIONS

Deployment models:
• Centralized – Mobile
• Distributed – Wireline

Deployed in MX pairs for redundancy/HA
• Both active/active and active/passive
• MPLS VPN

Typical ALGs deployed:
• FTP, PPTP, RTSP, SIP, TFTP

EIM/EIF
• P2P gaming in mobile
• Platform gaming (Xbox and PS3) in wireline

Page 17

DEPLOYED SOLUTIONS

Load balancing
• ECMP
• FBF

NAT pool methods
• PBA – when regulatory compliance per session is not needed
• Session-based dynamic source NAT – for regulatory compliance

Page 18

APPLICATION LAYER GATEWAYS (ALG)

Example ALG percentage based on a large mobile provider (data usage):
• Sessions: 1 million
• 410 RTSP sessions
• 1 TFTP session
• 14 PPTP sessions
• 11 FTP sessions

Application timeouts directly affect session scalability:
• Too small and sessions will be terminated prematurely
• Too large and stale sessions will consume resources unnecessarily

Custom applications should be defined for well-known applications that do not need EIM/EIF. There is no limit to the number of application definitions.
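To make the timeout trade-off on this slide concrete, here is an added Python example (not from the deck and not Junos code) that replays a constructed packet trace through a toy NAT session table, once with a single global idle timeout that is too short, once with one that is too long, and once with per-application timeouts as the slide's custom application definitions would give. The flow labels, timeout values and the trace itself are assumptions.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    t: int        # seconds since trace start
    flow: str     # "<app>-<id>": stands in for the 5-tuple a real NAT keys on


def app_of(flow):
    return flow.split("-", 1)[0]


def build_trace():
    """Constructed trace (not measured data): one RTSP control connection with a
    packet every 20 s, ten one-packet DNS lookups, one short TCP exchange."""
    pkts = [Packet(t, "rtsp-control") for t in range(0, 101, 20)]
    pkts += [Packet(i, f"dns-{i}") for i in range(10)]
    pkts += [Packet(t, "tcp-short") for t in (1, 3, 5)]
    return sorted(pkts, key=lambda p: (p.t, p.flow))


def run_session_table(trace, app_timeouts, default_timeout):
    """Replay the trace through a session table whose idle timeout is looked up
    per application (falling back to default_timeout). Returns
    (peak concurrent entries, premature terminations); a premature termination
    is a packet for a flow whose entry was already aged out, forcing a new
    mapping (with NAPT usually a new public port, which breaks the application)."""
    table = {}                    # flow -> time of the last packet
    seen = set()
    peak = premature = 0
    for pkt in trace:
        expired = [f for f, last in table.items()
                   if pkt.t - last > app_timeouts.get(app_of(f), default_timeout)]
        for f in expired:
            del table[f]
        if pkt.flow in seen and pkt.flow not in table:
            premature += 1
        table[pkt.flow] = pkt.t
        seen.add(pkt.flow)
        peak = max(peak, len(table))
    return peak, premature


def compare_policies():
    """One global timeout that is too short, one that is too long, and a
    per-application policy (values are assumptions for the toy trace)."""
    trace = build_trace()
    return {
        "global-5s": run_session_table(trace, {}, 5),
        "global-300s": run_session_table(trace, {}, 300),
        "per-app": run_session_table(trace, {"dns": 5, "rtsp": 60, "tcp": 30}, 300),
    }
```

On this trace the 5 s global timeout keeps the table small but drops the RTSP control session five times, the 300 s timeout never drops it but holds every one-packet DNS entry for the whole trace, and the per-application policy gets the small table without any premature termination, which is the point of defining custom applications with their own timeouts.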

Page 19

SUPPORT FOR A LARGE RANGE OF NAT TYPES (NAT44, NAPT44, NAT66, NAT-PT, NAT64, NAPT66, TWICE-NAT)

Standard NAT features
• TCP/UDP/ICMP configurable timeouts and TCP keep-alives
• Large number of Application Level Gateways (Bootp, RPC, rsh, FTP, H323, ICMP, IIOP, SMB, Netshow, Realaudio, RTSP, Snmp, Sqlnet, TFTP, Traceroute, Winframe, DNS, SIP, PPTP)
• NAT MIB
• Port limit per private IP

draft-ietf-behave-lsn-requirements
• EIM/EIF
• Hairpinning
• Address pooling paired
• Logging improvement
• Port bucket allocation (11.2)

Load balancing across service cards
• 1 + 1 warm standby
• 1 + N warm standby
• Active/active stateless load balancing

O&M commands
• Alarms to monitor NAT pool, mapping, session state, etc.
• Monitor total sessions, sessions/sec, session lifetime, etc.

Tight routing integration
• VRF/6PE/6VPE support
• CGN bypass
• Service chaining (IDS/IDP, Stateful Firewall, …)

Page 20

PERFORMANCE

Per card (MS-DPC) performance – on average 19Gbps throughput

Metrics                      | NAPT44(4) PBA(1)  | NAT64
Throughput                   | 19Gbps            | 18Gbps
Total Flows                  | 17M               | 15M
Peak Flow(2) Ramp-up Rate    | 1.2M Flows/sec    | 540K Flows/sec
Public Port Pool             | 4B ports          | 4B ports
Ramp-up time (4M Flows)      | 4sec              | 8sec

(1) Port Block Allocation (PBA): when PBA is configured, ports for a host are allocated in blocks. Subsequent port allocations for the same host come from the previously allocated block.
(2) Flow = unidirectional flow through the router.
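The following added Python example (not Juniper's sizing tool) ties the three inputs of the DIMENSIONING CGN slide (concurrent subscribers, sessions per second per subscriber, bandwidth per subscriber) to the per-card figures in this table and to the "8 MS-DPC per chassis" figure. The mean session lifetime, the two flows per session, the usable port range and the per-subscriber port limit are assumptions the slides do not state; the subscriber figures in the usage note are constructed.

```python
import math

# Per-card (MS-DPC) figures from the deck's performance table, NAPT44 PBA column
CARD_THROUGHPUT_GBPS = 19
CARD_FLOWS = 17_000_000            # unidirectional flows held per card
CARD_FLOW_RATE = 1_200_000         # peak flow ramp-up rate per card, flows/sec
CARDS_PER_CHASSIS = 8              # "8 MS-DPC per chassis" (11.4)
FLOWS_PER_SESSION = 2              # assumption: one session = one flow in each direction
PORTS_PER_PUBLIC_IP = 65535 - 1024 + 1   # assumption: ports 1024-65535 usable per public address


def size_cgn(concurrent_subscribers, sessions_per_sec_per_sub, kbps_per_sub,
             mean_session_lifetime_s, port_limit_per_sub):
    """Turn the three slide inputs into demand figures and a card count.

    mean_session_lifetime_s and port_limit_per_sub are additional assumptions:
    Little's law (concurrent = arrival rate x mean lifetime) converts the
    per-second session rate into flow-table occupancy, and the per-subscriber
    port limit fixes the users-per-public-IP ratio for the NAT pool."""
    session_rate = concurrent_subscribers * sessions_per_sec_per_sub
    concurrent_sessions = session_rate * mean_session_lifetime_s
    gbps = concurrent_subscribers * kbps_per_sub / 1e6
    cards_for = {
        "throughput": math.ceil(gbps / CARD_THROUGHPUT_GBPS),
        "flow_table": math.ceil(concurrent_sessions * FLOWS_PER_SESSION / CARD_FLOWS),
        "flow_rate": math.ceil(session_rate * FLOWS_PER_SESSION / CARD_FLOW_RATE),
    }
    bottleneck = max(cards_for, key=cards_for.get)      # the resource that needs most cards
    subs_per_public_ip = PORTS_PER_PUBLIC_IP // port_limit_per_sub
    return {
        "session_rate_per_s": round(session_rate),
        "concurrent_sessions": round(concurrent_sessions),
        "gbps": round(gbps, 1),
        "cards_for": cards_for,
        "bottleneck": bottleneck,
        "cards": cards_for[bottleneck],
        "chassis": math.ceil(cards_for[bottleneck] / CARDS_PER_CHASSIS),
        "public_ips": math.ceil(concurrent_subscribers / subs_per_public_ip),
    }
```

Usage: `size_cgn(2_000_000, 0.02, 50, 120, 1024)` for a constructed operator with two million concurrent subscribers at 0.02 new sessions per second and 50 kbps each, a 120 s mean session lifetime and 1024 ports per subscriber comes out throughput-bound (100 Gbps, six cards in one chassis) with 4.8M concurrent sessions and about 31.7K public addresses; a bursty, low-bandwidth profile such as `size_cgn(500_000, 0.5, 20, 60, 1024)` is instead flow-table-bound. Whichever figure wins is the one to validate with the vendor's own numbers, since the 19 Gbps average in the table is a 512-byte-frame figure.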

Page 21

DYNAMIC NAT

Figure: public address – ports allocation (one user per color), with three gauges scaled Low to High for Amount of Logging, Security and Ratio Users/Public IP.

DYNAMIC NAT – RANDOM ALLOCATION OF PORTS

• Good ratio users/public addresses
• One log needed per session (needs a substantial logging infrastructure)
• No security issue
• Default NAPT behavior

Page 22

NAT WITH PORT BUCKET ALLOCATION (PBA)

Figure: public address – ports allocation (one user per color), the port range split into blocks B1 and B2 held by subscribers S1 and S2, with the same three gauges scaled Low to High for Amount of Logging, Security and Ratio Users/Public IP.

NAT WITH PORT BLOCK ALLOCATION

• Contiguous blocks of ports allocated to a subscriber
• Port is randomly chosen from the allocated block
• Possible to tune the ratio logging/security/users-per-IP; dramatically reduces the logging infrastructure needed
• Log is only generated on each block allocation and release

Page 23

DETERMINISTIC NAT

Figure: public address – ports allocation (one user per color), subscribers S1 to S5 each at a fixed block, with gauges for Amount of Logging (scaled Null to High), Security and Ratio Users/Public IP (scaled Low to High).

DETERMINISTIC NAT

• Algorithmic allocation of IP address and port block per subscriber
• Subscribers keep the same public address all the time
• Lowest ratio of subscribers/public address
• No log messages needed at all
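An added Python simulation (not Juniper code) that implements the three allocation schemes of the last three slides as toy NAT tables and counts the log records each one has to emit for the same workload; it also shows the deterministic scheme answering an abuse report by recomputation instead of a log search. The pool addresses, block size and subscriber counts are constructed, and the deterministic mapping formula is one possible algorithm, not necessarily the one Junos uses.

```python
import ipaddress
import random
from collections import defaultdict

FIRST_PORT, LAST_PORT = 1024, 65535
PORTS_PER_IP = LAST_PORT - FIRST_PORT + 1      # 64512 usable ports per public address (assumption)


class RandomNapt:
    """Default NAPT: any free (ip, port) at random; one log record per session."""
    def __init__(self, public_ips, rng):
        self.rng = rng
        self.free = [(ip, p) for ip in public_ips for p in range(FIRST_PORT, LAST_PORT + 1)]
        self.logs = []
    def allocate(self, private_ip):
        i = self.rng.randrange(len(self.free))          # raises once the pool is exhausted
        self.free[i], self.free[-1] = self.free[-1], self.free[i]
        pub = self.free.pop()
        self.logs.append(("session", private_ip, pub))   # the only record tying port to subscriber
        return pub
    def release(self, private_ip, pub):
        self.free.append(pub)


class PortBlockNapt:
    """PBA: contiguous blocks per subscriber, random port inside a block,
    logs only when a block is allocated or released."""
    def __init__(self, public_ips, block_size, rng):
        self.rng, self.block_size = rng, block_size
        self.free_blocks = [(ip, s) for ip in public_ips
                            for s in range(FIRST_PORT, LAST_PORT + 2 - block_size, block_size)]
        self.blocks = defaultdict(list)                  # private_ip -> [[ip, start, used_ports]]
        self.logs = []
    def allocate(self, private_ip):
        for ip, start, used in self.blocks[private_ip]:
            if len(used) < self.block_size:
                port = self.rng.choice([p for p in range(start, start + self.block_size) if p not in used])
                used.add(port)
                return (ip, port)
        ip, start = self.free_blocks.pop()               # a port limit per private IP would cap this
        self.blocks[private_ip].append([ip, start, set()])
        self.logs.append(("block-alloc", private_ip, ip, start))
        return self.allocate(private_ip)
    def release(self, private_ip, pub):
        for block in self.blocks[private_ip]:
            ip, start, used = block
            if ip == pub[0] and start <= pub[1] < start + self.block_size:
                used.discard(pub[1])
                if not used:                             # last session gone: return the block
                    self.blocks[private_ip].remove(block)
                    self.free_blocks.append((ip, start))
                    self.logs.append(("block-release", private_ip, ip, start))
                return


class DeterministicNat:
    """Public address and port block computed from the private address: no
    allocation logs, the mapping is recomputed when an abuse report comes in."""
    def __init__(self, public_ips, private_net, block_size):
        self.public_ips, self.block_size = public_ips, block_size
        self.net = ipaddress.ip_network(private_net)
        self.blocks_per_ip = PORTS_PER_IP // block_size
        self.used = defaultdict(set)
        self.logs = []
    def _block(self, private_ip):
        idx = int(ipaddress.ip_address(private_ip)) - int(self.net.network_address)
        return self.public_ips[idx // self.blocks_per_ip], FIRST_PORT + (idx % self.blocks_per_ip) * self.block_size
    def allocate(self, private_ip):
        ip, start = self._block(private_ip)
        for port in range(start, start + self.block_size):
            if port not in self.used[private_ip]:
                self.used[private_ip].add(port)
                return (ip, port)
        raise RuntimeError("subscriber exhausted its fixed port block")
    def release(self, private_ip, pub):
        self.used[private_ip].discard(pub[1])
    def subscriber_for(self, public_ip, port):
        """Reverse lookup for a (public ip, port) seen externally: no log search needed."""
        idx = self.public_ips.index(public_ip) * self.blocks_per_ip + (port - FIRST_PORT) // self.block_size
        return str(self.net.network_address + idx)


def simulate(nat, subscribers, sessions_per_sub):
    """Open sessions_per_sub sessions per subscriber, close them all, return the log count."""
    opened = [(sub, nat.allocate(sub)) for sub in subscribers for _ in range(sessions_per_sub)]
    for sub, pub in opened:
        nat.release(sub, pub)
    return len(nat.logs)


def compare(n_subs=200, sessions_per_sub=50, block_size=64, seed=1):
    subscribers = [str(ipaddress.ip_address("10.0.0.0") + i) for i in range(n_subs)]
    public_ips = ["203.0.113.1", "203.0.113.2"]          # constructed pool, documentation range
    return {
        "random": simulate(RandomNapt(public_ips, random.Random(seed)), subscribers, sessions_per_sub),
        "pba": simulate(PortBlockNapt(public_ips, block_size, random.Random(seed)), subscribers, sessions_per_sub),
        "deterministic": simulate(DeterministicNat(public_ips, "10.0.0.0/24", block_size), subscribers, sessions_per_sub),
    }
```

With 200 subscribers opening 50 sessions each, `compare()` returns 10000 records for random NAPT, 400 for PBA (one allocation and one release per subscriber, since 50 sessions fit one 64-port block) and none for deterministic NAT, which instead answers `subscriber_for(...)` by arithmetic. The price of the quieter schemes is what the gauges on the slides show: a subscriber that needs more ports than its block either gets another block (PBA) or is refused (deterministic), and a fixed public address per subscriber makes the mapping easier to correlate from outside.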

Page 24

LOAD BALANCING

Page 25

SDG – MOBILE OPERATOR USE CASE

The NEW SDG Mobile Zone - Orchestrating multiple Mobile Services

Figure: the Gi traffic mix v4/v6 (72G video and web) enters the MX over 16x10; TLB on the MX steers HTTP to the web and video optimization MSP over 8x10 (10G uplink, downlink = DSR); the Internet is reached via the DMZ.

Page 26

CDN USE CASE

Figure: IPv4 and IPv6 subscribers reach an MX series router over a 10 GE access link; the MX performs TLB/SLB over 4 x 10 GE toward two Pacifica caches (VXA2010) in the core, with the origin server on the Internet.

Problem
• Dynamic growth of video consumes tremendous amounts of bandwidth
• Optimized access-based caching solution

Page 27

TLB ARCHITECTURE [TRAFFIC LOAD BALANCER]

Leverages the traffic distribution capabilities of the TRIO chipset; source IP address based hashing distributes the traffic.

Figure: MX with a data plane (NPU) and a forwarding plane (Trio) in front of the video media gateways, with media monitoring:
1. Monitor applications and servers health
2. Apply next hop rules according to health status
3. Distribute traffic according to rules (ECMP LB)

Supports graceful operation change, does not affect traffic flows to other active servers

Hybrid mode: separate application level health check mechanism on the MS-DPC, inline traffic not requiring the MS-DPC
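Added Python example, not Juniper's implementation: source-IP based server selection driven by a health table, as in steps 1 to 3 above. The slide does not say which hash Trio uses, so this example assumes rendezvous (highest-random-weight) hashing to show the property the slide claims, that pulling one server that failed its health check moves only that server's flows; a modulo hash is included for contrast because it reshuffles flows of servers that are still healthy. The server names and the subscriber source addresses are constructed.

```python
import hashlib
import ipaddress


def _score(server, src_ip):
    """Rendezvous score of one server for one source address (assumed scheme)."""
    digest = hashlib.sha256(f"{server}|{src_ip}".encode()).digest()
    return int.from_bytes(digest[:8], "big")


def pick_server(src_ip, healthy):
    """Source-IP based selection: the healthy server with the highest score wins,
    so a server's disappearance cannot change the winner for anyone else's flows."""
    return max(healthy, key=lambda s: _score(s, src_ip))


def pick_server_modulo(src_ip, healthy):
    """Naive alternative for contrast: hash(src) modulo the number of healthy servers."""
    h = int.from_bytes(hashlib.sha256(src_ip.encode()).digest()[:8], "big")
    return healthy[h % len(healthy)]


def distribute(client_ips, servers, health, chooser=pick_server):
    """Steps 2 and 3: drop servers whose health check failed, map every source to a next hop."""
    healthy = [s for s in servers if health[s]]
    return {ip: chooser(ip, healthy) for ip in client_ips}


def moved_flows(before, after):
    return {ip for ip in before if before[ip] != after[ip]}


def sample_clients(n=1000):
    """Constructed subscriber source addresses in 100.64.0.0/10 (shared CGN space)."""
    base = ipaddress.ip_address("100.64.0.0")
    return [str(base + i * 7) for i in range(n)]


def failover_impact(servers=("cache-a", "cache-b", "cache-c"), failed="cache-c"):
    """How many flows move when one server fails its health check, per scheme."""
    clients = sample_clients()
    all_up = {s: True for s in servers}
    one_down = {s: s != failed for s in servers}       # step 1 result after the failure
    result = {}
    for name, chooser in (("rendezvous", pick_server), ("modulo", pick_server_modulo)):
        before = distribute(clients, servers, all_up, chooser)
        after = distribute(clients, servers, one_down, chooser)
        moved = moved_flows(before, after)
        on_failed = {ip for ip, s in before.items() if s == failed}
        result[name] = {"moved": len(moved), "only_failed_servers_flows": moved == on_failed}
    return result
```

`failover_impact()` reports, for each scheme, how many of the 1000 sources changed next hop when cache-c was withdrawn and whether those were exactly the flows that had been on cache-c; only the rendezvous scheme satisfies the "does not affect traffic flows to other active servers" property, which is what you want from a stateless balancer in front of caches that hold per-client state.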

Page 28

ADC VS. TLB

                    | TLB                  | ADC
Methods             | Hash                 | Hash, least connections, round robin, response time, bandwidth
Session state       | Stateless            | Stateful or stateless
Traffic rate        | PFE dependent        | MS-DPC dependent
Layer support       | L4                   | L4 - L7, providing enhanced services stickiness
Transparency        | Supported            | Supported, plus a configurable virtual IP destination as part of the ADC
Required HW         | MS-DPC (only 1 NPU)  | MS-DPC (at least 1 NPU)
Connections/PPS     | PFE dependent        | Stateful: 1M/2M per NPU; Stateless: PFE dependent/2M per NPU
Health check type   | ICMP, TCP, HTTP      | ICMP, TCP, HTTP/S, DNS, SNMP, TFTP, IMAP, POP3, WAP, SMTP, RADIUS, NNTP, LDAP, FTP, SIP
IPv4/IPv6           | Supported            | Supported

Page 29

JUNOS WEB AWARE (HTTP CONTENT MANAGEMENT)

Page 30

JWA current state

• A powerful SDK based HTTP parser which tracks HTTP requests & their responses

• Actions include:

• Inserting an HTTP header – a.k.a. tag insertion or header enrichment

• Discarding, resetting, counting, etc. the transactions

• Logging the HTTP requests/responses

• Logging the TCP start/end

• Redirecting the client to a new host/URL

• Associating HTTP transactions to corresponding “subscriber” by communicating with DSA component

• GA in 12.2.

• Supports the following HTTP requests:

• GET

• PUT

• POST

Page 31

JWA SUPPORTED FEATURES [12.2]

Fixed, wireless and BNG network architectures

IPv4 and IPv6 based tag insertion, URL logging/filtering and error-redirect

Asymmetrical flows (URL logging only)

Extended URL logging for long HTTP contexts

All JWA functions can be run on the same NPU

Multiple NPUs can be used with AMS for IPv4 based traffic to support load balancing

Receives standard RADIUS attributes and uses them for tagging and logging purposes

Subscriber Opt-in/Opt-out function is supported through Sd/Diameter interface (RE based SDK app) by a 3rd party System Integrator.

Page 32

HCM FUNCTIONS: TAG INSERTION EXAMPLE 1: MSISDN INSERTION

The format of the tag inserted in HTTP requests will be:

“<tag-header>: <{radius|fixed}-attribute><tag-separator><{radius|fixed}-attribute>\n\r”

Example (standard header fields, with the inserted ‘tag’ as the last line):

Hypertext Transfer Protocol
GET / HTTP/1.1
Host: www.juniper.net
User-Agent: Mozilla/5.0 (Windows NT 5.1; rv:8.0) Gecko/20100101 Firefox/8.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip, deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Connection: keep-alive
Cookie: uin=o0069457533; skey=@9Hg3xFMiu
X-MSISDN: d0cfd800e25e681b451e047f9f2138ae

*Refer to RFC 4229 (HTTP Header Field Registrations) for the initial contents of a permanent IANA registry for HTTP header fields and a provisional repository for HTTP header fields.

Page 33

HCM FUNCTIONS: TAG INSERTION EXAMPLE 2: HE IN VIRTUAL SERVICE AREA

Figure: two clients, both with private address 10.100.55.33, sit behind GGSN ID=11 and GGSN ID=12; the MX for header enrichment inserts X-Forwarded-For: 11.100.55.33 for one and X-Forwarded-For: 12.100.55.33 for the other, and the NAT/PAT stage then translates 10.100.55.33 to 80.87.99.50 on one path and to 80.87.105.211 on the other toward the Internet.

• Clients get private IP addresses
• Private IP addresses are reused on a per-GGSN basis
• Clients’ (private) IP addresses are added into the X-Forwarded-For: header before NAT is performed
• In order to distinguish two clients with the same private IP address but from different GGSNs, the first byte (which is redundant because it‘s 10 everywhere) is replaced by the ID of the GGSN (= the ID of the service area)
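Added Python example, not Juniper's HCM code: a minimal HTTP/1.1 request parser that performs the tag insertion in the format of example 1 and the GGSN-qualified X-Forwarded-For of example 2. The X-MSISDN value on the slide is opaque, so the example derives a keyed-hash token from the MSISDN under an assumed operator key rather than inserting the raw number; the sample request is constructed from the slide's capture. As a design choice, the enrichment step removes any copy of the tag header the client sent itself, so the billing or content platform only ever sees the gateway's value.

```python
import hmac
import hashlib
import ipaddress

CRLF = "\r\n"   # HTTP header lines end in CR LF


def parse_request(raw):
    """Split a raw HTTP/1.1 request into (request line, [(name, value)], body)."""
    head, _, body = raw.partition(CRLF + CRLF)
    lines = head.split(CRLF)
    headers = []
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers.append((name.strip(), value.strip()))
    return lines[0], headers, body


def serialize(request_line, headers, body):
    return request_line + CRLF + "".join(f"{n}: {v}{CRLF}" for n, v in headers) + CRLF + body


def msisdn_token(msisdn, key):
    """Opaque subscriber token (assumption: a keyed hash instead of the raw MSISDN,
    so the tag is only meaningful to systems that hold the operator key)."""
    return hmac.new(key, msisdn.encode(), hashlib.sha256).hexdigest()[:32]


def insert_tag(raw, tag_header, attributes, separator="|"):
    """Slide format: "<tag-header>: <attribute><tag-separator><attribute>" plus CRLF.
    Any client-supplied header of the same name is dropped first."""
    request_line, headers, body = parse_request(raw)
    headers = [(n, v) for n, v in headers if n.lower() != tag_header.lower()]
    headers.append((tag_header, separator.join(attributes)))
    return serialize(request_line, headers, body)


def service_area_address(private_ip, ggsn_id):
    """Example 2: replace the redundant first octet (10) by the GGSN / service-area ID."""
    octets = str(ipaddress.ip_address(private_ip)).split(".")
    if octets[0] != "10":
        raise ValueError("expected an address from 10/8")
    octets[0] = str(ggsn_id)
    return ".".join(octets)


def enrich_for_service_area(raw, client_private_ip, ggsn_id):
    """X-Forwarded-For carrying the GGSN-qualified private address; must run on the
    MX before NAT/PAT rewrites the source, as the figure shows."""
    return insert_tag(raw, "X-Forwarded-For", [service_area_address(client_private_ip, ggsn_id)])


SAMPLE_REQUEST = (   # constructed request modelled on the slide's capture
    "GET / HTTP/1.1" + CRLF +
    "Host: www.juniper.net" + CRLF +
    "User-Agent: Mozilla/5.0 (Windows NT 5.1; rv:8.0) Gecko/20100101 Firefox/8.0" + CRLF +
    "X-MSISDN: value-sent-by-the-client" + CRLF +
    "Connection: keep-alive" + CRLF + CRLF
)
```

`insert_tag(SAMPLE_REQUEST, "X-MSISDN", [msisdn_token("491701234567", OPERATOR_KEY)])` (with `OPERATOR_KEY` being the assumed operator secret) yields the request with exactly one X-MSISDN header, the gateway's, as the last header line, and `enrich_for_service_area(SAMPLE_REQUEST, "10.100.55.33", 12)` yields `X-Forwarded-For: 12.100.55.33`, matching the figure.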

Page 34

SUMMARY

Page 35

Juniper Networks MX Router – Juniper Optimization SDG Services for Service Providers
• Optimize, reduce complexity and remove point solutions
• Reduce cost and protect investment
• Fast provisioning of new services and customers
• Granular security and management

Service Delivery is Key to SP Success

Legacy service delivery model (FW, LB/ADC, switching, routing, switching and access as separate boxes):
• Expensive operations
• No granular segmentation
• Single tenant architecture
• Point vertical solution vendors
• Complexity
• Not scalable, hard to monetize
