All Rights Reserved © Alcatel-Lucent 2006, ##### NZNOG 2007 Control Planes and RADIUS Bitses Alastair Johnson Senior IP Technologist, Alcatel-Lucent [email protected]


NZNOG 2007

Control Planes and RADIUS Bitses

Alastair Johnson

Senior IP Technologist, Alcatel-Lucent

[email protected]


Agenda

Introduction

What is AAA?

A A A

Types of AAA

What, Why, How?

Triple Play

Issues

Q&A


Introduction

Solution Design IP guy for Alcatel-Lucent Professional Services in NZ and AU.

Support many clients, mostly telcos or large ISPs/carriers.

Focus on ‘next gen’ and ‘IP transformation’

Experience analyzing and deploying large carrier Control Plane solutions

ISP Background, too.


What is AAA?

AAA is:

Authentication: Validation of an identity and credentials, and allowing a subscriber to receive the service(s) requested.

Authorisation: Identify and grant network access to a subscriber, based on authentication, time of day, service type, where they are on the network, etc. Tunneling…

Accounting: Network resource utilisation accounting data, allowing you to “route money”.

Audit: If you’re scary.


What is AAA cont’d

Many protocols, common ones:

RADIUS (RFC 2809/2865/2866/2867/2868/2869)

DHCP (RFC 2131)

Diameter (RFC 3588)

TACACS+ (draft-grant-tacacs-02)

So we care a lot about getting people online and supporting the network infrastructure around that.


RADIUS

FreeRADIUS

XT RADIUS, GNU RADIUS

Alcatel 5750 SSC Bridgewater Service Controller

Juniper/Funk Steel Belted RADIUS

RADIATOR by Open Systems

Lucent Navis RADIUS

But we ate them, so…


DHCP

Alcatel 5750 SSC Bridgewater Systems DHCP Service Controller

ISC DHCP

Many other DHCP implementations


Control Planes

Not your data or forwarding plane

Part of your management plane – somewhat

Provision services, subscribers, manage elements, identities.

Link them.

Your AAA platform forms part of your Network Control Plane.


Why?

Authentication of subscribers: We really want to only have paying customers online. But do we need a password?

Authorisation: Perhaps we want to tunnel them somewhere, or apply policy…

Accounting: We like getting paid!

Policy Decision and Enforcement: So, we have authorisation… let’s give it some policy.

Subscriber identity and network location


How?

Authorisation and policies: Vendor specific attributes for pre-configured NAS policy. We know who the subscriber is (identity), and we know where they are (access). We can return some policy which makes them jump through tricks.

Accounting: Session Start records. Session Interim records (sometimes too much information can hurt). Session Stop records.

Authentication: Identity. Ways of integrating your identity management.


Why?

Because we need to control access to our network

Because we need to bill for that same access, in some manner.

Because it’s “all about the user (subscriber)”


A normal network topology for delivering broadband services:

[Diagram: CPE, DSLAM, Transport, BRAS/LAC, LNS, AAA Control Plane, Customer DB, Accounting, Network Control Plane]


Triple Play

Buzzword.

Voice, Video, Internet, converged over a single access service, and delivered to a subscriber by a single provider.

Requires intensive end-to-end quality of service.

Requires a lot of policy, and changes to that policy “in service”.

Interaction between your subscriber control plane, and your network control plane.

Builds upon the previous AAA changes.


Session State

Really quite cool.

We know where subscribers are on the network, so what can we do with it?

We can determine IP address pools, provisioning, and whether a subscriber is online.

Perform actions based on that.

Cause events.
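
An added example, not part of the original slides: a session table built from the Session Start, Interim and Stop accounting records mentioned earlier, answering where a subscriber is, whether one identity is online more than once, and which sessions have gone silent. Attribute names follow RFC 2866; the `t` arrival timestamp, the 600-second staleness threshold and the sample records are assumptions made for the illustration.

```python
class SessionTable:
    """Online sessions keyed by (NAS-IP-Address, Acct-Session-Id)."""
    def __init__(self, stale_after=600):
        self.stale_after = stale_after  # assumed: seconds of silence before a session is suspect
        self.online = {}

    def apply(self, rec):
        key = (rec["NAS-IP-Address"], rec["Acct-Session-Id"])
        status = rec["Acct-Status-Type"]
        if status == "Stop":
            self.online.pop(key, None)  # a Stop for an unknown session is ignored
        elif status in ("Start", "Interim-Update"):
            # An Interim-Update with no Start on record still proves the session exists.
            s = self.online.setdefault(key, {
                "user": rec["User-Name"], "nas": key[0],
                "ip": rec["Framed-IP-Address"], "last_seen": rec["t"]})
            s["last_seen"] = max(s["last_seen"], rec["t"])  # tolerate out-of-order delivery

    def where_is(self, user):
        """(NAS, subscriber IP) for every live session of this identity."""
        return sorted((s["nas"], s["ip"]) for s in self.online.values() if s["user"] == user)

    def concurrent_users(self):
        """Identities with more than one live session, e.g. shared credentials."""
        users = [s["user"] for s in self.online.values()]
        return sorted({u for u in users if users.count(u) > 1})

    def stale(self, now):
        """Session ids with no Start/Interim for too long: the Stop was probably lost."""
        return sorted(k[1] for k, s in self.online.items()
                      if now - s["last_seen"] > self.stale_after)

FIELDS = ("t", "Acct-Status-Type", "Acct-Session-Id", "User-Name",
          "NAS-IP-Address", "Framed-IP-Address")
# Constructed sample records (documentation address ranges), not captured traffic.
SAMPLE = [dict(zip(FIELDS, row)) for row in [
    (0,   "Start",          "a1", "alice", "192.0.2.1", "198.51.100.10"),
    (10,  "Start",          "b1", "bob",   "192.0.2.1", "198.51.100.11"),
    (300, "Interim-Update", "a1", "alice", "192.0.2.1", "198.51.100.10"),
    (320, "Interim-Update", "a2", "alice", "192.0.2.2", "198.51.100.40"),  # Start was lost
    (400, "Stop",           "c9", "carol", "192.0.2.2", "198.51.100.41"),  # never seen online
]]

def build(records):
    table = SessionTable()
    for r in records:
        table.apply(r)
    return table
```
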


Common AAA Disasters


Slightly More Common AAA Disasters

Generally, AAA is overlooked by companies. We need it, but we don’t invest.

Peak demand, and average demand, and why ensuring we engineer for multiples of the peak demand is real important.

Redundancy.

Geographical redundancy.

Proxy events can cause knock-on problems.

Poor subscriber linkage

Poor documentation

Often not really understood by the people who run it.


Remember

AAA helps you route money from the subscriber to you.


Q&A

Any questions?


Thank You!

Contact me off-list if you have any queries about my RADIUS server.


www.alcatel-lucent.com