IP Services Gateway Overview

IP Services Gateway Overview
 
 
This chapter provides an overview of the IP Services Gateway (IPSG).
This chapter covers the following topics:
 
 
Introduction
The IP Services Gateway (IPSG) is a stand-alone device capable of providing managed services to IP flows. The IPSG is situated on the network side of legacy, non-service capable GGSNs, PDSNs, HAs, and other subscriber management devices. The IPSG can provide per-subscriber services such as enhanced charging, stateful firewall, traffic performance optimization, and others.
 
The IPSG allows the carrier to roll out advanced services without requiring a replacement of the HA, PDSN, GGSN, or other access gateways and eliminates the need to add multiple servers to support additional services.
Important: The IPSG is a license-dependent feature.
 
Service Modes
The IPSG supports the following service modes:
 
 
RADIUS Server Mode
When configured in RADIUS server mode, the IPSG inspects identical RADIUS accounting request packets sent to the RADIUS accounting server and the IPSG simultaneously.
 
As shown in the following figure, the IPSG inspects the RADIUS accounting request, extracts the required user information, then sends a RADIUS accounting response message back to the access gateway. The IPSG has three reference points: sn, si, and sr. The sn interface transmits/receives data packets to/from the access gateway (GGSN, HA, PDSN, etc.). The si interface transmits/receives data packets to/from the Internet or a packet data network. The sr interface receives RADIUS accounting requests from the access gateway. The system inspects the accounting request packets and extracts information to be used to determine the appropriate service(s) to apply to the flow.
 
IPSG Message/Data Flow (RADIUS Server Mode)
 
RADIUS Proxy
In the event that the Access Gateway is incapable of sending two separate RADIUS Start message, the IPSG can be configured as a RADIUS Proxy. As shown in the following figure, the IPSG receives an IPSG RADIUS proxy Access request, then generates the Authentication and Accounting requests to the AAA Server.
 
IPSG Message/Data Flow (RADIUS Server Mode - RADIUS Proxy)
 
RADIUS Snoop Mode
When configured in RADIUS snoop mode, the IPSG simply inspects RADIUS accounting request packets sent to a RADIUS server through the IPSG.
 
As shown in the following figure, the IPSG has three reference points: sn, si, and sr. The sn interface transmits/receives data packets to/from the access gateway (GGSN, HA, PDSN, etc.). The si interface transmits/receives data packets to/from the Internet or a packet data network. The sr interface receives RADIUS accounting requests from the access gateway. The system inspects the accounting request packets and extracts information to be used to determine the appropriate service(s) to apply to the flow. Information is not extracted from the RADIUS accounting responses so they are sent directly to the access gateway by the RADIUS Server, but can also be sent back through the IPSG.
 
IPSG Message/Data Flow (RADIUS Snoop Mode)
 
In-line Services
As described previously, the IPSG provides a method of inspecting RADIUS packets to discover user identity for the purpose of applying enhanced services to the subsequent data flow. Internal applications such as the Enhanced Charging Service, Content Filtering, and Peer-to-Peer Detection are primary features that take advantage of the IPSG service.
 
Enhanced Charging Service
Enhanced Charging Service (ECS)/Active Charging Service (ACS) is the primary vehicle performing packet inspection and applying rules to the session which includes the delivery of enhanced services.
 
For more information, refer to the Enhanced Charging Service Administration Guide.
 
Content Filtering
Content Filtering is an in-line service feature that filters HTTP and WAP requests from mobile subscribers based on the URLs in the requests. This enables operators to filter and control the content that an individual subscriber can access, so that subscribers are inadvertently not exposed to universally unacceptable content and/or content inappropriate as per the subscribers’ preferences.
For more information, refer to the Content Filtering Services Administration Guide.
 
Peer-to-Peer
Peer-to-Peer is an in-line service feature that detects peer-to-peer protocols in real time and applies actions such as permitting, blocking, charging, bandwidth control, and TOS marking.
For more information, refer to the Peer-to-Peer Detection Administration Guide.
 
Enhanced Feature Support
This section describes the enhanced features supported by IPSG.
 
IMS Authorization Service
To support roaming IMS subscribers in a GPRS/UMTS network, the IPSG must be able to charge only for the amount of resources consumed by the particular IMS application and bandwidth used. The IPSG must also allow for the provisioning and control of the resources used by the IMS subscriber. To facilitate this, the IPSG supports the R7 Gx interface to a Policy Control and Charging Rule Function (PCRF).
For detailed information on the Gx Interface support, refer to the Gx Interface Support chapter of the System Enhanced Feature Configuration Guide.
Note the following for IPSG:
 
The following figure shows the interface and basic message flow of the Gx interface.
 
PSG Message/Data Flow (RADIUS Server Mode - IMS Auth Service)
IPSG also supports IMS Authorization Service Session Recovery with the following limitations:
 
 
Content Service Steering
Content Service Steering (CSS), defines how traffic is handled by the system based on the content of the data presented by a mobile subscriber. CSS can be used to direct traffic to in-line services that are internal to the system. CSS controls how subscriber data is forwarded to a particular in-line service, but does not control the content.
IPSG supports steering subscriber sessions to Content Filtering Service based on their policy setting. If a subscriber does not have a policy setting (ACL name) requiring Content Filtering, their session will bypass the Content Filtering Service and will be routed on to the destination address.
If subscriber policy entitlements indicate filtering is required for a subscriber, CSS will be used to steer subscriber sessions to the Content Filtering in-line service.
If a subscriber is using a mobile application with protocol type not supported, their session will bypass the Content Filtering Service and will be efficiently routed on to destination address.
For more information regarding CSS, refer to the Content Service Steering chapter of the System Enhanced Feature Configuration Guide.
 
Multiple IPSG Services
Multiple IPSG services, can be configured on the system in different contexts. Both source and destination contexts should be different for the different IPSG services. Each such IPSG service functions independently as an IPSG.
 
Session Recovery
The Session Recovery feature provides seamless failover and reconstruction of subscriber session information in the event of a hardware or software fault within the system preventing a fully connected user session from being disconnected.
For more information on this feature, please refer to the Session Recovery chapter in the System Enhanced Feature Configuration Guide.
Inter-Chassis Session Recovery is not supported.
 
 

Cisco Systems Inc.
Tel: 408-526-4000
Fax: 408-527-0883