Service Providers trends & F5 Networks SP’s portfolio overview
© F5 Networks, Inc 2
Today's ISP trends
• Attacks from Internet
• Data Growth / IoT
• Regulations / Services
• Competition, Profitability
• Network Consolidation
• Traffic policing
• URL filtering
• DDoS protection
• L4-L7 security
• Traffic shaping
• Scalability, IPv4/v6
What F5 does for SPs?
• Load balancing: LTM
• Network FW: AFM
• Web FW: ASM
• DNS: DNS
• Traffic policing: PEM
• Cloud scrubbing: Silverline
• Signalling proxy: Diameter, SIP, Radius, HTTP, LDAP, …
• CGNAT: IPv4, IPv6
• Access Control: APM
… and our "TREASURES" under the surface
• iRules: Programmability
• TMOS: Full proxy architecture
• Power: HW
• IPv6: Native support
• CGNAT
• PEM
• Silverline
• Community: devcentral.f5.com
• Virtualisation: vCMP, VMware, OpenStack, …
• DNS
• Analytics: Statistics, logs, ...
PEM
Context-Aware and Policy-Driven Traffic Steering
What is context?
• RAT type (2G, 3G, 4G)
• Subscriber
• Device type
• Congestion
• Location
• Application
How does the steering platform learn about context?
• PCRF: Diameter Gx
• GGSN/PGW: RADIUS
• 3rd party tools: Custom API
• Data plane: PEM/DPI module
Subscriber awareness with PEM
[Diagram: PGW/GGSN/BNG, RTR, Internet, Data Center; value added services: Video Optimization, Transparent Caching, Parental Controls, WAP Gateway; control plane: PCRF, AAA, OCS; interfaces: Gx, Gy, Radius]
PEM for Fixed Line / WiFi
[Diagram: Fixed Broadband, BRAS/BNG, BIG-IP PEM, RTR, Internet; Policies and Subscribers: DHCP, AAA, Syslog; interfaces: DHCP, Radius]
Detection and identification using DHCP
• Subscriber identity extracted from DHCP Option 82 (IPv4) / Option 37 (IPv6)
• Support of DHCP snooping / DHCP relay
Detection and Authentication using Radius
• PEM as Radius client initiates Access-Request for particular subscriber
• Radius Accounting for the reporting
Policy Action: Traffic Steering and Service Chaining
• Intelligent traffic steering to VAS servers
• Leverage subscriber/application awareness for steering
• Steering on Response
  • Analyze response and apply steering policy for flow/transaction
Use Case: Ability to steer traffic through different value added services and network elements
Customer Benefit: A fixed or mobile solution for optimizing subscriber and application traffic through VAS and network elements based on subscriber profile
[Diagram: Subscribers (John, Emma, Paul), GGSN/PGW/BNG, Internet; Control Plane: AAA, PCRF; interfaces: Radius, Diameter Gx, Other API; Service Provider VAS: Parental Control, Video Optimization; traffic: http, http (3G)]
User / Service / Policy
• John: Video Optimization “LTE bypass”; Parental Control “No”
• Paul: Video Optimization “Always”; Parental Control “Yes”
Bandwidth and QoE management
PER-SUBSCRIBER BANDWIDTH CONTROL
• Gold Subscriber (20 Mbps)
• Silver Subscriber (10 Mbps)
• Bronze Subscriber (5 Mbps)
PER-SUBSCRIBER PER APPLICATION BANDWIDTH CONTROL
• Gold Subscr total (20 Mbps)
• Gold Subscr p2p (512 kbps)
• App p2p total (500 Mbps)
Even if the subscriber is entitled to more by the subscriber bandwidth policy, his P2P traffic is reduced to the configured value (512 kbps).
[Diagram: PGW/GGSN, VIPRION, PCRF]
URL Categorization for filtering & parental control
• URL Filtering
• Custom [iRule]
• Built-in Webroot DB (20M most popular)
• Cloud-based Webroot (400M) DB lookup
• Custom DB (few M)
• SNI-based URL categorization for HTTPS
[Diagram: PGW/GGSN, RTR, Internet]
1. Trying to access blocked URL
2. Integrated Webroot URL Filtering / Blacklist
3. Access Denied
OTT MONETIZATION & FLEXIBLE CHARGING
Application Classification: DPI engine
• Subscription models / bundles for OTT or specialized service
• Bundled into subscription for a lower fee
• OTT traffic excluded from volume bundle
• OTT traffic marked/tagged for differential treatment at radio layer
• Gold Subscr total (acct only)
• OTT Service (acct + DSCP mark)
[Diagram: PGW/GGSN, VIPRION, PCRF, Analytics, SPECIALIZED SERVICE (MNO BRAND); interfaces: RADIUS Accounting (Subscriber discovery), Gx, Syslog/IPFIX]
Classification: Encrypted traffic handling
• HTTPS/SSL
  • SNI / Common name based classification
  • Support for behavioral classification
  • Pattern based matching, signature creation
  • SSL certificate lookup (domain string lookup inside SSL)
  • SSL flow bundling: ability to correlate parent/child SSL flows for an application/protocol (partial SSL handshake scenario where the parent flow certificate is not transmitted to the child SSL flow)
• Non-HTTPS (Skype, BitTorrent, …)
  • Support for pattern based signatures along with behavioral capabilities
  • For example, Skype: source IP/port, supernodes etc.
