Series 90 DFX Equipment Technical White Paper-V1 3_EN
Technical White Paper for Series 90 DFX Equipment

Communication Data Reconnaissance Station System System Design Manual

CEIEC

Contents

1 Overview
1.1 Product positioning
1.2 Product advantages
1.3 Production form
2 System architecture
2.1 System hardware architecture
2.2 System software architecture
3 System specifications
3.1 Technical specifications
3.2 Service processing board
3.2.1 48-port 10GE
3.2.2 24-port 10GE
4 Functional characteristics
4.1 Advanced application identification technology
4.2 Full-traffic logging
4.3 Fine traffic distribution based on application
4.4 Key metadata extraction
5 Typical application
5.1 Ordinary deployment
5.2 Network auditing
5.3 Traffic control

1 Overview

1.1 Product positioning

With the spread of intelligent terminals and the rapid development of network technologies, new types of service keep appearing and the number of application categories and operating systems keeps growing, so application perception and service segmentation have become pressing needs.

Series 90 DFX Equipment has a built-in DPI module capable of deep message parsing and application protocol parsing. It obtains behavior data from the relevant fixed networks and mobile Internet in real time and supplies it to the back-end service system, giving the back-end a rapid, comprehensive and professional technical base for displaying user behavior, application characteristics and security situation analysis.

DFX Equipment supports independent deployment, as well as use combined with serial-connection equipment or with traffic-distributing and parallel-connection equipment. When it is deployed integrated with serial-connection equipment, the traffic data obtained by the serial-connection equipment is sent to DFX for traffic parsing and then sent to the back-end service system for in-depth analysis.
Next, the updated policy is written into the serial-connection equipment to achieve network management. When it is deployed integrated with traffic-distributing equipment, in addition to the functions of the existing traffic-distributing equipment, the new DPI module performs finer screening of data traffic: it relies not only on the quintuple or keyword ACL of the traditional mode, but also on raising perception from the layer 3/4 message structure to the layer 7 application, to achieve more accurate data segmentation and convergence.

1.2 Product advantages

Series 90 DFX has the following product advantages:

• Massive and accurate application identification at the access collection layer
    Provides finer identification granularity compared with flow/connection/sessions;
    The identification method is superior to pattern matching.

• Rich full-traffic logs for the back-end big data and service system, to realize holographic and visual user behavior
    Contact and user logs;
    Compatible with the standard big data format specification;
    Full-traffic logs effectively supplement the existing system.

• Flexible deployment
    Supports integrated deployment with the traffic-distributing equipment or the serial-connection equipment;
    Can also be installed externally to the traffic-distributing equipment and is compatible with the existing system.

• Superior performance that effectively meets long-term development needs such as service expansion
    Each DPI single board has up to 100Gbps processing performance;
    The whole equipment has up to 2Tbps processing performance.

• Telecommunications-class reliability
    Operator-class software and hardware architecture design;
    Actual deployment exceeding 20Tbps bandwidth.
• Convenient operation and maintenance
    Hot upgrade of the application plug-in library without service interruption;
    Graphical management interface, what you see is what you get.

1.3 Production form

Series 90 DFX Equipment is composed of four models, namely 9002, 9005, 9012 and 9020, detailed below:

Figure 1-1 Product form

2 System architecture

2.1 System hardware architecture

The system hardware of the product uses a distributed architecture, so the service processing boards can be configured flexibly for the actual application to achieve large-capacity, high-density service processing.

Figure 2-1 System hardware architecture

The service processing board accesses the traffic, processes and analyzes the service, and outputs the log file. If a service needs processing across single boards, it can be forwarded to the destination service processing board over the high-speed backboard. The backboard switching matrix can work in redundancy mode or in load balancing mode.

Table 2-1 Hardware architecture

Master control switching board: The single board consists of the master control unit and the switching unit of the equipment. The latter completes the data switching among all service processing boards, provides 1+1 host-backup redundancy and reaches telecommunications-class reliability.

Backboard: Provides Crossbar/CLOS switching and currently provides 480Gbps of switching bandwidth per slot.

Service processing board: The main processing chip is an MCP chip, which provides external physical ports for traffic classification processing on L4-L7.

2.2 System software architecture

The system software of Series 90 DFX products uses a modular functional design, which keeps all functions independent of one another, lowers software coupling and program dependence, and reduces the failure rate and the impact of faults.
Figure 2-2 System software architecture

DFX system software is mainly composed of the application classification and identification module and the flow management module.

The application classification module is further divided into the initialization module, the control module, the application data extraction module, the application identification engine and the application protocol library, and is realized mainly on the service processing board. The initialization module and the control module are inherent modules of the software, mainly in charge of loading and controlling the other modules. The application data extraction module is in charge of extracting the application data from traffic. The application identification engine compares the traffic data with the protocol library to achieve identification. The application protocol library is continuously updated online so that it stays current.

The flow management module is divided into L2-L4 protocol parsing, tunnel management, flow table, IP fragmentation and reassembly, TCP flow restoration, quintuple screening and feature code screening. Fine traffic distribution is achieved mainly through cooperation between the circuit processing board and the service processing board. It mainly targets processing operations on the traffic or the flow table.

Figure 2-3 DFX product data packet processing process

Data traffic enters DFX, which identifies traffic information such as the application ID and the metadata via the application plug-in library in the application perception engine, and outputs the holographic log of all traffic. In addition, detailed application-layer rules can be configured for fine traffic distribution, and both the full-traffic data and the finely classified traffic are output to the back-end service system.
3 System specifications

3.1 Technical specifications

Table 3-1 Technical specifications

Product: 9002, 9005, 9012, 9020

Physical parameters
    Dimension (mm):
        175mm (height) 442mm (width) 450mm (depth)
        440mm (height) 442mm (width) 450mm (depth)
        755mm (height) 442mm (width) 450mm (depth)
        1775mm (height) 442mm (width) 512mm (depth)
    Weight: 27kg, 52kg, 89kg
    400,000h
    MTTR: 30min
    Hot plug: The master control board and all the service interface boards support hot plug
    Redundant backup: Master control module and power supply module

Power supply consumption
    Power supply condition:
        AC power supply: 100V240V, 50Hz 60Hz
        DC power supply: -57V-40V
        High voltage and DC: 192V 400V
    Power consumption of a single board: The maximum power consumption of a single-slot processing board is 350W
    Full-load power consumption: 850W, 1750W, 4200W, 7200W

Environment requirement
    Environment temperature:
        Operating environment temperature: -0+45
        Storage environment temperature: -40+70
    Environment humidity: 10%-90% relative humidity (no condensation)
    Anti-seismic: Resist M7 earthquake
    Lightning protection: 4KV

3.2 Service processing board

3.2.1 48-port 10GE

This board provides 48 10-gigabit Ethernet interfaces and performs packet processing from L2 to L7 to satisfy complex applications in actual networking. The optical module used by this board is a pluggable SFP optical module, and any port supports the several distances common to 10-gigabit Ethernet.

Figure 3-1 48-port 10GE

3.2.2 24-port 10GE

This board provides 24 10-gigabit Ethernet interfaces and performs packet processing from L2 to L7 to satisfy complex applications in actual networking. The optical module used by this board is a pluggable SFP optical module, and any port supports the several distances common to 10-gigabit Ethernet.

Figure 3-2 24-port 10GE

4 Functional characteristics

4.1 Advanced application identification technology

DFX supports accurate application identification technology.
It can currently identify over 30,000 applications, including over 60 large application categories such as chatting, Internet access, video, e-mail and VPN, and supports nearly 100 common protocol types such as HTTP, P2P, DNS and POP3. It covers PC terminals, mobile terminals and various operating systems, and supports continuous updating of protocol features.

At present, DFX equipment uses the two identification technologies below:

• Explicit identification: Matches based on the field information features of the application protocol.

• Implicit identification:
    Performs matching identification on a single data packet;
    Extracts identification information from multiple data packets in the same session for matching;
    Performs associated matching identification on multiple data packets in different sessions;
    Performs comprehensive analysis and identification based on a statistical model for private protocols that cannot be reverse-analyzed or that are encrypted.

4.2 Full-traffic logging

Under the traditional mode, 70% of data traffic is dropped directly even though it may contain useful information, which makes tracing difficult when an incident occurs later. DFX, however, has a built-in DPI module capable of full-traffic parsing and log output, so it can identify and parse all accessed traffic and convert it into logs that are transmitted to the back-end big data analysis system as an effective supplement to traffic restoration, to realize holographic and visual user behavior.

Logs available now include:

• Contact log: Includes terminal ID, application ID, service IP, time, traffic statistics, HTTP URL access, DNS query, as well as login and exit of specific applications;

• User log: User ID, terminal ID and location information of the mobile network.
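The explicit identification described in section 4.1, as an added example that is not DFX code: a small classifier that recognizes HTTP, DNS and POP3 (protocols the paper names) from protocol field features in the payload, set beside a port-only guess. The function names, the signature set and the sample payloads are assumptions constructed for illustration.

```python
import struct

HTTP_METHODS = (b"GET ", b"POST ", b"HEAD ", b"PUT ", b"DELETE ", b"OPTIONS ")
PORT_TABLE = {80: "HTTP", 53: "DNS", 110: "POP3"}  # port-only guess, for contrast

def is_http_request(p: bytes) -> bool:
    """Request line must be: METHOD SP target SP HTTP/1.x CRLF."""
    if not p.startswith(HTTP_METHODS):
        return False
    line, crlf, _ = p.partition(b"\r\n")
    parts = line.split(b" ")
    return bool(crlf) and len(parts) == 3 and parts[2] in (b"HTTP/1.0", b"HTTP/1.1")

def is_dns_query(p: bytes) -> bool:
    """UDP DNS query: 12-byte header, QR=0, opcode 0, one well-formed question."""
    if len(p) < 17:
        return False
    _id, flags, qd, an, ns, _ar = struct.unpack("!6H", p[:12])
    if flags >> 15 or (flags >> 11) & 0xF or qd != 1 or an or ns:
        return False
    i = 12
    while i < len(p) and p[i] != 0:      # walk the QNAME labels
        if p[i] > 63:                    # a label length is at most 63
            return False
        i += p[i] + 1
    return i + 5 <= len(p)               # terminator + QTYPE + QCLASS present

def is_pop3_greeting(p: bytes) -> bool:
    """Server greeting is a single '+OK ...' line."""
    return p.startswith(b"+OK") and p.endswith(b"\r\n") and p.count(b"\r\n") == 1

SIGNATURES = [("HTTP", is_http_request), ("DNS", is_dns_query), ("POP3", is_pop3_greeting)]

def identify(payload: bytes) -> str:
    """Return the first application whose field features match the payload."""
    for app, matches in SIGNATURES:
        if matches(payload):
            return app
    return "UNKNOWN"

def label_flow(dst_port: int, payload: bytes) -> tuple:
    """(port-based guess, payload-based identification) for one flow."""
    return PORT_TABLE.get(dst_port, "UNKNOWN"), identify(payload)

# Constructed sample payloads, not captured traffic.
HTTP_SAMPLE = b"GET /index.html HTTP/1.1\r\nHost: example.com\r\n\r\n"
DNS_SAMPLE = (struct.pack("!6H", 0x1A2B, 0x0100, 1, 0, 0, 0)
              + b"\x07example\x03com\x00" + struct.pack("!2H", 1, 1))
TLS_SAMPLE = b"\x16\x03\x01\x00\x05\x01\x00\x00\x01\x00"

if __name__ == "__main__":
    for port, data in [(8080, HTTP_SAMPLE), (53, DNS_SAMPLE), (80, TLS_SAMPLE)]:
        print(port, label_flow(port, data))
```

The two labels disagree for HTTP on port 8080 and for non-HTTP bytes on port 80, which is the case where field-feature matching adds information over the quintuple.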
4.3 Fine traffic distribution based on application

DFX products support application-based fine traffic distribution, and the priority of all classification rules can be configured.

Figure 4-1 Fine traffic distribution

In addition to traffic distribution according to application ID rules, DFX also supports:

• Traffic classification according to the Internet access account;
• Traffic classification according to the physical location information;
• Traffic classification according to special rules (such as HTTP URL rules).

Moreover, DFX supports combining the traffic distribution rules above and configuring multiple priorities.

4.4 Key metadata extraction

Metadata refers to key descriptive information about data and information resources; the e-mail sender and LBS information (a user's longitude and latitude information), for example, both fall within the scope of metadata. Figure 6 displays the segmentation of the e-mail metadata.

Figure 4-2 Segment of the e-mail metadata

DFX currently supports extraction of 300+ kinds of metadata. This includes not only basic metadata such as the HTTP website, but also metadata types of characteristic services:

• LBS information: Accurate location information, and longitude and latitude information provided by the user application;
• User name/password: Login user name and password information transmitted in plaintext for certain applications;

5 Typical application

5.1 Ordinary deployment

Figure 5-1 (Integrated) deployment scenario of DFX coordinating with the big data platform

As shown in the figure above, DFX equipment supports integrated or independent deployment and can be applied to traffic parsing of both the fixed network and the mobile Internet. When traffic of the fixed network and mobile Internet passes through DFX, it is subject to efficient service identification and segmentation in the DFX equipment.
Low-value data (such as videos) is converged or terminated in the equipment. The traffic the customer is concerned with is segmented into specific services and sent to the corresponding data restoration equipment. Other traffic is sent by the DFX equipment in the form of logs to the back-end big data platform, for in-depth data mining and service implementation by the back-end big data system.

5.2 Network auditing

Figure 5-2 Network audit deployment scenario (figure labels: Output of government and enterprise networks; Network traffic statistics; APP traffic statistics; Feature traffic statistics; Abnormal traffic statistics; Log data; Enterprise gateway; Traffic-distributing equipment; Fixed dialing)

As shown in the figure above, traffic-distributing equipment can be placed in front of DFX and export part or all of the traffic to it. DFX then relies on its application identification and full-traffic logging functions, or on the configured feature rules, to identify feature or abnormal traffic and to output and display log data, to achieve network traffic statistics, APP t
