Showing posts with label NAT. Show all posts

Thursday, January 24, 2013

F5 CEO Reports on DPI Products; Availability not Provided


In November 2011, F5 announced its plans to introduce policy enforcement and Deep Packet Inspection products planned for release in 2013 (see "F5 Service Provider/Mobile Road Map: Focus on DPI" - here), after the intention to acquire Allot Communications for $500M (here) did not materialize. Allot's market cap is now $456M, after reaching $930M during 2012.

John McAdam (pictured), President and CEO, provided an optimistic update during F5's recent earnings call, although a release date was not provided - despite previous reports about DPI reaching beta status (see "F5 - Moving Ahead with DPI (already in Beta)" - here).

"Our development team made fantastic progress last quarter in meeting their development milestones to deliver a significant new release of TMOS referred to internally as Solar .. and a new service provider solutions that carry a great network address translation, and policy enforcement module with deep po[a]cket inspections.

Our policy enforcement module allows bigger IT to inspect and classify application and protocol traffic and dynamically enforce service provider policies. For example, our policy enforcement module supports a GX interface enabling inter-operability with a broad set of PCRX[F] and our own traffic signaling delivery controller" [refers to the Traffix product line - see "F5 Acquires Traffix Systems for $135M" - here].

Later, questions from Matt Robison, Wunderlich Securities, also referred to DPI, and were answered by Karl Triebes, EVP, Product Development and CTO (see also "F5 Platform Road Map - 100GE Ports Planned for 2013/14" - here).

F5 VIPRION 4480
Q: So, is there any specific hardware that needs to be in place to invoke the policy enforcement – the DPI capability that is required for that?

A: Yes, with the PenModual [?], obviously our VIPRION platforms and our higher end platforms – right now, we don’t support it on the low end of the range yet, because it is very much focused on the surge provider market.

Q: Yes, so the VIPRION platforms that are available now can do it?

A: That is correct.

See "F5 Networks' CEO Discusses F1Q13 Results - Earnings Call Transcript" - by Seeking Alpha, here.

Saturday, December 1, 2012

[IETF Draft]: Manage and Enforce Policies for Devices Behind NAT

 
A new IETF draft by Mohamed Boucadair (France Telecom) and Tirumaleswar Reddy, Prashanth Patil and Dan Wing (pictured) of Cisco aims to provide granular policy management and enforcement for multiple devices behind a single NAT address.

"This document describes how to use PCP to retrieve the identity of a host behind a NAT. Two use cases are discussed and the PCP applicability is analyzed. This document extends PCP with a new OpCode: QUERY. The proposed mechanism is valid for all NAT flavors including NAT44, NAT64 or NPTv6".

The PCP (Port Control Protocol) QUERY opcode "can be used to query PCP-aware NAT to retrieve the Internal IP Address and Internal Port of a given mapping".

PCP Mapping IPv6 and IPv4 (Source: Cisco)


See "Using PCP to Reveal a Host behind NAT" - here.

Saturday, June 9, 2012

Procera Explains the New NAT and Steering Features


Procera Networks published a white paper - "Intelligent Policy Enforcement and Application Delivery Networking - Advanced Traffic Steering and Carrier Grade NAT Technology Deployments" (here), explaining the features it released earlier this week for network and cloud service providers (see "Procera Adds Application and Subscriber-Aware Solutions to Cloud Service Providers" - here).

  • Advanced Traffic Steering - "PacketLogic Advanced Traffic Steering combines the subscriber and service awareness of the PacketLogic Subscriber Manager with the Application Awareness of the PacketLogic Real-Time Enforcement. The PSM provisions the PRE with the Traffic Steering policies, which can be based on subscriber ID, subscriber service plan (for example subscriber is under 18), location, and device attributes, and combined with the specific traffic or application types that will receive traffic steering treatment"

  • Carrier Grade NAT - "PacketLogic Carrier Grade NAT is the first IPE-based large scale NAT solution for network operators. Network operators are finding it increasingly difficult to manage their subscriber growth with their existing address space. Most operators do not have the ability to request more address space from the Internet Assigned Numbers Authority (IANA), as there is very little address space available (none in some regions). As a result, operators are attempting to launch IPv6 services to ease address congestion, but this rollout has been hindered by many different engineering and product challenges. As a result, operators are attempting to deploy Carrier Grade NAT (also known as Large Scale NAT) to ease their address shortages. The challenge with implementing with current CGN products is that they lack subscriber and service plan awareness, and most are not designed to scale with transparent stateful processing of application traffic".

Sunday, August 28, 2011

Research: US MNOs' Firewall Policies Degrade Network Performance

  
A research paper by Zhaoguang Wang, Zhiyun Qian, Qiang Xu and Z. Morley Mao (pictured) from the University of Michigan, and Ming Zhang from Microsoft Research, finds that key NAT and firewall policies used by cellular operators in the US have direct implications on performance, energy, and security.

For example, the research found that "One of the largest U.S. carriers is found to configure firewalls to buffer out-of-order TCP packets for a long time, likely for the purpose of deep packet inspection. This unexpectedly interferes with TCP Fast Retransmit and Forward RTO-Recovery, severely degrading TCP performance triggered merely by a single packet loss".

See "An Untold Story of Middleboxes in Cellular Networks" - here.

ABSTRACT

"We present NetPiculet, the first tool that unveils carriers’ NAT and firewall policies by conducting intelligent measurement. By running NetPiculet in the major U.S. cellular providers as well as deploying it as a smartphone application in the wild in more than 100 cellular ISPs, we identified the key NAT and firewall policies which have direct implications on performance, energy, and security. For example, NAT boxes and firewalls set timeouts for idle TCP connections, which sometimes cause significant energy waste on mobile devices. Although most carriers today deploy sophisticated firewalls, they are still vulnerable to various attacks such as battery draining and denial of service. These findings can inform developers in optimizing the interaction between mobile applications and cellular networks and also guide carriers in improving their network configurations".
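The fast-retransmit interference the paper describes can be reproduced in a small simulation. This is an added example, not code from the paper or the post; it assumes a single lost segment, a fixed RTT and RTO, and a firewall that releases held segments only once the gap is filled, and compares how quickly the sender learns of the loss with and without that buffering.

```python
RTT_MS = 100          # sender <-> receiver round trip (assumed)
RTO_MS = 1000         # retransmission timeout, RFC 6298 minimum
DUPACK_THRESHOLD = 3  # duplicate ACKs that trigger fast retransmit (RFC 5681)
SEGMENTS = 10         # segments sent back to back, one per millisecond

class Receiver:
    """Cumulative-ACK receiver: an out-of-order arrival re-ACKs the expected seq (a dup ACK)."""
    def __init__(self):
        self.expected, self.reordered = 0, set()
    def receive(self, seq):
        if seq == self.expected:
            self.expected += 1
            while self.expected in self.reordered:
                self.reordered.discard(self.expected)
                self.expected += 1
        elif seq > self.expected:
            self.reordered.add(seq)
        return self.expected  # ACK number returned to the sender

class BufferingFirewall:
    """Model of the carrier firewall from the paper: out-of-order segments are held until
    the gap is filled, so while one is missing the receiver sees nothing and sends no dup ACKs."""
    def __init__(self):
        self.expected, self.held = 0, set()
    def forward(self, seq):
        self.held.add(seq)
        released = []
        while self.expected in self.held:  # release the in-order run, if any
            self.held.discard(self.expected)
            released.append(self.expected)
            self.expected += 1
        return released

def simulate(buffering, lost_seq=2):
    """Send SEGMENTS segments, drop one on the radio link, and report how the
    sender detects the loss: ('fast_retransmit' | 'rto', time_ms, dupacks)."""
    receiver, firewall, last_ack, dupacks = Receiver(), BufferingFirewall(), 0, 0
    for seq in range(SEGMENTS):  # segment seq leaves the sender at t = seq ms
        if seq == lost_seq:
            continue  # dropped before the firewall ever sees it
        for s in (firewall.forward(seq) if buffering else [seq]):
            ack = receiver.receive(s)
            if ack != last_ack:  # new data acknowledged: reset the dup count
                last_ack, dupacks = ack, 0
                continue
            dupacks += 1
            if dupacks == DUPACK_THRESHOLD:  # third dup ACK arrives one RTT later
                return "fast_retransmit", seq + RTT_MS, dupacks
    return "rto", lost_seq + RTO_MS, dupacks  # RTO timer started when the lost segment was sent
```

Without the buffering firewall the third duplicate ACK arrives about one RTT after the loss; with it, the sender never sees a duplicate ACK and waits a full RTO, an order of magnitude longer here.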

Wednesday, March 23, 2011

Sandvine and Citrix Integrated Offload Solution - See How!


Sandvine announced that "... it is collaborating with ... Citrix Systems to offer mobile packet core offload solutions for mobile carriers".

The joint solution integrates Sandvine's DPI products (PTS) with Citrix NetScaler (here), a product line that until now has addressed, and is associated by many with, the enterprise and data center markets.

Sandvine presents two use-cases:
  1. Help mobile carriers reduce both packet core congestion and transit costs, using intelligent traffic redirection based on subscriber, device, and application type. In this scenario, the PTS redirects select mobile 3G or 4G data traffic to NetScaler, which routes the traffic via a direct path to the Internet, while the control plane remains unaffected.

  2. Multi-national mobile providers can improve service for data roaming subscribers on affiliated networks. This solution reduces network transit costs while dramatically reducing traffic latency for an improved user experience.

According to Don Bowman, Sandvine's CTO, NetScaler performs the network address translation (NAT). The PTS is installed in the IuPS (see chart below and "Sandvine New DPI Device for LTE" - here). Sandvine's PTS performs the online and offline charging functions, as otherwise the carrier cannot count the data. The PTS also selects the 'right user', 'right traffic', etc.: for example, one operator's deployment might steer only HTTP traffic from laptops, another only post-paid data.


In the second use case, it is the same deployment but on the Gp interface, and the PTS has a relationship with multiple OCS and OFCS systems, one for each home operator. It allows local serving of outbound roaming traffic.

In addition, NetScaler also provides cache integration (here).