
PMI Flow Based CoS functions for GTP-U

28-Nov-23

Power-Mode IPsec (PMI) is a new mode of operation that provides IPsec performance improvements.

PMI Flow Based CoS functions for GTP-U scenario with TEID Distribution and Asymmetric Fat Tunnel Solution

With non-GTP traffic, the per-flow CoS solution assumes that all the packets of the same session have the same DSCP value. This does not work for GTP-U because it carries different user data, so there will be different DSCP code points for the same 5-tuple GTP session. If you combine the GTP-U session distribution solution with the per-flow CoS solution, you can provide per-flow CoS for the GTP-U scenario even if it carries multiple streams with different DSCP codes inside one GTP tunnel.

The following information gives an overview of TEID-based hash distribution and the asymmetric fat tunnel solution.

TEID based hash distributions: GTP-U uses the fixed UDP port 2152 as both its source port and destination port. Data streams from different users may be multiplexed within a single flow session, so the 5-tuple is not enough to separate these data streams. There is a 4-byte field inside the GTP payload called the tunnel endpoint identifier (TEID), which is used to identify different connections in the same GTP tunnel. To migrate the GTP sessions to the anchor PIC, you need IPsec session affinity. Hence, a 6-tuple (including TEID) hash distribution is introduced for creating GTP-U sessions on different cores of the anchor PIC, instead of creating GTP-U sessions only on the anchor PIC.

Figure 1: LTE Networking Architecture

Figure 1 shows a typical LTE network architecture where an SRX Series Firewall is deployed as a security gateway. A fat GTP tunnel carries data from different users. IPsec tunnels on the security gateway could be fat tunnels because of the fat GTP tunnel. The SRX Series Firewall can create one GTP session for high-bandwidth GTP traffic. However, the throughput is limited to the performance of one processor core.

If you use TEID-based hash distribution for creating GTP-U sessions when PMI and IPsec session affinity are enabled, the following events take place:

You can enable an SRX Series Firewall to process asymmetric fat tunnels (example: 30 Gbps in the encryption direction and 3 Gbps in the decryption direction) because PMI provides parallel encryption on multiple cores for one tunnel.

You can split a fat GTP session into multiple sessions and distribute them to different cores. This helps to increase the bandwidth for a fat GTP tunnel on the SRX Series Firewalls.

Asymmetric fat tunnel solution: SRX Series Firewalls support asymmetric fat tunnels because PMI provides parallel encryption on multiple cores for one tunnel. The TEID-based hash distribution is introduced for creating GTP-U sessions on multiple cores of the anchor PIC. When both PMI and IPsec session affinity are enabled, the clear-text traffic acts as a fat GTP tunnel. This allows a fat GTP session to be split into multiple slim GTP sessions that are handled on multiple cores simultaneously.

Figure 2: Fat GTP Tunnel Processing

Figure 2 shows how a fat tunnel is processed when TEID-based hash distribution is used for creating GTP-U sessions.

On the encryption path, when one GTP tunnel with a single 5-tuple enters, the Input/Output card (IOC) distributes the traffic to different cores according to a hash of the 6-tuple, which includes the TEID. If the traffic is destined for the same IPsec tunnel, flow creates multiple GTP sessions on different cores of the anchor SPU.

The flow installs multiple NP caches on the IOC and when subsequent packets hit the NP cache, they are distributed to different cores on the anchor SPU.
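The distribution described above can be modelled offline. This is an added example, not Juniper code: it reads the TEID from a GTPv1-U header and compares 5-tuple and 6-tuple hashing for one fat tunnel. The CRC32 hash, the core count of 8, and the sample addresses and TEIDs are assumptions made for illustration.

```python
import struct
import zlib
from collections import Counter

GTPU_PORT = 2152   # GTP-U uses this fixed UDP port for source and destination
NUM_CORES = 8      # assumption: number of cores available on the anchor PIC

def build_gpdu(teid: int, payload: bytes) -> bytes:
    """Constructed sample: minimal GTPv1-U G-PDU (flags 0x30, message type 0xFF)."""
    return struct.pack("!BBHI", 0x30, 0xFF, len(payload), teid) + payload

def parse_teid(gtp: bytes) -> int:
    """Extract the 4-byte TEID from the mandatory 8-byte GTPv1-U header."""
    if len(gtp) < 8:
        raise ValueError("truncated GTP-U header")
    flags, _msg_type, _length, teid = struct.unpack("!BBHI", gtp[:8])
    if flags >> 5 != 1 or not flags & 0x10:
        raise ValueError("not a GTPv1 (PT=1) header")
    return teid

def pick_core(src, dst, sport, dport, proto, teid=None) -> int:
    """Hash the 5-tuple, or the 6-tuple when a TEID is supplied, to a core index.
    CRC32 is a stand-in; the hash the device uses is not given on the page."""
    key = f"{src}|{dst}|{sport}|{dport}|{proto}".encode()
    if teid is not None:
        key += struct.pack("!I", teid)
    return zlib.crc32(key) % NUM_CORES

def distribute(packets, use_teid: bool) -> Counter:
    """Count packets per core for one fat GTP tunnel (a single outer 5-tuple)."""
    outer = ("192.0.2.10", "198.51.100.20", GTPU_PORT, GTPU_PORT, 17)
    cores = Counter()
    for pkt in packets:
        teid = parse_teid(pkt) if use_teid else None
        cores[pick_core(*outer, teid)] += 1
    return cores

# Constructed traffic: 64 subscriber bearers (TEIDs), 10 packets each, one tunnel.
SAMPLE = [build_gpdu(0x1000 + t, b"user-data") for t in range(64) for _ in range(10)]

if __name__ == "__main__":
    print("5-tuple:", dict(distribute(SAMPLE, use_teid=False)))
    print("6-tuple:", dict(distribute(SAMPLE, use_teid=True)))
```

Every packet with the same TEID lands on the same core, so each slim session keeps a stable home while the fat tunnel as a whole is spread out.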

Configurations to enable PMI and GTP

The following configuration helps to enable PMI and GTP.

Before you begin, determine the following:

Understand how to establish PMI and GTP. Per-flow CoS functions for GTP-U traffic are available in PMI mode. TEID-based hash distribution creates GTP-U sessions on multiple cores of the anchor PIC when both PMI and IPsec session affinity are enabled. TEID-based hash distribution can help split a fat GTP session into multiple slim GTP sessions and process them on multiple cores in parallel. With this enhancement, per-flow CoS for GTP-U traffic is enabled even when the traffic carries multiple streams with different DSCP codes within one GTP tunnel.

The following steps explain how to enable PMI and GTP sessions:

  1. Set NP cache mode.
    [edit]
    user@host# set chassis fpc 1 np-cache
    
  2. Configure power-mode IPsec. When IPsec is enabled, the IPsec tunnel could be a fat tunnel due to the fat flow session.
    [edit security]
    user@host# set flow power-mode-ipsec
    
  3. Configure GTP-U session distribution.
    [edit security]
    user@host# set forwarding-process application-services enable-gtpu-distribution
    
  4. Enable IPsec session-affinity.
    [edit security]
    user@host# set flow load-distribution session-affinity ipsec
    
  5. From the configuration mode, confirm your configuration by entering the show command.
    [edit security]
    user@host# show 
    flow {
        load-distribution {
            session-affinity {
                ipsec;
            }
        }
        power-mode-ipsec;
    }
    forwarding-process {
        application-services {
            enable-gtpu-distribution;
        }
    }
    
  6. Commit the configuration.
    [edit security]
    user@host# commit
    
  7. Reboot the device, because NP cache requires a reboot to take effect.