Post on 16-Jan-2016
Copyright © 2007 Juniper Networks, Inc. www.juniper.net 1
Bart Brinckman, bbrinckman@jnpr.net
Juniper Carrier AAA roadmap
May 2008
The Current Identity and Policy Management portfolio
The Identity and Policy portfolio
[Figure: portfolio layers Network, Policy and Service, joined by OPEN INTERFACES. Services: IPTV, Home VoIP, Internet, Video Telephony, Mobile VoIP, Video Roaming, FMC, Push to Talk, FR VPN, ATM VPN, PSTN, Provider Unique Services. Network: CPE, Wireless Access, Edge, Core, Data Center. Additional label: Signaling Specific Security.]
Routing and Security Portfolio: Industry-leading packet handling and security solutions for thousands of customers worldwide
AAA functions today: different products aimed at solving different problems
[Figure: products SBR/SIM, SBR/MIM, SBR/SPE, SBR/HA, SBR/SLM and IMS AAA. Policy functions: Network Attachment, Resource Assignment, Network Mobility, Service Delivery, Network Identity, Charging & Billing. Access Network: xDSL, Public Wi-Fi, GPRS/UMTS, CDMA 1XRTT/EvDO, WiMAX (simple IP & proprietary), UMA, Femtocell.]
Policy Engine: Any Service - On Demand
Subscriber Initiated – Self Service
Portal Server with SRC-PE portal API
• Turbo
• Tiered Internet
Application Initiated
• VoD
• Games
• Streaming Media
• Video Conferencing
SRC Service Profile Initiated
• Activate on Login
• ToD Activated
• Volume/Time Controlled
Network Detection Initiated
DPI or IDP Platforms
• P2P Controls
• Threat Mitigation
IMS Service Complex
• VoIP
• Video Telephony
• Multi-media
[Figure labels: SOAP, DIAMETER, Core, Access, Walled Garden + Over the Top (Web 2.0)]
Carrier AAA Roadmap
Legal statement
This product roadmap sets forth Juniper Networks’ current intention and is subject to change at any time without notice. No purchases are contingent upon Juniper Networks delivering any feature or functionality depicted on this roadmap.
AAA Evolution to FMC and WiMAX
[Figure: access types Wireline, WiFi/UMA, CDMA, GSM/UMTS and WiMAX, with the products SBR/SPE, SBR/SIM, SBR/MIM and SBR/HA evolving into SBR/Carrier.]
One AAA to Manage All Access
A centralized AAA architecture that supports all access technologies and user credentials is an important element of the NGN network.
A benefit of centralizing AAA is that it allows for the centralization of subscriber session information on the networks.
Service delivery can be enhanced and new services delivered by leveraging this active subscriber database.
[Figure labels: LDAP, PKI, Sessions, Applications/Services, DSL, GPRS/UMTS, UMA, CDMA, WiMAX]
Step 1: SBR Carrier v 7.0 (target August 08)
Modular AAA for Wireless and Wireline carriers
• Standalone AAA server
• Combining all previously existing Juniper AAA carrier functionality into 1 modular product
• Adding a mobile WiMAX module
[Figure: SBR Carrier Core. Authentication modules: SMSauth, SIMauth. Mobility modules: CDMA Mobility, WiMAX Mobility. Optional modules: Scripting. Other labels: OSS Interfaces, Front-Ends, Back-Ends, GUI, LDAP, SNMP, CLI, SQL, LDAP, HLR Gateways, Proxy RADIUS, RADIUS.]
*CDMA mobility and SMS auth EFT only in v7.0
SBR Carrier Core
Built on industry-proven SBR SPE technology!
• Open and flexible AAA functionality regardless of end user access technology (through RADIUS, EAP, HTTP digest), integrated into 1 platform
• Supports SQL or LDAP based user repository, regardless of DB schema
• Advanced service delivery features
• Carrier grade proxy engine and filtering features
• Virtualization support
• Network integration features
• All 3GPP support built into SBR Carrier Core
• Comes with all EAP methods enabled out of the box (except SIM/AKA): MD5, LEAP, GTC, POTP, PEAP, TLS, TTLS, FAST
• Supports unlimited virtualization (directed realms)
• Multiple additional optional features available
SBR Carrier 7.0 core new features
Flexible sub-TLV support
• Support for sub-TLVs in the core AAA engine
• Allow any sub-TLV requirement to be configured in the AAA core
Location based profiles
• Enables policy granularity on location basis
• Access technology based policy
• Available in 2 flavors:
  • Location based profiles for users
  • Location based profiles for groups
Improved Management
• Web delivered Administration UI
  • Downloadable to any station
  • No permanent UI install
  • A browser is sufficient
• UI managed EAP configuration
• UI based filter management
• Administration audit logs ensuring administration accountability
Enhanced scripting features
• Enabling precise implementation of custom service and business logic
• Providing unparalleled flexibility in implementing and growing service and business logic
• JavaScript realm selection and JavaScript filter selection can:
  • Query and modify any AVP
  • Query LDAP or SQL databases
SBR Carrier: Authentication Modules, Mobility Modules and Optional Modules
SIMauth: SIM authentication methods for PWLAN and UMA
• SIM authentication and authorization (against HLR over SS7 or SIGTRAN)
• Kineto INC S1 interface (UMA & Femtocell)
SMSauth: SMS OTP provisioning and authentication methods
CDMA MIM: CDMA Mobility module
• CDMA mobility, resource assignment and prepaid features
• CDMA RevA QoS support
Scripting: JavaScripting module
• LDAP JavaScripting
• JavaScripted Filters
• Core routing JavaScripting
WiMAX in SBR Carrier 7.0
Modular approach, SBR Carrier Core +
• WiMAX Module for wireline integration (EAP-TLS, EAP-TTLS)
• WiMAX module + SIM authentication module for GSM/UMTS integration (EAP-AKA)
• WiMAX Module + CDMA mobility module for CDMA integration
WiMAX mobility management:
• Mobile IP v4 support
• ASN and CSN authentication authorization
• ASN and CSN key management
WiMAX resource management
• Home Agent Management
• Home Address (IP-address) Management
WiMAX QoS support
Charging
Roaming: H-AAA and V-AAA
Standards: WiMAX Forum NWG Stage 3 rev. 1.0, 1.1 and 1.2 compliant
Step 2: SBR Carrier v 7.2 (target Q1 09)
Modular Carrier Grade AAA
• Available standalone or with HA cluster
• Combining all previously existing carrier functionality into 1 product
• Adding central address allocation, concurrency and Session Control modules
[Figure: SBR Carrier Core with HA Cluster Session DB. Authentication modules: SMSauth, SIMauth. Mobility modules: CDMA Mobility, WiMAX Mobility. Optional modules: Scripting, Session Control, Concurrency, Address Allocation. Other labels: OSS Interfaces, Front-Ends, Back-Ends, GUI, LDAP, SNMP, CLI, SQL*, Xml/https**, SQL, LDAP, HLR Gateways, Proxy RADIUS, RADIUS, DB.]
