Case studies for service providers · static.veracomp.pl/cdn/files/bj9j65-3sh/full.pdf

Case studies for service providers. Grzegorz Kornacki, Field Systems Engineer. March 2015


© F5 Networks, Inc 2

1. Introduction to F5 architectures in Core Networks and Datacenters

2. Traffic monetization: content injection, header enrichment

3. Network Quality: TCP-acceleration, SPDY proxy

4. VAS: Parental Control, Security-as-a-Service

5. Network Cost reduction: Intelligent Traffic Steering, Gi-LAN consolidation

6. Security

7. Virtualization: NFV+SDN use cases

Agenda / subjects


Facts about F5 load balancers

Internet

member 1

member 2

member 3

F5 LTM user


LB facts

Correlates packets

SNATs

stateful

Remembers the source

May enforce


Our use case

Internet

member 1

member 2

member 3

F5 LTM user


Complex architectures in the S/Gi network

Internet RTR FW DPI/TDF L2 Switch RTR

Mobile Devices

Video optimization Transparent caching URL filtering

Value-added services (VAS)

Control Plane

DNS PCRF IMS AAA HSS OCS DRA

Challenges

• Complex architecture, hard to scale

• Resulting high CapEx and OpEx

• Difficulty adding new services

LDNS

Static port80 based steering into VAS complex

Multiple point product solutions inline in the data path

CGNAT

LDNS

PGW/GGSN

Challenges with current approach


A Changing Environment

SSL / SPDY INCREASE

• In many countries, SSL traffic (HTTPS and SPDY) on mobile networks is currently reaching around 50% of total Internet traffic

• Top web sites such as Google, Facebook, and Twitter use SPDY

• HTTP 2.0 being standardized in IETF with browsers requiring TLS encryption when setting up HTTP 2.0 connections

RISE OF ADAPTIVE BIT RATE VIDEO STREAMING

• Top video sites such as YouTube, Netflix, Hulu, and BBC iPlayer have all embraced ABR video technology

• Video is encoded at different bit rates, client dynamically chooses or changes appropriate bit rate based on network conditions


A Changing Environment

NFV & SDN

• Industry moving ahead on virtualization and NFV (Telco Cloud)

• The EPC and Gi LAN architecture are prime targets for NFV

• Service chaining POCs happening in many places

IPV6 ADOPTION

• IPv6 adoption is rising rapidly: over 4% of all users access Google via IPv6 (USA: 9.6%, Germany: 11.1%, France: 5.4%, Japan: 5.6%) (*)

• Still, apart from some exceptions, the IPv6 adoption rate in mobile networks remains low

(*) Source: https://www.google.com/intl/en/ipv6/statistics.html


The new Gi LAN should focus on …

Monetize Secure Optimize

Quality of Experience mgmt

Easy opt-in/opt-out modules

OTT partnerships & flexible charging

Intelligent steering to VAS

Consolidate L4-L7 functions

TCP Optimization

Migrate to NFV-based solution

Network Security (Gi FW)

Dynamic subscriber security

IPv4/IPv6 Transition

Re-architect the Gi LAN with F5


F5 in the S/Gi network – A Consolidated Approach Simplifying the delivery of network services

BEFORE F5

WITH F5

PGW/GGSN

Firewall

PGW/GGSN

Policy Enforcement

CGNAT Internet

Internet

LDNS URL Filtering

RTR

VAS layer

Static port 80 steering

Dynamic & intelligent steering

VAS layer

VIPRION


Key F5 network services – Optimize, Monetize, Secure

A unified platform and single management framework

Intelligent traffic management

CGNAT and IPv6 migration

ICSA certified network firewall

Policy enforcement

TCP optimization

Header Enrichment

Content Injection

URL filtering (HTTP URI / HTTPS SNI)

How it works – the framework


Optimize the Gi LAN – Increase VAS Efficiency

INTELLIGENT STEERING

PGW/ GGSN

Internet

VIPRION

RTR

Data Center

Video Optimization

Transparent Caching

Parental Controls

WAP Gateway

Context-aware & policy-driven steering & intelligent service chaining

CONTEXT: SUBSCRIBER, DEVICE-TYPE, RAT-TYPE, CONTENT (VIDEO, URI, ...), CONGESTION

PCRF

Diameter Gx


1. Recognize subscriber

2. Ask for a policy

3. Recognize traffic

Customers’ traffic recognition in 3 steps


Lab architecture


Recognize subscriber


DHCPv4 and DHCPv6 subscriber discovery

• In addition to Radius, use DHCP to discover subscribers

• Relay mode (L2 model)

• Forward mode (L3 model)

• Lightweight BNG functionality to cover

• Wireline market (DSL, FTTx)

• Wi-Fi market (L2 APs)

One new module

DHCP module: providing DHCP relay/proxy for IPv4 and IPv6

BIG-IP

DHCP MODULE

PEM LISTENER

SUBSCRIBER INTERNET

DHCP SERVER

POOL

Sub Mgmt Msgs


DHCPv4 and DHCPv6 subscriber discovery

DHCP OPTION 82

CODE | LENGTH | DATA

DATA is a sequence of sub-options:

SUBOPTION CODE | SUBOPTION LENGTH | SUBOPTION DATA

SUBOPTION CODE | SUBOPTION LENGTH | SUBOPTION DATA

SUBOPTION CODE | SUBOPTION LENGTH | SUBOPTION DATA
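A bounds-checked parser for the option 82 layout above, as an added Python example (not from the original slides and not F5 code). Sub-option codes 1 and 2 are the Agent Circuit ID and Agent Remote ID from RFC 3046; the sample bytes are constructed, and rejecting duplicate sub-options is a policy choice of this example.

```python
OPTION_82 = 82
# Sub-option names from RFC 3046; the slide shows only the generic layout.
SUBOPTION_NAMES = {1: "agent-circuit-id", 2: "agent-remote-id"}


class Option82Error(ValueError):
    """The option, or one of its sub-options, is malformed."""


def parse_option82(option):
    """Split CODE | LENGTH | DATA into a list of (sub-option code, data) pairs."""
    if len(option) < 2:
        raise Option82Error("shorter than the 2-byte CODE/LENGTH header")
    code, length, data = option[0], option[1], option[2:]
    if code != OPTION_82:
        raise Option82Error(f"option code {code}, expected {OPTION_82}")
    if length != len(data):
        raise Option82Error(f"LENGTH says {length}, DATA has {len(data)} bytes")
    subs, seen, pos = [], set(), 0
    while pos < len(data):
        if pos + 2 > len(data):
            raise Option82Error("truncated sub-option header")
        sub_code, sub_len = data[pos], data[pos + 1]
        end = pos + 2 + sub_len
        if end > len(data):
            raise Option82Error(f"sub-option {sub_code} runs past the option")
        if sub_code in seen:  # policy choice of this example: identity would be ambiguous
            raise Option82Error(f"duplicate sub-option {sub_code}")
        seen.add(sub_code)
        subs.append((sub_code, data[pos + 2:end]))
        pos = end
    return subs


def subscriber_fields(option):
    """Name the sub-options a subscriber-discovery step would key on."""
    return {SUBOPTION_NAMES.get(c, f"suboption-{c}"): v
            for c, v in parse_option82(option)}


# Constructed sample: circuit ID "eth0/1:100", remote ID 00:11:22:aa:bb:cc.
_DATA = b"\x01\x0a" + b"eth0/1:100" + b"\x02\x06" + bytes.fromhex("001122aabbcc")
SAMPLE_OPTION = bytes([OPTION_82, len(_DATA)]) + _DATA

if __name__ == "__main__":
    for name, value in subscriber_fields(SAMPLE_OPTION).items():
        print(name, value.hex())
```

Because the relay inserts this option and the subscriber record is keyed on it, a length field that overruns the buffer or a repeated sub-option is rejected rather than silently truncated.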


Other methods


1. Recognize subscriber

2. Ask for a policy

3. Recognize traffic

Customers’ traffic recognition in 3 steps


Ask for a policy


• While using DHCP to discover subscribers, it is also possible to:

• Authenticate the subscriber

• Generate accounting records

DHCP subscriber discovery With Authentication

BIG-IP

DHCP MODULE

PEM LISTENER

SUBSCRIBER INTERNET

DHCP SERVER POOL

RADIUS AUTH. MODULE

Sub Mgmt Msgs

Auth Msgs

RADIUS SERVER POOL


Radius Event Example iRule


1. Recognize subscriber

2. Ask for a policy

3. Recognize traffic

Customers’ traffic recognition in 3 steps


1. Recognize subscriber

2. Ask for a policy

3. Recognize traffic

Flow

Customers’ traffic recognition in 3 steps


1. Recognize subscriber

2. Ask for a policy

3. Recognize traffic

Flow

URL categorization

Customers’ traffic recognition in 3 steps


1. Recognize subscriber

2. Ask for a policy

3. Recognize traffic

Flow

URL categorization

Classification - DPI

Customers’ traffic recognition in 3 steps


1. Recognize subscriber

2. Ask for a policy

3. Recognize traffic

Flow

URL categorization

Classification – DPI

iRule: anything else you need

Customers’ traffic recognition in 3 steps


1. Recognize subscriber

2. Ask for a policy

3. Recognize traffic

4. Treatment:

• Steering

Customers’ traffic recognition in 3 steps

Monetize the Gi LAN – Opt-in / Opt-out Services

INTELLIGENT STEERING & SERVICE CHAINING

PGW/ GGSN

Internet

VIPRION

RTR

Data Center

Cloud Storage

Security Services

Parental Controls

Streaming Services

Subscriber-aware (PCRF controlled) traffic steering & service chaining

PCRF

Diameter Gx

• PCRF controls steering and service chaining on a per subscriber basis (dependent on subscription)

• Any combination of services is possible


1. Recognize subscriber

2. Ask for a policy

3. Recognize traffic

4. Treatment:

• Steering

• Bandwidth enforcement

Customers’ traffic recognition in 3 steps

Monetize the Gi LAN – Bandwidth and QoE management

Even if the subscriber is entitled to more by the subscriber bandwidth policy, their P2P traffic is reduced to the configured value (512 kbps)

Gold Subscriber (20 Mbps)

Silver Subscriber (10 Mbps)

Bronze Subscriber (5 Mbps)

PER-SUBSCRIBER BANDWIDTH CONTROL

PER-SUBSCRIBER PER APPLICATION BANDWIDTH CONTROL

PGW/GGSN VIPRION

PGW/GGSN VIPRION

Gold Subscr total (20 Mbps)

Gold Subscr p2p (512 kbps)

PCRF


1. Recognize subscriber

2. Ask for a policy

3. Recognize traffic

4. Treatment:

• Steering

• Bandwidth enforcement

• Real-time billing

Customers’ traffic recognition in 3 steps

OTT MONETIZATION & FLEXIBLE CHARGING

Monetize the Gi LAN – OTT & Special Svc Monetization

PGW/GGSN VIPRION

Gold Subscr total (acct only)

OTT Service (acct + DSCP mark) PCRF

• Subscription models / bundles for OTT or specialized service

• Bundled into subscription for a lower fee

• OTT traffic excluded from volume bundle

• OTT traffic marked/tagged for differential treatment at radio layer

SPECIALIZED SERVICE (MNO BRAND)


Traffic type – rating group assignment


1. Recognize subscriber

2. Ask for a policy

3. Recognize traffic

4. Treatment:

• Steering

• Bandwidth enforcement

• Real-time billing

• Enrichment

Customers’ traffic recognition in 3 steps


Header injection


• HTTP header enrichment for subscriber identification

• Content insertion (JavaScript) into HTTP payload to enable

• In-browser notifications

• Toolbar insertion

• Ad insertion

Monetize the Gi LAN – Content Insertion

BNG/BRAS

Internet

1. Content being sent back to subscriber; data maxed out

2. JavaScript insertion about quota max

3. Subscriber realizes they have maxed out data

CONTENT INJECTION / AD INSERTION


Content injection


Content injection – commercial deployment

Header Ad

Toolbar Handle


Ad server usually receives from F5:

• Customer ID

• Customer’s tariff plan.

• Last known location

• Original URN

• Destination IP and destination Geo Location

• Local time

Content injection – commercial deployment


1. Recognize subscriber

2. Ask for a policy

3. Recognize traffic

4. Treatment:

• Steering

• Bandwidth enforcement

• Real-time billing

• Enrichment

• Policing

Customers’ traffic recognition in 3 steps


1. Pass DNS, but apply an anti-DNS-tunneling iRule

2. Filter HTTP by built-in URL reputation + custom URL db

a) Dest IP anti-spoofing, to block /etc/hosts tricks

b) Built-in DNS resolver/cache

c) Block HTTP tunnelling

3. Filter HTTPS by built-in URL reputation + custom URL db

a) Option 1: SNI checks

b) SSL forward proxy with banking whitelist

4. SMTP, POP3, IMAP steered via external mail filter

5. Additional white list for known good IP/ports

6. BLOCK

Parental control example


1. Recognize subscriber

2. Ask for a policy

3. Recognize traffic

4. Treatment:

• Steering

• Bandwidth enforcement

• Real-time billing

• Enrichment

• Policing

• CGNAT

Customers’ traffic recognition in 3 steps


LSN modes:

• Network Address Port Translation

• Deterministic NAT

• Port-Block Allocation

Carrier Grade NAT integration


1. Recognize subscriber

2. Ask for a policy

3. Recognize traffic

4. Treatment:

• Steering

• Bandwidth enforcement

• Real-time billing

• Enrichment

• Policing

• CGNAT

• iRules

Customers’ traffic recognition in 3 steps

The Consolidation


Optimize the Gi LAN – Consolidate Network Functions

L2 switching MPLS L2 PE

L3 routing MPLS L3 PE

BRAS/BNG

Full Proxy (TCP opt, HHE)

Firewall

L3/L4 Steering

Policy Enforcement

CGNAT

TCP OPTIM

DPI/PCEF

L7 STEERING

FW/CGN

HTTP HE

2010–2014 2005–2010 L2–L3 L4–L7

IP ROUTING

MPLS L2 PE

MPLS L3 PE

BRAS/BNG

Multi-service router

Dedicated platforms, different vendors

Single platform, L2–L3 consolidation

Dedicated platforms, different vendors

Unified platform, L4–L7 consolidation

TCP Optimization


Optimize the Gi LAN – TCP Optimization

Minimal Buffer Bloat

Flow Fairness

High Goodput

Diagram labels: Mobile Client; 2G/3G; LTE; PGW/GGSN; RTR; VIPRION; TCP EXPRESS; INTERNET; Origin Server

Cell-optimized TCP stack

WAN-optimized TCP stack


TCP Optimization Helps Avoid Bufferbloat

RTT graphs are based on two file downloads under good 3G coverage

NON-OPTIMIZED (11 Mbps): up to 2.5 seconds latency

OPTIMIZED (11 Mbps): constant 200 ms latency

LATENCY MAY NOT DESTROY THROUGHPUT, BUT WILL DEGRADE BROWSING EXPERIENCE


HTTP Performance Tests – Location Variances (3G)

[Charts: Case 1 – 100 * 64KB images; Case 2 – 1 * 10MB image; Case 3 – Regular website 1; Case 4 – Regular website 2. Each chart shows Optimized (sec), As-is (sec) and Improvement (%) for Business center, Shopping mall and Residential area.]

SPDY


Ref test: duckduckgo.com (25 samples on 4G)

HTTPS/SPDY Performance Tests

TCP OPTIMIZATION PROVIDES ADDITIONAL BENEFITS ON TOP OF SPDY BENEFITS

Impact SPDY/Optimizer, gain in download time (%):

Non-SPDY: 0%; SPDY: 11%; Non-SPDY-OPT: 23%; SPDY-OPT: 31%

Impact SPDY/Optimizer, page download time (seconds):

Non-SPDY: 1.64; SPDY: 1.46; Non-SPDY-OPT: 1.27; SPDY-OPT: 1.16


• HTTP inefficient and outdated

• HTTP protocol inefficiencies have a negative impact on mobile web browsing experience

• Due to higher latencies in mobile networks

• SPDY: New app layer protocol developed by Google

• Overcomes inherent inefficiencies with HTTP

• Improved performance (~ 20-50%)

• Good for low bandwidth / high latency mobile networks

• Forms the basis for HTTP 2.0 in IETF

SPDY – Load Web Pages Faster


F5’s HTTP - to - SPDY Gateway (Data Center / Reverse Proxy)

1) Client connects to BIG-IP via HTTP

2) BIG-IP sends “Alternate-Protocol: 443:npn-spdy/2” header

3) Client sends GET request via SPDY

4) BIG-IP converts SPDY request to HTTP and sends to server

5) Server sends HTTP response, BIG-IP converts to SPDY and sends to client

SPDY 2

SPDY 3

SPDY 3.1

HTTP 2.0 (experimental)

SSL Forward proxy


A Normal SSL Transaction

Participants: Client/Browser, Internet or WAN, Web Service

TCP Connection

SSL Client Hello

Server Hello (plus Certificate)

Server Certificate Validation

HTTP/S Requests and Responses

Trusted CA Certificates

Server Certificate


SSL Transaction with F5 SSL Forward Proxy

Participants: Client/Browser, BIG-IP, Internet or WAN, Web Service

TCP Connection

SSL Client Hello

Server Hello (plus Certificate)

Server Certificate Validation

HTTP Requests and Responses

Trusted CA Certificates

Server Certificate

New Server Certificate

Service Provider CA Cert

Diagram callouts: Proxied! Proxied! Intercepted! Spoofed! Optimizable!


Original Server Certificate Forged Server Certificate

Original server certificate vs forged certificate

3/11/2015 70


• Parental control

• Anti malware

SSL Forward Proxy use cases

Security and NAT-ing


Protecting the Radio Resources

Service Delivery Controller

(LTM)

Before / After

Cleans only 2-3% of bad traffic

Paging 1000s of handsets can cause CPU to spike and cause RNC out of service

SYN ACK and port scan attack

• Protection of the Radio Area Network

• Reduced CapEx Spend on expansion of RNC

• Maintained good network User Experience

• Simplified Traffic Plane – Consolidated Gi Firewall, IDS/IPS, Traffic Steering, Analytics

Diagram labels: VS (two virtual servers); F5 Full Proxy Architecture; 3-way TCP handshake (SYN, SYN ACK, ACK)

By adding a VS on the internet-facing side, all the SYN ACK traffic was dropped. Further, by adding a source IP counter/time, port scans were detected and dropped. 98% of attacks dropped.
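The two checks described above (drop SYN ACKs that match no subscriber-initiated connection, then count per source IP over time to catch port scans), as an added Python example that is not part of the original slides and not F5's implementation. The class name, the 10-second window, the limit of 5 targets and the packet trace are assumptions constructed for illustration.

```python
from collections import defaultdict, deque

WINDOW_S = 10      # assumed counting window, in seconds
MAX_TARGETS = 5    # assumed limit on distinct (dst, port) pairs per source per window


class InternetSideFilter:
    """Stateful check for packets arriving from the internet towards subscribers."""

    def __init__(self, window_s=WINDOW_S, max_targets=MAX_TARGETS):
        self.window_s = window_s
        self.max_targets = max_targets
        self.pending = set()              # subscriber SYNs still waiting for a SYN-ACK
        self.recent = defaultdict(deque)  # src -> (ts, dst, dport) of stateless packets
        self.blocked = set()              # sources already flagged as scanners

    def outbound_syn(self, sub_ip, sub_port, remote_ip, remote_port):
        """Record a connection attempt opened by a subscriber."""
        self.pending.add((sub_ip, sub_port, remote_ip, remote_port))

    def inbound(self, ts, src, sport, dst, dport, flags):
        """Return 'pass' or a drop reason for one internet-side packet."""
        if src in self.blocked:
            return "drop:blocked-source"
        flow = (dst, dport, src, sport)
        if flags == "SA" and flow in self.pending:
            self.pending.discard(flow)    # completes a handshake the subscriber started
            return "pass"
        # No matching state: count the packet against its source.
        seen = self.recent[src]
        seen.append((ts, dst, dport))
        while seen and ts - seen[0][0] > self.window_s:
            seen.popleft()
        if len({(d, p) for _, d, p in seen}) > self.max_targets:
            self.blocked.add(src)
            return "drop:port-scan"
        return "drop:unsolicited-synack" if flags == "SA" else "drop:no-state"


def run_sample():
    """Replay a constructed trace and return the verdict for each inbound packet."""
    f = InternetSideFilter()
    verdicts = []
    # A subscriber opens a connection; the server's SYN-ACK is legitimate.
    f.outbound_syn("10.0.0.5", 40000, "198.51.100.7", 443)
    verdicts.append(f.inbound(0.5, "198.51.100.7", 443, "10.0.0.5", 40000, "SA"))
    # One source sends SYN-ACKs to eight ports of a subscriber that never asked.
    for i in range(8):
        verdicts.append(
            f.inbound(1.0 + i * 0.1, "203.0.113.9", 80, "10.0.0.6", 1000 + i, "SA"))
    return verdicts


if __name__ == "__main__":
    for verdict in run_sample():
        print(verdict)
```

Every unsolicited packet is dropped before it can trigger paging; the counter only decides when a source is blocked outright instead of being evaluated packet by packet.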


Secure the Gi LAN

IPV4 CENTRIC NAT44: Solving the IPv4 address exhaustion problem with NAT44 (with CGN acting as FW)

IPV6 CENTRIC NAT64 / 464XLAT: Migration to IPv6-only architecture using NAT64/DNS64 and/or 464XLAT

GI FIREWALL (IPV4/V6) & NETWORK DDOS: Protect network infrastructure and radio resources against outside threats


NAT44

Secure the Gi LAN – IPv4 centric / NAT44

Public IPv4 address space Private IPv4 address space

VIPRION PGW/ GGSN

RTR Internet

NAT44

• Dynamic NAPT, Deterministic NAPT, Port Block Allocation

• Extensive ALG, hairpinning and EIF/EIM support

• Unprecedented scale & performance (Gbps, cps, max conns)

• High-Speed logging with flexible log field inclusion/exclusion


Secure the Gi LAN – IPv6 centric / NAT64 & 464XLAT

NAT64/DNS64 & 464XLAT

Public IPv4 address space

Public IPv6 address space

VIPRION PGW/ GGSN

RTR Internet

NAT64

• NAT64/DNS64 and 464XLAT support for IPv4-only destinations

• Gi firewall for native IPv6 traffic

• Unprecedented scale & performance (Gbps, cps, max conns) for both NAT and Gi firewall

464XLAT

IPV6 FW Public IPv6 address space

Public IPv4 address space

DNS64


Secure the Gi LAN – Gi Firewall & DDOS Mitigation

GI FIREWALL & DDOS MITIGATION

Public IPv4 address space

Public IPv6 address space

VIPRION PGW/ GGSN

RTR Internet

IPV4 FW

• Unprecedented scale & performance (Gbps, cps, max conns) for Gi firewall

• BIG-IQ for Centralized management of security policies & DDOS profiles

• Protection against device vulnerabilities (battery drain attacks, malware) and network vulnerabilities (RAN resource exhaustion, revenue leakage, policy violations)

IPV6 FW Public IPv6 address space

Public IPv4 address space

BIG-IQ


Network Capacity

[Charts: Throughput, Connections per second, Sessions and Footprint, each comparing F5 (VIPRION 4480), Juniper (SRX 5800), Cisco (ASA 5585-X) and Check Point (61000). Axis units shown: Gbps, millions, rack units. Chart callouts: 2x, 14x, 22x, 10x.]


Application-Oriented Policies and Reports

Firewall policies and reports oriented around the application

NFV & SDN


Optimize the Gi LAN – NFV-Ready. A stepwise approach: from VAS bursting to full NFV solution

Diagram labels: PGW/GGSN; Internet; RTR; Video Optimization; VM Management and Orchestration; Transparent Caching; URL Filtering; Parental Controls; Hypervisor with VNFs (four instances); Gi VAS; ADC; Firewall; DNS; VIPRION; CGNAT; TCP Optimization; Policy Enforcement


F5 & SDN

Diagram labels: Control Plane; Data Plane; Software-Defined Network; SDN Controller; Layer 2-3 Fabric; Virtual and Overlay Networks (VXLAN, NVGRE); Orchestrator; iApps; Open REST APIs; L4-7 Stateful Fabric

Conclusions

Monetize the Gi LAN: From flat fee to value-based pricing models

OPT-IN / OPT-OUT VALUE ADDED SERVICES: Intelligent and context-aware traffic steering to value added service platforms based on a subscriber opt-in/opt-out model

OTT MONETIZATION & FLEXIBLE CHARGING: Monetizing OTT services by flexible charging mechanisms and OTT partnerships for service differentiation

BANDWIDTH CONTROL & QOE MANAGEMENT: Bandwidth controls, TCP optimization and context-aware traffic management

HEADER ENRICHMENT & CONTENT INSERTION: Content insertion for toolbar injection or ad insertion. HTTP header enrichment for identification purposes


Optimize the Gi LAN

CONSOLIDATE NETWORK FUNCTIONS: Consolidation of L4-L7 functions into a single platform (steering, DPI, firewall, CGNAT, ...)

INCREASE VAS LAYER EFFICIENCY: Context-aware and policy-enabled traffic steering to offload VAS & optimization services complex

TCP OPTIMIZATION: Increase throughput and web page load times on the radio network

NFV-READY (VAS BURSTING): As traffic increases, scale to meet demand with VAS service bursting and improve end user experience and application performance


Advantages of S/Gi network consolidation with F5

$1.1 million Projected 5-year cost savings for 20M subscribers

36-46% lower TCO

[Chart: S/Gi Network Simplification: 5-Year Cumulative TCO, in millions (axis $- to $4), CapEx and OpEx for F5 Networks vs. Alternative Point Products. Callout: 36% lower cost.]


Consolidating mobile policy and security Use case

Protection for networks and applications

Fewer devices translates to lower latency for subscribers

Consolidation of firewall, application security, and traffic management

BEFORE F5

WITH F5

Load Balancer

Firewall

DNS Security

Network DDoS

Load Balancer & SSL

Application DDoS

Web Application Firewall

Web Access Management

Chain is as strong as its weakest link


Take a phased approach to this architecture …

Immediate pain point: Improve VAS; Security at scale; Address IPv4 depletion

Implementation phase (sequences shown):

• 1. CGNAT, 2. S/Gi FW, 3. PEM, 4. NFV, 5. HE

• 1. S/Gi FW, 2. CGNAT, 3. ITM, 4. PEM, 5. NFV

• 1. ITM, 2. S/Gi FW, 3. NFV, 4. CGNAT, 5. PEM

Target S/Gi network

F5 Consolidated Gi LAN solution

• Different approaches for different needs and priorities

• Flexibility and extensibility to future-proof your network

If I can be of further assistance please contact me:

[email protected] | +48 609 790 124


F5 for L4-L7 Consolidation Context-aware full-proxy architecture

Network

Session

Application

Web application

Physical

Client / Server

TCP optimization

DPI analysis

Context-aware Steering

Service Chaining

Bandwidth control

Accounting/Charging

HTTP hdr inspect – filter

HTTPS / SSL SNI check

URL classification

Network

Session

Application

Web application

Physical

Client / Server

Gi Firewall, CGNAT

DPI analysis

HTTP hdr enrich

HTTP hdr inspect - filter

Context: Subscriber-id, Device-type, Application, RAT-Type, Congestion level, ...

L4

L7