Service Providers trends - ALEF

Service Providers trends &F5 Networks SP’s portfolio overview

© F5 Networks, Inc 2

Attacks from Internet Data Growth / IoT Regulations / Services

Traffic policing

URL filtering

DDoS protection

L4-L7 security

Traffic shaping

Scalability, IPv4/v6

Today‘s ISP trends

Competition, Profitability

Network Consolidation


LoadbalancingLTM

Network FWAFM

Web FWASM

DNSDNS

Traffic policingPEM

Cloud scrubbingSilverline

What F5 does for SPs?

Signalling proxyDiameter, SIP, Radius, HTTP, LDAP, …

CGNATIPv4, IPv6

Access ControlAPM


iRulesProgramibility

TMOSFull proxy architecture

PowerHW

IPv6Native support

CGNAT

PEM

Silverine

… and our „TREASURES“ under the surface

Communitydevcentral.f5.com

VirtualisationvCMP, VMware, Openstack, …

DNS

AnalyticsStatistics, logs, ...


PEM


Context-Aware and Policy-Driven Traffic Steering

RAT TYPESUBSCRIBER DEVICE TYPE

CONGESTIONLOCATIONAPPLICATION

2G

3G

4G

PCRFDiameter Gx

GGSN/PGWRADIUS

3RD PARTY TOOLSCustom API

DATA PLANEPEM/DPI Module

What is context ?How does the steering platform learn about

context ?


Subscriber awareness with PEM

PGW/GGSN/

BNG

Internet

RTR

Data Center

Video

Optimization

Transparent

Caching

Parental

Controls

WAP

Gateway

PCRFAAA

Radius

Data

OCS

GxGy

Radius


PEM for Fixed Line / WiFi

BRAS /BNG

InternetRTR

DHCP

Policies and Subscribers

AAA Syslog

Fixed Broadband

DHCP, Radius

Detection and identification using DHCP

• Subscriber identity extracted from DHCP Option 82 (IPv4) / Option 37 (IPv6)

• Support of DHCP snooping / DHCP relay

Detection and Authentication using Radius

• PEM as Radius client initiates Access-Request for particular subscriber

• Radius Accounting for the reporting

BIG-IP PEM


Policy Action: Traffic Steering and Service Chaining

• Intelligent traffic steering to VAS servers

• Leverage subscriber/application awareness for steering

• Steering on Response

• Analyze response and apply steering policy for flow/ transaction

Use Case: Ability to steer traffic through different value added services and network elements

Customer Benefit: A fixed or mobile solution for optimizing subscriber and application traffic through VAS and network elements based on subscriber profile

GGSN

PGWBNG In ternet

Subscriber

Radius

Diameter Gx

Other API

John

Emma

Radius

http (3G)

Service Provider VASParental

Control

Video

Optimization

Control Plane

AAAPCRF

http

Paul User Service Policy

John Video Optimization “LTE bypass”

Parental Control “No”

Paul Video Optimization “Always”

Parental Control “Yes”

Bandwidth and QoE management

Even if subscriber is entitled for more by

subscriber bandwidth policy his P2P traffic gets reduced to configured value (512kbps)

Gold Subscriber (20 Mbps)

Silver Subscriber (10 Mbps)

Bronze Subscriber (5 Mbps)

PER-SUBSCRIBER BANDWIDTH CONTROL

PER-SUBSCRIBER PER APPLICATION BANDWIDTH CONTROL

PGW/GGSN VIPRION

PGW/GGSN VIPRION

Gold Subscr total (20 Mbps)

Gold Subscr p2p (512 kbps)

PCRF

App p2p total (500 Mbps)


URL Categorization for filtering & parental control

• URL Filtering

• Custom [iRule]

• Built-in Webroot DB (20M most popular)

• Cloud-based Webroot (400M) DB lookup

• Custom DB (few M)

• SNI based URL categorization for HTTPs

PGW/GGSN

Internet

RTR

2. Integrated WebrootURL Filtering / Blacklist

1. Trying to access blocked URL

3. Access Denied

OTT MONETIZATION & FLEXIBLE CHARGING

Application Classification : DPI engine

PGW/GGSN VIPRION

Gold Subscr total (acct only)

OTT Service (acct + DSCP mark)

PCRF

• Subscription models / bundles for OTT or specialized service

• Bundled into subscription for a lower fee

• OTT traffic excluded from volume bundle

• OTT traffic marked/tagged for differential treatment at radio layer

SPECIALIZEDSERVICE

(MNO BRAND)

RADIUS Accounting(Subscriber discovery)

Analytics

GxSyslog/IPFIX


• HTTPS/SSL

• SNI /Common name based classification

• Support for behavioral classification

• Pattern based matching, signature creation

• SSL certificate lookup (domain string lookup inside SSL)

• SSL flow bundling – ability to correlate parent/child SSL flows for an application/protocol – partial SSL handshake scenario where parent flow certificate is not transmitted to child SSL

• Non-HTTPS (Skype, BitTorrent, … )

• Support for pattern based signatures along with behavioral capabilities

• For example, Skype - source IP/port, supernodes etc.

