Agility 2018

PRESENTED BY:

Gi LAN Architecture: Consolidating L4-L7 network services on the Gi LAN

[Diagram: VAS layer before consolidation, static port 80 steering]
EPC (GGSN/PGW) → RTR → TCP Opt. → Policy Enforcement → URL Filtering → CGNAT → Firewall → Internet

CONSOLIDATION

[Diagram: VAS layer after consolidation, dynamic & intelligent steering / service chaining on VIPRION]
EPC (GGSN/PGW) → VIPRION (DNS, service chaining) → Internet

Drivers: Devices & Connections (Smartphones, Applications, Internet of Things); Exponential Growth of Data and Signaling Traffic; Security (Evolving and Increasing Threats and Attacks)

• Scale and performance
• IPv4 → IPv6 transitions
• Control plane and data plane
• L4-L7 security
• DDoS mitigation
• Signaling overload protection
• Programmability and flexibility

Platform capacity

  Platform                      Throughput             Sessions        CPS
  VIPRION blade-based chassis   80 Gbps – 1.12 Tbps    80M – 1,440M    1M – 23.6M
  BIG-IP Appliances             10 Gbps – 320 Gbps     14M – 300M      125K – 4M
  Virtual Editions              Up to 10 Gbps          10M             100K
                                (25M, 200M, 1G, 3G, 5G, 10G; Planned: 40G & 100G)

NAT44 / IPv6 transitions

Address/Port Allocation Mechanisms (axes: Logging volume and Efficiency of public address usage, High → Low)

NAPT – RANDOM ALLOCATION OF PORTS (Logging: High; Efficiency: High)
• Efficient usage of public addresses
• Large logging infrastructure needed

Port Block Allocation
• Less efficient usage of public addresses
• Possible to tune the ratio logging/users-per-IP (block size/number of blocks)

Deterministic NAT (Logging: Low; Efficiency: Low)
• Pre-allocated blocks for subscribers
• Logging very small (only configuration storage needed)
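Added example (not code from the F5 deck): the two block-based mechanisms above, in Python. DeterministicNat derives every subscriber's outside address and port block from configuration alone, so the reverse lookup an abuse report needs works without any session log; PortBlockAllocator hands out blocks on demand and writes one log record per block, which is the logging/users-per-IP trade-off the block size tunes. The prefixes, port range and block size are constructed for the example.

```python
"""Deterministic NAT and port-block allocation side by side.

Added illustration, not F5 CGNAT code. The inside/outside prefixes, port
range and block sizes are constructed for the example.
"""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass, field


class DeterministicNat:
    """Maps every inside address to a fixed (outside address, port block).

    The mapping is a pure function of the configuration, so a complaint of the
    form (outside address, port, time) resolves to a subscriber with no
    per-session log: only the configuration has to be stored.
    """

    def __init__(self, inside: str, outside: str,
                 port_start: int = 1024, port_end: int = 65535) -> None:
        self.inside = ipaddress.ip_network(inside)
        self.outside = ipaddress.ip_network(outside)
        self.port_start, self.port_end = port_start, port_end
        # Sharing ratio: inside addresses per outside address (rounded up).
        self.subscribers_per_ip = -(-self.inside.num_addresses // self.outside.num_addresses)
        # Every subscriber gets an equal, pre-allocated slice of the port range.
        self.block_size = (port_end - port_start + 1) // self.subscribers_per_ip

    def forward(self, inside_ip: str) -> tuple[str, tuple[int, int]]:
        """Outside address and inclusive port block for an inside address."""
        ip = ipaddress.ip_address(inside_ip)
        if ip not in self.inside:
            raise ValueError(f"{inside_ip} is not in {self.inside}")
        index = int(ip) - int(self.inside.network_address)
        outside_ip = self.outside[index // self.subscribers_per_ip]
        low = self.port_start + (index % self.subscribers_per_ip) * self.block_size
        return str(outside_ip), (low, low + self.block_size - 1)

    def reverse(self, outside_ip: str, port: int) -> str:
        """Resolve an observed (outside address, port) back to the subscriber."""
        out = ipaddress.ip_address(outside_ip)
        if out not in self.outside or not self.port_start <= port <= self.port_end:
            raise ValueError("address/port is outside the configured pool")
        block = (port - self.port_start) // self.block_size
        if block >= self.subscribers_per_ip:
            raise ValueError("port lies in the unused tail of the range")
        index = (int(out) - int(self.outside.network_address)) * self.subscribers_per_ip + block
        if index >= self.inside.num_addresses:
            raise ValueError("block is not assigned to any subscriber")
        return str(self.inside[index])


@dataclass
class PortBlockAllocator:
    """Dynamic port-block allocation for one outside address.

    Blocks are handed out on demand, so logging is one record per block rather
    than one per session; block_size tunes log volume against how many
    subscribers the outside address can serve at once.
    """
    outside_ip: str
    block_size: int
    port_start: int = 1024
    port_end: int = 65535
    free_blocks: list[int] = field(init=False)
    assigned: dict[str, tuple[int, int]] = field(default_factory=dict)
    log: list[tuple[str, str, int, int]] = field(default_factory=list)

    def __post_init__(self) -> None:
        last_start = self.port_end - self.block_size + 1
        self.free_blocks = list(range(self.port_start, last_start + 1, self.block_size))

    @property
    def capacity(self) -> int:
        """Subscribers this outside address can serve concurrently."""
        return len(self.free_blocks) + len(self.assigned)

    def allocate(self, inside_ip: str) -> tuple[int, int]:
        if inside_ip in self.assigned:
            return self.assigned[inside_ip]
        if not self.free_blocks:
            raise RuntimeError(f"{self.outside_ip}: all port blocks in use")
        low = self.free_blocks.pop(0)
        block = (low, low + self.block_size - 1)
        self.assigned[inside_ip] = block
        self.log.append((inside_ip, self.outside_ip, *block))  # one record per block
        return block

    def release(self, inside_ip: str) -> None:
        low, _ = self.assigned.pop(inside_ip)
        self.free_blocks.append(low)


if __name__ == "__main__":
    nat = DeterministicNat("10.0.0.0/24", "203.0.113.0/30")  # constructed prefixes
    print(nat.subscribers_per_ip, "subscribers per IP,", nat.block_size, "ports each")
    print(nat.forward("10.0.0.200"), nat.reverse("203.0.113.3", 9100))
    pba = PortBlockAllocator("203.0.113.10", block_size=1008)
    print(pba.allocate("10.0.0.7"), "capacity", pba.capacity, "log records", len(pba.log))
```

With a /24 behind a /30 the sharing ratio is 64 subscribers per public address and each subscriber owns 1008 ports; the same block size in the dynamic allocator gives 64 blocks per address but now needs a log record per allocation.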

Monitor and Baseline L3/L4

Problem
• DDoS attacks are more complex – now multi-vector
• Detection of complex multi-vector attacks is limited with static/single dimensional vectors
• Aggregate rate-limiting “catches” good traffic with bad
• Per-SrcIP ineffective with spoofed IP’s or “wide” botnet attacks

Solution (AFM)
• Attack detection in both inline and out-of-band deployments
• Sub-second attack detection
• Detects anomalies compared against historical baseline
• Statistical method baselines 3,000+ L3/4 metrics
• Dynamically generates “signatures” (vectors) upon attack detection
• On-demand/real-time “signature” creation and sharing
• Targeted “signatures” = Low false positive rate
• Detect-only mode allows review before enforcement

The following metrics are monitored to detect anomalies and to generate multi-dimensional vectors:

Layer 3/4 Metrics
• Number of packets
• Number of fragments
• Packet size
• IP header size
• IP TTL, TOS, IP flags
• Source IP (SrcIP) and destination IP (DstIP) (v4 and v6)
• Source port (SrcPort) and destination port (DstPort)
• TCP flags and TCP window size
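Added example (not AFM code, and a toy version of what the deck describes): a per-metric statistical baseline is learned from historical traffic windows, a live window is scored against it, and the metrics that deviate are combined into one multi-dimensional “signature”. It also carries a detect-only switch so a signature can be reviewed before it is enforced. The metric names follow the list above; the window counters and the 3-sigma threshold are constructed.

```python
"""Behavioural L3/L4 anomaly detection against a learned baseline.

Added illustration, not F5 AFM code. Historical windows and the attack window
are constructed sample counters; the metric set is a subset of the L3/4
metrics named on the slide.
"""
from __future__ import annotations

import statistics

Z_THRESHOLD = 3.0  # flag a metric when it deviates by more than 3 sigma (constructed)

# Constructed history: ten one-second windows of normal traffic for one protected object.
NORMAL_WINDOWS = [
    {"packets": 1000 + 10 * i, "fragments": 5 + i % 3,
     "syn": 100 + i % 5, "avg_pkt_size": 600 + (i % 4) * 5}
    for i in range(10)
]

# Constructed live window: a flood of small fragmented packets, SYN rate unchanged.
ATTACK_WINDOW = {"packets": 9000, "fragments": 3000, "syn": 103, "avg_pkt_size": 64}


def learn_baseline(windows: list[dict[str, float]]) -> dict[str, tuple[float, float]]:
    """Per-metric (mean, sample stdev) learned from historical windows."""
    baseline = {}
    for metric in windows[0]:
        values = [w[metric] for w in windows]
        baseline[metric] = (statistics.mean(values), statistics.stdev(values))
    return baseline


def score_window(window: dict[str, float],
                 baseline: dict[str, tuple[float, float]]) -> dict[str, float]:
    """z-score of every metric in a live window against its baseline."""
    scores = {}
    for metric, (mean, stdev) in baseline.items():
        spread = max(stdev, 1e-9)  # constant metrics would otherwise divide by zero
        scores[metric] = (window[metric] - mean) / spread
    return scores


def build_signature(window: dict[str, float], scores: dict[str, float],
                    threshold: float = Z_THRESHOLD) -> dict[str, dict[str, float]]:
    """Combine every anomalous metric (either direction) into one vector."""
    return {m: {"observed": window[m], "z": round(z, 1)}
            for m, z in scores.items() if abs(z) > threshold}


def detect(window: dict[str, float], baseline: dict[str, tuple[float, float]],
           detect_only: bool = True) -> tuple[dict, str]:
    """Return (signature, action); detect_only keeps enforcement off for review."""
    signature = build_signature(window, score_window(window, baseline))
    if not signature:
        return signature, "none"
    return signature, "log" if detect_only else "enforce"


if __name__ == "__main__":
    baseline = learn_baseline(NORMAL_WINDOWS)
    print(detect(ATTACK_WINDOW, baseline))
    print(detect(NORMAL_WINDOWS[3], baseline))
```

On the constructed data the packet count, fragment count and average packet size deviate by far more than three sigma while the SYN rate does not, so the generated signature targets the fragment flood rather than all traffic to the object, which is the low-false-positive property the slide attributes to targeted signatures.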

[Diagram: DDoS detection and mitigation workflow]
Flow Data Collection → Learning Baselines → Anomaly Detection → Dynamic Protection Policy Deployment incl. Baselines and Attack Characteristics → Traffic Diversion via BGP Route Injection → Mitigation Enforcement → Attack Ended! → Clean Config and Stop Traffic Diversion

Topology: [ Internet ] → Service Provider Core → [ protected object 1 ], [ protected object 2 ]; DDoS Mitigation sits on the [ attack path ], with a separate [ clean path ] back to the protected objects.

• Attach profiles to AFM rules to optimize performance
• Protocol checks can be updated outside of TMOS release

[Diagram: SGi Firewall + CGNAT with PCRF policy lookup]
User Equipment → eNodeB → SGW → PGW → SGi Firewall + CGNAT → Security PE → Internet
APNs: IMS APN, Internet APN, Administrative APN, Enterprise APN
PCRF: Query PCRF for Subscriber’s Policy (Firewall policy only)
Log Servers: Enrich Logs with Subscriber ID (Firewall and CGNAT logs)

[Diagram: SGi Firewall + CGNAT with protocol inspection]
User Equipment → eNodeB → SGW → PGW → SGi Firewall + CGNAT → Security PE → Internet → Content Server
APNs: IMS APN, Internet APN, Administrative APN, Enterprise APN
Log Servers: Enrich Logs with Subscriber ID (Protocol Inspections & Traffic Intelligence)

TCP Optimization: split TCP proxy between Radio (PGW/GGSN) and Internet

Internet side (the server typically uses the standard TCP settings of its operating system): TCP-SYN → TCP-SYN/ACK → TCP-ACK
• Tune send/receive buffers to Internet
• Choose congestion control to Internet
• Enable S-ACK for all TCP connections
• Enable other TCP options

Radio side: TCP-SYN → TCP-SYN/ACK → TCP-ACK
• Tune send/receive buffers to radio
• Choose congestion control to radio
• Enable rate pacing to radio
• Enable S-ACK for all TCP connections
• Enable loss filter
• Enable other TCP options

TCP profile client-side (UE ↔ BIG-IP) and TCP profile server-side (BIG-IP ↔ Internet); each side has its own Send Buffer, Proxy Buffer, Reassembly Queue and Ingress Management.

[Diagram] UE ↔ Radio Access ↔ BIG-IP ↔ Internet ↔ Server. Receive Window (advertised in TCP) on the UE side and on the server side; Congestion Control & Rate Pacing on BIG-IP toward each side.

Dynamic tuning: BIG-IP will change TCP parameters automatically as network conditions change (buffer sizes). Auto-send buffer, auto-receive buffer, auto-proxy buffer (high/low watermarks for TCP proxy buffers). Provides the ability to respond to network changes instantaneously.

Dynamic TCP Tuning

1. UE moves to better network
2. UE continues to access the Internet, but over better condition
3. BIG-IP detects change in buffer condition and automatically changes buffer sizes
4. Data is sent back to UE using new receive window sizes

More efficiently utilize your network by mitigating buffer bloating
• TCP optimization is a key entry point use case in the Gi LAN for Service Providers across the globe – improved performance and Quality of Experience (QoE) drivers
• Integration with PEM for Subscriber Awareness is perceived to be of great value
• TCP profile selection based on RAT type
• Native support for TCP optimization as a PEM built-in action
• Improved TCP troubleshooting/analytics to provide an indicator for TCP experience degradation is of key interest (TCP stats, congestion indicators like goodput, jitter, delay, etc.)

[Diagram: TCP profile selection by RAT type]
Control Plane (RAT-type updates): Radius, Diameter Gx, Other API → PCRF → BIG-IP (User / Service / Policy); data path GGSN / PGW → BIG-IP → Internet
John, RAT-Type=3G → select TCP-profile-3G; John, RAT-Type=4G → select TCP-profile-4G

IoT platforms
• Transport
• Revocation
• Inspection
• SSL offload
• Traffic steering
• Application SSL traffic tunnels
• Authentication
• Zone management
• Protocol
Secure zones (Security Zone 1, Security Zone 2, Security Zone 3) based on device attributes

... all of this makes up an IoT Firewall for your IoT applications and services

IoT Features: Protocol Support, Transport Support, Traffic Management, Security Management, Advanced Features

Protocols: MQTT, CoAP, AMQP, XMPP, HTTP, HTTP 2.0, WebSkt, LWM2M

Verticals: Manufacturing (Factories, Mining); Utilities (Energy); Smart Spaces (Home, Building, City); Transportation (Cars, Public Transit); Platform Providers (Cloud, Service, Integration)

MQTT ‒ Message Queuing Telemetry Transport; CoAP ‒ Constrained Application Protocol; XMPP ‒ Extensible Messaging and Presence Protocol; AMQP ‒ Advanced Message Queuing Protocol

Dynamically manages traffic and subscribers in real time

Centralized Policy Control (DNS, CSCF, PCRF, AAA, OCS; Gx / Gy)
• Analytics: HSL, IPFix
• Provisioning (Gx)
• Usage Reporting

Subscriber Aware Traffic Steering
• Service chaining (VAS … VAS)
• NSH
• Optimization

[Diagram] RTR / PGW/GGSN → F5 → Internet

Subscriber Discovery · Subscriber awareness · Traffic optimization · Application Visibility · Automation · Security · Scale · Intelligent traffic steering

Analytics Use Case: Ability to categorize HTTP traffic based on URLs and domain names

• Enforce traffic policy based on HTTP URI attribute categorization
• Improved iRules capability for obtaining/setting categorization results
• Local database, custom database and cloud based

[Diagram] PGW/GGSN → RTR → BIG-IP → Internet
1. Trying to access blocked URL
2. Integrated Webroot URL Filtering / Blacklist
3. Access Denied

Customer benefit: Operators can offer URL categorization and parental control plans to subscribers. Subscribers get better control of traffic; operators get monetization benefits.

Use Case: Ability to steer traffic through different value-added services and network elements

Service Provider VAS (Video Optimization, Parental Control) with Control Plane (PCRF, AAA via Radius, Diameter Gx, Other API)
• Intelligent traffic steering to VAS servers
• Leverage subscriber/application awareness for steering
• Steering on response
• Analyze response and apply steering policy for flow/transaction

[Diagram] Emma (http, 3G) and Paul (http) via GGSN / PGW / BNG → BIG-IP (User / Service / Policy) → Internet
John: Video Optimization “LTE Subscriber bypass”, Parental Control “No”
Paul: Video Optimization “Always”, Parental Control “Yes”

Customer benefit: A fixed or mobile solution for optimizing subscriber and application traffic through VAS and network elements.

Use Case: Sponsored content insertion for free internet access

Solution: Policy and Subscriber Management (PEM, PCRF) with VAS / Content Provider (WAP Toolbar, VAS / Content, OTT)
• Traffic steering upon 3G/4G
• Toolbar content insertion via PEM

[Diagram] 3G / 4G → PGW → RTR → BIG-IP PEM (VIPRION 4480) → Internet

Benefits
• Monetize new services
• Optimize subscriber QoE
• Total applications covered: 2440
• Issued first signature update package for v12.1


LDNS
• Faster DNS for 3G and 4G LTE
• Enhanced performance through transparent cache
• Caching resolver for server consolidation
• Enhanced subscriber experience

Authoritative
• Robust, scalable portal and service access
• Exponential DNS performance and DDoS security protection
• Mitigate DNS threats by blocking access to malicious IPs

Infrastructure
• Intelligent DNS for Evolved Packet Core
• Proactively monitor for service-level adherence
• Optimize global service delivery

[Diagram: DNS across enterprise / service provider, mobile core and fixed core]
Enterprise / Service Provider: Subscriber Management (DNS, HSS/HLR, DHCP); Billing/Self Service (ENUM, Activation, PKI, Customer Portal); IP Multimedia Subsystem (IMS: CSCF, MGCF, SBC)
Control Plane: Authoritative DNS, PCRF, Local Zones, Authoritative LDNS
Mobile Core Infrastructure: MME, GGSN/PGW, DNS64 / NAT64, Authoritative Local Zones, Caching/Resolvers, Transparent Cache, DNS / GSLB, Internet DNS
Data Plane: (e)NodeB → SGW/SGSN → Web Caching, WAP Gateways, Content Streaming
Fixed Core Infrastructure: BRAS

Traditional DNS Deployment vs. DNS Delivery / Firewall using F5 (DNS Resolver → BIG-IP Platform → DNS Resolvers)

The Business Case
• SPs add DNS servers to accommodate growth
• Effective DNS responsive with load balancing
  - Health monitors with DNS/service delivery
• Protect existing infrastructure with firewall services
• Take advantage of F5 capabilities and services
  - Same framework, same topology, greater scalability

The F5 Advantage
• Ensure a consistent experience for subscribers
• Easily deploy F5 leading DNS delivery solution
• Low barrier to entry – Works with existing servers and policies

F5 DNS Services in Mobile Core: Distributed DNS Transparent Caches (BIG-IP Platform)

The Business Case
• Need to decrease DNS and offload DNS resolvers
• Implement transparent DNS caches close to the subscriber
• Deliver DNS scale without impacting service

The F5 Advantage
• Scale DNS transparent caches as demand increases. Offloads existing DNS infrastructure
• Provides a simple upgrade path to a full caching resolver
  - Eliminate the need for centralized DNS

F5 DNS Services in Mobile Core: Distributed DNS Caching Resolvers (DNS Resolver Infrastructure on the BIG-IP Platform)

The Business Case
• Need faster and scalable query response
• Desire lower CapEx and OpEx
  – No need for additional DNS resolver farms
• Consolidate and offload DNS for immediate ROI

The F5 Advantage
• Faster Web browsing and reduced DNS latency
• Hardened appliance consolidates many servers
• Greater reliability through resiliency, HA
• BIG-IP delivers high performance, scalable DNS caching and resolving on one platform
• Simplified management, lower OpEx

Problem: Manually Remove Packet Gateways
• SPs don’t monitor the PGW/GGSN from DNS
• SGSN/MME selects an APN by DNS lookup
• DNS responds with static list of PGW/GGSN
• Manually remove PGW from record list given to mobile unit

Solution: Automatically Monitor Availability of Gateways
• Incorporate SP records abstracting GSLB intelligence
• Enable best performing services for optimal experience
• Improved subscriber QoE
• Response with available packet gateways/GGSNs

[Diagram: PGW availability via GTP Echo test, NAPTR and SRV records]
MME (with HSS) sends DNS Query: apn.provider.com → BIG-IP DNS replies with the available PGW/GGSN, checked by GTP Echo test, across Data Center 1 and Data Center 2; eNodeB → SGW/SGSN → PGW/GGSN (GTP) → Internet; Subscribers attach through the Mobile Core.
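Added example (not BIG-IP DNS code) of the gateway-availability check described on the last two slides: a GTPv2-C Echo Request is built per gateway, only a well-formed Echo Response carrying the same sequence number counts as alive, and the APN's SRV record set handed back to the MME is filtered to the gateways that answered. The Echo framing follows 3GPP TS 29.274 (version 2, no TEID, 3-byte sequence number); the gateway names, addresses, SRV priorities and the simulated responder are constructed, and send_probe is a hypothetical hook standing in for the UDP exchange so the check runs offline.

```python
"""GTP Echo based PGW availability feeding DNS gateway selection.

Added illustration, not F5 code. GTPv2-C Echo Request/Response framing per
3GPP TS 29.274; gateway names, addresses and SRV data are constructed.
"""
from __future__ import annotations

import struct
from typing import Callable, Optional

GTPV2_ECHO_REQUEST = 1
GTPV2_ECHO_RESPONSE = 2
GTPC_PORT = 2123  # a real monitor would send the probe to this UDP port


def _header(msg_type: int, seq: int) -> bytes:
    """GTPv2-C header without TEID: flags(version=2), type, length, seq, spare."""
    if not 0 <= seq < 1 << 24:
        raise ValueError("sequence number must fit in 24 bits")
    body = seq.to_bytes(3, "big") + b"\x00"          # octets 5-7 seq, octet 8 spare
    return struct.pack("!BBH", 2 << 5, msg_type, len(body)) + body


def build_echo_request(seq: int) -> bytes:
    return _header(GTPV2_ECHO_REQUEST, seq)


def build_echo_response(seq: int) -> bytes:
    """What a live gateway answers; used here only by the simulated responder."""
    return _header(GTPV2_ECHO_RESPONSE, seq)


def is_valid_echo_response(data: bytes, seq: int) -> bool:
    """Accept only a version-2 Echo Response that echoes the sequence we sent."""
    if len(data) < 8:
        return False
    flags, msg_type, length = struct.unpack("!BBH", data[:4])
    if flags >> 5 != 2 or msg_type != GTPV2_ECHO_RESPONSE or length != len(data) - 4:
        return False
    return int.from_bytes(data[4:7], "big") == seq


def probe_gateways(gateways: dict[str, str],
                   send_probe: Callable[[str, bytes], Optional[bytes]]) -> set[str]:
    """Names of the gateways that answered a GTP Echo.

    send_probe(address, payload) -> reply bytes or None (timeout) is a
    hypothetical hook abstracting the UDP socket to GTPC_PORT.
    """
    alive = set()
    for seq, (name, address) in enumerate(gateways.items(), start=1):
        reply = send_probe(address, build_echo_request(seq))
        if reply is not None and is_valid_echo_response(reply, seq):
            alive.add(name)
    return alive


def select_srv_records(srv_records: list[dict], alive: set[str]) -> list[dict]:
    """Drop unavailable gateways; order by SRV priority, then higher weight first."""
    usable = [r for r in srv_records if r["target"] in alive]
    return sorted(usable, key=lambda r: (r["priority"], -r["weight"]))


# Constructed inventory: two PGWs in two data centres, documentation addresses.
GATEWAYS = {"pgw1.dc1.example.test": "192.0.2.10", "pgw2.dc2.example.test": "192.0.2.20"}
SRV_RECORDS = [
    {"target": "pgw1.dc1.example.test", "priority": 10, "weight": 60, "port": GTPC_PORT},
    {"target": "pgw2.dc2.example.test", "priority": 20, "weight": 40, "port": GTPC_PORT},
]


def simulated_probe(address: str, payload: bytes) -> Optional[bytes]:
    """Constructed responder: pgw2 is down and never answers; pgw1 echoes the seq."""
    if address == "192.0.2.20":
        return None
    return build_echo_response(int.from_bytes(payload[4:7], "big"))


if __name__ == "__main__":
    alive = probe_gateways(GATEWAYS, simulated_probe)
    print("alive:", alive)
    print("SRV answer:", select_srv_records(SRV_RECORDS, alive))
```

The sequence-number check matters: a stale or replayed response from an earlier probe must not mark a gateway as available, and a response whose length field does not match the datagram is rejected before its payload is trusted.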

Assure service availability through BIG-IP DNS security services:

Disruptive and Malicious Traffic – attacks can disrupt DNS infrastructure:
• Subscriber malicious behavior (e.g., DNS tunneling)
• Unintentional/unknowingly via bots and malware
• DNS DDoS, malicious IPs, NXDOMAIN attacks

Protect Infrastructure and Ensure Service Availability – keep critical infrastructure available with BIG-IP:
• Ensure DNS availability for services
• Mitigate DNS DDoS and other DNS attacks
• Keep DNS responding to legitimate traffic
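Added example (not BIG-IP DNS code) of per-client detection for the three traffic classes just listed, run over sample query-log lines: a client is marked for dropping when its query rate in the window exceeds a limit, when almost all of its answers are NXDOMAIN with enough queries to judge (an NXDOMAIN flood), or when it queries very long, high-entropy leftmost labels (the usual DNS tunnelling indicator). The log format, addresses, thresholds and the 1-second window are constructed.

```python
"""Per-client DNS abuse scoring over query-log lines.

Added illustration, not BIG-IP DNS code. The log format "<ts> <client>
<qname> <qtype> <rcode>", the client addresses and the thresholds are
constructed for the example.
"""
from __future__ import annotations

import math
from collections import defaultdict

MAX_QUERIES_PER_WINDOW = 6      # queries per client per window (constructed)
NXDOMAIN_RATIO_LIMIT = 0.8      # share of NXDOMAIN answers that marks a flood
MIN_QUERIES_FOR_RATIO = 5       # do not judge the ratio on a handful of queries
TUNNEL_LABEL_LEN = 30           # leftmost label at least this long ...
TUNNEL_ENTROPY = 3.5            # ... and this random (bits per character)

# Constructed log: one normal client, one NXDOMAIN flood, one tunnel-like client.
LOG_LINES = """\
1 198.51.100.7 www.example.test A NOERROR
2 198.51.100.7 mail.example.test MX NOERROR
3 198.51.100.7 api.example.test AAAA NOERROR
4 198.51.100.9 q7x1.example.test A NXDOMAIN
5 198.51.100.9 m2p9.example.test A NXDOMAIN
6 198.51.100.9 zz41.example.test A NXDOMAIN
7 198.51.100.9 k0ql.example.test A NXDOMAIN
8 198.51.100.9 b8ta.example.test A NXDOMAIN
9 198.51.100.9 r3ee.example.test A NXDOMAIN
10 198.51.100.9 w6nn.example.test A NXDOMAIN
11 198.51.100.11 0123456789abcdef0123456789abcdef.t.example.test TXT NOERROR
12 198.51.100.11 fedcba9876543210fedcba9876543210.t.example.test TXT NOERROR
"""


def shannon_entropy(text: str) -> float:
    """Bits of entropy per character of a label."""
    counts: dict[str, int] = {}
    for ch in text:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def parse_log(text: str) -> list[dict[str, str]]:
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, client, qname, qtype, rcode = line.split()
        records.append({"ts": int(ts), "client": client, "qname": qname,
                        "qtype": qtype, "rcode": rcode})
    return records


def assess_clients(records: list[dict]) -> dict[str, tuple[str, list[str]]]:
    """Per-client verdict ("allow"/"drop") with the reasons that triggered it."""
    stats = defaultdict(lambda: {"queries": 0, "nxdomain": 0, "tunnel_like": 0})
    for r in records:
        s = stats[r["client"]]
        s["queries"] += 1
        if r["rcode"] == "NXDOMAIN":
            s["nxdomain"] += 1
        first_label = r["qname"].split(".")[0]
        if len(first_label) >= TUNNEL_LABEL_LEN and shannon_entropy(first_label) >= TUNNEL_ENTROPY:
            s["tunnel_like"] += 1

    verdicts = {}
    for client, s in stats.items():
        reasons = []
        if s["queries"] > MAX_QUERIES_PER_WINDOW:
            reasons.append("rate")
        if s["queries"] >= MIN_QUERIES_FOR_RATIO and s["nxdomain"] / s["queries"] >= NXDOMAIN_RATIO_LIMIT:
            reasons.append("nxdomain")
        if s["tunnel_like"]:
            reasons.append("tunnel")
        verdicts[client] = ("drop", reasons) if reasons else ("allow", [])
    return verdicts


if __name__ == "__main__":
    for client, verdict in assess_clients(parse_log(LOG_LINES)).items():
        print(client, verdict)
```

The minimum-query floor on the NXDOMAIN ratio is what keeps a legitimate client with one or two typos from being dropped; the two hex labels in the sample each use every hex digit twice, so their entropy is exactly 4 bits per character.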

BIG-IP DNS with Security Services

[Diagram] Authoritative DNS behind the BIG-IP Platform; BIG-IP DNS attack mitigation covers DNS DDoS, Malicious IP, NXDOMAIN attack and DNS tunneling: drop excess queries from bad actors.