Understanding DPI and service control
Lazar Obradovic, Cisco Systems
© 2010 Cisco and/or its affiliates. All rights reserved. Cisco Confidential
24 slides (gsf11 lazar obradovic_2-4_web_understanding_dpi)

Upload: cisco-public-sector, posted on 05-Jul-2015

TRANSCRIPT

Page 1:

Understanding DPI and service control

Lazar Obradovic, Cisco Systems

Page 2:

• Service Control Engine
• Visibility
• Control
• Summary

Page 3:

Stats of our network? What's causing congestion? Where?

Security: Obvious attacks? Malicious traffic? Suspicious traffic?

Marketing: What are subscribers doing? How do we monetize that?

Page 4:

SNMP
• Statistics
• Layer 2

Netflow
• Statistics
• Layer 3-4

Security
• Details of critical points
• Semantics of details
• Layer 7

Protocol analyzers
• Details
• Semantics
• Layer 7

Page 5:

Application recognition
• Go deeper into the packet and tell the application rather than the ports it's using

User awareness
• Reference users by their IDs, not by IP addresses

Visibility and reporting
• Full and comprehensive report about anything possible

Control
• Breadth of techniques and mechanisms to influence and control traffic

Page 6:

SNMP
• Statistics
• Layer 2

Netflow
• Statistics
• Layer 3-4

DPI
• Statistics and details
• Layer 3-7

Security
• Details of critical points
• Semantics of details
• Layer 7

Protocol analyzers
• Details
• Semantics
• Layer 7


Page 8:

Service Control Engine

Page 9:

• Cisco offers 2 generations of SCEs:

  SCE1010 / SCE2020 – fixed configuration, Gigabit Ethernet models

  SCE8000 – modular configuration, Gigabit or TenGigabit Ethernet model

Page 10:

• All SCE platforms share some common properties:

  Stand-alone appliances – can be inserted into any Ethernet/IP network

  L2-L3 transparent – no MAC / IP address on the data ports

  Data / control plane separation – data and control planes are completely separate and don't influence each other's performance

  Dedicated hardware – the data plane is a combination of fast FPGAs and a powerful CPU, backed by lots of memory

  IOS-like CLI – the CLI for configuring low-level properties is based on an IOS-like interpreter

  Low latency – all platforms introduce low latency (~32 µs) and almost no jitter. The hardware fast-path is a separate hardware path for delay-sensitive traffic, ensuring very low latency (~10 µs)

  Open APIs – for integration into OSS/BSS/Security

Page 11:

                              SCE1010              SCE2020              SCE8000
Data plane interfaces         2x GE                4x GE                Modular: 2x or 4x 10GE, 8x or 16x GE
DPI performance               2 Gbps               2.8 – 3.2 Gbps       15 Gbps / 30 Gbps
Maximum concurrent subscribers 40K – 200K          80K – 200K           250K – 1M
Maximum open flows            1M – 400K            8M – 5M              16M – 10M
Insertion modes               Recv-only, Inline,   Recv-only, Inline,   Recv-only, Inline,
                              MG-SCP               Cascade, MG-SCP      Cascade, MG-SCP

Page 12:

• Protocol coverage:

  600 protocols – 950 L7-based signatures

  900 protocols – port-based

• ~1200 customers, multiple geographies, multiple SP segments

• Application groups: Voice, Video, File-Sharing, File-Hosting, Gaming, News-Groups, Instant-Messaging, Web-based services, etc.

• Classification engine supports customer-generated signatures

• Supports classification modifiers:

  Zones – collection of network-side prefixes

  Application parameters – URL, User-Agent, Calling/Called Number, Domain name, Content-type…

• Zero Day Classification – behavioral / heuristic algorithms
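The two points on pages 5 and 12, classifying by what is in the payload rather than which port it rides on, and enriching the verdict with modifiers (zones built from network-side prefixes, application parameters such as URL, User-Agent and Content-type), are easiest to see in code. The block below is an added example, not Cisco SCE code and not the SCE signature language: the signatures, the port table, the zone prefixes (RFC 5737 documentation ranges) and the sample flows are all constructed for illustration. Port-based classification is only consulted when no L7 signature matches, which is what lets the BitTorrent-on-port-80 sample be named correctly.

```python
"""Illustrative L7-vs-port classifier with classification modifiers.

Added example, not Cisco SCE code.  Classify by looking into the payload
(L7 signatures), fall back to the port table only when nothing matches, and
attach modifiers: a zone from the network-side prefix and the application
parameters pulled from an HTTP request head.  Everything below is constructed.
"""
import ipaddress
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    src_ip: str          # subscriber side
    dst_ip: str          # network side
    dst_port: int
    payload: bytes       # first client-to-server bytes of the flow


# Hypothetical L7 signatures over the head of the payload, most specific first.
L7_SIGNATURES = [
    ("bittorrent", re.compile(rb"^\x13BitTorrent protocol")),
    ("ssh", re.compile(rb"^SSH-\d\.\d-")),
    ("tls", re.compile(rb"^\x16\x03[\x00-\x03]")),
    ("sip", re.compile(rb"^(INVITE|REGISTER|OPTIONS) sip:")),
    ("http", re.compile(rb"^(GET|POST|HEAD|PUT|DELETE|OPTIONS) \S+ HTTP/1\.[01]\r\n")),
]

# Hypothetical port-based fallback, consulted only when no signature fires.
PORT_TABLE = {80: "http", 443: "tls", 22: "ssh", 5060: "sip", 6881: "bittorrent"}

# Hypothetical zones: named collections of network-side prefixes.
ZONES = {
    "cdn": [ipaddress.ip_network("203.0.113.0/24")],
    "partner-voip": [ipaddress.ip_network("198.51.100.0/26")],
}


def classify(flow, signatures=L7_SIGNATURES, ports=PORT_TABLE):
    """Return (application, method); method is 'l7', 'port' or 'unknown'."""
    head = flow.payload[:64]
    for app, pattern in signatures:
        if pattern.search(head):
            return app, "l7"
    if flow.dst_port in ports:          # the port is a hint, not evidence
        return ports[flow.dst_port], "port"
    return "unknown", "unknown"


def zone_of(ip, zones=ZONES):
    """Name of the zone whose prefixes contain ip, or None."""
    addr = ipaddress.ip_address(ip)
    for name, prefixes in zones.items():
        if any(addr in prefix for prefix in prefixes):
            return name
    return None


def http_params(payload):
    """Request line and headers of an HTTP/1.x request head as a dict.

    Keys are 'method', 'url' and lower-cased header names; None if the
    payload does not start with a well-formed request line."""
    head, _, _ = payload.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    parts = lines[0].split(b" ")
    if len(parts) != 3 or not parts[2].startswith(b"HTTP/1."):
        return None
    params = {"method": parts[0].decode("ascii", "replace"),
              "url": parts[1].decode("ascii", "replace")}
    for line in lines[1:]:
        name, sep, value = line.partition(b":")
        if sep:
            key = name.strip().lower().decode("ascii", "replace")
            params[key] = value.strip().decode("ascii", "replace")
    return params


def describe(flow):
    """Classification plus modifiers, the shape a policy engine would consume."""
    app, method = classify(flow)
    result = {"app": app, "method": method, "zone": zone_of(flow.dst_ip)}
    if app == "http" and method == "l7":
        params = http_params(flow.payload) or {}
        for key in ("url", "user-agent", "content-type"):
            result[key] = params.get(key)
    return result


# Constructed sample flows.
SAMPLE_FLOWS = {
    # HTTP on a non-standard port: the signature wins over the port.
    "http_8080": Flow("10.0.0.1", "203.0.113.10", 8080,
                      b"GET /video/clip.mp4 HTTP/1.1\r\nHost: cdn.example\r\n"
                      b"User-Agent: curl/7.0\r\n\r\n"),
    # BitTorrent handshake on port 80: a port-based tool would call it web.
    "bt_on_80": Flow("10.0.0.2", "192.0.2.7", 80,
                     b"\x13BitTorrent protocol" + b"\x00" * 8 + b"x" * 20),
    # No recognisable head on 443: fall back to the port table.
    "opaque_443": Flow("10.0.0.3", "198.51.100.5", 443, b"\x00\x01\x02\x03"),
    # Nothing known at all.
    "opaque_9999": Flow("10.0.0.4", "192.0.2.9", 9999, b"\xff\xfe"),
}
```

The `method` field is worth keeping in whatever record the classifier emits: a verdict reached by port only is weaker evidence than a signature match, and a policy that throttles or reports on it should know the difference.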

Page 13:

• SCE exports 30 types of Raw Data Records (RDRs):

  Link Usage RDR
  Zone RDR
  Virtual Link RDR
  Package Usage RDR
  Subscriber Usage RDR
  Real-time Subscriber Usage RDR
  Transaction RDR
  Transaction Usage RDR
  HTTP / VoIP / Video Transaction Usage RDR
  Flow RDR
  Malicious Traffic RDR
  SPAM RDR
  Quota RDR
  […]

• Depending on the type, RDRs include:

  Source / Destination IP/Port
  Timestamp, duration, volume
  Application ID
  Requested URL, User-agent, Cookie
  Delivered content type
  Called / Calling Numbers
  Video codec and bitrate
  Filename
  P2P file hash
  Attack type
  List of email recipients
  OS type*
  […]

Page 14:

• Policy decisions can be made based on multiple criteria:

  Application usage (all levels)
  Subscriber quota
  Priority (application or subscriber)
  Time of day
  State of attack
  Presence of other applications

• Once a decision is made, control can be established on many levels:

  Link
  Application per link
  Subscriber group
  Subscriber total bandwidth
  Application per subscriber
  Application flow

• Complex policies include multiple chained rules

• Actions can be chained too*

• Connections can be:

  Allowed
  Dropped
  Policed (CIR and PIR)
  Redirected (Layer 2)
  Redirected (Layer 7, HTTP and RTMP)
  Mirrored
  Captured
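To make the decision model on this page concrete (criteria, chained rules, chained actions, and the "Policed (CIR and PIR)" outcome), here is an added example in Python. It is not Cisco SCE code and not the SCA-BB policy language; the rules, rates, subscribers and flows are constructed, subscribers are keyed by subscriber ID rather than IP as page 5 asks, and the policer is a colour-blind two-rate token bucket in the style of RFC 2698 (trTCM), which is one standard way to enforce a CIR/PIR pair; the deck does not state which policer the SCE uses.

```python
"""Policy decision chain and CIR/PIR enforcement sketch.

Added example, not Cisco SCE code.  Criteria: application, subscriber
quota, priority, time of day, attack state, presence of other applications.
Rules are evaluated in order; a non-final rule records its action and lets
evaluation continue (action chaining).  Rules, rates and data are constructed.
"""
from dataclasses import dataclass, field
from datetime import time
from enum import Enum


class Action(Enum):
    ALLOW = "allow"
    DROP = "drop"
    POLICE = "police"          # params: cir, pir in bytes/s
    REDIRECT_L7 = "redirect"   # params: url (HTTP redirect)
    MIRROR = "mirror"


@dataclass
class Subscriber:
    sub_id: str                # subscriber ID, not an IP address
    quota_bytes: int
    used_bytes: int = 0
    priority: int = 0
    under_attack: bool = False
    active_apps: set = field(default_factory=set)   # other apps seen on this subscriber

    def quota_exhausted(self):
        return self.used_bytes >= self.quota_bytes


@dataclass
class Flow:
    app: str                   # classifier verdict, e.g. "bittorrent"
    group: str                 # application group, e.g. "file-sharing"
    subscriber: Subscriber
    now: time                  # time of day at decision time


def make_flow(app, group, subscriber, hour, minute=0):
    return Flow(app, group, subscriber, time(hour, minute))


@dataclass
class Rule:
    name: str
    match: object              # callable Flow -> bool
    action: Action
    params: dict = field(default_factory=dict)
    final: bool = True         # False: record the action and keep evaluating


def peak_hours(t):
    return time(18, 0) <= t < time(23, 0)


# Hypothetical chained policy; the first final match ends evaluation.
RULES = [
    Rule("drop-while-attacking", lambda f: f.subscriber.under_attack, Action.DROP),
    Rule("mirror-newsgroups", lambda f: f.group == "news-groups", Action.MIRROR, final=False),
    Rule("quota-portal", lambda f: f.app == "http" and f.subscriber.quota_exhausted(),
         Action.REDIRECT_L7, {"url": "http://portal.example/quota"}),
    Rule("quota-police", lambda f: f.subscriber.quota_exhausted(),
         Action.POLICE, {"cir": 8_000, "pir": 16_000}),
    Rule("p2p-peak", lambda f: f.group == "file-sharing" and peak_hours(f.now),
         Action.POLICE, {"cir": 32_000, "pir": 64_000}),
    Rule("p2p-while-voice", lambda f: f.group == "file-sharing"
         and "voice" in f.subscriber.active_apps and f.subscriber.priority < 2,
         Action.POLICE, {"cir": 64_000, "pir": 128_000}),
]


def decide(flow, rules=RULES):
    """Evaluate the chain; returns [(rule name, Action, params), ...] in order."""
    chain = []
    for rule in rules:
        if rule.match(flow):
            chain.append((rule.name, rule.action, rule.params))
            if rule.final:
                return chain
    chain.append(("default", Action.ALLOW, {}))
    return chain


class TwoRatePolicer:
    """Colour-blind two-rate policer (RFC 2698 trTCM style), rates in bytes/s.
    green: within CIR; yellow: above CIR but within PIR; red: above PIR (drop)."""

    def __init__(self, cir, pir, cbs=None, pbs=None):
        self.cir, self.pir = cir, pir
        self.cbs = cir if cbs is None else cbs      # committed burst size
        self.pbs = pir if pbs is None else pbs      # peak burst size
        self.tc, self.tp = self.cbs, self.pbs       # both buckets start full
        self.last = 0.0

    def colour(self, size, t):
        dt = max(0.0, t - self.last)
        self.last = t
        self.tc = min(self.cbs, self.tc + self.cir * dt)   # refill committed bucket
        self.tp = min(self.pbs, self.tp + self.pir * dt)   # refill peak bucket
        if size > self.tp:
            return "red"
        if size > self.tc:
            self.tp -= size
            return "yellow"
        self.tp -= size
        self.tc -= size
        return "green"


def police(packets, cir, pir):
    """Colour a packet sequence [(size_bytes, t_seconds), ...] with one policer."""
    p = TwoRatePolicer(cir, pir)
    return [p.colour(size, t) for size, t in packets]
```

Rule order is the policy: with the attack rule first, a subscriber flagged as attacking is dropped before any quota or application rule is consulted, and moving it lower would silently change that. The returned chain records every action taken, which is the information a Transaction or Flow RDR would need to carry for the decision to be auditable.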

Page 15:

[Architecture diagram: the Service Control Engine sits between Users and Network; around it are the Subscriber and Quota manager, AAA, Data retention, Cisco Insight, the SCA-BB Console, a Portal, the Collection Manager and an Event correlation engine]

1. SCE appliance to view and act on the packets

2. Collection Manager to collect data records for reporting and external DBs

3. Subscriber Manager to coordinate subscriber info with AAA and control subscriber-level policies

4. Cisco Insight to provide business intelligence and network trending reports

Page 16:

• Cisco Insight is a next-generation web-based reporting tool that unlocks the SCE's full traffic management potential

Page 17:

• New easy-to-use GUI leveraging Adobe FLEX™ technology to improve usability and maximize the user experience

• Advanced graphical widgets (time sliders, tree views, dynamic selection controllers, etc.)

• Wizard-like guide through the process of report creation

Page 18:

• 150+ report types

• Custom dashboard

• Scheduled reports

• Email notification of reports

• Report comparison and trend analysis reports (traffic analysis, trend studies, comparisons)

• Report export in different formats: PDF, Excel, image

Page 19:

• Operators can create many users and assign different view rights

• Restrict access based on:

  Report type
  Topology
  Object type

• Full auditing

Page 20:

• Objects are organized in a tree-like structure:

  Devices
  Links
  Parts of networks
  Groups of subscribers
  Subscribers

• Graphical topology view, customizable by user

Page 22: Summary (the comparison from page 6, repeated)

SNMP – statistics, Layer 2
Netflow – statistics, Layer 3-4
DPI – statistics and details, Layer 3-7
Security – details of critical points and their semantics, Layer 7
Protocol analyzers – details and semantics, Layer 7

Page 23:

Service Control Engine

Page 24:

Thank you.