Classification: Encrypted traffic handling


• HTTP header enrichment for subscriber identification

• Content insertion (javascript) into HTTP payload to enable

• In-browser notifications

• Toolbar insertion

• Ad insertion

Content Insertion

BNG/BRAS Internet

2. Javascript insertion about quota max

1. Content being sent back to

subscriber; data maxed out

3. Subscriber realizes they have

maxed out data

CONTENT INJECTION / AD INSERTION


HTTP Header Enrichment

GGSN/PGWBNG/BRAS

Internet

2. BIGIP intercepts HTTP request and adds custom header based on pre-configured policy

1. Subscriber sends HTTP request

• HTTP Full-Proxy mode allows for

• Header insertion both in request and response

• Custom header name completely configurable

• Clear-text and hashed/encrypted header content

• Conditions to decide when to insert header fully configurable, example

• Based on destination IP address, URI, … (list of destinations)

• Based on user-id (under PCRF control)


• Reports Device-Type & OS for each subscribers

• Identifies the type of Mobile device connected to the network.

• Uses the Mobile device’s (unique) Type Allocation Code (TAC) retrieved from RADIUS Acct START

• The Service Provider can use it’s own database provisioned on Big-IP platform

• Determined by parsing the UA string

• Determined by TCP Fingerprinting

• Tethering

• Ability to detect tethering based on TTL today

• In next release Ability to detect tethering based on enhanced algorithms like TCP fingerprints, UA, #Connections, BW etc.

Classification: Mobile device and Tethering detection


Charging/Quota Management

OCS PCRF AAA/HSS

Policy and Subscriber Management

Gx / Gy

PGW/GGSN

Internet

BIG-IP PEM

RTR

• Quota Management / Pre-paid charging use cases per Sub / App

• Gy AVPs / Volume and time based quotas / quota replenishment / quota breach

• License based


• F5 provide on Box reporting to show local analytics

• Approach to external analytics is to provide the information to external 3rd

parties vendors implementing this function

• F5 data export can be done leveraging on different protocols

• F5 has partnership with several vendors for analytics

F5 Approach to reporting/analytics/logging

PGW/GGSN

Internet

BIG-IP PEM

RTR

SYSLOG IPFIX RADIUS GX


PEM – Wide range of use casesPer-subscriber Application & URL Bandwidth

Control & Filtering

• TCP-friendly rate limiter

• Separate up/down rates

• Highly scalable solution

• TCP Optimization as a bonus

Subscriber Application Analytics

• Subscriber ID / Rate Plan

• Charging rules

• Application Usage Reporting

Intelligent Traffic Steering& Service Chaining to VAS

• Steer traffic based on subscriber profile to Value Added Services & Optimization Services

• Intelligent Service Chaining

Online Charging (Gy)

• Flexible rating group definitions based on applications and/or URI

• Redirect or block upon quota expiration

URL Filtering & Parental Control

• Government lists

• Per-subscriber parental control opt-in/opt-out service

• For HTTP & HTTPS

OTT Identification & Monetization

• Per-subscriber OTT application detection

• Per-OTT bandwidth, marking and charging rules

Header Enrichment & WAP offload

• HTTP HE for content-based charging

• WAP GW bypass/offload and replacement

Content Injection / Toolbars

• Java-script based content injection

• Targeted advertisements

Lightweight BRAS/BNG

• DHCP-based BNG model for wifi and wireline deployments

• Radius AAA client

Case study Tier1 operátor v Polsku – Rodičovská Kontrola

INTERNETAccess

Network

Mobile

Client

Symantec DB

PEM

Scenár nasadenia

- Rodičovská kontrola ako platená služba

- Riešenie tiež pre business zákazníkov

- Whitelisting on-line bankingov

- Load balancing ICAP serverov

- PEM s integráciou Gx do Optenet PCRF

- Reportovanie vadných URL pomocou ICAP

- iRules pre detekciu SNI z SSL prevádzky

RIEŠENIE F5

ICAP calls

PCRF

Gx

Case study Poskytovateľ DSL a VoIP služieb

INTERNETAccess

Network

Mobile

Client

SIP 1

…

LTM & PEM & AFM

SIP 2

- Scenár nasadenia

- SIP Load balancer / proxy

- Inteligentný traffic shaping

- Carrier-grade Firewall

- Úspora US$150,000 na CAPEX (konkurenčné riešenie US$250,000)

- Úspory na OPEX - konsolidácia (správa, trénink)PRÍNOSY


CONS

AFM

DNS

CGNAT Consolidate with

Consolidating SP’s security

Protection for networks

and applications

Fewer devices translates to

lower latency for

subscribers

Consolidation of firewall,

application security, and

traffic management

BEFORE F5

WITH F5

Load

Balancer

Firewall

DNS Security

Network DDoS

LoadBalancer & SSL

Application DDoS

Web Application Firewall

Web AccessManagement

BEFORE F5

WITH F5

Load

Balancer

Firewall

DNS Security

Network DDoS

LoadBalancer & SSL

Application DDoS

Web Application Firewall

Web AccessManagement

Consolidating SP’s security

Protection for networks

and applications

Fewer devices translates to

lower latency for

subscribers

Consolidation of firewall,

application security, and

traffic management

Protection for mobility

and core infrastructure

with user awareness

High scale for the

demands of 4G and IPv6

deployments

Consolidation of security,

address, and traffic

management

BEFORE F5

WITH F5

FirewallPGW/

GGSN

DPI, Parental

Control, …

CG-NAT

Consolidating SP’s service functions

Protection for mobility

and core infrastructure

with user awareness

High scale for the

demands of 4G and IPv6

deployments

Consolidation of security,

address, and traffic

management

BEFORE F5

WITH F5

FirewallPGW/

GGSN

DPI CG-NAT

PGW/

GGSN

FirewallDPI CG-NAT

Consolidating SP’s service functions

Documents

Service Providers trends - ALEF