
THE MX-SERIES AS SERVICE DELIVERY GATEWAY IN MOBILE NETWORKS

Norbert Wicker, EMEA Advanced Technology Specialist 8th September 2012

SDG: SOLVING TODAY'S PROBLEMS

Juniper Service Delivery Gateway (SDG) on Juniper MX 3D Universal Edge Routers

- Network Address Translation: CGN
- Security: Stateful Firewall, IPsec, IPS
- Traffic Control: Dynamic App Awareness, Dynamic Sub Awareness
- Load Balancing: Application Delivery Control (ADC), Transparent Load Balancer (TLB)
- Network Visibility: Dynamic Flow Capture, J-Flow

Copyright 2012 Juniper Networks, Inc. www.juniper.net

THE BIG PICTURE OF A MOBILE USE CASE



USE CASE 1: MOBILE OPERATOR SERVICES ZONE: FW/CGN, ADC, TRIO-BASED JFLOW, TLB

Problem:
- Complexity and operation
- Optimization

Solution on Gi:
- Simplify: cost-saving services architecture
- CGN NAT44(4)/NAT64
- SFW to replace the existing FWs
- ADC for outbound HTTP/S, DNS, RADIUS
- Support all the existing routing requirements such as OSPF/BGP and VRFs
- Combine multiple services zones

(Diagram: the existing Services Complex, two parallel 20Gig zones each built from FW/NAT, ADC/SLB, switching, DNS, routing, caching, optimization [video/web] and access/GW, is collapsed into one 40Gig Next Gen Services Complex with CGN/SFW, ADC/SLB, DNS, caching, switching, optimization [video/web] and access/GW on the MX.)

THE PRICE TAG DRIVER

Compared with traditional service delivery methods, the SDG has:
- 41% shorter time for the initial deployment and 46% less time to incrementally add new applications
- 14 times less service implementation risk
- Approximately 3 times less operational risk
- 72% reduced power, 76% reduced floor space, 69% reduced cooling
- 50% lower TCO

USE CASE 1: MOBILE OPERATOR SERVICES ZONE: FW/CGN, ADC, TRIO-BASED [JFLOW, HYBRID-ADC]

(Traffic-flow diagram, "With SDG orchestrating multiple mobile services":)
- 8x10G Gi traffic mix, v4/v6, into the MX
- 80G exported with IPFIX/J-Flow
- CGN/SFW on the Gi traffic
- ~2G VIP mix traffic to the ADC/SLB VIP: HTTPS, DNS, RADIUS, MME
- 16G [80G x 20%] to the TLB over 16x10G
- 72G video and web to the web and video optimization MSP
- Internet DMZ: HTTP 10G uplink, 62G downlink = DSR (direct server return)

USE CASE 2: REQUIREMENTS AND PAIN POINT

Requirement: performance
- More than 52M stateful sessions
- More than 1M stateful CPS
- More than 140Gbps (70Gbps full duplex) at 512-byte frame size

Key features
- HTTP header enrichment to distinguish subscribers
- Support for overlapping subnets

Pain point: launching a VoLTE service, which needs two IP addresses per UE
- With this service the private IP address space (10/8) cannot cover all of the subscribers, so SP-X plans to use an overlapping subnet per GGSN or PGW.
- However, the current billing system for MMS and IPTV can distinguish subscribers by IP address only.

SOLUTION VALUE PROPOSITION

Scalable performance: with 8 x MS-DPC, an MX-960 supports
- 68M stateful sessions (actually I got 67M with Spirent)
- More than 1M stateful CPS with RST
- 70Gbps full duplex (140Gbps) UDP throughput at 512 bytes with 56M flows (3.5M flows per NPU)

HTTP Content Management (HCM) / Junos Web Aware (JWA)
- HCM supports several functions; SP-X wants HTTP header insertion of a RADIUS attribute.
- The MX-960 inserts the subscriber's RADIUS attribute into the HTTP header, and the billing system distinguishes subscribers by that header information, e.g. the MSISDN.

NEXT GENERATION NETWORK ADDRESSING CARRIER GRADE NAT



ABOUT THE CHALLENGE: IPV4 ADDRESS DEPLETION (E.G. IN EUROPE)

The IANA pool of available IPv4 addresses was exhausted on 3 February 2011. The RIPE NCC is still able to allocate IPv4 addresses to its members from its pool of IPv4 addresses for an unspecified period. The Internet will not stop functioning when the remaining IPv4 addresses are depleted.

Source: http://www.ripe.net/internet-coordination/ipv4-exhaustion/ipv4-available-pool-graph. The amount of IPv4 addresses shown includes the 4.26 million IPv4 addresses temporarily set aside for the De-Bogonising New Address Blocks project. The graph includes the last /8 that the RIPE NCC received from the IANA on 3 February 2011 and the /13 pool for temporary assignments (both shown by the yellow horizontal line).

Deploying IPv6 is the only option for Internet growth and evolution.


RIPE NCC IPV4 AVAILABLE POOL - GRAPH


http://www.ripe.net/internet-coordination/ipv4-exhaustion/ipv4-available-pool-graph


WHAT NEXT?

Depends on:
- Your unused IPv4 address pool
- Your subscriber and service growth
- Your network and operations readiness
- Your budget and resources
- Your market strategy
- Your vendors

IP FAMILY TRANSITION SERVICES ON MS-PIC/MS-DPC

(Numbers in parentheses are the Junos releases that introduced the feature.)

IPv6 features
- IPv6 NAT and IPv6 stateful firewall
- NAT-PT supported (ICMP ALG); NAT-PT DNS ALG (10.4)
- NAT66 supported
- NAT64 (10.4)
- 8 MS-DPC per chassis (11.4)

NAT44
- Supports the CGN requirements (draft-ietf-behave-lsn-requirements-00)

IPv6 softwire
- DS-Lite (10.4)
- 4over6 (10.4)
- 6rd/6to4/6to4-PMT (11.2)

DIMENSIONING CGN

Three primary data points are required to size a CGN deployment:
- Number of concurrent subscribers
- Sessions per second per subscriber
- Bandwidth required per subscriber

These three elements are enough to provide a model for sizing any CGN solution.

Sizing of the solution also depends on the deployment type: centralized vs. decentralized, which is dependent on the network architecture.
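The three data points above can be turned into an explicit sizing calculation. The following is an added example, not Juniper's sizing tool: it takes the three inputs plus one extra assumption (concurrent sessions per subscriber, which the deck's 52M-session requirement implies but never states per subscriber) and checks them against the per-card NAPT44 figures quoted on the performance slide later in this deck (19Gbps, 17M flows, 1.2M flows/sec, with a flow counted uni-directionally). The demand in `EXAMPLE_DEMAND`, the `headroom` factor and the two public-pool helpers are this example's own constructions.

```python
"""CGN sizing model (added example; inputs are constructed, not an operator's data)."""
import math
from dataclasses import dataclass

USABLE_PORTS_PER_IP = 65535 - 1024 + 1   # 64512: assumption that ports below 1024 are not handed out


@dataclass(frozen=True)
class CardCapacity:
    """Per service-card limits. Defaults are the deck's NAPT44 (PBA) figures for one MS-DPC."""
    throughput_gbps: float = 19.0
    max_flows: int = 17_000_000          # uni-directional flows
    flow_setup_per_sec: int = 1_200_000  # uni-directional flows per second


@dataclass(frozen=True)
class Demand:
    subscribers: int                     # concurrent subscribers behind the CGN
    sessions_per_sub: float              # concurrent sessions per subscriber (assumption, not on the slide)
    new_sessions_per_sec_per_sub: float  # sessions per second per subscriber
    kbps_per_sub: float                  # average bandwidth per subscriber


def size_cgn(d: Demand, card: CardCapacity = CardCapacity(), headroom: float = 0.8) -> dict:
    """Return the aggregate demand and the number of cards needed on each axis.

    A session is bidirectional, so it costs two of the deck's uni-directional flows.
    `headroom` is the fraction of a card we plan to use (0.8 keeps 20% spare); the binding
    axis is whichever needs the most cards, which for a mobile CGN is usually flows, not bandwidth."""
    sessions = d.subscribers * d.sessions_per_sub
    flows = sessions * 2
    cps = d.subscribers * d.new_sessions_per_sec_per_sub
    gbps = d.subscribers * d.kbps_per_sub / 1_000_000
    cards = {
        "by_flows": math.ceil(flows / (card.max_flows * headroom)),
        "by_setup_rate": math.ceil(cps * 2 / (card.flow_setup_per_sec * headroom)),
        "by_throughput": math.ceil(gbps / (card.throughput_gbps * headroom)),
    }
    cards["required"] = max(cards.values())
    return {"sessions": sessions, "flows": flows, "cps": cps, "gbps": gbps, "cards": cards}


def ports_per_subscriber(public_prefix_len: int, subscribers: int) -> int:
    """Ports each subscriber gets if a public pool of this prefix length is shared evenly.
    With PBA or deterministic NAT this is the largest block size the pool can afford."""
    public_ips = 2 ** (32 - public_prefix_len)
    return public_ips * USABLE_PORTS_PER_IP // subscribers


def public_prefix_for(subscribers: int, ports_per_sub: int) -> int:
    """Prefix length of the smallest pool that gives every subscriber `ports_per_sub` ports."""
    ips_needed = math.ceil(subscribers * ports_per_sub / USABLE_PORTS_PER_IP)
    return 32 - math.ceil(math.log2(ips_needed))


# Constructed demand, chosen to resemble the deck's use case 2 (52M sessions, ~1M CPS, 70Gbps).
EXAMPLE_DEMAND = Demand(subscribers=2_600_000, sessions_per_sub=20,
                        new_sessions_per_sec_per_sub=0.4, kbps_per_sub=27)

if __name__ == "__main__":
    r = size_cgn(EXAMPLE_DEMAND)
    print(f"{r['sessions'] / 1e6:.0f}M sessions, {r['cps'] / 1e6:.2f}M CPS, {r['gbps']:.1f} Gbps -> {r['cards']}")
    print("ports per subscriber from a /16:", ports_per_subscriber(16, EXAMPLE_DEMAND.subscribers))
    print("prefix length for 512 ports per subscriber:", public_prefix_for(EXAMPLE_DEMAND.subscribers, 512))
```

With the constructed demand the flow table, not throughput, decides the card count (8 cards by flows against 5 by throughput and 3 by setup rate), which matches the deck's own 8 x MS-DPC figure for this class of requirement; the port helpers show why a /16 per chassis is a realistic public pool when each subscriber needs a few hundred ports.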

DEPLOYED SOLUTIONS

Deployment models:
- Centralized: mobile
- Distributed: wireline
- Deployed in MX pairs for redundancy/HA, both active/active and active/passive
- MPLS VPN

Typical ALGs deployed: FTP, PPTP, RTSP, SIP, TFTP

EIM/EIF (endpoint-independent mapping/filtering):
- P2P gaming in mobile
- Platform gaming (Xbox and PS3) in wireline

DEPLOYED SOLUTIONS (continued)

Load balancing across service cards: ECMP, FBF (filter-based forwarding)

NAT pool methods:
- PBA (port block allocation) when per-session regulatory compliance is not needed
- Session-based dynamic source NAT for regulatory compliance

APPLICATION LAYER GATEWAYS (ALG)

Example ALG percentages from a large mobile provider (data usage), out of 1 million sessions:
- 410 RTSP sessions
- 14 PPTP sessions
- 11 FTP sessions
- 1 TFTP session

Application timeouts directly affect session scalability:
- Too small, and sessions are terminated prematurely
- Too large, and stale sessions consume resources unnecessarily

Custom applications should be defined for well-known applications that do not need EIM/EIF. There is no limit to the number of application definitions.

SUPPORT FOR A LARGE RANGE OF NAT TYPES (NAT44, NAPT44, NAT66, NAT-PT, NAT64, NAPT66, TWICE-NAT)

Standard NAT features
- TCP/UDP/ICMP configurable timeouts and TCP keep-alives
- Load balancing across service cards: 1+1 warm standby, 1+N warm standby, active/active stateless load balancing
- Large number of Application Level Gateways (BOOTP, RPC, rsh, FTP, H.323, ICMP, IIOP, SMB, NetShow, RealAudio, RTSP, SNMP, SQL*Net, TFTP, traceroute, WinFrame, DNS, SIP, PPTP)
- NAT MIB
- Port limit per private IP
- O&M commands: alarms to monitor NAT pool, mapping, session state, etc.; monitoring of total sessions, sessions/sec, session lifetime, etc.

draft-ietf-behave-lsn-requirements
- EIM/EIF
- Hairpinning
- Address pooling paired

Tight routing integration
- VRF/6PE/6VPE support
- CGN bypass

Logging improvement
- Port bucket allocation (11.2)

Service chaining (IDS/IDP, stateful firewall, ...)

PERFORMANCE

Per-card (MS-DPC) performance: on average 19Gbps throughput.

Metric            Throughput   Total flows   Peak flow ramp-up rate (2)   Public port pool   Ramp-up time (4M flows)
NAPT44(4) PBA (1) 19Gbps       17M           1.2M flows/sec               4B ports           4 sec
NAT64             18Gbps       15M           540K flows/sec               4B ports           8 sec

(1) Port Block Allocation (PBA): when PBA is configured, ports for a host are allocated in blocks, and subsequent port allocations for the same host come from the previously allocated block.
(2) Flow = uni-directional flow through the router.

DYNAMIC NAT: RANDOM ALLOCATION OF PORTS

- Good ratio of users per public address
- One log needed per session (needs a substantial logging infrastructure)
- No security issue
- Default NAPT behaviour

(Chart: ratio users/public IP, amount of logging and security, each rated Low to High; diagram of public address port allocation, one user per colour.)

NAT WITH PORT BUCKET/BLOCK ALLOCATION (PBA)

- Contiguous blocks of ports are allocated to a subscriber
- The port is randomly chosen from the allocated block
- Possible to tune the ratio logging/security/users-per-IP
- Dramatically reduces the logging infrastructure needed: a log is only generated on each block allocation and release

(Chart: same three axes; diagram of port allocation showing blocks S1 B1, S2 B1, S2 B2, S1 B2 on one public address, i.e. a subscriber's second block need not be adjacent to its first.)

DETERMINISTIC NAT

- Algorithmic allocation of IP address and port block per subscriber
- Subscribers keep the same public address all the time
- Lowest ratio of subscribers per public address
- No log messages needed at all (logging axis: null)

(Chart: same three axes; diagram of port allocation with fixed slots S1 to S5 on one public address, one user per colour.)
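The three slides above state the trade-off in words. The following added example (my code, not Junos) implements the three allocation policies side by side on a toy public pool and counts the log records each one produces for the same sessions. The pool addresses (198.51.100.x, a documentation range), the block size, the usable port range and the integer subscriber numbering are constructed. The deterministic allocator also demonstrates the property that removes the need for logs: an abuse report quoting a public ip:port is mapped back to the subscriber by arithmetic alone. The flip side is the security axis on the slides: with deterministic allocation anyone can compute which small port block a subscriber uses, whereas random allocation over the whole range is what keeps off-path port guessing expensive.

```python
"""Dynamic NAPT vs port block allocation (PBA) vs deterministic NAT (added example, constructed data)."""
import random
from collections import defaultdict

PORT_LO, PORT_HI = 1024, 65535               # usable public ports (assumption: well-known ports withheld)
PORTS_PER_IP = PORT_HI - PORT_LO + 1         # 64512
POOL = ["198.51.100.1", "198.51.100.2"]      # constructed public pool (RFC 5737 documentation range)
BLOCK = 64                                   # ports per block for PBA and deterministic NAT


class DynamicNAPT:
    """Default NAPT: any free (ip, port) in the pool, chosen at random; one log record per session.
    Random ports across the whole range are what makes off-path port guessing hard."""
    def __init__(self, pool, rng=None):
        self.free = [(ip, p) for ip in pool for p in range(PORT_LO, PORT_HI + 1)]
        self.rng, self.logs = rng or random.Random(0), []

    def open_session(self, sub):
        i = self.rng.randrange(len(self.free))
        self.free[i], self.free[-1] = self.free[-1], self.free[i]   # O(1) random pick
        ip, port = self.free.pop()
        self.logs.append(("SESSION", sub, ip, port))
        return ip, port


class PortBlockNAPT:
    """PBA: a subscriber owns whole blocks and ports are drawn at random inside them.
    A log record is written per block allocation (and, in a real CGN, per release), not per session."""
    def __init__(self, pool, rng=None, block=BLOCK):
        self.free_blocks = [(ip, s) for ip in pool for s in range(PORT_LO, PORT_HI + 2 - block, block)]
        self.rng, self.block, self.logs = rng or random.Random(0), block, []
        self.owned = defaultdict(list)                 # sub -> [(ip, start), ...]
        self.used = defaultdict(set)                   # (ip, start) -> ports in use

    def open_session(self, sub):
        for blk in self.owned[sub]:                    # reuse an owned block that still has room
            if len(self.used[blk]) < self.block:
                break
        else:                                          # none owned, or all full: take a new random block
            blk = self.free_blocks.pop(self.rng.randrange(len(self.free_blocks)))
            self.owned[sub].append(blk)
            self.logs.append(("BLOCK", sub, blk[0], blk[1], blk[1] + self.block - 1))
        ip, start = blk
        port = self.rng.choice([p for p in range(start, start + self.block) if p not in self.used[blk]])
        self.used[blk].add(port)
        return ip, port


class DeterministicNAT:
    """Subscriber index -> (public ip, port block) by arithmetic. Nothing is logged because both
    directions can be recomputed later; the price is that an attacker can compute the block too."""
    def __init__(self, pool, block=BLOCK):
        self.pool, self.block, self.logs = list(pool), block, []
        self.blocks_per_ip = PORTS_PER_IP // block
        self.capacity = len(self.pool) * self.blocks_per_ip   # subscribers this pool can serve
        self.next_off = defaultdict(int)

    def block_for(self, sub):
        if not 0 <= sub < self.capacity:
            raise ValueError(f"subscriber {sub} exceeds pool capacity {self.capacity}")
        return self.pool[sub // self.blocks_per_ip], PORT_LO + (sub % self.blocks_per_ip) * self.block

    def open_session(self, sub):
        ip, start = self.block_for(sub)
        off = self.next_off[sub]
        if off >= self.block:
            raise RuntimeError("port block exhausted")     # a real CGN drops or falls back here
        self.next_off[sub] = off + 1
        return ip, start + off

    def subscriber_for(self, ip, port):
        """Reverse mapping from a public ip:port seen by a third party, with no log lookup at all."""
        return self.pool.index(ip) * self.blocks_per_ip + (port - PORT_LO) // self.block


def compare(subscribers, sessions_each, seed=1):
    """Open the same sessions through all three policies and count the log records each one needs."""
    rng = random.Random(seed)
    nats = {"dynamic": DynamicNAPT(POOL, rng), "pba": PortBlockNAPT(POOL, rng),
            "deterministic": DeterministicNAT(POOL)}
    for nat in nats.values():
        for sub in range(subscribers):
            for _ in range(sessions_each):
                nat.open_session(sub)
    return {name: len(nat.logs) for name, nat in nats.items()}


if __name__ == "__main__":
    print(compare(100, 10))                              # {'dynamic': 1000, 'pba': 100, 'deterministic': 0}
    det = DeterministicNAT(POOL)
    print(det.subscriber_for(*det.open_session(1500)))   # 1500
```

The users-per-IP axis falls out of the same numbers: dynamic NAPT can pack as many subscribers on one address as there are free ports, while PBA and deterministic NAT cap it at 64512 divided by the block size (1008 subscribers per address here), which is the "tune the ratio" knob on the PBA slide.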

LOAD BALANCING

SDG MOBILE OPERATOR USE CASE

(Diagram, "The NEW SDG Mobile Zone: orchestrating multiple mobile services": 8x10G Gi traffic mix v4/v6 into the MX; 16x10G to the TLB; Internet DMZ with HTTP 10G uplink and downlink = DSR; 72G video and web to the web and video optimization MSP.)

CDN USE CASE

Problem: the dynamic growth of video consumes tremendous amounts of bandwidth.

Solution: Pacifica optimized access-based caching.

(Diagram: IPv4 and IPv6 subscribers enter from the access side; the MX series runs the TLB/SLB and distributes over 4 x 10GE to the Pacifica VXA2010 caches; 10GE towards the core, the Internet and the origin server.)

TLB ARCHITECTURE [TRAFFIC LOAD BALANCER]

- Leverages the traffic distribution capabilities of the Trio chipset
- Source IP address based hashing to distribute traffic
- Supports graceful operation change: does not affect traffic flows to other active servers
- Hybrid mode: separate application-level health-check mechanism on the MS-DPC; inline traffic does not require the MS-DPC

Operation (diagram):
1. Monitor application and server health (MS-DPC)
2. Apply next-hop rules according to health status (MX data plane, NPU)
3. Distribute traffic according to the rules (forwarding plane, Trio ECMP load balancing) to the server pool: video, media monitoring, media gateway
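The "graceful operation change" bullet is the property worth checking in any source-hashed load balancer: withdrawing one server should only move the flows that were on it. The following added example (not Juniper's implementation; the deck does not say which hash function Trio uses) contrasts a plain hash-modulo next-hop choice with rendezvous (highest-random-weight) hashing, runs both through the three steps on the slide with a constructed server pool (192.0.2.x) and about a thousand constructed client addresses, and counts how many unaffected flows each one moves when a health check fails a server.

```python
"""Source-IP hashing with and without the graceful-change property (added example, constructed data)."""
import hashlib
import ipaddress

SERVERS = ["192.0.2.11", "192.0.2.12", "192.0.2.13", "192.0.2.14"]        # constructed server pool
CLIENTS = [str(ip) for ip in ipaddress.ip_network("10.0.0.0/22").hosts()]  # 1022 constructed sources


def _h(*parts: str) -> int:
    """Stable 64-bit hash of the joined parts. A hardware LB uses a CRC/XOR hash on the NPU;
    SHA-256 is used here only so the example is deterministic and dependency-free."""
    return int.from_bytes(hashlib.sha256("|".join(parts).encode()).digest()[:8], "big")


def modulo_pick(src_ip: str, healthy: list) -> str:
    """Naive: index = hash(src) mod N. Changing N re-homes most flows, not just the failed server's."""
    return healthy[_h(src_ip) % len(healthy)]


def rendezvous_pick(src_ip: str, healthy: list) -> str:
    """Rendezvous (HRW) hashing: each source goes to the server with the highest hash(src, server).
    Removing a server only affects sources whose top choice it was; everyone else keeps their server."""
    return max(healthy, key=lambda s: _h(src_ip, s))


class TLB:
    """Stateless L4 distribution: no session table, the hash alone provides stickiness."""
    def __init__(self, servers, pick=rendezvous_pick):
        self.health = {s: True for s in servers}
        self.pick = pick

    def set_health(self, server: str, ok: bool) -> None:
        """Steps 1 and 2: a health-check result changes which next hops are eligible."""
        self.health[server] = ok

    def healthy(self) -> list:
        return sorted(s for s, ok in self.health.items() if ok)

    def forward(self, src_ip: str) -> str:
        """Step 3: choose the next hop for a packet from src_ip."""
        eligible = self.healthy()
        if not eligible:
            raise RuntimeError("no healthy servers")
        return self.pick(src_ip, eligible)


def moved_flows(pick, servers, failed, clients) -> int:
    """Number of sources that were NOT on `failed` yet change server when `failed` is withdrawn."""
    lb = TLB(servers, pick)
    before = {c: lb.forward(c) for c in clients}
    lb.set_health(failed, False)
    after = {c: lb.forward(c) for c in clients}
    assert failed not in after.values()
    return sum(1 for c in clients if before[c] != failed and before[c] != after[c])


if __name__ == "__main__":
    for name, pick in (("modulo", modulo_pick), ("rendezvous", rendezvous_pick)):
        print(f"{name:10s} collateral re-homed flows when {SERVERS[2]} fails:",
              moved_flows(pick, SERVERS, SERVERS[2], CLIENTS))
```

With modulo hashing roughly two thirds of the surviving flows land on a different server after one failure, which for a stateful backend means broken sessions; with rendezvous hashing the count is zero by construction, which is the behaviour the slide's bullet promises.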

ADC VS. TLB

                     TLB                        ADC
Methods              Hash                       Hash, least connections, round robin, response time, bandwidth
Session state        Stateless                  Stateful or stateless
Traffic rate         PFE dependent              MS-DPC dependent
Layer support        L4                         L4-L7, providing enhanced services stickiness
Transparency         Supported                  Supported; also enables a configurable virtual IP destination as part of the ADC
Required HW          MS-DPC (only 1 NPU)        MS-DPC (at least 1 NPU)
Connections/PPS      PFE dependent              Stateful: 1M/2M per NPU; stateless: PFE dependent/2M per NPU
Health check type    ICMP, TCP, HTTP            ICMP, TCP, HTTP/S, DNS, SNMP, TFTP, IMAP, POP3, WAP, SMTP, RADIUS, NNTP, LDAP, FTP, SIP
IPv4/IPv6            Supported                  Supported

JUNOS WEB AWARE (HTTP CONTENT MANAGEMENT)



JWA current state

- A powerful SDK-based HTTP parser which tracks HTTP requests and their responses
- Actions include:
  - Inserting an HTTP header, a.k.a. tag insertion or header enrichment
  - Discarding, resetting, counting, etc. the transactions
  - Logging the HTTP requests/responses
  - Logging the TCP start/end
  - Redirecting the client to a new host/URL
  - Associating HTTP transactions with the corresponding subscriber by communicating with the DSA component
- GA in 12.2
- Supports the following HTTP requests: GET, PUT, POST

JWA SUPPORTED FEATURES [12.2]

- Fixed, wireless and BNG network architectures
- IPv4- and IPv6-based tag insertion, URL logging/filtering and error redirect
- Asymmetrical flows (URL logging only)
- Extended URL logging for long HTTP contexts
- All JWA functions can be run on the same NPU
- Multiple NPUs can be used with AMS for IPv4-based traffic to support load balancing
- Receiving standard RADIUS attributes and using them for tagging and logging purposes
- Subscriber opt-in/opt-out is supported through the Sd/Diameter interface (RE-based SDK app) by a 3rd-party system integrator

HCM FUNCTIONS: TAG INSERTION EXAMPLE 1: MSISDN INSERTION

The format of the tag inserted in HTTP requests is (each header line terminated by CRLF, i.e. \r\n):
<tag-header>: <{radius|fixed}-attribute><tag-separator><{radius|fixed}-attribute>\r\n

Example request, with the standard header fields first and the inserted tag last:

GET / HTTP/1.1
Host: www.juniper.net
User-Agent: Mozilla/5.0 (Windows NT 5.1; rv:8.0) Gecko/20100101 Firefox/8.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip, deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Connection: keep-alive
Cookie: uin=o0069457533; skey=@9Hg3xFMiu
X-MSISDN: d0cfd800e25e681b451e047f9f2138ae        <- tag inserted

* Refer to RFC 4229 (HTTP Header Field Registrations) for the initial contents of a permanent IANA registry for HTTP header fields and a provisional repository for HTTP header fields.

HCM FUNCTIONS: TAG INSERTION EXAMPLE 2: HEADER ENRICHMENT IN A VIRTUAL SERVICE AREA

- Clients get private IP addresses
- Private IP addresses are reused on a per-GGSN basis
- The client's (private) IP address is added to the X-Forwarded-For: header before NAT is performed
- To distinguish two clients with the same private IP address but from different GGSNs, the first byte (which is redundant because it is 10 everywhere) is replaced by the ID of the GGSN (= the ID of the service area)

(Diagram:)
GGSN ID=11: client 10.100.55.33 -> MX for header enrichment: X-Forwarded-For: 11.100.55.33 -> NAT/PAT to 80.87.99.50 -> Internet
GGSN ID=12: client 10.100.55.33 -> MX for header enrichment: X-Forwarded-For: 12.100.55.33 -> NAT/PAT to 80.87.105.211 -> Internet
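Both tag-insertion examples reduce to one small rewrite function. The following is an added example (my code, not the JWA/HCM implementation) that transforms a constructed HTTP request the way the two slides describe: it looks up the client's RADIUS attributes in a constructed table keyed by GGSN ID and private IP, inserts X-MSISDN, and adds X-Forwarded-For with the first octet replaced by the GGSN ID. Two details are this example's own choices rather than anything the deck states. First, it strips any X-MSISDN or X-Forwarded-For the client itself sent, because a billing system that trusts the header would otherwise let one UE impersonate another subscriber. Second, it inserts a keyed 32-hex-character token derived from the MSISDN instead of the raw number: the slide's value has that shape but the deck does not say how it was produced, and a raw MSISDN in every request towards the Internet is a subscriber-privacy leak, whereas an HMAC under an operator key stays stable for billing and meaningless to third parties. Note also that 11.100.55.33 and 12.100.55.33 are not private addresses, so whoever consumes the X-Forwarded-For value has to know about the GGSN-ID encoding.

```python
"""HTTP header enrichment: X-MSISDN tag insertion and GGSN-ID-encoded X-Forwarded-For (added example)."""
import hashlib
import hmac

# Constructed data. In the deck the attributes come from RADIUS via the DSA component.
RADIUS_BY_CLIENT = {("11", "10.100.55.33"): {"msisdn": "447700900123"},
                    ("12", "10.100.55.33"): {"msisdn": "447700900456"}}   # same private IP, other GGSN
OPERATOR_KEY = b"constructed-operator-secret"     # per-operator key for the subscriber token (assumption)
ENRICHMENT_HEADERS = (b"x-msisdn", b"x-forwarded-for")
CRLF = b"\r\n"


def subscriber_token(msisdn: str, key: bytes = OPERATOR_KEY) -> str:
    """Stable, keyed 32-hex-char token for the MSISDN (this example's choice; the deck only shows the shape)."""
    return hmac.new(key, msisdn.encode(), hashlib.sha256).hexdigest()[:32]


def gi_xff(private_ip: str, ggsn_id: str) -> str:
    """Replace the redundant first octet (10) with the GGSN / service-area ID, as on the slide."""
    first, rest = private_ip.split(".", 1)
    if first != "10":
        raise ValueError("the slide's scheme assumes 10/8 private addressing")
    return f"{ggsn_id}.{rest}"


def _split(line: bytes):
    """Header line -> (lower-cased name, value)."""
    name, _, value = line.partition(b":")
    return name.strip().lower(), value.strip()


def enrich(request: bytes, client_ip: str, ggsn_id: str, radius=RADIUS_BY_CLIENT) -> bytes:
    """Rewrite one HTTP request (header block terminated by CRLF CRLF) with the enrichment tags."""
    head, sep, body = request.partition(CRLF + CRLF)
    if not sep:
        raise ValueError("incomplete HTTP header block")
    request_line, *headers = head.split(CRLF)
    # Never trust enrichment headers that arrive from the UE: drop them before inserting ours.
    kept = [h for h in headers if _split(h)[0] not in ENRICHMENT_HEADERS]
    kept.append(b"X-Forwarded-For: " + gi_xff(client_ip, ggsn_id).encode())
    attrs = radius.get((ggsn_id, client_ip))
    if attrs:                                   # unknown subscriber: forward without an identity tag
        kept.append(b"X-MSISDN: " + subscriber_token(attrs["msisdn"]).encode())
    return CRLF.join([request_line, *kept]) + CRLF + CRLF + body


def header(request: bytes, name: bytes) -> list:
    """All values of header `name` in a request (inspection helper)."""
    head = request.split(CRLF + CRLF, 1)[0]
    return [v for n, v in map(_split, head.split(CRLF)[1:]) if n == name.lower()]


# Constructed request: the slide's example plus a spoofed X-MSISDN the UE must not be able to inject.
SAMPLE_REQUEST = (b"GET / HTTP/1.1\r\nHost: www.juniper.net\r\nUser-Agent: Mozilla/5.0\r\n"
                  b"Cookie: uin=o0069457533; skey=@9Hg3xFMiu\r\nX-MSISDN: 000000000000\r\n\r\n")

if __name__ == "__main__":
    print(enrich(SAMPLE_REQUEST, "10.100.55.33", "11").decode())
```

Because the tag is inserted on the Gi side before NAT, the same function serves the overlapping-subnet case in use case 2: the two clients sharing 10.100.55.33 behind GGSN 11 and GGSN 12 come out with different X-Forwarded-For values and different X-MSISDN tokens even though their private addresses, and later their NAT'd public addresses, tell the billing system nothing on their own.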

SUMMARY

Service delivery is key to SP success

Legacy service delivery model (FW, LB/ADC, switching, routing, switching and access as separate boxes):
- Expensive operations
- No granular segmentation
- Single-tenant architecture
- Point vertical solution vendors
- Complexity
- Not scalable, hard to monetize

Juniper SDG optimization services for service providers on the Juniper Networks MX router:
- Optimize, reduce complexity and remove point solutions
- Reduce cost and protect investment
- Fast provisioning of new services and customers
- Granular security and management