Agility 2018 PRESENTED BY:

Gi LAN Architecture: Consolidating L4-L7 network services on the Gi LAN
[Diagram: before consolidation, the VAS layer relies on static port 80 steering from the EPC (PGW/GGSN) through a router to separate TCP optimization, policy enforcement, URL filtering, CGNAT and firewall elements in front of the Internet. After consolidation, the VAS layer runs on VIPRION with dynamic and intelligent steering and service chaining, between the EPC (PGW/GGSN), DNS and the Internet.]

Market drivers
• Devices & Connections: smartphones, applications, Internet of Things
• Exponential growth of data and signaling traffic
• Security: evolving and increasing threats and attacks
Resulting requirements
• Scale and performance (for each of the three drivers)
• IPv4 → IPv6 transitions
• Control plane and data plane
• L4-L7 security
• DDoS mitigation
• Signaling overload protection
• Programmability and flexibility

Platform scale (throughput / concurrent sessions / connections per second)
• VIPRION blade-based chassis: 80 Gbps – 1.12 Tbps; 80M – 1,440M sessions; 1M – 23.6M CPS
• BIG-IP Appliances: 10 Gbps – 320 Gbps; 14M – 300M sessions; 125K – 4M CPS
• Virtual Editions: up to 10 Gbps; 10M sessions; 100K CPS; license sizes 25M, 200M, 1G, 3G, 5G, 10G; planned: 40G & 100G

NAT44 and IPv6 transitions

Address/Port Allocation Mechanisms (the slide orders the three mechanisms from high to low on both axes, logging volume and address efficiency)
• NAPT – random allocation of ports: efficient usage of public addresses; large logging infrastructure needed.
• Port Block Allocation: less efficient usage of public addresses; possible to tune the ratio of logging to users-per-IP (block size / number of blocks).
• Deterministic NAT: pre-allocated blocks for subscribers; logging very small (only configuration storage needed).

Monitor and Baseline L3/L4 (behavioral DDoS detection, AFM)
• DDoS attacks are more complex – now multi-vector
• Detection of complex multi-vector attacks is limited with static/single-dimensional vectors
• Aggregate rate-limiting "catches" good traffic with bad
• Per-SrcIP is ineffective with spoofed IPs or "wide" botnet attacks
• Attack detection in both inline and out-of-band deployments
• Sub-second attack detection
• Detects anomalies compared against a historical baseline
• Statistical method baselines 3,000+ L3/4 metrics
• Dynamically generates "signatures" (vectors) upon attack detection
• On-demand/real-time "signature" creation and sharing
• Targeted "signatures" = low false positive rate
• Detect-only mode allows review before enforcement

The following Layer 3/4 metrics are monitored to detect anomalies and to generate multi-dimensional vectors:
• Number of packets
• Number of fragments
• Packet size
• IP header size
• IP TTL, TOS, IP flags
• Source IP (SrcIP) and destination IP (DstIP) (v4 and v6)
• Source port (SrcPort) and destination port (DstPort)
• TCP flags and TCP window size

[Diagram: out-of-band DDoS mitigation lifecycle. Labels: Flow Data Collection; Learning Baselines; Anomaly Detection; Dynamic Protection Policy Deployment incl. Baselines and Attack Characteristics; Traffic Diversion via BGP Route Injection; DDoS Mitigation / Mitigation Enforcement; Attack Ended!; Clean Config and Stop Traffic Diversion. Topology: [ Internet ] to Service Provider Core to [ protected object 1 ] and [ protected object 2 ], with an [ attack path ] and a [ clean path ].]

Protocol inspection
• Attach profiles to AFM rules to optimize performance
• Protocol checks can be updated outside of a TMOS release

[Diagram: SGi Firewall + CGNAT with subscriber awareness. User Equipment to eNodeB to SGW to PGW, with IMS APN, Internet APN, Administrative APN and Enterprise APN, then SGi Firewall + CGNAT and Security PE to the Internet. The firewall queries the PCRF for the subscriber's policy (firewall policy only) and enriches logs with the subscriber ID (firewall and CGNAT logs) before sending them to the log servers. A second variant of the same topology is labelled "Protocol Inspections & Traffic Intelligence".]

TCP optimization: split TCP profiles
[Diagram: Content Server – Internet – PGW/GGSN – Radio Access, with the TCP-SYN / TCP-SYN/ACK / TCP-ACK handshake terminated on each side of BIG-IP. The content server typically uses the standard TCP settings of its operating system.]
TCP profile, server-side (towards the Internet)
• Tune send/receive buffers to the Internet
• Choose congestion control to the Internet
• Enable S-ACK for all TCP connections
• Enable other TCP options
TCP profile, client-side (towards the radio network)
• Tune send/receive buffers to the radio
• Choose congestion control to the radio
• Enable rate pacing to the radio
• Enable S-ACK for all TCP connections
• Enable loss filter
• Enable other TCP options

[Diagram: BIG-IP as a full TCP proxy between the UE (Radio Access) and the Server (Internet). On each side: send buffer, proxy buffer, reassembly queue (ingress management), receive window (advertised in TCP), congestion control & rate pacing; the UE and the server each advertise their own receive window.]

Dynamic TCP tuning: BIG-IP changes TCP parameters (buffer sizes) automatically as network conditions change: auto send buffer, auto receive buffer and auto proxy buffer (high/low watermarks for the TCP proxy buffers). This provides the ability to respond to network changes instantaneously.
[Diagram steps: 1. UE moves to a better network condition. 2. UE continues to access the Internet, but over the better condition. 3. BIG-IP detects the change and automatically changes buffer sizes. 4. Data is sent back to the UE using the new receive window buffer sizes.] More efficiently utilize your network by mitigating buffer bloat.

TCP optimization: customer feedback
• TCP optimization is a key entry-point use case in the Gi LAN for Service Providers across the globe – improved performance and Quality of Experience (QoE) are the drivers
• Integration with PEM for subscriber awareness is perceived to be of great value
• TCP profile selection based on RAT type
• Native support for TCP optimization as a PEM built-in action
• Improved TCP troubleshooting/analytics to provide an indicator for TCP experience degradation is of key interest (TCP stats, congestion indicators like goodput, jitter, delay, etc.)
[Diagram: TCP profile selection by RAT type. Control plane (RAT-type updates) reaches BIG-IP via Radius, Diameter Gx or another API from the PCRF and GGSN/PGW. User Service Policy for subscriber John: RAT-Type=3G selects TCP-profile-3G; RAT-Type=4G selects TCP-profile-4G.]

IoT firewall
• Transport
• Revocation
• Inspection
• SSL offload
• Traffic steering
• Application SSL traffic tunnels
• Authentication
• Zone management
• Protocol ...
[Diagram: IoT platforms separated into Security Zone 1, 2 and 3, with secure zones based on device attributes.] All of this makes up an IoT firewall for your IoT applications and services.

IoT features: protocol support, transport support, traffic management, security management, advanced features, verticals
• Protocols: MQTT, CoAP, AMQP, XMPP, HTTP, HTTP 2.0, WebSocket (WebSkt), LWM2M
• Verticals: Manufacturing (factories, mining); Utilities (energy); Smart Spaces (home, building, city); Transportation (cars, public transit); Platform Providers (cloud, service, integration)
• MQTT – Message Queuing Telemetry Transport; CoAP – Constrained Application Protocol; XMPP – Extensible Messaging and Presence Protocol; AMQP – Advanced Message Queuing Protocol

Policy Enforcement Manager (PEM): dynamically manages traffic and subscribers in real time
• Analytics: HSL, IPFIX; usage reporting
• Centralized policy control: provisioning (Gx); service chaining (Gx / Gy); NSH; optimization
• Subscriber-aware traffic steering and subscriber discovery
[Diagram: DNS, CSCF, PCRF, AAA and OCS on the control plane; RTR and PGW/GGSN towards the Internet; a chain of VAS elements (VAS … VAS).]
F5 capabilities: subscriber awareness, traffic optimization, application visibility, automation, security, scale, intelligent traffic steering, analytics.

Use Case: Ability to categorize HTTP traffic based on URLs and domain names
• Enforce traffic policy based on HTTP URI attribute categorization
• Improved iRules capability for obtaining/setting categorization results
• Local database, custom database and cloud based
[Diagram: 1. Subscriber tries to access a blocked URL via PGW/GGSN and RTR. 2. Integrated Webroot URL filtering / blacklist. 3. Access denied.]
Customer benefit: operators can offer URL categorization and parental control plans to subscribers. Subscribers get better control of traffic; operators get monetization benefits.

Use Case: Ability to steer traffic through different value-added services and network elements
• Intelligent traffic steering to VAS servers
• Leverage subscriber/application awareness for steering
• Steering on response
• Analyze the response and apply the steering policy per flow/transaction
[Diagram: VAS control plane (PCRF, AAA, Radius, Diameter Gx, other API); VAS elements Video Optimization and Parental Control; access via GGSN (3G), PGW (LTE) and BNG (fixed) to the Internet. User Service Policy: John – Video Optimization "Subscriber bypass", Parental Control "No"; Paul – Video Optimization "Always", Parental Control "Yes".]
Customer benefit: a fixed or mobile solution for optimizing subscriber and application traffic through VAS and network elements.

Use Case: Sponsored content insertion for free Internet access
[Diagram: Policy and Subscriber Management (PCRF); VAS (WAP toolbar VAS / content); Content Provider (OTT); 3G and 4G access via PGW and RTR to the Internet through BIG-IP PEM on VIPRION 4480.]
Solution
• Traffic steering upon 3G / 4G
• Toolbar content insertion via PEM
Benefits
• Monetize new services
• Optimize subscriber QoE

Application classification
• Total applications covered: 2440
• Issued first signature update package for v12.1

DNS for Service Providers
LDNS
• Faster DNS for 3G and 4G LTE
• Enhanced performance through transparent cache
• Exponential DNS performance and DDoS security protection
• Enhanced subscriber experience
Authoritative
• Robust, scalable portal and service access
• Proactively monitor for service-level adherence
• Mitigate DNS threats by blocking access to malicious IPs
Infrastructure
• Intelligent DNS for Evolved Packet Core
• Caching resolver for server consolidation
• Optimize global service delivery
[Diagram: Enterprise / Service Provider DNS infrastructure. Labels: Subscriber Management, Billing/Self Service, IP Multimedia Subsystem (IMS), DNS, HSS/HLR, DHCP, ENUM, Activation.]
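The Address/Port Allocation Mechanisms slide says deterministic NAT needs almost no logging while NAPT with random ports needs a large logging infrastructure. The following added example (not F5 code; the private prefix, public pool, port range and block sizes are constructed) shows why: under deterministic NAT the subscriber-to-(public IP, port block) mapping is a pure function of the configuration, so an abuse-desk lookup of a public IP and port is reversed without any session records, and it counts the log records each of the three allocation modes would need for a constructed subscriber population.

```python
import ipaddress
import math
from dataclasses import dataclass

@dataclass(frozen=True)
class DetNatConfig:
    private_prefix: str           # subscriber (inside) address space
    public_pool: tuple            # ordered public (outside) addresses
    port_start: int = 1024        # first translatable port
    port_end: int = 65535         # last translatable port
    subscribers_per_ip: int = 16  # inside hosts sharing one public IP

def block_size(cfg: DetNatConfig) -> int:
    """Ports each subscriber owns: the port range split evenly across sharers."""
    return (cfg.port_end - cfg.port_start + 1) // cfg.subscribers_per_ip

def forward_map(cfg: DetNatConfig, private_ip: str):
    """Subscriber -> (public_ip, first_port, last_port); computed, never stored."""
    net = ipaddress.ip_network(cfg.private_prefix)
    host = ipaddress.ip_address(private_ip)
    if host not in net:
        raise ValueError(f"{private_ip} is outside {cfg.private_prefix}")
    idx = int(host) - int(net.network_address)
    ip_index, slot = divmod(idx, cfg.subscribers_per_ip)
    if ip_index >= len(cfg.public_pool):
        raise ValueError("public pool too small for this subscriber index")
    first = cfg.port_start + slot * block_size(cfg)
    return cfg.public_pool[ip_index], first, first + block_size(cfg) - 1

def reverse_map(cfg: DetNatConfig, public_ip: str, port: int) -> str:
    """Abuse-desk lookup: (public_ip, port) -> subscriber, with no session log."""
    if not cfg.port_start <= port <= cfg.port_end:
        raise ValueError(f"port {port} is outside the translated range")
    ip_index = cfg.public_pool.index(public_ip)   # ValueError if not in the pool
    slot = (port - cfg.port_start) // block_size(cfg)
    net = ipaddress.ip_network(cfg.private_prefix)
    return str(net.network_address + ip_index * cfg.subscribers_per_ip + slot)

def log_records(mode: str, subscribers: int, sessions_each: int, pba_block: int = 512) -> int:
    """Records needed to attribute every (public_ip, port, time) to a subscriber."""
    if mode == "napt_random":     # one record per session
        return subscribers * sessions_each
    if mode == "port_block":      # one record per allocated block of pba_block ports
        return subscribers * math.ceil(sessions_each / pba_block)
    if mode == "deterministic":   # only the configuration object above is kept
        return 0
    raise ValueError(mode)

# Constructed example: a 10.0.0.0/16 subscriber range behind four TEST-NET-3 public addresses.
CFG = DetNatConfig("10.0.0.0/16", ("203.0.113.1", "203.0.113.2", "203.0.113.3", "203.0.113.4"))
```

With this configuration forward_map(CFG, "10.0.0.17") returns ('203.0.113.2', 5056, 9087), and reverse_map(CFG, "203.0.113.2", 7000) returns '10.0.0.17' without consulting any log.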