Mobile Application Assurance on the Alcatel-Lucent 7750 Service Router Mobile Gateway

Optimize network resources, enrich and personalize user experiences and monetize the services
Application Note

Table of contents

Abstract
Deep packet inspection in wireless networks
    Introduction
    Basic IP flows, shallow packet inspection and deep packet inspection
Main use cases for L4-L7 traffic inspection in mobile networks
    Monitoring, reporting and optimizing the use of network resources
    Protecting network resources
    Using L4-L7 traffic inspection to enable new services and revenue generation
    L4-L7 DPI as part of a larger policy control and management framework
The Alcatel-Lucent 7750 SR as a mobile gateway
    Mobile Gateway - Integrated Services Module
Mobile Application Assurance
    How Mobile AA works
    Modes of deployment
    Application identification and policy enforcement
    Key deployment scenarios
Mobile AA: deployment architectures and benefits
    Deployment architectures
    Benefits
    Architectural advantages of the Alcatel-Lucent 7750 SR for Mobile AA
Conclusion
References
Abbreviations

Abstract
This application note explains the technology basics and main deployment options of Mobile Application Assurance (AA), an Alcatel-Lucent innovation in the area of Layer 4-Layer 7 mobile IP traffic processing (also referred to as deep packet inspection [DPI]), as implemented on the Alcatel-Lucent 7750 Service Router (SR) Mobile Gateway. Using Mobile AA, wireless service providers are able to optimize their network resources and use detailed knowledge about mobile network applications to enrich and personalize end-user experiences and further monetize data services.

Deep packet inspection in wireless networks

Introduction
The unprecedented and exponential growth of users, smart communication devices and new usage patterns enabled by these powerful portable computing platforms is increasingly an area of concern for many mobile service providers and network operators. The phenomenon of always-on data connectivity imposes a heavy toll on all network resources from the Radio Access Network (RAN), across the backhaul and backbone networks, across the wireless packet core, all the way to the application domains and the Internet. Ensuring guaranteed Quality of Experience (QoE) to end users becomes a paramount goal and a benchmark of success for wireless service providers.

Because wireless environments can scale from hundreds of thousands to millions of users and connected devices, ensuring the right levels of QoE to all users often becomes a balancing act that must take into consideration current network load levels, users' eligibility for the use of network resources, their service plans, and their content-based charging and URL-based charging.

To keep all the vital network resources under control, wireless service providers may want to gain additional knowledge about the traffic in their network by going beyond understanding basic traffic patterns as referenced by IP flows. The additional traffic knowledge can be obtained from layers 4-7 through real-time processing capabilities in the form of traffic inspection and analysis that is performed on the user or application traffic (payload) while observing user privacy and maintaining anonymity.

This knowledge about network traffic can be used in a variety of ways, from providing better network monitoring and reporting, to ensuring fair use of network resources and improving network security. Network traffic knowledge can also be used to facilitate faster creation and quicker introduction of new services with improved charging models, such as personalization of services with enhanced content-based charging and URL-based charging.

This application note provides an overview of the integrated approach to advanced L4-L7 wireless traffic processing capabilities, referred to as Mobile Application Assurance (Mobile AA), on mobile gateways based on the Alcatel-Lucent 7750 SR.

Basic IP flows, shallow packet inspection and deep packet inspection

As wireless network environments evolve toward 4G, most communication protocols become based on the IP protocol stack. At the same time, network applications are also based on the set of IP protocols, and for this reason the evolved mobile network environment (LTE/4G and beyond) is referred to as all-IP. In the all-IP environment, application traffic traverses the network in the form of IP flows: unidirectional communication paths, passing the IP packets from one endpoint to another.

An IP flow is a unidirectional sequence of IP packets that share the following information:
- Source IP address
- Destination IP address
- Source port number
- Destination port number
- Protocol

These five elements uniquely define an IP flow and are commonly called a 5-tuple or a quintuplet. To describe a two-way communication, two unidirectional IP flows are required.

In 2G, 2G+, 3G and 3G+ mobile environments, IP flows are mapped to Packet Data Protocol (PDP) contexts: data containers that exist between Serving GPRS Support Nodes (SGSNs) and Gateway GPRS Support Nodes (GGSNs). In Long Term Evolution (LTE) environments, the equivalent term for an IP flow is a Service Data Flow (SDF), while a data structure container carrying the flows with the same QoS characteristics is called a bearer. For the purpose of this application note, we use the term IP flows, understanding that their network treatment and processing is actually performed on the data structures carrying them: PDP contexts and bearers.

A lot of network knowledge can be obtained from examining the information about IP flows and analyzing the associated traffic levels (volumes). For this reason, many network monitoring tools look at IP flows. These tools are used for overall network monitoring and planning as well as for individual applications and/or user devices, for security analysis, accounting and billing and also for additional network traffic data warehousing and mining.
The network traffic intelligence gathered from basic understanding of IP flows based on quintuplets in many ways resembles tracing IP crop lines but does not necessarily provide much detail about the network traffic. In its simplest implementations, packet inspection is based on extracting basic protocol information from the IP header. This technique, shown in Figure 1, is called shallow packet inspection (SPI).

Figure 1. Shallow packet inspection: Looking at the information in IP headers
[Figure labels: IP packet flow; Time; IP header; IP payload]

However, it is difficult or impossible to come to application-related conclusions using only this basic inspection process. As IP applications proliferate and become more sophisticated, they also introduce additional complexity by providing support for new and advanced protocols and/or by offering a plethora of masquerading and obfuscation capabilities. As a result, a large number of different protocols and application techniques, including encapsulation, are being used for many different traffic types. Service providers cannot easily obtain detailed traffic information just by analyzing basic flow information.

In the simplest cases, looking at the standard ports (for example, Port 25 for Simple Mail Transfer Protocol [SMTP] and Port 80 for Hypertext Transfer Protocol [HTTP]) may be sufficient to detect the application as either email or a web browser. However, the assumptions for mapping standard ports and protocols may not always be true because the protocols may be using non-standard ports while the standard ports may be used for non-standard protocols. For example, HTTP can be used for web browsing and also for video encapsulation (HTTP video streaming). In addition, a number of other applications may appear to be HTTP by using standard HTTP ports.

Therefore, to fully understand end-user traffic types and data volumes in order to optimize and improve services while protecting and monetizing network resources, some additional knowledge about network traffic is required. This knowledge can be obtained by examining the traffic characteristics of the payload (user or application traffic) carried as IP flows using DPI. DPI examines the content of IP (Transmission Control Protocol or User Datagram Protocol [TCP/UDP]) flows, reassembles IP datagrams, TCP data streams and UDP packets, and performs additional traffic analysis in real time. Because the application layer is Layer 7 in the OSI Reference Model (OSIRM), this inspection is sometimes referred to as L7 traffic inspection or L7 DPI.

Application-specific flows are identified by their unique digital signatures. The digital signatures can be considered as the application fingerprints. Although a special and unique digital signature is required to uniquely and positively identify an application or a protocol, in many cases the static definition of a signature is not precise enough to consistently identify all instances and variations of an application. This is because certain applications, such as peer-to-peer flows, change pattern and apply encryption to remain unidentified. Figure 2 shows a collection of these digital fingerprints using DPI techniques and looking beyond IP headers into IP packet payload.

Signature definition is the first and most important step toward any DPI implementation. There are many methods identified for signature construction and definition, ranging from basic port analysis (classification of the applications according to the ports they should normally be using), to string matching, to complex behavioral and heuristic algorithms, which may take into consideration, for example, variations of packet arrival times and payload sizes over time. Having a solid base of digital signatures and maintaining it regularly to add support for new applications is essential to successfully implement DPI.

Using the L4-L7 traffic knowledge about various network applications, further actions can be taken to optimize network resources, such as preventing certain application traffic from unfairly using the network resources that could be made available to other users and applications and thereby contributing to congestion.
Figure 2. Using DPI to examine IP packet payload
[Figure labels: Signatures examined over several packets; Time; IP header]

Main use cases for L4-L7 traffic inspection in mobile networks


Common uses of L4-L7 traffic inspection in mobile networks vary from static monitoring and reporting to using information obtained from L4-L7 traffic inspection for further network actions.

Monitoring, reporting and optimizing the use of network resources


One of the most common uses of L4-L7 traffic inspection is to collect information on traffic types, volumes and temporal variations by a specific user, device, application and network part or through a specific network element. Depending on the type of knowledge and statistics required about network traffic, the traffic inspection techniques required may be employed to track and monitor, as an example, network application usage levels on aggregate levels for all applications of the same type in the network. Such aggregated and statistical information can be obtained, assembled or pre-processed, then arranged and passed to a collection, archival or reporting system for further analysis. From this analysis, a service provider can obtain useful knowledge about usage patterns in the network on both the individual and aggregate (network) level. One example of using this knowledge is getting periodic views of specific network devices and associated applications. Further actions can be taken to optimize the use of network resources. This information can also be very useful for network planning.

Protecting network resources

L4-L7 traffic inspection techniques can be used to ensure the fair use of network resources and to protect network resources from unauthorized or excessive and uncontrolled usage. While SPI techniques with their limited traffic knowledge are restricted to facilitating basic per-flow traffic counting and bandwidth measurement in a protocol-agnostic manner, L4-L7 traffic inspection can be used to allocate resources properly among network users or different classes of network services.

For example, L4-L7 DPI techniques can be used to identify users, devices and applications that are consuming significant network resources for peer-to-peer file transfers, and by doing so, may be jeopardizing their agreed service plans or allocation of network resources for other, possibly premium, users and applications. Once identified, heavy users/devices and associated applications can be governed, through associated service plans and applicable network policies, to acceptable usage levels or can be prioritized or de-prioritized to indicate premium or non-premium Quality of Service (QoS) treatment. The result is fair allocation of network resources among users, devices and applications, in accordance with their service eligibility and subscription plans.

It becomes clear that L4-L7 traffic inspection techniques can extend their applicability to both the protection of network resources and protection of the network traffic itself and, in some cases, to the protection of content. For example, sophisticated algorithms and techniques can be combined to identify copyrighted or criminal content and to notify copyright owners or legal authorities. While DPI techniques can deliver advanced traffic processing abilities, they are just a tool for advanced processing of network traffic, upon which further functionality can be built in important areas such as security, QoS, application optimization, content delivery networks (CDNs), monitoring, and reporting and charging.

Using L4-L7 traffic inspection to enable new services and revenue generation
Increasingly, service providers and network operators are looking at L4-L7 DPI techniques to further identify, sort and filter types of user- and application-related data and correlate this information to their service packages. They also want to provide real-time, context-sensitive links with their billing and charging systems. Many service providers and network operators see the opportunity to use this knowledge about network traffic obtained through DPI techniques to increase revenues by addressing specific users or market segments and to increase market share by differentiating themselves from their competitors. A service provider's ability to provide differentiated charging for specific URLs (web domains) or specific traffic types has become increasingly important to improve customer satisfaction as well as to improve competitiveness.

Critical reasons for using L4-L7 DPI techniques for additional network monetization of traffic flows reside in the operator's ability to obtain detailed intelligence about user, application and usage patterns from the network itself. This imposes stringent requirements to provide real-time analysis of high volumes of traffic and high numbers of concurrent traffic flows while providing detailed per-flow, per-user and per-application information. The ability to fully address network architectural demands for scalability while retaining desired performance and reliability becomes a very important test for DPI techniques and a success factor that can help elevate the overall service provider value. DPI techniques are elevated from a tool for aggregate traffic control to an instrument that allows per-user (per-device) service management, and a driver for further revenue generation (see Figure 3).
Figure 3. Key benefits of L4-L7 traffic inspection and analysis
[Figure labels: Aggregate traffic control; Per-user reporting; Per-user management; Revenue generation; Per-flow QoS; Per-application QoS; Per-user/device QoS; Network protection; Cost control fair-use (P2P); Network usage reports; End-user security; URL filtering. Axes: Service provider value; Network architectural demands (scale, performance, reliability, network integration)]

L4-L7 DPI as part of a larger policy control and management framework

L4-L7 DPI technology can provide strong insight into network traffic for service providers. Essentially, it is just a powerful toolkit that must be integrated in the network as a part of a larger service-focused framework. Specifically, the application of DPI needs to be integrated in the overall network operations to be able to perform monitoring, planning, and preventive and corrective activities. This larger framework is the area of policy control and management.

Wireless network environments are largely migrating from static user- and device-based access and usage control and charging to real-time, policy-based, network-wide control and charging. With the evolution of policy and charging to 3GPP Policy Charging and Control (PCC) architecture, wireless service providers and network operators can extend the application-level insight and enforcement capabilities provided by DPI technology by looking at DPI as one additional element of their PCC architecture.

3GPP TS23.203 specifies the PCC functionality for Evolved 3GPP Packet Switched domains, including 3GPP access (GSM/Edge Radio Access Network [GERAN], UMTS Terrestrial Access Network [UTRAN] and Evolved Universal Mobile Telecommunications System Terrestrial Radio Access Network [E-UTRAN]) and non-3GPP access, according to TS23.401 and TS23.402. As such, PCC encompasses two main functions:
- Flow-based charging, including charging control and online credit control
- Policy control, including gating control, QoS control and QoS signaling

The PCC architecture introduces dedicated network entities that perform the Policy and Charging Rules Function (PCRF) and the Policy and Charging Enforcement Function (PCEF). The PCRF collates subscriber and application data, authorizes QoS resources and instructs the user (data) plane element how to further process data traffic. The PCEF is a functional entity that implements the enforcement function in a data plane element, most often in a mobile gateway. The PCEF uses PCC rules to classify traffic by service data flows and apply the appropriate QoS and charging mechanisms as instructed by the PCRF (see Figure 4).
Figure 4. Alcatel-Lucent 7750 SR as a PCEF in PCC architecture (simplified)
[Figure labels: Subscriber profile repository; PCRF; PCEF; Online (OCS) and offline (FCS) charging systems; 5780 DSC; 7750 SR GGSN/PGW. Interfaces: Sh/LDAP; Sy; Gx; Gy, Gz]

QoS control is applied on a per-bearer level in the PCEF. As already mentioned, a bearer is a virtual data container aggregating all service data flows that require the same QoS treatment. PCC rules can be predefined (preprovisioned) on the PCEF or provided dynamically to the PCEF from the PCRF. Dynamic PCC rules are derived within the PCRF, taking into consideration the subscriber profile as well as additional real-time and dynamic information, such as requested bandwidth, requested QoS and other subscriber or traffic flow-specific data, if available.

It is obvious that policy control and management extends the basic use of L4-L7 traffic processing technology, which must be looked at as a subset of PCEF functionality and as a part of the larger policy and control management framework that is required for real-time, dynamic, large-scale, policy-based control of network resources. The deployment of advanced policy control and management architectures in wireless environments delivers the synergy of real-time interaction between the PCRF and the PCEF. The ease with which L4-L7 techniques can be employed within the network and integrated as a part of the overall architecture becomes a critical success factor for service providers as they look for new and innovative ways to monetize their network through more personalized services and with more precise service control.

With Alcatel-Lucent, wireless operators are able to quickly realize the benefits of this synergy by leveraging the advanced in-line traffic processing capabilities of the Alcatel-Lucent 7750 SR Mobile Gateway. As a next-generation mobile gateway and a PCEF element in the PCC architecture, the Alcatel-Lucent 7750 SR enables the delivery of new and innovative services with the ability to deliver advanced L4-L7 traffic processing for high-aggregate volumes, processing a large number of flows while also providing detailed per-flow, per-user and per-application information. Implementation of the PCEF using the Alcatel-Lucent 7750 SR Mobile Gateway allows wireless service providers to be more competitive, create new revenue streams and raise their revenues and profits while maintaining granular control of network resources.

The Alcatel-Lucent 7750 SR as a mobile gateway


The Alcatel-Lucent 7750 SR delivers LTE Evolved Packet Core (EPC) gateway functionality (serving gateway and/or PDN gateway) as well as next-generation GGSN functionality. Engineered for the further evolution of mobile broadband to address the exponential increase in the number of users and applications as well as higher bandwidth usage, lower latency and longer duration of data sessions, the Alcatel-Lucent 7750 SR Mobile Gateway (see Figure 5) can converge and consolidate LTE and 3G+ mobile cores as the next-generation data-plane platform with exceptional performance and scalability and with high operational flexibility. The mobile gateway application is enabled through the Mobile Gateway - Integrated Services Module (MG-ISM), a card that fits into the Alcatel-Lucent 7750 SR and allows deployment of the 7750 SR as a GGSN, a Serving Gateway (SGW), a Packet Data Network Gateway (PGW) or a combined GGSN/PGW. Combining the LTE PGW and GGSN application in a single system results in converged wireless IP anchor functionality for 2G, 3G, 4G and LTE deployment. Common IP anchoring is critical to ensure seamless 2G/3G and 4G/LTE interworking and roaming in environments where RAN coverage is achieved over multiple radio access technologies (RAT). 
Based on the industry-leading service edge platform, the Alcatel-Lucent 7750 SR Mobile Gateway delivers:
- High reliability (>99.999 percent): Needed to preserve end-user QoE, achieved using intra-shelf and inter-shelf redundancy, with full redundancy of control and switching elements and line cards
- High aggregate throughput: Over 100 Gb/s at the mobile layer, with support for high-speed line interfaces up to 100 Gb/s
- Full isolation of the mobility control plane from the L3 IP control plane
- Service awareness with advanced IP traffic management capabilities with per-user, per-application, per-flow hierarchical QoS
- Advanced policy enforcement (PCEF) functionality and full integration with the PCRF, including integrated, in-line DPI functionality with L4-L7 advanced traffic processing capabilities
Figure 5. Alcatel-Lucent 7750 SR Mobile Gateway

Mobile Gateway - Integrated Services Module

The Mobile Gateway Integrated Services Module (MG-ISM) is a hot-swappable module that fits into any of the input/output (I/O) slots of the Alcatel-Lucent 7750 SR to provide SGW or PGW functionality for LTE or GGSN functionality for 2G/3G. User-plane traffic (bearers in LTE or Packet Data Protocol [PDP] contexts in 3G/2G) is directed to the MG-ISM through the 7750 SR backplane and switching fabric, eliminating the need for the MG-ISM to directly support external connections and maximizing its packet processing performance.

The MG-ISM ensures service continuity at the user (data) plane for Service Data Flows (SDFs), carried over bearers and PDP contexts. The MG-ISM supports flow detection and communicates with the PCRF and, as instructed by the PCRF or according to its local, statically pre-configured policy rules, performs the PCEF. The MG-ISM also facilitates flow-based charging through interfaces toward offline and online billing and charging systems. Data flows are identified by the MG-ISM and subjected to a set of QoS policy rules comprising match-and-action criteria that determine the QoS treatment and subsequent traffic processing by the mobile gateways.

The Alcatel-Lucent 7750 SR equipped with the MG-ISM delivers high-performance mobile gateway functionality with the ability to:
- Ensure per-user, per-flow and per-application QoS performance
- Allow passive monitoring and reporting
- Provide active bandwidth and/or flow policing while performing flow-based QoS re-marking to guarantee the required end-to-end QoS

The MG-ISM performs all mobile gateway-related functions for both the control plane and the data/user plane. It is instrumental in ensuring separation and isolation of L3 mobile control plane functions from L3 IP control plane functions (building and maintaining an L3 routing information base [RIB]), which is also performed by the 7750 SR. These L3 IP control plane functions are normally performed by routers external to mobile gateways.

Mobile Application Assurance


In addition to mobile gateway data plane and control plane functions, the MG-ISM performs sophisticated L4-L7 in-line traffic processing. The term in-line refers to the capability of performing additional L4-L7 traffic inspection, analysis and processing without additional equipment (external or internal to the Alcatel-Lucent 7750 SR) and as a part of user (data) plane processing. When L4-L7 traffic inspection techniques are used, the processing and integration capabilities of the MG-ISM and the Alcatel-Lucent 7750 SR Mobile Gateway deliver much more than basic traffic inspection and identification. The ability to extract additional knowledge about traffic directly results in service awareness and allows acting on this knowledge in real time and processing an extremely large number of traffic flows with very high aggregate traffic volumes. The result is an increased operational ability to deliver assured levels of consistent, high-quality services.

Alcatel-Lucent refers to the refined set of capabilities of the Alcatel-Lucent 7750 SR to perform massive, real-time L4-L7 traffic inspection and processing as Mobile Application Assurance (Mobile AA). The MG-ISM delivers Mobile Application Assurance (AA) for applications where the Alcatel-Lucent 7750 SR is deployed as a mobile gateway, either as a GGSN or as an LTE PGW. Mobile AA leverages MG-ISM hardware capability to identify different network applications by comparing traffic patterns extracted from real-time, stateful traffic inspection of traffic payload against a library of digital signatures, which is kept locally on the Alcatel-Lucent 7750 SR Mobile Gateway. Once a particular network application is identified, the MG-ISM can promptly perform additional actions in accordance with policies that are locally configured on the Alcatel-Lucent 7750 SR Mobile Gateway. Figure 6 shows a functional diagram of Mobile AA on the MG-ISM. In the PCC environment, once the PCRF provides enforcement and charging instructions to the Alcatel-Lucent 7750 SR Mobile Gateway, the instructions are kept as local rules on the Alcatel-Lucent 7750 SR and are used on all future packets in the flows that satisfy the applicable enforcement rules. Depending on the service provider strategy and policies, different QoS models can be applied to different data flows. A service provider can define a number of applications they are interested in, and have additional flexibility by allocating these applications to a number of application groups. By doing so, for example, specific applications can be partly or completely blocked and/or their QoS can be decided based on policy and guaranteed on a per-application or per-user basis.
Figure 6. Functional diagram of AA on the MG-ISM
[Figure labels: User plane traffic subject to 5-tuple classification; User plane traffic subject to L4-L7 protocol analysis; Physical interface; 7750 SR switching fabric (centralized); MG-ISM; AA]

How Mobile AA works


There are two major steps involved in Mobile AA: application identification and taking adequate QoS policy actions.
Application identification

Application identification is based on positive matching between a traffic flow and a locally kept database of application filters. Application filters are numbered rule entries analogous to IP filters that define the use of protocol signatures and other criteria that define an application. The following criteria can be assigned to an application rule filter entry:
- Protocol signature
- String-based matching: for HTTP, Wireless Application Protocol (WAP), Session Initiation Protocol (SIP) and Transport Layer Security (TLS)
- Flow set-up detection
- Network IP address
- Network port number
- IP protocol number
- Unique application name
- Unique entry ID number

Identification and service provider management of network applications of interest are performed through a very structured approach, which allows quick and easy configuration. This process allows for the organization of applications into groups, and for customization of application filters and associated policy actions.
Application QoS Policy actions

Once an application flow is identified and matched to a specific application filter, the flow is checked against a provider-defined set of Application QoS Policies (AQPs). An AQP is a set of rules defining the match criteria and actions to be taken on the identified traffic. Multiple actions are supported for each rule entry. The statistics for this flow, with subscriber and application context, can also be recorded. Examples of AQP actions include:
- Bandwidth rate limiting
- Flow set-up rate limiting
- Flow count limiting
- QoS re-marking: discard priority and forwarding class
- Discard (drop)
- None: for monitoring and reporting only
- Charging instructions
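
The two steps above, together with the port-versus-payload point made in the shallow packet inspection discussion, as an added Python example that is not taken from the application note or from the 7750 SR software: numbered filter entries identify an application from a payload signature and an HTTP Host string, and AQP entries then return the actions. The filter table, application and group names, action labels, lowest-entry-wins ordering and sample flows are all constructed assumptions.

```python
from dataclasses import dataclass
from typing import Optional

TCP = 6  # IP protocol number

@dataclass(frozen=True)
class Flow:
    src_ip: str
    dst_ip: str
    src_port: int
    dst_port: int
    protocol: int
    payload: bytes  # reassembled start of the client-to-server stream

def port_guess(flow: Flow) -> str:
    """Shallow inspection: trust the well-known destination port."""
    return {25: "Email", 80: "Web Browsing"}.get(flow.dst_port, "Unidentified")

def protocol_signature(payload: bytes) -> str:
    """Tiny stand-in for a signature library (constructed for this example)."""
    if len(payload) >= 3 and payload[0] == 0x16 and payload[1] == 0x03:
        return "tls"  # TLS handshake record, version 3.x
    parts = payload.split(b"\r\n", 1)[0].split(b" ")
    if len(parts) == 3 and parts[2].startswith(b"HTTP/1."):
        return "http"
    return "unknown"

def http_host(payload: bytes) -> Optional[str]:
    """Lower-cased Host header without a port suffix, or None."""
    for line in payload.split(b"\r\n")[1:]:
        if not line:
            break  # blank line ends the headers
        name, _, value = line.partition(b":")
        if name.strip().lower() == b"host":
            return value.strip().decode("ascii", "replace").lower().split(":")[0]
    return None

@dataclass(frozen=True)
class AppFilter:
    """Numbered filter entry; a criterion left as None is a wildcard."""
    entry_id: int
    application: str
    signature: Optional[str] = None
    host_suffix: Optional[str] = None  # string-based match on the HTTP Host
    server_port: Optional[int] = None
    ip_protocol: Optional[int] = None

    def matches(self, flow: Flow, sig: str, host: Optional[str]) -> bool:
        if self.signature is not None and sig != self.signature:
            return False
        if self.ip_protocol is not None and flow.protocol != self.ip_protocol:
            return False
        if self.server_port is not None and flow.dst_port != self.server_port:
            return False
        s = self.host_suffix
        return s is None or (host is not None and (host == s or host.endswith("." + s)))

# Constructed filter table, application groups and AQP entries.
FILTERS = [
    AppFilter(10, "Video Streaming", signature="http", host_suffix="video.example"),
    AppFilter(20, "Web Browsing", signature="http", ip_protocol=TCP),
    AppFilter(30, "TLS", signature="tls", ip_protocol=TCP),
]
APP_GROUPS = {"Video Streaming": "Streaming", "Web Browsing": "Web", "TLS": "Web"}
AQP = [
    {"entry": 10, "app_group": "Streaming",
     "actions": [("bandwidth-rate-limit-kbps", 2000), ("remark-forwarding-class", "af")]},
    {"entry": 20, "application": "Unidentified", "actions": [("none", "report-only")]},
]

def identify(flow: Flow) -> str:
    """Return the application of the lowest-numbered matching filter entry."""
    sig = protocol_signature(flow.payload)
    host = http_host(flow.payload) if sig == "http" else None
    for entry in sorted(FILTERS, key=lambda f: f.entry_id):
        if entry.matches(flow, sig, host):
            return entry.application
    return "Unidentified"

def policy_actions(application: str) -> list:
    """Collect the actions of every AQP entry matching the app or its group."""
    group = APP_GROUPS.get(application)
    actions = []
    for rule in sorted(AQP, key=lambda r: r["entry"]):
        if application == rule.get("application") or (group and group == rule.get("app_group")):
            actions.extend(rule["actions"])
    return actions

def _flow(dst_port: int, payload: bytes) -> Flow:
    return Flow("10.0.0.7", "192.0.2.10", 40000, dst_port, TCP, payload)

SAMPLES = [  # constructed: video over HTTP on 80, HTTP on 8080, non-HTTP on 80
    _flow(80, b"GET /clip.mp4 HTTP/1.1\r\nHost: cdn.video.example\r\n\r\n"),
    _flow(8080, b"GET / HTTP/1.1\r\nHost: news.example:8080\r\n\r\n"),
    _flow(80, b"\x00\x01opaque-binary-protocol"),
]

if __name__ == "__main__":
    print([(f.dst_port, port_guess(f), identify(f), policy_actions(identify(f))) for f in SAMPLES])
```

On the three constructed flows the port-based guess is wrong twice (HTTP on port 8080 is missed, and opaque traffic on port 80 is counted as web), which is the mismatch the text attributes to non-standard port use.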

Modes of deployment
Mobile AA using the Alcatel-Lucent 7750 SR Mobile Gateway can be deployed in two modes:
- In a non-PCC (no PCRF) environment (see Figure 7), Mobile AA is performed by the 7750 SR Mobile Gateway and associated rules are kept locally.
- In a PCC environment (where a PCRF is deployed), Mobile AA becomes an integral part of the PCC architecture and is performed by the Alcatel-Lucent 7750 SR Mobile Gateway. The PCRF maintains QoS and charging rules and communicates the handling instructions to the Alcatel-Lucent 7750 SR Mobile Gateway over the standard Gx interface.
Figure 7. Deploying Mobile AA in a non-PCC environment
[Figure labels: GERAN; UTRAN; E-UTRAN; RNC; SGSN; MME; 7750 SR SGW; 7750 SR PGW/GGSN; Mobile AA; Packet data network. Interfaces: Iu-PS; Direct tunnel (optional); Gn; S3; S1-MME; S1-U; S11; S5; SGi. Legend: Control plane; User (data) plane]

Figure 8 shows deployment in a PCC environment, where the PCRF is implemented using the Alcatel-Lucent 5780 Dynamic Services Controller (DSC).
Figure 8. Deploying Mobile AA in a PCC environment
[Figure: network diagram with elements GERAN, UTRAN, E-UTRAN, RNC, SGSN, MME, 7750 SR SGW, 7750 SR PGW/GGSN (PCEF), 5780 DSC PCRF, Mobile AA and packet data network; interfaces Iu-PS, direct tunnel (optional), Gn, S3, S1-MME, S1-U, S11, S5, SGi and Gx; legend: control plane, user (data) plane.]


Figure 9 shows AA on the Alcatel-Lucent 7750 SR Mobile Gateway as PCEF and the Alcatel-Lucent 5780 DSC as PCRF.
Figure 9. AA on the Alcatel-Lucent 7750 SR Mobile Gateway as PCEF and the Alcatel-Lucent 5780 DSC as PCRF
[Figure: block diagram with labels Flow identification, Protocol signatures, Application filters, Applications, Application group, Application QoS Policy Actions, Mobile AA on 7750 SR Mobile Gateway, PCRF, 5780 DSC, Wireless network intelligence, Device details, Subscriber profiles, Network details.]

In both standalone application assurance deployment and in PCC environments, where Mobile AA becomes a sophisticated enhancement to PCEF, a number of use cases ranging from monitoring and reporting to per-application charging are possible.

Application identification and policy enforcement


Mobile AA delivers improved monitoring and reporting, and allows further optimization and protection of network resources. When deployed as a part of the PCC architecture, the PCEF implemented on the Alcatel-Lucent 7750 SR Mobile Gateway extends Mobile AA functionality to improve service agility by being instrumental in new service and charging offerings. For these offerings, Mobile AA provides:
- Identification of unknown or untrusted Internet traffic in L4 to L7
- Monitoring and reporting when positive identifications are made and policies are enforced, with the ability to deliver service-level and user-level granularity
- Flexible QoS policy enforcement for both upstream and downstream directions and for all traffic of interest

Mobile deployment scenarios where Mobile AA can be used range from enhanced service offerings for premium streaming video services, to application-based usage service tiers and practically any scenario that requires a combination of per-application, per-device or per-user traffic monitoring, reporting and charging.


Mobile AA identifies end-user/device data traffic as specific protocols and applications, then correlates control information, such as SIP and associated data flows (for example, Real-time Transport Protocol [RTP]) that belong to the same application. When identified, a flow is tagged as a known application and is treated according to the applicable policies (excluding application context) for traffic for a particular application profile and direction.

As outlined earlier, Mobile AA employs the set of application filters that define a particular application through the use of protocol signatures and other criteria. The digital protocol signature database can be updated in service, using activity switches and the system management infrastructure, without any impact to system routing or the Alcatel-Lucent 7750 SR Mobile Gateway operation.

In the PCRF environment, the Alcatel-Lucent 5780 DSC as a PCRF can send the PCEF rules (based on the application and subscriber) to the Alcatel-Lucent 7750 SR Mobile Gateway. The rules set by the Alcatel-Lucent 5780 DSC dictate actions to be taken on identified traffic according to the various service options and other defined input criteria. Actions are taken on all matching flows or until instructed otherwise.

These local actions implemented by the Alcatel-Lucent 7750 SR Mobile Gateway consist of various traffic handling instructions that are applied to an identified flow, with multiple actions supported for each rule entry. Subsequent packets (for the identified flow) have an associated action (or actions) applied and are recorded with related statistics. Multiple policies can be applied to any given packet in a flow.
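The following added example (not Alcatel-Lucent code and not 7750 SR configuration syntax) models the pipeline described above together with the application filters and AQP actions described earlier: a flow is matched against numbered filter entries, the identified application selects AQP actions, and later packets of the same flow reuse that result while statistics accumulate per subscriber and application. The filter entries, application names, action strings, first-match evaluation in ascending entry order and identification from the first packet are all assumptions made for illustration.

```python
from collections import Counter

# Constructed application filters: numbered entries, None means "any".
FILTERS = [
    {"entry": 10, "app": "voip-sip", "ip_proto": 17, "port": 5060,
     "signature": "sip", "host": None},
    {"entry": 20, "app": "video-portal", "ip_proto": 6, "port": 80,
     "signature": "http", "host": "video.example.net"},
    {"entry": 30, "app": "web-generic", "ip_proto": 6, "port": None,
     "signature": "http", "host": None},
]

# Constructed AQPs: match criteria plus one or more actions per rule.
AQPS = [
    {"match": {"app": "video-portal", "direction": "down"},
     "actions": ["rate-limit:2000kbps", "remark-fc:af"]},
    {"match": {"app": "web-generic"}, "actions": ["none"]},  # monitor only
]

CRITERIA = ("ip_proto", "port", "signature", "host")

def identify(flow):
    """Return the app of the lowest-numbered filter whose criteria all match."""
    for f in sorted(FILTERS, key=lambda f: f["entry"]):
        if all(f[k] is None or f[k] == flow.get(k) for k in CRITERIA):
            return f["app"]
    return "unknown"  # no positive match in the filter database

def actions_for(app, direction):
    """Collect the actions of every AQP rule that matches this flow context."""
    ctx = {"app": app, "direction": direction}
    out = []
    for rule in AQPS:
        if all(ctx[k] == v for k, v in rule["match"].items()):
            out.extend(rule["actions"])
    return out

class Enforcer:
    def __init__(self):
        self.flows = {}         # 5-tuple -> (app, actions)
        self.stats = Counter()  # (subscriber, app) -> bytes seen

    def packet(self, five_tuple, subscriber, direction, meta, size):
        if five_tuple not in self.flows:       # identify once per flow
            app = identify(meta)
            self.flows[five_tuple] = (app, actions_for(app, direction))
        app, actions = self.flows[five_tuple]  # later packets reuse the result
        self.stats[(subscriber, app)] += size
        return app, actions
```

Because entry 20 is numbered below entry 30, HTTP traffic to the constructed video host is identified as `video-portal` before the generic web entry can claim it, which is why entry ordering matters when filters overlap.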

Key deployment scenarios


Deployment scenarios for using Mobile AA on the Alcatel-Lucent 7750 SR Mobile Gateway are very wide and flexible. They range from monitoring and reporting cases, where certain types of applications are monitored and the details on their usage are reported, to advanced deployment scenarios where AA is used to facilitate dynamic, real-time policy enforcement. Generally, these deployment scenarios address three key areas of concern for mobile service providers and network operators.
Enabling new revenues

- Subscriber excessive usage fees
- Application-aware zero rating
- Application or bandwidth boosting
- Monetized HTTP redirection
- Personalized service packaging
- Per-event, per-session or per-application charging
- Next-generation digital media distribution


Optimizing operations

- Application or service intelligence gathering for service and capacity planning
- Application-aware and user/device-aware metering and charging
- Fair-share traffic optimization per device or per application
Protecting network infrastructure

- Detection of application anomalies and heavy users
- Traffic management: peer-to-peer throttling
- Flexible usage caps

Mobile AA enables mobile service providers and network operators to monetize their assets, optimize their operations and protect their network infrastructure.

Mobile AA: deployment architectures and benefits


Deployment architectures
Deployment architectures for DPI in mobile networks are dependent on implementation choices for performing DPI on different network elements:
- On the packet core network elements: mobile gateways
- On packet core-facing multiservice edge routers (MSERs)
- On external, stand-alone DPI devices

The Alcatel-Lucent 7750 SR is unique in its capability to address both the mobile gateway and the mobile edge router functionality using a common platform and operating system (see Figure 10).
Figure 10. Alcatel-Lucent 7750 SR: Converged edge routing and mobile core platform
[Figure: network diagram with labels RAN, IP/MPLS backhaul, Aggregation routers, 7750 SR, Mobile packet core, 7750 SR Mobile Gateway, Internet.]


Benefits
When the Alcatel-Lucent 7750 SR is deployed as a mobile gateway (GGSN or an LTE EPC gateway: SGW and/or PGW), its in-line Mobile AA functionality brings additional benefits. Table 1 shows key areas of applicability of Mobile AA and the advantages of using the Alcatel-Lucent 7750 SR instead of alternative overlay approaches based on external DPI devices.
Table 1. Key benefits of using the Alcatel-Lucent 7750 SR Mobile Gateway and AA

Columns: DPI implementation approach features; 7750 SR Mobile Gateway; External DPI

- Multivendor mobile gateway environment
- Multiple access technologies (RAN)
- Converged network environments
- Selective traffic inspection based on the access point name (APN)
- Advanced QoS control mechanisms for bearers and/or PDP contexts
- Large-scale tunnel termination
- Hierarchical QoS
- Large-scale aggregate volume
- High reliability (L4-L7 traffic inspection resiliency/redundancy)
- In-service maintenance and signature database upgrades
- Roaming awareness
- Operational agility based on platform reusability
- Additional intrusion detection system (IDS) and transactions per second (TPS) security options
- IPsec support for traffic offloading
- Online and offline charging support
- Integration in PCC environments (Gx interface)

Architectural advantages of the Alcatel-Lucent 7750 SR for Mobile AA


A Mobile AA deployment strategy based on the Alcatel-Lucent 7750 SR shows clear advantages over competitive SPI/DPI approaches based on external equipment, often referred to as the bump-in-the-wire approach. The Alcatel-Lucent 7750 SR supports both the mobile gateway with in-line Mobile AA and the edge router functionality on a single platform. The Alcatel-Lucent 7750 SR provides significant benefits over approaches with external DPI devices, with the most critical differentiation in the areas of reliability, scalability (number of data sessions and traffic volume), operational agility and integration. The Alcatel-Lucent 7750 SR as a mobile gateway provides dedicated hardware for mobile user (data) and control plane processing as well as separation and isolation of regular L3 IP (router) control plane processing from mobile control plane functions.


As mobile traffic continues to grow in both data volume and control plane volume, service providers and network operators face the same challenges observed in residential broadband networks and in all-IP environments. There will be a huge number of cases where it is safest to assume that all traffic is untrusted and potentially rogue, particularly as mobile environments evolve to policy and charging architectures.

To meet the need for efficient, real-time policy enforcement (PCEF) of all mobile traffic, which at times may require Mobile AA on most or all mobile traffic, the Alcatel-Lucent 7750 SR delivers in-house technology using a multicore central processing unit (CPU) that enables real-time, in-line, stateful flow inspection, application detection and QoS/policy processing for all applicable flows. This CPU is not shared with the rest of the system and it is not involved in other control or user (data) plane activities except Mobile AA. Identification of network flows is fully independent of the ports they are physically arriving on, and this facilitates scaling of this functionality with uniform processing of all traffic and application of policies across all interfaces.

As a result, the Alcatel-Lucent 7750 SR Mobile Gateway is able to handle extremely heavy packet processing loads and to provide additional value because of its ability to be granular and to enable differentiated charging even for the same web site, based on content or application type. For example, accessing text or images could be charged differently from accessing videos hosted on the same web site or referred to it (or not charged at all). By being able to extend its vast set of traffic processing capabilities, including Mobile AA, and to provide detailed and direct support to charging and billing systems, the Alcatel-Lucent 7750 SR Mobile Gateway becomes an instrument for further personalization and monetization of mobile services.
When used in conjunction with other packet core elements, particularly the Alcatel-Lucent 5780 DSC in the role of PCRF, this set of 7750 SR capabilities turns the packet core into a true business engine and a business instrument for mobile service providers.

Conclusion
Advanced traffic processing capabilities are a technical prerequisite and also an imperative for next-generation mobile broadband networks. To enable additional technical and business benefits for service providers and network operators, L4-L7 IP packet inspection technology must be sophisticated in its real-time processing capability and configuration flexibility, and must be able to optimize and evolve existing business models and services by being a part of a larger policy and management control framework. For mobile environments, Alcatel-Lucent delivers advanced, in-line L4-L7 traffic processing and traffic management capabilities on the Alcatel-Lucent 7750 Service Router Mobile Gateway through Mobile AA and makes it possible to easily integrate this functionality in the PCC architecture, where the Alcatel-Lucent 7750 SR Mobile Gateway performs the role of the PCEF.



Abbreviations
AQP: Application QoS Policies
CDN: Content Delivery Network
DPI: Deep Packet Inspection
EPC: Evolved Packet Core
E-UTRAN: Evolved Universal Mobile Telecommunications System Terrestrial Radio Access Network
GERAN: GSM/EDGE Radio Access Network
GGSN: Gateway GPRS Support Nodes
HTTP: Hypertext Transfer Protocol
IP: Internet Protocol
IPsec: Internet Protocol Security
LTE: Long Term Evolution
MG-ISM: Mobile Gateway - Integrated Services Module
OSIRM: OSI Reference Model
PCC: Policy Charging and Control
PCEF: Policy and Charging Enforcement Function
PCRF: Policy and Charging Rules Function
PDN: Packet Data Network
PDP: Packet Data Protocol
PGW: Packet Data Network Gateway
QoE: Quality of Experience
QoS: Quality of Service
RAN: Radio Access Network
RIB: Routing Information Base
SAE: System Architecture Evolution
SDF: Service Data Flow
SGSN: Serving GPRS Support Nodes
SGW: Serving Gateway
SIP: Session Initiation Protocol
SPI: Shallow Packet Inspection
TCP: Transmission Control Protocol
TLS: Transport Layer Security
UDP: User Datagram Protocol
UTRAN: UMTS Terrestrial Access Network
WAP: Wireless Application Protocol

www.alcatel-lucent.com Alcatel, Lucent, Alcatel-Lucent and the Alcatel-Lucent logo are trademarks of Alcatel-Lucent. All other trademarks are the property of their respective owners. The information presented is subject to change without notice. Alcatel-Lucent assumes no responsibility for inaccuracies contained herein. Copyright 2011 Alcatel-Lucent. All rights reserved. CPG1076110609 (August)
