SG-1 Service Gateway: Intelligent IP Network Value-Added Service Enhancements to Existing Broadband Networks WHITE PAPER Introduction Wireline network operators have increased available customer bandwidth with xDSL modems, DSLAMs and Broadband Remote Access Server (BRAS) systems. While this basic topology enables standard broadband service, most service providers want to expand their portfolios of broadband offerings to improve their competitive position, increase revenues and decrease operational expenses. At the same time, they realize that any enhancement to a network should leverage the existing architecture and easily integrate with it. Such enhancements require only incremental capital investment with minimal replacement of existing network elements. These enhancements also eliminate unnecessary operating expenses arising from changes in the network elements like operation and support, management and billing, and BRAS systems. Integration with the existing network, including its operational processes, is, therefore, a decisive factor in the choice of any new equipment and systems that enable value- added services such as bandwidth on demand and application awareness. These advanced services can be charged to the user with little or no impact on existing network elements and with minimal investment for the network operator. ADC’s SG-1 Service Gateway meets these requirements since it is designed for simple and straightforward integration with a wide range of network elements and topologies. With its drop-in architecture, the SG-1 takes the responsibility for service creation, service enforcement and dynamic service management, independent of the access network elements being used. The access network is responsible for access, transmission and switching, while service management and provisioning are handled in central or regional locations by the SG-1. This concept and topology are similar to a voice intelligent network, where signaling and voice data transport are separate. The SG-1’s network integration capability simplifies the system’s integration with the existing network, which shortens time-to-market for new value-added services, decreases the total cost of ownership including maintenance, and facilitates training. The SG-1 integrates well with existing network devices such as a BRAS, dialup RAS, CMTS (Cable Modem Termination Systems) and WLAN Access Points. The SG-1 also integrates easily with existing or third-party portals, operation and support systems, and management and billing. The SG-1 enables any portal to handle user interactive service selection and subscription, regardless of the access or aggregation devices terminating the calls. Intelligent IP Network To Existing Broadband Networks Value-Added Service Enhancements Intelligent IP Network Value-Added Service Enhancements to Existing Broadband Networks Page 2 SG-1 as a Service Enabler in an Existing xDSL Network With its own advanced service-creation functionality, the SG-1 is capable of upgrading existing BRAS systems that lack service-creation capabilities. It can also simultaneously act as a BRAS by terminating the PPPoE and PPPoA sessions using redundant SONET/SDH interfaces. Thus, users terminated by the existing BRAS and those who are directly terminated by the SG-1 receive the same service and have the same user experience. For example, users connected through the Redback SMS 10000 are offered Try-Before-Buy, Third Party Boost, Bandwidth-on-Demand, and other advanced services, although the Redback system terminating those users cannot provide those services by itself. Such enhanced functionality can be provided using the methods described below. Tunnel Termination / Tunnel Switching Method The existing BRAS transmits (tunnel-switches) the user PPP session via an L2TP tunnel to the SG-1. The transmission is done using the existing AAA server, which responds to each BRAS Access-Request message with a tunnel switching command (tunnel switching attributes). The SG-1 can terminate the L2TP tunnels initiated by the BRAS and terminate each of the tunneled user’s PPP session within those tunnels. On the other hand, it can switch the tunnel to another LNS. For example, the tunnel may be switched by the SG-1 to an ISP network that will terminate the tunnel and the PPP session. When the SG-1 terminates the tunnel, the SG-1 authenticates the user PPP session in the same way it was authenticated by the BRAS, using the same AAA server. The SG-1 provides IP addresses and maintains the point-to-point connection of the user PC or routers. The tunneled traffic to the SG-1 may be carried by SDH/ATM or by Gigabit Ethernet using the SG-1 multi- interface support. The BRAS in this case may either tunnel a group of users through one tunnel or create a separate tunnel for each user. When the SG-1 switches the tunnel without termination of the PPP session, it can still authenticate the user and communicate with the AAA server. Value- added services can be performed and additional user scenarios may be supported. For example, if the session is terminated by a third-party ISP LNS, the network operator can still provide independent value-added network services and apply additional functions such as bandwidth control. A customer service request, initiated through an existing portal (anywhere in the network) results in a personal service profile definition and support, independent of the type of edge router or BRAS being used. The existing BRAS uses its L2TP tunnel switching capability that is standard for most BRAS systems and edge routers. The SG-1 uses its own capabilities as an LNS or L2TP switcher to support this topology. The network operator, using this method, can divide the user sessions into two groups. One group can be provided with an extended range of services and can be tunneled to the SG-1, while the other group can be served with the current range of services and will continue to be terminated as before. This capability enables gradual introduction of new services to the customers, based on geographic or other criteria. In parallel to upgrading existing tunneled sessions, the SG-1 can have a direct connection to the ATM cloud and provide direct enhanced services to additional sessions directly from the DSLAMs. As the number of new xDSL customers grows, the network operator may route the new DSLAM traffic directly to the SG-1, which may terminate the user PPPoE and PPPoA sessions, or aggregate the traffic for termination in another network. The SG-1 can support simultaneously ATM and IP traffic through the same chassis. The network diagram below illustrates the SG-1’s role in an existing xDSL network according to this method. User traffic can be supported by both the SG-1 and the BRAS: Network architecture can now provide service using the existing infrastructure, and the SG-1 can act as a service enhancement platform and as an additional BRAS. The SG-1, in this case, is actually enhancing the BRAS service capabilities by providing advanced services to part or all of the users. The SG-1 can support simultaneously both ATM and IP traffic. MTA SLPM-PI eroC sPSI 1-GS MALSD MA L SD sresU re s U BD sresU tnetnoC SARB Tunnel Termination / Tunnel Switching Method IP Routing Method A In the following topology, the BRAS is not required to use L2TP capabilities. In fact, the BRAS does not change its behavior in any way. This topology might be most suitable in two scenarios: • When the service creation functionality is managed by the network operator, independent of an access network that includes BRAS systems. In this case, the manager of the SG-1 may not want or may not be able to make any changes in the BRAS configuration. • When the processing power of the existing BRAS may be overloaded with additional functionality and may not support the required L2TP tunneling for all the traffic. The router, using its policy-based routing, sends the IP traffic to the SG-1, which monitors the user sessions and provides each user with a selected or configured service profile. The SG-1 may authenticate the users just before enabling the service. In this application, the SG-1 uses its native IP service creation features. The routed traffic to the SG-1 may be carried both by SDH/ATM or IP Gigabit Ethernet using the SG-1 multi- interface support. The network diagram below illustrates the SG-1’s role in an existing xDSL network supporting this method. Sessions can be supported by the SG-1 and DSLAMs; the router distributes the traffic according to provider service policy, and routes the session traffic to the SG-1 for adding the service layer. Sessions can be authenticated and authorized simultaneously through web authentication or PPPoE application through the existing AAA server. Different users or user groups, or different service requests, may be authenticated, authorized and billed by different AAA servers. The SG-1 can interact with many different AAA servers accordingly. IP Routing Method B The BRAS in this method uses its own IP interface and routing capabilities, and routes the users’ IP traffic to the SG-1. The SG-1 monitors the user sessions and provides each user with its selected or configured service profile. The SG-1 can act as the existing BRAS default gateway and may authenticate the sessions before enabling the service. The routed traffic to the SG-1 may be carried both by SDH/ATM or IP Gigabit Ethernet using the SG-1 multi-interface support. The network diagram below illustrates the SG-1’s role in an xDSL network supporting this method. The BRAS interface with the SG-1 (illustrated by the blue dash line in the diagram) represents the new routed traffic from the BRAS to the SG-1. Intelligent IP Network Value-Added Service Enhancements to Existing Broadband Networks Page 3 MTA SLPM-PI eroC sPSI 1-GS MALSD M AL SD sresU re s U BD sresU tnetnoC SARB MTA SLPM-PI eroC sPSI 1-GS MALSD MALSD sresU resU BD sresU tnetnoC retuoR SARB IP Routing Method B IP Routing Method A Intelligent IP Network Value-Added Service Enhancements to Existing Broadband Networks Page 4 Integration with IP DSLAM The SG-1 includes support for the new generation of IP DSLAMs. The IP DSLAM in this case uses its own IP interface and routing capabilities, and routes the users’ IP traffic directly to the SG-1. The routed traffic from the DSLAM to the SG-1 may be carried both by SDH/ATM or IP Gigabit Ethernet using the SG-1 multi- interface support. The SG-1 monitors the user sessions and provides each user with its selected or configured service profile. The SG-1 can act as the IP DSLAM default gateway and may authenticate the sessions before