Ahmad Chehime Policy Control Architecture for Wireline

Policy Control Architecture for Wireline Networks

Intelligent Service Gateway

Ahmad Chehime

. Services Evolution Requires: Cisco ISG – Intelligent Service Gateway

. ―Classic‖ Policy Control for Broadband Applications Portal Based Self-Services Tiered Services (Time & Volume) Advanced Application Aware Tiered Services

Intelligent Service Gateway

. SPs to offer differentiated services Services Application Rapid introduction of new value added services and Function Personalized applications to reduce churn and Service Layer enhance differentiation Delivery Platform Multimedia and Combinational (e.g. Fixed-Mobile) Services End-to-End Session . SPs require close User and Normalization Network control Layer Service Authentication, Charging, Policy Enforcement Exchange (QoS, Security, Accounting…) Generic Layer ―Walled Garden‖ Service Concept for a wide Resource/Access/ variety of Services Network-Service Control . Network Convergence Access independence and mobility Transport convergence over IP Transport Network Network Device Reuse of common resources Access Networks Layer Aging PSTN Equipment Price pressure of commoditization

Add Subscribers

Add Services

Pay As You Pay What Broadband Broadband Broadband Go! You Use! Light Basic Premium Buy credit Buy Buy: $19.99 Buy: $29.99 Buy: $39.99

Add Value

Branded Branded Branded VoD TV Phone ($4.99/movie) ($29.99) ($15.99 + LD)

Subscriber identified using multiple dimensions. Identity gathered: Identity Subscriber . From multiple sources and events Sessions . Over session lifecycle Subscriber Services Different Services and Rules applied based on: Intelligent Differentiated Services . Who subscriber is Service . Where he is Session creation/ authentication Gateway . What he requires

Services and Rules updated based on : Subscriber Dynamic Service Services Management . How subscriber behaves Dynamic Policy . What he requires NOW Push and Pull

Subscriber Policy Layer

Policy Web DHCP AAA … Server Server Portal Server

Open Cisco Intelligent Services Gateway Northbound (ISG) is a licensed feature set on Interfaces Cisco Routers that provides Session Management and Policy Policy Subscriber Management services to a variety of Management Identity and access networks Management ISG Enforcement

ISG

So focal, that the entire device is often referred as an: Intelligent Service Gateway router or simply ―The ISG‖

Subscriber Policy Layer AAA Policy Web DHCP Server Server Portal Server

Internet/Core

Guest Video Portal Audio Servers Open Garden Walled Garden

. Sits at the edge of the network . Subscriber Identification . Communicates with other devices to . Subscriber Authentication control all aspects of subscriber . Subscriber Services Determination access in the network and Enforcement . Single point of contact . Dynamic Service update . Per access and per service accounting BRKOPT-2110 13621_05_2007_c1 © 2007 Cisco Systems, Inc. All rights reserved. Cisco Confidential 9 ISG’s Subscriber Policy Layer

Subscriber Policy Layer AAA Policy Web DHCP Server Server Portal Server

Subscriber Authentication Internet/Core Subscriber Authorization: User and Service Profile Repository AAA Server Per access and Per Service Accounting Front-end toward billing system Guest Video Policy Server DynamicPortal Policy Push (Application LevelAudio Trigger) Servers Open Garden Walled Garden Front end toward the subscriber for: Self Subscription Web Portal Web Logon Service Selection (Application Level Trigger)

Hand over of addresses to subscribers DHCP Server Class-based address handover for ISG driven address pool selection AAA Server, Policy Server, Web Portal can co-reside in the same appliance BRKOPT-2110 13621_05_2007_c1 © 2007 Cisco Systems, Inc. All rights reserved. Cisco Confidential 10 ISG’s Dynamic Policy Activation

Dynamic Policy pull Dynamic Policy push (e.g. Automatic Service-Profile (e.g. ―Turbo Button‖) Download on Session Application/ Establishment) Service Layer event

Subscriber Policy Layer Subscriber Policy Layer DHCP Web AAA AAA DHCP Web Policy AAA Server Portal Server Server Server Portal Server Server

Network Layer Event

Guest Guest Portal Portal Open Garden Walled Garden Open Garden Walled Garden

Subscriber Policy Layer AAA Policy Web DHCP Server Server Portal Server

Internet/Core

Guest Video Portal Audio Servers Open Garden Walled Garden

RADIUS Interface, for subscriber AAA functionalities and Policy service download PULL RADIUS Extensions (RFC 3576) and XML based (SGI(*)) Open Interfaces, for dynamic, administrator or subscriber Policy driven, session and service management functions PUSH (*) SGI: Service Gateway Interface BRKOPT-2110 13621_05_2007_c1 © 2007 Cisco Systems, Inc. All rights reserved. Cisco Confidential 12 The Subscriber Session in ISG

