f5 solutions for service providers
TRANSCRIPT
© F5 Networks, Inc 2CONFIDENTIAL
Complex network architectures
Diagram labels: end users; BRAS/BNG; GGSN/PGW; L2 switch; DPI/TDF; FW; CGNAT; RTR; Internet; value-added services (VAS): video optimization, transparent caching, URL filtering; control plane: DNS, PCRF, IMS, AAA, HSS, OCS, DRA, LDNS.
Challenges
• Complex architecture, hard to scale
• Resulting high CapEx and OpEx
• Difficulty adding new services
• Static port 80 based steering into the VAS complex
• Multiple point-product solutions inline in the data path
The new network should focus on … Monetize, Optimize, Secure
• Quality of Experience management
• Flexible opt-in/opt-out services
• Flexible charging
• Intelligent steering to VAS
• Consolidate L4-L7 functions
• TCP optimization
• Migrate to an NFV-based solution
• Network security (Gi firewall)
• Dynamic subscriber security
• DNS security
• IPv4/IPv6 transition
A Consolidated Approach with F5 – Simplifying the delivery of L4-L7 network services
BEFORE F5: PGW/BNG, firewall, policy enforcement, CGNAT, LDNS, URL filtering and RTR as separate elements in front of the Internet, with static port 80 steering into the VAS layer.
WITH F5: PGW/BNG, VIPRION, Internet, with dynamic & intelligent steering into the VAS layer.
Consolidate L4-L7 Network Functions with F5
2005–2010, L2–L3: dedicated platforms from different vendors (IP routing, MPLS L2 PE, MPLS L3 PE, BRAS/BNG) were consolidated onto a single platform, the multi-service router (L2–L3 consolidation).
2010–2014, L4–L7: dedicated platforms from different vendors (FW/CGN, DPI/PCEF, TCP optimization, L7 steering, HTTP header enrichment) are consolidated onto a unified platform (L4–L7 consolidation): full proxy (TCP optimization, HHE), firewall, L3/L4 steering, policy enforcement, CGNAT.
Purpose Built Platforms for L4-L7 Services
Chart (L7 requests per second, Inf-Inf, 0–10,000,000 scale) with the figures given per platform:
Platform               | L7 RPS     | L4 CPS     | L7/L4 throughput
BIG-IP Virtual Edition | up to 325K | up to 100K | 10G
BIG-IP 2200s           | 425K       | 150K       | 5G
BIG-IP 4200v           | 850K       | 300K       | 10G
BIG-IP 5200v           | 1.5M       | 700K       | 15/30G
BIG-IP 7200v           | 1.6M       | 775K       | 20/40G
BIG-IP 10200v          | 2M         | 1M         | 40/80G
BIG-IP 11050           | 2.5M       | 1M         | 40/42G
VIPRION 2200           | 4M         | 2M         | 160G
VIPRION 2400           | 8M         | 4M         | 320G
VIPRION 4480           | 10M        | 5.6M       | 160/320G
VIPRION 4800           | 20M        | 10M        | 320/640G
BIG-IP / BIG-IQ – Technology Suite
BIG-IP modules: Local Traffic Manager (LTM), Advanced Firewall Manager (AFM), Application Security Manager (ASM), DNS modules (GTM), Carrier Grade NAT (CGNAT), Policy Enforcement Manager (PEM), Access Policy Manager (APM), Acceleration Manager (AM), MobileSafe and WebSafe (Versafe), plus a plugin ecosystem.
Solution areas: Service Provider, Security, Cloud, Orchestration, ADC.
BIG-IQ Platform: BIG-IQ Security, BIG-IQ Cloud, BIG-IQ ADC, BIG-IQ Device, BIG-IQ MAM.
TMOS operating system (TMOS fabric) on appliances, chassis and software:
• Programmability: iRules, iApps, iCall, iStats and iControl
• Hypervisors: KVM / AWS / Xen / VMware / Hyper-V
• Core protocols: L3/routing, UDP, IP, IPsec, IPv6, SCTP, TCP, HTTP, SSL, FIPS, tunneling, BWC, stats, certifications
• Performance / scalability: CMP, vCMP, ScaleN, firmware, HAL, sizing guides
• Manageability: RBAC, logging, SNMP, CLI, GUI
Orchestration connectors: Cisco APIC, VMware, Microsoft SCVMM, OpenStack, AWS, open connector.
Key F5 network services – Optimize, Monetize, Secure
A unified platform and single management framework
Intelligent Traffic Steering
CGNAT and IPv6 Migration
ICSA Certified Network Firewall
Per-Subscriber Policy Enforcement
TCP Optimization
Local DNS
DPI & URL Filtering
Policy Enforcement Manager – Policy Definition
A policy is an ordered set of rules; each rule pairs a classifier with a policy action, with a precedence (PREC) that orders evaluation. Example policies from the slide:
Policy name: Bronze
  Rule 1: PREC 10, CLASSIFIER RULE_10 -> POLICY ACTION RULE_10
  Rule 2: PREC 20, CLASSIFIER RULE_20 -> POLICY ACTION RULE_20
  Rule 3: PREC 30, CLASSIFIER RULE_20 -> POLICY ACTION RULE_30
Policy name: Silver
  Rule 1: PREC 10, CLASSIFIER RULE_10 -> POLICY ACTION RULE_10
  Rule 2: PREC 20, CLASSIFIER RULE_20 -> POLICY ACTION RULE_20
  Rule 3: PREC 30, CLASSIFIER RULE_20 -> POLICY ACTION RULE_30
Policy name: Gold
  Rule 1: CLASSIFIER RULE_1 -> POLICY ACTION RULE_1
  Rule 2: CLASSIFIER RULE_2 -> POLICY ACTION RULE_2
  Rule 3: CLASSIFIER RULE_3 -> POLICY ACTION RULE_3
POLICY TYPE
• Global Policy
• Unknown Subscriber Policy
• Subscriber Policy
SUBSCRIBER TYPE
• Static subscriber
• Dynamic subscriber
• Radius
• DHCP
• Unknown IP SA
POLICY ASSIGNMENT
• Diameter Gx
• Predefined
• Dynamic (gate, QoS)
• Radius
• Custom
ANALYTICS & CHARGING
• Syslog
• IPFIX
• Radius
• Gy
• Gx Usage Monitoring
Classification & Policy Actions
APPLICATION CLASSIFICATION
• Application category (e.g. P2P)
• Application (e.g. BitTorrent)
• Some applications use F5 signatures; other applications rely on a third-party DPI signature engine
URL CLASSIFICATION
• URL category (e.g. Gambling)
• URL database from a third party
• Ability to create a custom DB
• Used for HTTP and HTTPS (SNI check)
FLOW CLASSIFICATION
• DSCP
• Protocol (TCP/UDP)
• IP source address range & port
• IP destination address range & port
• Incoming VLAN
CUSTOM CLASSIFICATION
• iRule / Tcl script, for example on:
  • other fields in the traffic flow (IP header, HTTP header, ...)
  • other fields stored in the PEM session DB for that subscriber (RAT type, roaming, tower ID)
POLICY ACTIONS
Reporting, quota management, gate (forward/drop), HTTP redirect, steering (next hop), service chain, HTTP header enrichment, steering (ICAP), QoS marking, bandwidth control, custom / Tcl.
Intelligent Traffic Steering – Optimize VAS Utilization
Diagram: PGW/BNG, VIPRION, RTR, Internet, with data-center VAS pools (video optimization, transparent caching, parental controls, WAP gateway) and the PCRF attached over Diameter Gx / RADIUS.
INTELLIGENT STEERING: context-aware & policy-driven steering & intelligent service chaining. Context: subscriber, device type, RAT type, content (video, URI, ...), congestion.
Policy Controlled Service Chaining – Beyond SDN
Diagram: user HTTP traffic enters PEM, which assigns the flow to a service chain: steer to the video optimization pool (pool 1) and/or the parental control pool (pool 2, reached over ICAP), each behind its own load balancer, and then on to the Internet.
Service provider VAS shown: parental control, video optimization.
PEM functions shown: load balancing, traffic steering, service chaining, server health checking, VAS bypass, ICAP, header enrichment.
Bandwidth and QoE management
PER-SUBSCRIBER BANDWIDTH CONTROL (PGW/GGSN -> VIPRION, policy from the PCRF): Gold subscriber 20 Mbps, Silver subscriber 10 Mbps, Bronze subscriber 5 Mbps.
PER-SUBSCRIBER PER-APPLICATION BANDWIDTH CONTROL (PGW/GGSN -> VIPRION, policy from the PCRF): Gold subscriber total 20 Mbps, Gold subscriber P2P 512 kbps. Even if the subscriber is entitled to more by the subscriber bandwidth policy, their P2P traffic is reduced to the configured value (512 kbps).
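The two-level limit on this slide (a subscriber ceiling with a per-application cap underneath it) is the kind of thing that is easy to get subtly wrong, so here it is modelled with nested token buckets. The Python below is an added example, not F5 PEM code or configuration: it turns the slide's Gold plan (20 Mbps total, P2P at 512 kbps) into buckets, offers constructed traffic for one second and reports what is forwarded per application. The packet size, burst depth, offered loads and the application names are assumptions for the demo.

```python
"""Per-subscriber and per-application bandwidth control with nested token buckets.

Added example, not F5 code: it models the slide's Gold subscriber (20 Mbps total,
P2P capped at 512 kbps). A packet is forwarded only when both its application
bucket and the subscriber bucket can pay for it. Packet size, burst depth and the
offered loads are constructed for the demonstration.
"""

PACKET_BITS = 1500 * 8          # one full-size packet (assumed MTU), in bits


class TokenBucket:
    """Classic token bucket: refills at rate_bps, holds at most burst_bits."""

    def __init__(self, rate_bps, burst_bits):
        self.rate_bps = rate_bps
        self.burst_bits = burst_bits
        self.tokens = burst_bits    # start full
        self.last = 0.0

    def refill(self, now):
        self.tokens = min(self.burst_bits, self.tokens + (now - self.last) * self.rate_bps)
        self.last = now

    def can_send(self, bits):
        return self.tokens >= bits

    def consume(self, bits):
        self.tokens -= bits


def make_bucket(rate_bps):
    # Burst of 10 ms at the configured rate, but never less than two packets, so that
    # a low per-application cap (512 kbps is less than one packet per 10 ms) still passes traffic.
    return TokenBucket(rate_bps, max(rate_bps * 0.01, 2 * PACKET_BITS))


class SubscriberPolicy:
    """Hierarchical policy: every packet must pass its application bucket AND the subscriber bucket."""

    def __init__(self, total_bps, app_caps_bps):
        self.total = make_bucket(total_bps)
        self.apps = {app: make_bucket(cap) for app, cap in app_caps_bps.items()}

    def forward(self, now, app, bits):
        buckets = [self.total] + ([self.apps[app]] if app in self.apps else [])
        for b in buckets:
            b.refill(now)
        # Check every bucket before debiting any, so a refused packet never burns credit.
        if all(b.can_send(bits) for b in buckets):
            for b in buckets:
                b.consume(bits)
            return True
        return False


def simulate(policy, offered_bps, seconds=1.0, dt=0.0005):
    """Offer each application's load as a packet stream; return forwarded bits per application."""
    pending = {app: 0.0 for app in offered_bps}
    forwarded = {app: 0 for app in offered_bps}
    for i in range(round(seconds / dt)):
        now = i * dt
        for app in sorted(offered_bps):            # deterministic order per step
            pending[app] += offered_bps[app] * dt
            while pending[app] >= PACKET_BITS:      # a packet has "arrived"
                pending[app] -= PACKET_BITS
                if policy.forward(now, app, PACKET_BITS):
                    forwarded[app] += PACKET_BITS   # otherwise the policer drops it
    return forwarded


def gold_subscriber_demo(web_bps, p2p_bps):
    """Gold plan from the slide: 20 Mbps total, P2P capped at 512 kbps."""
    policy = SubscriberPolicy(20_000_000, {"p2p": 512_000})
    return simulate(policy, {"web": web_bps, "p2p": p2p_bps})


if __name__ == "__main__":
    for web, p2p in ((10_000_000, 5_000_000), (30_000_000, 5_000_000)):
        fwd = gold_subscriber_demo(web, p2p)
        print(f"offered web={web / 1e6:.0f} Mbps p2p={p2p / 1e6:.0f} Mbps -> "
              f"forwarded web={fwd['web'] / 1e6:.2f} Mbps p2p={fwd['p2p'] / 1e3:.0f} kbps")
```

With 10 Mbps of web and 5 Mbps of P2P offered, the subscriber bucket never binds and P2P comes out at roughly its 512 kbps cap (plus the initial burst); with 30 Mbps of web offered, the subscriber bucket binds and the total stays at about 20 Mbps. A production enforcement point needs a fair scheduler across applications rather than the fixed order used here, and for TCP it should shape (queue) rather than police (drop) so that the flows do not fall back into slow start, which matters on the high-latency radio links discussed later in this deck.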
OTT MONETIZATION & FLEXIBLE CHARGING
DPI inspection for OTT identification & monetization (PGW/GGSN -> VIPRION, policy from the PCRF): Gold subscriber total (accounting only); OTT service (accounting + DSCP mark); specialized service (MNO brand).
• Subscription models / bundles for an OTT or specialized service
• Bundled into the subscription for a lower fee
• OTT traffic excluded from the volume bundle
• OTT traffic marked/tagged for differential treatment at the radio layer
URL Categorization for filtering & parental control
• URL filtering
  • Built-in Webroot DB (20M most popular sites)
  • Custom DB
• SNI-based URL categorization
  • Categorizing SSL traffic (HTTPS)
Customer benefit: set categories based on regional preferences, and categorization of HTTPS.
Diagram (PGW/GGSN, RTR, Internet): 1. subscriber tries to access a blocked URL; 2. integrated Webroot URL filtering / blacklist matches it; 3. access denied.
Content Injection for toolbar injection / ad insertion
• Insert JavaScript for a branded toolbar
• Use it for ad insertion
• Subscriber policy controls the frequency of insertion
• Policy selects the insertion position
Insert-content action parameters:
• Position <prepend/append>
• Tag-name <tag>
• Value-type <string/tcl-snippet>
• Value <abcd>
• Frequency <once/once-every/always>
Diagram (BNG/BRAS, Internet): 1. content is being sent back to the subscriber; data quota maxed out; 2. JavaScript insertion about the quota maximum; 3. subscriber realizes they have maxed out their data.
Injection only applies to cleartext HTTP responses; the HTTPS share noted later in this deck is out of its reach.
PEM – Wide range of use cases
Per-subscriber Application & URL Bandwidth Control & Filtering
• TCP-friendly rate limiter
• Separate up/down rates
• Highly scalable solution
• TCP Optimization as a bonus
Subscriber Application Analytics
• Subscriber ID / Rate Plan
• Charging rules
• Application Usage Reporting
Intelligent Traffic Steering & Service Chaining to VAS
• Steer traffic based on subscriber profile to Value Added Services & Optimization Services
• Intelligent Service Chaining
Online Charging (Gy)
• Flexible rating group definitions based on applications and/or URI
• Redirect or block upon quota expiration
URL Filtering & Parental Control
• Government lists
• Per-subscriber parental control opt-in/opt-out service
• For HTTP & HTTPS
OTT Identification & Monetization
• Per-subscriber OTT application detection
• Per-OTT bandwidth, marking and charging rules
Header Enrichment & WAP offload
• HTTP HE for content-based charging
• WAP GW bypass/offload and replacement
Content Injection / Toolbars
• JavaScript-based content injection
• Targeted advertisements
Lightweight BRAS/BNG
• DHCP-based BNG model for wifi and wireline deployments
• Radius AAA client
Optimized DNS Solutions for Service Providers
• Faster DNS responses to provide for 4G/LTE subscriber growth
• Manage existing traffic to the DNS server infrastructure with BIG-IP
• Enhanced performance through transparent caching, offloading the DNS infrastructure
Service areas: DNS load balancing, transparent cache, caching resolver, local DNS, authoritative infrastructure.
• Reduce the number of DNS servers by offloading the DNS infrastructure
• High-performance DNSSEC validation; offload DNSSEC computations and consolidate services
• Proactively manage DNS client traffic for greater availability and stability
• Enhance the subscriber experience by making intelligent DNS and GSLB decisions
• Enable high availability and performance for subscribers by managing UE/MME PDP sessions
• Intelligent GSLB with ENUM support for IMS / EPC interoperability and NAT64 delivery
• Provide reliable, fast access to online services for in-network subscribers
• Highly scalable authoritative DNS name server
• Simplify deployment by using the existing DNS infrastructure to manage the zones
Denial of Service Attacks against DNS
"Cybercrime is a persistent threat in today's world and, despite best efforts, no business is immune." – Network Solutions
DNS is now the second most targeted protocol after HTTP.
DNS DoS techniques range from:
• Flooding requests to a given host
• Reflection attacks against DNS infrastructure
• Reflection / amplification attacks
• DNS cache poisoning attempts
Chart – APPLICATION LAYER ATTACKS, share by protocol: HTTP 86%, DNS 70%, HTTPS 37%, SMTP 31%, SIP/VoIP 17%, IRC 9%, Other 10%.
Chart – TRADITIONAL DDOS MITIGATION (0–50% scale): of the customers that mitigate DDoS attacks, many choose a technique that inhibits the ability of DNS to do its job.
• DNS is based on UDP
• DNS DDoS often uses spoofed sources
• Using an ACL blocks legitimate clients
• DNS attacks use massive volumes of source addresses, breaking many firewalls
DNS The F5 Way
CONVENTIONAL DNS THINKING
• Performance = add DNS boxes
• Weak DoS/DDoS protection
• Firewall is THE bottleneck
Diagram: Internet -> external firewall -> DNS load balancing -> array of DNS servers -> internal firewall -> hidden master DNS.
F5 DNS DELIVERY REIMAGINED (F5 PARADIGM SHIFT)
• Strong DoS/DDoS protection
• Consolidation
• Protects "back-end" servers
Diagram: Internet -> BIG-IP (authoritative DNS, caching resolver, transparent caching, DNS firewall, DNS DDoS protection, protocol validation, high-performance DNSSEC, DNSSEC validation, intelligent GSLB) -> master DNS infrastructure.
Authoritative DNS: Scale with DNS Express
• High-speed response and DDoS protection with in-memory DNS
• Authoritative DNS serving out of RAM
• Configuration size for tens of millions of records
• Scale and consolidate DNS servers
Diagram: the existing DNS server (managed by the NIC, OS admin and auth roles; records maintained via dynamic DNS and DHCP) keeps the records, while DNS Express in BIG-IP GTM answers the DNS queries arriving from the Internet.
LDNS: Scale with transparent cache
The Business Case
• Need to decrease DNS latency and offload DNS resolvers
• Implement transparent DNS caches close to the subscriber
• Deliver DNS scale without impacting service
The F5 Advantage
• Scale DNS transparent caches as demand increases; offloads the existing DNS infrastructure
• Provides a simple upgrade path to a full caching resolver, eliminating the need for centralized DNS
Diagram – F5 DNS services in the mobile core: distributed DNS transparent caches on BIG-IP platforms in front of the DNS resolver infrastructure.
Competitive Analysis: DNS Cache Performance – Infoblox platform-by-platform comparison with F5
Chart (RPS, 0–1,400,000 scale; platforms are grouped by like pricing): 2000S vs Infoblox Trinzic 1420; 2200S vs Infoblox Trinzic 2210; 4000S vs Infoblox Trinzic 2220; 7000S vs Infoblox Trinzic 4010; 7200V vs Infoblox Trinzic 4030.
LDNS: Scale and offload with caching resolver
The Business Case
• Need faster and scalable query response
• Desire lower CapEx and OpEx; no need for additional DNS resolver farms
• BIG-IP delivers high-performance, scalable DNS caching and resolving on one platform
The F5 Advantage
• Faster web browsing and reduced DNS latency
• Hardened appliance consolidates 10s or 100s of servers
• Greater reliability through resiliency and HA
• Simplified management, lower cost of ownership
• Consolidate and offload DNS for immediate ROI
Diagram – F5 DNS services in the mobile core: distributed DNS caching resolvers on BIG-IP platforms.
Client Protection with DNS RPZ – Prevent subscribers from reaching known bad domains
Prevent malware and sites hosting malicious content from ever communicating with a client. Internet activity starts with a DNS request: inhibit the threat at the earliest opportunity.
Diagram: BIG-IP GTM with an IPv4/v6 listener, protocol validation, iRules and a cache/resolver; each query is checked against a reputation database kept current by the RPZ live feed (live updates), and matches get special handling.
DNS IP and Name Reputation Choices
RESPONSE POLICY ZONES: screens a DNS request against domains with a bad reputation. Inhibits threats by FQDN. Applied on the ingress DNS path.
URL FILTERING: intercept a DNS request in iRules, categorize it and make a decision. Inhibits threats by FQDN and gives policy control by FQDN. Works for HTTP, HTTPS and DNS with iRules.
IP INTELLIGENCE: intercept a DNS response in iRules, categorize it and make a decision. Inhibits threats by IP. Works for any IP protocol with iRules.
SP Layered Client Protection
Diagram: a query for WWW.DOMAIN.COM enters on the ingress DNS path; DNS iRules (request / response) consult RPZ, URL Filtering and IP Intelligence (fed by the RPZ, URL and IPI feeds) and the subscriber policy (via iControl / iQuery), then the cache/resolver answers on the egress DNS path.
• Response Policy Zones (RPZ) filter out known bad domains and return NXDOMAIN or a redirect.
• URL Filtering further provides granular policy controls using categories.
• IP Intelligence blocks based on the resolved IP. It can also be used in the data path for other protocols.
DNS Tunneling: Prevent it with iRules
Diagram: clients A–F scored on query rate (QUERY RATE SCORING) and response size (RESPONSE SIZE SCORING) against a drop threshold and a suspend threshold.
Classify the traffic: determine the SLA for RPS and the allowed response size.
When a client sends in a query:
• Is the query for a blocked domain (a tunnel host)?
• Is the query rate above the allowed rate? Increment the score.
• Was the client previously above the allowed rate? Increment the score.
• Resolve the request and analyze the response: factor the response size into the score.
Take an action: is the client above the score threshold?
• Drop the request
• Suspend DNS service for a period
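The scoring procedure above can be run over a query trace to see how the two thresholds behave. The Python below is an added example, not an F5 iRule: it implements the same per-client scoring (blocked tunnel domains, query rate against the SLA, repeat offenders, oversized answers) and the same two actions (drop above one threshold, suspend above a higher one) over a constructed trace in which one client browses normally, one pushes data through large TXT-style answers, and one looks up a known tunnel host. The thresholds, client addresses, domain names and the trace are all constructed for the example.

```python
"""Score-based DNS tunnelling control, modelled on the iRule logic from the slide.

Added example, not F5 code: per-client scoring on blocked domains, query rate and
response size, with drop and suspend thresholds. Policy values, client addresses,
domain names and the traffic trace are constructed for this demo.
"""
from collections import defaultdict, deque

POLICY = {
    "rps_limit": 20,            # SLA: queries per second per client
    "max_response_bytes": 512,  # ordinary answers are well below this
    "drop_threshold": 5,
    "suspend_threshold": 10,
    "suspend_seconds": 60,
    "window_seconds": 1.0,
}
BLOCKED_DOMAINS = {"tunnel.example"}   # known tunnel endpoints (constructed)


def under_blocked_domain(qname, blocked):
    name = qname.lower().rstrip(".")
    return any(name == d or name.endswith("." + d) for d in blocked)


class ClientState:
    def __init__(self):
        self.times = deque()            # query timestamps inside the rate window
        self.score = 0
        self.over_rate_last_time = False
        self.suspended_until = 0.0


class DnsTunnelGuard:
    def __init__(self, policy=POLICY, blocked=BLOCKED_DOMAINS):
        self.p = policy
        self.blocked = blocked
        self.clients = defaultdict(ClientState)

    def on_query(self, now, client, qname):
        """Return 'suspended', 'drop', 'suspend' or 'resolve' for this query."""
        st = self.clients[client]
        if now < st.suspended_until:
            return "suspended"
        if under_blocked_domain(qname, self.blocked):
            st.score += 1
            return "drop"
        # Query-rate scoring over a sliding window (dropped queries still count).
        st.times.append(now)
        while st.times[0] <= now - self.p["window_seconds"]:
            st.times.popleft()
        over_rate = len(st.times) / self.p["window_seconds"] > self.p["rps_limit"]
        if over_rate:
            st.score += 1
            if st.over_rate_last_time:        # repeat offender
                st.score += 1
        st.over_rate_last_time = over_rate
        if st.score >= self.p["suspend_threshold"]:
            st.suspended_until = now + self.p["suspend_seconds"]
            return "suspend"
        if st.score >= self.p["drop_threshold"]:
            return "drop"
        return "resolve"

    def on_response(self, now, client, response_bytes):
        """After a resolved query: large answers (TXT/NULL payloads) raise the score."""
        st = self.clients[client]
        st.score += response_bytes // self.p["max_response_bytes"]
        return st.score


def run_trace(trace, guard=None):
    """trace: iterable of (time, client, qname, response_bytes). Returns per-client action counts."""
    guard = guard or DnsTunnelGuard()
    counts = defaultdict(lambda: defaultdict(int))
    for now, client, qname, response_bytes in trace:
        action = guard.on_query(now, client, qname)
        counts[client][action] += 1
        if action == "resolve":
            guard.on_response(now, client, response_bytes)
    return {c: dict(a) for c, a in counts.items()}


def constructed_trace():
    """Synthetic traffic: A browses normally, B tunnels through oversized answers, C hits a tunnel host."""
    trace = [(0.1 * i, "10.0.0.1", f"site{i}.example", 100) for i in range(10)]
    trace += [(0.005 * i, "10.0.0.2", f"{i:08x}.exfil.example", 3000) for i in range(200)]
    trace += [(0.5, "10.0.0.3", "data.tunnel.example", 100)]
    return sorted(trace)


if __name__ == "__main__":
    for client, actions in run_trace(constructed_trace()).items():
        print(client, actions)
```

Client B is dropped as soon as its first oversized answer has been scored and suspended once its query rate pushes the score over the second threshold; client A never accumulates a score. A production version also needs the score to decay over time (in an iRule that would be a table entry with a timeout), otherwise a client that is briefly over the rate once is penalized forever.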
Overlap of technologies
Between the router (packet processing) and F5 BIG-IP (session-based processing): NAT44, NAT64, DS-Lite, web acceleration, SSL and IPsec VPN, DNS scaling and security, IP QoS, IP peering, load balancing, traffic steering, L4-L7 security, L2 VPN, L3 VPN, subscriber management.
Carrier Grade NAT (44, 64)
Diagram: private address space (PGW/GGSN) -> VIPRION NAT4(6)4 -> RTR -> public IPv4 / IPv6 address space -> Internet.
• Dynamic NAPT, deterministic NAPT, port block allocation
• Extended ALG capabilities, hairpinning, EIF/EIM support
• Unprecedented scaling and performance (Gbps, CPS, max connections)
• High-performance logging in any required format (syslog, NetFlow); the logged fields can be customized, e.g. adding the RADIUS ID, HTTP URL, etc.
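Deterministic NAPT and port block allocation matter operationally because they replace per-session logging: with a fixed, computable mapping an operator can answer "which subscriber was behind 203.0.113.1:2793 at that time?" from the configuration alone, as described in RFC 7422. The Python below is an added example, not F5 CGNAT code or configuration: it derives each subscriber's public address and port block from the private address, and reverses an observed public address/port for abuse handling. The address ranges and pool sizes are constructed for the demo, and the port split (everything above 1023 divided evenly) is one simple allocation scheme among several.

```python
"""Deterministic NAPT: derive a subscriber's public address and port block from
its private address, and reverse it for abuse handling.

Added example, not F5 code. It implements the deterministic port-block idea
(RFC 7422 style): a fixed mapping means "who used public ip:port at time T"
can be answered without logging every session. Address ranges are constructed.
"""
import ipaddress
import math

WELL_KNOWN_PORTS = 1024                    # never hand out 0-1023
USABLE_PORTS = 65536 - WELL_KNOWN_PORTS


class DeterministicNat:
    def __init__(self, private_net, public_net):
        self.private_net = ipaddress.ip_network(private_net)
        self.public_net = ipaddress.ip_network(public_net)
        self.subscribers = self.private_net.num_addresses
        self.public_ips = self.public_net.num_addresses
        # How many subscribers share one public IP, and how many ports each gets.
        self.per_public_ip = math.ceil(self.subscribers / self.public_ips)
        self.block_size = USABLE_PORTS // self.per_public_ip
        if self.block_size == 0:
            raise ValueError("not enough public ports for this many subscribers")

    def mapping(self, private_ip):
        """Return (public_ip, first_port, last_port) for a subscriber address."""
        ip = ipaddress.ip_address(private_ip)
        if ip not in self.private_net:
            raise ValueError(f"{ip} is outside {self.private_net}")
        index = int(ip) - int(self.private_net.network_address)
        public_ip = self.public_net.network_address + index // self.per_public_ip
        first = WELL_KNOWN_PORTS + (index % self.per_public_ip) * self.block_size
        return str(public_ip), first, first + self.block_size - 1

    def reverse(self, public_ip, port):
        """Return the subscriber's private address for an observed public (ip, port)."""
        pub = ipaddress.ip_address(public_ip)
        if pub not in self.public_net or port < WELL_KNOWN_PORTS:
            raise ValueError("not a deterministic-NAT allocation")
        slot = (port - WELL_KNOWN_PORTS) // self.block_size
        if slot >= self.per_public_ip:
            raise ValueError("port is beyond the allocated blocks")
        index = (int(pub) - int(self.public_net.network_address)) * self.per_public_ip + slot
        if index >= self.subscribers:
            raise ValueError("no subscriber for this allocation")
        return str(self.private_net.network_address + index)


if __name__ == "__main__":
    # 4096 private addresses behind 16 public ones: 256 subscribers per public IP, 252 ports each.
    nat = DeterministicNat("100.64.0.0/20", "203.0.113.0/28")
    pub, lo, hi = nat.mapping("100.64.1.7")
    print(f"100.64.1.7 -> {pub} ports {lo}-{hi} "
          f"({nat.block_size} ports each, {nat.per_public_ip} subscribers per public IP)")
    print(f"abuse report for {pub}:{lo + 5} -> {nat.reverse(pub, lo + 5)}")
```

The trade-off is visible in the numbers: 256 subscribers per public address leaves only 252 ports each, which heavy users exhaust, so real deployments pair a deterministic base block with logged overflow blocks rather than a purely static split.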
Question 1: What is the maximum number of packets per second on a 1 Gbps link?
Answer: about 1,488,095 packets per second on a gigabit link.
[1,000,000,000 b/s / (84 B * 8 b/B)] = 1,488,095.24 f/s (maximum rate, minimum-size frames)
Frame part                                  | Minimum frame size
Inter-frame gap (96 bit times, 96 ns at 1 Gbps) | 12 bytes
MAC preamble (+ SFD)                        | 8 bytes
MAC destination address                     | 6 bytes
MAC source address                          | 6 bytes
MAC type (or length)                        | 2 bytes
Payload (network PDU)                       | 46 bytes
Frame check sequence (CRC)                  | 4 bytes
Total frame physical size                   | 84 bytes
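The arithmetic above generalizes to any link speed and frame size, and it is the number a firewall's connections-per-second rating has to be read against. The Python below is an added example, not from the deck: it computes the back-to-back frame rate from the same overhead figures (preamble/SFD, inter-frame gap, frame size), the gap duration, the worst-case connection rate when every minimum-size frame is a SYN or first UDP datagram, and what share of such a flood a device with a given CPS rating could keep up with. The frame sizes and the 1M CPS figure in the demo are illustrative assumptions.

```python
"""Line-rate packet and connection budgets for an Ethernet link.

Added example, not from the F5 deck: generalizes the slide's 1 Gbps / 64-byte
calculation to any link speed and frame size, and relates it to the
connections-per-second a firewall must absorb. Demo figures are illustrative.
"""

PREAMBLE_SFD_BYTES = 8      # 7-byte preamble + start frame delimiter
IFG_BYTES = 12              # inter-frame gap is 96 bit times
MIN_FRAME_BYTES = 64        # destination MAC through FCS, 46-byte payload
MAX_FRAME_BYTES = 1518      # untagged, 1500-byte payload


def wire_bits_per_frame(frame_bytes):
    """Bits the link carries per frame, including preamble/SFD and the gap."""
    return (frame_bytes + PREAMBLE_SFD_BYTES + IFG_BYTES) * 8


def max_frames_per_second(link_bps, frame_bytes=MIN_FRAME_BYTES):
    """Theoretical maximum frame rate for back-to-back frames of one size."""
    return link_bps / wire_bits_per_frame(frame_bytes)


def ifg_seconds(link_bps):
    """Duration of the inter-frame gap at a given link speed (96 ns at 1 Gbps)."""
    return IFG_BYTES * 8 / link_bps


def max_new_connections_per_second(link_bps):
    """Worst case: every minimum-size frame is a TCP SYN or the first UDP datagram
    of a flow, so the connection rate can equal the minimum-frame packet rate."""
    return max_frames_per_second(link_bps, MIN_FRAME_BYTES)


def syn_flood_headroom(device_cps, link_bps):
    """Share of a line-rate SYN flood on this link that a device rated at
    device_cps new connections per second could keep up with."""
    return device_cps / max_new_connections_per_second(link_bps)


if __name__ == "__main__":
    for gbps in (1, 10, 100):
        link = gbps * 1_000_000_000
        print(f"{gbps:>3} Gbps: {max_frames_per_second(link):>13,.0f} pps at 64 B, "
              f"{max_frames_per_second(link, MAX_FRAME_BYTES):>11,.0f} pps at 1518 B, "
              f"IFG {ifg_seconds(link) * 1e9:.1f} ns")
    # A firewall rated at 1M CPS (illustrative) against a 10 Gbps line-rate SYN flood:
    print(f"1M CPS vs 10 Gbps SYN flood: {syn_flood_headroom(1_000_000, 10e9):.1%}")
```

The inter-frame gap is 96 bit times, which is 9.6 µs at 10 Mbps and 96 ns at 1 Gbps; the slide's "9.6 ms" is a unit slip. The last line is the practical point of the next two questions: a CPS rating in the hundreds of thousands covers only a few percent of what a single saturated 10 Gbps link can present.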
Question 2: What is the maximum CPS that can be reached on a 1 Gbps link?
Answer: about 1,488,095 connections per second, because every packet can initiate a connection (a SYN, or the first UDP packet of a session).
Question 3: How many CPS can an F5 Networks firewall handle?
Chart – connections per second (0–8 million): Juniper (SRX 5800), Cisco (ASA 5585-X) and Check Point (61000) are shown at 350k, 400k and 600k; F5 (VIPRION 4800) is shown at 8M, labelled 21x.
Mobile Has Unique Challenges
Why is the web so slow on my mobile device?
Mobile device
• TCP stacks differ between mobile operating systems
• JavaScript parsing and execution is relatively slow on mobile devices
Mobile network
• Higher packet loss rate
• High network latency: 300 ms via 3G vs <50 ms on LTE
• Connections are made ad hoc and frequently dropped to preserve spectrum and battery life
Internet
• Low packet loss rate
• Low latency (except for intercontinental traffic)
Application
• Different TCP stacks are used on servers, some of which are not optimal for mobile networks
Content Optimization – A Changing Environment
SSL / SPDY INCREASE
• In many countries, SSL traffic (HTTPS and SPDY) on mobile networks is currently reaching around 50% of total Internet traffic
• Top web sites such as Google, Facebook, and Twitter use SPDY
• HTTP 2.0 being standardized in IETF with browsers requiring TLS encryption when setting up HTTP 2.0 connections
RISE OF ADAPTIVE BIT RATE VIDEO STREAMING
• Top video sites such as YouTube, Netflix, Hulu, and BBC iPlayer have all embraced ABR video technology
• Video is encoded at different bit rates, client dynamically chooses or changes appropriate bit rate based on network conditions
TCP Protocol Review
• TCP is a connection-oriented protocol
  • Client and server must establish a connection before any data can be transferred
• TCP provides reliability
  • The sender knows that the data it sends is correctly received by the other end
  • Acknowledgements confirm delivery of data received by the TCP receiver
  • Data is acknowledged only after it has reached the receiver
• TCP implements flow control and congestion control
  • A sender cannot overwhelm a receiver with data
  • A sender will "back off" when under congestion
Impact of Latency – Web Page Load Times
Source: Ilya Grigorik, Google
Impact of Packet Loss – Throughput Degradation
• TCP is designed to probe the network to figure out the available capacity
• TCP slow start is a feature, not a bug
Figure: average HTTP response size 16 kB (3 round trips). In mobile networks packet loss does not necessarily imply congestion.
Source: Ilya Grigorik, Google
TCP Optimization with F5
Diagram: mobile client (2G/3G, LTE) -> PGW/GGSN -> VIPRION running TCP Express (a cell-optimized TCP stack on the client side and a WAN-optimized TCP stack on the Internet side) -> RTR -> Internet -> origin server.
Goals: minimal buffer bloat, flow fairness, high goodput.
TCP Congestion Control Algorithms
• Loss-based algorithms: Reno, New Reno, High-Speed, Scalable, BIC, CUBIC
• Delay-based algorithms: Vegas
• Bandwidth-estimating algorithms: Westwood, Westwood+
• Hybrid delay/loss algorithms: Illinois, Woodside (F5)
Figure labels: RENO, CUBIC, ILLINOIS
TCP Congestion Control Algorithms in 3G and LTE
TCP Woodside
• F5-created algorithm
• Hybrid loss- and latency-based algorithm
• Minimizes buffer bloat by constantly monitoring network buffering
TCP Vegas
• Emphasizes packet delay rather than packet loss
• Detects congestion based on increasing RTT values of packets
TCP Illinois
• Targeted at high-speed, long-distance networks
• Loss-delay based algorithm
• The primary congestion signal (packet loss) determines the direction of the window size change
• The secondary congestion signal (queuing delay) determines the pace of window size changes
H-TCP
• Targeted at high-speed networks with high latency
• Loss-based algorithm
TCP tuning for mobile networks
• Mobile networks have a large BDP: tune your TCP buffers accordingly
• Mobile networks can exhibit random packet loss: choose a TCP congestion control algorithm/technique that takes this into account (don't fall back into slow start upon random packet loss)
• Mobile networks can suffer from buffer bloat: choose a TCP congestion control algorithm that does not rely solely on packet loss, and enable TCP rate shaping to ensure 'smoother' delivery of packets (less strain on buffers)
• Mobile networks have relatively high latency: tune your settings (window size, initial congestion window, ...) to increase performance and reduce web page load times
• Real-life mobile performance is very 'variable' – room for market
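The tuning knobs above are worth putting numbers on with the deck's own figures (a 16 kB average HTTP response, 300 ms RTT on 3G versus under 50 ms on LTE). The Python below is an added example, not from the deck or from F5: it counts the round trips loss-free slow start needs for a response at a given initial congestion window, converts that into a latency-bound response time, and computes the bandwidth-delay product and the throughput ceiling that an untuned window imposes. The MSS and the bandwidth used in the demo are assumptions.

```python
"""TCP slow start, initial window and BDP arithmetic for mobile RTTs.

Added example, not from the F5 deck: works through the tuning knobs the slide
names with the deck's own figures (16 kB response, 300 ms on 3G, <50 ms on LTE).
Loss-free slow start with a non-limiting receiver is assumed; the MSS and the
10 Mbps bandwidth are constructed for the demo.
"""
MSS = 1460  # bytes per segment, typical for a 1500-byte MTU (assumed)


def slow_start_round_trips(response_bytes, initial_window_segments, mss=MSS):
    """Round trips to deliver response_bytes when cwnd starts at initial_window_segments
    and doubles every RTT (no loss, receiver window not limiting)."""
    delivered, cwnd, rtts = 0, initial_window_segments, 0
    while delivered < response_bytes:
        delivered += cwnd * mss
        cwnd *= 2
        rtts += 1
    return rtts


def response_time_seconds(response_bytes, rtt_seconds, initial_window_segments, mss=MSS):
    """Time until the last byte arrives: one RTT for the TCP handshake plus the data
    round trips (the request itself travels in the first of them). Latency-bound
    model: serialization time is ignored."""
    return rtt_seconds * (1 + slow_start_round_trips(response_bytes, initial_window_segments, mss))


def bandwidth_delay_product_bytes(bandwidth_bps, rtt_seconds):
    """Bytes that must be in flight to fill the pipe; send/receive buffers should be at least this."""
    return bandwidth_bps * rtt_seconds / 8


def window_limited_throughput_bps(window_bytes, rtt_seconds):
    """Throughput ceiling imposed by a fixed window at a given RTT."""
    return window_bytes * 8 / rtt_seconds


if __name__ == "__main__":
    for label, rtt in (("3G", 0.300), ("LTE", 0.050)):
        for iw in (4, 10):
            print(f"{label} RTT {rtt * 1000:.0f} ms, IW{iw}: 16 kB response in "
                  f"{response_time_seconds(16_000, rtt, iw):.2f} s "
                  f"({slow_start_round_trips(16_000, iw)} data RTTs)")
    print(f"IW10 delivers up to {10 * MSS:,} bytes in a single data RTT")
    print(f"BDP at 10 Mbps / 300 ms: {bandwidth_delay_product_bytes(10e6, 0.3):,.0f} bytes")
    print(f"64 KB window at 300 ms caps throughput at "
          f"{window_limited_throughput_bps(65_535, 0.3) / 1e6:.2f} Mbps")
```

The last two lines are the "large BDP" bullet in numbers: at 10 Mbps and 300 ms about 375 kB must be in flight, so a stack limited to a 64 KB window (no window scaling) cannot exceed roughly 1.7 Mbps on that path no matter how much radio capacity exists.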
Reducing Web Page Load Times with F5 TCP Express – Real-life test results, MNO in APAC
Chart: optimized (sec), as-is (sec) and improvement (%) for three locations (business center, shopping mall, residential area) in four cases: Case 1 – 100 × 64 KB images; Case 2 – 1 × 10 MB image; Case 3 – regular website 1; Case 4 – regular website 2.
HTTP Performance Tests – Radio Strength Variances – Real-life test results, MNO in EMEA
Large download: HTTP page with large images (throughput test). Small download: HTTP page with small objects (web browsing test).
Charts: improvement for HTTP large and small downloads under poor and good coverage, on 3G (0–200% scale) and 4G (0–40% scale); data labels on the slide: 20%, 28%, 38%, 33%, 22%, 14%, 196%, 95%.
TCP OPTIMIZATION BENEFITS INCREASE UNDER POOR RADIO COVERAGE
TCP Optimization – Summary
• Increases "goodput" on the radio network and keeps latency under control
• Works for > 90% of all Internet traffic regardless of encryption or encoding
• Lengthens the life span of the radio infrastructure and enhances the user experience
• Deployed inline on the Gi LAN, optionally consolidated with other L4-7 functions