Page 1:

Juniper Carrier AAA roadmap

Bart Brinckman, bbrinckman@jnpr.net

May 2008

Copyright © 2007 Juniper Networks, Inc. www.juniper.net

Page 2:

The Current Identity and Policy Management portfolio

Page 3:

The Identity and Policy portfolio

[Diagram labels: Network, Policy, Service; IPTV, Home VoIP, Internet, Video Telephony, Mobile VoIP, Video Roaming, FMC, Push to Talk, FR VPN, ATM VPN, PSTN, Provider Unique Services; CPE, Wireless Access, Edge, Core, Data Center; Open Interfaces; Signaling Specific Security]

Routing and Security Portfolio: Industry-leading packet handling and security solutions for thousands of customers worldwide

Page 4:

AAA functions today: different products aimed at solving different problems

[Diagram labels: products SBR/SIM, SBR/MIM, SBR/SPE, SBR/HA, SBR/SLM; Policy; functions Network Attachment, Resource Assignment, Network Mobility, Service Delivery, Network Identity, Charging & Billing; Access Network: xDSL, Public Wi-Fi, GPRS/UMTS, CDMA 1XRTT/EvDO, WiMAX (simple IP & proprietary), UMA, Femtocell; IMS AAA]

Page 5:

Policy Engine: Any Service - On Demand

Subscriber Initiated – Self Service

Application Initiated

SRC Service Profile Initiated
• Activate on Login
• ToD Activated
• Volume/Time Controlled

Portal Server with SRC-PE portal API
• Turbo
• Tiered Internet

• VoD
• Games
• Streaming Media
• Video Conferencing

Network Detection Initiated

DPI or IDP Platforms
• P2P Controls
• Threat Mitigation

IMS Service Complex
• VoIP
• Video Telephony
• Multi-media

[Diagram labels: SOAP, DIAMETER, Core, Walled Garden + Over the Top (Web 2.0)]

Acces

Page 6:

Carrier AAA Roadmap

Page 7:

Legal statement

This product roadmap sets forth Juniper Networks’ current intention and is subject to change at any time without notice. No purchases are contingent upon Juniper Networks delivering any feature or functionality depicted on this roadmap.

Page 8:

AAA Evolution to FMC and WiMAX

[Diagram labels: Wireline, WiFi/UMA, CDMA, GSM/UMTS, WiMAX; SBR/SPE, SBR/SIM, SBR/MIM, SBR/HA; SBR/Carrier]

Page 9:

One AAA to Manage All Access

A centralized AAA architecture that supports all access technologies and user credentials is an important element of the NGN network.

A benefit of centralizing AAA is that it allows for the centralization of subscriber session information on the networks.

Service delivery can be enhanced, and new services delivered, by leveraging this active subscriber database.

[Diagram labels: LDAP, PKI, Sessions, Applications/Services; DSL, GPRS/UMTS, UMA, CDMA, WiMAX]

Page 10:

Step 1: SBR Carrier v 7.0 (target August 08)

Modular AAA for Wireless and Wireline carriers
• Standalone AAA server
• Combining all previously existing Juniper AAA carrier functionality into 1 modular product
• Adding a mobile WiMAX module

[Diagram labels: SBR Carrier Core; OSS Interfaces; Front-Ends; Back-Ends; Authentication modules; Mobility modules; Optional modules; GUI, LDAP, SNMP, CLI, SQL, LDAP, HLR Gateways, Proxy RADIUS, RADIUS, SMSauth, SIMauth, CDMA Mobility, WiMAX Mobility, Scripting]

*CDMA mobility and SMS auth EFT only in v7.0

Page 11:

SBR Carrier Core

Built on industry-proven SBR SPE technology!
• Open and flexible AAA functionality regardless of end user access technology (through RADIUS, EAP, HTTP-digest), integrated into 1 platform
• Supports SQL or LDAP based user repository, regardless of DB schema
• Advanced service delivery features
• Carrier grade proxy engine and filtering features
• Virtualization support
• Network integration features

• All 3GPP support built into SBR Carrier Core
• Comes with all EAP methods enabled out of the box (except SIM/AKA): MD5, LEAP, GTC, POTP, PEAP, TLS, TTLS, FAST
• Supports unlimited virtualization (directed realms)
• Multiple additional optional features available

Page 12:

SBR Carrier 7.0 core new features

Flexible sub-TLV support
• Support for sub-TLVs in the core AAA engine
• Allow any sub-TLV requirement to be configured in the AAA core

Location based profiles
• Enables policy granularity on location basis
• Access technology based policy

Available in 2 flavors:
• Location based profiles for users
• Location based profiles for groups

Improved Management
• Web delivered Administration UI
  • Downloadable to any station
  • No permanent UI install
  • A browser is sufficient
• UI managed EAP configuration
• UI based filter management
• Administration audit logs ensuring administration accountability

Enhanced scripting features
• Enabling precise implementation of custom service and business logic
• Providing unparalleled flexibility in implementing and growing service and business logic
• JavaScript realm selection and JavaScript filter selection can:
  • Query and modify any AVP
  • Query LDAP or SQL databases

Page 13:

SBR Carrier: Authentication Modules, Mobility Modules and Optional Modules

SIMauth: SIM authentication methods for PWLAN and UMA
• SIM authentication and authorization (against HLR over SS7 or SIGTRAN)
• Kineto INC S1 interface (UMA & Femtocell)

SMSauth: SMS OTP provisioning and authentication methods

CDMA MIM: CDMA Mobility module
• CDMA mobility, resource assignment and prepaid features
• CDMA RevA QoS support