Subscriber Policy Layer AAA Policy Web DHCP Server Server Portal Server Subscriber 1 Subscriber 1 session

Subscriber 2 Subscriber 2 Internet/Core session

Subscriber 3 session Guest Video Subscriber 3 Portal Audio Servers Open Garden Walled Garden

. Construct within Cisco IOS that represents a subscriber subscriber: billable entity and/or an entity that should be authenticated/authorize . Common context on which services are activated . Created at first sign of peer activity (FSOL = First Sign Of Life)

PSTN Dial

DSL DSLAM ATM/Ethernet Switch

Fiber Cable Node

Walled Garden Open Garden

Access . subscriber-centric services regardless of Ethernet Distribution access technology ―any service applicable to any session‖ paradigm

. subscriber management capabilities are 802.11 extended into Metro and Enterprise Ethernet, Wireless LAN, Cable, for an all IP aggregation

. legacy technologies (DSL/ATM) still supported Mobile RAN

Subscriber Session

TC ACL

Traffic TC Forwarding

Data ACL FeatureFeatureFeature Service

Default-Class

Session-Features: Flow-Features: Forwarding Service: Apply to the Traffic Classification (using traffic classes: Apply to the Forwarding (at L2, e.g. entire session classified flow L2TP) or e.g. per-user-ACL, class-map type traffic) (a portion of Routing (L3, e.g. Policing, MQC, the entire session connection to a VRF) Accounting data) Mutually exclusive

. Based on Subscriber Access Protocol not Technology . Session typologies:

Dynamically Created Sessions: PPP sessions CPE Mode # of Sessions IP Sessions Bridged 1 per end-host Routed 1 per household IP ―Subnet‖ Sessions . Subscriber ―Subnet‖ membership determined during authentication . Authentication mandatory for # of Sessions subnet sessions 1 per subnet

Statically Created Sessions: Interface Sessions– # of Sessions IP based access only 1 per interface

PPP Sessions IP Sessions

Virtual Template w/ Virtual Access (sub)Interfaces IP–Layer2 Connected IP PPPoA PPP 1483 ATM AAL5 ATM IP Phy Eth Eth Phy Access IP Distribution PPPoEoA PPP Ethernet PPPoE Eth Native IP capable 802.3 based main intfes ATM 1483 transport technologies AAL5 802.11, 802.16 Subinterfaces: .1q, QnQ ATM Phy IP–Routed PPPoEoE / PPPoEoVLAN/PPPoEoQnQ

IP IP PPP IP Eth Eth PPPoE Phy .1Q QnQ Any access Eth Phy technology

PPPoL2TP IP PPP L2TP ATM IP/UDP IP ATM,E Eth th,.. Phy

. ISG sessions are initiated at the First Sign of Life (FSOL) . FSOL depends on the Session Type PPP Sessions - FSOL IP Sessions - FSOL .... there are options .....

Unclassified MAC or IP • IP packet with unknown MAC or IP source address Data Traffic Use MAC for L2-connected IP sessions Use IP for routed IP sessions PPP Call Request (LCP) DHCP • DHCP Discover message DHCP discover • ISG must be DHCP Relay or Server

RADIUS RADIUS • RADIUS Access/Accnt Start Access Request OR Accounting Start • ISG must be a Radius Proxy • Typically used in PWLAN and Wireless WiMAX environments Client AP

Authentication models supported: . Access Protocol Native Authentication: PPP: CHAP/PAP IP: EAP for wireless client . Transparent Auto Logon (TAL): Authenticates using network identifiers. Typically ―subscriber traffic‖ related identifiers . Web Logon

Authentication is not mandatory on a session, but used in most situations

BRKOPT-2110 13621_05_2007_c1 © 2007 Cisco Systems, Inc. All rights reserved. Cisco Confidential 19 Session Authentication—PPP PPP - common scenarios + PPP CHAP/PAP Auth AAA Server . Uses legacy PPP authentication protocols PPP CHAP/PAPATM Eth, RADIUS . Applicable to all session types Username: L2TP PPP Username Pwd: PPP pwd

TAL: PPPoE Tag Auth AAA Server . DSLAM inserts PPPoE tags, typically Circuit and Remote ID PPPoE CtrlATM Msg Eth, RADIUS L2TP Username: . ISG performs authentication using a combination of RemoteID:CircuitID Circuit and RemoteID as username Pwd: Shared PPP DSLAM inserts . Only available for PPPoE sessions PPPoE tags CircuitID/RemoteID

