cisco service exchange framework and policy management€¦ · what is ip multimedia subsystem...

1© 2005 Cisco Systems, Inc. All rights reserved.Service ExchangeFramework_1205 Cisco Public

Cisco Service Exchange Frameworkand Policy Management

March 2006

2© 2005 Cisco Systems, Inc. All rights reserved. Cisco PublicService ExchangeFramework_1205

Agenda

Service Provider Marketand the Service Exchange

Cisco Service Control EngineReview and update

Service Exchange FrameworkPolicy Management and services


Representsa CompoundAnnual GrowthRate (CAGR)of 95.6% from2002–2007

2001 2002 2003 2004 2005 2006 2007

SP Business Model Dilemma

81K

180K

500K

750K

1.5M2.6M

5.2M

0

400K

700K

1M

3M

5M

100K

50K

Terabits per Day

75K

400B

350B

300B

250B

200B

100B

150B

50B

0

$ Billions

Total Retail Calls

Total Retail Dataand Internet

Source: Gartner 2003 95.6%

Service Providers are Turningto New Service Platforms for

Business Growth


Market is Primed…Consumers are Spending Heavily on Communications

Evolution of Household Spending in OECD Countries, 1990–2000

Source: OECD 2003

CommunicationsIndex: 1990=100

1990 1991 1992 1993 1994 1995 1996 1997 1998 1999 2000

Health

Education

Water, Electricity & Gas

Recreation and Culture

Transport

Restaurants & Hotels

Alcohol, Tobacco & Narcotics

Household Equipment

Clothing & Footwear

Food

160

150

140

130

120

110

100

90

80

70

60


…And are Willing to PayMore for Valued Services

SecuritySimplicityIntegration

PersonalizationControl

Speed ReliabilityLow Cost

VoiceData

Video

WiredWireless

Innovation

Share households spent on communications rose by50% in developed countries over the past decade


More Than Just RevenueOther Tangible Benefits Can Be Measured

MarketShare

CompetitivePosition

CustomerRetention

Advancing Upthe Value Chain

with theCustomer

Servicescrossing overinto othersegmentstraditionalareas

Deployingservices asdefensivemove versuscompetitors

Moreservices percustomerreduces churn

Deployingunique servicesfends againstcommoditizationor beingrelegated to‘only transport’for applicationproviders


Today’s Universe of ApplicationsRequires Support for SIP and Non-SIP Applications

Session BasedNon-Session Based

Web, HTML P2P

Business IP - VPN

Messaging–SMS, MMS

Voice Push-to-Talk

Push-to-Video

StreamingVideo

IM

Group Chat

Video onDemand

OnlineGames

IPTV

DualMode

EnterpriseIntegration

E-Commerce

SIP (IMS) OnlyApps

SIP (IMS)OR

Non-SIPApps

Non-SIP OnlyApps

Rea

l Tim

eN

on-R

eal T

ime


What is IP Multimedia Subsystem (IMS)?

• Layered architecture—separates transport,control and application functions

• Access-agnostic—initially defined formobile carriers, but allows convergence offixed and mobile networks and applications

• Real-time IP applications—Enhances and“blends” SIP-based services

A standards-based effortdeveloped as a means for

voice-centric mobileoperators to more efficiently

deploy and handle SIPservices


Service Exchange FrameworkComprehensive Support for BOTH IMS and Non-SIP Apps

Intelligent Networking

Video &Gaming

DataCenter

Presence-Based

TelephonyWeb

ServicesMobileApps

IPContactCenter

IntelligentEdge

CustomerElement

MultiserviceCore

Access/Aggregation

App

licat

ion

Laye

rSe

rvic

eLa

yer

Net

wor

kLa

yer

Transport

Ope

ratio

nal L

ayer

ServiceExchange

OpenFrameworkfor Enabling

‘Triple Play onthe Move’(Data, Voice,

Video, Mobility)

Identity Policy Billing

Mobility

SelfService

Traffic Traffic EngineeringEngineering MulticastMulticast SecuritySecurity

CoS/QoSCoS/QoS MPLSMPLS

PeeringPeering

L2L2//L3 VPNL3 VPN

VPLSVPLS

FastFastReroutingRerouting

Routing ProtocolsRouting Protocols

IPoDWDMIPoDWDM

PPP/FR/ATM/EthernetPPP/FR/ATM/Ethernet

IPv4/IPv6IPv4/IPv6

IMS Non-IMS


Cisco IP NGN ArchitectureAchieving a Whole Greater Than the Sum of the Parts

Intelligent Networking

GamingData

Center

Presence-Based

TelephonyWeb

ServicesMobileApps

IPContactCenter

IntelligentEdge

CustomerElement

MultiserviceCore

Access/Aggregation

App

licat

ion

Laye

rSe

rvic

eLa

yer

Net

wor

kLa

yer

Transport

Ope

ratio

nal L

ayer

ServiceExchange

OpenFrameworkfor Enabling

‘Triple Play onthe Move’(Data, Voice,

Video, Mobility)

Identity Policy Billing

Mobility

SelfService


Service Exchange FrameworkEnabling Personalized Rich Media Services

MOBILITY SERVICES MANAGEMENTDevice RoamingService MobilityUser Mobility

MULTIDIMENSIONAL IDENTITY MANAGEMENTUser / Device IDSubscriber AwarenessLocation / PresenceService RegistrationAudit / LoggingAssured Authentication

DYNAMIC SESSION MANAGEMENTCall ControlSession Border ControlRich-Media ControlDiff Bandwidth & QoS per SessionAccounting / Billing

POLICY AND RESOURCE MANAGEMENTSubscriber PolicyApplication / ChainingPer-Sub ServiceService Invocation

Who?• Who is the user?

• Devices• Profile• Location• Presence

What?• What can the user do?

• Within what timeframe• To what extent• Under what rules

How?• How can I dynamically control resources?

• Interwork & provide rich media control• Monitor & charge on a per

service / per user basis• Enable application awareness

Where?• Where can the user roam?

• Track/recognize user devicesacross carriers

• Maintain user sessions acrossmultiple networks

• Offer all services in all locations

ServiceExchange

Framework


Cisco Service Exchange FrameworkCase Studies

GreaterEfficiencies

Efficient Management ofVideo Oversubscription

• Preserves quality of experience• Provides network-based graceful busy

signal when demand exceeds capacity• In trials at major MSO, critical for IPTV

Video Call Admission Control• Enable new business models between

content and service providersDetect and manage affiliatedapplications and align QoSCo-branding and fee sharing

Service Prioritization viaDeep Packet Inspection

Reduced TransitCosts

Web

P2P

Actual Customer

Data

Actual Customer

Data

220,000200,000180,000160,000140,000120,000100,00080,00060,00040,00020,000

0

KB

ITS

/SE

C

Week #1 Week #3 Week #5

Hourly Total Bandwidth (Kbits/Sec) Per Serv ice

Managing P2P Applications


Cisco Service Exchange FrameworkCase Studies

Implement Fair Use Policy

• Eliminates bandwidth bottlenecks• Enhanced user experience

User quota based on 7-day timeframe16 kbps28 kbps28 kbps48 kbps P2P

48 kbps65 kbps128 kbpsNo Limitaudio /video streaming

256 kbps

256 kbps No LimitNo Limite-mail + WWW

over 5.6 GB

less then 5.6 GB

less then 4.2 GB

less than 2.8 GB

Usage

16 kbps28 kbps28 kbps48 kbps P2P

48 kbps65 kbps128 kbpsNo Limitaudio /video streaming

256 kbps

256 kbps No LimitNo Limite-mail + WWW

over 5.6 GB

less then 5.6 GB

less then 4.2 GB

less than 2.8 GB

Usage

BetterControl

Enhanced Security Services• DDoS service provider

infrastructure protection• Peering edge DDoS

protection• Managed service models

DefendDefend

DetectDetectMitigateMitigate

InjectInject DivertDivert

Infrastructure

ProtectionClean diverted

Traffic using

Cisco guard

Re-inject

cleaned

traffic

Proactive threat

Detection

Enhanced Security-DDoS Protection


Typical Tiered Service Model Pricing ExampleAdding Value to Differentiate Services