Scripting: JavaScripting module
• LDAP JavaScripting
• JavaScripted Filters
• Core routing JavaScripting

Page 14:

WiMAX in SBR Carrier 7.0

Modular approach, SBR Carrier Core +
• WiMAX Module for wireline integration (EAP-TLS, EAP-TTLS)
• WiMAX module + SIM authentication module for GSM/UMTS integration (EAP-AKA)
• WiMAX Module + CDMA mobility module for CDMA integration

WiMAX mobility management:
• Mobile IP v4 support
• ASN and CSN authentication authorization
• ASN and CSN key management

WiMAX resource management
• Home Agent Management
• Home Address (IP-address) Management

WiMAX QoS support

Charging

Roaming: H-AAA and V-AAA

Standards: WiMAX Forum NWG Stage 3 rev. 1.0, 1.1 and 1.2 compliant

Page 15:

Step 2: SBR Carrier v 7.2 (target Q1 09)

Modular Carrier Grade AAA
• Available standalone or with HA cluster
• Combining all previously existing carrier functionality into 1 product
• Adding central address allocation, concurrency and Session Control modules

[Diagram labels: SBR Carrier Core; HA Cluster Session DB; OSS Interfaces; Front-Ends; Back-Ends; Authentication modules; Mobility modules; Optional modules; GUI, LDAP, SNMP, CLI, SQL, LDAP, HLR Gateways, Proxy RADIUS, RADIUS, SMSauth, SIMauth, CDMA Mobility, WiMAX Mobility, Scripting, SQL*, Xml/https**, Session Control, Concurrency, Address Allocation]

* Only in combination with Session control module

Page 16:

SBR Carrier Non-Stop AAA and Service Delivery

[Diagram labels: Network, Policy & Control, Service; IPTV, Home VoIP, Internet, Video Telephony, Mobile VoIP, Video Roaming, FMC, Push to Talk, FR VPN, ATM VPN, PSTN, Provider Unique Services; CPE, Wireless Access, Edge, Core, Data Center; SQL/LDAP/CLI/Https; RADIUS/RADIUS CoA; Applications; SBR SessionDB cluster: Node Group 1 (Node 1A, Node 1B), Node Group 2 (Node 2A, Node 2B), Node Group 3 (Node 3A, Node 3B)]

Page 17:

SBR Carrier 7.2: New Optional Modules

Session Control: In-session service changes
• RADIUS CoA based
• XML over HTTPS and CLI (scripting) based interfaces
• Applications: In session Hotlining, Legal Intercept, Disconnect, Prepaid, Tiered Services

Concurrency: User/Group based concurrency
• Requires HA Cluster session DB for enforcement across the network
• Concurrency limitations on a per-user basis
• Concurrency limitations on a configurable attribute
• Concurrency limitations on a group basis (wholesale)

Address Allocation: Centralized IP-address allocation
• Requires HA Cluster session DB for central IP-address pool management
• All SBR Carrier Frontend AAA nodes use the same address pools
• Splitting of address pools per AAA no longer required

Page 18:

SBR Carrier 7.2: Other features

Session database query support:
• SQL
• LDAP (limited scalability: 150 attributes/sec)
• https (requires session control module)
• CLI
• GUI

Extendable session database both in HA mode and Standalone mode:
• Service providers now have the ability to extend their session database with any attribute (available in HA and standalone mode)

EAP-TTLS secondary authentication support:
• It is now possible to perform a secondary authentication on the content of a client certificate used during EAP-TTLS authentication, as already supported in the SBR Carrier 7.0 EAP-TLS implementation

Proxy enhancements:
• Exclude-unknown in filters: the ability to filter out attributes that the proxy server is not able to interpret when proxying a message
• Disable strobe when target goes in fastfail: allow the server not to use the strobe mechanism to detect if a server is up, but solely rely on the timer mechanism

SNMP proxy alarming improvements:
• SNMP trap when proxy target goes out of service
• SNMP trap when proxy realm (all targets) goes out of service

Logging enhancements:
• Time based SBR log rollover: next to the already supported volume based log rollover, a time based rollover will now also be supported
• Session identifier in log files: allows easy correlation of messages belonging to the same session

Page 19:

SBR Carrier 7.x: Feature Candidates

Charging Module:
• Accounting reconciliation, combination, pacing
• CDR generation

LDAP:
• Scalable and performant LDAP interface to the session database

Extended wholesale features (Group based concurrency)
• Hard and Soft limits with notification
• Time of day
• Region support

Asynchronous Inter-cluster replication:

IMS-AAA session cluster integration

SRC-PE Session Cluster integration

Juniper Hardware (appliance) based solution

[Diagram labels: DC1, DC2; in each: Node 1A and Node 1B (Stateless Front-end AAA), Node Group 1, Node 2A, Node 2B, Node Group 2, Node 3A, Node 3B, Node Group 3; Asynchronous replication]

Page 20:

SBR Carrier 7.x: Feature candidate: NASS

[Diagram labels: layers Policy & Control, Transport, Services & Applications; A-RACF, Border Node, SPDF, AF, IP Edge, L2T Point, RCEF, AMF, CSCF; interfaces E4 (diameter), Gq', Ia, Ra, Di, Ds, Re, Rq, E2, E2 (diameter), A1 (DHCP), A1 (RADIUS), A3 (RADIUS); SRC-PE; SRC-NASS; CLF: SBR Carrier 7.x CLF gateway; UAAF/NACF: SBR Carrier 7.x RADIUS node; Node Group 1 (Node 1A, Node 1B), Node Group 2 (Node 2A, Node 2B), Node Group 3 (Node 3A, Node 3B)]

Page 21: