Subscriber-Aware Monitoring for Service Providers

GPRS Tunneling Protocol (GTP) is commonly used to carry mobile data across Service Provider networks and includes control plane (GTP-c) and user-data plane (GTP-u) traffic. Visibility into a subscriber’s activity therefore requires understanding the stateful nature of GTP (v1 and/or v2) and correlating subscriber-specific control and data sessions to gain an accurate view of the subscriber’s session. Using Gigamon’s GTP correlation application, carriers can gain access to the subscriber’s data in these GTP tunnels by reliably correlating and passing all of the identified subscriber’s control and data sessions to the analytics/monitoring probes and billing subsystems, ensuring an accurate view of the monitored session. To achieve this, Gigamon® Visibility Fabric™ nodes correlate the subscriber IDs exchanged as part of the control sessions with the corresponding tunnel endpoint identifiers (TEIDs) carried in the user-data plane traffic.

With GTP correlation enabled, operators have multiple options to act on subscriber-generated GTP sessions, including the flexibility to (among other things):

Identify high-value subscribers based on an International Mobile Subscriber Identity (IMSI) or a group of IMSIs and forward the applicable traffic to the operator’s monitoring / CEM (customer experience management) tools, limiting the amount of traffic to those tools
Classify traffic from roaming subscribers based on the IMSI prefix and forward to billing subsystems and/or monitoring tools to apply specific QoE/QoS policies
Implement an infrastructure for load-balancing across a group of monitoring tools leveraging statically configured IMSI-based rules
Classify GTPv1 from GTPv2 traffic and redirect the respective traffic streams to the appropriate analytics and/or monitoring tools
Combine the processing capability of multiple GTP correlation engines to meet the scale needs of a large mobile operator. This capability allows the operator to use a scale-out architecture without being constrained by the capacity of a single GTP correlation engine
Enable 100% of GTP-c traffic to be sent to the tools while sending only a configurable sample of the more voluminous GTP-u traffic to the tools

By combining GTP correlation with other traffic intelligence capabilities in the Unified Visibility Fabric, operators can gain deep insights into their networks that both optimize their per-subscriber monitoring cost and enable them to offer new services that increase the Average Revenue Per User (ARPU). This is done with tiered monitoring strategies that separate higher-ARPU subscribers from lower-ARPU subscribers.

Whitelisting allows all traffic from specific IMSIs to be sent to the tools, whereas sampling selects a configurable set of user sessions for analysis. These capabilities can be used by operators in a variety of ways to implement highly scalable and efficient monitoring methodologies. Some examples are:

Filter or eliminate entire application sessions corresponding to voluminous Over-The-Top (OTT) traffic such as YouTube, Netflix and other video sites from reaching the tools, eliminating expensive and unnecessary upgrades to the tooling infrastructure
Decrypt SSL traffic destined to servers hosted by the operator and feed it to a security tool for malware inspection
Send only a sample of non-premium sessions to the monitoring tools
Sample a set of sessions to analyze the quality of service at a particular cell site

If a single instance of the monitoring tool cannot keep up with the traffic volumes it receives using IMSI-based rules, these incoming traffic streams can instead be distributed across a group of tools, while ensuring that a particular subscriber’s traffic always ends up on the same tool, thus maintaining the integrity of the flows.
IMSI-based Load Balancing Across a Group of Monitoring Tools

The diagram below illustrates this traffic being distributed across two monitoring tools; in fact, traffic can be distributed to up to 16 tools. Operators also have the option to forward any traffic that does not match the configured filter rules to a tool port, otherwise called the collector.

Forward all GTP-c and GTP-u using IMSI-based hashing to tools T1 and T2
Send the rest of the traffic to a shared collector

Identifying Traffic from GTP Versions

In an LTE network, LTE sessions on the S1U/S11, S2, S3/S4 and S5/S8 interfaces are maintained using GTPv2 control plane signaling, while legacy 3G sessions on the Gn/Gp interfaces are maintained using GTPv1 control plane signaling. Utilizing the GTP Version filter allows traffic from 3G networks to be forwarded to 3G-focused tools while directing LTE traffic to LTE-specific tools. By correlating the control and user-plane sessions, Visibility Fabric nodes can identify, filter, and forward all sessions specific to GTPv1 or GTPv2 to one or more monitoring/analytic tools.

Distributing traffic based on GTP versions

Filter and forward GTPv1 to tool T1
Filter and forward GTPv2 to tool T2

Implementing GTP Correlated IMSI Whitelist along with GTP Correlated Subscriber Sampling

When GTP Correlated Subscriber Sampling is implemented, the network operator can determine how much subscriber traffic will be monitored. To make sure that high-value subscribers, or subscribers who need extra monitoring, are included, the operator can place them in a whitelist, which ensures their traffic is monitored regardless of the subscriber sampling percentage or random selection. As part of GTP correlation, Gigamon Visibility Fabric nodes provide the flexibility to identify up to 500,000 subscribers by IMSI in a named whitelist, ensuring that these subscribers are monitored with a higher priority and outside of sampling.

Below is an example use case of 70% subscriber sampling with a named set of IMSIs in the whitelist.
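The mechanics described in the sections above (learning the IMSI-to-TEID binding from GTPv2-C control messages, IMSI-hashed distribution across tools with a collector for unmatched traffic, checking the GTP version, and a whitelist that bypasses subscriber sampling) as an added Python example; this is illustrative code written for this page, not Gigamon's implementation. It assumes a simplified Create Session Request whose F-TEID IE sits at top level rather than inside a Bearer Context, and hashes the IMSI with SHA-256 for both the sampling decision and tool selection; IE type codes and header layouts follow 3GPP TS 29.274 and TS 29.281.

```python
import hashlib, struct

IE_IMSI, IE_FTEID = 1, 87            # GTPv2-C IE type codes (3GPP TS 29.274)
CREATE_SESSION_REQ, G_PDU = 32, 255  # GTPv2-C and GTP-U (TS 29.281) message types

def tbcd_decode(raw: bytes) -> str:
    """IMSI digits are packed two per byte, low nibble first; 0xF is filler."""
    return "".join(str(n) for b in raw for n in (b & 0xF, b >> 4) if n != 0xF)

def build_csr(imsi: str, s1u_teid: int) -> bytes:
    """Constructed Create Session Request (not a capture): flags 0x48 = v2 + T flag,
    header TEID 0, seq 1, an IMSI IE, and an IPv4 F-TEID IE (flattened to top level)."""
    tbcd = bytes(int((imsi + "F")[i + 1] + imsi[i], 16) for i in range(0, len(imsi), 2))
    ies = struct.pack("!BHB", IE_IMSI, len(tbcd), 0) + tbcd
    ies += struct.pack("!BHBBI4s", IE_FTEID, 9, 0, 0x80, s1u_teid, bytes([10, 0, 0, 1]))
    return struct.pack("!BBHI3sB", 0x48, CREATE_SESSION_REQ, len(ies) + 8, 0, b"\0\0\1", 0) + ies

def build_gpdu(teid: int, payload: bytes = b"") -> bytes:
    """Constructed GTP-U G-PDU: flags 0x30 (version 1, PT=1), no extension headers."""
    return struct.pack("!BBHI", 0x30, G_PDU, len(payload), teid) + payload

def parse_gtpv2c(pkt: bytes) -> dict:
    """Return version, message type and any IMSI / F-TEID IE present."""
    msg = {"version": pkt[0] >> 5, "type": pkt[1]}
    off = 12 if pkt[0] & 0x08 else 8         # T flag: 4-byte TEID in header
    while off + 4 <= len(pkt):
        ie_type, ie_len = struct.unpack("!BH", pkt[off:off + 3])
        val = pkt[off + 4:off + 4 + ie_len]  # 4th IE header byte = spare/instance
        if ie_type == IE_IMSI:
            msg["imsi"] = tbcd_decode(val)
        elif ie_type == IE_FTEID:            # val[0] = V4/V6 flags + interface type
            msg["teid"] = struct.unpack("!I", val[1:5])[0]
        off += 4 + ie_len
    return msg

def steer(imsi: str, whitelist: set, sample_pct: int, n_tools: int):
    """Whitelist always passes; others pass if hash bucket < sample_pct; fixed tool per IMSI."""
    h = int.from_bytes(hashlib.sha256(imsi.encode()).digest(), "big")
    sampled = imsi in whitelist or h % 100 < sample_pct
    return f"T{(h >> 64) % n_tools + 1}" if sampled else None   # None = not forwarded

def correlate(control_pkts, user_pkts, whitelist, sample_pct=70, n_tools=2):
    """Learn TEID->IMSI from Create Session Requests, steer GTP-U by IMSI; unknown -> collector."""
    teid_to_imsi = {}
    for m in map(parse_gtpv2c, control_pkts):
        if m["version"] == 2 and m["type"] == CREATE_SESSION_REQ and "imsi" in m:
            teid_to_imsi[m.get("teid")] = m["imsi"]
    imsis = [teid_to_imsi.get(struct.unpack("!I", p[4:8])[0]) for p in user_pkts]  # GTP-U TEID
    return [steer(i, whitelist, sample_pct, n_tools) if i else "collector" for i in imsis]
```

Because the tool is chosen by hashing the IMSI rather than the TEID, every bearer of one subscriber lands on the same tool even as TEIDs change across sessions.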

Additional Traffic Intelligence

In addition to GTP correlation, the Gigamon Visibility Fabric provides further traffic intelligence features such as:

Adaptive Packet Filtering - provides a powerful filtering engine that identifies content based on signatures or patterns across any part of the packet, including the packet payload.

With the flexibility offered by adaptive packet filtering, IT operators can:

Filter across advanced encapsulation headers including VXLAN, VN-Tag, GTP, MPLS, etc., and inner (encapsulated) Layer 3/Layer 4 packet contents
Identify and mask credit card numbers and social security numbers in user-level transactions, and phone numbers exchanged in SIP packets
Within HTTP transactions, filter on URLs or on patterns in the User-Agent header, using PCRE anchors to identify packets
Filter on DNS queries for specific domain names

Application Session Filtering — an optional extension of GigaSMART® technology—provides a powerful filtering engine that identifies applications based on signatures or patterns that can appear across any part of the packet payload.

With the flexibility offered by Application Session Filtering, administrators can implement many useful use cases such as:

Filtering all Netflix and YouTube traffic so that it is not forwarded to monitoring appliances, preventing them from being overwhelmed by voluminous traffic.
Filtering Windows Update traffic so that it is not forwarded to monitoring and security appliances. Microsoft releases patches on the second Tuesday of every month (Patch Tuesday), and Windows machines worldwide are updated with these patches; this volume of traffic often overwhelms monitoring and security appliances worldwide.
Allowing https traffic on non-standard ports: SSL traffic (https) normally uses port 443, but servers can be configured to listen for https on any port. If this traffic needs to be sent for inspection or to a decryption device, Application Session Filtering can be configured to look for https traffic on any port.
Filtering email traffic to forward only emails with links or attachments, as these are most relevant to email security appliances; emails containing only text are typically not a vector of infection.
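Application identification by payload signature rather than by port, as described for Application Session Filtering above, shown as an added Python example (not Gigamon's code): it recognises a TLS ClientHello on any TCP port, extracts the SNI, and decides whether the flow is OTT video to keep away from the tools or other TLS to hand to a decryption device. The OTT domain list and the 'drop', 'decrypt' and 'tools' labels are constructed for the example.

```python
import struct

# Constructed OTT video domain list for the example; a real deployment relies on the
# vendor's application signatures rather than a hand-written suffix list.
OTT_SUFFIXES = ("netflix.com", "nflxvideo.net", "youtube.com", "googlevideo.com")

def build_client_hello(sni: str) -> bytes:
    """Constructed minimal TLS 1.2 ClientHello: one cipher suite, one extension (SNI)."""
    host = sni.encode()
    sni_ext = struct.pack("!HHHBH", 0, len(host) + 5, len(host) + 3, 0, len(host)) + host
    body = b"\x03\x03" + bytes(32) + b"\x00"          # version, random, empty session id
    body += b"\x00\x02\x13\x01" + b"\x01\x00"         # one suite (0x1301), null compression
    body += struct.pack("!H", len(sni_ext)) + sni_ext
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body   # type 1 = ClientHello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake

def tls_sni(payload: bytes):
    """Return the SNI of a TLS ClientHello, or None if the payload is not one.
    The record and handshake bytes identify TLS; the TCP port is never consulted."""
    if len(payload) < 43 or payload[0] != 0x16 or payload[1] != 0x03 or payload[5] != 0x01:
        return None
    try:
        off = 43                                   # record(5) + hs hdr(4) + version(2) + random(32)
        off += 1 + payload[off]                    # session id
        off += 2 + struct.unpack("!H", payload[off:off + 2])[0]   # cipher suites
        off += 1 + payload[off]                    # compression methods
        end = off + 2 + struct.unpack("!H", payload[off:off + 2])[0]
        off += 2
        while off + 4 <= end:
            etype, elen = struct.unpack("!HH", payload[off:off + 4])
            if etype == 0:                         # server_name: list len(2), type(1), len(2), name
                name_len = struct.unpack("!H", payload[off + 7:off + 9])[0]
                return payload[off + 9:off + 9 + name_len].decode("ascii", "replace")
            off += 4 + elen
    except (IndexError, struct.error):             # truncated or malformed hello
        pass
    return None

def classify(payload: bytes) -> str:
    """'drop' = OTT video kept away from the tools, 'decrypt' = any other TLS flow,
    'tools' = everything else. Labels are constructed for this example."""
    sni = tls_sni(payload)
    if sni is None:
        return "tools"
    if any(sni == s or sni.endswith("." + s) for s in OTT_SUFFIXES):
        return "drop"
    return "decrypt"
```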

De-duplication: remove duplicate packets caused by inter-VLAN communication or incorrect switch configuration

ERSPAN termination: terminate ERSPAN tunnels to consolidate, filter, and forward relevant ERSPAN traffic to security tools, and translate the ERSPAN III timestamp into a format readable by monitoring tools.