Contents

Executive Summary ... 1
Overview ... 2
IP Tunneling for Network Hand-off ... 2
The Advantage of Freeform Policy ... 2
Zero-rating and QoS mapping between networks ... 3
Protocol Stacks in LTE ... 3
Sandvine IP Tunneling Use Case Examples ... 5
Bill Shock Prevention Case Study ... 5
A revenue gain instead of a revenue loss ... 6
Deployment ... 6
Implementation details ... 7
SandScript-enabled use case ... 8
Video streaming over VPN Detection ... 9
SandScript-enabled use case ... 9
LTE QoS: Fairshare Traffic Management ... 10
SandScript-enabled use case ... 11
Conclusion ... 11

Executive Summary

Communications service providers want greater control over their networks and the services they offer, and subscribers want charging-awareness for the services they purchase. A key differentiator of the Sandvine Solution is how the SandScript policy language supports a freeform method of creating policy for accurate and efficient IP tunnel handling. SandScript is a use case enabler that brings an autonomous and robust thinking component to on-wire decision and enforcement, allowing Sandvine's customers to field revenue-generating, cost-saving and regulatory-compliant solutions that other solution designs cannot support.

This paper explores the application of policy to tunneling environments, with specific examples and use cases to illustrate the key concepts. It also demonstrates how Sandvine's freeform policy creation model supports a broad range of use cases enabled by the ability to define a policy that inspects both the inner-tunnel and outer-tunnel in real time.
Overview

For today's communications service provider (CSP), building an intelligent broadband network that maximizes revenue-generation and cost-saving potential while complying with regulations is about creating intelligent policies. A Network Policy Control solution's baseline approach to policy creation and execution determines the limit of a network's ability to meet regulatory requirements, support next-generation use cases, and anticipate future change.

To manage subscriber hand-off, mobile networks use IP tunneling in which the outer IP identifies the serving network, and the inner IP identifies the user. A solution should accurately identify conditions both outside and inside tunneled traffic, especially in cases such as data roaming.

IP Tunneling for Network Hand-off

This document refers to the H-PLMN as the home network (the one run by the operator to which the subscriber pays a fee) and the V-PLMN as the visited network (the one the subscriber is currently attached to while roaming). The normal case is that the H-PLMN and V-PLMN are the same, and the subscriber is not roaming. Much of the baseline framework for mobile network Quality of Service (QoS) and hand-off was defined in 3GPP R7, as shown by Figure 1.

Figure 1: Typical infrastructural roaming, 3GPP R7

For a detailed review of LTE QoS issues and roaming hand-off in the boundary interchange between different network types, see the Sandvine whitepaper "Quality of Service in LTE".

The Advantage of Freeform Policy

A key differentiator of Sandvine technology is the way it approaches the creation and execution of policy. Sandvine's hardware platforms host software products that execute the "if condition, then action" network policy paradigm using an open and highly configurable policy language called SandScript. As such, Sandvine supports the unrestricted ability to define and associate an infinite set of fully interactive, logic-based policy statements, any of which can affect a particular entity in the desired context, such as specific subscriber traffic encapsulated in an IP tunnel. The technical term for this is the ability to handle multiple orthogonal aggregates in policy, but Sandvine simply refers to this as freeform policy to contrast the capability with more restrictive rigid-form approaches.

Freeform policy creation allows, for example, the stateful inspection and counting of specific subscriber data usage encapsulated within an IP tunnel while simultaneously inspecting the outer-tunnel IP to invoke a roaming policy with real-time communication and enforcement (as shown by Figure 2).

Figure 2: Example Sandvine Tunnel Inspection, 3GPP R7

For a detailed explanation of the benefits of freeform policy, see the Sandvine whitepaper "SandScript: The Advantage of Freeform Policy".

Zero-rating and QoS mapping between networks

Another benefit of freeform tunnel inspection is the ability to mediate application- or page-specific QoS policies and zero-rating for charging services in the hand-off between networks. Roaming between LTE and HSPA networks is possible, as is roaming between 3GPP and 3GPP2 networks, and this has a consequence on QoS and the mapping between capabilities. In addition, despite the number of levels supported in signaling, individual equipment types vary in the number of queues supported and in the queuing behavior (strict vs. fair). As a consequence, many distinct marks map to the same behavior, and it is important to understand the internal queuing support provided by each piece of network equipment along each possible path.

Protocol Stacks in LTE

One of the design goals of LTE was to be entirely IP (including carrying voice over IP). As a consequence, QoS must be understood in the context of both the inner-tunnel, which interoperates with the packet core and radio network, and the outer-tunnel, which uses traditional IP traffic engineering techniques. The various tunneling and encapsulation protocols that are required are shown by Figure 3.
Figure 3: LTE major transport encapsulations

In IP-based networks, differentiated service is performed on a per-hop basis. The most common techniques used are Differentiated Services (DiffServ, RFC 2474, RFC 2475, RFC 3260), which uses the 6-bit Differentiated Services Code Point (DSCP) field in the IP header, and Multiprotocol Label Switching (MPLS), which also uses the DiffServ architecture but with different marking techniques (RFC 3270). In particular, MPLS supports 3 bits (8 levels) in the EXP field. In 3GPP, the QoS Class Indicator (QCI) maps directly to DSCP.

The basic classes defined by DiffServ are default, expedited forwarding, and assured forwarding. Of these, expedited forwarding is used for strict priority (e.g., video and voice), and assured forwarding is used for business differentiation (e.g., weighted-fair priority).

One of the long-standing complexities of DiffServ has always been its behaviour in tunnels, and 3GPP is no different. In a 3GPP environment, the outer marking is only used by backhaul networks, and inner marks are ignored. DiffServ may be used to manage QoS on external networks and be mapped into 3GPP bearers. Examples of interchange between the two are proprietary per vendor, but include Cisco's "ip user-datagram-tos copy" feature, which copies the DSCP field from the inner IP packet to the outer GTP header, and Cisco's active-charging service feature, which maps un-tunneled packet DSCP fields into specific radio bearers by mapping them to a specific PDP context.

It is common practice for an operator to use MPLS or another tunneling technique in 3GPP networks (see Figure 4), and in practical terms it is impossible to convey the QoS markings from inner-tunnels to outer-tunnels. A best practice in LTE networks is to engineer such that there is only one point of congestion (the eNodeB). This may be difficult to achieve because the S1-U may be significantly oversubscribed.
As a consequence, the usual requirement is to use outer marks (DSCP, MPLS EXP) that are driven in conjunction with the inner marks (TEID).
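The inner/outer split this section describes (the outer IP identifying the serving node, the TEID identifying the bearer, and the outer DSCP being the only mark the backhaul honours) is easiest to see on a decoded packet. The following is an added example written for this page, not Sandvine code or SandScript: a small GTP-U decoder that exposes both layers of one packet, plus a rewrite that moves the packet to another bearer and re-marks the outer DSCP, which is the kind of combined inner/outer action the paper later describes for S1-U prioritization. It assumes GTP-U version 1 on UDP port 2152 with no extension headers, IPv4 on both layers, and an absent (zero) UDP checksum; the addresses, TEIDs and DSCP values in the sample packet are constructed.

```python
"""Decode a GTP-U encapsulated user packet and re-mark it on both layers.

Added example, not Sandvine code. Assumes GTP-U version 1 over UDP port 2152
(3GPP TS 29.281), IPv4 outer and inner headers, no GTP extension headers.
The sample packet below is constructed inline.
"""
import ipaddress
import struct
from dataclasses import dataclass

GTPU_PORT = 2152
GTPU_GPDU = 0xFF  # G-PDU message type: the payload is a user IP packet
IP_FMT = "!BBHHHBBH4s4s"  # ver/IHL, ToS, len, id, frag, TTL, proto, csum, src, dst


def ipv4_checksum(header: bytes) -> int:
    """RFC 791 one's-complement checksum; yields 0 over a header whose checksum is valid."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4(src: str, dst: str, proto: int, dscp: int, payload: bytes) -> bytes:
    """Minimal IPv4 header (no options); DSCP occupies the top 6 bits of the ToS byte."""
    hdr = struct.pack(IP_FMT, 0x45, (dscp & 0x3F) << 2, 20 + len(payload), 0, 0x4000, 64,
                      proto, 0, ipaddress.IPv4Address(src).packed,
                      ipaddress.IPv4Address(dst).packed)
    return hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:] + payload


def build_gtpu(teid: int, inner: bytes) -> bytes:
    """GTP-U header: flags 0x30 (version 1, PT=1, no E/S/PN), type, length, TEID."""
    return struct.pack("!BBHI", 0x30, GTPU_GPDU, len(inner), teid) + inner


def build_udp(sport: int, dport: int, payload: bytes) -> bytes:
    # A zero UDP checksum means "no checksum" over IPv4 (RFC 768), so a TEID
    # rewrite only has to fix the outer IP header checksum.
    return struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload


@dataclass
class TunnelView:
    outer_src: str   # serving-network node (on S1-U uplink this is the eNodeB)
    outer_dst: str
    outer_dscp: int  # the only mark the backhaul acts on
    teid: int        # bearer identifier at the receiving GTP endpoint
    inner_src: str   # the subscriber (UE) address
    inner_dst: str
    inner_dscp: int  # ignored by the backhaul; visible only end to end
    inner_proto: int


def parse_gtpu_packet(pkt: bytes) -> TunnelView:
    """Walk outer IPv4 -> UDP -> GTP-U -> inner IPv4 and expose both layers at once."""
    vihl, tos, _, _, _, _, proto, _, src, dst = struct.unpack(IP_FMT, pkt[:20])
    ihl = (vihl & 0x0F) * 4
    if vihl >> 4 != 4 or proto != 17:
        raise ValueError("outer header is not IPv4/UDP")
    _, dport, _, _ = struct.unpack("!HHHH", pkt[ihl:ihl + 8])
    if dport != GTPU_PORT:
        raise ValueError("UDP destination port is not GTP-U")
    g = ihl + 8
    flags, mtype, _, teid = struct.unpack("!BBHI", pkt[g:g + 8])
    if flags >> 5 != 1 or mtype != GTPU_GPDU:
        raise ValueError("unsupported GTP version or message type")
    if flags & 0x04:
        raise ValueError("GTP-U extension headers are not handled in this example")
    inner_off = g + 8 + (4 if flags & 0x03 else 0)  # S/PN flags add a 4-byte optional block
    ivihl, itos, _, _, _, _, iproto, _, isrc, idst = struct.unpack(
        IP_FMT, pkt[inner_off:inner_off + 20])
    if ivihl >> 4 != 4:
        raise ValueError("inner packet is not IPv4")
    ip = lambda b: str(ipaddress.IPv4Address(b))
    return TunnelView(ip(src), ip(dst), tos >> 2, teid, ip(isrc), ip(idst), itos >> 2, iproto)


def remark(pkt: bytes, new_teid: int, new_outer_dscp: int) -> bytes:
    """Move the packet to another bearer (TEID) and re-mark the outer DSCP.

    The inner packet, and therefore the subscriber's own marks, stay untouched.
    """
    b = bytearray(pkt)
    ihl = (b[0] & 0x0F) * 4
    b[1] = ((new_outer_dscp & 0x3F) << 2) | (b[1] & 0x03)  # keep the ECN bits
    b[10:12] = b"\x00\x00"
    b[10:12] = struct.pack("!H", ipv4_checksum(bytes(b[:ihl])))
    b[ihl + 6:ihl + 8] = b"\x00\x00"  # UDP checksum: absent, rather than recomputed
    g = ihl + 8
    b[g + 4:g + 8] = struct.pack("!I", new_teid)
    return bytes(b)


# Constructed sample: UE 10.20.30.40 sending HTTP, tunnelled from an eNodeB (192.0.2.10)
# to an S-GW (198.51.100.1) on TEID 0xABCD. Inner DSCP AF41 (34), outer DSCP EF (46).
INNER = build_ipv4("10.20.30.40", "203.0.113.9", 6, 34, b"GET / HTTP/1.1\r\n")
SAMPLE = build_ipv4("192.0.2.10", "198.51.100.1", 17, 46,
                    build_udp(GTPU_PORT, GTPU_PORT, build_gtpu(0xABCD, INNER)))

if __name__ == "__main__":
    print(parse_gtpu_packet(SAMPLE))
    print(parse_gtpu_packet(remark(SAMPLE, 0x1234, 10)))
```

Running the block prints the decoded view before and after the rewrite. The inner DSCP survives the rewrite untouched, which is exactly why the backhaul cannot rely on it: only the outer mark, set here from policy, is visible to the transport hops, while the TEID is what the receiving GTP endpoint uses to pick the bearer.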
Figure 4: Practical LTE deployment

Sandvine IP Tunneling Use Case Examples

The following are examples where the ability to inspect both the outer-tunnel and inner-tunnel enables CSPs to comply with regulations, improve subscriber quality of experience (QoE), reduce support costs, manage congestion, and protect CSP revenue.

Bill Shock Prevention Case Study

Bill shock is a common complaint for subscribers obtaining post-paid wireless service: not knowing the cost of the service being used can result in enormous bills that a subscriber is unprepared or unwilling to pay. In response, service providers may introduce bill shock management on their own accord or due to regulatory statutes. Recently, the European Union announced the following regulations governing charging for data roaming:

1. A roaming subscriber usage or cost limit for data roaming use shall be set in a subscriber database accessible by the subscriber care, billing and network systems.
   a. The default limit is not more than €50 or the volume usage equivalent.
   b. The subscriber is allowed to change this limit or opt out of the European Union regulatory notifications.
2. If the subscriber has not opted out of the roaming notification regulation:
   a. The subscriber shall be notified of data roaming charges on first use.
   b. The subscriber shall be notified of reaching 80% of their usage limit.
   c. The subscriber shall be notified of reaching their limit, and be provided a mechanism (e.g., SMS, email, phone call or top-up page) to be able to accept further usage of data roaming and associated charges.
      i. Until the subscriber accepts the data roaming charges that will be incurred for further data usage, the subscriber shall be blocked from data access while roaming.

To enable compliance with these regulations, Sandvine worked with European Union customers to lead the implementation of a data roaming bill shock management solution.
In the specific example described here, the CSP developed the subscriber configuration interfaces for setting the data roaming limits and the ability to change, opt in to or opt out of the limits. The solution interfaced with the service provider business support systems to obtain the subscriber limits, measure the usage, and trigger the notifications and subscriber portal redirections. The solution measured the subscriber roaming data usage and provided the usage data records to the service provider's charging mediation interface. These records were used to zero-rate any data usage associated with notifications and acceptance of further data roaming charges. Finally, the solution shaped or blocked the subscriber traffic upon reaching the roaming usage limits.

A revenue gain instead of a revenue loss

As previously described, mobile networks use GTP tunneling in which the outer IP identifies the serving network, and the inner IP identifies the user. A failure to evaluate these conditions accurately for roaming charge notification results in upset subscribers who contact customer support, generating negative press and word-of-mouth. There is also the risk of regulatory bodies looking into a CSP's network practices and levying fines.

When subscribers contact their service provider to complain about bill shock, the service provider frequently waives the charge in question. These waivers represent lost revenue, but there is also the cost of the customer care call, as well as the cost of having provided the service. In the case of large bills due to data roaming, the loss to a CSP can be quite substantial.

The ability to fully process all relevant conditions contained within tunneled traffic, combined with a trigger for real-time subscriber communication with service charging options, presents an opportunity for CSPs to generate additional revenue while empowering subscribers with choice. The European Union regulations summarized in this paper are minimal requirements. A mobile operator may include additional notifications, such as advice-of-charge or advice-of-usage, and provide limited data access after limits are exceeded with redirection to a subscriber Web portal for top-up purchases.
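As an added example (not Sandvine's SandScript and not the CSP's implementation), the regulatory steps listed above and the solution behaviour just described can be expressed as a small per-subscriber policy: it distinguishes the home PLMN from a visited PLMN, issues the first-use, 80% and limit-reached notifications, blocks and then redirects once the limit is hit until the subscriber accepts further charges, and keeps notification and portal traffic in a separate zero-rated counter. The test PLMN ids, the byte limit standing in for the volume equivalent of the default cap, the `portal_flow` flag that marks notification traffic and the `accept_further_charges` event are all assumptions made for the example.

```python
"""Roaming usage-limit policy modelled on the EU data-roaming steps summarised
above: first-use notice, 80% notice, block at the limit until the subscriber
accepts further charges, and zero-rated notification traffic.

Added example, not Sandvine's SandScript. The in-memory subscriber record, the
'accept' event and the flag that marks portal/notification flows are assumptions.
"""
from dataclasses import dataclass, field
from typing import List, Tuple

WARN_FRACTION = 0.8


@dataclass
class RoamingState:
    home_plmn: str
    limit_bytes: int               # volume equivalent of the default or chosen limit
    opted_out: bool = False        # subscriber declined the regulatory notifications
    used_bytes: int = 0            # chargeable roaming usage
    zero_rated_bytes: int = 0      # notification and portal traffic, never billed
    first_use_sent: bool = False
    warn_sent: bool = False
    limit_sent: bool = False
    blocked: bool = False
    accepted_overage: bool = False


@dataclass
class Decision:
    action: str                    # "forward", "block" or "redirect"
    notifications: List[str] = field(default_factory=list)


def on_packet(st: RoamingState, nbytes: int, serving_plmn: str,
              portal_flow: bool = False) -> Decision:
    """Apply the roaming policy to one subscriber packet.

    serving_plmn comes from the session's serving-network (outer-tunnel / accounting)
    context and the subscriber from the inner tunnel; the decision needs both.
    """
    if serving_plmn == st.home_plmn:
        return Decision("forward")             # not roaming: this policy does not apply
    if portal_flow:
        st.zero_rated_bytes += nbytes          # recorded, but excluded from charging
        return Decision("forward")
    if st.opted_out or st.accepted_overage:
        st.used_bytes += nbytes                # metered and charged, no cap enforced
        return Decision("forward")
    if st.blocked:
        return Decision("redirect")            # captive portal until charges are accepted
    notes: List[str] = []
    if not st.first_use_sent:
        st.first_use_sent = True
        notes.append("charges-apply")          # 2a: notify on first roaming use
    if st.used_bytes + nbytes > st.limit_bytes:
        st.blocked = True                      # 2c(i): block until the subscriber accepts
        if not st.limit_sent:
            st.limit_sent = True
            notes.append("limit-reached")      # 2c: notify and offer a top-up mechanism
        return Decision("block", notes)
    st.used_bytes += nbytes
    if not st.warn_sent and st.used_bytes >= WARN_FRACTION * st.limit_bytes:
        st.warn_sent = True
        notes.append("80-percent")             # 2b
    return Decision("forward", notes)


def accept_further_charges(st: RoamingState) -> None:
    """Subscriber accepted further roaming charges (SMS, e-mail, call or top-up page)."""
    st.accepted_overage = True
    st.blocked = False


def run_scenario() -> List[Tuple[str, List[str]]]:
    """Constructed walk-through: a home subscriber (test PLMN 001-01) on a visited PLMN."""
    st = RoamingState(home_plmn="001-01", limit_bytes=50_000)  # constructed limit
    steps = [
        ("001-01", 30_000, False),   # at home: no roaming treatment
        ("001-02", 30_000, False),   # first roaming packet
        ("001-02", 15_000, False),   # crosses 80% (45,000 of 50,000)
        ("001-02", 10_000, False),   # would exceed the limit: blocked, not counted
        ("001-02", 1_000, False),    # still blocked: redirect to the portal
        ("001-02", 500, True),       # portal traffic: forwarded and zero-rated
    ]
    out = []
    for plmn, n, portal in steps:
        d = on_packet(st, n, plmn, portal)
        out.append((d.action, d.notifications))
    accept_further_charges(st)
    d = on_packet(st, 1_000, "001-02")  # accepted: forwarded and charged again
    out.append((d.action, d.notifications))
    return out


if __name__ == "__main__":
    for action, notes in run_scenario():
        print(action, notes)
```

The packet that would cross the limit is blocked rather than counted, so the chargeable counter never exceeds the limit the subscriber agreed to; portal traffic is accepted even in the blocked state, which is what makes the top-up page reachable, and it is counted on its own so the records handed to charging mediation can zero-rate it.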
Many subscribers feel more comfortable with a pay-as-you-use model that carefully meters what they spend on roaming, while others simply appreciate being notified when roaming charges apply. Subscribers are much less likely to challenge bills that contain charges that were anticipated in advance.

On-wire, real-time flow evaluation

Because it supports SandScript, a uniquely freeform policy language, the Policy Traffic Switch (PTS) makes real-time decisions about thousands or even millions of data flows per second by intersecting the network data stream. This allows Sandvine to trigger subscriber notification and/or enforcement actions, such as shaping or blocking, the instant a subscriber accesses a roaming network or depletes their purchased quota. Any delay in notification, even a delay of 15 minutes, can result in an expensive charge to the subscriber or an angry customer support call and a waiver from the CSP.

Deployment

The Sandvine PTS tapped the real-time IP data traffic going out of the visited network where the subscriber is roaming. The PTS intersected the traffic either going out to the GGSN being accessed by the subscriber or coming in from the GGSN bound for the subscriber, and measured the data usage. Although this particular deployment was for a 3GPP HSPA network, the Sandvine implementation is both standards-compliant and access-technology-agnostic, and a similar solution is supported with other access technologies, including 3GPP2 and LTE. For example, in LTE networks Sandvine can intersect the S5/S8 interface to apply policy simultaneously for the serving network and subscriber. In HSPA networks, there is enormous benefit to having the PTS deployed on the Gn interface, as shown by Figure 5. From there it can also tap the Gp interface.
Figure 5: Sandvine European Union data roaming regulatory compliance implementation topology

Implementation details

Figure 6 provides a closer look at the Sandvine elements and their functions.

Figure 6: Sandvine European Union data roaming solution element details
On the initial subscriber data session set-up, the PTS intercepted the messages for the accounting start and obtained the data session attributes such as the Public Land Mobile Network (PLMN). Based on the PLMN the subscriber was on, the PTS could determine if the subscriber was roaming and provide the home or visited service provider data roaming bill shock treatment. The GGSN could also have determined what PLMN a subscriber is on; however, it couldn't provide the other capabilities required for the data roaming bill shock treatment, such as determining the subscriber notification preferences, sending the usage limit notifications, and redirecting to a subscriber Web portal for data roaming top-ups. In addition, the GGSN could not implement the preferred method of HTTP interjection for usage limit notifications. HTTP interjection is not only the most widely supported mechanism on subscriber devices, as it works with both mobile handsets and tethered PCs, but is also the preferred notification method due to its visibility.

In addition, with the PTS, WiFi hotspot usage that is counted as data roaming is also supported. Since Sandvine technology is access-agnostic, the solution can intercept the WiFi network links back to the home network and include the WiFi usage as part of the data roaming bill shock treatment when sending notifications, redirecting subscribers to a captive portal and processing subscriber data roaming top-ups.

For visiting subscribers on the home network that are not subject to the EU roaming requirements, the PTS provided yet another roaming bill shock treatment. The PTS and Sandvine's freeform policy capability provided different roaming bill shock treatments for home subscribers roaming in visited networks, EU-visiting subscribers roaming in the home network and non-EU-visiting subscribers roaming in the home network.
In addition, since the PTS was able to determine the home network of the visiting subscribers, the solution also provided the different roaming bill shock treatment notifications and data roaming top-up policies desired by this customer's roaming partners. This was of immense value to the Sandvine customers who implemented this solution. Based on the thresholds for the subscriber that were retrieved from the home or visited business support system, the PTS triggered subscriber notifications. The PTS was also able to redirect the subscriber to the portal for acceptance of further roaming data usage. Any data usage related to subscriber notifications and communications was zero-rated by the PTS as per the home or visited service provider policy. The PTS also forwarded the subscriber data usage to the Sandvine Service Delivery Engine (SDE) platform.

SandScript-enabled use case

The accuracy and effectiveness of this use case application, and its advanced capabilities, are the direct result of a key differentiator of Sandvine's technology: SandScript's freeform ability to define and execute policies that simultaneously evaluate, and apply real-time enforcement based on, distinct conditions from the IP tunnel and each subscriber-specific data flow encapsulated within it. In contrast to Sandvine's unique freeform method, a rigid-form policy creation and execution model cannot achieve this use case even if a box is deployed on the required interfaces: the inability to inspect both inside and outside of the tunnel, due to the lack of cascading conditions in policy, means the traffic will be double-counted, if counted at all. If a solution based on rigid-form policy relies on AAA for visiting network subscriber awareness, the time lag will result in misapplied policy, counting errors and billing errors, and the visiting SGSN may not even have a 3GPP AAA extension enabled.
Video streaming over VPN Detection

A major Multiple-Services Operator (MSO) approached Sandvine requesting the ability to determine the extent to which some users were streaming content outside of the network using VPNs, in violation of the license agreement. Figure 7 shows the solution deployment. In terms of policy, SandScript was used to specify the following within the same self-contained policy:

- Tablet VPN (PPTP + GRE) unpack, inspection, and classification
- Video CDN protocol classification: HDS (HTTP Dynamic Streaming) and HLS (HTTP Live Streaming)
- Real-time VPN and CDN bandwidth usage analysis: a specific pattern match indicates a breach of usage policy (licensed content being served to non-paying user(s) over VPN)
- Count/collect cross-referenced data for Network Demographics and Network Analytics reporting

Figure 7: Sandvine Video Over VPN Detection Deployment

The initial use case was focused solely on reporting: this operator wanted to see how badly revenue was leaking through the unauthorized practice of content being served to non-paying users over VPN connections. From there, the MSO could move on to notifying abusers with a request to cease the practice, or any actions deemed appropriate when the abuse condition is detected (shaping, blocking, either across the board or for specific protocols, etc.).

SandScript-enabled use case

This use case is only possible because freeform policy creation and execution enables the correlation of distinct conditions and measurements to define a specific meta-condition indicating a breach of the license agreement.
LTE QoS: Fairshare Traffic Management

Sandvine has always worked to ensure its QoS-handling capabilities function well for all network types and between network types, while anticipating ongoing architectural evolutions. A good example is the Traffic Management product, which includes an advanced feature set called Fairshare. Sandvine has widely deployed Fairshare Traffic Management in cable environments, as described in RFC 6057 [1]. PCMM is a direct analog of 3GPP PCC, being based on it (and with an explicit goal to harmonise together in Common-IMS, which brings together ETSI TISPAN, ETSI 3GPP, 3GPP2, and CableLabs).

The general theory of operation of Fairshare Traffic Management is to do the following:

1. Identify links experiencing congestion.
2. Identify the users on those links likely to cause disproportionate congestion in the next time interval.
3. Reduce the scheduling priority of those users until either
   a. congestion disappears (with some hold-down time or hysteresis to prevent oscillation), or
   b. the user is no longer causing disproportionate congestion.

The net effect is to shift congestion (and thus latency and loss) more towards the small minority of short-term heavy users who are the greatest contributors to congestion at times of congestion.

If we bring this use case into the 3GPP environment that defines LTE, we run into the problem that the user equipment does not support being signaled in the same fashion as DOCSIS, and thus the upstream cannot be prioritized [2]. However, prioritization for congestion management can be performed in the downstream. The second problem is recognizing which link (which mobile sector) the user is on. In DOCSIS this is signaled with the DHCP/SNMP/IPDR protocols. In 3GPP this is only signaled on bearer creation (enabling the user equipment) and possibly on interim updates (e.g., User Location Update). In versions prior to LTE, the fix requires deploying complex probes on the IuB, IuPS and IuCS links.
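The three steps above, carried into the LTE setting where the sector is identified by the eNodeB seen as the GTP outer IP and only the downstream can be acted on, can be sketched as a per-sector controller. The code below is an added example, not Sandvine's Fairshare implementation: the utilisation thresholds, the hold-down counter used as hysteresis, the "heavy user" rule (at least 1.5 times the fair share in the last interval, taken as the predictor for the next one), the `downlink_bearer` helper that chooses a pre-provisioned TEID, and the sector capacity and per-user rates in the constructed trace are all assumptions.

```python
"""Fairshare-style congestion management following the three steps above:
find congested links (sectors), find the users causing disproportionate load,
lower their priority with hysteresis. Added example, not Sandvine's product
logic; thresholds, the hold-down rule and the 'heavy user' test are assumptions.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple


@dataclass
class SectorState:
    capacity_bps: float
    congested: bool = False
    clear_streak: int = 0                      # consecutive below-threshold intervals
    deprioritised: Set[str] = field(default_factory=set)


class Fairshare:
    def __init__(self, high: float = 0.90, low: float = 0.70,
                 hold_intervals: int = 3, heavy_factor: float = 1.5):
        self.high = high                  # utilisation at which a sector becomes congested
        self.low = low                    # must stay below this for hold_intervals to clear
        self.hold = hold_intervals        # hold-down time against oscillation (step 3a)
        self.heavy_factor = heavy_factor  # share >= factor * fair share is "disproportionate"
        self.sectors: Dict[str, SectorState] = {}

    def add_sector(self, sector_id: str, capacity_bps: float) -> None:
        self.sectors[sector_id] = SectorState(capacity_bps)

    def step(self, sector_id: str, per_user_bps: Dict[str, float]) -> Set[str]:
        """One measurement interval for a sector; returns the users to de-prioritise next.

        In LTE the sector key is the eNodeB address seen as the GTP outer IP on S1-U and
        the per-user rates come from the inner tunnel; only downstream is acted on.
        """
        s = self.sectors[sector_id]
        total = sum(per_user_bps.values())
        util = total / s.capacity_bps
        if util >= self.high:                           # step 1: congestion detected
            s.congested, s.clear_streak = True, 0
        elif s.congested and util < self.low:
            s.clear_streak += 1
            if s.clear_streak >= self.hold:             # step 3a: cleared, hold-down met
                s.congested = False
        if not s.congested:
            s.deprioritised.clear()
            return set()
        # step 2: last interval's share predicts the next one (assumption)
        fair = total / max(len(per_user_bps), 1)
        s.deprioritised = {u for u, bps in per_user_bps.items()
                           if bps >= self.heavy_factor * fair}   # step 3b drops the rest
        return set(s.deprioritised)

    def downlink_bearer(self, sector_id: str, user: str,
                        default_teid: int, low_prio_teid: int) -> int:
        """Pre-provisioned bearer (TEID) the user's downlink packets should be moved to."""
        s = self.sectors.get(sector_id)
        return low_prio_teid if s and user in s.deprioritised else default_teid


def run_scenario() -> List[Tuple[List[str], bool]]:
    """Constructed five-interval trace for one 10 Mbit/s sector."""
    fs = Fairshare()
    fs.add_sector("enb-1", 10e6)
    trace = [
        {"a": 6.0e6, "b": 2.0e6, "c": 1.5e6},   # 95%: congested; 'a' exceeds 1.5x fair share
        {"a": 3.0e6, "b": 2.5e6, "c": 2.0e6},   # 75%: still congested, nobody disproportionate
        {"a": 1.0e6, "b": 1.0e6},               # 20%: below low threshold, hold-down 1
        {"a": 1.0e6, "b": 1.0e6},               # hold-down 2
        {"a": 1.0e6, "b": 1.0e6},               # hold-down 3: congestion cleared
    ]
    return [(sorted(fs.step("enb-1", t)), fs.sectors["enb-1"].congested) for t in trace]


if __name__ == "__main__":
    for heavy, congested in run_scenario():
        print("congested" if congested else "clear", heavy)
```

Note the two exits in step 3: a user drops out of the de-prioritised set as soon as their share is no longer disproportionate (interval 2), while the sector itself stays "congested" until utilisation has been below the low threshold for the full hold-down, so a brief dip does not flip the policy on and off.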
In LTE, it is possible to deploy the Sandvine PTS in the S1-U and thus become eNodeB-aware in a very simple fashion (the outer IP of the GTP tunnel is the eNodeB). The three following possible mechanisms, all supported by Sandvine, exist for per-sector prioritization in LTE:

1. Signal to a PCRF to signal to the P-GW to create a dedicated bearer with a wildcard service flow.
2. Modify the tunnel ID (TEID) to match one that is statically created on the P-GW that has the requisite QoS parameters.
3. Deploy a marking mechanism on the SGi and have it hit a statically-provisioned, dynamic PCC rule using, for example, DSCP marking.

Of the three methods, S1-U prioritization of both inner-tunnel and outer-tunnel offers the best overall performance as it handles both backhaul and radio congestion. As shown by Figure 8, the Fairshare Traffic Management policy measures top users on busy sectors, and modifies the TEID of their traffic to match a pre-defined bearer that was statically created on the P-GW. In addition, DSCP marking or MPLS EXP marking can be performed on the outer tunnel to cause QoS prioritization in the radio backhaul itself.

Figure 8: Radio prioritisation via TEID modification

Matching traffic will be de-prioritised in the eNodeB radio scheduler.

SandScript-enabled use case

Sandvine's support for this use case is uniquely provided by the SandScript policy language and the freeform policy creation environment it enables, allowing the simultaneous inspection of both the inner-tunnel and outer-tunnel.

Conclusion

The ability to effectively handle IP tunneling is just one powerful example of how Network Policy Control works better for CSPs and subscribers when it can be freely created in an open environment that empowers use cases and anticipates change, rather than being pre-programmed in a factory. As shown by the example use cases presented in this paper, for CSPs building intelligent broadband networks, the effective management of IP tunneling maximizes revenue-generation and cost-saving potential while meeting both regulatory requirements and subscriber expectations.

Notes

[1] http://tools.ietf.org/html/rfc6057
[2] In LTE, the UE can support multiple primary contexts, but this would mean it would have to understand in some proprietary fashion how to route traffic from one to the other. A primary context has a separate IP address. The intent is to standardise and use this for Voice over LTE, in which the UE knows how to select the right dedicated bearer. This may or may not work for generic over-the-top applications.
Headquarters
Sandvine Incorporated ULC
Waterloo, Ontario, Canada
Phone: +1 519 880 2600
Email: sales@sandvine.com

European Offices
Sandvine Limited
Basingstoke, UK
Phone: +44 0 1256 698021
Email: sales@sandvine.co.uk

Copyright 2013 Sandvine Incorporated ULC. Sandvine and the Sandvine logo are registered trademarks of Sandvine Incorporated ULC. All rights reserved. 2013-08-13