Technology Showcase: Intelligent NAT Integration

Transcription

1 Contents Executive Summary... 1 Overview... 2 The Need to Maintain Subscriber Awareness.. 2 Seamless NAT Integration... 3 A New Point of Reference... 3 Pre-NAT Integration Session Qualifiers... 3 Sandvine before the NAT... 4 Signal flow... 4 Post-NAT Integration Port-Range Mappings.. 5 Sandvine after the NAT... 5 Signal flow... 6 The Advantage of SandScript for Seamless Integration... 6 The Role of Business Intelligence for IPv6 Transition... 7 Executive Summary As the Internet moves to the use of IPv6 addressing, each communications service provider (CSP) is presented with various challenges and choices in making the transition. IPv4 address exhaustion is an issue for many network operators. Networks can accommodate overlapping IPv4 addresses by using Network Address Translation (NAT) to manage the translation of private and public IP addresses. However, this complicates the process of obtaining subscriber-awareness for accurate service innovation and advanced traffic optimization. Subscriber-awareness is essential for modern network policies that generate revenue and save costs. A standalone network policy control solution should seamlessly integrate with the network s NAT operations so it continues to deliver subscriberaware policy according to the primary benefits of its design. This paper explores Sandvine s approach to enabling modern Layer-7 use cases with full subscriber-awareness in the presence of NAT and overlapping IPv4 addresses through seamless integration. Conclusion... 8

2 Overview Today s communications service provider (CSP) is either working on, or planning, the transition to IPv6. The last blocks of IPv4 addresses were allocated by the Internet Assigned Numbers Authority (IANA) in February By using Network Address Translation (NAT), CSPs can meet the demands of applications and devices that are expected to continue to use IPv4 addressing for the foreseeable future. Using NAT allows a CSP to translate one public IPv4 address into many private addresses that are closed within a specific sector of the network. But there are consequences to employing NAT in the network to deal with the temporary problem of IPv4 address exhaustion, especially when a CSP has or plans to deploy a modern network policy control solution. NAT breaks the end-to-end addressing required by many applications, and eliminates a network policy control s ability to be continuously aware of which subscribers are utilizing specific data flows in the network what Sandvine calls subscriber-awareness. For this reason, the use of NAT is often perceived as an imperfect solution to a transient problem as the Internet transitions to IPv6 addressing for Layer-3 data transport. In terms of network policy control, subscriber-awareness is crucial for anything but the most basic business intelligence, service creation, and traffic optimization policies. Without it, services cannot be offered to subscribers not even simple speed tiers. Operators need new services and traffic optimization technologies to remain competitive. When it comes to the use of NAT in managing the transition to IPv6, many CSPs are faced with the prospect of having to gut the functionality and benefits of even the most basic subscriber-aware solutions. The approach to maintaining subscriber awareness in the presence of NAT and overlapping addresses determines a CSP s ability to support next-generation use cases and anticipate future change. A standalone network policy control solution should seamlessly integrate with the network s NAT operations so it continues to deliver the primary benefits of its design: A dedicated policy control application function for the network Deployment flexibility independent from network transport architecture Full traffic visibility with consistent, network-wide policy application The Need to Maintain Subscriber Awareness Modern network policy control use cases, such as usage management based on Layer-7 application quotas and automated network congestion management, require the ability to accurately associate Internet data traffic with the specific subscribers that are generating it. The most common method of achieving subscriber awareness is to associate a subscriber s IP address with a unique network login identifier tied to the subscriber s specific account. In a standalone solution, as an element intersects and inspects the network data stream it associates specific data flows with specific subscribers using the coupling of IP address and network identifier. A modern network policy control solution maintains the subscriber-aware state in real time, which in some cases means tracking millions of flows per second while associating each one with the correct subscriber. When NAT is in use the subscriber s IP address is no longer an end-to-end passport for determining their identity for the purposes of network policy control. There is no longer a direct method of obtaining the public IP currently assigned to a specific subscriber data session. To integrate properly with the NAT function, a network policy control solution must extend the model that associates data sessions with subscribers to use more than just a subscriber s IP address at the moment of network attachment. Page 2

