Stingray Service Gateway


Stingray Service Gateway: Advanced DPI Solution
Analysis, Control, Management

Index
- About VAS Experts: our company, product portfolio
- DPI platform: DPI engine, multifunctionality, performance, redundancy, scalability, platform architecture, solution architecture
- BNG: BNG operating modes, BNG characteristics
- CG-NAT: CG-NAT characteristics, flexible tariff plans, IPv6
- Options: bypass support, filtering by blocklist, analytics, traffic prioritization, allow list and captive portal, mini-firewall, DDoS attack protection, inserting ads into web pages, operating scheme for ads
- Licensing: DPI licensing
- Quality of Experience: QoE module, QoE metrics, graphical user interface
- Plans: use cases, development plans
- Contact us

About VAS Experts
Over 1000 installations at ISPs in Russia, Europe and Asia.
Latest installations: more than 25 Tbps; Lebanon, 10M users; Cyprus; Turkey; Moldova.

Our portfolio
Products: Deep Packet Inspection, BNG, CG-NAT, QoE, DLP.
Key features:
- Analytics: IoT, DDoS and BotNet detection; NetFlow, interception; QoE metrics
- Subscriber management: prioritization, policing; block/allow lists; BNG, CG-NAT
- VAS for ISP: marketing campaigns; parental control; mini-firewall

Own DPI Engine
History: 2013 DPI; 2016 CG-NAT; 2017 L3 BNG, Dual Stack IPv4/IPv6; 2018 Lawful Interception; 2019 L2 BNG, Dual Stack IPv4/IPv6; 2020 mobile networks support; 2021 Border.
VAS Experts DPI can compete with Sandvine, A10 Networks, Allot, Ericsson SE and Cisco SCE.

Multi-functionality and investment protection
- License manager operations: Upgrade, Reservation, Merge, Oversubscription, Split
- One platform, several roles: DPI, BNG, CG-NAT, Router, plus VAS (additional services)
- Deployment options: testing, virtualization, SaaS, PaaS
Diagram: Stingray SG (DPI, BNG, CG-NAT, Router) placed between Aggregation and Access.

Performance (6 to 120 Gbps per unit)

Performance, Gbps | 6 | 20 | 40 | 80 | 100 | 120
Ports | 2x10GbE SFP | 4x10GbE SFP | 8x10GbE SFP | 16x10GbE SFP | 16x10GbE / 6x40GbE / 6x25GbE (SFP / QSFP / QSFP28) | 20x10GbE / 8x40GbE / 8x25GbE (SFP / QSFP / QSFP28)
Number of subscribers | | 2M | 4M | 8M | 10M | 12M
Maximum number of sessions | | 16M | 32M | 64M | 80M | 96M
New sessions per second | | 250K | 350K | 400K | 500K | 600K

The slide gives no subscriber or session figures for the 6 Gbps column. Application protocols recognised: 6000. Latency (average): 30 µs.

Redundancy
- Hash IPsrc/IPdst balancing in a Link Aggregation Group (LAG)
- Spare DPI on the alternative route
- Special low license price for the spare DPI
Diagram: Router, LAG, DPI 1 ... DPI N, LAG, Router, with DPI Spare on the alternative path.

Platform scalability
- Support of 100 Gbps links using a load balancer
- Ability to scale up to 3.84 Tbps
Diagram: 100 Gbps link, Load Balancer, 10 Gbps links to DPI 1 ... DPI N, Load Balancer, 100 Gbps link.

Platform Architecture
Hardware: x86 servers. Factors: soft limits, scalability, available platform, self-upgrade, continuous growth.
Control plane: CentOS 8 (note that CentOS 8 reached end of life on 31 December 2021; check the current release notes for the supported OS). Data plane: DPDK with Direct NIC Access (DNA) technology, so packets bypass the kernel network stack.
Core layout per NIC pair (DNA 0 in / DNA 1 out, DNA 2 in / DNA 3 out): 1 dispatcher core plus 4 worker cores; a further core is reserved for NetFlow, management and services.
Vertical scalability with multiprocessor systems up to 400 Gbps on a single unit.

Solution Architecture
- L2/L3 BNG modes
- BRAS, CG-NAT, DPI and URL filtering combined on one platform
- Full RADIUS (CoA) support
- High availability with PCRF
- Hot start from local UDR

BRAS operating modes

Mode | Management | Description
BNG L3 IPoE | SSH-managed | IP addresses and tariff plans are preloaded. With dynamic IP distribution a RADIUS monitor or a complete RADIUS implementation is needed.
BNG L3 IPoE | RADIUS-managed | Authorization via the RADIUS server for subscribers who already have an IP address. VLAN/Q-in-Q tags supported.
BNG L2 DHCP | Relay agent | Subscriber authorization by MAC address at the RADIUS server; a DHCP server distributes IP addresses. ARP proxy, ARP authorization, VLAN/Q-in-Q tags supported.
BNG L2 DHCP | RADIUS proxy | Subscriber authorization by MAC address at the RADIUS server; a RADIUS server is used instead of a DHCP server, DHCP being replaced by the combination of FastDPI and FastPCRF. Option 82 in the DHCP request, ARP proxy, ARP authorization, VLAN/Q-in-Q tags supported.
BNG L2 PPPoE | | PAP, CHAP, MS-CHAPv2 and MAC-address authorization are supported. VLAN/Q-in-Q tags supported.

BNG Characteristics
- Combination of L2 (PPPoE, DHCP) and L3 (IPoE) modes
- Traffic termination (PPPoE, Q-in-Q, VLAN)
- Multi-user support (one login, multiple IP addresses)
- Dual Stack IPv4/IPv6
- Allow list (white list) by hostname or URL, including *.domain masks
- Higher speed to local resources or peer-to-peer networks regardless of the tariff plan speed
- Prioritization of video, online games and web traffic
- Traffic coloring (VLAN, IP, MPLS) and handling of already colored traffic
- Mini-Firewall
PCRF:
- Proxying requests between the BNG and the RADIUS server
- Dynamic management of subscriber policies and services via RADIUS (CoA)
- Synchronizing several BNGs and providing redundancy
- Separate accounting per AS or per protocol

CG-NAT Characteristics
- Full cone: transparent operation of peer-to-peer protocols (torrents, games). In RFC 4787 terms this is endpoint-independent mapping and filtering, so any external host that learns a mapping can reach the subscriber's port; this is why the per-pool limits and the mini-firewall matter.
- Limits: a limit on TCP and UDP connections for each pool of IP addresses.
- NAT flow export: text file or NetFlow v10 (IPFIX).
- Paired IP address pooling: all sessions of a subscriber are tied to a single external IP address.
- Hairpinning: subscribers behind the CG-NAT communicate with each other without address translation; their traffic does not leave through the public side.
Diagram: Subscribers, CPE, private IPv4 access network, CG-NAT, public IPv4, IPv4 Internet.
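The five CG-NAT characteristics above, as an added toy model (not the Stingray SG implementation): paired IP pooling, endpoint-independent "full cone" mappings, a per-pool session limit, hairpinning, and a NAT log line per mapping. The port range, the limit value, the least-loaded pairing rule and the log line format are assumptions made for this example; the addresses are from the documentation ranges.

```python
"""Toy CG-NAT translation table (added example, not vendor code)."""
from collections import defaultdict


class CgNat:
    def __init__(self, pool, max_sessions_per_pool, port_range=(1024, 65535)):
        self.pool = list(pool)                     # public IPv4 addresses of this pool
        self.max_pool = max_sessions_per_pool      # limit per pool and per protocol (slide: "Limits")
        self.port_lo, self.port_hi = port_range    # assumption: one contiguous port range
        self.next_port = {ip: self.port_lo for ip in self.pool}   # toy: ports are never reused
        self.paired = {}       # private ip -> public ip          (paired IP address pooling)
        self.mappings = {}     # (proto, private ip, port) -> (public ip, port)
        self.reverse = {}      # (proto, public ip, port) -> (private ip, port)
        self.count = defaultdict(int)   # proto -> active mappings in this pool
        self.log = []          # text NAT log; the slide also offers NetFlow v10 (IPFIX) export

    def _pair(self, private_ip):
        """Paired pooling: choose the least-loaded public address once, then keep it for the subscriber."""
        if private_ip not in self.paired:
            load = defaultdict(int)
            for ip in self.paired.values():
                load[ip] += 1
            self.paired[private_ip] = min(self.pool, key=lambda ip: (load[ip], ip))
        return self.paired[private_ip]

    def outbound(self, proto, src_ip, src_port, dst_ip, dst_port, ts=0):
        """Translate an outgoing packet; returns the (public ip, public port) it leaves with."""
        key = (proto, src_ip, src_port)
        if key in self.mappings:
            # Endpoint-independent mapping: the same external port serves every destination.
            return self.mappings[key]
        if self.count[proto] >= self.max_pool:
            raise RuntimeError(f"pool limit of {self.max_pool} {proto} sessions reached")
        pub_ip = self._pair(src_ip)
        pub_port = self.next_port[pub_ip]
        if pub_port > self.port_hi:
            raise RuntimeError(f"no free ports on {pub_ip}")
        self.next_port[pub_ip] = pub_port + 1
        self.mappings[key] = (pub_ip, pub_port)
        self.reverse[(proto, pub_ip, pub_port)] = (src_ip, src_port)
        self.count[proto] += 1
        self.log.append(f"{ts} {proto} {src_ip}:{src_port} -> {pub_ip}:{pub_port} dst {dst_ip}:{dst_port}")
        return pub_ip, pub_port

    def inbound(self, proto, pub_ip, pub_port, remote_ip):
        """Full cone: the remote address is not consulted, so any host that hits a mapping reaches the subscriber."""
        return self.reverse.get((proto, pub_ip, pub_port))

    def forward(self, proto, src_ip, src_port, dst_ip, dst_port, ts=0):
        """Return (src, dst) endpoints as delivered; hairpins traffic aimed at another subscriber's public port."""
        if dst_ip in self.pool:
            inside = self.reverse.get((proto, dst_ip, dst_port))
            if inside is not None:
                return (src_ip, src_port), inside   # stays inside the private network, no translation
        pub = self.outbound(proto, src_ip, src_port, dst_ip, dst_port, ts)
        return pub, (dst_ip, dst_port)


if __name__ == "__main__":
    nat = CgNat(["203.0.113.10", "203.0.113.11"], max_sessions_per_pool=3)
    print(nat.outbound("tcp", "10.0.0.1", 40000, "198.51.100.5", 443, ts=1))
    print(nat.inbound("tcp", "203.0.113.10", 1024, "192.0.2.99"))
    print("\n".join(nat.log))
```

The `inbound` lookup is the point to study: because the mapping is keyed only on the inside socket, a scanner that finds the public port gets the same answer as the peer the subscriber was talking to. A production CG-NAT would also expire mappings and reuse ports, which this toy omits.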

Flexible tariff plans
Example of a 50 Mbit/s plan with per-class HTB shaping. Classes (cs): cs0 dns, icmp, AS of World of Tanks; cs1 http, https, quic; cs3 default; cs4 viber, whatsapp, skype, sip; cs5 AS of local IPs, peering; cs6 tcp unknown; cs7 BitTorrent (cs2 is not assigned on the slide). A rate of 8bit is a nominal minimum, i.e. the class has effectively no guaranteed share and only borrows up to its ceil; a static class is policed at a fixed rate outside the root, which is how cs5 gets 100 Mbit/s to local resources on a 50 Mbit/s plan.
Tasks solved by the plan: outbound torrent limit (cs7, ceil 5mbit outbound); maximum speed to local resources raised to 100mbit (cs5, static); messengers and SIP limited to 1mbit (cs4); HTTP, HTTPS, QUIC (cs1); a game service like World of Tanks guaranteed 20mbit (cs0).

Inbound:
    htb inbound root rate 50mbit
    htb inbound class0 rate 20mbit ceil 50mbit
    htb inbound class1 rate 1mbit ceil 50mbit
    htb inbound class2 rate 8bit ceil 50mbit
    htb inbound class3 rate 8bit ceil 50mbit
    htb inbound class4 rate 8bit ceil 1mbit
    htb inbound class5 rate 100mbit static
    htb inbound class6 rate 8bit ceil 50mbit
    htb inbound class7 rate 8bit ceil 50mbit

Outbound:
    htb root rate 50mbit
    htb class0 rate 20mbit ceil 50mbit
    htb class1 rate 1mbit ceil 50mbit
    htb class2 rate 8bit ceil 50mbit
    htb class3 rate 8bit ceil 50mbit
    htb class4 rate 8bit ceil 1mbit
    htb class5 rate 100mbit static
    htb class6 rate 8bit ceil 5mbit
    htb class7 rate 8bit ceil 5mbit
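A plan in this line syntax is easy to mistype, so here is an added checker (not VAS Experts' tooling) that parses the lines above and verifies the constraints HTB itself enforces: a class ceil may not exceed the root rate, a class rate may not exceed its own ceil, and the guaranteed rates of the non-static classes may not add up to more than the root. Treating `static` classes as fixed-rate policers outside the HTB tree is an assumption drawn from the slide, which puts a 100mbit static class under a 50mbit root.

```python
"""Sanity checks for an HTB tariff plan in the line syntax from the slide (added example)."""
import re

UNITS = {"bit": 1, "kbit": 1_000, "mbit": 1_000_000, "gbit": 1_000_000_000}

LINE_RE = re.compile(
    r"^htb\s+(?:(inbound)\s+)?(root|class\d+)\s+rate\s+(\d+)(bit|kbit|mbit|gbit)"
    r"(?:\s+ceil\s+(\d+)(bit|kbit|mbit|gbit)|\s+(static))?\s*$"
)

# Both halves of the tariff from the slide, verbatim.
SLIDE_PLAN = """\
htb inbound root rate 50mbit
htb inbound class0 rate 20mbit ceil 50mbit
htb inbound class1 rate 1mbit ceil 50mbit
htb inbound class2 rate 8bit ceil 50mbit
htb inbound class3 rate 8bit ceil 50mbit
htb inbound class4 rate 8bit ceil 1mbit
htb inbound class5 rate 100mbit static
htb inbound class6 rate 8bit ceil 50mbit
htb inbound class7 rate 8bit ceil 50mbit
htb root rate 50mbit
htb class0 rate 20mbit ceil 50mbit
htb class1 rate 1mbit ceil 50mbit
htb class2 rate 8bit ceil 50mbit
htb class3 rate 8bit ceil 50mbit
htb class4 rate 8bit ceil 1mbit
htb class5 rate 100mbit static
htb class6 rate 8bit ceil 5mbit
htb class7 rate 8bit ceil 5mbit
"""


def to_bps(value, unit):
    """Convert a number plus unit (bit, kbit, mbit, gbit) to bit/s."""
    return int(value) * UNITS[unit]


def parse_plan(text):
    """Return {direction: {"root": bit/s, "classes": {name: (rate, ceil, static)}}}.

    A class without an explicit ceil gets ceil = rate, which is HTB's own default.
    """
    plan = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = LINE_RE.match(line)
        if m is None:
            raise ValueError(f"line {lineno}: cannot parse {line!r}")
        inbound, name, rate, rate_unit, ceil, ceil_unit, static = m.groups()
        d = plan.setdefault("inbound" if inbound else "outbound", {"root": None, "classes": {}})
        rate_bps = to_bps(rate, rate_unit)
        if name == "root":
            d["root"] = rate_bps
        else:
            ceil_bps = to_bps(ceil, ceil_unit) if ceil else rate_bps
            d["classes"][name] = (rate_bps, ceil_bps, static is not None)
    return plan


def check_plan(text):
    """Return a list of findings; an empty list means the plan is consistent."""
    findings = []
    for direction, d in parse_plan(text).items():
        root = d["root"]
        if root is None:
            findings.append(f"{direction}: no root class")
            continue
        guaranteed = 0
        for name, (rate, ceil, static) in d["classes"].items():
            if static:
                continue  # fixed-rate policer, not a child of the HTB root (assumption, see lead-in)
            if ceil > root:
                findings.append(f"{direction} {name}: ceil {ceil} bit/s exceeds root rate {root} bit/s")
            if rate > ceil:
                findings.append(f"{direction} {name}: rate {rate} bit/s exceeds its ceil {ceil} bit/s")
            guaranteed += rate
        if guaranteed > root:
            findings.append(f"{direction}: guaranteed rates sum to {guaranteed} bit/s, more than root {root} bit/s")
    return findings


if __name__ == "__main__":
    print(check_plan(SLIDE_PLAN) or "slide plan: OK")
```

Run against the slide's plan it reports nothing; a plan whose children together promise more than the root, or whose ceil is above the root, is reported before it reaches the BNG.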

IPv6
We recommend Dual Stack: private IPv4 plus public IPv6.
Problems: old equipment; implementation takes a long time (experience, equipment replacement, CPE), around 3 years; and suddenly you may need it urgently.
Why now is the time:
- IoT and IPv6-only devices
- Professionals (admins, webmasters) need access to IPv6 resources (internal and corporate networks)
- Corporate customers: communication between branches, redundant uplink
- New network standards
- TV, SIP phones, gaming and TV set-top boxes
- Subscriber retention (few other providers offer IPv6)
Advantages of IPv6: no NAT on the CPE; improved P2P; access to home resources (NAS). Note that without NAT every home device is directly addressable, so the CPE still needs a stateful firewall that admits only inbound connections the subscriber has opened or explicitly allowed.

Option: Bypass Support
Bypass keeps the network operational when the system is installed in series or asymmetrically, in the following situations: equipment malfunction; preventive maintenance; software errors; power cut.
Internal bypass: a Silicom network card whose In and Out ports are bridged when the DPI is down. External bypass: a bypass switch from any manufacturer, managed by the DPI over its management interface.
Diagram: DPI with Silicom network card (In, Out) and management port; external bypass device (In, Out) in front of the DPI.

Option: Filtering by blocklist
Filtering blocks a specific URL for HTTP using the operator's own list, including pages hosted on social networks such as Facebook, YouTube and Wikipedia, and resources considered extremist. Blocklisting by category is supported and categories can be combined; categorized lists are loaded automatically.

Characteristic | Description
Using your own operator list | Yes
Connection diagrams supported | In-line, asymmetric, mirroring
Filtering controlled per user and per subnet, so that filtering can be offered as a service to downstream operators | Yes
Traffic blocking, HTTP/HTTPS | Yes
Blocking HTTPS by SNI or certificate CN | Yes
Redirect of HTTP to an information page | Yes
Statistics on blocked pages | Yes
Monitoring of list loading and of the filtering itself | Yes
Maximum list size | Up to 4 billion URLs

Limits of the HTTPS methods: the SNI is cleartext in the ClientHello only as long as the client does not use Encrypted Client Hello, and the certificate CN is visible only in TLS 1.2 and earlier, because TLS 1.3 encrypts the server's Certificate message. The redirect to an information page applies to HTTP, as the table states.
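What "blocking HTTPS by SNI" has to work with, as an added example (not the Stingray SG filtering engine): parse the server_name extension out of a TLS ClientHello and match it against a blocklist. The sample ClientHello is constructed by `build_client_hello`, the blocklist entries are made up, and the `*.domain` rule (the mask covers the domain and all its subdomains) is an assumption for this example; a ClientHello without SNI, which is what Encrypted Client Hello leaves visible, yields a separate "no-sni" verdict rather than a silent allow.

```python
"""SNI extraction from a TLS ClientHello plus blocklist matching (added example)."""

BLOCKLIST = ["blocked.example", "*.tracker.example"]   # constructed operator list


def build_client_hello(server_name=None):
    """Constructed minimal TLS 1.3-style ClientHello record; the random is fixed to keep the sample stable."""
    exts = b""
    if server_name is not None:
        host = server_name.encode("ascii")
        entry = b"\x00" + len(host).to_bytes(2, "big") + host       # name_type host_name(0), length, name
        lst = len(entry).to_bytes(2, "big") + entry                 # ServerNameList
        exts += b"\x00\x00" + len(lst).to_bytes(2, "big") + lst     # extension type server_name(0)
    exts += b"\x00\x2b\x00\x03\x02\x03\x04"                         # supported_versions: TLS 1.3
    body = (b"\x03\x03" + bytes(range(32)) + b"\x00"                # legacy_version, random, empty session id
            + b"\x00\x02\x13\x01" + b"\x01\x00"                     # one cipher suite, null compression
            + len(exts).to_bytes(2, "big") + exts)
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body       # HandshakeType client_hello(1)
    return b"\x16\x03\x01" + len(handshake).to_bytes(2, "big") + handshake   # ContentType handshake(22)


def extract_sni(record):
    """Return the lower-cased host_name from the server_name extension, or None if absent or malformed."""
    try:
        if record[0] != 0x16:
            return None
        hs = record[5:5 + int.from_bytes(record[3:5], "big")]
        if hs[0] != 0x01:
            return None
        body = hs[4:4 + int.from_bytes(hs[1:4], "big")]
        p = 2 + 32                                       # skip legacy_version and random
        p += 1 + body[p]                                 # session id
        p += 2 + int.from_bytes(body[p:p + 2], "big")    # cipher suites
        p += 1 + body[p]                                 # compression methods
        if p + 2 > len(body):
            return None                                  # no extensions at all
        end = p + 2 + int.from_bytes(body[p:p + 2], "big")
        p += 2
        while p + 4 <= end:
            etype = int.from_bytes(body[p:p + 2], "big")
            elen = int.from_bytes(body[p + 2:p + 4], "big")
            p += 4
            if etype == 0:                               # server_name
                q = p + 2                                # skip ServerNameList length
                while q + 3 <= p + elen:
                    ntype, nlen = body[q], int.from_bytes(body[q + 1:q + 3], "big")
                    q += 3
                    if ntype == 0:
                        return body[q:q + nlen].decode("ascii").lower()
                    q += nlen
            p += elen
    except (IndexError, UnicodeDecodeError):
        return None
    return None


def blocked_by(host, blocklist):
    """Return the entry that matches host, or None; '*.d' matches d and every subdomain of d."""
    for entry in blocklist:
        entry = entry.lower()
        if entry.startswith("*."):
            base = entry[2:]
            if host == base or host.endswith("." + base):
                return entry
        elif host == entry:
            return entry
    return None


def decide(record, blocklist):
    """Verdict for one ClientHello: ('block', entry), ('allow', host) or ('no-sni', None)."""
    host = extract_sni(record)
    if host is None:
        return ("no-sni", None)   # ECH or a client that omits SNI: the name-based policy cannot apply
    entry = blocked_by(host, blocklist)
    return ("block", entry) if entry else ("allow", host)


if __name__ == "__main__":
    for name in ("blocked.example", "cdn.tracker.example", "www.example.org", None):
        print(name, decide(build_client_hello(name), BLOCKLIST))
```

The parser walks the ClientHello by length fields only and never trusts them beyond the buffer, which is what a filtering engine on an untrusted path must do; a byte-exact match against the name is deliberately case-insensitive because hostnames are.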


Option: Analytics
NetFlow analytical information is provided for:
1. Bandwidth distribution by application protocol
2. Bandwidth distribution by autonomous system (AS)
3. Export of summary billing information by class for each subscriber
4. Export of full NetFlow per subscriber
All modes can work simultaneously. Using the aggregated per-class information for billing makes it possible to rate SIP, Skype and BitTorrent traffic separately.
Chart: top application protocols by traffic volume.

Option: Traffic prioritization
- By protocol and by direction
- By uplink: registered AS, customized AS, VLAN, pair of physical ports
- Per user: IP address, login

Option: Allow list and Captive portal
The allow list limits the sites and pages available to the subscriber and redirects the subscriber to a specified page when he tries to go outside this list.
Use cases:
- HotSpot (Wi-Fi)
- Blocking a subscriber with a low balance, with the possibility of payment via authorized payment systems
- User identification in Wi-Fi networks (for example authorization by phone number) and requiring certain user actions in the Wi-Fi network before access is granted
Diagram: user's device, Stingray SG (DPI, BNG, CG-NAT), Internet; the platform request and the connection are checked against the authorization server.

Option: Mini-Firewall
Tasks:
- Preventing hacking of user devices through system ports (attacks on the client's hardware)
- Blocking malicious activity originating from the subscriber: spam, botnet traffic (parasite traffic), while legitimate traffic passes
Recommendations:
- Use statistics from the QoE module
- Notify the client, warning him of the problem, and offer an antivirus service
Diagram: subscribers, Stingray SG (BNG, DPI with Mini-Firewall, CG-NAT), router.

Option: DDoS attack protection
1. Protection against TCP SYN flood. An attack is detected when the number of SYN requests not confirmed by the client exceeds a specified threshold. Stingray SG then responds to SYN requests itself, instead of the protected site, and sets up the TCP session with the protected site only after the client has confirmed the request. Depending on the settings, protection may be activated manually, automatically, or run in constant protection mode against this type of attack.
2. Fragmented UDP flood protection. This type of attack is carried out with fragmented UDP packets, usually short ones; the attacked platform is forced to spend a lot of resources reassembling and analyzing them. For protection, protocols that are irrelevant for the protected site are dropped or hard-limited in bandwidth. For example, web sites use HTTP and HTTPS, so the other protocols can be dropped by configuring the DPI.
3. Protection against LOIC and similar tools, based on a Turing test (human detection). When the request limit is exceeded (e.g. the number of requests per second the site can process), protection is activated and the user must solve a CAPTCHA to confirm that he is not part of a botnet; after that, access to the site is allowed. The test determines whether the user is a person or a computer. A challenge page can only be inserted into traffic the DPI is able to modify, i.e. plain HTTP.
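The SYN-flood mechanism in point 1, as an added example (not the Stingray SG implementation): count unconfirmed SYNs and switch to protection when they exceed a threshold (or run manually or in constant protection mode), answer SYNs on behalf of the protected site with a cookie as the initial sequence number so that no per-SYN state is kept, and open the session to the protected site only once the client's ACK carries a valid cookie. The cookie layout (5 bits of time slot, 3 bits of MSS index, 24 bits of keyed hash), the 64-second slot and the MSS table follow the classic SYN-cookie scheme and are assumptions for this example.

```python
"""Stateless SYN proxy with SYN cookies (added example, not vendor code)."""
import hashlib
import hmac
import struct
import time

MSS_TABLE = (536, 1220, 1440, 1460)   # encoded in the cookie because the real SYN options are not kept
SLOT_SECONDS = 64
MAX_SLOT_AGE = 2                      # cookies older than two slots are rejected


class SynProxy:
    def __init__(self, secret, threshold, mode="auto", clock=time.time):
        self.secret = secret
        self.threshold = threshold
        self.mode = mode                  # "manual": off until enable(); "auto": on threshold; "always"
        self.protecting = mode == "always"
        self.clock = clock
        self.half_open = {}               # flow -> SYN time, only while SYNs are passed through
        self.established = []             # flows handed to the protected site

    def enable(self):
        self.protecting = True

    def expire(self, max_age=SLOT_SECONDS):
        """Drop pass-through SYNs that were never acknowledged so the counter reflects current load."""
        now = self.clock()
        for flow, ts in list(self.half_open.items()):
            if now - ts > max_age:
                del self.half_open[flow]

    def _slot(self):
        return int(self.clock()) // SLOT_SECONDS

    def _hash(self, flow, slot):
        msg = struct.pack("!I", slot) + repr(flow).encode()
        return int.from_bytes(hmac.new(self.secret, msg, hashlib.sha256).digest()[:3], "big")

    def cookie(self, flow, mss):
        """Initial sequence number that encodes flow, time slot and MSS without storing anything."""
        slot = self._slot()
        mss_idx = max(i for i, m in enumerate(MSS_TABLE) if m <= mss) if mss >= MSS_TABLE[0] else 0
        return ((slot & 0x1F) << 27) | (mss_idx << 24) | self._hash(flow, slot)

    def check_cookie(self, flow, isn):
        """Return the MSS to use towards the server, or None if the cookie is forged or stale."""
        now = self._slot()
        slot_bits = (isn >> 27) & 0x1F
        for age in range(MAX_SLOT_AGE + 1):
            slot = now - age
            if (slot & 0x1F) == slot_bits and self._hash(flow, slot) == (isn & 0xFFFFFF):
                return MSS_TABLE[(isn >> 24) & 0x7]
        return None

    def on_syn(self, src, sport, dst, dport, mss=1460):
        """Return ("forward", None) to let the SYN reach the site, or ("synack", isn) answered by the proxy."""
        flow = (src, sport, dst, dport)
        if not self.protecting:
            self.half_open[flow] = self.clock()
            if self.mode == "auto" and len(self.half_open) > self.threshold:
                self.protecting = True       # too many unconfirmed SYNs: attack detected
            return ("forward", None)
        return ("synack", self.cookie(flow, mss))

    def on_ack(self, src, sport, dst, dport, ack):
        """Client's final ACK: complete a pass-through handshake, or validate a cookie and connect to the site."""
        flow = (src, sport, dst, dport)
        if self.half_open.pop(flow, None) is not None:
            self.established.append(flow)
            return True
        if self.protecting:
            mss = self.check_cookie(flow, (ack - 1) & 0xFFFFFFFF)
            if mss is not None:
                self.established.append(flow)   # only now is the TCP session to the protected site opened
                return True
        return False                            # forged or stale: dropped without consuming any state


if __name__ == "__main__":
    proxy = SynProxy(b"example-secret", threshold=3)
    for i in range(5):
        print(proxy.on_syn(f"192.0.2.{i}", 40000, "198.51.100.9", 80))
```

Spoofed SYNs cost the proxy one HMAC each and no memory; a spoofed ACK is rejected by the same HMAC, so the attacker cannot make the proxy open sessions to the protected site on a victim's behalf.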

Option: Inserting ads into web pages
Advertisement placement and subscriber notification, earning from every click.
- Conducting and monitoring marketing campaigns
- Black and white lists
- AdBlock at the network level
Formats: desktop and mobile; interactive; fullscreen; native advertising; heading; video; menu and form filling.
Insertion is possible only on pages the DPI can modify in transit, i.e. plain HTTP (the licensing table lists it as adding banners to HTTP resources).

Operating scheme for Ads
Advantages: activation in a click; automatic billing per click/impression; thoughtful targeting; quick implementation. It is […] personal account and settings.
Diagram: Stingray SG (DPI, BNG, CG-NAT, GUI) connected to the VAS Cloud (ads aggregator, billing, marketing).

DPI licensing

Stingray Service Gateway features | BNG/BRAS | BASE | COMPLETE
Bypass support | Yes | Yes | Yes
Statistics gathering and analysis on protocols and directions | Yes | Yes | Yes
Traffic prioritization depending on protocol and direction | Yes | Yes | Yes
Common and virtual channel policing | Yes | Yes | Yes
Subscriber notification and marketing campaigns | Yes | Yes | Yes
Subscriber channel policing for IPv4 and IPv6 | Yes | - | Yes
Allow lists and Captive Portal | Yes | - | Yes
BNG/BRAS L3 (IPoE), Dual Stack IPv4/IPv6, RADIUS with CoA | Yes | - | Yes
BNG/BRAS L2 (PPPoE, DHCP), Dual Stack IPv4/IPv6 | Yes | - | Yes
Carrier Grade NAT | Yes | - | Yes
Ads blocking and replacing | Optional | - | Yes
Mini-Firewall for blocking on certain ports | Optional | - | Yes
Protection against DoS and DDoS attacks | Optional | - | Yes

Regulatory compliance | BNG/BRAS | BASE | COMPLETE
Filtering by blocklisted Internet sites | - | Yes | Yes
Lawful Interception (LI) | - | Optional | Yes
URL Classifier, local version | - | Yes | Optional
URL Classifier, cloud version | (not shown) | (not shown) | (not shown)

Additional modules and services | BNG/BRAS | BASE | COMPLETE
GUI (Graphical User Interface), Base version | Yes | Yes | Yes
GUI (Graphical User Interface), Global version | Optional | Optional | Optional
QoE (Quality of Experience) module, Base version | (not shown) | (not shown) | (not shown)
QoE (Quality of Experience) module, Standard version | (not shown) | (not shown) | (not shown)

By subscription: adding banners to HTTP resources; creating custom signatures; Signatures SDK; extended signature packs.
Reserve license: stand-by license at 25% of the main license.

Quality of Experience module
QoE is a software product responsible for gathering and viewing statistics. The statistics are transferred to a special […] and provide the operator with information about what kind of problems the subscriber encounters. The data obtained allows the operator to take action and improve service quality; the result is increased customer loyalty.
Diagram: Stingray SG (BNG, CG-NAT, RADIUS, PCRF) exports IPFIX to the QoE Store; the Classifier and an API connect it to Billing (IP/Login/MAC/Hwid/Address), the GUI, Support and Marketing.

QoE metrics
1. Round-trip time (RTT);
2. Number of retransmissions (retries);
3. Number of sessions, devices, agents and IP addresses per subscriber;
4. Traffic distribution by application and transport protocols;
5. Traffic distribution by autonomous system (AS) numbers;
6. Clickstream for each subscriber.
RTT is measured passively from the TCP handshake as the DPI sees it between client and server (SYN, SYN-ACK, ACK, then the connection is established); the diagram labels the value as RTT = (ACK − SYN-ACK)/2, i.e. it is derived from the time between the SYN-ACK and the client's ACK passing the DPI.
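Metrics 1 and 2 computed from handshakes, as an added example (not the QoE module's code). For every flow it records when the SYN, SYN-ACK and ACK passed the DPI's vantage point and reports the server-side part (last SYN to SYN-ACK), the client-side part (SYN-ACK to ACK), their sum as the round-trip time, the total setup time from the first SYN, and the number of retransmitted SYNs; a "high RTT" style top report is built on top of that. The packet list is constructed, with integer-millisecond timestamps and documentation-range addresses.

```python
"""Passive RTT and SYN-retry measurement from TCP handshakes seen by a DPI (added example)."""
from collections import defaultdict

# (timestamp ms, src ip, src port, dst ip, dst port, flags) as observed at the DPI; constructed sample.
SAMPLE_PACKETS = [
    (0,    "10.0.0.1", 50000, "198.51.100.5", 443, "S"),
    (40,   "198.51.100.5", 443, "10.0.0.1", 50000, "SA"),
    (50,   "10.0.0.1", 50000, "198.51.100.5", 443, "A"),
    (1000, "10.0.0.2", 50001, "198.51.100.6", 443, "S"),
    (2000, "10.0.0.2", 50001, "198.51.100.6", 443, "S"),     # SYN retransmitted after 1 s
    (2120, "198.51.100.6", 443, "10.0.0.2", 50001, "SA"),
    (2150, "10.0.0.2", 50001, "198.51.100.6", 443, "A"),
    (3000, "10.0.0.3", 50002, "198.51.100.7", 80, "S"),      # never answered: no RTT sample
]


def handshake_metrics(packets):
    """Return {(client ip, client port, server ip, server port): metrics} for completed handshakes."""
    flows = {}
    for ts, src, sport, dst, dport, flags in sorted(packets):
        if flags == "S":
            key = (src, sport, dst, dport)
            f = flows.get(key)
            if f is None:
                flows[key] = {"first_syn": ts, "last_syn": ts, "syn_retries": 0, "synack": None, "ack": None}
            elif f["synack"] is None:
                f["last_syn"] = ts           # measure path RTT from the SYN that was actually answered
                f["syn_retries"] += 1
        elif flags == "SA":
            f = flows.get((dst, dport, src, sport))
            if f is not None and f["synack"] is None:
                f["synack"] = ts
        elif flags == "A":
            f = flows.get((src, sport, dst, dport))
            if f is not None and f["synack"] is not None and f["ack"] is None:
                f["ack"] = ts
    result = {}
    for key, f in flows.items():
        if f["synack"] is None or f["ack"] is None:
            continue                          # half-open or still in progress
        server = f["synack"] - f["last_syn"]  # DPI to server and back
        client = f["ack"] - f["synack"]       # DPI to client and back
        result[key] = {
            "server_rtt_ms": server,
            "client_rtt_ms": client,
            "rtt_ms": server + client,
            "setup_ms": f["ack"] - f["first_syn"],   # what the subscriber experienced, retries included
            "syn_retries": f["syn_retries"],
        }
    return result


def top_subscribers(metrics, field, n=10):
    """Worst subscribers by one metric, e.g. the 'high RTT' report: [(client ip, worst value)]."""
    worst = defaultdict(int)
    for (client_ip, _, _, _), m in metrics.items():
        worst[client_ip] = max(worst[client_ip], m[field])
    return sorted(worst.items(), key=lambda kv: kv[1], reverse=True)[:n]


if __name__ == "__main__":
    metrics = handshake_metrics(SAMPLE_PACKETS)
    for key, m in metrics.items():
        print(key, m)
    print(top_subscribers(metrics, "rtt_ms"))
```

Splitting the handshake at the DPI is what lets the QoE reports separate a slow access segment (large client part, or SYN retries) from a slow peering or upstream (large server part), which is the troubleshooting use case the deck describes later.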

How to use QoE metrics?
Sales and marketing:
- Upselling new services, Wi-Fi equipment, tariff plans
- Working with churn and analysing its causes in the past
- Targeted advertising using subscriber profiling
Technical and support departments:
- Deep troubleshooting and monitoring using round-trip time and TCP retransmissions
- Identifying problems with the client's terminal equipment, Wi-Fi router, access switch and aggregation
- Searching for optimal peering points and connections to upstream providers

Graphical user interface
1. Access restriction by role
2. Managing several DPIs: monitoring and configuration
3. White and black lists
4. Managing subscriber tariff plans
5. Creating NAT pools
6. HotSpot and Clickwrap option control
7. Working with statistics
8. API support for integration with external systems

QoE Licensing

QoE module features | BASE | STANDARD
NetFlow statistics collector with re-export support | Yes | Yes
API support for integration with external systems | Yes | Yes
Full NetFlow and ClickStream statistics visualization | Yes | Yes
Built-in TOP reports based on Full NetFlow: high RTT, traffic volume, number of retransmissions, application protocols, AS, subscribers' AS, access switches and aggregation | Yes | Yes
Built-in TOP reports based on ClickStream: URLs, hosts, subscribers, devices, IP resources | Yes | Yes
Report export to .xlsx, .csv, .pdf and .png | Yes | Yes
NAT log collector with re-export support | - | Yes
Extracting the NAT log from Full NetFlow | - | Yes
GTP collector with re-export support | - | Yes
Reports on web resource categories, with category list updates | - | Yes
Full NetFlow and ClickStream reports with per-user detail | - | Yes
Triggers and actions on events, sending reports by email | - | Yes
DDoS and BotNet detection | - | Yes

Development directions
- Routing: BGP and OSPF protocol support
- Various IPv6 prefix lengths (currently /64 only)
- Diameter protocol support (Gx, Gy, Gz interfaces)
- Subscriber quota management
- Signatures SDK and definition by SNI (HTTPS) and hostname (HTTP) as a service
- Configurable web-resources classifier
- MITM mechanism implementation
Diagram: Border (BGP), SD-WAN, BNG, DPI, resources, DDoS, IoT, BotNet.

Follow the experts: dpi@vas.expert, vasexperts.com
