bf91064beee7a2a1cc4fa23ba00dc26c.ppt
- Number of slides: 21
Juniper Carrier AAA roadmap
May 2008
Bart Brinckman
bbrinckman@jnpr.net
Copyright © 2007 Juniper Networks, Inc. www.juniper.net
The Current Identity and Policy Management portfolio
The Identity and Policy portfolio
[Diagram: three layers separated by OPEN INTERFACES]
Service labels: FR VPN ATM VPN PSTN IPTV Home VoIP Internet Video Telephony Mobile VoIP Video Roaming FMC Push to Talk Provider Unique Services
Middle labels: Policy Signaling Specific Security
Network labels: Wireless Access CPE Edge Core Data Center
Routing and Security Portfolio: Industry-leading packet handling and security solutions for thousands of customers worldwide
AAA functions today: different products aimed at solving different problems
[Diagram labels: Access Network xDSL Network Attachment SBR/SPE UMA Femtocell Resource Assignment SBR/SLM Public Wi-Fi GPRS/UMTS SBR/HA Policy Network Mobility Service Delivery SBR/MIM CDMA 1xRTT/EvDO Network Identity WiMAX (simple IP & proprietary) SBR/SIM Charging & Billing IMS AAA]
Policy Engine: Any Service - On Demand
Subscriber Initiated – Self Service
Portal Server with SRCPE portal API
• Turbo
• Tiered Internet
Application Initiated
Walled Garden + Over the Top (Web 2.0)
• VoD
• Games
• Streaming Media
• Video Conferencing
SOAP
IMS Service Complex
• VoIP
• Video Telephony
• Multi-media
DIAMETER
SRC
Service Profile Initiated
• Activate on Login
• ToD Activated
• Volume/Time Controlled Acces
Network Detection Initiated
Core DPI or IDP Platforms
• P2P Controls
• Threat Mitigation
Carrier AAA Roadmap
Legal statement
This product roadmap sets forth Juniper Networks’ current intention and is subject to change at any time without notice. No purchases are contingent upon Juniper Networks delivering any feature or functionality depicted on this roadmap.
AAA Evolution to FMC and WiMAX
[Diagram labels: Wireline GSM/UMTS SBR/HA SBR/SPE SBR/HA WiMAX SBR/Carrier SBR/SIM SBR/MIM CDMA WiFi/UMA]
One AAA to Manage All Access
§ A centralized AAA architecture that supports all access technologies and user credentials is an important element of the NGN network
§ A benefit of centralizing AAA is that it allows for the centralization of subscriber session information on the networks
§ Service delivery can be enhanced and new services can be delivered by leveraging this active subscriber database.
[Diagram labels: LDAP Services PKI Sessions DSL UMA GPRS/UMTS Applications/ CDMA WiMAX]
Step 1: SBR Carrier v7.0
Modular AAA for Wireless and Wireline carriers
• Standalone AAA server
• Combining all previously existing Juniper AAA carrier functionality into 1 modular product
• Adding a mobile WiMAX module (target August 08)
[Architecture diagram labels: SNMP LDAP GUI CLI OSS Interfaces Optional modules SQL Scripting Front-Ends SIM auth LDAP Mobility modules Authentication modules SMS auth CDMA Mobility SBR Carrier Core WiMAX Mobility Back-Ends RADIUS HLR Gateways Proxy RADIUS]
*CDMA mobility and SMS auth EFT only in v7.0
SBR Carrier Core
Built on Industry-proven SBR SPE technology!
• Open and flexible AAA functionality regardless of end user access technology (through RADIUS, EAP, Http-digest), integrated into 1 platform
• Supports SQL or LDAP based user repository, regardless of DB schema
• Advanced service delivery features
• Carrier grade proxy engine and filtering features
• Virtualization support
• Network integration features
+
• All 3GPP support built into SBR Carrier Core
• Comes with all EAP methods enabled out of the box (except SIM/AKA): MD5, LEAP, GTC, POTP, PEAP, TLS, TTLS, FAST
• Supports unlimited virtualization (directed realms)
• Multiple additional optional features available
SBR Carrier 7.0 core new features
Location based profiles
• Enables policy granularity on location basis
• Access technology based policy
Available in 2 flavors:
• Location based profiles for users
• Location based profiles for groups
Enhanced scripting features
• Enabling precise implementation of custom service and business logic
• Providing unparalleled flexibility in implementing and growing service and business logic
• JavaScript realm selection and JavaScript filter selection can:
  • Query and modify any AVP
  • Query LDAP or SQL databases
SBR Carrier 7.0 Improved Management
• Web delivered Administration UI
  • Downloadable to any station
  • No permanent UI install
  • A browser is sufficient
• UI managed EAP configuration
• UI based filter management
• Administration audit logs ensuring administration accountability
Flexible sub-TLV support
• Support for sub-TLVs in the core AAA engine
• Allows any sub-TLV requirement to be configured in the AAA core
SBR Carrier: Authentication Modules, Mobility Modules and Optional Modules
SIM auth: SIM authentication methods for PWLAN and UMA
§ SIM authentication and authorization (against HLR over SS7 or SIGTRAN)
§ Kineto INC S1 interface (UMA & Femtocell)
SMS auth: SMS OTP provisioning and authentication methods