3 Seamless NAT Integration To accommodate the presence of NAT a network policy control solution needs a method of qualifying data sessions to associate them with the correct subscribers. Sandvine s approach is to offer a solution that ensures seamless integration into the service provider s network and NAT architecture so that Layer-7 subscriber-aware policies continue to occur as they did before, without constraining either feature. This means using a new point of reference for situations where the network policy control solution must apply subscriber-aware policy to traffic in environments with overlapping IP addresses, or after the NAT function has been performed. A New Point of Reference In pre-nat deployments, where data is intersected prior to the NAT function taking place, the reference point should be based on partitioning the network and segmenting it into zones where IPv4 addresses are unique. These zones are expressed in the baseline network policy that governs subscriber awareness. For example, a site number associated with a specific part of the network can serve as the anchor value for determining and maintaining subscriber state. A key step is to determine unique sites within a network so they can be identified by a number. In the case where the translation function has already occurred when the PTS intersects the data stream, the network policy control solution must integrate with the NAT translation matrix, which is typically a mapping of IP addresses to TCP port ranges. This table of port mappings can be provided to the DPI device inspecting traffic to derive the actual source IP for an end-to-end awareness of subscriber data usage. The network policy control solution must be able to negotiate the new value or reference point in real time while continuing to inspect Layer-7 traffic at millions of flows per second. Pre-NAT Integration Session Qualifiers Beneath the product policy layer, Sandvine uses a reference point called a session qualifier that is configured in the field secure subscriber awareness. The session qualifier is a component of the Sandvine Policy Engine that expands the session model used for baseline subscriber awareness in policy. A session qualifier is an expressed value that commonly represents, though is not limited to, a site number or a VLAN tag mapped to a site number. This value is permanently stored, and then referenced along with an IPv4 address in real time by control and data plane elements to identify unique subscriber sessions in the presence of overlapping IP addresses. The session qualifier operates as a component of the Sandvine Policy Engine. The Policy Engine is installed on the Sandvine platform, which consists of the Service Delivery Engine (SDE), an element focused on control plane intelligence, and the Policy Traffic Switch (PTS), an element focused on data plane enforcement. The PTS includes the ability to make real-time decisions on-wire that handle the extremely fast transaction rates associated with Layer-7 traffic. The two elements work interactively to manage subscriber awareness in support of usage-based data services and traffic optimization policies. Session qualifiers are available on for existing Sandvine installations through a standard software maintenance update. The SDE and PTS use the IP address and session qualifier together, coupling them to a value contained in the initial authentication process (e.g., site number) to uniquely identify unique subscriber sessions when applying policy. Page 3

4 Sandvine before the NAT When the PTS is deployed before a NAT router has performed the address translation function, correct identification of a subscriber references the site number used during authentication (through RADIUS, DHCP or GTP-C). A simple scenario is one in which different network policy control elements are partitioned to specific network spaces that have no overlapping IP addresses. In this case, proprietary identifiers for the network policy control element or interface, including an IP address, can be used to define the address space and become the third point of reference to resolve and achieve subscriber awareness. A more complex example is where a single network policy control element or element cluster intersects all data plane traffic. In this case, overlapping IP addresses can reside on different VLANs of a trunk, with the VLAN tags and IP addresses together used to uniquely identify subscriber traffic For example, assume there are two networks sending traffic using IP addresses in the subnet range /8. Two subscribers in these networks may concurrently use the same IP address from that range, but the traffic of each subscriber resides on a different VLAN tag. Subscriber A sends a packet from , with VLAN tag 200 or 201. At the same time, subscriber B sends a packet from , with VLAN tag 300 or 301. In this case, all traffic with VLAN tag 200 or 201 can be assigned to a site, and all traffic with VLAN tag 300 or 301 can be assigned to a different site, as follows: VLAN tags 200 or 201 = site 1 VLAN tags 300 or 301 = site 2 Figure 1 shows Sandvine s deployment when the address translation has not yet occurred. Figure 1: Sandvine pre-nat deployment Signal flow 1. Networks of subscribers are using the overlapping IPv4 space. 2. The subscriber traffic comes in via multiple access networks. The subscriber is mapped to a private IPv4 address using RADIUS, DHCP or GTP-C at the time the subscriber joins the network. The different networks are on distinct VLANs when the traffic passes through the PTS. 3. The SDE receives the RADIUS or DHCP message and processes it to determine the private IPv4 address, user name and site. Any RADIUS or DHCP fields can be combined with arbitrary Sandscript Page 4

5 logic to determine the site. The SDE may receive the traffic from the multiple access network, or via a tee (real-time mirrored copy) from the PTS. The SDE passes on the private IPv4 address, user name and site number to the SPB, which stores the information in its database and forwards the information to the PTS. The VLAN-tagged packets come into the PTS cluster. The PTS translates the VLAN tags into site numbers according to the PTS element s configuration. The PTS uses the private IPv4 address and site number to uniquely identify subscribers, and then performs subscriber-aware policy. If the PTS does not know to which subscriber the IP address/site number mapping belongs, it looks up the information on the Subscriber Policy Broker (SPB the solution storage layer). One or more NAT routers translate the traffic to public IPv4 addresses. Packets continue on to their Internet destinations. Post-NAT Integration Port-Range Mappings When the PTS is deployed outside the NAT, the source and destination IP of traffic has changed. For internet-bound packets, source IP and source port are changed by the NAT before PTS inspection, and for subscriber-bound packets, the destination IP and destination port are altered after the PTS element inspects traffic. In this case Sandvine s SDE and PTS elements achieve subscriber awareness using the subscriber s private IPv4 address, network identifier and a unique TCP port number referenced from a lookup table on the NAT device. Sandvine supports multiple NAT routers and both private and public addresses, with the subscriber mapping again occurring beneath the policy layer to facilitate consistent policy across the network. Sandvine after the NAT To accommodate a post-nat environment, the network policy control solution must have the ability to integrate with the address translation architecture. Sandvine s SDE supports SandScript policies that can negotiate with the NAT device to segregate IP addresses according to the network s translation architecture, such as unique port numbers assigned to blocks of IPs. Figure 2 shows Sandvine's postnat deployment. Figure 2: Sandvine post-nat deployment Page 5