TAL: NAS-Port-ID Auth AAA Server . ISG performs authentication using NAS-PortID as username Data TrafficATM Eth, Deployment likelihood Deployment RADIUS . Typically used w/ PPPoA and PPPoEoQnQ where a Username: NAS-Port-ID L2TP single subscriber is associated to VC/subif

Web Logon Web AAA Portal Server . User traffic redirected to a Web Portal to enter credentials (username and password) RADIUS . User Credentials propagated to ISG ATM Eth, Username: WebLogon . ISG uses credentials to authenticate user with AAA Data Traffic Username L2TP . Applicable to all session types - redirection

IP – common scenarios

+ Web Logon Web AAA . User traffic redirected to Web Portal to enter Portal Server credentials . User Credentials propagated to the ISG RADIUS . ISG uses credentials to authenticate user with AAA Username: WebLogon server Data Traffic Username redirection . Applicable to all session types

TAL: Option82 Auth AAA . Access Switch inserts Option82 Circuit and Remote Server ID in DHCP Requests DHCP exchange RADIUS . ISG performs authentication using a combination of Username: Circuit and RemoteID as username MAC:RemoteID:CircuitID Access SW inserts Option 82 . ISG session must be DHCP initiated CircuitID/RemoteID . User starts EAP authentication with Access Point (AP) EAP Auth AAA . ISG impersonates RADIUS server toward AP and RADIUS Server RADIUS client toward real server EAP (EAP based auth) RADIUS . ISG learns session authentication status by proxying Deployment likelihood Deployment Username: RADIUS messages betw/ real RADIUS client and Wireless EAP username AP Server Client . ISG session must be RADIUS initiated

TAL:IP/MAC AAA Server . ISG performs authentication using identifiers from Data Traffic RADIUS subscriber traffic (source IP/MAC) Username: . Typically used in IP-L2 connected topologies to support MAC or IP - clients w/ static IP address or in IP-routed topologies

IP and PPP Sessions

Idle and Absolute Timeouts/Timer Expiry Web Logoff Web Portal RADIUS CoA Account-Logoff

PPP Sessions Exclusively IP Sessions Exclusively ICMP/ARP keepalive failure

Keepalive failure PPP and PPPoX protocol events ICMP Keepalives used to terminate routed sessions ARP keepalives used to terminate l2-connected sessions ppp disconnect; ppp keepalives or L2TP hellos failure DHCP OR DHCP DHCP lease expiry initiated DHCP Release sessions RADIUS PoD (Packet Of Disconnect) Policy only Manager RADIUS PoD RADIUS RADIUS RADIUS EAP Accounting Stop initiated sessions Wireless only Client AP BRKOPT-2110 13621_05_2007_c1 © 2007 Cisco Systems, Inc. All rights reserved. Cisco Confidential 22 ISG Services

Service: a collection of features that are applicable on a subscriber session Service = {feat.1, feat.2,...,feat.n}

Session Portbundle (PBHK) Keepalives: ICMP and ARP based Administration Timeouts: Idle, Absolute

Traffic QoS: Policing, MQC Conditioning Security: Per User ACLs

Traffic Subscriber Address Assignment Control Redirection: Initial, Permanent, Periodic Forwarding VRF assignment: Initial, Transfer Associated to Features Control L2TP assignment Primary Services

PostPaid Traffic Prepaid: Time/Volume based Tariff Switching Accounting Interim Broadcast

Primary Service: contains one ―traffic forwarding‖ feature and optionally other features. Only one primary service can be active on a sess.

. No limit in the number of features per service, however consider that: Session A service is smallest atomic configuration unit that can be activated/deactivated on a session Service1 Deactivating a service implies deactivating all associated features Feature 1 Feature 2 Service2 . Not all features (and therefore services) are compatible w/ FeatureN each other SessionServiceM . No limit in the number of services per session, however: Only 1 primary service can be active at any given time on the session Good Practice: Different services should have different set of features

Subscriber Session

ACL TC1 Session Features SubscriberX Flow grouped in

ACL TC2 Data Features Session Services

Classification TC3 ACL

. ISG Classification resembles . Each Traffic Class can have a Modular QoS CLI (MQC) different set of features applied . Only traffic that can be . A Traffic Class and associated identified via an IP ACL features also referred as TC service (standard or extended) can be classified . A Default TC can be used to drop traffic that could not be classified