MEMBER SERVICE FAMILY SERVICE BUSINESS SERVICE•One IP Address•2MB Down•512K Uplink

•One IP Address•4MB Down•512K Uplink

•Three IP Addresses•6MB Down•1MB Uplink

•500 Minutes paid •Unlimited •Unlimited

$19.95 $49.95$9.95

•Email•Basic Internet•P2P Marked

•Email / Video•Full Internet•100 TCP Sessions•P2P Traffic Marking•Child-safe Internet•Pop-up Blocker

•Email / Video / Voice• Wireless Internet• No TCP Limits• P2P Traffic• Firewall• IPSEC VPN Speed Up

NEW

$29.95 $69.95$39.95

BetterControl


Enhanced VoBB Service ExamplesImproving the Quality and Control of the User Experience

Video on DemandTV on Demand / nPVR

Broadcast Television Video StreamingVideo Phone /Video Conferencing

Gaming / Interactive TV

“Over the Top”Video

ManagedVideo

Applications

VideoCommunications

Services

Video to Other Devices

BetterControl


• Geoff talk at latestApricot meeting in Perth.

• Can large incumbentimplement a convergedNGN network?

• Are they able toinnovate?

• Unfortunately, SP EMEAperspective is missingfrom this presetnation...

• Also listen to Geoffspeach at NANOG:http://www.nanog.org/mtg-0510/huston.futures.html

Apricot 2006 (http://www.apricot.net/)


• Service Control talk atApricot 2006 meeting inPerth.

• Exponential increase inpeering bandwidth andtransit costs.

• Need for P2Poptimization.

Apricot 2006 (http://www.apricot.net/)


Traffic Distribution Patterns

Network Usage by Traffic Type


What Do We Download?

Source: Leibowitz, N., Ripeanu, M., Wierzbicki, A. “Desconstructing the KaZaA network”

Images

Songs

Movies


Agenda





Service Control – Solution Components

AccessNetwork

Backbonenetwork

Reporting Tool

EngageConsole

SubscriberManager

AAA DHCP RADIUSBilling

PolicyServer

Service Portal

CollectionManager


SCE 1000 and SCE 2000

2,000,000100,0004 Gbps2 x 10/100/1000 RJ-45

8 x FE RJ-45SCE2020-4/8FE

2,000,000100,0004 Gbps2 x 10/100/1000 RJ-45

4 x GE

• SX (850 nm)

• LX (1310 nm)

SCE2020-4GBE

2,000,000Max flows (unidir)40,000Max # subscribers2 GbpsMax throughput2 x Eth 10/100 RJ-45Management

2 x GE

• SX (850 nm)

• LX (1310 nm)

InterfacesSCE1010


Key Advantage –Hardware Accelerated Platform

• Hardware only processingof most traffic (80%)

• Flexibility through CPUs andintelligent interaction with hardware

• Load balanced CPUs with zeroprocessor wait-states

• Fast-path for delay sensitive (e.g.voice) traffic. Average delay of lessthan 30micro-seconds

• 4Gbps of processing• No sampling; full processing of

every packet• Programmable inspection and

policies• Performance not dependant on

policy complexity

FF

CLS

DP0 DP1

Processing Unit 1

RX

PPC

Processing Unit 1

RX

PPC

Processing Unit 1

RX

PPC

Processing Unit 1

RX

PPC

TX

NIC (RX part)LIC0 LIC1

Port 3 Port 4

NIC (TX part)LIC0 LIC1

Port 1 Port 2

Port 3 Port 4Port 1 Port 2


Reliability

• L3/4 traffic filter (isolate traffic)Traffic filtering

• Electrical / Optical bypass• 1+1 Cascade redundancy• N+1 Cluster redundancy

System redundancy

• Redundant Power Supplies andfans

• Field replaceable PSU / FAN• AC / DC power dual-feeds• Redundant management port• No HD

• MTBF 80,890

Component Reliability


• First signature release: 1 week• Final signature: 4 weeks

Protocol: Skype (P2P VoIP Application)

• Development time: 3 weeks• Signature update after application ‘morphed’: 1 day

Protocol: Winny (popular Japanese P2P application)

Key Advantage: Programmability

• Flexible, bi-directional multi packet signatures• Programmable device core

• Dedicated team of experts focused on service-providerrequirements

Examples:


Network Analysis andSubscriber Intelligence

Bandwidth/Capacity Reports• What is eating up my network resources?• When do I need a capacity upgrade?• What is causing congestion?

