
Broadband Networks Overview and Best Practices

Ananth Nagarajan
Feb 2005, SANOG V, Dhaka, Bangladesh

Copyright 2003 Juniper Networks, Inc.

Proprietary and Confidential

www.juniper.net

Agenda
- Subscriber Management: BRAS Basics
- Subscriber Management Applications


Subscriber Management: BRAS Basics

BRAS Overview
BRAS = Broadband Remote Access Server: the first network element that provides IP services to subscribers.
BRAS means subscriber management:
- Subscriber provisioned in the OSS database
- User online, in session
- Fully dynamic per user
- Each individual user is authenticated
- IP address assignment
- Policies (next-hop, rate-limit, TOS, etc.)
- QoS traffic classes/queues
- Accounting

Typical BRAS Network (DSL)
DSL today means ATM.
Popular access models:
- Client: PPPoE or PPPoA
- Access network: bridged Ethernet (B-ETH)
Client-side variants shown in the figure (all carried over AAL5 on the DSL line):
- PC with a PCI-based DSL modem, running PPPoA
- PC connected to a DSL modem, running PPPoE; the modem runs RFC 1483 bridged (1483-B)
- Home gateway with LAN interfaces, running RFC 1483 routed (1483-R)
DSLAM (Digital Subscriber Line Access MUX):
- DSL line aggregation and termination
- L2 bridge
- Uplink (today) is DS3/OC-3/OC-12
BRAS:
- L2 termination and L3 forwarding
- RADIUS client for user authentication, accounting and IP address assignment
- DHCP server/proxy/client for IP address assignment
RADIUS proxy/server:
- Authenticates the user against the database
- Returns the parameters applied to the user's IP interface (IP address, DNS, VR, policies), in standard attributes or VSAs
- Collects accounting data
[Figure: PC / home gateway -> DSL modem -> DSLAM (L2 access, ATM) -> BRAS (IP edge) -> IP core, with RADIUS and DHCP servers attached to the BRAS. The PPP session runs end to end from the client to the BRAS.]

BRAS Service Activation
[Figure: subscriber PC -> DSLAM -> Services Router -> Internet; service provider back-office with RADIUS server, repository and registration/rating & billing server; steps 1-7 numbered on the arrows.]
1. User initiates a PPP session and provides identification and password
2. Services Router detects the PPP initiation and formulates a RADIUS query
3. RADIUS queries the directory to validate user-id and password. If valid, RADIUS also queries the directory for the user's RADIUS profile
4. The RADIUS profile is returned to the Services Router to configure the connection
5. Services Router configures the connection
6. The RADIUS server starts an accounting usage record
7. The user can now access services such as the Internet

BRAS Service Deactivation & Accounting
[Figure: same topology; steps 8-12 numbered on the arrows between the Services Router, the RADIUS server, the repository and the rating & billing server.]
8. User terminates the PPP session
9. Services Router notifies the RADIUS server of the PPP termination
10. RADIUS creates an accounting stop record
11. Accounting start and stop records make up a usage record for feeding into the rating and billing server
12. Invoices are generated and sent to the subscriber
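On the wire, the activation and deactivation walkthrough above is a RADIUS exchange between the BRAS (the NAS) and the RADIUS server. The Python below is an added example written for this page; it is not Juniper code and not part of the original deck. It builds the Access-Request with RFC 2865 User-Password hiding, lets a constructed in-process "server" check the password against a made-up directory and return a Framed-IP-Address in the Access-Accept, verifies the Response Authenticator on the BRAS side, and then sends the Accounting Start and Stop records with the RFC 2866 request authenticator. The shared secret, the subscriber entry, the NAS address 192.0.2.1 and the session id are assumptions, and no sockets are used: both sides run in one process.

```python
import hashlib, hmac, struct
import ipaddress, secrets

# RADIUS codes and attribute types used here (RFC 2865 / RFC 2866).
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT, ACCT_REQUEST, ACCT_RESPONSE = 1, 2, 3, 4, 5
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS, FRAMED_IP_ADDRESS = 1, 2, 4, 8
ACCT_STATUS_TYPE, ACCT_INPUT_OCTETS, ACCT_OUTPUT_OCTETS, ACCT_SESSION_ID = 40, 42, 43, 44
ACCT_START, ACCT_STOP = 1, 2
# Constructed subscriber directory standing in for the back-office repository: username -> (PAP password, Framed-IP-Address).
DIRECTORY = {"alice@isp.example": ("s3cret-pw", "10.0.5.17")}

def hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 5.2: pad to a multiple of 16, XOR block i with MD5(secret + block i-1); block 0 uses the Request Authenticator."""
    padded = password.ljust(max(16, -(-len(password) // 16) * 16), b"\x00")
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        prev = bytes(p ^ k for p, k in zip(padded[i:i + 16], hashlib.md5(secret + prev).digest()))
        out += prev
    return out

def unhide_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        out += bytes(c ^ k for c, k in zip(hidden[i:i + 16], hashlib.md5(secret + prev).digest()))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")        # strips the padding; a password ending in NUL is not supported

def avp(kind: int, value: bytes) -> bytes:
    return struct.pack("!BB", kind, 2 + len(value)) + value

def parse_avps(body: bytes) -> dict:
    attrs, i = {}, 0
    while i + 2 <= len(body):
        kind, length = body[i], body[i + 1]
        if length < 2 or i + length > len(body):
            raise ValueError("malformed RADIUS attribute")
        attrs[kind], i = body[i + 2:i + length], i + length
    return attrs

def header(code: int, ident: int, body: bytes) -> bytes:
    return struct.pack("!BBH", code, ident, 20 + len(body))

def response_auth(code, ident, request_auth, body, secret) -> bytes:
    # RFC 2865 section 3: MD5(Code + ID + Length + RequestAuth + Attributes + Secret)
    return hashlib.md5(header(code, ident, body) + request_auth + body + secret).digest()

def build_access_request(ident, username, password, nas_ip, secret):
    auth = secrets.token_bytes(16)                  # fresh, unpredictable Request Authenticator
    body = (avp(USER_NAME, username.encode()) + avp(USER_PASSWORD, hide_password(password.encode(), secret, auth))
            + avp(NAS_IP_ADDRESS, ipaddress.IPv4Address(nas_ip).packed))
    return header(ACCESS_REQUEST, ident, body) + auth + body, auth

def build_acct_request(ident, status, session_id, username, framed_ip, secret, octets=(0, 0)):
    body = (avp(ACCT_STATUS_TYPE, struct.pack("!I", status)) + avp(ACCT_SESSION_ID, session_id.encode())
            + avp(USER_NAME, username.encode()) + avp(FRAMED_IP_ADDRESS, ipaddress.IPv4Address(framed_ip).packed))
    if status == ACCT_STOP:                         # usage counters are reported on Stop
        body += avp(ACCT_INPUT_OCTETS, struct.pack("!I", octets[0])) + avp(ACCT_OUTPUT_OCTETS, struct.pack("!I", octets[1]))
    # RFC 2866 section 3: Request Authenticator = MD5(Code + ID + Length + 16 zero octets + Attributes + Secret)
    auth = hashlib.md5(header(ACCT_REQUEST, ident, body) + b"\x00" * 16 + body + secret).digest()
    return header(ACCT_REQUEST, ident, body) + auth + body

def radius_server(packet: bytes, secret: bytes):
    """RADIUS server side (steps 3-4, 6 and 10). Returns the reply, or None to drop silently."""
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet) or code not in (ACCT_REQUEST, ACCESS_REQUEST):
        return None
    req_auth, attrs, body = packet[4:20], parse_avps(packet[20:]), b""
    if code == ACCT_REQUEST:
        expected = hashlib.md5(packet[:4] + b"\x00" * 16 + packet[20:] + secret).digest()
        if not hmac.compare_digest(expected, req_auth):
            return None                             # wrong shared secret: no accounting record is written
        code = ACCT_RESPONSE
    else:
        given = unhide_password(attrs.get(USER_PASSWORD, b""), secret, req_auth)
        entry = DIRECTORY.get(attrs.get(USER_NAME, b"").decode(errors="replace"))
        if entry and hmac.compare_digest(entry[0].encode(), given):
            code, body = ACCESS_ACCEPT, avp(FRAMED_IP_ADDRESS, ipaddress.IPv4Address(entry[1]).packed)
        else:
            code = ACCESS_REJECT
    return header(code, ident, body) + response_auth(code, ident, req_auth, body, secret) + body

def check_reply(reply, request_auth: bytes, secret: bytes) -> bool:
    """BRAS side: act on a reply only if its Response Authenticator matches our request and the secret."""
    if reply is None or len(reply) < 20:
        return False
    code, ident, length = struct.unpack("!BBH", reply[:4])
    return length == len(reply) and hmac.compare_digest(reply[4:20], response_auth(code, ident, request_auth, reply[20:], secret))

def bras_session(username: str, password: str, secret: bytes, octets=(0, 0)):
    """BRAS side: authenticate (steps 2-5), Accounting Start (6), Accounting Stop (9-10)."""
    req, auth = build_access_request(7, username, password, "192.0.2.1", secret)   # assumed NAS address
    reply = radius_server(req, secret)
    if not check_reply(reply, auth, secret) or reply[0] != ACCESS_ACCEPT:
        return None                                 # reject, or a reply we cannot authenticate
    framed_ip = str(ipaddress.IPv4Address(parse_avps(reply[20:])[FRAMED_IP_ADDRESS]))
    start = build_acct_request(8, ACCT_START, "0001", username, framed_ip, secret)
    start_ok = check_reply(radius_server(start, secret), start[4:20], secret)
    stop = build_acct_request(9, ACCT_STOP, "0001", username, framed_ip, secret, octets)
    stop_ok = check_reply(radius_server(stop, secret), stop[4:20], secret)
    return {"framed_ip": framed_ip, "acct_start": start_ok, "acct_stop": stop_ok}
```

Two points the walkthrough glosses over are visible in the code. The BRAS checks the Response Authenticator before acting on an Access-Accept; without that check anyone able to spoof UDP towards the NAS could hand out profiles. And an Accounting-Request whose authenticator does not match the shared secret is silently discarded, as RFC 2866 requires, so the usage records of step 11 can only originate from a NAS that knows the secret. User-Password hiding is MD5-based obfuscation keyed by that same secret, not encryption in any modern sense, which is why the RADIUS hop is normally confined to an isolated management network.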

BRAS Service Activation w/ Service Portal
[Figure: subscriber PC -> DSLAM -> Services Router -> Internet, Content Provider A, Content Provider B; back-office with Service Selection Portal server, RADIUS server, repository and registration/rating & billing server; steps 1-7 numbered on the arrows.]
1. User initiates a PPP session and provides identification and password
2. Services Router detects the PPP initiation and formulates a RADIUS query
3. RADIUS queries the directory to validate user-id and password. If valid, RADIUS queries the directory for the RADIUS profile, which will contain a Service Portal profile
4. The RADIUS profile is returned to the Services Router to configure the connection
5. Services Router configures the connection to allow access to the Service Portal only (or Service Portal + Internet only)
6. The RADIUS server starts an accounting usage record for the xDSL BRAS session
7. The user can only access the services granted (in this example, Service Portal only)

BRAS Dynamic Service Selection w/ Service Portal
[Figure: subscriber PC -> DSLAM -> Services Router -> Internet, Content Provider A, Content Provider B; back-office with Service Selection Portal (SSP) server, RADIUS server, repository and registration/rating & billing server; steps 1-7 numbered on the arrows.]
1. Subscriber accesses the Service Selection Portal URL with a web browser
2. SSP server queries the repository, using LDAP, for the list of services available to the subscriber. Each service and its corresponding COPS commands are cached
3. SSP server builds a web page with the relevant service choices and returns it to the subscriber
4. Subscriber selects a service from the portal by clicking on it in the browser; in this example, Content Provider B
5. SSP server uses COPS to configure the Services Router to allow the connection to the selected service (Content Provider B) with a given QoS level
6. SSP server notifies RADIUS accounting to generate a start record for the selected service
7. RADIUS writes the accounting start record into the repository

BRAS Building Blocks
- Subscriber Management: PPP, PPPoE, IDAS, RADIUS, DHCP, COPS; integrated edge router and subscriber management
- Value-added Services: retail and wholesale, business/consumer services; personal TV, video on demand, VoIP, gaming; corporate VPN
- Quality of Service: per-subscriber queuing, low latency, traffic shaping
- Network Awareness: BGP, MPLS, virtual routers
- Network Services: e.g. routing, multicast, L2TP, policy-enabled networking, MPLS traffic engineering, fine-grained statistics
- Network Scalability: high subscriber aggregation and density, fault tolerant, wire-speed redundancy

Subscriber Management Applications

L2 Access
The Service Provider Edge must:
- Terminate a variety of access methods and protocols
- Handle both IP and non-IP traffic
- Route packets at wire speed over a common IP transport
[Figure: access methods (dial-up, DSL, cable, GSM/GPRS, LMDS, WLAN 802.11, Ethernet/VLAN, leased line IP or L2) -> Service Provider Edge Router -> IP backbone.]

BRAS DSL Access
- PPP/PPPoE termination and subscriber management using RADIUS, DHCP and COPS
- IP source address (SA) validation and policy management
- Offerings such as tiered bandwidth, premium/business/consumer services
[Figure: PPPoE/DSL and PPP/DSL DSLAMs -> B-RAS (with RADIUS, policies, DHCP) -> storage network, gaming network, video services.]

BRAS DSL Access: Dynamic Service Selection
- SP designs policy-based service offerings and stores them in a directory
- Subscriber selects services from a customized portal (Policy Manager)
- BRAS shares the user id/domain with the Policy Manager
- Services are instantaneously activated
- Flexible accounting models (e.g. per service, per usage, volume, time, event)
[Figure: PPPoE and PPP DSLAMs -> B-RAS (with RADIUS, policies, DHCP) -> ISP, corporate VPN, content provider.]

BRAS Access Wholesale: LAC
- Physical link termination (LAC)
- Tunnel assignment through RADIUS or a local domain-map
- PPP session forwarded to the LNS in an L2TP tunnel/session
- Hand-off of the PPP session to the retail ISP
[Figure: PC (PPPoE) / home gateway (PPPoA) -> DSLAM (L2 access) -> BRAS acting as LAC (IP edge, with RADIUS and DHCP) -> L2TP tunnels across the IP core -> LNS at ISP 1 and ISP 2.]

L2TP Tunnel Termination: LNS
- LNS == BRAS == subscriber management
- LNS == ILEC managed service or ISP
- Terminates the L2TP tunnel/session and the PPP session
- BRAS as usual, e.g. authenticate the user, apply IP services
[Figure: PC (PPPoA) and home gateway (PPPoE) -> access providers' LACs -> L2TP tunnels across the IP core -> LNS (BRAS, IP edge, with RADIUS and DHCP).]

L2TP Tunnel Switching: LTS
- Scaling L2TP tunnels
- LNS and LAC combination
- Switches sessions across tunnels (which can be in different VRs)
- Tunnel assignment through RADIUS or a local domain-map
[Figure: PC (PPPoA) and home gateway (PPPoE) -> LACs -> L2TP tunnels -> LTS (tunnel switch, BRAS with RADIUS and DHCP) -> L2TP tunnels -> LNSs at ISP X.]

ML-PPP over L2TP and L2TP Dial-out
ML-PPP over L2TP:
- Dial-up PPP (modem, ISDN) sessions are forwarded to the BRAS using L2TP
- ISDN -> 2nd B-channel: the ML-PPP bundle is terminated at the LNS
L2TP dial-out:
- Network-initiated L2TP tunnel to the NB-RAS
[Figure: NB-RAS / LAC -> L2TP (ML-PPP over L2TP, L2TP dial-out) -> LNS (BRAS, IP edge, with RADIUS) -> IP core / MPLS-VPN core.]

Outsourced Access (using Virtual Routers)
- Each Virtual Router (VR) contains a separate instance of the IP stack and IP applications (e.g. route table, routing protocols, route policies, SNMP)
- Each subscriber IP interface is associated with the VR of the corresponding retail ISP
[Figure: access (IP/PPP over SONET via ADM, Ethernet, IP/Frame Relay) -> IP edge with one VR per retail ISP -> ISP 1, ISP 2.]

Secure Remote Access
- Microsoft is pushing L2TP/IPSec for remote VPN access; it is an integral part of Windows
- The BRAS acts as a VPN server, terminating L2TP/IPSec
- A simple machine-level certificate is enough (no need for a user certificate, no need for strong identity proof, no need for revocation procedures): the certificate only authenticates the IPSec endpoints to IKE, while the user is still authenticated by name/password on the PPP session carried inside the tunnel
- This solution works for ANY access network, including IP backhaul via another ISP
[Figure: PC / home gateway -> local access (PPP, DHCP, whatever) -> L2TP/IPSec tunnel across the transport network -> BRAS (IPSec + LNS, one VR per VPN: VPN A, VPN B; RADIUS). Layers: IPSec/IKE (machine certificates); IP over PPP/L2TP (name/pwd).]

DSL Service Integration (with PPPoE)
- Users are simply treated like ordinary DSL subscribers
- No special features required for W-LAN network operation
- PPPoE client software required on users' PCs (not a typical assumption, cf. business users and PDAs are usually DHCP-based)
- Wholesale model provided through L2TP (as with DSL and Metro Ethernet)
[Figure: HotSpot location (laptop PCs with PPPoE client, PDAs) -> wireless access point -> PPPoE -> Broadband Aggregation Router (RADIUS validation) -> service provider network -> L2TP -> Broadband Aggregation Router at the ISP or content provider; RADIUS server.]

PPP/L2TP/IPSec down to the BRAS
- A BRAS could act as a VPN server, terminating L2TP/IPSec
- Client configuration (fine for Windows laptops; less clear for MacOS/Linux):
- A simple machine-level certificate (no need for a user certificate, nor for a certificate directly issued by the VPN/ISP organization, no need for strong identity proof, no need for revocation procedures)
- DNS hostname or IP address of the IPSec endpoint. If the BRAS terminating IPSec is the local edge, use a virtual address identical for all edge BRAS and hide it behind a DNS name
- Then configure a secured VPN remote access via the Microsoft wizards. Reasonably user-friendly
- This solution works for ANY access network, including IP backhaul via another ISP
[Figure: laptop PC / PDA -> local network -> PPP access device -> Internet access / IP network -> BRAS (RADIUS client, remote VPN) -> RADIUS server(s). Layers: IPSec/IKE (machine certificates); IP over PPP/L2TP (name/pwd); local access (PPP, DHCP, whatever).]

Video Over IP
IP-based subscriber management:
- Policy is enforced for each subscriber flow: rate shaping, rate limiting, filters, queuing
- Subscriber applications are treated according to policy, e.g. Napster downloads won't degrade the home VPN connection
- Extends subscriber-based services across existing cable networks
- Flexible billing models
Advanced IP services:
- User-based bandwidth management
[Figure: TV servers -> Services Router -> subscribers.]

Video Services
Multicast video services:
- IP TV
- NVOD (Near Video on Demand)
- PC TV
Unicast video services:
- VOD (Video on Demand)
- Network PVR (Personal Video Recorder)
- Streaming media
- Surveillance
- Video teleconferencing
All require access and end-to-end QoS and bandwidth control.

Video Streaming over Ethernet
Integrated subscriber management for Broadband Ethernet:
- VLANs (802.1q): many VLANs and subscribers per chassis
- Unique services per VLAN
- VLAN to MPLS mapping: extended LAN services across the IP WAN
- Individualized service profile per user: VPN membership, QoS
[Figure: IP/Ethernet and PPPoE subscribers -> Ethernet switch (VLAN tagged: VLAN 1, 2, 5, 6, 7) -> Gigabit Ethernet Services Router (IP edge, with RADIUS, policies, DHCP) -> IP core -> ASP A, ASP B, ISP B.]

Multicast Services
Current model for content broadcasting: unicast
- Consumes large amounts of bandwidth and burns server resources
- Only available model because the network could not cope with multicast bandwidth requirements
[Figure: consumer PC (FTTB/DSL) and business customer (PPP, F/R or ATM) -> layer 2 access network (ATM/FR/PPP, etc.) -> edge router at the layer 3 service delivery point -> OC-12 (MPLS) -> IP core -> Ethernet -> application server; one unicast stream per receiver.]

Multicast Services
Rolling-out model for content broadcasting: multicast at the IP edge
- Consumes small amounts of bandwidth and doesn't touch server resources
- Available because the Services Router is capable of wire-rate multicast routing
- Controlled and billed on a per-stream basis through a policy engine
[Figure: consumer PC (FTTB/DSL) and business customer (PPP, F/R or ATM) -> layer 2 access network -> Services Router / edge router at the layer 3 service delivery point, with policy engine; IGMP on the access side, DVMRP/PIM towards the video server across the OC-12 (MPLS) IP core.]

Deployed IP-TV Networks
[Figure: typical subscriber (TV + set top box + ADSL modem) -> DSLAM -> STM-1 (ATM) -> Services Router -> STM-1 (IP) -> IP core network -> GE -> Ethernet switch -> video server (IP head-end). Back-end: authentication, authorization, policies, accounting (COPS); DHCP; directory (LDAP); network and service management, billing.]

Interactive Gaming Requirements
- Low-latency transmission of control data: round-trip delay <= 200 ms (<= 100 ms preferred), Ultima as an example
- Support for both text and voice chat, simultaneous with and unimpeded by the control flow
- Strong multicast capability
- Emerging need for streaming and broadcast video
- Must support both PC-based and console-based gaming services
- Peer-to-peer and subscriber-to-content models are both emerging

Game Server: Feeding Packets into the Core
[Figure: game services server farm -> Gigabit Ethernet switch (VLAN separation of service) -> router -> core network.]
1. VLAN traffic rate policed to prevent interference with other services
2. Packets marked at ingress (Diff-Serv) based on port number
3. Placed in the low-latency queue
4. Forwarded onto a bandwidth-reserved MPLS or ATM circuit

Low Latency Queuing with Shared Bandwidth
[Figure: broadband users -> DSLAM / access network -> Broadband Router, controlled by a Service Deployment System -> core network.]
On the broadband router:
1. Broadband connection traffic rate policed to prevent interference with other services
2. Packets marked at ingress (Diff-Serv) based on port number
3. Placed in the low-latency queue
4. Forwarded onto a bandwidth-reserved MPLS or ATM circuit
On the service deployment system:
1. Users must log in through the Service Deployment System before choosing game content
2. Policy route, IP flow rate and low-latency queue are enabled on the router through COPS or SNMP
Controlled Access for Any Device
- Support for both PPPoE and IP appliances in the same household
- Ability to apply policies to the PC and the gaming device independently
- Can create guaranteed links between different home appliances and network servers
[Figure: household with a PC (PPPoE, 1M bandwidth, best-effort QoS) and an IP/1483-bridged gaming device (1.5M bandwidth, Gold QoS) -> ATM DSLAM (access) -> BRAS (BGP4, OSPF, IS-IS, MPLS, multicast) -> IP core -> ISP 1, ISP 2 ... ISP N and the services sphere (VoD, VoIP, gaming, application storage services).]

PPPoE based Hotspot Service
- No special features required for W-LAN network operation: wireless Ethernet is just another layer 2 access method
- Users are simply treated like ordinary DSL or FTTB network subscribers
- PPPoE client software required on users' PCs
- Supports retail and wholesale business models
[Figure: PCs with 802.11 W-LAN cards and PPPoE client software -> 802.11 wireless access point -> ATM or Ethernet layer 2 access network -> Broadband Router (BRAS, with RADIUS) -> service provider IP core -> L2TP -> LNS at ISP 1 and ISP 2 (each with RADIUS).]

DHCP based Hotspot Service
- No PPPoE client software required on users' PCs
- Same as the PPP-based service but simpler for users
- Requires the use of a DHCP Access Server
- Provides web-based login for subscribers
[Figure: PCs with 802.11 W-LAN cards (no PPPoE client software) -> 802.11 wireless access point -> ATM or Ethernet layer 2 access network -> Edge Router (web login, RADIUS) -> service provider IP core -> ISP 1, ISP 2.]

Sponsored HotSpot Model
- The user's web access is redirected to a forced web page
- The web page advertises the services of the location and provides a click-through to log in to a service provider
- E-mail can also be directed, to send a welcome e-mail to the user
[Figure: PCs with 802.11 W-LAN cards -> 802.11 wireless access point -> ATM or Ethernet layer 2 access network -> Edge Router (web login, RADIUS) -> service provider IP core.]

Hotspot Service with IPSec
- IPSec used to encrypt access network traffic
- IPSec or L2TP used across the core network (note that an L2TP tunnel isolates the traffic but does not by itself encrypt it; only IPSec provides confidentiality)
- IPSec can be combined with the Hotspot service to provide secure, encrypted traffic across the access network
- This addresses the (serious) confidentiality and integrity weaknesses of W-LAN networks: traffic is protected from the client to the IPSec endpoint regardless of what the air interface offers
[Figure: PCs with 802.11 W-LAN cards and IPSec client software (built in to Windows 2000, XP) -> 802.11 wireless access point -> ATM or Ethernet layer 2 access network -> Broadband Router -> service provider IP core -> IDC, ISP 1, ISP 2; RADIUS and X.509 certification.]

Thank You