[Figure residue, partially recovered: ISG positioning and policy-model slides.
Access models shown on the ISG I/F: non-trunk N:1 or 1:1 VLAN for HSI, VoIP and VoD; N:1 VLAN with IP multicast or multicast VPN for TV; SP peering; L3 (routed) IP sessions.
Session model: ISG sessions are classified by ACL into flows, and features are attached per flow (default class), per service and per business policy.
Policy models: centralized, where central services (application and policy) hold the Policy Decision Point (PDP), ISG is the Policy Enforcement Point (PEP), communication runs over signaling through the network, and an external server is required; distributed, where the ISG network element takes the role of both PDP and PEP and an external server is not required (optional).
Policy decisions are event-driven and taken at multiple layers (data plane, control plane, services plane) in the access/aggregation network.]
Conditional debugging: debugging based on any subscriber, service or other identifier

ISG IP Sessions: L2 or L3 (routed) connected sessions

ISG IP Session Creation:
- RADIUS Access Request: for routed IP subscribers, a new IP session is triggered by the RADIUS Access Request while ISG acts as RADIUS proxy
- Unclassified source IP address: for routed IP subscribers, a new IP session is triggered by the appearance of an IP packet with an unclassified source IP address
- DHCP DISCOVER: for Layer 2 connected IP subscribers, a new IP session is created based on the DHCP DISCOVER, while ISG acts as a DHCP relay or server
- Unclassified source MAC address: for Layer 2 connected IP subscribers, a new IP session is triggered by the appearance of an IP packet with an unclassified source MAC address

ISG IP Session Termination:
- DHCP IP sessions: DHCP RELEASE or lease expiry
- RADIUS IP sessions: RADIUS Accounting-Stop (for RADIUS proxy operation)
- Any IP session model: session timeout, account logoff, ARP/ICMP/(BFD) keepalive timeout
IP interface session
- Defined by all traffic to and from a subscriber subinterface
- Configurable on logical interfaces (dot1q or QinQ)
- 1:1 mapping between session and interface
- Session initiation is at provisioning time (same for accounting start); session end is at de-provisioning time (same for accounting stop)
- Dynamic RADIUS-based feature provisioning and changes
[Figure: residential gateway and STB behind an Access Node, attached to the ISG I/F.]
IP subnet session
- Represents a subscriber IP subnet (the figure shows 10.0.0.8/29 and 10.0.0.16/29, each behind a residential gateway with an STB, reaching the ISG I/F through the Access Node)
- IP subnet sessions are supported as routed IP subscriber sessions only.
- IP subnet sessions are created the same way as IP sessions, except that when a subscriber is authorized or authenticated and the Framed-IP-Netmask attribute is present in the user or service profile, ISG converts the source-IP-based session into a subnet session with the subnet value in the Framed-IP-Netmask attribute.
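The session-table behaviour described in the IP session creation/termination list and in the IP subnet session slide above, as an added example (this is not Cisco code; `IpSessionTable`, the model names and the timeouts are assumptions for illustration). It classifies packets by source MAC (Layer 2) or source IP (routed), creates a session on a first sign of life, converts a source-IP session into a subnet session when authorization returns Framed-IP-Netmask, and applies the termination triggers per session model:

```python
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network
from typing import Dict, List, Optional


@dataclass
class Packet:
    src_mac: str
    src_ip: str
    access: str   # "l2" = Layer 2 connected subscriber, "routed" = L3 (routed) subscriber


@dataclass
class Session:
    key: str             # source MAC for L2 subscribers, source IP for routed subscribers
    model: str           # FSOL that created it: dhcp, radius-proxy, unclassified-mac, unclassified-ip
    access: str
    started: float
    last_keepalive: float
    subnet: Optional[IPv4Network] = None   # set when Framed-IP-Netmask turns it into a subnet session


class IpSessionTable:
    """Assumed model of the per-ISG IP session table (not Cisco's implementation)."""

    def __init__(self, session_timeout: float = 3600.0, keepalive_timeout: float = 60.0):
        self.sessions: Dict[str, Session] = {}
        self.session_timeout = session_timeout
        self.keepalive_timeout = keepalive_timeout
        self.log: List[str] = []

    def classify(self, pkt: Packet) -> Optional[Session]:
        """Map a packet to an existing session; None means its source is unclassified."""
        if pkt.access == "l2":
            return self.sessions.get(pkt.src_mac)
        if pkt.src_ip in self.sessions:
            return self.sessions[pkt.src_ip]
        addr = IPv4Address(pkt.src_ip)
        # A subnet session owns every host of its prefix (routed subscribers only).
        return next((s for s in self.sessions.values()
                     if s.subnet is not None and addr in s.subnet), None)

    def data_plane_fsol(self, pkt: Packet, now: float) -> Session:
        """Unclassified source MAC (L2) or source IP (routed) triggers a new session."""
        found = self.classify(pkt)
        if found is not None:
            return found
        if pkt.access == "l2":
            return self._create(pkt.src_mac, "unclassified-mac", "l2", now)
        return self._create(pkt.src_ip, "unclassified-ip", "routed", now)

    def control_plane_fsol(self, key: str, model: str, now: float) -> Session:
        """DHCP DISCOVER (ISG as relay/server, L2) or RADIUS Access-Request (ISG as RADIUS proxy, routed)."""
        access = "l2" if model == "dhcp" else "routed"
        return self.sessions.get(key) or self._create(key, model, access, now)

    def _create(self, key: str, model: str, access: str, now: float) -> Session:
        s = Session(key, model, access, now, now)
        self.sessions[key] = s
        self.log.append(f"start {key} via {model}")
        return s

    def apply_framed_netmask(self, key: str, netmask: str) -> IPv4Network:
        """Authorization returned Framed-IP-Netmask: convert the source-IP session into a subnet session."""
        s = self.sessions[key]
        if s.access != "routed":
            raise ValueError("IP subnet sessions are supported for routed IP subscribers only")
        s.subnet = IPv4Network(f"{key}/{netmask}", strict=False)
        return s.subnet

    def terminate(self, key: str, reason: str) -> bool:
        if self.sessions.pop(key, None) is None:
            return False
        self.log.append(f"stop {key}: {reason}")
        return True

    # Model-specific termination triggers; they do nothing for sessions of another model.
    def dhcp_release_or_lease_expiry(self, mac: str) -> bool:
        s = self.sessions.get(mac)
        return s is not None and s.model == "dhcp" and self.terminate(mac, "DHCP release/lease expiry")

    def radius_accounting_stop(self, ip: str) -> bool:
        s = self.sessions.get(ip)
        return s is not None and s.model == "radius-proxy" and self.terminate(ip, "Accounting-Stop")

    # Triggers that apply to every session model.
    def account_logoff(self, key: str) -> bool:
        return self.terminate(key, "account logoff")

    def keepalive(self, key: str, now: float) -> None:
        """Subscriber answered an ARP (L2) or ICMP/BFD (routed) keepalive probe."""
        if key in self.sessions:
            self.sessions[key].last_keepalive = now

    def expire(self, now: float) -> List[str]:
        """Sweep for session timeout and keepalive timeout; returns the keys removed."""
        gone = []
        for key, s in list(self.sessions.items()):
            if now - s.started >= self.session_timeout:
                self.terminate(key, "session timeout")
            elif now - s.last_keepalive >= self.keepalive_timeout:
                self.terminate(key, "keepalive timeout")
            else:
                continue
            gone.append(key)
        return gone
```

The point worth noticing is the subnet conversion: once `apply_framed_netmask` has run, any host in 10.0.0.8/29 is classified into the one session that authenticated, so the profile that carries Framed-IP-Netmask must belong to a subscriber who really owns that prefix.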
DHCP IP session: Transparent Auto Logon with Option 82
Participants: residential gateway/STB, Access Node, ISG, Portal, AAA (RADIUS)

1a. DHCP DISCOVER from the subscriber
1b. DHCP DISCOVER forwarded by the Access Node with Option-82 information
2. ISG session creation
3a. RADIUS Access Request, Username := Opt-82
3b. Verify identity: OK
3c. RADIUS Access ACCEPT
1c. DHCP OFFER
1d. DHCP REQUEST
1e. DHCP ACK
4. Apply L4-Redirect; set timer
5. HTTP: open browser (home page)
6. L4 Redirect (home page)
7a. CoA Session Query (if available)
7b. Session Query Response
8. HTTP Redirect to assigned portal (HTTPS, credentials)
9a. Account Logon
10a. RADIUS Access Request
10b. Verify credentials: OK
10c. RADIUS Access ACCEPT
9b. CoA Ack (with service profile parameters)
11. Un-apply L4-Redirect
12. Accounting start (for the new session; contains the entire identity info of the user)
13. User access to services

Notes:
1b. We assume the DHCP DISCOVER is the first sign of life. Conditions may arise such as a user leaving his previous session with a long lease still outstanding. When he returns, his PC will just send packets using the existing address. The first IP packet will then be treated as the session-start event; the system will correlate the MAC address against cached DHCP information and then continue as shown.
3b. The AAA server knows which port the user is connected to and will use the Opt-82 information to authorize the user. This results in TAL-like (transparent auto logon) behavior.
PPPoE sessions have a similar model.
© 2007 Cisco Systems, Inc. All rights reserved.
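Step 3a above sets Username := Opt-82, so the AAA server authorizes the physical line rather than the client. The following is an added example, not Cisco code, of extracting the Option 82 sub-options from a DHCPDISCOVER and deriving that username. The options blob is constructed in `build_discover_options`, the `from_trusted_port` check and the `<remote id>/<circuit id>` username format are assumptions of this example:

```python
from typing import Dict, List

DHCP_MAGIC_COOKIE = b"\x63\x82\x53\x63"
OPT_PAD, OPT_MSG_TYPE, OPT_RELAY_AGENT, OPT_END = 0, 53, 82, 255
SUB_CIRCUIT_ID, SUB_REMOTE_ID = 1, 2
DHCPDISCOVER = 1


def parse_tlv(data: bytes, top_level: bool) -> Dict[int, List[bytes]]:
    """Decode code/length/value options. Top-level DHCP options use PAD and END
    markers; Option 82 sub-options are plain TLVs up to the option length."""
    out: Dict[int, List[bytes]] = {}
    i = 0
    while i < len(data):
        code = data[i]
        if top_level and code == OPT_PAD:
            i += 1
            continue
        if top_level and code == OPT_END:
            break
        if i + 2 > len(data):
            raise ValueError("truncated option header")
        length = data[i + 1]
        value = data[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError(f"option {code} truncated")
        out.setdefault(code, []).append(value)   # a code may repeat; keep every occurrence
        i += 2 + length
    return out


def parse_dhcp_options(options: bytes) -> Dict[int, List[bytes]]:
    """Options field of a DHCP message, starting with the magic cookie."""
    if not options.startswith(DHCP_MAGIC_COOKIE):
        raise ValueError("missing DHCP magic cookie")
    return parse_tlv(options[len(DHCP_MAGIC_COOKIE):], top_level=True)


def relay_agent_info(opts: Dict[int, List[bytes]]) -> Dict[str, str]:
    """Agent Circuit ID (sub-option 1) and Agent Remote ID (sub-option 2) from Option 82."""
    if OPT_RELAY_AGENT not in opts:
        return {}
    subs = parse_tlv(opts[OPT_RELAY_AGENT][0], top_level=False)
    names = {SUB_CIRCUIT_ID: "circuit_id", SUB_REMOTE_ID: "remote_id"}
    return {names[c]: v[0].decode("ascii", "replace") for c, v in subs.items() if c in names}


def username_from_discover(options: bytes, from_trusted_port: bool) -> str:
    """User-Name for the Access-Request of step 3a, taken from Option 82.

    from_trusted_port is an assumption of this example: only the access node
    (a trusted port) may insert Option 82. A DISCOVER that already carries
    Option 82 when it arrives on a subscriber-facing port was forged by the
    client, who could otherwise be authorized as another subscriber's line.
    """
    opts = parse_dhcp_options(options)
    if opts.get(OPT_MSG_TYPE, [b""])[0] != bytes([DHCPDISCOVER]):
        raise ValueError("not a DHCPDISCOVER")
    info = relay_agent_info(opts)
    if info and not from_trusted_port:
        raise ValueError("Option 82 received on an untrusted port; dropping")
    if "circuit_id" not in info:
        raise ValueError("no Agent Circuit ID: cannot auto-logon, use the web portal flow")
    # Assumed username format "<remote id>/<circuit id>"; the real format is a provisioning choice.
    return f"{info.get('remote_id', '')}/{info['circuit_id']}"


def build_discover_options(circuit_id: bytes, remote_id: bytes) -> bytes:
    """Constructed DISCOVER options as the access node would forward them (test data, not a capture)."""
    sub = (bytes([SUB_CIRCUIT_ID, len(circuit_id)]) + circuit_id
           + bytes([SUB_REMOTE_ID, len(remote_id)]) + remote_id)
    return (DHCP_MAGIC_COOKIE
            + bytes([OPT_MSG_TYPE, 1, DHCPDISCOVER])
            + bytes([OPT_RELAY_AGENT, len(sub)]) + sub
            + bytes([OPT_END]))
```

Because the username comes from the line identifier, the whole TAL model rests on the access node being the only party that can insert Option 82; the trusted-port check is where that assumption is enforced.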
Routed IP session: IP Subscriber Transparent Auto Logon
Participants: Access Node, ISG, Portal, AAA (RADIUS)

1a. First IP packet
2. ISG session creation
3a. RADIUS Access Request, Username := IP address
3b. Verify identity: OK
3c. RADIUS Access ACCEPT
4. Apply L4-Redirect; set timer
5. HTTP: open browser (home page)
6. L4 Redirect (home page)
7a. CoA Session Query
7b. Session Query Response
8. HTTP Redirect to assigned portal (HTTPS, credentials)
9a. Account Logon
10a. RADIUS Access Request
10b. Verify credentials: OK
10c. RADIUS Access ACCEPT
9b. CoA Ack (with service profile parameters)
11. Un-apply L4-Redirect
12. Accounting start (for the new session; contains the entire identity info of the user)
13. User access to services

Notes:
1a. We assume the first IP packet is the first sign of life and the ISG gateway is configured for Transparent Auto Logon. The ISG session is created and RADIUS authorization is initiated.
3b. The subscriber profile in the RADIUS server is defined based on the static IP address allocated to that subscriber. This results in TAL-like (transparent auto logon) behavior.
Routed IP session: IP Subscriber Web Portal Authentication
Participants: Access Node, ISG, Portal, AAA (RADIUS)

1a. First IP packet
2. ISG session creation
4. Apply L4-Redirect; set timer
5. HTTP: open browser (home page)
6. L4 Redirect (home page)
8. HTTP Redirect to assigned portal (HTTPS, credentials)
9a. Account Logon
10a. RADIUS Access Request
10b. Verify credentials: OK
10c. RADIUS Access ACCEPT
9b. CoA Ack (with service profile parameters)
11. Un-apply L4-Redirect
12. Accounting start (for the new session; contains the entire identity info of the user)
13. User access to services

Notes:
1a. We assume the first IP packet is the first sign of life.
2. The IP session is created with a basic set of policies that grant access to the authentication portal and L4-redirect to that portal.
4. Redirect the user to the portal to have him input his credentials and service preference. Set a timer which will remove the session if the authentication is not successful (avoid accumulating state).
12. The accounting record informs the AAA server about the user's identity (IP address and user name). Note: accounting messages need to be understood as state/event notifications, not just charging information.
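The three flows above (DHCP with Option 82, routed TAL, and web portal authentication) share one session state machine: create the session on the first sign of life, optionally pre-authorize the line or static address (TAL), apply the L4 redirect with a timer, and replace the policy only after a successful portal logon. The following is an added example of that state machine, not Cisco code; `Isg`, the stand-in `Aaa` store, `PORTAL_URL` and the 300-second timer are assumptions for illustration:

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional

PORTAL_URL = "https://portal.example.net/login"   # assumed portal address, not from the slides


@dataclass
class Aaa:
    """Stand-in RADIUS server: TAL identities keyed by session key, user credentials, service profiles."""
    tal_identities: Dict[str, str]
    credentials: Dict[str, str]
    service_profiles: Dict[str, dict]
    accounting: List[dict] = field(default_factory=list)

    def access_request_identity(self, key: str) -> Optional[str]:
        """Step 3: Username := IP address or Opt-82; returns the profile if the line is known."""
        return self.tal_identities.get(key)

    def access_request_credentials(self, user: str, password: str) -> bool:
        """Step 10: username/password entered at the portal."""
        return self.credentials.get(user) == password

    def accounting_start(self, record: dict) -> None:
        """Step 12: accounting is a state notification, so it carries the identity, not only charging data."""
        self.accounting.append(record)


@dataclass
class Session:
    key: str
    created: float
    redirect_until: float             # timer armed together with the L4 redirect (step 4)
    identity: Optional[str] = None    # set by transparent auto logon (step 3); not yet a logon
    user: Optional[str] = None        # set after the portal logon succeeds (steps 9-11)
    services: dict = field(default_factory=dict)

    @property
    def l4_redirect(self) -> bool:
        return self.user is None


class Isg:
    def __init__(self, aaa: Aaa, redirect_timer: float = 300.0):
        self.aaa = aaa
        self.redirect_timer = redirect_timer
        self.sessions: Dict[str, Session] = {}

    def fsol(self, key: str, now: float) -> Session:
        """Steps 1-4: create the session, try TAL on the identity, apply L4 redirect and arm the timer."""
        s = self.sessions.get(key)
        if s is not None:
            return s
        s = Session(key, now, now + self.redirect_timer)
        s.identity = self.aaa.access_request_identity(key)
        self.sessions[key] = s
        return s

    def http(self, key: str, url: str) -> str:
        """Steps 5-8: while redirected, only the portal is reachable; everything else gets a 302."""
        s = self.sessions[key]
        if s.l4_redirect and not url.startswith(PORTAL_URL):
            return f"302 {PORTAL_URL}?orig={url}"
        return f"200 {url}"

    def portal_logon(self, key: str, user: str, password: str) -> bool:
        """Steps 9-12: verify credentials, push the service profile (CoA Ack), un-apply the redirect, start accounting."""
        s = self.sessions.get(key)
        if s is None or not self.aaa.access_request_credentials(user, password):
            return False
        s.user = user
        s.services = dict(self.aaa.service_profiles.get(user, {}))
        self.aaa.accounting_start({"event": "start", "session": key, "user": user, "identity": s.identity})
        return True

    def sweep(self, now: float) -> List[str]:
        """Timer expiry: remove sessions that never authenticated so that state does not accumulate."""
        gone = [k for k, s in self.sessions.items() if s.l4_redirect and now >= s.redirect_until]
        for k in gone:
            del self.sessions[k]
        return gone
```

Note that a successful TAL lookup (step 3) does not clear the redirect: in all three flows the session stays redirected until the portal logon, and an unauthenticated session that outlives its timer is dropped, which is the state-accumulation protection called out in note 4 above.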
IP Subscriber Dynamic Service Selection
(flow between Access Node, ISG, Portal and AAA/RADIUS; sequence not recovered)
Target:
- Use the PPPoE authentication models to avoid operational impact
Requirements:
- The authentication must be secure: client credentials are sent using a secure encryption scheme
- The authentication must take place before IP address allocation. This ensures entitlement to the service, safe and predictable IP address usage, predictable lawful intercept of the client traffic, and that any attacks are launched by known individuals
- The authentication process must accommodate clients that can't perform authentication
- The authentication process must rely on standard protocols and not disrupt or change existing protocols
Standardization direction:
- Efforts have started in the IETF to define the DHCP authentication models
[Figure residue: DHCP authentication exchange; if authentication is unsuccessful, the DHCP NAK carries a CHAP failure.]
Access Node Dual-homing
[Figure: an STB behind a residential Access Node that is dual-homed to two BNGs, each an ISG I/F. The DHCP Request/Ack exchange establishes an IPoE session on one BNG; ARP keepalives maintain it.]
For IP routed sessions, FSOL is a RADIUS Access-Request or a new IP flow.

IPoE Session Re-Initiation (continued)
[Figure: the same dual-homed topology. 1: DHCP Discover / DHCP Offer towards the other BNG; 2: keepalives; 3: IPoE session re-initiated on that BNG; 5: keepalives; 6: BNG (steps 4 to 6 only partially recovered). ARP keepalives run on the subscriber side.]
For IP routed sessions, keepalives are based on BFD or ICMP.
Conclusion