Subscriber Policy Layer AAA Policy Web DHCP To identify what traffic Server Server Portal Server should be redirected to an external appliance (Web Logon, Periodic Advertisement)

Subscriber Data Internet/Core

Guest Video Portal Audio For differentiated billing Servers based on application Open Garden Walled Garden usage

To permit Open Garden traffic over an unauthenticated To offer different QoS session while dropping all levels to different flows other traffic (default drop)

Location Download 1 AAA Server • Premium HSI service should be activated 2 RADIUS Access-request on the session • Services defined in Service Profiles Username: Premium_HSI • No definition yet Password: • Standard and Vendor Specific available RADIUS attributes used • On demand download on a • Service Activated on session 3 RADIUS Access-accept need basis • Service Stored in local cache Features associated w/ service while in use by at least 1 sessions 4

• Definition of all existing Services Policy Manager typically pre-downloaded on Box (supporting the SGI Interface) 1 SGI Request • Services defined in XML Premium, Standard, Basic 3 HSI service definitions • Pre-download of all existing services • Services permanently stored in local database 2 SGI Response

ISG • Services pre-configured using CLI • Services permanently stored • Services defined on Service Policies: in local database policy-map type service

During Subscriber Via an external Policy Via the On-Box Policy Authentication/ Server/Web Portal Manager Authorization

from external PM Administrator Subscriber Policy Layer Subscriber Policy Layer AAA Web Portal / DHCP Web Portal / DHCP AAA actions

Server Policy Server Server Server Policy Server Server

plane

Policy events from RADIUS data RADIUS plane Acc-req plane Control RADIUS CoA or SGI

Acc-accept Request

Data plane

Subscriber Subscriber

• Subscriber is successfully • Service Activation request sent • Policy Plane determines what actions authenticated by External Policy Managers via to take on session based on events a RADIUS CoA or a SGI actions *include* applying a service • RADIUS Response includes Request message Services and Features to activate • Control Plane ensures actions are on Session (from UserProfile) taken –i.e. provisions the data plane • Data Plane enforces traffic conditioning policies to the session

Handles all aspects of subscriber session lifecycle not just Service Activation!

Initiation Session Life Cycle described using Authentication Session Termination Cisco Policy Service Activation Language

Through CPL and the On-Box PM ISG is not only a Policy Enforcement Point (PEP) it is also a Policy Decision Point (PDP) BRKOPT-2110 13621_05_2007_c1 © 2007 Cisco Systems, Inc. All rights reserved. Cisco Confidential 29 Customize and Control: Policy Definition and Nomenclature Policy . Policy: Set of rules which govern the choices in behavior of a system and that are comprised of conditions and actions, where conditions are evaluated when Event Condition triggered by an event.* . Traffic policies: Policies for which the execution trigger is the arrival of a data packet, and for which the action(s) constitutes some form of processing of this packet before it is forwarded to another device, are known as traffic policies.* Policy Decision . Control policies: Policies for which the Point PDP** execution trigger is an explicit control-plane event (e.g. a signaling event, a timer expiry event etc.), and for which the action(s) does not entail the processing of a Policy forwarded data packet, are known Enforcement Point as control policies.* PEP**

Control Conditional policy-map class of events Actions

event 1 action1 class type control action2 more actions for event event ...... policy-map type control event 2

more...... events

Typically applied on Events are identified by their event type Actions are in a ordered list interface Common event types: Different set of actions per {event, Defines all aspects of . Session-start: New session detected condition} session processing . Account-logon: Account-Logon msg. received from external source Common action types: . Service-start: new service start req. from external . Service: Used to start a new service source . Service Unapply: Used to terminate an active service . Service-stop: Service termination req. from external . Authenticate: Used to authenticate a session using source subscriber’s credentials . Timed-policy-expiry: Set Timer expired . Authorize: Used to authenticate a session using one or more network identifiers (TAL) Event actions are executed only if . Set-Timer: Used to generate an event after a are met for the event configured amount of time . Multiple instances of same event w/ unique condition . Different set of actions for same event type . Conditions account for other aspects surrounding BRKOPT-2110 the event 13621_05_2007_c1 © 2007 Cisco Systems, Inc. All rights reserved. Cisco Confidential 31 Defining a Control Policy Session policy-map type control

Control Policy Condition Event Associate Events and Conditions to an ordered list of Actions

Condition Event Condition Event Condition Event

policy-map type control SUBSCRIBER_RULE class type control always event session-start Control Class: Control Class: Control Class: List of Actions List of Actions List of Actions 10 service-policy type service name PBHK 20 authorize aaa password lab identifier mac-addr 1. Disable Service B 1. Enable Service X 1. Enable Service PBHK 30 service-policy type service name L4R 2. Enable Service A 2. Enable Service Y 2. Take action AAA 3. Take Action R 3. Enable Service L4R 40 set-timer IP_UNAUTH_TIMER 5 4. Take action: Set Timer ! class type control always event account-logon 10 authenticate aaa list IP_AUTH_LIST 20 service-policy type service unapply name L4R ! class type control CND_U event timed-policy-expiry 10 service disconnect !

