Seminar on ITU-T hot topics for Standardization (Mar del Plata, Argentina, 2 September 2009)

Enablement of QoS and Security in NGN
Hui-Lan Lu, Ph.D.
Vice Chairman of SG 13, Chairman of WP 4/13
Bell Labs Fellow
Mar del Plata, Argentina, 2 September 2009
International Telecommunication Union

Slide 2: Outline
- Motivations and basic NGN requirements
- Related work in WP 4/13
  - Q.4/13 on QoS: Resource and Admission Control Functions (RACF)
  - Q.16/13 on security and Identity Management (IdM): identity management framework
  - Q.17/13 on Deep Packet Inspection (DPI)
- Summary

Slide 3: Why?
- Base packet transport lacks inbuilt support for hard security and QoS
  (Figure: 802.xx, cable, DSL and 3G/LTE access networks attached to NGN cores)
- Yet:
  - Applications have diverse bandwidth and performance needs
  - User devices have improving but varied capabilities
  - Different access technologies are in use
  - Multiple providers and walled gardens are involved end-to-end
  - Networks and communications are vulnerable, while some actors are malicious or non-trustworthy

Slide 4: Security may mean…
- Limitation of data disclosure
- Privacy
- Anonymous communications
- Prevention of changing data in transit
- Law enforcement: destruction of pirated content, tracking criminals, monitoring an enemy's communications

Slide 5: QoS may mean…
- Satisfactory bandwidth or network performance (e.g., delay, jitter, packet error ratio, and packet loss ratio)
- Satisfactory application performance, such as signal-to-noise ratio, lip sync, channel change delay, and post-dialling delay
- Carrier-grade network reliability
- Robust communication security
- Quality of experience of a user: the collective effect of service performance which determines the degree of satisfaction of a user of the service (as defined in E.800)

Slide 6: General Network Requirements (QoS and Security)
- Only legitimate requests are satisfied
- Ensure confidence of transactions
- Allocate and de-allocate resources (e.g., bandwidth) based on established policy
- Hide the network topology (e.g., IP addresses of all but a few entities) as necessary
- Be able to handle remote network address/port translation devices and firewalls
- Mitigate relevant Denial-of-Service (DoS) attacks

Slide 7: Working Party 4/13 is addressing NGN QoS and security issues
- Working Party 4/13: QoS and Security
  - Question 4/13: QoS
  - Question 16/13: Security and Identity Management
  - Question 17/13: Deep Packet Inspection

Slide 8: Question 4/13 Work Program
(Figure: work items grouped around Y.2111, Resource and admission control)
- Y.2111: Resource and admission control
- Y.2112: Ethernet-based IP access network
- Y.2113: Ethernet
- Y.2121, Y.2122: Flow-aware transport
- Y.2171: admission priority; Y.2172: restoration priority; Y.2173: performance management
- Y.2174, Y.2175: MPLS core network
- Resource authorization
- Y.IPTV-TM
- Q.330x.x (SG 11): protocol specifications
- Other NGN studies related to QoS

Slide 9: Resource and Admission Control Functions (RACF) (Ref.: ITU-T Rec. Y.2012)
(Figure: NGN architecture. Applications, including 3rd party applications, reach the Application/Service Functions through the ANI. Service stratum: Service Control Functions and Service User Profiles. Transport stratum: Network Attachment Control Functions, Resource and Admission Control Functions, Transport Control Functions, Transport User Profiles and Transport Functions. Management Functions span both strata. End-User Functions attach at the UNI and Other Networks at the NNI; control and media paths are shown separately.)
- Provide application-driven, policy-based resource management to dynamically assure QoS and enforce network security measures
- Address unicast/multicast, fixed/mobile, and CPE/CPN requirements

Slide 10: Resource and Admission Control Functions (RACF) (Ref.: ITU-T Rec. Y.2111 Rev. 1, 11/2008)
- Policy Decision Functional Entity (PD-FE)
  - Authorizes resource requests based on policy
  - Configures the transport to enforce policy
- Transport Resource Control Functional Entity (TRC-FE)
  - Tracks resource use and network topology
  - Makes resource-based admission decision
- Policy Enforcement Functional Entity (PE-FE)
  - Enforces policy for NAPT, gating, rate limiting, packet marking, etc.
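The split of responsibilities between the three functional entities above (policy decision, resource-based admission, enforcement) is easiest to see in a small simulation. The following Python is an added illustration written for this page, not code from ITU-T or from Y.2111. It assumes an accounting-style TRC-FE with a fixed bandwidth pool per access segment, a PD-FE that checks a user profile before asking the TRC-FE, and a PE-FE that only records the gates it is told to install; the class names, FlowRequest, run_scenario, the subscribers alice and bob, the segment dsl-1 and the 10 Mbit/s capacity are all constructed for the example. It covers both the unicast and the multicast case the slide mentions: a multicast group is charged to a segment once, so a second receiver joining the same group on that segment costs nothing, and the bandwidth is only returned to the pool when the last receiver leaves.

```python
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, Optional, Tuple


@dataclass(frozen=True)
class FlowRequest:
    """Transport-resource request derived from application signaling."""
    user: str
    service: str                           # "vod" (unicast) or "btv" (multicast)
    bandwidth_kbps: int
    segment: str                           # access segment the user is attached to
    multicast_group: Optional[str] = None  # set for broadcast-TV channel joins


class PolicyEnforcementFE:
    """PE-FE (assumed model): records the gates it is told to open; a real
    PE-FE would apply NAPT, gating, rate limiting and marking on the data path."""

    def __init__(self) -> None:
        self.gates: Dict[tuple, int] = {}

    def install_gate(self, req: FlowRequest) -> None:
        self.gates[(req.user, req.service, req.multicast_group)] = req.bandwidth_kbps

    def remove_gate(self, req: FlowRequest) -> None:
        self.gates.pop((req.user, req.service, req.multicast_group), None)


class TransportResourceControlFE:
    """TRC-FE (assumed accounting model): a fixed bandwidth pool per segment;
    a multicast group is charged once per segment regardless of how many
    receivers on that segment have joined it."""

    def __init__(self, capacity_kbps: Dict[str, int]) -> None:
        self.capacity = dict(capacity_kbps)
        self.used = {seg: 0 for seg in capacity_kbps}
        self.members = defaultdict(set)    # (segment, group) -> receivers

    def admit(self, req: FlowRequest) -> bool:
        key = (req.segment, req.multicast_group)
        if req.multicast_group and self.members[key]:
            self.members[key].add(req.user)  # group already flows here: no extra cost
            return True
        if self.used[req.segment] + req.bandwidth_kbps > self.capacity[req.segment]:
            return False
        self.used[req.segment] += req.bandwidth_kbps
        if req.multicast_group:
            self.members[key].add(req.user)
        return True

    def release(self, req: FlowRequest) -> None:
        key = (req.segment, req.multicast_group)
        if req.multicast_group:
            self.members[key].discard(req.user)
            if self.members[key]:
                return                       # other receivers still need the group
        self.used[req.segment] -= req.bandwidth_kbps


class PolicyDecisionFE:
    """PD-FE: checks policy (the user profile), asks the TRC-FE whether the
    transport can carry the flow, and only then configures the PE-FE."""

    def __init__(self, profiles: Dict[str, dict], trc, pe) -> None:
        self.profiles, self.trc, self.pe = profiles, trc, pe

    def request(self, req: FlowRequest) -> Tuple[bool, str]:
        profile = self.profiles.get(req.user)
        if profile is None or req.service not in profile["services"]:
            return False, "policy: service not in user profile"
        if req.bandwidth_kbps > profile["max_kbps"]:
            return False, "policy: exceeds subscribed rate"
        if not self.trc.admit(req):
            return False, "admission: insufficient segment resources"
        self.pe.install_gate(req)
        return True, "granted"

    def release(self, req: FlowRequest) -> None:
        self.pe.remove_gate(req)
        self.trc.release(req)


# Constructed sample data: two subscribers on one 10 Mbit/s access segment.
PROFILES = {"alice": {"services": {"vod", "btv"}, "max_kbps": 8000},
            "bob": {"services": {"btv"}, "max_kbps": 8000}}
CAPACITY = {"dsl-1": 10000}


def run_scenario():
    """Unicast VoD requests, then broadcast-TV joins and leaves on one segment."""
    trc, pe = TransportResourceControlFE(CAPACITY), PolicyEnforcementFE()
    pd, seg, log = PolicyDecisionFE(PROFILES, trc, pe), "dsl-1", []
    for user, kbps in (("alice", 4000), ("bob", 4000), ("alice", 7000)):
        req = FlowRequest(user, "vod", kbps, seg)
        log.append((f"{user} vod {kbps}", pd.request(req), trc.used[seg]))
    joins = [FlowRequest(u, "btv", 3000, seg, "A") for u in ("alice", "bob")]
    for req in joins:
        log.append((f"{req.user} join A", pd.request(req), trc.used[seg]))
    for req in joins:
        pd.release(req)
        log.append((f"{req.user} leave A", None, trc.used[seg]))
    return log, len(pe.gates)   # one gate (alice's VoD) is still open at the end


if __name__ == "__main__":
    for entry in run_scenario()[0]:
        print(entry)
```

Running run_scenario() shows the two distinct refusal paths the slide separates: bob's VoD request is refused by the PD-FE on policy (VoD is not in his profile) before any resource is consulted, while alice's second 7 Mbit/s request passes policy but is refused by the TRC-FE because it would exceed the segment pool. The multicast part shows why the TRC-FE has to track group membership per segment: bob's join of group A is free, and alice's leave does not free bandwidth until bob leaves too.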
- Characteristics: the PD-FE is service-facing and transport-independent; the TRC-FE is service-independent, transport-dependent and segment-specific; the PE-FE is typically part of border transport elements (e.g., edge router and border gateway)
(Figure: RACF reference points and protocols as labelled: Rs (Diameter), Ru, Rt (Diameter), Rw (H.248, COPS, Diameter), Rc (COPS, SNMP), Rp (COPS), Rn, Rh, Rd, Ri. The PD-FE, TRC-FE and PE-FE sit in the Transport Stratum, with the Service Control Functions in the Service Stratum, the Network Attachment Control Functions, a TRE-FE, CPE/CPN and multicast-aware Transport Functions; intra-domain and inter-domain interfaces towards other NGNs are distinguished.)

Slide 11: Options for Admission Control in TRC-FE
- NULL
- Accounting-based: track consumed resources from a resource pool
- Measurement-based
  - Audit resource use in the transport periodically
  - Measure network performance via active probes
- Part of native transport admission control: MPLS routers/switches track resource use and the LSP map
- In conjunction with native transport resource reservation: trigger native transport resource reservation and make the admission decision based on the reservation result
- Choice depends on service/network specifics and operator policy

Slide 12: RACF in Action (Unicast): Video on Demand
(Figure, steps 1-6: the User Equipment sends "play" to the VoD application; application signaling reaches the Service Control Functions, which derive general QoS requirements; RACF control passes to RACF, which applies policy: derive transport QoS requirements, make policy and admission decision, configure transport; the VoD Transport Functions then carry the video stream to the User Equipment.)
- Application signaling triggers transport-resource allocation
- UE does not need to support transport QoS signaling

Slide 13: Broadcast TV Challenges
- Expectation of non-blocking service
- Low tolerance to packet loss and error
- High bandwidth requirement
- Expectation of fast channel change
- Bursty change requests
- Varied display and processing capabilities across terminals
- Vulnerability to DoS attacks
- Proper network dimensioning and use of multicast are essential

Slide 14: Multicast Considerations
- Receivers use transport-level signaling to tune in to (and out of) a multicast group
  - Access control
  - Admission control
- Change in multicast group membership may alter multicast topology and resource requirements
  - Fast resource allocation/re-allocation
  - Minimizing the dynamic portion of the multicast topology
  - Efficient use of bandwidth
  - Tradeoff between speed and efficiency
- Multicast source may be set up dynamically
  - How to authenticate the source, especially a user-originated source?

Slide 15: RACF in Action, Broadcast TV (simplified)
(Figure, steps 1-8: the User Equipment sends application signaling to the Service Control Functions, which derive general QoS requirements; RACF control passes to RACF with a co-located TRC-FE, which derives transport QoS requirements, makes the policy and admission decision and configures the transport; the User Equipment then sends transport signaling (Join A, Leave A, Join B) to the multicast-aware Transport Functions carrying multicast A, B and C. Admission control ensures granted requests are in profile and met with acceptable QoS.)
- Application signaling triggers multicast resource allocation
- Multicast join requests are sent after service requests are granted
- Multicast group change triggers resource re-allocation as needed

Slide 16: Question 16/13 Work Program
- Y.2701: Security Requirements for NGN Release 1
- Y.2702: NGN Authentication and Authorization Requirements
- Y.2703: NGN AAA
- NGN Certificate Management
- NGN Security Mechanisms
- Mobility Security Framework in NGN
- Security Requirements for Mobile Financial Transactions in NGN
- Architecture for Secure Mobile Financial Transactions in NGN
- Y.2720: NGN IdM Framework
- NGN IdM Requirements and Use Cases
- NGN IdM Mechanisms
- All NGN studies in other Questions
(The figure flags one work item as a candidate for initial closure in September.)

Slide 17: Existing Issues with User Identity
- End users are increasingly using multiple identities
- Identities may be associated with differing contexts and service privileges
- Identities may only partially identify the end user
- Identities may be used anywhere, anytime
- Identities may not be interoperable between providers

Slide 18: Key NGN IdM Drivers
- Control and protection of personal information
- Uniform user access to multiple applications from any device and regardless of the number of providers involved
- Dynamic interconnection among multiple partners without a priori pair-wise arrangements
- Extending strong authentication for mobile services to fixed services (including Web 2.0)
- Confidence of transactions
- Enablement of blended, mash-up applications (e.g., identity-based services, targeted advertisement and personalized services)
- Ease of compliance with regulatory requirements

Slide 19: NGN IdM Framework (ITU-T Rec. Y.2720, 1/2009)
- Business and Security Services: Identity Management Federated Services; Application Access Control (e.g., Multimedia and IPTV); Single Sign-on/Sign-off; Role-based Access to Resources; Protection of Personally-Identifiable Information; Security Protection of Information and Network Infrastructure
- IdM Capabilities: Identity Lifecycle Management; Correlation and Binding of Identity Information; Authentication, Assurance, and Assertion of Identity Information; Discovery and Exchange of Identity Information
- Identity Information
  - Identifiers (e.g., User ID, email address, telephone number, URI, IP address)
  - Credentials (e.g., digital certificates, tokens, and biometrics)
  - Attributes (e.g., roles, claims, context, privileges, location)
- Entities: Users & Subscribers; Organizations, Business Enterprises, Government Enterprises; User Devices; Network and Service Providers; Network Elements and Objects; Virtual Objects

Slide 20: Use Case: Single Sign-On (Ref: ITU-T draft on IdM use cases)
Parties: End User, Device, Application A (e.g., VoIP), Application B (e.g., Data), Application C (e.g., IPTV), IdM System
- User authenticates to access Application C (e.g., IPTV):
  (1) Application Service Request
  (2) Identity Info Request [UserID]
  (3) Authentication Challenge
  (4) Authentication Input [UserID, Credentials]
  (5) Authentication
  (6) Identity Response [UserID, CredAssertion, Attributes, Policy]
  (7) Authorization
  (8) Access Authorization
  (9) Service Session
- User invokes Application B (e.g., Data) and obtains access without having to re-authenticate:
  (10) Application Service Request
  (11) Identity Info Request [UserID]
  (12) Verification
  (13) Identity Response [UserID, CredAssertion, Attributes, Policy]
  (14) Authorization
  (15) Access Authorization
  (16) Service Session
- User invokes Application A (e.g., VoIP) and obtains access without having to re-authenticate:
  (17) Application Service Request
  (18) Identity Info Request [DeviceID]
  (19) Authorization
  (20) Identity Info Response [DeviceID, Attributes]
  (21) Authorization
  (22) Service Session

Slide 21: Question 17/13 Work Program
- DPI Requirements (Y.dpireq)
- DPI Framework (Y.dpifr)
- Application scenarios: Security (with Q.16/13), Charging, QoS (with Q.4/13)
- DPI stages: Scan, Rules Table, Analysis, Enforcement

Slide 22: Summary
- WP 4/13 is addressing important issues of QoS and security in NGN
- A set of Recommendations has been developed
  - Y.2111 specifies RACF—the central enabler for NGN QoS
  - Y.2701 and Y.2702 set the basic security requirements for NGN
  - Y.2720 provides a holistic view of IdM in NGN and lays the foundation for further development
- Ongoing studies include
  - IdM requirements and mechanisms, and securing mobile financial transactions
  - Enhancements of RACF in support of mobility, P2P, and coordination with network performance management and CPN resource management
  - Deep packet inspection-enabled QoS and security control
- Cooperation among related efforts in various SDOs (3GPP, ETSI TISPAN, IETF, OMA, etc.) is essential for effective support of QoS and security end-to-end
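The single sign-on use case on slide 20 can be exercised end to end with a small model. The following Python is an added example for this page, not code from the ITU-T draft; the IdM system, the relying applications, the HMAC-signed credential assertion, the subscriber alice, the device stb-001 and every function name are assumptions made for the illustration. It walks the three paths of the use case: an authentication challenge and credential input for the first application (steps 1-9), access to a second application by verifying the existing assertion instead of re-authenticating (steps 10-16), and device-based authorization for a third (steps 17-22). It also shows the behaviour a defender wants when the assertion has been tampered with or has expired: the application falls back to a fresh authentication challenge rather than granting access.

```python
import hashlib
import hmac
import json
import secrets
import time
from typing import Optional, Tuple


class IdMSystem:
    """Assumed IdM system: authenticates the user once, issues a signed
    credential assertion, verifies assertions presented later and returns
    identity information (attributes, policy) to relying applications."""

    def __init__(self, users: dict, devices: dict, ttl_s: int = 3600) -> None:
        self._key = secrets.token_bytes(32)   # assertion signing key (constructed)
        self._users, self._devices, self._ttl = users, devices, ttl_s
        self.clock = time.time                # replaceable to exercise expiry

    @staticmethod
    def hash_password(password: str, salt: bytes) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 50_000)

    def authenticate(self, user_id: str, password: str) -> Optional[str]:
        """Step (5): check credentials; on success issue a CredAssertion."""
        rec = self._users.get(user_id)
        if rec is None or not hmac.compare_digest(
                self.hash_password(password, rec["salt"]), rec["pwd_hash"]):
            return None
        body = json.dumps({"sub": user_id, "exp": int(self.clock()) + self._ttl}).encode()
        return body.hex() + "." + hmac.new(self._key, body, "sha256").hexdigest()

    def verify(self, assertion: str) -> Optional[str]:
        """Step (12): UserID bound to a valid, unexpired assertion, else None."""
        try:
            body_hex, sig = assertion.split(".")
            body = bytes.fromhex(body_hex)
        except ValueError:
            return None
        if not hmac.compare_digest(hmac.new(self._key, body, "sha256").hexdigest(), sig):
            return None
        claims = json.loads(body)
        return claims["sub"] if claims["exp"] >= self.clock() else None

    def identity_info(self, user_id: str) -> dict:
        """Steps (6)/(13): identity information for an authenticated user."""
        rec = self._users[user_id]
        return {"UserID": user_id, "Attributes": rec["attributes"], "Policy": rec["policy"]}

    def device_info(self, device_id: str) -> Optional[dict]:
        """Step (20): attributes registered for a device."""
        attrs = self._devices.get(device_id)
        return None if attrs is None else {"DeviceID": device_id, "Attributes": attrs}


class Application:
    """Relying application (A, B or C). It never sees the password; it asks
    the IdM system for identity information and applies the returned policy."""

    def __init__(self, name: str, idm: IdMSystem) -> None:
        self.name, self.idm = name, idm

    def request_access(self, session: dict, credentials: Optional[str] = None) -> Tuple[bool, str]:
        """`session` is the device-side state shared by all applications."""
        user_id = session.get("UserID")
        if user_id and self.idm.verify(session.get("CredAssertion", "")) == user_id:
            info = self.idm.identity_info(user_id)                   # (13): no re-auth
        elif credentials is None:
            return False, "authentication challenge"                 # (3)
        else:
            assertion = self.idm.authenticate(user_id, credentials)  # (4)/(5)
            if assertion is None:
                return False, "authentication failed"
            session["CredAssertion"] = assertion
            info = self.idm.identity_info(user_id)                   # (6)
        if self.name not in info["Policy"]["apps"]:                  # (7)/(14)
            return False, "not authorized by policy"
        return True, "service session"                               # (9)/(16)

    def request_device_access(self, session: dict) -> Tuple[bool, str]:
        """Steps (18)-(22): authorization keyed on DeviceID attributes."""
        info = self.idm.device_info(session.get("DeviceID", ""))
        if info is None or self.name not in info["Attributes"]["apps"]:
            return False, "device not authorized"
        return True, "service session"


# Constructed sample data: one subscriber and one registered device.
SALT = b"constructed-salt"
USERS = {"alice": {"salt": SALT, "pwd_hash": IdMSystem.hash_password("correct horse", SALT),
                   "attributes": {"role": "subscriber"}, "policy": {"apps": {"IPTV", "Data"}}}}
DEVICES = {"stb-001": {"apps": {"VoIP"}}}


def run_sso_scenario() -> dict:
    idm = IdMSystem(USERS, DEVICES)
    voip, data, iptv = (Application(n, idm) for n in ("VoIP", "Data", "IPTV"))
    session = {"UserID": "alice", "DeviceID": "stb-001"}
    results = {
        "iptv_no_creds": iptv.request_access(session),             # challenged
        "iptv_bad_pw": iptv.request_access(session, "wrong"),
        "iptv_ok": iptv.request_access(session, "correct horse"),  # assertion stored
        "data_sso": data.request_access(session),                  # no re-authentication
        "voip_device": voip.request_device_access(session),
        "voip_user_policy": voip.request_access(session),          # VoIP not in user policy
    }
    forged = dict(session, CredAssertion=session["CredAssertion"][:-1] + "x")
    results["data_forged"] = data.request_access(forged)
    idm.clock = lambda: time.time() + 2 * 3600                     # past the assertion lifetime
    results["data_expired"] = data.request_access(session)
    return results
```

Two design points carry over to a real deployment. The applications hold only the assertion, never the credentials, so a compromised application cannot replay the user's password elsewhere; and the assertion is verified by the IdM system that issued it (with constant-time comparison and an expiry), so a forged or stale assertion degrades to a new challenge instead of a silent grant.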