Subscriber Demographic Reports• What percentage is using P2P/gaming application?• What are the usage patterns of different subscriber groups?• What is the cost-impact of my top subscribers?

Server Activity• What are the popular web-hosts used?• What are the popular streaming sites?


Network Analysis andSubscriber Intelligence

Robust Collection Environment

Security Reports• Which subscribers are infected and attacking others?• Which subscribers are spamming?• Which subscriber is attacking network resources?

Voice Reports• Quality of experience of VoIP calls• Minutes spent on VoIP services• Total and concurrent calls per VoIP service• Compare managed vs. non-facility service

• Efficient and reliable usage export protocol

• Stand alone of integrated into upstream management or billing systems

• Scaleable collection software

• Powerful and easy to use, template-driven reporting tool


Intelligent Flow Management:BitTorrent Dormant Flows

• BitTorrent multiple connectionsSingle client creates 100’s ofconcurrent flowsFlow are frequently revisited but not alwaysusedBitTorrent signature only available on firstclient contact (flow start)Order of magnitude more than other P2Papplications

• DPI dilemma: How to manage flows?Slow aging: Exhaust DPI engine flow-table(1,000 active BT clients can consume hundredof thousand flows)Quick aging: Loose classification accuracy ofmost popular P2P application

• A choice between two “bad options”?Available as part of 2.5.6 and 3.0


Intelligent Flow Management—BitTorrent Dormant Flows

• Cisco SCE Solution: Dormant FlowRepository

• Main flow database holds active flows

• Compressed dormant flows db usedto age inactive flows

Dormant DB holds flow classification history

Flow reactivated when more packets areseen

Allows for quick aging without loss ofclassification information

• Result:Flow efficiency of quick aging

Classification accuracy of slow aging

SCE Flow Database

FL 0x1FL 0x2FL 0x3

FL 0xN

.

.

.

DF1 DF2 DF3 DF4DF5 DF6 DF7 DF8DF9 DF10 DF11 DF12

DFN DFN DFN DFN

.

.

.

Inactive Flows

ReactivatedFlows

Available as part of 2.5.6 and 3.0SCE Dormant

Flow Database


Intelligent Flow Management:BitTorrent Dormant Flows

• Dormant flow databasesupports 1M dormantflows in addition to mainflow database (1M flows)

• Unique Cisco solution andinfrastructure

Useful for other aggressiveapplications

• BitTorrent popularitynecessitates approach tomaintain effectiveness ofP2P solution

Other solutions forced toloose accuracy or cannot scale

29%(15%Misclassifiedas “Generic”)

240,000

DFDisabled

5min BTAging

47%45%BTClassifiedTraffic

240,000640,000Avg.ActiveFlows

DF EnabledDFDisabled

60min BTAging

Conclusion:40% Resource Savingwith No Sacrifices to

Classification

* Based on Production Network Data

Available as part of 2.5.6 and 3.0


Platformintegration andnext-generation

SCE

Deep packetinspection

engine

Integrationenhancements,

Provisioning andcontrol

IPv6,Integration

with ISG/IPS,Netflow v9,

Voice Control,MPLS VPN,Clustering

Voice Mgmt,MPLS VPN,

URL Filtering,Reporting

enhancements,Redundant

management

Stateful L7 applicationrecognition,

Dynamic PolicyControl

SCE2020 8xFE,Clustering,Enhanced

Policy Model,Quota

management

Solution Strategy and Evolution


New and Enhanced Classification model

• Structured, rich andflexible classificationprocess

Protocol Signature,ports, zones andflavors all usedfor determining aservice

• Protocol signaturelookup on all traffic(not restricted byport)


VoIP Functionality

• Continuing themomentum from 2.5.5

Enhanced protocolsupportSupport forTransaction UsageRDRs for MGCP andSIP sessions usingthe same SCA BBVoIP RDR templateused for the H.323protocol.

