
The need for an effective packet core in IoT: A guide to choosing the right GTP solution

  • oldrosunpe
  • Aug 12, 2023
  • 6 min read


Thus, in order to counter dynamically and on demand those cyber-threats in a 5G-enabled IoT network, the network operator might need to filter, mirror, divert, and differentiate IoT packets in the edge access network and in the core of the 5G network. Ideally, this traffic control and management should be performed accordingly at any packet encapsulation level required in LTE/5G Networks. This may include multiencapsulation required to support user mobility and carrier-isolation, any field of the inner packet headers, the tenant the IoT device is associated with, or even any field of a particular IoT-specific protocol, e.g., the Constrained Application Protocol (CoAP) [8], used by the affected IoT device, among others.








Our proposed filtering mechanism in this paper allows inspecting and analyzing traffic without having to create any tunnel interfaces to deencapsulate the traffic. It allows filtering beyond the first encapsulated layer and dealing with any packet and header of any inner encapsulated traffic to cope with mobility and multitenancy requirements of virtualized 5G networks. The filtering predicates allow classifying packets in Linux kernel space based on any packet fields in any header and encapsulated packet. The benefits are manifold, encompassing scalability, performance, and flexibility, since there is no need to create a tunnel interface to perform the deencapsulation, and traffic filtering in kernel space provides an efficient approach.


There are a number of specific requirements for network traffic filtering in 5G IoT networks, listed as follows:

(i) Multitenant support: in 5G architectures, the network functional blocks are virtualized as VNFs, and different network operators, carriers, and verticals can share the physical infrastructure. The packets need to be encapsulated (e.g., in VXLAN) to differentiate the traffic among them, for management and security reasons. The filtering system needs to deal with this encapsulation.

(ii) Mobility support: LTE and 5G networks are subject to the mobility of the UE and, in this case, the mobility of the IoT devices. Although in NB-IoT handover is not supported in a connected stage, cell reselection is supported in the idle state. Mobility in 5G architectures means that packets need to be encapsulated towards the mobility anchor component (UPF in 5G), e.g., using the GTP protocol. The traffic filter will need to be able to handle these encapsulation headers directly.

(iii) Application layer filtering: the network traffic filtering system should allow filtering packets for any header/field of any protocol of the OSI stack, including IoT application layer protocols such as CoAP [8].

(iv) Scalability: although NB-IoT is a Low-Power Wide-Area Network (LPWAN) protocol that requires a low bit data rate, the CIoT-RAN and the core of the 5G network will need to cope with the packets of massive numbers of IoT devices. Therefore, the network filter(s) will need to efficiently manage the packet filtering process for numerous devices.

(v) Dynamic management: IoT networks are volatile and traffic is subject to changing security conditions. Therefore, the management framework needs to automatically adapt the security filtering policies, by enforcing and decommissioning the rules dynamically according to the actual context obtained from real-time monitoring. This dynamic and intelligent management requires relying on softwarized network management and Network Function Virtualization (NFV) technologies for handling such adaptation.

(vi) Uplink/downlink differentiation: 5G architectures require having two different Tunnel Endpoint Identifiers (TEIDs) per user, which needs to be handled by the management framework and the filtering agent.

(vii) Nested encapsulation: the filtering agent needs to support nested encapsulation for handling simultaneously the traffic encapsulation for both mobility and multitenancy.
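The header walk that requirements (ii), (iii), (vi) and (vii) imply, as an added example that is not the paper's kernel-space implementation: user-space Python that reads the VXLAN VNI (tenant), the GTP-U TEID (per-direction tunnel) and the CoAP code in place, without decapsulating. The layer order (VXLAN outermost, then GTP-U, then CoAP over UDP/IPv4), the function names and the sample packet are assumptions constructed for illustration.

```python
import struct

VXLAN, GTPU, COAP = 4789, 2152, 5683  # IANA-registered UDP ports

def udp_payload(buf, off, port):
    """Offset of the UDP payload of the IPv4 packet at off, or None on mismatch."""
    ihl = (buf[off] & 0x0F) * 4 if off < len(buf) else 0
    end = off + ihl + 8
    if ihl < 20 or len(buf) < end or buf[off] >> 4 != 4 or buf[off + 9] != 17:
        return None
    return end if struct.unpack_from("!H", buf, end - 6)[0] == port else None

def classify(buf):
    """Return {vni, teid, coap_code} read in place, or None if the stack differs."""
    off = udp_payload(buf, 0, VXLAN)
    if off is None or len(buf) < off + 22 or not buf[off] & 0x08:
        return None                               # I flag clear: no valid VNI
    vni = int.from_bytes(buf[off + 4:off + 7], "big")
    if buf[off + 20:off + 22] != b"\x08\x00":     # inner Ethernet ethertype
        return None
    off = udp_payload(buf, off + 22, GTPU)
    if off is None or len(buf) < off + 12:
        return None
    flags, mtype, _, teid = struct.unpack_from("!BBHI", buf, off)
    if flags >> 5 != 1 or mtype != 0xFF:          # GTPv1 G-PDU only
        return None
    off += 12 if flags & 0x07 else 8              # E/S/PN add a 4-byte word
    nxt = buf[off - 1] if flags & 0x04 else 0     # first extension header type
    while nxt:                                    # e.g. 0x85 PDU Session Container
        n = buf[off] * 4 if off < len(buf) else 0
        if n == 0 or len(buf) < off + n:
            return None                           # malformed or truncated chain
        off, nxt = off + n, buf[off + n - 1]
    off = udp_payload(buf, off, COAP)
    if off is None or len(buf) < off + 4 or buf[off] >> 6 != 1:
        return None
    return {"vni": vni, "teid": teid, "coap_code": buf[off + 1]}

def ip_udp(dport, payload):  # constructed headers: zero addresses and checksums
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 28 + len(payload), 0, 0, 64, 17, 0, bytes(4), bytes(4))
    return ip + struct.pack("!HHHH", 40000, dport, 8 + len(payload), 0) + payload

def sample(vni=42, teid=0x1001, ext=False):
    """Constructed test packet: CoAP GET inside GTP-U inside VXLAN."""
    pdu = ip_udp(COAP, bytes([0x40, 0x01, 0x12, 0x34]))
    opt = bytes([0, 0, 0, 0x85, 1, 0x10, 0x01, 0]) if ext else b""
    gtp = struct.pack("!BBHI", 0x34 if ext else 0x30, 0xFF, len(opt + pdu), teid) + opt + pdu
    frame = bytes(12) + b"\x08\x00" + ip_udp(GTPU, gtp)
    return ip_udp(VXLAN, struct.pack("!II", 0x08 << 24, vni << 8) + frame)
```

A rule for one device direction is then a match on the returned `vni` and `teid`, optionally narrowed by `coap_code`; uplink and downlink need separate rules because their TEIDs differ.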


NB-IoT networks are expected to deal with up to 52,500 devices per cell [6], meaning that, even with low-rate packets per second, the filtering system will need to scale up properly to handle a huge amount of packets in the mobile backhaul. In the worst case there could be a filtering rule per device; however, with current software-based filtering implementations it is not feasible to handle such large quantities of rules and massive traffic in just one firewall. Moreover, this is further complicated in light of the complex rules defined herein that require inspecting the packets according to multiencapsulation imposed in 5G-based NB-IoT networks.


The set of experiments indicated in Table 3 aims to validate the feasibility of the proposed traffic filtering mechanism for handling the traffic coming from thousands of NB-IoT devices in the core of a multitenant 5G network, simulating a low-rate DDoS attack that might send packets every 30s to keep connections/sessions open and collapse the target service. To this end, each experiment increases the number of loaded filtering rules exponentially (powers of 2) through 1, 2, 4, 8, 16, 32, 64, 128, 256, 512, 1024, 2048, 4096, 8192, 16384, and 32768, according to the packets per second that arrive at the filtering agent. In the worst case in terms of scalability, the administrator would need the finest-grained control of the traffic, and thus one rule for each service running on each NB-IoT device in the infrastructure. Usually, one NB-IoT device hosts one service. Therefore, a 1:1 correspondence between the number of filtering rules and devices can be assumed in the experiments. In summary, four different infrastructures are analyzed against three different rule complexities, and each of these scenarios is run against the different numbers of rules described above.


One of the key challenges for enterprises interested in using LoRaWAN is operating an NS as part of a privately managed network. An NS is required to manage LoRaWAN device and gateway connections. LoRaWAN gateways serve as a bridge between the LoRa devices and the NS in the cloud. Today, enterprise network engineers have two options; either operate an in-house NS, or use a commercially managed NS service. When operating in-house, engineers invest in custom development work starting with an open-source or licensed NS software and combining it with multiple AWS services, which is time-consuming and distracts from core business goals. It also incurs the operational overhead of managing the associated infrastructure and providing technical assistance to internal teams building applications. Alternatively, when using commercially managed NS services, customers find the accompanying up front license or subscription-based bundle pricing costly to operate. Lastly, network engineers also need to make it easy for developers in their company to deliver business applications and solutions with the data collected from connected devices.


Cisco has a large footprint and supports more than 15 virtual networks as part of its Network Functions Virtualization (NFV) portfolio for carriers, and more than 350 Packet Core Customers across the globe. Carriers, such as AT&T in North America, are focused on using NFV with the packet core on network elements and services that attach to the packet core, such as Voice over LTE infrastructure, firewalls, and load balancers.


Since the network can effectively override the PSM values for a device, IoT devices need to effectively communicate their sleep duration to the LwM2M Servers to prevent de-registration. The LwM2M Client must send a registration update to extend the lifetime of the registration based on the configured PSM values.


Unlike in most 4G networks based on purpose-built appliances, the 5G packet core is implemented as virtualized or cloud-native software running on servers located within edge and core data centers. As CSPs worldwide scale up the deployments of their 5G networks, they face strong financial pressure to maximize the number of users that can be supported on each server, whether individual subscribers or IoT devices, thereby minimizing the net cost-per-user.


Napatech addresses the key business challenges around packet core deployments through its new, integrated hardware/software solution that delivers UPF performance. The solution comprises a fully offloaded UPF fast path implemented within the Link-Inline software stack, running on programmable PCI-Express (PCIe) SmartNICs available in configurations that support a total bandwidth of either 100Gbps (NT100 card) or 200Gbps (NT200 card).


To help manage the migration of cellular networks from LTE to the 5G New Radio standard, the 3GPP codified two deployment modes for 5G networks: Non-Standalone Architecture (NSA) and Standalone Architecture (SA). NSA 5G leverages existing networking infrastructure, while SA 5G modernizes core network infrastructure to suit the myriad needs of enterprise.


Standalone 5G does not depend on an LTE EPC to operate. Rather, it pairs 5G radios with a cloud-native 5G core network. The 5G core itself is designed as a Service Based Architecture (SBA) which virtualizes network functions altogether, providing the full range of 5G features enterprise needs for factory automation, autonomous vehicle operation, and more.


Packet cores are fundamental to a mobile network and a lot of innovation in the telecom industry is focused on making the packet cores efficient, open and cost effective. This in turn democratizes the access to mobile networks and their builders to new regions and subscribers. This innovation is the right step towards closing the digital divide gap.


Today we rely upon smart and connected technologies not only for basic communications but also to drive devices and machines which need to work at faster speeds with lower latency. While 5G gets all the buzz for the opportunity it unlocks, the current 5G infrastructure in the U.S. is not established enough to support widespread, cost-effective adoption of 5G in both public and private network use cases.


 
 
 
