Optimised redundancy for Security Gateway deployments

Transcription

1 Optimised redundancy for Security Gateway deployments

2 RECAP:- JUNIPER LTE SECURITY OFFERING Customer Priorities Core elements protection RAN and UE protection SCTP protection Scalability Mission critical availability Voice over LTE Coordinated protection Secure business and access to all services from any to any Juniper LTE Solution SRX Security Service Gateways TL 9000 certification In Service SW Upgrades NEBS III / DC Power CC EAL Hot Swap I/O Cards ICSA 120G FW 30G IPS 10M Sessions 350k SPS 21M pps (64B) 2 Copyright 2011 Juniper Networks, Inc. IP & GTP & SCTP Firewall QoS DoS Protection IPv6 IPSec High Availability

3 RESILIENCY CONSIDERATIONS FOR LTE/SEGW MME Cell sites eutran Security Gateway S-GW Evolved Packet Core Services/Internet Catastrophic Act of Nature/Criminality/Terrorism Geographic site distribution Highly available Security Gateway Clustered mode with IPSec tunnel and S1-U/S1-MME session synchronisation Redundant everything Inter-node cluster links, power feeds and PSUs, physical SeGWs Fast failover for latency-sensitive services like VoLTE Provide lowest possible failover times, under 0.5s Maintain signalling Ensure SeGW does not cause problems with common signalling failover times (800ms) Node maintenance Firmware and hardware upgrades with near-zero downtime 3 Copyright 2011 Juniper Networks, Inc.

4 ANATOMY OF A REDUNDANT SOLUTION Aggregation site 1 SRX5800 Rear BACKHAUL MME Cell-site Geographic Redundant 2+2 High L3 Active/Active redundancy Redundant Availability HA distribution VPN links power Requires Dual Synchronisation BFD Split SCTP used links power inter-site for to signalling supplies provide control of L2 IPSec on and link for dualhomed rapid HA per nodes at failover L3 site in ~300ms No Separate Resilient Failover Mitigates SCTP hard handles time distance against loss physical commonly of subsecond adjacent loss limitations paths of 1 ~1s for data SAs connectivity plane zones for failover best entire routers signalling redundancy feed or failover links or 2 PSUs Latency between sites must be less than 100ms Aggregation site 2 S-GW Core Site P-GW 4 Copyright 2011 Juniper Networks, Inc.

5 GEOGRAPHIC CLUSTER DISTRIBUTION HA Links L2 Infrastructure Site A Cluster Jurisdiction Site B Mitigate catastrophic event by distributing SeGW cluster members between physical sites with L2 connectivity (required) No hard maximum distance Latency between sites should be less than 100ms HA connections can be directly cabled or over a switched infrastructure Appnote enclosed explains design guidelines 5 Copyright 2011 Juniper Networks, Inc.

6 MULTIPLE HA LINKS Node 0 Control plane Node 1 Control plane Separate physical paths between sites Node 0 Dataplane Node 1 Dataplane SRX Node 0 SRX Node 1 Dual links can be used for control and forwarding plane (Fabric) HA Maximum availability of cluster links across distributed sites Requires additional Routing Engine (RE) per node for dual control links 2 I/O ports per node required for dual Fabric links (1Gbps or 10Gbps) Should be cabled over separate physical paths/infrastructures for greatest resilience 6 Copyright 2011 Juniper Networks, Inc.

7 REDUNDANT POWER OPTIONS Power feed 1 Power feed 2 Fully redundant, 2+2 power (DC or high-capacity AC) available Dual zones on SRX (as above) Dual power feeds in aggregation site should be distributed across zones Eg, Feed 1 goes to PEM 0 and PEM 1, Feed 2 to PEM 2 and PEM 3 SRX can continue to fully function through loss of Entire single power feed Up to 2 PSUs, providing they are different zones 7 Copyright 2011 Juniper Networks, Inc.

8 HIGH AVAILABILITY:- CORE FUNCTIONALITY IPSec tunnels IPSec SA and session sync JUNOS HA provides a number of core resilience functions on SeGW Synchronisation of IPSec SAs No tunnel re-establishment = minimal downtime for SeGW failover Synchronisation of underlying clear-text sessions SCTP and GTP Allows for stateful security and HA for SCTP signalling ISSU (In-Service Software Upgrades)* Upgrade JUNOS with minimal downtime (potentially subsecond) SPC capacity upgrade Scale performance with minimal downtime (potentially subsecond) 8 Copyright 2009 Juniper Networks, Inc. *IPSec support for ISSU coming 2H2012

9 OPTIMISED L3 FAILOVER RAN L3 forwarding interface (Reth) OSPF/BFD adjacency Use 2 x L3 links up and down stream for optimised failover BFD (+DRP) runs between SRX and adjacent aggregation/pe routers Loss of aggregation/pe router or a link causes L3 route failover HA failover occurs only if both L3 interfaces (up or down stream) on a node are down Site A EPC Site B Failover with BFD occurs with an absolute downtime of ~350ms Ideal for high priority traffic requirements, eg VoLTE 9 Copyright 2009 Juniper Networks, Inc.

10 OPTIMISED L3 FAILOVER IPSEC TERMINATION L3 interfaces Possible IPSec tunnel paths Aggregation router (site A) Loopback cable NB Logical view only, SRX cluster not shown IKE/IPSec termination point SRX Aggregation router (site B) L3 ingress IP changes as interface fails over Needs an agnostic logical interface for IPSec termination Loopback Reth A physical interface is kept up with a local loop cable Used as the outgoing interface for IKE negotiation but no traffic traverses the looped cable Can be 1Gbps or 10Gbps no forwarding needed Can be migrated to logical loopback from JUNOS 12.3 (loopback currently not supported for IPSec termination in cluster mode) 10 Copyright 2009 Juniper Networks, Inc.

