Broadband Networks – Overview

and Best Practices

Ananth Nagarajan
Feb 2005, SANOG V, Dhaka, Bangladesh

Copyright © 2003 Juniper Networks, Inc. Proprietary and Confidential www.juniper.net 1

 Agenda
™ Subscriber Management – BRAS Basics

™ Subscriber Management – Applications

Copyright © 2003 Juniper Networks, Inc. Proprietary and Confidential www.juniper.net 2

 Subscriber Management –
BRAS Basics

Copyright © 2003 Juniper Networks, Inc. Proprietary and Confidential www.juniper.net 3

 BRAS Overview
€ BRAS … Broadband Remote Access Server
€ First network element that provides IP services to
subscribers
€ BRAS means Subscriber Management
€ Subscriber Management
€ Subscriber … provisioned in the OSS database
€ User…online, in session
€ Fully dynamic per user
€ Each individual user is authenticated
€ IP address assignment
€ Policies (next-hop, rate-limit, TOS, etc.)
€ QoS – traffic classes/queues
€ Accounting

Copyright © 2003 Juniper Networks, Inc. Proprietary and Confidential www.juniper.net 4

 Typical BRAS Network (DSL)
€ DSL today means ATM
PC client with
€ Popular AccessDSL-
• PCI-based Models DSLAM (Digital Subscriber Line Access MUX)
€ Client
modem(PPPoE, PPPoA) • DSL lines aggregation and
€ Access
• Runs network
PPPoA termination
(B-ETH)
• L2 Bridge
• Uplink (today) is DS3/OC-3/OC-12
L2 switchPPPoA L2 Access
• Connected
PC
AAL5 to a DSL-
IP Edge
DSL
modem BRAS
IP Core
•1483-R
Modem runs 1483-B
AAL5 Home Gateway (LAN
ATM
DSL
L2 Switch interfaces)
• Runs PPPoE
• Connected
PPPoE to DSL-modem
DSLAM
1483-B
• DSL-modem runs 1483-B
AAL5
Radius DHCP
DSL
Home GW

Copyright © 2003 Juniper Networks, Inc. Proprietary and Confidential www.juniper.net 5

 Typical BRAS Network (DSL)
€ DSL today means ATM
BRAS
• L2 termination
€ Popular Accessand L3 forwarding
Models
ۥ Client
Radius client for user
(PPPoE, PPPoA)
authentication, accounting, IP
€ Access network (B-ETH)
address assignment
• DHCP server/proxy/client for IP
address assignment
PPPoA L2 Access
AAL5
PC IP Edge
DSL
BRAS
IP Core
1483-R
ATM
Radius AAL5
Proxy/Server
DSL
Router• Authenticates user against DB
• Returns parameters applied to
the user’s IP interfaceDSLAM
PPPoE (IP
1483-B
address, AAL5
DNS, VR, policies) –
Radius DHCP
in standard
Home GW
DSLattributes or VSA
• Collects accounting data

Copyright © 2003 Juniper Networks, Inc. Proprietary and Confidential www.juniper.net 6

 Typical BRAS Network (DSL)
€ DSL today means ATM
€ Popular Access Models
€ Client (PPPoE, PPPoA)
€ Access network (B-ETH)

PPPoA L2 Access
AAL5
PC IP Edge
DSL
PPP BRAS
IP Core
1483-R
AAL5 ATM
DSL
Router

Radius
PPPoE PPP
DSLAM
1483-B
AAL5
Radius DHCP
DSL
Home GW

Copyright © 2003 Juniper Networks, Inc. Proprietary and Confidential www.juniper.net 7

 BRAS Service Activation
1 Internet
7
5

4
2

3
1. User initiates PPP session
and provides 6
identification and RADIUS Repository Registration
password Server Rating & 5. Services Router configures
Billing
Service Provider Back-office the connection
2. Services Router detects Server
PPP initiation and
6. The RADIUS server starts
formulates RADIUS
an accounting usage
query
record
3. RADIUS queries directory 4. The RADIUS profile is
to validate user-id and 7. The user can now access
returned to the Services
password. If valid, services such as the
Router to configure the
RADIUS also queries the Internet
directory for the user’s connection
RADIUS profile

Copyright © 2003 Juniper Networks, Inc. Proprietary and Confidential www.juniper.net 8

 BRAS Service Deactivation & Acc’ting
12
Internet

8
DSLAM

10 11

RADIUS Repository Registration

Server Rating &
Billing
Service Provider Back-office Server

8. User terminates PPP session

9. Services Router notifies 11. Accounting start and stop 12. Invoices are generated
RADIUS server of PPP records make up a usage and sent to the subscriber
termination record for feeding into the
10. RADIUS creates an rating and billing server
accounting stop record

Copyright © 2003 Juniper Networks, Inc. Proprietary and Confidential www.juniper.net 9

 BRAS Service Activation w/
Service Portal Internet

Content
1
Provider A
5

DSLAM
Content
4
Provider B
2
7

6
1. User initiates PPP
session and provides Service RADIUS Repository Registration
identification and Selection Server Rating &
password Portal Billing
Server Server
2. Services Router detects PPP Service Provider Back-office
6. The RADIUS server starts an accounting
initiation and formulates RADIUS 4. The RADIUS profile is returned to usage record for the xDSL BRAS session
query the Services Router to configure the
connection. 7. The user can only access services
3. RADIUS queries directory to validate granted (in this example - Service
userid and password. If valid, RADIUS 5. Services Router Configures the
queries directory for the RADIUS profile Portal Only)
connection to allow access to
which will contain an Service Portal profile. Service Portal only (or Service
Portal+Internet Only)
Copyright © 2003 Juniper Networks, Inc. Proprietary and Confidential www.juniper.net 10
 BRAS Dynamic Service
Selection w/ Service Portal
1
SSP
4
3
1. Subscriber accesses the
Service Selection Portal
URL with a web browser
2. SSP server queries repository Service
Selection
for list of services available to Portal
subscriber using LDAP. Each
Server
service and its corresponding
COPS “commands” are cached.
3. SSP server builds a web page with
the relevant service choices and
returns this to the subscriber
Copyright © 2003 Juniper Networks, Inc.
Internet
Content
Provider A
DSLAM
Content
5 Provider B
6 7
RADIUS Repository Registration 6. SSP server notifies RADIUS
Server 2 Rating & accounting to generate a start
Billing
record for the selected service
Server
Service Provider Back-office
7. RADIUS writes accounting
4. Subscriber selects a service from the portal start record into the repository
by clicking on the service in the browser. In
this example, Content Provider B
5. SSP server uses COPS to configure the
Services Router to allow connection to the
selected service (Content Provider B) with a
given Qos level
Proprietary and Confidential www.juniper.net 11
 BRAS –
Building Blocks
• Retail, wholesale
• Personal TV, Video on
• Business/consumer Demand, VoIP, gaming
services Value-added
Services • Corporate VPN

• PPP, PPPoE, IDAS,

Subscriber Management Radius, DHCP, COPS
• Per subscriber
queuing, low
latency, traffic Quality of Service
shaping
• E.g. routing, multicast,
• Integrated edge L2TP, policy-enabled
router and networking, MPLS
subscriber Network Network traffic engineering,
management Awareness Services fine-grained stats
• BGP, MPLS, virtual
routers
• High subscriber
aggregation and
Network Scalability density, fault tolerant,
wire-speed redundancy

Copyright © 2003 Juniper Networks, Inc. Proprietary and Confidential www.juniper.net 12

 Subscriber Management –
Applications

Copyright © 2003 Juniper Networks, Inc. Proprietary and Confidential www.juniper.net 13

 L2 Access
Service Provider Edge must:
Dial-up
• Terminates a variety of access methods
and protocols
DSL
• Handle both IP and non-IP traffic
• Routes packets in wire-speed over a
Cable common IP Transport

GSM/GPRS
LMDS

WLAN
802.11
IP Backbone

Ethernet
(VLAN)
Leased Line Service Provider
IP or L2 Edge Router

Copyright © 2003 Juniper Networks, Inc. Proprietary and Confidential www.juniper.net 14

 BRAS – DSL Access
• PPP/PPPoE termination and subscriber management using Radius, DHCP and COPS
• IP SA validation and policy management
• Offerings such as tiered bandwidth, premium/business/consumer services

Storage
Network
B-RAS
Gaming
PPPoE/DSL Network
DSLAM
Video
Services
PPP/DSL

DSLAM
RADIUS Policies
DHCP

Copyright © 2003 Juniper Networks, Inc. Proprietary and Confidential www.juniper.net 15

 BRAS – DSL Access
Dynamic Service Selection
• SP designs policy-based service offerings, stores them
in directory
• Subscriber selects services from a customized portal
Policy Manager
• BRAS shares with Policy Manager the user id/domain
• Services are instantaneously activated
• Flexible accounting models (e.g. per service, per
usage, volume, time, event)
ISP
B-RAS
PPPoE
Corporate
VPN
DSLAM

PPP Content
Provider
DSLAM

Policies
RADIUS
DHCP

Copyright © 2003 Juniper Networks, Inc. Proprietary and Confidential www.juniper.net 16

 BRAS Access Wholesale – LAC
€ Physical link termination (LAC)
€ Tunnel assignment through Radius or local domain-map
€ PPP-session forwarded to LNS in L2TP tunnel/session
€ Hand-off PPP session to retail ISP

L2 Access
IP Edge LNS ISP
1
IP Core
PC
LAC
PPPoA
Access L2TP Tunnels
PPPoE DSLAM
BRAS
LNS ISP 2

Home GW
Radius DHCP

Copyright © 2003 Juniper Networks, Inc. Proprietary and Confidential www.juniper.net 17

 L2TP Tunnel Termination – LNS
€ LNS == BRAS == subscriber management
€ LNS == ILEC managed service or ISP
€ Terminate L2TP tunnel/session and PPP session
€ BRAS “as usual”, e.g.
€ Authenticate user
€ Apply IP services

IP Edge
Access IP Core
PC PPPoA Provider LAC
LNS

L2TP Tunnels
Access LAC BRAS
PPPoE Provider

Home GW
Radius DHCP

Copyright © 2003 Juniper Networks, Inc. Proprietary and Confidential www.juniper.net 18

 L2TP Tunnel Switching – LTS
€ Scaling L2TP tunnels
€ LNS – LAC Combination
€ Switch session across tunnels (could be in different VRs)
€ Tunnel assignment through Radius or local domain-map

Tunnel Switch
LAC LTS
PC PPPoA
LNS ISP X
L2TPLNS
Tunnels LAC
LNS
BRAS
LAC
PPPoE

Home GW
Radius DHCP

Copyright © 2003 Juniper Networks, Inc. Proprietary and Confidential www.juniper.net 19

 ML-PPP over L2TP
€ ML-PPP over L2TP
L2TP Dial - out
€ Dial-up PPP (modem, ISDN) sessions forwarded to BRAS using L2TP
€ ISDN -> 2nd B-channel: ML-PPP bundle is terminated at the LNS
€ L2TP dial-out
€ Network-initiated L2TP tunnel to NB-RAS

LAC L2TP
NB-RAS

IP Edge
IP Core
LNS
ML-PPP
over L2TP MPLS-VPN Core

BRAS
L2TP
Dial-out
Radius

Copyright © 2003 Juniper Networks, Inc. Proprietary and Confidential www.juniper.net 20

 Outsourced Access
(using Virtual Routers)
• Each Virtual Router (VR) contains a separate instance of
the IP stack and IP applications (e.g. route table, routing
protocols, route policies, SNMP)
• Each subscriber IP interface is associated with the VR of
the corresponding Retail ISP
Access ISP 1
IP Edge
IP/PPP VR
ISP 2
ADM
SONET
ETH

IP/Frame Relay

Copyright © 2003 Juniper Networks, Inc. Proprietary and Confidential www.juniper.net 21

 Secure Remote Access
• Microsoft is pushing for L2TP/IPSec for remote VPN Access; integral part of Windows
• BRAS acts as a VPN server, terminating L2TP/IPSec
• A “simple” machine-level certificate (no need for a user certificate, no need for strong
identity proof, no need for revocation procedures)
• This solution works for ANY access network, including IP backhaul via another ISP

IP over PPP/L2TP (name/pwd)

IPSec/IKE (machine certificates)
LAC Local access (PPP,
DHCP, whatever)

L2TP/IPSec Tunnel
LNS/ VR
PC Access
IPSec LNSVPN VPN
A A

BRAS VR VR
Transport VPNVPN
B B
Access

Home GW
Radius Radius

Copyright © 2003 Juniper Networks, Inc. Proprietary and Confidential www.juniper.net 22

 DSL Service Integration (with PPPoE)
• Users simply treated like ordinary DSL subscribers
• No special features required for W-LAN network operation
• PPPoE client software required on users’ PCs (not a typical assumption,
cf. business users & PDAs are usually DHCP-based)

Service Provider
Laptop PC R
Va ad
lid ius Network
PPPoE ati
on
PPPoE L2TP
Client Broadband
Laptop PC Wireless Aggregation
Access Router
Point Broadband
PDA
PDA Aggregation
Router
Radius
HotSpot Location Server

Wholesale model provided through L2TP ISP

(as with DSL & Metro Ethernet) or Content Provider

Copyright © 2003 Juniper Networks, Inc. Proprietary and Confidential www.juniper.net 23

 PPP/L2TP/IPSec down to the BRAS
• A BRAS could act as a VPN server, terminating L2TP/IPSec
• Client configuration (ok for Windows laptops; less clear for MacOS/Linux):
• A “simple” machine-level certificate (no need for a user certificate, nor a certificate directly issued by
VPN/ISP organization, no need for strong identity proof, no need for revocation procedures)
• DNS hostname or IP address of IPSec endpoint. If BRAS terminating IPSec is the local edge, then use
a virtual address identical for all “edge” BRAS. Hide it behind a DNS name.
• Then configure a “secured” VPN remote access via Microsoft wizards. Reasonably user-friendly.
• This solution works for ANY access network, including IP backhaul via another ISP

IP over PPP/L2TP (name/pwd) Radius

IPSec/IKE (machine certificates) RADIUS
Server(s)
Local access (PPP,
DHCP, whatever)
Internet
Radius Access
Laptop PC
client
Local
Network PPP Remote
Laptop PC Access VPN
Device
BRAS
PDA IP Network
PDA

Copyright © 2003 Juniper Networks, Inc. Proprietary and Confidential www.juniper.net 24

 Video Over IP
TV Servers

TV Servers

Services Router

TV Servers
• IP Based Subscriber Management
• Policy is enforced for each subscriber flow
• Rate shaping, rate limiting, filters, queuing
• Subscriber applications are treated according to policy
• I.E. Napster downloads won’t degrade home VPN connection

• Extends subscriber based services across existing cable networks

• Flexible billing models
• Advanced IP Services
• User-based bandwidth management

Copyright © 2003 Juniper Networks, Inc. Proprietary and Confidential www.juniper.net 25

 Video Services
• Multicast Video Services
• IP TV
• NVOD (Near Video on Demand)
• PC TV

• Unicast Video Services

• VOD (Video on Demand)
• Network PVR (Personal Video Recorder)
• Streaming Media
• Surveillance
• Video Teleconferencing

• All Require Access and end-to-end QoS and Bandwidth Control

Copyright © 2003 Juniper Networks, Inc. Proprietary and Confidential www.juniper.net 26

 Video Streaming over Ethernet
• Integrated subscriber management for Broadband Ethernet
– VLANs (802.1q)
• many VLANs and subscribers per chassis

• Unique services per VLAN

– VLAN to MPLS mapping

• Extended LAN services across IP WAN

• Individualized service profile per user

• VPN membership

• QoS Access

Gigabit Ethernet
IP Edge
IP Core ASP A
Services Router
VLAN 1 VLAN 5
ASP B
IP/ETH VLAN 6
PPPoE
VLAN 7
ISP B
Ethernet VLAN 2
Switch
(VLAN tagged)

Policies
RADIUS
DHCP

Copyright © 2003 Juniper Networks, Inc. Proprietary and Confidential www.juniper.net 27

 Multicast Services
•Current Model for Content Broadcasting: Unicast
•Consumes large amounts of Bandwidth and burns server resources
•Only available model because network could not cope with
Multicast bandwidth requirements

Consumer PC
Layer 3
FTTB / DSL
Service Delivery Point
OC-12 (MPLS)
ATM / FR / IP Core
Layer 2 PPP, etc.
Access Network
Ethernet
Edge
Router
PPP, F/R or ATM

Business
Customer Application
Server

Copyright © 2003 Juniper Networks, Inc. Proprietary and Confidential www.juniper.net 28

 Multicast Services
•Rolling out model for Content Broadcasting: Multicast at the IP Edge
•Consumes small amounts of bandwidth and doesn’t touch server resources
•Available because Services Router is capable of wire-rate Multicast routing
•Controlled and Billed on a Per Stream Basis through a Policy Engine

Consumer PC
Layer 3
Service Delivery Point PIM

FTTB / DSL IGMP IP Core

Layer 2 OC-12 (MPLS)
Access Network
Services Ethernet
Router
Edge
PPP, F/R or ATM Router
DVMRP IGMP

Policy Engine
Business
Customer Video Server

Copyright © 2003 Juniper Networks, Inc. Proprietary and Confidential www.juniper.net 29

 Deployed IP-TV Networks

DSLAM IP Core Network

STM-1 (IP)
Fast Ethernet

Set Top Box

TV STM-1
+ADSL Modem
ATM

Typical Subscriber
Services Router

GE
Authentication Network and Service Video Server
Authorization Policies DHCP Management;
Accounting (COPS) Billing

Ethernet IP HEAD-END
Switch
Directory
(LDAP)

Copyright © 2003 Juniper Networks, Inc. Proprietary and Confidential www.juniper.net 30