* Only in combination with Session control module
SBR Carrier Non-Stop AAA and Service Delivery
[Figure: layers Network, Policy & Control and Service. Services: IPTV, Home VoIP, Internet, Video Telephony, Mobile VoIP, Video Roaming, FMC, Push to Talk, FR VPN, ATM VPN, PSTN, Provider Unique Services. Network: CPE, Wireless Access, Edge, Core, Data Center. Interfaces: SQL/LDAP/CLI/Https, RADIUS/RADIUS CoA. Applications. SBR SessionDB cluster: Node Group 1 (Node 1A, Node 1B), Node Group 2 (Node 2A, Node 2B), Node Group 3 (Node 3A, Node 3B).]
SBR Carrier 7.2: New Optional Modules
Session Control: In-session service changes
• RADIUS CoA based
• XMLoverHttps and CLI (scripting) based interfaces
• Applications: In session Hotlining, Legal Intercept, Disconnect, Prepaid, Tiered Services
Concurrency: User/Group based concurrency
• Requires HA Cluster session DB for enforcement across the network
• Concurrency limitations on a per-user basis
• Concurrency limitations on a configurable attribute
• Concurrency limitations on a group basis (wholesale)
Address Allocation: Centralized IP-address allocation
• Requires HA Cluster session DB for central ip-address pool management
• All SBR Carrier Frontend AAA nodes use the same address pools
• Splitting of address pools per AAA no longer required
SBR Carrier 7.2: Other features
Session database query support:
• SQL
• LDAP (limited scalability: 150 attributes/sec)
• https (requires session control module)
• CLI
• GUI
Extendable session database both in HA mode and Standalone mode:
• Service providers now have the ability to extend their session database with any attribute (available in HA and standalone mode)
EAP-TTLS secondary authentication support:
• It is now possible to perform a secondary authentication on the content of a client certificate used during EAP-TTLS authentication, as already supported in the SBR Carrier 7.0 EAP-TLS implementation
Proxy enhancements:
• Exclude-unknown in filters: The ability to filter out attributes that the proxy server is not able to interpret when proxying a message.
• Disable strobe when target goes in fastfail: Allow the server not to use the strobe mechanism to detect if a server is up, but solely rely on the timer mechanism
SNMP proxy alarming improvements:
• SNMP trap when proxy target goes out of service
• SNMP trap when proxy realm (all targets) goes out of service
Logging enhancements:
• Time based SBR Log rollover: Next to the already supported volume based log rollover, a time based rollover will now also be supported
• Session identifier in log files: allows easy correlation of messages belonging to the same session
SBR Carrier 7.x: Feature Candidates
Charging Module:
• Accounting reconciliation, combination, pacing
• CDR generation
LDAP:
• Scalable and performant LDAP interface to the session database
Extended wholesale features (Group based concurrency)
• Hard and Soft limits with notification
• Time of day
• Region support
Asynchronous Inter-cluster replication:
IMS-AAA session cluster integration
SRC-PE Session Cluster integration
Juniper Hardware (appliance) based solution
[Figure: asynchronous replication between DC1 and DC2. Labels in each data center: Stateless Front-end AAA, Node Group 1 (Node 1A, Node 1B), Node Group 2 (Node 2A, Node 2B), Node Group 3 (Node 3A, Node 3B).]
SBR Carrier 7.x: Feature candidate: NASS
[Figure: NASS architecture. Layers: Services & Applications, Policy & Control, Transport. Elements: AF, CSCF, SPDF, A-RACF, SRC-PE, SRC-NASS, CLF (SBR Carrier 7.x CLF gateway), UAAF/NACF (SBR Carrier 7.x RADIUS node), AMF, RCEF, Border Node, IP Edge, L2T Point, session cluster with Node Group 1 (Node 1A, Node 1B), Node Group 2 (Node 2A, Node 2B) and Node Group 3 (Node 3A, Node 3B). Interfaces: E4 (diameter), E2 (diameter), Gq', Ia, Ra, Di, Ds, Re, Rq, A1 (DHCP), A1 (RADIUS), A3 (RADIUS).]