11 SIGNALLING OPTIMISATION Association setup (INIT exchange) + primary SCTP path enb Secondary SCTP path The problem:- SCTP signalling applications typically failover in 800ms or less For dual-homed signalling, primary AND secondary paths could both fail in 1.6s Under certain conditions, SeGW HA failover takes > 1.6s HA failover could lead to complete loss of signalling The solution:- Split the primary and secondary SCTP sessions, both from a RAN path perspective and also an SeGW termination point perspective Use Active/Active HA and divide the homing across cluster members MME 11 Copyright 2009 Juniper Networks, Inc.

12 SIGNALLING RESILIENCE WITH ACTIVE/ACTIVE HA MS VPN A RAN enb VPN B User plane Primary SCTP Secondary SCTP SCTP dual-homed association split down dual IPSec tunnels In case of loss of primary path or primary SeGW, signalling fails to secondary VPN Secondary VPN always up Signalling timers (~800ms) are catered for User plane is not rerouted to secondary VPN Assumes failover time (1-3s) is acceptable for user plane S-GW MME 12 Copyright 2009 Juniper Networks, Inc.

13 SIGNALLING RESILIENCE WITH ACTIVE/ACTIVE HA FAILOVER WALKTHROUGH MS VPN A RAN enb VPN B User plane Primary SCTP Secondary SCTP 1 2 Normal operating conditions User plane and primary SCTP through RG1, secondary SCTP through RG2 RG1 failure (eg SRX loses power). User plane forwarding and primary SCTP path lost RG1 begins to failover; SCTP detects path down and uses secondary path Failover completes, RG1 and RG2 active on same node. User plane traffic resumes Primary signalling path recovered through SCTP heartbeats. HA preemption can be optionally configured to failback S-GW MME 13 Copyright 2009 Juniper Networks, Inc.

14 A/A ADDITIONAL BENEFIT:- SCTP ALG IP A RAN IP B Primary SCTP Secondary SCTP SCTP Association is synchronised across cluster Possible sessions for a given association are clearly defined by src/dst IP addresses in the INIT exchange Init exchange SCTP Association SIP=A,B DIP=C,D Turning on SCTP ALG allows SCTP to be handled statefully Prevents any potential attacks listed in RFC5062, eg hijacking, bombing IP D IP C MME 14 Copyright 2009 Juniper Networks, Inc.

15 USER PLANE FAILOVER WITH DUAL TUNNEL User plane failover requires a mechanism to detect that the tunnel is down (or not passing traffic due to a problem in the path) This could be DPD Tends to have long timers which do not facilitate rapid failover 30s+ common for DPD to detect tunnel down Checks tunnel liveness only via IKE (does not extend to forwarding plane checking) Could also be a DRP Not necessarily supported on enbs 15 Copyright 2009 Juniper Networks, Inc.

16 FUTURE FOR TUNNEL FAILOVER BFDoIPSEC? BFD could offer a solution Could be run in conjunction with static routes Granular timing options for BFD keepalives 50ms is typical minimum Can give high speed failover between tunnels including user plane Currently supported over IPSec on SRX Not supported on all (any?) base stations today, but planned* 16 Copyright 2009 Juniper Networks, Inc. *caveat:- Juniper is not a basestation vendor, this is what we have heard!

17 GEOGRAPHIC MIGRATION OF SEGW SeGW deployments tending towards a large scale centralised deployment One VPN migrated; traffic failed over; 2nd VPN migrated A more distributed architecture has advantages More efficient X2 transport Minimal impact of SeGW node failure Lower performance requirements per node S-GW MME Loopback termination of IPSec VPNs could offer a simple migration path in conjunction with A/A Dual tunnels could exist on different clusters during migration 17 Copyright 2009 Juniper Networks, Inc.

18 SEGW:- REDUNDANCY SUMMARY MATRIX Requirement Solution component Notes Redundant power 2+2 PSUs Dual feeds per site required Redundant HA links Dual control/dual data plane HA links Links pairs should traverse disparate paths High Availability SRX cluster Provides IPSec SA and session synchronisation Fast failover at L3 Dual L3 links with BFD Mitigates loss of adjacent routers or links Signalling failover Active/Active Dual tunnel Design may not be supported by all radio vendors Geographic redundancy Dispersed cluster L2 needed between sites 18 Copyright 2009 Juniper Networks, Inc.

19 Permanent Tunnel Initial Tunnel RELAY PROVISIONING AUTO CONFIGURATION PROTOCOL WORKFLOW enodeb SGW DHCP (can be coresident on SRX) DHCP: en- & operator specific / / PKI FE 1 PKI - BE Authenticate to Operator s CA with enb vendor Certificate & key signing request Create, sign & download operator s enb Certificate Create Temporary IPSec Tunnel Conf Server PKI FE 2 REBOOT Create Permanent IPSec Tunnel 19 Copyright 2009 Juniper Networks, Inc.

20 JUNIPER SRX AS SEGW:- INVESTMENT PROTECTION AND FUTURE SCALE Hardware Refresh:- Key points Backward compatible - Low upgrade cost Operational Simplicity No change to security config Investment Protection Non-stop services Redundant components Stateful HA In-service SW upgrade In-service HW upgrade Performance Scale Next-generation SPC 2x-3x boost in performance Up to 8x jump in scale Headroom for future growth 20 Copyright 2009 Juniper Networks, Inc.

21