 Interactive Gaming
Requirements
• Low-latency transmission of control data
• Round trip delay <= 200 msec (<=100 preferred) for
Ultima as example
• Support for both text and voice chat
simultaneous/unimpeded by control flow
• Strong multicast capability
• Emerging need for streaming and broadcast video
• Must support both PC based and console based gaming
services
• Peer to peer and subscriber to content models both
emerging

Copyright © 2003 Juniper Networks, Inc. Proprietary and Confidential www.juniper.net 31

 Game Server –
Feeding packets into
the Core Server Farm
Game
Services

Gigabit 1. VLAN Traffic rate

Ethernet policed to prevent
Switch interference with other
VLAN Separation services
of Service
2. Packets Marked at
Ingress (Diff-Serv)
Router based on port number
3. Placed in low-latency
queue
Core 4. Forwarded onto
Network bandwidth reserved
MPLS or ATM circuit

Copyright © 2003 Juniper Networks, Inc. Proprietary and Confidential www.juniper.net 32

 Low Latency Queuing
with
shared bandwidth
1. Broadband connection Traffic
Core
rate policed to prevent Network 1. Users must log-in
through the Service
interference with other services
Deployment System
2. Packets Marked at Ingress before choosing Game
(Diff-Serv) based on port Content
number
2. Policy Route, IP flow
3. Placed in low-latency queue Service rate, and low latency
Deployment queue is enabled on
4. Forwarded onto bandwidth Broadband
Router System the Router through
reserved MPLS or ATM circuit
COPS or SNMP.

Access
Network
Broadband DSLAM
Users

Copyright © 2003 Juniper Networks, Inc. Proprietary and Confidential www.juniper.net 33

 Controlled Access for any
device
„ Support for both PPPoE and IP Services Sphere
appliances in the same household VoD
VoIP
Gaming
„ Ability to apply policies to the PC and the
gaming device independently Application Storage
Services
„ Can create guaranteed links between
different home appliances and network
servers

ISP 1
PPPoE
1M bW – Best Effort QoS
BGP4, OSPF, ISP 2
ATM IS-IS, MPLS
Multicast
DSLAM
IP Core ISP N
IP/1483 Bridged
1.5M bW – Gold QoS

Access
Copyright © 2003 Juniper Networks, Inc. Proprietary and Confidential www.juniper.net 34
 PPPoE based Hotspot
Service
Broadband LNS
Router (BRAS)
L2TP ISP 1
ATM or Ethernet Service
Layer 2 Provider
IP Core Radius
Access Network
PC with 802.11
W-LAN cards 802.11 Wireless
Access Point
PPPoE Client Software
Radius ISP 2

Radius
• No special features required for W-LAN network operation
- Wireless Ethernet is just another Layer 2 access method
• Users simply treated like ordinary DSL or FTTB network subscribers
• PPPoE client software required on users’ PCs
• Supports retail and wholesale business models

Copyright © 2003 Juniper Networks, Inc. Proprietary and Confidential www.juniper.net 35

 DHCP based Hotspot
Service
Edge
Router ISP 1
ATM or Ethernet Service
Layer 2 Provider
Access Network IP Core
PC with 802.11 802.11 Wireless
W-LAN cards Access Point
Radius
NO PPPoE
Client Software ISP 2
Web Login

• No PPPoE client software required on users’ PCs

•Same as PPP-based service but simpler for users
• Requires the use of DHCP Access Server
•Provides Web Based Login for Subscribers

Copyright © 2003 Juniper Networks, Inc. Proprietary and Confidential www.juniper.net 36

 Sponsored HotSpot Model
Edge
Router
ATM or Ethernet Service
Layer 2 Provider
Access Network IP Core
PC with 802.11 802.11 Wireless
W-LAN cards Access Point
Radius

Web Login

• User’s Web access is redirected to forced web page

• Web Page advertises services of the location and
provides a click-through to login to a service provider
• Email can also be directed to send a welcome email to
the user.
Copyright © 2003 Juniper Networks, Inc. Proprietary and Confidential www.juniper.net 37
 Hotspot Service with
IPSec
IPSec used to encrypt
IPSec or L2TP used to encrypt
Core Network traffic
Access Network traffic IDC
Broadband
Router
Service
ATM or Ethernet Provider
Layer 2 IP Core ISP 1
Access Network
PC with 802.11
W-LAN cards

IPSec Client 802.11 Wireless

Software Access Point
Radius & ISP 2
(Built in to
X.509 Certification
Win 2000, XP)

 IPSec can be combined with the Hotspot service to provide secure,

encrypted traffic across the access network

 This overcomes all of the (serious) security issues associated with

W-LAN networks.

Copyright © 2003 Juniper Networks, Inc. Proprietary and Confidential www.juniper.net 38

Thank You