User Self-Care

Portal Based Self-Subscription with Re-Direction Key Ingredient: Cisco Intelligent Service Gateway - ISG

. User Self Care is . User Self Care addresses Self-Subscription Streamline Network provisioning and User Self-Management management Upgrade Services Reduce human intervention to Change Account attributes Subscriber management to minimum Cruise Control Increase customer loyalty Sub-Account Creation and satisfaction Parental Control Provide easy and scalable way to up-sell services

. User Self-Provisions himself at a portal (upon first access to the network) Choose appropriate Service Provider and Service Portfolio . Once Provisioned, transparent access to the network is granted without further authentication (Transparent Auto-Logon / Persistent Authentication)

. Can be combined with time or volume based Pre-Paid Services (e.g. only access the Internet for X minutes, or only transfer Y amount of data)

1. User connects to network. ISG identifies User with Line-ID and his MAC-Address. ISG tries to authorize User based on Line-ID and MAC- address, but fails initially (User Portal still un-provisioned) (e.g. BH SME) 2. ISG redirects User to Portal. User RADIUS Server self provisions himself and inputs (e.g. CAR) his credentials. Portal passes credentials back to ISG and ISG initiates authentication of user via AAA. On success, ISG places User in VRF of SP B and allows full access to network. MAC-Address 1 Service and Line-ID are saved – to allow L2-Ethernet Provider A for subsequent transparent login 2 Access ISG Network 3. User has full access to network. 3 Service Next time user comes back, ISG will Provider B 4 be able to authorize access to the Walled network based on Line-ID and MAC. Garden 4. User has used up quota (time or Services volume). ISG re-applies default service (e.g. access to Walled Garden only).

Portal (e.g. BH SME) RADIUS Server CPE DSLAM Add BRAS (ISG) (e.g. CAR) Option-82 DHCP 1 DHCP Discover Discover 2 Enable PBHK

3 4

5 User Profile data actively 6 managed between ISG DHCP Offer 7 Layer-4 and UAAF/AAA-Server: DHCP Request Redirect to Portal MAC-Address/Opt-82 8 IOS DHCP DHCP ACK Server used here. to Username Mapping 9 does not need to be pre-configured! 10 11 12 13 14 15 16 17

Portal (e.g. BH SME) RADIUS Server CPE DSLAM BRAS (ISG) (e.g. CAR)

19 Service-Profile downloaded on 20 demand (in case the profile is not configured locally or the service profile 21 is already available from cache – from an earlier download) 22

24 25

Per Service Accounting; e.g. Traffic to Internet Per Session Accounting Per Service Accounting; e.g. Traffic to Walled Garden

Portal (e.g. BH SME) RADIUS Server CPE DSLAM BRAS (ISG) (e.g. CAR)

1 DHCP Discover 2 Enable PBHK

3 4

5 DHCP Offer 6 DHCP Request 7 DHCP ACK 8

10 11

Portal (e.g. BH SME) RADIUS Server CPE DSLAM BRAS (ISG) (e.g. CAR)

20 Pre-Paid Service activated 21 22

23 24 25 26 27

Migration to IP- Sessions

DHCP Authentication Key Ingredient: Cisco Intelligent Service Gateway - ISG

Subscriber Identification DHCP auth Subscriber Isolation L3: ISG, ACLs, VRFs L2: VLAN, private VLAN Identify Line ID DHCP opt. 82, vMAC (ATM VC/VP), PPPoE Tag VLAN (802.1q, 802.1ad) IPCP DHCP

Keepalive BFD Service Selection DHCP auth, policy events Start Session DHCP Stop Session BFD