SIP domain basedclassification


Reporting—Global VoIP MOS

Global VoIP MOSTime Span: 1998-03-03 09:50:43—2005-11-28 15:50:43

MO

S

Date and Time

New!(Available: 3.0.3)Reports to identifyand TroubleshootVoIP Quality Issues(MOS, Jitter, PacketLoss)

Highlight:VoIP Service Is Operating Well... Most Hours of the Day

ActualCustomer

Data


MPLS-VPN—Per VRF DPI

BGP

MPLS-TAGto

VPN Mapping

VPN A

VPN B

VPN A

VPN B

VPN CCE Routers

PERouters

PRouters

Example Network—Managed Corporate VPNs

SCEs

InternetCore

• SCA BB 3.0 supports insertion into MPLS-VPN with overlapping privateIP address spaces

• Each VPN (A, B,C) managed separately—VPN as a “subscriber”

• MPLS-VPN packet tags automatically extracted from PE BGP

• Flow concept is extended to contain MPLS tag—ensures consistency ofpacket to flow mapping


MPLS-VPN—Per VRF DPI

VPN-A VPN-B VPN-C10.1.1.1 10.1.1.1 10.1.1.1

Previous

SCA 3.0

10.1.1.1 <-> 10.1.1.2

[VPN-A] 10.1.1.1 <-> 10.1.1.2

[VPN-B] 10.1.1.1 <-> 10.1.1.2

[VPN-A] 10.1.1.1 <-> 10.1.1.2

???10.1.1.2 10.1.1.2

• DPI support for private/overlapping IP address spaces• Upstream/downstream VPN-tags mapped through

flow trackingSCE identifies new flow from VPN-A, and correlates return packet’sVPN tag


URL Filtering – General Approach

• API’s for dynamicallyintegrating with URL DBvendors

In addition to the built inURL lists mechanism

• Allows the solution to limita subscriber’s access toweb sites based on“categorization” of content

• Useful forValue added service forsubscribersLegal purposes (in somecountries legislationrequires that certaincontent is blocked)

3.03


Dual link BW control

• In 2.x release global controllers for 2 GBE links wereseparated for each link

In order to enforce 300Mbps limit on upstream P2P traffic, theuser had to configure 2 global-controllers, one for each link, whileeach enforces the P2P to 150Mbps

• On 3.0 a new mode is introduced, where the SCE enforces theglobal controllers policy on the aggregate traffic from the 2ports

A user can define a single P2P global-controller that will enforceaggregate of 300M limit for the upstream P2P traffic

• The old mode is still supported for backward compatibilitypurposes


Management—Network Navigator

• Group devices into sitesSCE, CM, SM, database

• Batch management ofdevices/sites

Apply configurationUpdate signaturesUpdate software

• Common managementoperations

View device statusRetrieve logActivate/bypass

Single Interface toManage All SolutionComponents


Signature Editor

• Customer definedsignatures

• GUI based

• Rich signaturelanguage

Multi-packet, Bi-Directional Patterns,Binary Characters, String-Match, HTTP

User-Agent, HTTP X-Header


Integrated Reporter

• Integrated Java-based reporting tool

• Works with Oracle,MySQL or SybaseCM backend

• Context sensitiveDrill down betweenreports andconfiguration

INTERACTIVE: Click on TopSubscriber to Activate Subscriber

Real-Time Report


Hitless Upgrade (3.03)

• Graceful phase-in ofnew protocol pack issupported by the SCOSinfrastructure

• This Complements theService Controlframework for ongoingprotocol support

Protocol upgrades areposted periodically onCCO (since 2.5.7)No service downtime isincurred to the operatorduring upgrade

3.03


Service Security Dashboard

• Integrated console tomanage servicesecurity functionality

View/load/editsignaturesConfigurationidentificationthresholdsSetup mitigationactionsView reports