CDMA MIM: CDMA Mobility module
§ CDMA mobility, resource assignment and prepaid features
§ CDMA Rev. A QoS support
Scripting: JavaScripting module
§ LDAP JavaScripting
§ JavaScripted Filters
§ Core routing JavaScripting
WiMAX in SBR Carrier 7.0
§ Modular approach, SBR Carrier Core +
  • WiMAX module for wireline integration (EAP-TLS, EAP-TTLS)
  • WiMAX module + SIM authentication module for GSM/UMTS integration (EAP-AKA)
  • WiMAX module + CDMA mobility module for CDMA integration
§ WiMAX mobility management:
  • Mobile IPv4 support
  • ASN and CSN authentication authorization
  • ASN and CSN key management
§ WiMAX resource management
  • Home Agent Management
  • Home Address (IP-address) Management
§ WiMAX QoS support
§ Charging
§ Roaming: H-AAA and V-AAA
§ Standards: WiMAX Forum NWG Stage 3 rev. 1.0, 1.1 and 1.2 compliant
Modular Carrier Grade AAA
Step 2: SBR Carrier v7.2
• Available standalone or with HA cluster
• Combining all previously existing carrier functionality into 1 product
• Adding central address allocation, concurrency and Session Control modules
(target Q1 09)
[Architecture diagram labels: SNMP LDAP GUI OSS Interfaces Xml/https** CLI Optional modules Session Control RADIUS Scripting Front-Ends SMS auth Address Allocation WiMAX Mobility CDMA Mobility SBR Carrier Core DB HA Cluster Session DB SQL LDAP Mobility modules Authentication modules SIM auth Concurrency SQL* Back-Ends HLR Gateways Proxy RADIUS DB]
* Only in combination with Session control module
SBR Carrier Non-Stop AAA and Service Delivery
[Diagram labels]
Service: FR VPN ATM VPN PSTN IPTV Home VoIP Internet Video Telephony Mobile VoIP Video Roaming FMC Push to Talk Applications Provider Unique Services
SQL/LDAP/CLI/Https
Policy & Control: SBR Session DB cluster
RADIUS/RADIUS CoA
Network: Wireless Access CPE Edge Core Data Center
SBR Carrier 7.2: New Optional Modules
Session Control: In-session service changes
§ RADIUS CoA based
§ XML over Https and CLI (scripting) based interfaces
§ Applications: In session Hotlining, Legal Intercept, Disconnect, Prepaid, Tiered Services
Concurrency: User/Group based concurrency
§ Requires HA Cluster session DB for enforcement across the network
§ Concurrency limitations on a per-user basis
§ Concurrency limitations on a configurable attribute
§ Concurrency limitations on a group basis (wholesale)
Address Allocation: Centralized IP-address allocation
§ Requires HA Cluster session DB for central IP-address pool management
§ All SBR Carrier Frontend AAA nodes use the same address pools
§ Splitting of address pools per AAA no longer required
SBR Carrier 7.2: Other features
§ Session database query support:
  • SQL
  • LDAP (limited scalability: 150 attributes/sec)
  • https (requires session control module)
  • CLI
  • GUI
§ Extendable session database both in HA mode and Standalone mode:
  • Service providers now have the ability to extend their session database with any attribute (available in HA and standalone mode)
§ EAP-TTLS secondary authentication support:
  • It is now possible to perform a secondary authentication on the content of a client certificate used during EAP-TTLS authentication, as already supported in the SBR Carrier 7.0 EAP-TLS implementation
§ Proxy enhancements:
  • Exclude-unknown in filters: the ability to filter out attributes that the proxy server is not able to interpret when proxying a message
  • Disable strobe when target goes in fastfail: allows the server not to use the strobe mechanism to detect if a server is up, but to rely solely on the timer mechanism
§ SNMP proxy alarming improvements:
  • SNMP trap when proxy target goes out of service
  • SNMP trap when proxy realm (all targets) goes out of service
§ Logging enhancements:
  • Time based SBR log rollover: next to the already supported volume based log rollover, a time based rollover will now also be supported
  • Session identifier in log files: allows easy correlation of messages belonging to the same session
SBR Carrier 7.x: Feature Candidates
§ Charging Module:
  • Accounting reconciliation, combination, pacing
  • CDR generation
§ LDAP:
  • Scalable and performant LDAP interface to the session database
§ Extended wholesale features (Group based concurrency)
  • Hard and Soft limits with notification
  • Time of day
  • Region support
§ Asynchronous Inter-cluster replication:
  [Diagram labels: DC 1, DC 2, Node Groups 1 to 3 with Nodes 1A/1B, 2A/2B and 3A/3B, Stateless Front-end AAA, Asynchronous replication]
§ IMS-AAA session cluster integration
§ SRC-PE Session Cluster integration
§ Juniper Hardware (appliance) based solution
SBR Carrier 7.x: Feature candidate: NASS
[Diagram labels: Services & Applications AF AF Policy & Control E2 CLF SBR Carrier 7.x CLF gateway E2 (diameter) E4 (diameter) UAAF/NACF SBR Carrier 7.x RADIUS node Gq’ CSCF Rq SPDF SBR Carrier 7.x RADIUS node A-RACF SRC-PE SRC-NASS Ra Transport A3 (RADIUS) A1 (RADIUS) Ia Re RCEF AMF Ds Di A1 (DHCP) L2T Point Border Node IP Edge]