Optimize network resources, enrich and personalize user experiences and monetize the services
Application note
Table of contents
Abstract / 1
Using L4-L7 traffic inspection to enable new services and revenue generation / 6
L4-L7 DPI as part of a larger policy control and management framework / 7
Conclusion / 18
References / 19
Abbreviations / 19
Abstract
This application note explains the technology basics and main deployment options of Mobile Application Assurance (AA), an Alcatel-Lucent innovation in the area of Layer 4-Layer 7 mobile IP traffic processing (also referred to as deep packet inspection [DPI]), as implemented on the Alcatel-Lucent 7750 Service Router (SR) Mobile Gateway. Using Mobile AA, wireless service providers are able to optimize their network resources and use detailed knowledge about mobile network applications to enrich and personalize end-user experiences and further monetize data services.
Mobile Application Assurance on the Alcatel-Lucent 7750 Service Router Mobile Gateway
Alcatel-Lucent Application Note
This application note provides an overview of the integrated approach to advanced L4-L7 wireless traffic processing capabilities, referred to as Mobile Application Assurance (Mobile AA), on mobile gateways based on the Alcatel-Lucent 7750 SR.
[Figure residue: IP packet flow over time, showing IP header and IP payload]
However, it is difficult or impossible to come to application-related conclusions using only this basic inspection process. As IP applications proliferate and become more sophisticated, they also introduce additional complexity by supporting new and advanced protocols and/or by offering a plethora of masquerading and obfuscation capabilities. As a result, a large number of different protocols and application techniques, including encapsulation, are used for many different traffic types, and service providers cannot easily obtain detailed traffic information just by analyzing basic flow information. In the simplest cases, looking at the standard ports (for example, port 25 for Simple Mail Transfer Protocol [SMTP] and port 80 for Hypertext Transfer Protocol [HTTP]) may be sufficient to detect the application as either email or web browsing. However, the assumed mapping between standard ports and protocols does not always hold: protocols may use non-standard ports, and standard ports may carry non-standard protocols. For example, HTTP is used for web browsing but also for video encapsulation (HTTP video streaming), and a number of other applications may appear to be HTTP simply by using the standard HTTP ports.

Therefore, to fully understand end-user traffic types and data volumes in order to optimize and improve services while protecting and monetizing network resources, additional knowledge about network traffic is required. This knowledge can be obtained by examining the characteristics of the payload (user or application traffic) carried in IP flows using DPI. DPI examines the content of IP flows (Transmission Control Protocol or User Datagram Protocol [TCP/UDP]), reassembles IP datagrams, TCP data streams and UDP packets, and performs additional traffic analysis in real time.
Because the application layer is Layer 7 in the OSI Reference Model (OSIRM), this inspection is sometimes referred to as L7 traffic inspection or L7 DPI.
Application-specific flows are identified by their unique digital signatures. The digital signatures can be considered the application fingerprints. Although a special and unique digital signature is required to uniquely and positively identify an application or a protocol, in many cases the static definition of a signature is not precise enough to consistently identify all instances and variations of an application. This is because certain applications, such as peer-to-peer flows, change their patterns and apply encryption to remain unidentified. Figure 2 shows the collection of these digital fingerprints using DPI techniques that look beyond the IP headers into the IP packet payload. Signature definition is the first and most important step toward any DPI implementation. There are many methods for signature construction and definition, ranging from basic port analysis (classifying applications according to the ports they would normally use), to string matching, to complex behavioral and heuristic algorithms that may take into consideration, for example, variations of packet arrival times and payload sizes over time. Having a solid base of digital signatures and maintaining it regularly to add support for new applications is essential to successfully implementing DPI. Using the L4-L7 traffic knowledge about various network applications, further actions can be taken to optimize network resources, such as preventing certain application traffic from unfairly consuming network resources that could be made available to other users and applications and thereby contributing to congestion.
Figure 2. Using DPI to examine IP packet payload
[Figure residue: signatures examined over several packets; time; IP header]
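As an added illustration (not code from the application note), the following Python sketch contrasts the port-based guess with a payload-signature check on the reassembled stream, including a signature split across two packets; the signature patterns and sample flows are simplified, constructed inputs.

```python
"""Constructed example (not Alcatel-Lucent code): port-based vs. payload-signature
classification of a TCP flow, with signatures checked on the reassembled stream."""
import re
from dataclasses import dataclass, field

# Port-based guess: the standard-port assumption the text warns about.
WELL_KNOWN_PORTS = {25: "smtp", 80: "http", 443: "tls"}

# Payload signatures applied to the start of the reassembled stream, regardless of port.
# These patterns are illustrative simplifications, not a production signature library.
SIGNATURES = [
    ("http", re.compile(rb"^(GET|POST|HEAD|PUT|DELETE|OPTIONS) \S+ HTTP/1\.[01]\r\n")),
    # TLS record: content type 0x16 (handshake), version 3.x, then handshake type 0x01 (ClientHello)
    ("tls", re.compile(rb"^\x16\x03[\x00-\x03]..\x01", re.DOTALL)),
    ("smtp", re.compile(rb"^(EHLO|HELO) ")),
]
MIN_BYTES = 16  # bytes of stream required before a verdict is attempted


@dataclass
class Flow:
    dst_port: int
    segments: list = field(default_factory=list)  # TCP segments in arrival order

    def add_segment(self, data: bytes) -> None:
        self.segments.append(data)

    def stream(self) -> bytes:
        # Reassemble the client-to-server byte stream: a signature may span packets.
        return b"".join(self.segments)


def classify_by_port(flow: Flow) -> str:
    return WELL_KNOWN_PORTS.get(flow.dst_port, "unknown")


def classify_by_signature(flow: Flow) -> str:
    data = flow.stream()
    if len(data) < MIN_BYTES:
        return "pending"  # wait for more packets before deciding
    for name, pattern in SIGNATURES:
        if pattern.match(data):
            return name
    return "unknown"


def http_host(flow: Flow) -> str:
    """Extract the Host header (web domain) once HTTP has been identified."""
    m = re.search(rb"\r\nHost: ([^\r\n]+)\r\n", flow.stream())
    return m.group(1).decode("ascii", "replace") if m else ""


def classify(flow: Flow) -> dict:
    verdict = {"port": classify_by_port(flow), "signature": classify_by_signature(flow)}
    if verdict["signature"] == "http":
        verdict["host"] = http_host(flow)
    return verdict


if __name__ == "__main__":
    # Constructed sample flows illustrating the mismatches described above.
    web = Flow(8080)                        # HTTP on a non-standard port
    web.add_segment(b"GET /index.ht")       # signature split across two segments
    web.add_segment(b"ml HTTP/1.1\r\nHost: www.example.com\r\n\r\n")
    tls_on_80 = Flow(80, [b"\x16\x03\x01\x00\xc4\x01\x00\x00\xc0\x03\x03" + b"\x00" * 16])
    for f in (web, tls_on_80):
        print(f.dst_port, classify(f))
```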
Using L4-L7 traffic inspection to enable new services and revenue generation
Increasingly, service providers and network operators are looking at L4-L7 DPI techniques to further identify, sort and filter types of user- and application-related data and correlate this information with their service packages. They also want to provide real-time, context-sensitive links with their billing and charging systems. Many service providers and network operators see the opportunity to use this knowledge about network traffic, obtained through DPI techniques, to increase revenues by addressing specific users or market segments and to increase market share by differentiating themselves from their competitors. A service provider's ability to provide differentiated charging for specific URLs (web domains) or specific traffic types has become increasingly important for improving customer satisfaction as well as competitiveness. The critical reason for using L4-L7 DPI techniques for additional monetization of traffic flows is the operator's ability to obtain detailed intelligence about users, applications and usage patterns from the network itself. This imposes stringent requirements: real-time analysis of high volumes of traffic and high numbers of concurrent traffic flows while providing detailed per-flow, per-user and per-application information. The ability to fully address network architectural demands for scalability while retaining the desired performance and reliability becomes a very important test for DPI techniques and a success factor that can help elevate the overall service provider value. DPI techniques are thus elevated from a tool for aggregate traffic control to an instrument that allows per-user (per-device) service management, and a driver for further revenue generation (see Figure 3).
Figure 3. Key benefits of L4-L7 traffic inspection and analysis
[Figure residue: service provider value built from per-user management, per-user reporting, network protection, cost control, fair use (P2P), network usage reports, end-user security and URL filtering]
[Figure residue: PCEF with Gy and Gz interfaces]
QoS control is applied on a per-bearer level in the PCEF. As already mentioned, a bearer is a virtual data container aggregating all service data flows that require the same QoS treatment. PCC rules can be predefined (preprovisioned) on the PCEF or provided dynamically to the PCEF by the PCRF. Dynamic PCC rules are derived within the PCRF, taking into consideration the subscriber profile as well as additional real-time and dynamic information, such as requested bandwidth, requested QoS and other subscriber- or traffic-flow-specific data, if available.

Policy control and management therefore extends the basic use of L4-L7 traffic processing technology, which must be viewed as a subset of PCEF functionality and as part of the larger policy control and management framework required for real-time, dynamic, large-scale, policy-based control of network resources. Deploying advanced policy control and management architectures in wireless environments delivers the synergy of real-time interaction between the PCRF and the PCEF. The ease with which L4-L7 techniques can be employed within the network and integrated into the overall architecture becomes a critical success factor for service providers as they look for new and innovative ways to monetize their network through more personalized services and more precise service control.

With Alcatel-Lucent, wireless operators can quickly realize the benefits of this synergy by leveraging the advanced in-line traffic processing capabilities of the Alcatel-Lucent 7750 SR Mobile Gateway. As a next-generation mobile gateway and a PCEF element in the PCC architecture, the Alcatel-Lucent 7750 SR enables the delivery of new and innovative services, performing advanced L4-L7 traffic processing at high aggregate volumes and across a large number of flows while also providing detailed per-flow, per-user and per-application information.
Implementation of the PCEF using the Alcatel-Lucent 7750 SR Mobile Gateway allows wireless service providers to be more competitive, create new revenue streams and raise their revenues and profits while maintaining granular control of network resources.
Alcatel-Lucent refers to the refined set of capabilities of the Alcatel-Lucent 7750 SR to perform massive, real-time L4-L7 traffic inspection and processing as Mobile Application Assurance (Mobile AA). The Mobile Gateway Integrated Services Module (MG-ISM) delivers Mobile AA for deployments in which the Alcatel-Lucent 7750 SR is deployed as a mobile gateway, either as a GGSN or as an LTE PGW. Mobile AA leverages the MG-ISM hardware capability to identify different network applications by comparing traffic patterns, extracted from real-time, stateful inspection of the traffic payload, against a library of digital signatures kept locally on the Alcatel-Lucent 7750 SR Mobile Gateway. Once a particular network application is identified, the MG-ISM can promptly perform additional actions in accordance with policies that are locally configured on the Alcatel-Lucent 7750 SR Mobile Gateway. Figure 6 shows a functional diagram of Mobile AA on the MG-ISM. In the PCC environment, once the PCRF provides enforcement and charging instructions to the Alcatel-Lucent 7750 SR Mobile Gateway, the instructions are kept as local rules on the Alcatel-Lucent 7750 SR and are applied to all future packets of the flows that satisfy the applicable enforcement rules. Depending on the service provider's strategy and policies, different QoS models can be applied to different data flows. A service provider can define a number of applications of interest and gain additional flexibility by allocating these applications to a number of application groups. In this way, for example, specific applications can be partly or completely blocked and/or their QoS can be decided based on policy and guaranteed on a per-application or per-user basis.
Figure 6. Functional diagram of AA on the MG-ISM
[Figure residue: user plane traffic subject to 5-tuple classification; user plane traffic subject to L4-L7 protocol analysis; MG-ISM AA]
Application identification is based on positive matching between a traffic flow and a locally kept database of application filters. Application filters are numbered rule entries, analogous to IP filters, that define the use of protocol signatures and other criteria that define an application. The following criteria can be assigned to an application rule filter entry:
- Protocol signature
- String-based matching: for HTTP, Wireless Application Protocol (WAP), Session Initiation Protocol (SIP) and Transport Layer Security (TLS)
- Flow set-up detection
- Network IP address
- Network port number
- IP protocol number
- Unique application name
- Unique entry ID number
Identification and service provider management of network applications of interest are performed through a very structured approach, which allows quick and easy configuration. This process allows for the organization of applications into groups, and for customization of application filters and associated policy actions.
Application QoS Policy actions
Once an application flow is identified and matched to a specific application filter, the flow is checked against a provider-defined set of Application QoS Policies (AQPs). An AQP is a set of rules defining the match criteria and actions to be taken on the identified traffic. Multiple actions are supported for each rule entry. The statistics for this flow, with subscriber and application context, can also be recorded. Examples of AQP actions include:
- Bandwidth rate limiting
- Flow set-up rate limiting
- Flow count limiting
- QoS re-marking: discard priority and forwarding class
- Discard (drop)
- None: for monitoring and reporting only
- Charging instructions
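The following constructed Python model (added here, not Alcatel-Lucent code or 7750 SR configuration) ties the application filter criteria listed above to AQP rule evaluation: numbered filters with optional criteria where the lowest entry ID wins, application groups, and merged per-rule actions with subscriber/application statistics. The application names, group names and the P2P payload marker are hypothetical.

```python
"""Constructed model of the application filters and AQPs described above (not 7750 SR code)."""
from collections import defaultdict
from dataclasses import dataclass
from typing import Callable, Optional

@dataclass(frozen=True)
class Flow:
    subscriber: str
    dst_ip: str
    ip_proto: int    # 6 = TCP, 17 = UDP
    dst_port: int
    payload: bytes   # reassembled start of the application stream

@dataclass
class AppFilter:
    """One numbered application filter entry; every criterion that is set must match."""
    entry_id: int                                        # unique entry ID number
    app_name: str                                        # unique application name
    signature: Optional[Callable[[bytes], bool]] = None  # protocol signature check
    match_string: Optional[bytes] = None                 # string-based matching (e.g. HTTP Host)
    net_ip: Optional[str] = None                         # network IP address
    net_port: Optional[int] = None                       # network port number
    ip_proto: Optional[int] = None                       # IP protocol number

    def matches(self, f: Flow) -> bool:
        return all([
            self.signature is None or self.signature(f.payload),
            self.match_string is None or self.match_string in f.payload,
            self.net_ip is None or self.net_ip == f.dst_ip,
            self.net_port is None or self.net_port == f.dst_port,
            self.ip_proto is None or self.ip_proto == f.ip_proto,
        ])

def identify(filters, flow: Flow) -> str:
    # Positive match against the filter database; the lowest entry ID wins, as in an IP filter.
    for flt in sorted(filters, key=lambda x: x.entry_id):
        if flt.matches(flow):
            return flt.app_name
    return "unknown"

@dataclass
class AQPRule:
    actions: dict                # e.g. rate_limit_kbps, forwarding_class, discard, charging
    app: Optional[str] = None    # match one application ...
    group: Optional[str] = None  # ... or an application group; both None = any traffic

class AQP:
    def __init__(self, rules, groups):
        self.rules, self.groups = rules, groups
        self.stats = defaultdict(int)  # bytes seen per (subscriber, application)

    def evaluate(self, flow: Flow, app: str) -> dict:
        # Merge the actions of every matching rule (multiple actions per entry); discard ends it.
        grp = next((g for g, apps in self.groups.items() if app in apps), None)
        merged = {}
        for rule in self.rules:
            if rule.app not in (None, app) or rule.group not in (None, grp):
                continue
            merged.update(rule.actions)
            if merged.get("discard"):
                break
        self.stats[(flow.subscriber, app)] += len(flow.payload)
        return merged

# Constructed sample database: three applications in three groups and three AQP rules.
FILTERS = [
    AppFilter(10, "video-site", match_string=b"Host: video.example.net", net_port=80),
    AppFilter(20, "http", signature=lambda p: p.startswith((b"GET ", b"POST "))),
    AppFilter(30, "p2p-x", signature=lambda p: p.startswith(b"\xa5P2PX")),  # hypothetical marker
]
GROUPS = {"video": {"video-site"}, "web": {"http"}, "p2p": {"p2p-x"}}
RULES = [
    AQPRule({"forwarding_class": "af", "charging": "zero-rate"}, app="video-site"),
    AQPRule({"rate_limit_kbps": 128, "discard_priority": "low"}, group="p2p"),
    AQPRule({}),  # "none": monitoring and reporting only; the flow is still counted in stats
]
```

A flow is first passed to identify() and the resulting application name to AQP.evaluate(), which returns the merged action set to apply to that flow's subsequent packets.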
Modes of deployment
Mobile AA using the Alcatel-Lucent 7750 SR Mobile Gateway can be deployed in two modes:
- In a non-PCC (no PCRF) environment (see Figure 7), Mobile AA is performed by the 7750 SR Mobile Gateway and the associated rules are kept locally.
- In a PCC environment (where a PCRF is deployed), Mobile AA becomes an integral part of the PCC architecture and is performed by the Alcatel-Lucent 7750 SR Mobile Gateway. The PCRF maintains QoS and charging rules and communicates the handling instructions to the Alcatel-Lucent 7750 SR Mobile Gateway over the standard Gx interface.
Figure 7. Deploying Mobile AA in a non-PCC environment
[Figure residue: GERAN, UTRAN and E-UTRAN access; RNC, SGSN (direct tunnel optional) and MME; interfaces Iu-PS, Gn, S3, S1-MME, S11, S5 and SGi; 7750 SR PGW/GGSN with Mobile AA; packet data network]
Figure 8 shows deployment in a PCC environment, where the PCRF is implemented using the Alcatel-Lucent 5780 Dynamic Services Controller (DSC).
Figure 8. Deploying Mobile AA in a PCC environment
[Figure residue: GERAN, UTRAN and E-UTRAN access; RNC, SGSN (direct tunnel optional) and MME; interfaces Iu-PS, Gn, S3, S1-MME, S11, S5 and SGi; 7750 SR PGW/GGSN with Mobile AA; 5780 DSC as PCRF connected over Gx; packet data network]
Figure 9 shows AA on the Alcatel-Lucent 7750 SR Mobile Gateway as PCEF and the Alcatel-Lucent 5780 DSC as PCRF.
Figure 9. AA on the Alcatel-Lucent 7750 SR Mobile Gateway as PCEF and the Alcatel-Lucent 5780 DSC as PCRF
[Figure residue: flow identification; applications organized into application groups; PCRF on the 5780 DSC]
In both standalone application assurance deployment and in PCC environments, where Mobile AA becomes a sophisticated enhancement to PCEF, a number of use cases ranging from monitoring and reporting to per-application charging are possible.
Mobile AA identifies end-user/device data traffic as specific protocols and applications, then correlates control information, such as SIP, with the associated data flows (for example, Real-time Transport Protocol [RTP]) that belong to the same application. When identified, a flow is tagged as a known application and is treated according to the applicable policies (excluding application context) for traffic of a particular application profile and direction. As outlined earlier, Mobile AA employs the set of application filters that define a particular application through the use of protocol signatures and other criteria. The digital protocol signature database can be updated in service, using activity switches and the system management infrastructure, without any impact on system routing or on Alcatel-Lucent 7750 SR Mobile Gateway operation. In the PCRF environment, the Alcatel-Lucent 5780 DSC, as the PCRF, can send the PCEF rules (based on the application and subscriber) to the Alcatel-Lucent 7750 SR Mobile Gateway. The rules set by the Alcatel-Lucent 5780 DSC dictate the actions to be taken on identified traffic according to the various service options and other defined input criteria. Actions are taken on all matching flows until instructed otherwise. The local actions implemented by the Alcatel-Lucent 7750 SR Mobile Gateway consist of various traffic handling instructions that are applied to an identified flow, with multiple actions supported for each rule entry. Subsequent packets of the identified flow have the associated action (or actions) applied and are recorded with related statistics. Multiple policies can be applied to any given packet in a flow.
- Subscriber excessive usage fees
- Application-aware zero rating
- Application or bandwidth boosting
- Monetized HTTP redirection
- Personalized service packaging
- Per-event, per-session or per-application charging
- Next-generation digital media distribution
Optimizing operations
- Application or service intelligence gathering for service and capacity planning
- Application-aware and user/device-aware metering and charging
- Fair-share traffic optimization per device or per application
Protecting network infrastructure
- Detection of application anomalies and heavy users
- Traffic management: peer-to-peer throttling
- Flexible usage caps
Mobile AA enables mobile service providers and network operators to monetize their assets, optimize their operations and protect their network infrastructure.
[Figure residue: RAN, IP/MPLS backhaul, aggregation routers (7750 SR), 7750 SR Mobile Gateway, Internet]
Benefits
When the Alcatel-Lucent 7750 SR is deployed as a mobile gateway (GGSN or an LTE EPC gateway: SGW and/or PGW), its in-line Mobile AA functionality brings additional benefits. Table 1 shows key areas of applicability of Mobile AA and the advantages of using the Alcatel-Lucent 7750 SR instead of alternative overlay approaches based on external DPI devices.
Table 1. Key benefits of using the Alcatel-Lucent 7750 SR Mobile Gateway and AA
DPI implementation approach compared: 7750 SR Mobile Gateway versus external DPI. Features:
- Multivendor mobile gateway environment
- Multiple access technologies (RAN)
- Converged network environments
- Selective traffic inspection based on the access point name (APN)
- Advanced QoS control mechanisms for bearers and/or PDP contexts
- Large-scale tunnel termination
- Hierarchical QoS
- Large-scale aggregate volume
- High reliability (L4-L7 traffic inspection resiliency/redundancy)
- In-service maintenance and signature database upgrades
- Roaming awareness
- Operational agility based on platform reusability
- Additional intrusion detection system (IDS) and transactions per second (TPS) security options
- IPsec support for traffic offloading
- Online and offline charging support
- Integration in PCC environments (Gx interface)
As mobile traffic continues to grow in both data volume and control plane volume, service providers and network operators face the same challenges observed in residential broadband networks and in all-IP environments. There will be a huge number of cases where it is safest to assume that all traffic is untrusted and potentially rogue, particularly as mobile environments evolve to policy and charging architectures. To meet the need for efficient, real-time policy enforcement (PCEF) of all mobile traffic, which at times may require Mobile AA on most or all mobile traffic, the Alcatel-Lucent 7750 SR delivers in-house technology using a multicore central processing unit (CPU) that enables real-time, in-line, stateful flow inspection, application detection and QoS/policy processing for all applicable flows. This CPU is not shared with the rest of the system and is not involved in any other control or user (data) plane activities except Mobile AA. Identification of network flows is fully independent of the ports on which they physically arrive, which facilitates scaling of this functionality with uniform processing of all traffic and application of policies across all interfaces. As a result, the Alcatel-Lucent 7750 SR Mobile Gateway is able to handle extremely heavy packet processing loads and to provide additional value through its granularity, enabling differentiated charging even for the same web site, based on content or application type. For example, accessing text or images could be charged differently (or not charged at all) than accessing videos hosted on the same web site or referenced from it. By extending its vast set of traffic processing capabilities, including Mobile AA, and providing detailed and direct support to charging and billing systems, the Alcatel-Lucent 7750 SR Mobile Gateway becomes an instrument for further personalization and monetization of mobile services.
When used in conjunction with other packet core elements, particularly the Alcatel-Lucent 5780 DSC in the role of PCRF, this set of 7750 SR capabilities turns the packet core into a true business engine and a business instrument for mobile service providers.
Conclusion
Advanced traffic processing capabilities are a technical prerequisite and also an imperative for next-generation mobile broadband networks. To enable additional technical and business benefits for service providers and network operators, L4-L7 IP packet inspection technology must be sophisticated in its real-time processing capability and configuration flexibility, and must be able to optimize and evolve existing business models and services by being part of a larger policy and management control framework. For mobile environments, Alcatel-Lucent delivers advanced, in-line L4-L7 traffic processing and traffic management capabilities on the Alcatel-Lucent 7750 Service Router Mobile Gateway through Mobile AA and makes it possible to easily integrate this functionality into the PCC architecture, where the Alcatel-Lucent 7750 SR Mobile Gateway performs the role of the PCEF.
Abbreviations
AQP: Application QoS Policies
CDN: Content Delivery Network
DPI: Deep Packet Inspection
EPC: Evolved Packet Core
E-UTRAN: Evolved Universal Mobile Telecommunications System Terrestrial Radio Access Network
GERAN: GSM/EDGE Radio Access Network
GGSN: Gateway GPRS Support Node
HTTP: Hypertext Transfer Protocol
IP: Internet Protocol
IPsec: Internet Protocol Security
LTE: Long Term Evolution
MG-ISM: Mobile Gateway Integrated Services Module
OSIRM: OSI Reference Model
PCC: Policy Charging and Control
PCEF: Policy and Charging Enforcement Function
PCRF: Policy and Charging Rules Function
PDN: Packet Data Network
PDP: Packet Data Protocol
PGW: Packet Data Network Gateway
QoE: Quality of Experience
QoS: Quality of Service
RAN: Radio Access Network
RIB: Routing Information Base
SAE: System Architecture Evolution
SDF: Service Data Flow
SGSN: Serving GPRS Support Node
SGW: Serving Gateway
SIP: Session Initiation Protocol
SPI: Shallow Packet Inspection
TCP: Transmission Control Protocol
TLS: Transport Layer Security
UDP: User Datagram Protocol
UTRAN: UMTS Terrestrial Radio Access Network
WAP: Wireless Application Protocol
www.alcatel-lucent.com Alcatel, Lucent, Alcatel-Lucent and the Alcatel-Lucent logo are trademarks of Alcatel-Lucent. All other trademarks are the property of their respective owners. The information presented is subject to change without notice. Alcatel-Lucent assumes no responsibility for inaccuracies contained herein. Copyright 2011 Alcatel-Lucent. All rights reserved. CPG1076110609 (August)