Mobile backhaul and mobile backhaul security solutions
TRANSCRIPT
Juniper Mobile Backhaul Solution and Mobile Security
Juniper Partner Summit, Moscow, April 21, 2015
Denis Zotov
EMEA CoE
Introducing Universal Access
Service providers have traditionally deployed separate networks for business, residential and mobile customers (Business Edge, Residential Broadband Edge and Mobile Edge).
Universal Access extends the intelligence from edge to access, creating a seamless end-to-end service delivery system, with scale and financial viability.
• Single OS
• Single control plane
• Seamless end-to-end service
• Operational simplicity and scale
Diagram: Universal Access (ACX) and Universal Edge (MX 3D) form the access and aggregation network, carrying Mobile, Business and Residential services over LSPs towards the backbone, datacenters and IP/Internet; Junos Space provides end-to-end service provisioning, troubleshooting and performance management.
Copyright © 2013 Juniper Networks, Inc. www.juniper.net
JUNIPER NETWORKS’ SOLUTION FOR UNIVERSAL ACCESS, AGGREGATION, EDGE
Diagram: platforms placed across the Access, Pre-Aggregation, Aggregation and Edge tiers, with 10GE and 100GE links, Seamless MPLS and network timing end to end. Platforms shown: ACX500, ACX 1x00, ACX 2x00, ACX 4000, ACX5048, ACX5096, MX80, MX104, MX240, MX480, MX960, MX2010, MX2020, vMX, TCA6x00 and TCA8x00.
ACX-series: THE NEW BENCHMARK FOR ACCESS NETWORKS
Platforms shown: ACX1000, ACX1100, ACX2000, ACX2100, ACX4000, ACX5048, ACX5096
• Juniper’s Universal Access router for mobile backhaul (LTE, 2G/3G), business Ethernet services and residential access
• Complements Universal Edge
• Fixed and modular platforms all running JUNOS
• Integrated precision timing for highest QoE (IEEE1588v2, SyncE)
• Embedded SLA packet generator (RFC 2544)
• Hardened fan-less design
• Support for POE++ (up to 65 W)
• 10 Gig interfaces for converged access
• Seamless MPLS provides the most flexible service architecture
• Extensive end-to-end network monitoring: latency, jitter, OAM
• Open system for innovation (JUNOS SDK and JVAE)
• Satellite Node to MX/MX104 (Junos Node Unifier)
Introducing the ACX500 family of Routers
Platforms shown: ACX500 indoor, ACX500 outdoor, ACX2200
Highlights
• Specifically designed to meet the SmallCell market deployment needs
• Support Carrier Ethernet and MPLS Access
• MEF CE2.0 Compliant
• Line Rate on all ports
• Scalable H-QoS support
• IPsec support for secure transport over non-trusted backhaul
• Built-in DHCP Server for Small Cells
• Zero Touch Provisioning
• Automated Configuration / Image download using Junos Space
• Supports convergence of Wireline and Mobile Networks
• Low Power consumption
• Multiple product variants including support for POE/POE++

ACX500 – INDOOR SKU
• 2x 1GE (SFP) + 4x 1GE (Combo, 3x PoE+ support)
• Temp. Hardened (-40 to +65 C), Passive cooling
• 10.7 in. (W) x 1.75 in. (H) x 11 in. (D) (TBD)
• Advanced Timing – GPS receiver integration, GM capability
• Advanced Security – IPsec, NAT, MACsec and TPM
• Advanced SLA management – RFC2544, Y.1564, TWAMP

ACX500-O & ACX500-O-POE - OUTDOOR SKUs
• 3x 1GE (SFP) + 3x 1GE (Cu, PoE+ support)
• IP65 compliant, Passive cooling, Power Budget: 45W
• 9.47 in. (W) x 15.8 in. (H) x 5.6 in. (D) (TBD)
• Advanced Timing – GPS receiver integration, GM capability
• Advanced Security – IPsec, NAT, MACsec and TPM
• Advanced SLA management – RFC2544, Y.1564, TWAMP
ACX500 Indoor and Outdoor Variants / Licensing
Variants        Indoor (available today)   Outdoor (available 3Q15)
AC              -                          ACX500-O-AC
DC              -                          ACX500-O-DC
AC with POE*    ACX500-AC                  ACX500-O-POE-AC
DC with POE*    ACX500-DC                  ACX500-O-POE-DC
Services Licensing (Indoor)
ACX500-LIC-GPS  ACX500 License for GPS Receiver
ACX500-LIC-SEC  ACX500 License for IPsec and NAT features
Note: * 3 ports capable of supporting POE / POE++, max 80 Watts power across 1 or 3 ports combined
ACX500 Use Case - Smallcell Backhaul
Diagram (available today): PoE-capable small cells connect to an EX2200c L2/L3 switch with PoE behind an ACX1100 and a TCA6500 timing client with integrated GPS receiver. The ACX1100 provides NAPT for small cell traffic, a DHCP server, IPsec and a 1588v2 grandmaster; WAN IP static or DHCP.
Diagram (available 1H2015): an ACX500 (indoor) or ACX500-O-POE (outdoor) collapses this into one box: NAPT for small cell traffic, DHCP server, IPsec, 1588v2 grandmaster, integrated GPS, WAN IP static or DHCP, PoE to the small cell.
In both cases the cell site connects over the aggregation network (CE and pre-aggregation routers, 1588v2 GM with GPS) to a SEG for small cell traffic and a SEG for device management in front of the core network. Small cell traffic runs with or without IPsec enabled; device management traffic runs in an IPsec tunnel. Junos Space with a config server and the OSS/BSS manage the devices.
Field Area Network (FAN)
• ACX500 is certified for the following standards required for utilities and railways:
  • NEBS GR 3108
  • IEEE 1613
  • IEC 61850-3
  • EN 50121
Diagram: substation devices (IEDs, RTUs, PLCs, a surveillance camera and a WLA632 Rugged Outdoor Wireless AP) connect over T1/E1 and Ethernet to an ACX500 and a CTP150 at the substation; the private WAN (IP/MPLS network) with MPLS edge devices (Juniper M Series, MX Series and SRX Series routers) carries the traffic to the NOC, where Junos Space manages the network.
ACX5000 series
ACX5048
• 48 x 1/10GbE SFP+
• 6 x 40GbE QSFP uplinks
• 1.44 Tbps throughput
• 1U fixed form factor
ACX5096
• 96 x 1/10GbE SFP+
• 8 x 40GbE QSFP uplinks
• 2.56 Tbps throughput
• 2U fixed form factor
Services: E-LINE and E-LAN with full E-OAM; comprehensive L2 multicast solution over IP/MPLS infrastructure; IP-VPN services
Reliable networking: ISSU, MC-LAG, flexible Virtual Chassis deployments
Sync: 1588 TC
Introducing the ACX5000 family of Routers
Platforms shown: ACX5048, ACX5096
Highlights
• Specifically designed to meet the Pre-Aggregation / CRAN market deployment needs
• Support Carrier Ethernet and MPLS Access
• MEF CE2.0 Compliant
• Line Rate on all ports
• Low Latency ~0.6 µs
• IPsec support for management
• Supports convergence of Wireline and Mobile Networks
• Built-in x86 processor supports Service Virtualization on a KVM-compliant Virtual Machine
• High-Availability features like ISSU, MC-LAG, Virtual Chassis
• Low Power consumption
• 1588v2 Transparent Clock*
ACX5K VALUE PROPOSITION
1GE to 10GE Network and Service Migration: high density & capacity 1GE/10GE platform; graceful migration from 1GE to 10GE
Flexible Service Offerings: low latency (finance, front-haul); MEF services (E-LINE, E-LAN, E-Tree, ENNI); Ethernet OAM (802.3ah, 802.1ag, Y.1731 PM, RFC2544); IP-VPN
VM Architecture: added value applications (firewall, analytics, user defined apps)
Flexible Network Deployment: Ethernet, IP/MPLS
High Availability and Scalable Networking: JUNOS for building highly reliable and scalable networks; G.8032, RSVP 1:1, FRR, BFD, IP LFA, PWE redundancy, VRRP; ISSU, Virtual Chassis, MC-LAG
Seamless MPLS Networking Solution
ACX5000 APPLICATIONS – METROE AGGREGATION (BUSINESS)
• MetroE Aggregation (no residential access)
• E-OAM, E-LINE/E-LAN (Ethernet and MPLS)
• High Capacity, IP-VPN/IP Support
Market: SP, MSO

ACX5000 APPLICATIONS – METROE CPE (BUSINESS)
• High Capacity CLE/CPE – EAD Device
• E-OAM, E-LINE/E-LAN (Ethernet and MPLS)
• High Capacity, IP-VPN/IP Support
Market: SP, MSO
Connectivity Services Director & Cross Platform Provisioning
Service Lifecycle Management
• Service Design & Provisioning: templates for service design and rapid provisioning
• Validation & Troubleshooting: network performance and SLA assurance
• Service Decommissioning: decommission and release service resources
• Resource Management: maintain service inventory and resources
Key Requirements
• Transport Provisioning - design, provisioning and deployment of static and dynamic P2P, P2MP and full-mesh LSPs
• Network Service Provisioning - provisioning, validation and troubleshooting of MPLS, L2/L3VPN, MEF and TDM/ATM services
• QoS Provisioning - provisioning of QoS profiles for bandwidth management, traffic shaping and congestion management
• Sync Management - configuration and management of PTP, SyncE and hybrid synchronization modes across the network
• Troubleshooting and Performance Monitoring – service fault and performance management using Y.1731, CFM, LFM, BFD
Evolution to Connectivity Services Director
Junos Space Services Activation
• Released in 2011
• Currently shipping R14.1
• Used in both SP and Enterprise networks
• Several live deployments in Tier-1 and Tier-2 networks
Connectivity Services Director
• Common UI, no discrete apps
• Usability improvements
• Flexible Services
• Service Troubleshooting
• Service Performance monitoring
• Graphical topology views
• Chassis viewer
• Path computation through Northstar
• FRS – Q2 2015
Drivers of the evolution: customer and partner inputs, cross-BU collaboration, code reuse, agile development
Screenshot callouts: multiple views or perspectives; service types; easy access to customer list; service-specific tasks; overall status of services; improved search; services list; alarm summary; port-specific information; logical interfaces and details; port-specific configlets
CPP - High Level Architecture
Diagram: CPP (Service Activation 1.0) on the Junos Space Platform delivers E-LINE / E-LAN / L3VPN / IPTV L3VPN services over a Carrier Ethernet Network built from Juniper hardware (managed through the Junos Space EMS) and Alcatel-Lucent hardware (managed through the ALU 5620 SAM, reached over its SOAP web services, SAM-O); CPP exposes a REST API.
Solution Highlights
• Enhancements to Services Activation Director (Network Activate) to deploy and manage services in Space & ALU 5620 SAM
• Uses the Flex Services framework to design and provision services on Juniper and ALU devices
• Uses the SOAP API to manage ALU 5620 SAM services
• Provides a script-driven approach to service template design for provisioning new services
• Leverages Space platform features such as clustering, redundancy, etc.
Flex Services / CPP - Device and Service Lifecycle Management
• DISCOVERY: Device Discovery; Service Discovery
• PROVISIONING: golden template on device using device Configlets; Service Provisioning (ELINE, ELAN, L3VPN, Network Peering)
• MODIFICATION: modify operations (Device, Service); bulk service changes (Device, Service); service migration (Port x to Port y)
• TROUBLESHOOTING: Device Validation Scripts; Device Troubleshooting OpScripts; Service Troubleshooting OpScripts
Mobile Backhaul Security
What is Mobile Sec GW
• The Mobile Security GW is introduced to protect the availability and integrity of the mobile network:
  • Protect the EPC by permitting only sessions from certified mobile base stations
  • Protect data integrity across the transport network
  • Secure the management plane traffic of the backhaul devices
• What are the key functions
  • IKE/IPsec VPN termination (with HA in some cases) from the eNB directly to the mobile core (main function)
  • Firewall, SCTP rate limiting, IPS, DDoS protection, etc. (optional)
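As an added example, not a configuration from the slides or from Juniper, here is what the two functions above look like in SRX-style Junos configuration (the SRX is one of the two SeGW platforms named later in the deck). The SeGW terminates IKEv2/IPsec from eNBs and admits only base stations that present an X.509 certificate chaining to the operator's CA, which is what "certified" means in practice: pre-shared keys do not scale across thousands of cell sites, and the 3GPP network domain security authentication framework (TS 33.310) is certificate-based. The optional firewall function is shown as a zone policy so that decrypted eNB traffic reaches the EPC only as S1-MME (SCTP port 36412) or S1-U (GTP-U, UDP port 2152). Every name is an assumption for illustration: OPERATOR-CA, SEGW-CERT, IKE-PROP-ENB, IKE-POL-ENB, IKE-GW-ENB, IPSEC-PROP-ENB, IPSEC-POL-ENB, VPN-ENB, the ENB-TUNNELS and EPC zones, the interfaces ge-0/0/0.0, ge-0/0/1.0 and st0.0, and the subject DN container OU=eNodeB,O=Operator. On the MX, the MS-MPC/MS-MIC IPsec is configured under the services ipsec-vpn hierarchy rather than security ike/ipsec, so the stanzas differ there.

```junos
/* Added example (not from the slides): SRX-style Junos SeGW terminating IKEv2/IPsec
   from certificate-authenticated eNBs; every name below is an illustrative assumption. */
security {
    pki {
        ca-profile OPERATOR-CA {
            ca-identity OPERATOR-CA;
            /* a revoked eNB certificate then fails IKE authentication */
            revocation-check {
                crl;
            }
        }
    }
    ike {
        proposal IKE-PROP-ENB {
            /* certificates rather than pre-shared keys */
            authentication-method rsa-signatures;
            dh-group group14;
            authentication-algorithm sha-256;
            encryption-algorithm aes-256-cbc;
        }
        policy IKE-POL-ENB {
            proposals IKE-PROP-ENB;
            certificate {
                local-certificate SEGW-CERT;
                peer-certificate-type x509-signature;
                /* only certificates chaining to the operator's CA are accepted */
                trusted-ca OPERATOR-CA;
            }
        }
        gateway IKE-GW-ENB {
            ike-policy IKE-POL-ENB;
            /* thousands of eNBs share one gateway; they are admitted by subject DN */
            dynamic {
                distinguished-name {
                    container "OU=eNodeB,O=Operator";
                }
                ike-user-type group-ike-id;
            }
            local-identity distinguished-name;
            external-interface ge-0/0/0.0;
            version v2-only;
        }
    }
    ipsec {
        proposal IPSEC-PROP-ENB {
            protocol esp;
            authentication-algorithm hmac-sha-256-128;
            encryption-algorithm aes-256-cbc;
        }
        policy IPSEC-POL-ENB {
            perfect-forward-secrecy {
                keys group14;
            }
            proposals IPSEC-PROP-ENB;
        }
        vpn VPN-ENB {
            /* route-based VPN: every eNB tunnel lands on st0.0 */
            bind-interface st0.0;
            ike {
                gateway IKE-GW-ENB;
                ipsec-policy IPSEC-POL-ENB;
            }
        }
    }
    zones {
        security-zone ENB-TUNNELS {
            interfaces { st0.0; }
        }
        security-zone EPC {
            interfaces { ge-0/0/1.0; }
        }
    }
    policies {
        /* optional firewall function: only S1-MME (SCTP 36412) and S1-U (GTP-U, UDP 2152) reach the EPC */
        from-zone ENB-TUNNELS to-zone EPC {
            policy S1-ONLY {
                match {
                    source-address any;
                    destination-address any;
                    application [ S1-MME GTP-U ];
                }
                then {
                    permit;
                }
            }
        }
    }
}
applications {
    application S1-MME {
        protocol sctp;
        destination-port 36412;
    }
    application GTP-U {
        protocol udp;
        destination-port 2152;
    }
}
```

Anything the S1-ONLY policy does not match is dropped by the SRX default deny, which is the point of putting a firewall behind the tunnel terminator. X2 between two eNBs (X2-C on SCTP port 36422, X2-U as GTP-U) arrives and leaves on st0.0, so relaying it at the SeGW needs a separate intra-zone policy in ENB-TUNNELS, not shown here; the X2 latency discussion later in the deck is about where that relay point should sit.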
Where are the threats
Diagram: threat surfaces from the UEs, through the backhaul network, to the EPC.
UEs:
• Signalling storms (not directly malicious)
• Signalling plane attacks
• Access to EPC nodes
• Participation in botnets
• Access to exploitable carrier services such as DNS or NTP
Backhaul network:
• Insecure physical locations giving easy access to the backhaul network
• Visibility of user information
• IP access to backhaul nodes and EPC
• Ethernet access could allow standard attack devices and tools to be used
• Possible access to carrier services, e.g. DNS, NTP
• Commonly shared or leased – not under operator control and inherently insecure
• Risk of insertion points directly or via access to non-isolated backhaul
• Clear avenue to the EPC and the rest of the mobile network for attack
Physical Deployment options
Diagram: 2G GSM/CDMA, 3G UMTS and 4G LTE base stations and small cells (via an SCG) are backhauled over TDM, ATM/TDM, IP/Ethernet, MPLS and leased transport to the EPC (with AAA and PCRF); Sec-GWs are shown at several candidate points along the path.
• Many options to deploy a Sec GW in a network; it can be in one or multiple types of locations.
• Candidate platforms from Juniper: SRX and MX
• Two common terms: ‘Centralised’ and ‘Distributed’ Security Gateway
Variable SeGW functionality
Diagram: ‘Distributed’ SeGW close to the eNodeB versus ‘Centralised’ SeGW in front of the MME and SGW/PGW, across Access, Aggregation and Core sites.
Different sets of security functions can be enabled depending on where the Sec GW is located.
Other considerations: centralised vs distributed
Centralised:
• Concentration of HW
• Reduced HW Capex
• Fewer nodes and sites
• Competence concentration
• Concentration of complexity
• Easier to grow/match capacity without geographical aspects
Distributed:
• Supports high traffic volume
• Reduces transmission cost
• Enables efficient X2 transport (latency-critical functions)
• Enables CPG distribution
• Minimizes the effect of node failure
• Fewer users per node
• Less need for high-capacity SeGWs
• Integrates SeGWs with IP router nodes
• Similarities to fixed broadband network architectures
Positioning SRX as SEGW
Platforms: SRX5400, SRX5600, SRX5800
Key Benefit:
• Very mature and stable turnkey solution for end-to-end backhaul security in conjunction with NSN or Ericsson
• Dynamic scaling provides a pay-as-you-grow model up to 80Gbps (SRX5800) IMIX IPsec & stateful firewall
• Stateful High Availability (HA) synchronises IPsec SAs, meaning minimal downtime in the event of a SeGW failure
• Stateful SCTP inspection can be enabled to protect the signalling plane
• Full stateful firewall
• Complete IPv6 support across IPsec, firewall, routing, and more
• In-Service Software/Hardware upgrades (ISSU/ISHU)
• JUNOS heritage functions (routing, QoS, commit confirmed, rollback)
• Single RAN security (2G/3G/4G IP protection)
MX104 as distributed Security gateway (MS-MIC)
Key Benefit:
• Satisfy X2 latency and performance requirements by pushing security functions into the access layer
• Use the router-integrated SeGW concept to reduce CAPEX/OPEX
• Reduced impact of node loss
• Co-located access layer routing functions
• Excellent IPsec performance (~3.5-4.5Gbps IPsec IMIX) in a small form factor unit
• Additional security functions on the MS-MIC if required (e.g. stateful firewall)
Centralised MX as Security gateway (MS-MPC)
Platforms: MX240, MX480, MX960
Key Benefit:
• Great performance for IPsec on the MS-MPC (~27G for IPsec IMIX)
• Leverage existing MXs within the transport network to provide a transparent
• Significantly reduced TCO
• Router-integrated solution allows flexibility in where to deploy across the backhaul network
• Distributed BFD provides a super-fast inter-site failover design for dual tunnel topologies (becoming increasingly common) – negates the need for intra-site HA
Use case - LTE-A deployment
There are stringent requirements for X2 latency for reliable LTE-A deployment.
Solution: deploy IPsec termination on the aggregation router or pre-aggregation router
• Case-1: only X2 traffic is terminated at the edge of the network, for latency reasons; S1 is sent back to the central EPC
• Case-2: all S1 and X2 traffic is terminated at the D-Sec-GW in a secured location
Allow communication from the macro cells to the EPC only from certified eNBs; provide data integrity from the eNBs to a secured location.
Diagram: eNBs behind CSRs in the pre-aggregation tier, the aggregation site hosting the SecGW, and the core site with the C-SecGW in front of the MME, SGW/PGW and HSS.
Use case - Small Cell deployment
Diagram: small cells connect over small/pico/femto backhaul to a Small Cell Home GW (H) with a Sec-GW; the macro eNodeB connects over macro backhaul; S1 (S1c signalling, S1u data, OAM) and X2 run towards the MME and SGW/PGW, with an optional Sec-GW in front of the core.
Session termination at the same location as the small cell GW:
• Reduces IPsec overhead towards the central site
• Achieves low X2 latency
• Gives better network-level IPsec scale
If encryption is required from the small cell GW site to the EPC, then all traffic can be aggregated and transferred to the EPC. Benefit: improved overall network-level tunnel scale.
Summary - Router-integrated Mobile Sec GW
– Security is an integral part of the Mobile Backhaul solution, and the MX is a critical element of Juniper’s Mobile Backhaul solution offering
– A router-integrated SecGW simplifies the Mobile Backhaul solution and gives great flexibility in Sec GW deployment; it can be deployed in any part of the Mobile Backhaul network on any MX platform with add-on services and IPsec security
– CAPEX saving: allows the provider to leverage the current MX platforms in the network, or to get new Mobile Backhaul infrastructure with an add-on SecGW function
– Non-intrusive security introduction plan: no requirements for any change in the current network design
– A small step into the big future: IPsec security is the first step of the distributed Mobile service vision
– The router-integrated solution also completes the toolkit (in addition to what Juniper’s winning product SRX can offer) which operators need to secure the Mobile network
Juniper Mobile Backhaul Value Proposition
End-to-End Solution: cell site to core routing; embedded timing and synchronization; strategic partnerships
Operationally Efficient: zero-touch; Junos Space; Seamless MPLS
Performance and Flexibility: industry leading throughput; 1/10/40/100 GE, TDM interfaces; POE++
Resilient: environmentally hardened; fanless design; carrier-grade Junos operating system
Evolving: SDN enabled; NFV; integrated Security Gateway capabilities
Thank you