Availability: 3.0.3


Redundant Management Ports

• SCE2020/1010 managementinterface redundancy

• Protects from physical failure ornetwork partition

• Active/standby ports

• Transparent—Same IP/MAC forboth ports

• 300 ms failure detection with activeARP to expedite recovery

SubscriberManager

PolicyServer

CollectionManager

RADIUS DHCP Billing Portal

Not Available on SE1010 1.5UHardware (“P-Cube Box”)

Critical High-Availabilityfor Service CreationScenarios


Subscriber Management

• “Subscriber-aware” solutions• Manages Subscriber-contexts

Subscriber-ID: ID of subscriber-contextNetwork-ID: IP addresses used to map traffic to contextPolicy-ID: ID of policy (package) defining rulesSubscriber-quotas: set/add/read usage quota buckets

• Integration into back-office/AAARADIUS AAAPolicy Control Systems (Tazz Networks)

• Cisco Subscriber Manager (CSM) servesas integration point


Multi-Gig Cluster Solution

• Split flows between morethan two GBE links

• SCE(s) are hair pinned toredundant 6500/7600matching EtherChannels on6500/7600 ensure traffic ofsingle subscriber flows tosame SCE

Can use PBR as well

• Support for N+1configuration through ECfailover

BRASs/CMTSs

Core Routers

SCE 2000s

7600/6500

7600/6500


Agenda





Services (PDP)

Policy Control(PEP / PDP)

Access & Aggregation& CPE(PEP)

Policy Control Framework

PolicyServerAccounting Authorisation

Standards based transport protocol

Standards based transport protocol

Info

rmat

ion

Mod

el

WebPortal

PolicyServer

3.3. Application PlaneApplication Plane

2.2. Policy PlanePolicy Plane

1.1. Network PlaneNetwork Plane


Policy Server Components

Applications / portals via Northbound interface

Policy Engine = {Rules processor + Message Router}

Application schemas

Device schemas

COPS-PR Webservices:SOAP, BEEP / XML CORBA CLIRADIUS

COPS-PR Webservices:SOAP / BEEP, XML CORBA CLIRADIUS

Network devices via Southbound interface

PolicyPolicyRepositoryRepository


A. User self subscription with redirection

PolicyRepository

PolicyServer

AddressManagement AAA

Portal

Presence

Internet

VideoVoIP

Subscriber / Service Control Applications / Services

ISP

1 2

3

4

5

1. New session identified by SCE2. SCE applies HTTP redirect to

redirect user to web portal3. Portal captures credentials / user

authenticated4. Policy server confirms subscription5. Policy server pushes change to SCE

to remove L4 redirect for session6. User now has Internet access

61 2

3

4

5


B. User bandwidth selection

AAAPolicyServer

AddressManagement

PolicyRepository

Portal

Presence

Internet

VideoVoIP

Subscriber / Service Control Applications / Services

ISP

1

2

3

1. USER logs in to web portal and requests anasymmetrical 512Mbps/256kbps(downstream/upstream) non-meteredservice

2. Policy server confirms subscription3. Policy server pushes the respective QOS

policy to ISG / SCE that is applied to theuser session

1

2


Customer self-provisioning

• Customer subscribed to an-entry-level profile.

• All customer’s accesslines are identicallyprovisoned (i.e. DSL profileat max access speed).

• Service exchange enforcescurrent customer speedand traffic profile.

• Customers candynamically changeprofiles with no manualintervention.

• Profile change can bepermanent (new tariff plan)or time-limited (turbobutton, promotional offers).


To conclude …

• Cable, mobile, and DSL standards bodies are defining theneed for policy server functionality

• Policy control layer is of growing importance and is beingdefined in all evolving access technologies

Significant commonality between evolving access technologiesAdds intelligence to base network transport solution - theequivalent to the Intelligent Networks (IN) capability in the voiceworld

• Policy control layer server is becoming the access agnosticservice convergence plane

• Cisco Systems’ Service Exchange Framework provides theservice/application convergence layer for next generationnetworks

cisco service exchange framework and policy management€¦ · what is ip multimedia subsystem...

Documents