6 Signal flow 1. Networks of subscribers are using the overlapping IPv4 space. 2. The subscriber traffic comes in via multiple access networks. The subscriber is mapped to a private IPv4 address using RADIUS, DHCP or GTP-C at the time the subscriber joins the network. 3. The following steps can happen in either order: a. One or more NATs translate the traffic to public IPv4 addresses - the unique identifier for subscriber traffic from here is an IP address with an assigned port range. b. An SDE receives the RADIUS or DHCP message from the AAA server and processes it to determine the private IPv4 address and subscriber user name mapping. 4. An SDE receives the public NAT address and port range mapping from the CGN (can be a different SDE). The SDE maps the subscriber s private IPv4 address with the public NAT address and port range. 5. The SDE passes information to the Sandvine persistence layer (SPB) in two streams: a. the mapping of qualified private IPv4 address to subscriber user name b. the mapping of qualified private IPv4 address to public NAT address/port range mapping 6. The data streams and their associated relationships are stored separately, but the SPB joins the two data streams if and when necessary to notify the PTS of conditions requiring subscriber-specific actions. 7. The PTS uses the state information from the SPB to uniquely identify subscribers and perform subscriber-aware policy (e.g., metering, congestion management, service tiers). 8. Packets continue on to their Internet destinations. The Advantage of SandScript for Seamless Integration A key differentiator of Sandvine technology is the way in which it approaches the creation and execution of policy. Sandvine s hardware hosts software products that execute the if condition, then action network policy paradigm using an open and highly-configurable policy language called SandScript. Freeform policy supports the unrestricted ability to define and associate a complex set of fully-interactive, logic-based policy statements, any of which can affect a particular entity, such as a subscriber, in the desired context. SandScript is used to define feature-rich usage management and traffic management policies that can be infinite in both breadth and complexity. With the use of session qualifiers, SandScript policies can continue to be written once and deployed throughout the network as though the NAT issue does not exist. Examples of subscriber-aware policies include mobile congestion management and online gaming promotions. Session qualifiers and port-range mappings configured beneath the policy layer seamlessly integrate with NAT operations as an aspect of the baseline function that maintains state for subscriber awareness, and this allows CSPs to apply homogeneous SandScript policy to all network traffic, regardless of the IP version. Subscriber-aware state functions are maintained in a seamless fashion such that SandScript policies continue to operate as though the problem of overlapping addresses or NAT does not exist in the network. This is one advantage of having a freeform, script-based language to configure and execute real-time Layer-7 data flow evaluations and control plane decisions. Page 6

7 The Role of Business Intelligence for IPv6 Transition It is important to note that a fully functional network policy control can help smooth the transition to IPv6. CSPs can capitalize on opportunities that emerge by examining IPv6 adoption trends on the network to be ahead of the curve in enabling IPv6 content for subscribers. Sandvine s ability to flexibly integrate with NAT solutions while delivering the full suite of differentiated Layer-7 services and traffic management capabilities enables a complete view of IPv6related business intelligence. Network Demographics provides operational reports showing IPv6 and application usage. Network Analytics offers daily reports of pre-analyzed IPv6 trends for intelligent network planning, as shown by Figure 3. Figure 3: Network Analytics IPv6 Transition Analysis by Application Type Page 7

8 Conclusion This paper has shown that the best approach to enjoying the benefits of both NAT and advanced network policy control is to intelligently integrate with the network s ongoing transport evolution. A standalone network policy control solution should seamlessly integrate with the network s NAT operations so it continues to deliver the primary benefits of its design: A dedicated policy control application function for the network Deployment flexibility independent from network transport architecture Full traffic visibility with consistent, network-wide policy application Sandvine s use of session qualifiers provides a simple and elegant solution that seamlessly integrates network policy control functions with existing and future NAT operations. Sandvine s innovative technology allows CSPs to continue the effective management of transport operations, network congestion and advanced Layer-7 services while maintaining deployment flexibility using the same Sandscript policy across the breadth of the network. Page 8

9 Headquarters Sandvine Incorporated ULC Waterloo, Ontario Canada Phone: European Offices Sandvine Limited, UK Swindon, UK Phone: sales@sandvine.co.uk Copyright 2013 Sandvine Incorporated ULC. Sandvine and the Sandvine logo are registered trademarks of Sandvine Incorporated ULC. All rights reserved