Session Identification Port, Mac, IP

Datagram Transport IP/Ethernet

. Use existing DHCP Client computes Adds subscriber line info message set challenge-response In DHCP Option 82 with user’s password DHCPDISCOVER . Reverse Authentication (with auth-proto-chap Option) DHCPOFFER BNG passes (w/ CHAP Challenge, Name) challenge & response and other Auth Protocols to AAA (no password DHCP REQUEST stored on BNG) (e.g. EAP) not supported (w/ CHAP Name, Response, ID) RADIUS Access-Request . All Attributes are (w/ CHAP Name, ID, Challenge, Response) mapped from RADIUS RADIUS Access-Accept including IP address or (w/ Profile, IP-Addr) Client IP/MAC recorded Pool By DHCP snooping Client Config included in DHCP ACK (could be proxy from an external DHCP-Server DHCPACK (w/ yiaddr)

DHCPNACK (w/CHAP Failure if unsuccessful)

BRKOPT-2110 *See: http://www.ietf.org/internet-drafts/draft-pruss-dhcp-auth-dsl-01.txt 13621_05_2007_c1 © 2007 Cisco Systems, Inc. All rights reserved. Cisco Confidential http://www3.ietf.org/proceedings/07mar/slides/dhc-2.pdf 43 Enhanced DHCP-Auth – For EAP, CHAP server auth etc. draft-pruss-dhcp-auth-dsl-01.txt (Alternative 2)

Precise EAP exchange dependent on EAP method, . Expands capabilities DHCPAUTH message is simply a wrapper of ―Alternative 1‖ : Adds subscriber line info In DHCP Option 82 supports CHAP “EAP passthrough” shown server DHCPDISCOVER (w/ auth-proto- Here. Could be terminated at NAS for chap Option) “PPP CHAP” interface to AAA authentication DHCPEAP (w/ EAP Message) supports EAP and DHCPEAP (w/ EAP Message) with that more Radius Access Request (w/ EAP advance methods Message) Radius Access Accept (w/ EAP for authentication EAP request/response pairs continue over DHCP and RADIUS until EAP is complete. If a Access reject is received a Message) . Requires: DHCPNAK with a EAP failure messages is sent . Else if an OR Radius Access Reject (w/ EAP-success is received in the BNG an DHCPOFFER EAP Message) A new message resumes normal DHCP. DHCP message size >= 1604 for DHCPOFFER (w/ yiaddr) (w/ EAP-success) use with EAP message option DHCPREQUEST (RFC 2132 – max DHCPACK DHCP message size option) Client IP/MAC recorded by DHCP snooping

Tiered Services

Tiered Services Key Ingredient: Cisco Intelligent Service Gateway - ISG

. Quota complements Speed as a tiering parameter . When a User reaches Quota, his Internet service is reduced to dial-up speed . The User then has the option to upgrade his Quota Level or continue at reduced speed till the end of the month . 15% of the Customers upgrade their Quota every month* . Belgacom, the Incumbent deployed similar Quota system on xDSL

. BT Total Broadband Options Option 1 – Basic Internet with wired home router, 5GB download allowance, Basic Security Option 2 – Internet with wireless home router, 8 GB download allowance, Advanced Security Package Option 3 – Internet with wireless home router and Phone, unlimited downloads, Advanced Security Package

Source: http://www.productsandservices.bt.com/ consumerProducts/displayTopic.do?topicId=15744 BRKOPT-2110 13621_05_2007_c1 © 2007 Cisco Systems, Inc. All rights reserved. Cisco Confidential 47 Tiered Services Example Use Case for Dial Migration

. Many Service Providers have Internet use still on Dial-up connections . Maintaining Dial Access Server Shelves is costly and in some cases infrastructure support comes to the end of the lifecycle . Natural Choice is to migrate Subscribers and target shut-down of Dial infrastructure . New Service Offerings need to be low-cost in order to facilitate migration . Upgrade to higher profile packages should be automated and self-managed by subscriber

Max. $10 Max. $10 Max. $15 Bandwidth Bandwidth Bandwidth

1 Mbps 1 Mbps 1 Mbps

64 kbps 64 kbps 64 kbps

2 hrs Time 100 Mbyte Volume Volume or Time

. Time-based, x amount of hour/minute at high-speed per month, then back to dial-bit rate . Volume-based, x amount of M byte free at high-speed-bit rate per month, then flat-rate dial-bit rate . Virtual Network Operator (VNO) sponsored periodic advertising with redirect to VNO Ad homepage

Precondition: User provisioned for migration service. Initial Authentication and Authorization completed. User’s 1 Mbps 1 7 service profile available on BPM. 64 kbps 4

ISG 2 2 2 5 5 5 5 1. User accesses the network. Active BPM 3 6 Profile is ―High-BW-Service‖. 2. ISG sends frequently sends interim accounting records to BPM.