CONTENT INJECTION / AD INSERTION
• HTTP header enrichment for subscriber identification
• Content insertion (JavaScript) into HTTP payload to enable
  • In-browser notifications
  • Toolbar insertion
  • Ad insertion
Content Insertion
[Diagram: BNG/BRAS, Internet]
1. Content being sent back to subscriber; data maxed out
2. JavaScript insertion about quota max
3. Subscriber realizes they have maxed out data
HTTP Header Enrichment
[Diagram: GGSN/PGW, BNG/BRAS, Internet]
1. Subscriber sends HTTP request
2. BIG-IP intercepts HTTP request and adds custom header based on pre-configured policy
• HTTP Full-Proxy mode allows for
• Header insertion both in request and response
• Custom header name completely configurable
• Clear-text and hashed/encrypted header content
• Conditions to decide when to insert header fully configurable, example
• Based on destination IP address, URI, … (list of destinations)
• Based on user-id (under PCRF control)
Classification: Mobile device and Tethering detection
• Reports Device-Type & OS for each subscriber
  • Identifies the type of mobile device connected to the network.
  • Uses the mobile device’s (unique) Type Allocation Code (TAC) retrieved from RADIUS Acct START
  • The Service Provider can use its own database provisioned on the BIG-IP platform
  • Determined by parsing the UA string
  • Determined by TCP Fingerprinting
• Tethering
  • Ability to detect tethering based on TTL today
  • In the next release: ability to detect tethering based on enhanced algorithms like TCP fingerprints, UA, #Connections, BW etc.
Charging/Quota Management
[Diagram: PGW/GGSN, BIG-IP PEM, RTR, Internet; Policy and Subscriber Management: OCS, PCRF, AAA/HSS; interfaces: Gx / Gy]
• Quota Management / Pre-paid charging use cases per Sub / App
• Gy AVPs / Volume and time based quotas / quota replenishment / quota breach
• License based
F5 Approach to reporting/analytics/logging
• F5 provides on-box reporting to show local analytics
• The approach to external analytics is to provide the information to external third-party vendors implementing this function
• F5 data export can be done using different protocols: SYSLOG, IPFIX, RADIUS, GX
• F5 has partnerships with several vendors for analytics
[Diagram: PGW/GGSN, BIG-IP PEM, RTR, Internet]
PEM – Wide range of use cases
Per-subscriber Application & URL Bandwidth Control & Filtering
• TCP-friendly rate limiter
• Separate up/down rates
• Highly scalable solution
• TCP Optimization as a bonus
Subscriber Application Analytics
• Subscriber ID / Rate Plan
• Charging rules
• Application Usage Reporting
Intelligent Traffic Steering & Service Chaining to VAS
• Steer traffic based on subscriber profile to Value Added Services & Optimization Services
• Intelligent Service Chaining
Online Charging (Gy)
• Flexible rating group definitions based on applications and/or URI
• Redirect or block upon quota expiration
URL Filtering & Parental Control
• Government lists
• Per-subscriber parental control opt-in/opt-out service
• For HTTP & HTTPS
OTT Identification & Monetization
• Per-subscriber OTT application detection
• Per-OTT bandwidth, marking and charging rules
Header Enrichment & WAP offload
• HTTP HE for content-based charging
• WAP GW bypass/offload and replacement
Content Injection / Toolbars
• JavaScript-based content injection
• Targeted advertisements
Lightweight BRAS/BNG
• DHCP-based BNG model for WiFi and wireline deployments
• Radius AAA client
Case study: Tier 1 operator in Poland – Parental Control
[Diagram: Mobile Client, Access Network, PEM, INTERNET, Symantec DB (ICAP calls), PCRF (Gx)]
Deployment scenario
- Parental control as a paid service
- Solution also for business customers
- Whitelisting of online banking sites
F5 SOLUTION
- Load balancing of ICAP servers
- PEM with Gx integration into the Optenet PCRF
- Reporting of bad URLs via ICAP
- iRules for detecting SNI in SSL traffic
Case study: DSL and VoIP service provider
[Diagram: Mobile Client, Access Network, LTM & PEM & AFM, INTERNET, SIP 1 … SIP 2]
Deployment scenario
- SIP Load balancer / proxy
- Intelligent traffic shaping
- Carrier-grade Firewall
BENEFITS
- CAPEX saving of US$150,000 (competing solution US$250,000)
- OPEX savings through consolidation (administration, training)
Consolidate with AFM, DNS, CGNAT
Consolidating SP’s security
• Protection for networks and applications
• Fewer devices translates to lower latency for subscribers
• Consolidation of firewall, application security, and traffic management
[Diagram, BEFORE F5 vs. WITH F5: Load Balancer, Firewall, DNS Security, Network DDoS, Load Balancer & SSL, Application DDoS, Web Application Firewall, Web Access Management]
Consolidating SP’s service functions
• Protection for mobility and core infrastructure with user awareness
• High scale for the demands of 4G and IPv6 deployments
• Consolidation of security, address, and traffic management
[Diagram, BEFORE F5 vs. WITH F5: PGW/GGSN, Firewall, DPI, Parental Control, …, CG-NAT]