THE MX-SERIES AS SERVICE DELIVERY GATEWAY IN MOBILE NETWORKS
Norbert Wicker,
EMEA Advanced Technology Specialist
8th September 2012
SDG SOLVING TODAY’S PROBLEMS
3 Copyright © 2012 Juniper Networks, Inc. www.juniper.net
[Slide diagram: Juniper Service Delivery Gateway (SDG) on Juniper MX 3D Universal Edge Routers, five service areas]
Network Address Translation / Traffic Control
• CGN
• Stateful Firewall
• Dynamic App Awareness
• Dynamic Sub Awareness
Load Balancing
• Application Delivery Control (ADC)
• Transparent Load Balancer (TLB)
Network Visibility
• Dynamic Flow Capture
• J Flow
Security
• IPS
• IPSec
THE BIG PICTURE OF A MOBILE USE CASE
USE CASE 1: MOBILE OPERATOR SERVICES ZONE FW/CGN, ADC, TRIO BASED JFLOW, TLB
[Diagram: today's services complex (FW/NAT, ADC/SLB, routing, optimization [video/web], DNS, access/GW, switching, caching, two 20Gig legs) consolidated into a next-gen services complex with CGN/SFW and ADC/SLB on a 40Gig leg, keeping optimization [video/web], DNS, access/GW and caching]
Problem
• Simplify cost saving services architecture
• Optimization, complexity and operation
Solution on Gi
• CGN – NAT44[4]/NAT64
• SFW to replace existing FWs
• ADC for outbound HTTP/S, DNS, Radius
• Support all the existing routing requirements such as OSPF/BGP and VRFs
• Combine multiple services zones
THE PRICE TAG DRIVER
Compared with traditional service delivery methods, the SDG has:
• 41% shorter time for the initial deployment and 46% less time to incrementally add new applications
• 14 times less service implementation risk
• Approximately 3 times less operational risk
• 72% reduced power, 76% reduced floor space, 69% reduced cooling
• 50% lower TCO
USE CASE 1: MOBILE OPERATOR SERVICES ZONE FW/CGN, ADC, TRIO BASED [JFLOW, HYBRID-ADC]
With SDG Orchestrating multiple Mobile Services
[Diagram: Gi traffic mix v4/v6 (HTTP) over 8x10 and 16x10 GE; services DNS, CGN/SFW, ADC/SLB (VIP RADIUS, MME, HTTPS), JFlow, TLB; figures shown: 10G uplink, 62G downlink = DSR, 80G using IPFix, ~2G VIP mix traffic, 16G [80Gx20%] to web and video optimization (MSP), 72G video and web towards Internet/DMZ]
USE CASE 2: REQUIREMENTS AND PAIN POINT
Requirement
Performance
• More than 52M stateful sessions
• More than 1M stateful CPS
• More than 140Gbps (70Gbps full duplex) at 512byte frame size
Key feature
• HTTP header enrichment to distinguish subscribers
• Supporting overlapping subnets
Pain point
• Launch of VoLTE service, which needs 2 IP addresses per UE
• With this service, the private IP address space (10/8) can't cover all of the subscribers
• So SP-X plans to use an overlapping subnet per GGSN or PGW
• However, the current billing system for MMS and IPTV can distinguish subscribers by IP address only.
SOLUTION VALUE PROPOSITION
Scalable performance
With 8 MS-DPCs, the MX-960 supports the following performance:
• 68M stateful sessions (Actually I got 67M w/ Spirent)
• More than 1M stateful CPS w/ RST
• 70Gbps full duplex (140Gbps) UDP throughput @ 512 byte w/ 56M flows (3.5M flows per NPU)
HTTP Content Management (HCM) / Junos Web Aware (JWA)
• HCM supports several functions; SP-X wants HTTP header insertion of a RADIUS attribute
• The MX-960 will insert the subscriber's RADIUS attribute into the HTTP header, and the billing system will distinguish each subscriber by HTTP header information, such as MSISDN.
NEXT GENERATION NETWORK ADDRESSING – CARRIER GRADE NAT
ABOUT THE CHALLENGE: IPV4 ADDRESS DEPLETION (E.G.IN EUROPE)
• The IANA pool of available IPv4 addresses was exhausted on 3 February, 2011.
• The RIPE NCC is still able to allocate IPv4 addresses to its members from its pool of IPv4 addresses for an unspecified period.
• The Internet will not stop functioning when the remaining IPv4 addresses are depleted.
• Deploying IPv6 is the only option for Internet growth and evolution.
Source: http://www.ripe.net/internet-coordination/ipv4-exhaustion/ipv4-available-pool-graph
• The amount of IPv4 addresses shown includes the 4.26 million IPv4 addresses temporarily set aside for the De-Bogonising New Address Blocks project.
• This graph includes the last /8 that the RIPE NCC received from the IANA on 3 February 2011 and the /13 pool for temporary assignments (both shown by the yellow horizontal line).
RIPE NCC IPV4 AVAILABLE POOL - GRAPH
http://www.ripe.net/internet-coordination/ipv4-exhaustion/ipv4-available-pool-graph
WHAT NEXT?
Depends on…
• Your unused IPv4 address pool
• Your subscriber and service growth
• Your network and operations readiness
• Your budget and resources
• Your market strategy
• Your vendors
IP FAMILY TRANSITION SERVICES ON MS-PIC/MS-DPC
IPv6 Features
IPv6 NAT and IPv6 Stateful Firewall
NAT-PT Supported (ICMP ALG)
NAT-PT DNS ALG (10.4)
NAT66 supported
NAT64 (10.4)
NAT44
Support CGN requirement (draft-ietf-behave-lsn-requirements-00)
IPv6 Softwire
DS-Lite (10.4)
4over6 (10.4)
6rd/6to4/6to4-pmt (11.2)
8 MS-DPC per Chassis (11.4)
DIMENSIONING CGN
Three primary data points required to size a CGN deployment
• # of Concurrent Subscribers
• Sessions per-second per-subscriber
• Bandwidth required per-subscriber
The above elements are enough to provide a model for sizing any CGN solution
Sizing of solution also depends on deployment type:
• Centralized vs. Decentralized
• Dependent on network architecture
DEPLOYED SOLUTIONS
Deployment Models:
Centralized – Mobile
Distributed – Wireline
Deployed in MX pairs for redundancy/HA
Both active/active and active/passive
MPLS VPN
Typical ALGs deployed:
FTP, PPTP, RTSP, SIP, TFTP
EIM/EIF
P2P gaming in mobile
Platform gaming (Xbox and PS3) in Wireline
DEPLOYED SOLUTIONS
Load Balancing
ECMP
FBF
NAT Pool Methods
PBA – when regulatory compliance per-session not needed
Session-based Dynamic Source-NAT – For regulatory compliance
APPLICATION LAYER GATEWAYS (ALG)
Example ALG percentage based on large mobile provider (data usage):
Sessions: 1 million
410 RTSP sessions
1 TFTP session
14 PPTP sessions
11 FTP sessions
Application timeouts directly affect session scalability:
• Too small and sessions will be terminated prematurely
• Too large and stale sessions will consume resources unnecessarily
Custom applications should be defined for well-known applications that do not need EIM/EIF
No limit to the number of application definitions.
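The sizing model from the "Dimensioning CGN" slide and the timeout point just above can be put into a few lines of arithmetic. The following is an added example, not Juniper code: it takes the three data points the deck names (concurrent subscribers, sessions per second per subscriber, bandwidth per subscriber), adds the average session lifetime that application timeouts bound, and derives aggregate CPS, table size and throughput. The per-card capacities passed to `service_cards_needed` are constructed placeholders, as are the subscriber figures; replace them with what you measure on your own platform.

```python
"""CGN sizing model: an added example, not from the Juniper deck.

Inputs are the three data points the deck names (concurrent subscribers,
new sessions per second per subscriber, bandwidth per subscriber) plus the
average session lifetime, which is what application timeouts bound. All
capacity figures used below are constructed placeholders.
"""
import math
from dataclasses import dataclass


@dataclass(frozen=True)
class CgnSizing:
    subscribers: int
    new_sessions_per_sec_per_sub: float
    mbps_per_sub: float
    avg_session_lifetime_sec: float   # effective lifetime; long idle timeouts raise it

    def setup_rate(self) -> float:
        """Aggregate new sessions per second the NAT must create."""
        return self.subscribers * self.new_sessions_per_sec_per_sub

    def concurrent_sessions(self) -> float:
        """Little's law: sessions held in the table = arrival rate x mean lifetime."""
        return self.setup_rate() * self.avg_session_lifetime_sec

    def throughput_gbps(self) -> float:
        return self.subscribers * self.mbps_per_sub / 1000.0


def service_cards_needed(sizing: CgnSizing, sessions_per_card: int,
                         cps_per_card: int, gbps_per_card: float) -> dict:
    """Cards required on each axis; the largest one is the binding constraint."""
    by_sessions = math.ceil(sizing.concurrent_sessions() / sessions_per_card)
    by_cps = math.ceil(sizing.setup_rate() / cps_per_card)
    by_bw = math.ceil(sizing.throughput_gbps() / gbps_per_card)
    return {"sessions": by_sessions, "cps": by_cps, "bandwidth": by_bw,
            "cards": max(by_sessions, by_cps, by_bw)}


def timeout_sensitivity(sizing: CgnSizing, lifetimes_sec) -> dict:
    """Concurrent sessions for each candidate timeout at the same arrival rate.
    Shows why an over-generous idle timeout inflates the session table."""
    return {lt: sizing.setup_rate() * lt for lt in lifetimes_sec}


if __name__ == "__main__":
    # Constructed example: 1M subscribers, 0.5 new sessions/s each,
    # 100 kbit/s each, 60 s average session lifetime.
    s = CgnSizing(1_000_000, 0.5, 0.1, 60)
    print("setup rate :", s.setup_rate(), "sessions/s")
    print("concurrent :", s.concurrent_sessions(), "sessions")
    print("throughput :", s.throughput_gbps(), "Gbps")
    # Placeholder per-card capacities (not a vendor figure).
    print(service_cards_needed(s, 8_500_000, 1_200_000, 19.0))
    print(timeout_sensitivity(s, (30, 60, 300)))
```

Note that the deck's performance table counts uni-directional flows, so a per-card flow figure has to be halved before it is used as `sessions_per_card`; the `timeout_sensitivity` output makes the cost of a generous TCP idle timeout visible before a card is ordered.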
SUPPORT FOR A LARGE TYPE OF NAT (NAT44, NAPT44, NAT66, NAT-PT, NAT64, NAPT66, TWICE-NAT)
Standard NAT Features
TCP/UDP/ICMP configurable timeouts and TCP Keep-Alives
Large number of Application Level Gateways (Bootp, RPC, rsh, FTP, H323, ICMP, IIOP, SMB, Netshow, Realaudio, RTSP, Snmp, Sqlnet, TFTP, Traceroute, Winframe, DNS, SIP, PPTP)
NAT MIB
Port Limit per private IP
draft-ietf-behave-lsn-requirements
EIM/EIF
Hairpinning
Address Pooling paired
Logging Improvement
Port bucket allocation (11.2)
Load-Balancing across Service Cards
1 + 1 Warm Standby
1 + N Warm Standby
Active/Active Stateless load balancing
O&M commands
alarms to monitor NAT pool, mapping, session state, etc.
monitor total sessions, sessions/sec, session lifetime, etc.
Tight Routing integration
VRF/6PE/6VPE support
CGN Bypass
Service Chaining (IDS/IDP, Stateful Firewall, …)
PERFORMANCE
Per card (MS-DPC) performance – on average 19Gbps throughput
Metrics                     NAPT44(4) PBA(1)    NAT64
Throughput                  19Gbps              18Gbps
Total Flows                 17M                 15M
Peak Flow(2) Ramp-up Rate   1.2M Flows/sec      540K Flows/sec
Public Port Pool            4B ports            4B ports
Ramp-up time (4M Flows)     4sec                8sec
(1) Port Block Allocation (PBA): When PBA is configured, ports for a host are allocated in blocks. Subsequent port allocations for the same host come from the previously allocated block.
(2) Flow = Uni-directional flow through the Router
DYNAMIC NAT
[Chart: public address – ports allocation (one user per color); axes Amount Of Logging, Security, Ratio Users/Public IP, each scaled High to Low]
DYNAMIC NAT – RANDOM ALLOCATION OF PORTS
• Good Ratio Users/Public addresses
• One log needed per Session (needs a substantial logging infrastructure)
• No security issue
• Default NAPT Behavior
NAT WITH PORT BUCKET ALLOCATION (PBA)
[Chart: public address – ports allocation (one user per color), port blocks B1/B2 held by subscribers S1/S2; axes Amount Of Logging, Security, Ratio Users/Public IP, each scaled High to Low]
NAT WITH PORT BLOCK ALLOCATION
• Contiguous blocks of ports allocated to subscriber
• Port is randomly chosen from allocated block
• Possible to tune the ratio Logging/Security/Users-per-IP; reduces dramatically the logs infrastructure needed
• Log is only generated on each allocation and release
DETERMINISTIC NAT
[Chart: public address – ports allocation (one user per color), subscribers S1 S3 S4 S2 S5 at fixed positions; axes Amount Of Logging, Security, Ratio Users/Public IP, each scaled from High down to Low/Null]
DETERMINISTIC NAT
• Algorithmic allocation of IP address and port block per subscriber
• Subscribers keep the same public address all the time
• Lowest ratio of subscriber/public address
• No log messages needed at all
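The three slides above differ mainly in how many log records an operator must keep to map a public (address, port) back to a subscriber. The following simulation is an added example, not Juniper code; it models the three allocation schemes with constructed inputs (two public addresses, twenty subscribers in 10.0.0.0/24, 512-port blocks) and counts the records each scheme produces. The deterministic variant also shows the reverse lookup that makes logging unnecessary: the subscriber is recomputed from the public tuple instead of looked up.

```python
"""Dynamic NAPT vs. port block allocation vs. deterministic NAT: an added
simulation, not Juniper code. Counts the log records each scheme needs so
that a public (address, port) can later be mapped back to a subscriber.
All addresses and sizes below are constructed.
"""
import ipaddress
import random

PORT_LOW, PORT_HIGH = 1024, 65535            # usable port range per public address
PORTS_PER_IP = PORT_HIGH - PORT_LOW + 1


class RandomNapt:
    """Default NAPT: any free port on any address, one log record per session."""
    def __init__(self, public_ips, seed=0):
        self.rng = random.Random(seed)
        self.free = {ip: list(range(PORT_LOW, PORT_HIGH + 1)) for ip in public_ips}
        self.logs = []

    def allocate(self, private_ip):
        ip = self.rng.choice([i for i, ports in self.free.items() if ports])
        port = self.free[ip].pop(self.rng.randrange(len(self.free[ip])))
        self.logs.append(("session", private_ip, ip, port))
        return ip, port


class PortBlockNapt:
    """PBA: a contiguous block per subscriber, random port inside the block;
    a log record only when a block is allocated (and, symmetrically, released)."""
    def __init__(self, public_ips, block_size, seed=0):
        self.rng = random.Random(seed)
        self.block_size = block_size
        self.free_blocks = [(ip, start) for ip in public_ips
                            for start in range(PORT_LOW, PORT_HIGH + 2 - block_size, block_size)]
        self.block_of = {}                   # private_ip -> (public_ip, block start)
        self.used = {}                       # private_ip -> ports in use
        self.logs = []

    def allocate(self, private_ip):
        if private_ip not in self.block_of:
            self.block_of[private_ip] = self.free_blocks.pop(0)
            self.used[private_ip] = set()
            self.logs.append(("block", private_ip, *self.block_of[private_ip]))
        ip, start = self.block_of[private_ip]
        free = [p for p in range(start, start + self.block_size) if p not in self.used[private_ip]]
        port = self.rng.choice(free)         # empty block -> IndexError, i.e. allocation failure
        self.used[private_ip].add(port)
        return ip, port


class DeterministicNat:
    """Algorithmic mapping from subscriber to a fixed (address, block); no logs,
    because reverse() recomputes the subscriber from any public (address, port)."""
    def __init__(self, public_ips, block_size, private_first):
        self.public_ips = list(public_ips)
        self.block_size = block_size
        self.blocks_per_ip = PORTS_PER_IP // block_size
        self.base = int(ipaddress.ip_address(private_first))
        self.next_port = {}                  # private_ip -> ports already handed out
        self.logs = []

    def block_for(self, private_ip):
        idx = int(ipaddress.ip_address(private_ip)) - self.base
        if not 0 <= idx < len(self.public_ips) * self.blocks_per_ip:
            raise ValueError("subscriber outside the deterministic range")
        ip = self.public_ips[idx // self.blocks_per_ip]
        return ip, PORT_LOW + (idx % self.blocks_per_ip) * self.block_size

    def allocate(self, private_ip):
        ip, start = self.block_for(private_ip)
        n = self.next_port.get(private_ip, 0)
        if n >= self.block_size:
            raise RuntimeError("block exhausted")
        self.next_port[private_ip] = n + 1
        return ip, start + n

    def reverse(self, public_ip, port):
        idx = (self.public_ips.index(public_ip) * self.blocks_per_ip
               + (port - PORT_LOW) // self.block_size)
        return str(ipaddress.ip_address(self.base + idx))


def simulate(nat, subscribers, sessions_each):
    """Open sessions_each sessions per subscriber; return the log record count."""
    for sub in subscribers:
        for _ in range(sessions_each):
            nat.allocate(sub)
    return len(nat.logs)


PUBLIC = ["203.0.113.1", "203.0.113.2"]                  # constructed public pool
SUBS = [f"10.0.0.{i}" for i in range(1, 21)]             # constructed subscribers

if __name__ == "__main__":
    print("random NAPT logs   :", simulate(RandomNapt(PUBLIC), SUBS, 50))
    print("PBA logs           :", simulate(PortBlockNapt(PUBLIC, 512), SUBS, 50))
    det = DeterministicNat(PUBLIC, 512, "10.0.0.1")
    print("deterministic logs :", simulate(det, SUBS, 50))
    ip, port = det.allocate("10.0.0.20")
    print("reverse lookup     :", ip, port, "->", det.reverse(ip, port))
```

With 20 subscribers opening 50 sessions each, the random scheme writes 1000 records, PBA writes 20 (one per block) and the deterministic scheme writes none. The trade-off the slides' charts express is visible in the code: a fixed block caps the sessions a subscriber can hold, and a deterministic layout caps the subscribers a public address can serve, which is the price paid for the smaller log footprint.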
LOAD BALANCING
SDG – MOBILE OPERATOR USE CASE
The NEW SDG Mobile Zone - Orchestrating multiple Mobile Services
[Diagram: TLB in front of Internet/DMZ; Gi traffic mix v4/v6 (HTTP) over 8x10 and 16x10 GE; 10G uplink, downlink = DSR, 72G video and web, web and video optimization (MSP)]
CDN USECASE
[Diagram: IPv4/IPv6 subscribers, MX series running TLB with SLB over 4 x 10 GE towards Pacifica caches (VXA2010), core and 10 GE access towards the Internet origin server]
Problem
• Dynamic growth of video consumes tremendous amounts of bandwidth
• Optimized Access based Caching solution
TLB ARCHITECTURE [TRAFFIC LOAD BALANCER]
Leverages traffic distribution capabilities of TRIO chipset
Source IP address based hashing to distribute traffic
[Diagram: MX with data plane (NPU) and forwarding plane (Trio) in front of video/media gateway servers, with media monitoring]
1. Monitor applications and servers health
2. Apply next hop rules according to health status
3. Distribute traffic according to rules (ECMP LB)
Supports graceful operation change, does not affect traffic flows to other active servers
Hybrid mode: Separate application level health checks mechanism on MS-DPC, inline traffic not requiring MS-DPC
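The three-step loop on this slide (health status in, next-hop rules recomputed, traffic hashed on source address) is reproduced below as an added example, not Juniper or Trio code. It uses a hash ring (consistent hashing) so that withdrawing one server only remaps the flows that were on that server, which is one way to get the "does not affect traffic flows to other active servers" property; that mechanism is an assumption made here for illustration, not a statement about the MX implementation. Server names and client addresses are constructed.

```python
"""Source-address hashing with health-aware next hops: an added example
in the spirit of the TLB slide, not Juniper or Trio code. Uses a hash ring
so that removing a failed server leaves other servers' flows untouched
(an assumed mechanism, chosen for illustration).
"""
import bisect
import hashlib


def _h(key: str) -> int:
    """Stable 64-bit hash of a string (source IP or server vnode name)."""
    return int.from_bytes(hashlib.sha256(key.encode()).digest()[:8], "big")


class SourceHashBalancer:
    def __init__(self, servers, vnodes=64):
        self.vnodes = vnodes
        self.health = {s: True for s in servers}   # step 1: fed by the health monitor
        self._rebuild()

    def _rebuild(self):
        """Step 2: recompute next-hop rules from the servers currently healthy."""
        self.ring = sorted((_h(f"{s}#{i}"), s)
                           for s, ok in self.health.items() if ok
                           for i in range(self.vnodes))
        self.keys = [k for k, _ in self.ring]

    def set_health(self, server, healthy: bool):
        self.health[server] = healthy
        self._rebuild()

    def next_hop(self, src_ip: str):
        """Step 3: choose the server from the source address alone (stateless)."""
        if not self.keys:
            return None
        i = bisect.bisect(self.keys, _h(src_ip)) % len(self.keys)
        return self.ring[i][1]


def distribution(lb: SourceHashBalancer, src_ips):
    return {ip: lb.next_hop(ip) for ip in src_ips}


def moved_flows(before: dict, after: dict) -> set:
    """Source addresses whose next hop changed between two rule sets."""
    return {ip for ip in before if before[ip] != after[ip]}


SERVERS = ["cache-a", "cache-b", "cache-c"]                       # constructed
CLIENTS = [f"10.{i // 256}.{i % 256}.7" for i in range(2000)]    # constructed

if __name__ == "__main__":
    lb = SourceHashBalancer(SERVERS)
    before = distribution(lb, CLIENTS)
    lb.set_health("cache-b", False)      # health check failed: withdraw the next hop
    after = distribution(lb, CLIENTS)
    moved = moved_flows(before, after)
    print("flows on cache-b before:", sum(v == "cache-b" for v in before.values()))
    print("flows remapped         :", len(moved))
```

Because the decision depends only on the source address and the current healthy set, the balancer holds no per-flow state, matching the "Stateless" row of the ADC vs. TLB comparison; the cost is that a subscriber behind a single source address always lands on the same server, so very large sources cannot be spread.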
ADC VS. TLB
                    TLB                      ADC
Methods             Hash                     Hash, least connections, round robin, response time, bandwidth
Session State       Stateless                Stateful or Stateless
Traffic Rate        PFE dependent            MS-DPC dependent
Layer support       L4                       L4 - L7 providing Enhanced services stickiness
Transparency        Supported                Supported; also enables a configurable virtual IP destination as part of the ADC
Required HW         MS-DPC (only 1 NPU)      MS-DPC (At least 1 NPU)
Connections/PPS     PFE dependent            Stateful: 1M/2M per NPU; Stateless: PFE dependent/2M per NPU
Health check type   ICMP, TCP, HTTP          ICMP, TCP, HTTP\S, DNS, SNMP, TFTP, IMAP, POP3, WAP, SMTP, RADIUS, NNTP, LDAP, FTP, SIP
IPv4/IPv6           Supported                Supported
JUNOS WEB AWARE (HTTP CONTENT MANAGEMENT)
JWA current state
• A powerful SDK based HTTP parser which tracks HTTP requests & their responses
• Actions include:
• Inserting an HTTP header – a.k.a. tag insertion or header enrichment
• Discarding, resetting, counting, etc. the transactions
• Logging the HTTP requests/responses
• Logging the TCP start/end
• Redirecting the client to a new host/URL
• Associating HTTP transactions to corresponding “subscriber” by communicating with DSA component
• GA in 12.2.
• Supports the following HTTP requests:
• GET
• PUT
• POST
JWA SUPPORTED FEATURES [12.2]
Fixed, wireless and BNG network architectures
IPv4 and IPv6 based tag insertion, URL logging/filtering and error-redirect
Asymmetrical flows (URL logging only)
Extended URL logging for long HTTP contexts
All JWA functions can be run on the same NPU
Multiple NPUs can be used with AMS for IPv4 based traffic to support load balancing
Receiving standard RADIUS attributes and using them for tagging and logging purposes
Subscriber Opt-in/Opt-out function is supported through Sd/Diameter interface (RE based SDK app) by a 3rd party System Integrator.
HCM FUNCTIONS: TAG INSERTION EXAMPLE 1: MSISDN INSERTION
Example:
Hypertext Transfer Protocol
GET / HTTP/1.1
Host: www.juniper.net
User-Agent: Mozilla/5.0 (Windows NT 5.1; rv:8.0) Gecko/20100101 Firefox/8.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip, deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Connection: keep-alive
Cookie: uin=o0069457533; skey=@9Hg3xFMiu
X-MSISDN: d0cfd800e25e681b451e047f9f2138ae
(The lines from Host to Cookie are standard header fields; X-MSISDN is the inserted ‘tag’.)
*Refer to RFC 4229 (HTTP Header Field Registrations) for the initial contents of a permanent IANA registry for HTTP header fields and a provisional repository for HTTP header fields.
The format of the tag inserted in HTTP requests will be:
“<tag-header>: <{radius|fixed}-attribute><tag-separator><{radius|fixed}-attribute>\n\r”
HCM FUNCTIONS: TAG INSERTION EXAMPLE 2: HE IN VIRTUAL SERVICE AREA
[Diagram: two GGSNs (ID=11 and ID=12) each assign the same private address 10.100.55.33 to a client; the MX for header enrichment inserts X-Forwarded-For: 11.100.55.33 and X-Forwarded-For: 12.100.55.33 respectively, after which NAT/PAT translates 10.100.55.33 to a distinct public address for each (80.87.99.50 and 80.87.105.211) towards the Internet]
• Clients get private IP addresses
• Private IP addresses reused on a per-GGSN basis
• Clients’ IP addresses (private) to be added into the X-Forwarded-For: header before NAT is performed
• In order to distinguish two clients with the same private IP address but from different GGSNs, the first byte (which is redundant because it is 10 everywhere) is replaced by the ID of the GGSN (= the ID of the service area)
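The two HCM examples (tag insertion in the deck's "<tag-header>: <attr><tag-separator><attr>" format, and the X-Forwarded-For rewrite that swaps the redundant first octet for the GGSN ID) can be exercised with a small request rewriter. The following is an added example, not Juniper or JWA code: the request, the MSISDN value and the GGSN IDs are constructed placeholders, the supported-method set is the GET/PUT/POST list from the JWA slide, and the rewriter drops any same-named header the client sent before inserting its own, so the value the billing side reads always originates at the gateway.

```python
"""HTTP header enrichment per the two HCM slides: an added example, not
Juniper or JWA code. Inserts a tag header built from RADIUS-style attributes
and rewrites X-Forwarded-For with the GGSN ID in the first octet. The sample
request, attribute values and GGSN IDs are constructed placeholders.
"""
SUPPORTED_METHODS = {"GET", "PUT", "POST"}     # the methods the JWA 12.2 slide lists
CRLF = "\r\n"                                  # HTTP line ending (RFC 7230)


def split_request(raw: str):
    """Return (request_line, [(name, value), ...], body)."""
    head, _, body = raw.partition(CRLF + CRLF)
    lines = head.split(CRLF)
    headers = []
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers.append((name.strip(), value.strip()))
    return lines[0], headers, body


def join_request(request_line, headers, body) -> str:
    return CRLF.join([request_line] + [f"{n}: {v}" for n, v in headers]) + CRLF + CRLF + body


def insert_tag(raw: str, tag_header: str, attributes, separator: str = ";") -> str:
    """Add '<tag-header>: <attr><sep><attr>...' to a supported request.
    Any client-supplied header of the same name is dropped first, so the
    value downstream systems see always comes from the gateway."""
    request_line, headers, body = split_request(raw)
    if request_line.split(" ")[0] not in SUPPORTED_METHODS:
        return raw                                     # passed through untouched
    headers = [(n, v) for n, v in headers if n.lower() != tag_header.lower()]
    headers.append((tag_header, separator.join(str(a) for a in attributes)))
    return join_request(request_line, headers, body)


def ggsn_scoped_address(private_ip: str, ggsn_id: int) -> str:
    """Replace the (redundant) first octet of a 10/8 address with the GGSN ID."""
    octets = private_ip.split(".")
    if len(octets) != 4 or octets[0] != "10" or not 1 <= ggsn_id <= 255:
        raise ValueError("expected a 10/8 address and a GGSN ID in 1..255")
    return ".".join([str(ggsn_id)] + octets[1:])


def enrich_xff(raw: str, client_ip: str, ggsn_id: int) -> str:
    """Set X-Forwarded-For to the GGSN-scoped client address, before NAT runs."""
    return insert_tag(raw, "X-Forwarded-For", [ggsn_scoped_address(client_ip, ggsn_id)])


def header_value(raw: str, name: str):
    _, headers, _ = split_request(raw)
    return next((v for n, v in headers if n.lower() == name.lower()), None)


# Constructed request; it already carries a client-supplied X-MSISDN that
# must not survive enrichment.
SAMPLE = (
    "GET / HTTP/1.1" + CRLF +
    "Host: www.juniper.net" + CRLF +
    "User-Agent: example/1.0" + CRLF +
    "X-MSISDN: client-supplied-value" + CRLF +
    "Connection: keep-alive" + CRLF + CRLF
)

if __name__ == "__main__":
    print(insert_tag(SAMPLE, "X-MSISDN", ["491700000000"]))   # placeholder MSISDN
    print(enrich_xff(SAMPLE, "10.100.55.33", 12))            # GGSN ID 12 -> 12.100.55.33
```

The `ggsn_scoped_address` check rejects anything outside 10/8, which is the precondition the slide relies on: the trick only works because the first octet carries no information of its own.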
SUMMARY
Juniper Networks MX Router
Juniper Optimization SDG Services for Service Providers
• Optimize, reduce complexity and remove point solutions
• Reduce cost and protect investment
• Fast provisioning of new services and customers
• Granular security and management
Service Delivery is Key to SP Success
Legacy service delivery model (FW, LB/ADC, switching, routing, switching, access as separate elements):
• Expensive operations
• No granular segmentation
• Single tenant architecture
• Point vertical solution vendors
• Complexity
• Not scalable, hard to monetize