Policy Server 3. BPM tracks quota. If quota expired, (BPM) BPM sends CoA to ISG, changing the service profile to ―Low-BW-Service‖. 4. User accesses the network. Active 3 6 2 5 Profile is ―Low-BW-Service‖.

1 5. ISG continues to frequently send 4 interim accounting records 7 CPE BRAS (ISG) 6. Start of New Months: BPM sends CoA to ISG, changing the service profile to ―High-BW-Service‖ and toping up the quota for High-BW-Service.

Key Ingredient: ISG, SCE (Service Control Engine)

. Content Filtering Subscriber-managed parental control Basic website blacklisting provided free of charge Page Blocked! Forbidden Comprehensive filtering & Content Detected security for a small monthly subscription

Less Less Less . Implement Fair Use Policy Over Usage Than Than Than 5.6GB Eliminates bandwidth 2.8GB 4.2GB 5.6GB bottlenecks E-mail + No No 256 256 WWW Limit Limit kbps kbps Enhanced user experience Audio/Video No 128 64 48 for the average user Streaming Limit kbps kbps kbps

48 28 28 16 P2P kbps kbps kbps kbps

User Quota Based on 7-Day Timeframe BRKOPT-2110 13621_05_2007_c1 © 2007 Cisco Systems, Inc. All rights reserved. Cisco Confidential 53 Improve Over-the-Top-VoIP towards User Shaw Communications (Canada)

Shaw Communications also uses the DPI technology to increase revenue. For example, customers who use Vonage or another Internet phone service can pay an additional CAD $9.95 a month to make sure that their calls get higher priority on the network than some other uses. Source: http://www.shaw.ca/en-ca/ProductsServices/Internet/ServiceEnhancement.htm BRKOPT-2110 13621_05_2007_c1 © 2007 Cisco Systems, Inc. All rights reserved. Cisco Confidential 54 Application Aware Data Services Example: Improve Over-the-Top-VoIP

. User has an existing subscription for Internet Access and is leveraging ―Over-the-Top Voice over IP‖ Applications (e.g. Skype), though voice quality is not always acceptable . SP offers User to prioritize ―Over-the-Top Voice over IP‖ for an additional $9.95 a month . User can order an self-provision the service through a portal (―Per-Application Turbo Button‖)

1. PPP session setup. User default access profile downloaded to ISG. 2. AAA-Server notifies BPM of new AAA Server access session and forwards user- handles correlation of Portal accounting data from (e.g. BH SME) profile of BPM. multiple sources for single user 3. BPM creates user-session on SCE and AAA Server enables default profile 4. User accesses the network with default 6 profile active. 2 5 Policy Server 5. User reaches out to service selection (BPM*) portal and chooses acceleration for a specific application (e.g. Skype) 6. Portal notifies the BPM of the new 3 7 service request 1 7. BPM activates a new service profile 4 8 which prioritizes Skype (e.g. mark Skype traffic so that it is put into the BRAS (ISG) SCE priority queue on ISG) Session Traffic Traffic Marking Scheduling and Policing 8. User accesses the network. Skype traffic is now handled with priority. *Other Options, e.g. BroadHop SME applicable as well.

Portal (e.g. BH SME) Policy Server* RADIUS Server CPE BRAS (ISG) SCE (BPM) (e.g. CAR)

PPP start 1 Access Request 2 Access Accept (User-profile) 3 Access Request (Default Service) 4 Access Accept (Parameters for Default Service) 5 6 Accounting start Accounting response 7 Add Session (User) 8 9 Add Session ACK Add Session 10 (SCE-User-Profile) 11 Add Session ACK Accounting start (Default-SCE-profile) 12 Accounting response 13 Select guaranteed access bandwidth for Application (e.g. Skype) 14 Change Profile: 15 New profile for User: Skype-turbo) Modify Session 16 (Skype-turbo) 17 Modify Session ACK Accounting stop (Default-SCE-profile) 18 Note: Call-Flows simplified Accounting response 19 Accounting start (Skype-turbo-profile) *Other Options, e.g. BroadHop SME 20 Accounting response applicable as well. 21 BRKOPT-2110 13621_05_2007_c1 © 2007 Cisco Systems, Inc. All rights reserved. Cisco Confidential 57 Alternative Deployment Approach Leverage ISG-SCE Control Bus

Policy & Auth Policy & Auth Accounting Accounting

. Leverage upcoming ISG-SCE Control Bus ISG takes the role of PDP and PEP . Benefits Single northbound interface from ISG (BRAS) platform Single Unified subscriber database CAPEX/OPEX optimized deployment Only need to integrate with one platform (ISG) Reduced resource requirements on AAA/policy layer (RADIUS and policy infrastructure) Increased Scale and Reliability BRKOPT-2110 13621_05_2007_c1 © 2007 Cisco Systems, Inc. All rights reserved. Cisco Confidential 58 Example: Improve Over-the-Top-VoIP Leveraging ISG-SCE Control Bus