enabling the service. The network diagram below illustrates the SG-1’s role in an xDSL network supporting the new IP DSLAM along with the existing ones. Advanced and Unique Services Functionality The SG-1 delivers a new set of functionalities that are applicable to all of the topologies mentioned above. The main capabilities are: • No Profile/Policy/Service Server: SG-1 does not require any type of profile, policy or service server because the profiles are kept within a Standard RADIUS database format. This concept simplifies integration and significantly decreases deployment time. • Real-Time Profile Change Without Session Termination: To offer services such as “Turbo Button”, the SG-1 handles real-time profile changes without session termination. • Dynamic Access Lists For Walled Gardens: Dynamic access lists are important to modify a user's profile to exit a garden or to access another type of garden, all within one session. • Real-Time User Profile Bandwidth Limitations: For Turbo Button features, it is important that user bandwidth limitations can be changed within a session real-time. SG-1 is capable of this. • Real-Time User Profile Prepaid and Quota Limitations: For prepaid and quota features, it is important that a user time limitation can be changed within a session real-time. • Scalability: The system can grow as service demand grows. The operator can start with a lean 4,000 end- user session support and gradually and seamlessly scale up the system without service interruption. Eventually, a 10U system can populate up to 64,000 concurrent sessions. • Standard Protocols: The SG-1 is designed to use standard protocols, so the operator doesn’t need to invest heavily in new platforms and/or servers and go through painful network upgrades and enhancements. • Support For Home Networks: The SG-1 is able to authorize, authenticate and support self-provisioning for each terminal or home appliance within a home network separately and with an individual associated service profile. • Advanced Security Features For The Mass Market: By using the SG-1, the operator can now offer new and exciting security services for the Broadband user mass market. The SG-1 is offered with a third party anti-virus system that scans HTTP/FTP traffic and delivers a full-service suite in real time to users. Combined with SG-1 service capabilities, the operator can receive a complete platform, geared to handle the new challenges in Internet service provisioning: – An anti-virus engine certified to block 100% of the "in the wild" viruses as well as more than 50,000 samples of malware (viruses, worms, Trojans, etc.). Scans all MIME types and compressed files. Virus protection is certified by ICSA Labs and Check Mark to comply with industry standards. – Ghost Machine ® proactively protects against sophisticated, encrypted, stealth and polymorphic viruses. – SmartScript™ proactively blocks all malicious scripts in email and web pages. Non-malicious scripts still function without difficulty. – MacroTerminator™ heuristically detects and blocks variants of known Microsoft Office macro viruses, as well as unknown ones. MTA tenrehtE SLPM-PI eroC sPSI 1-GS MALSD MALSD MALSD sresU sresU resU BD sresU tnetnoC retuoR Integration with IP DSLAM – Vandal Protection inspects all web pages, downloaded files, and email traffic, cleaning malicious Java, ActiveX and script vandals. – Office Protection removes macros and embedded objects such as executables from Microsoft Office ® documents arriving from un-trusted sources. Benefit to the Service Provider The SG-1 allows for the rapid creation and implementation of new services. With dynamic bandwidth control and application awareness services for voice and peer-to-peer traffic, different applications from the same user may be associated with different service profiles. These profiles can be changed dynamically upon customer request made through any commercial or existing portal. Intelligent IP Network Value-Added Service Enhancements to Existing Broadband Networks Page 5 ADC Telecommunications, Inc., P.O. Box 1101, Minneapolis, Minnesota USA 55440-1101 Specifications published here are current as of the date of publication of this document. Because we are continuously improving our products, ADC reserves the right to change specifications without prior notice. At any time, you may verify product specifications by contacting our headquarters office in Minneapolis. ADC Telecommunications, Inc. views its patent portfolio as an important corporate asset and vigorously enforces its patents. Products or features contained herein may be covered by one or more U.S. or foreign patents. An Equal Opportunity Employer 1317098 5/05 Original © 2005 ADC Telecommunications, Inc. All Rights Reserved Web Site: www.adc.com From North America, Call Toll Free: 1-800-366-3891 • Outside of North America: +1-952-938-8080 Fax: +1-952-917-3237 • For a listing of ADC’s global sales office locations, please refer to our web site. WHITE PAPER . Broadband Networks Value-Added Service Enhancements Intelligent IP Network Value-Added Service Enhancements to Existing Broadband Networks Page 2 SG-1 as a Service. SG-1 Service Gateway: Intelligent IP Network Value-Added Service Enhancements to Existing Broadband Networks WHITE PAPER Introduction Wireline network