1. PPP session setup. User default access profile downloaded to ISG. Single accounting record; 2. ISG establishes session on SCE and Portal incorporates service (e.g. BH SME) passes the portion of the profile identifiers for application relevant to SCE over to SCE. flows as well 3. User accesses the network with AAA Server default profile active. 4. User reaches out to service selection portal and chooses acceleration for a 4 5 specific application (e.g. Skype) 5. Portal CoA to ISG to enable a new service for the user (―prioritize Skype‖: e.g. mark Skype traffic so that it is put into the priority queue accounting records on ISG. 2 1 6 6. ISG receives the request, 3 7 determines it is for SCE – and BRAS (ISG) SCE forwards the request to SCE, where the new service policy is activated. Session Traffic Marking 7. User accesses the network. Skype Traffic Scheduling and Policing traffic is now handled with priority. Correlation of accounting info BRKOPT-2110 13621_05_2007_c1 © 2007 Cisco Systems, Inc. All rights reserved. Cisco Confidential 59 Application Aware Data Services Example: Improve Over-the-Top-VoIP

Portal (e.g. BH SME) RADIUS Server CPE BRAS (ISG) SCE (e.g. CAR)

PPP start 1 Access Request 2 Authenticate; Access Accept (User-profile) Download 3 Access Request (Default Service) User Profile Apply 4 ISG portion of Access Accept (Parameters for Default Service) service policy 5 Provision Session Request Download Service 6 Create (GUID) Profile (if not already corresponding SCE available on ISG) 7 session

8 Activate Policy Request Apply (SCE-Default-Service) SCE portion of service policy 9 Integrated 10 accounting: ISG&SCE Accounting start 11 Accounting response 12 Select guaranteed access bandwidth for Application (e.g. Skype) 13 CoA Change Profile: 14 Activate Policy Request New profile for User: Skype-turbo) 15 (SCE-Skype-Turbo) 16

RADIUS Message Service-Type = Framed-User, Username-user123 Frammed-IP-Address=69.8.10.101 av-pair = "subscriber:auto-logon- service Internet-premium", Account-Info = AAA Server "QD;640000;16000;32000‖, av-pair = "ip:inacl#101=permit tcp any any eq www", av-pair = "ip:addr-pool=ppp-green", av-pair = "sce:policy-profile=51―

2 provisionSession: Framed-IP-Address=69.8.10.101 subscriber:service-name=51(fair-access) Username=user123 PPP session setup 1 3

BRAS (ISG) SCE ISG locally applies ISG-specific policy and passes SCE specific service policy to SCE

RADIUS Accounting

Service-Type = Framed-User, Acct-Status-Type=… Acct-Input-Octets=… AAA Server Acct-Output-Octets=… Acct-Input-Gigawords=… Acct-Output-Gigawords=… Cisco VSA 250, "N1‖ (p2p) Av -pair=―epd:acct-flows=15M‖

2 accountingData p2p-up-byte-c: 15M Premium-http-byte-c: 6M Voip-session-c: 12calls

BRAS (ISG) SCE

Enabling all Emerging Network Architecture Standards Application … Any IP Application IMS-enabled SIP Layer … Current and Future Applications … ―Over-The-Top-Applications‖ … ―Future Feature Attractions‖

Application Support Functions

Other SIP or Non-SIP SS ―Anything IP‖ Subsystem IMS Service Subsystem

ServiceLayer Generic Service SEF Common Service Subsystem Subsystems

Core Identity and Mobility Service Policy and Resource Session and Media Functions Management Management Management

ISG SCE SBC Optimal Interop with Intelligent NEs Network Element Service Control and Peering

Network Wireline Layer Access

Multiservice Wireless Aggregation Intelligent Edge Core Access

. ISG handles the key aspects of dynamic service delivery in BB aggregation networks: Subscriber identification Service and policy determination (Including AAA & Dynamic Service Updates e.g. RADIUS CoA, SGI/XML) Session policy enforcement Session life-cycle management Accounting for access and service usage . ISG adds Policy Management Capabilities to the Network Element Complements stand-alone Policy-Servers Towards a network policy plane: ISG-SCE Bus A key component of SEF . Platform Support ASR 1000, 7600 (SIP-400, ES40), ESR 10000, 7200, 7301