Network Tokens: A DPI-alternative to deploy network services
ONF Spotlight: 5G Transformation with Open Source
Yiannis Yiakoumis, Co-Founder & CEO, Selfie Networks
Work with Nick McKeown (Stanford), Frode Sorensen (NKOM)
https://networktokens.org | yiannis@selfienetworks.com
Overview
1. Network traffic differentiation is at a tipping point
2. Why we need a DPI alternative
3. Network Tokens
Network Services are at a tipping point
[Chart: network services timeline, 2010 → 2020 → 2025]
● Services: bandwidth → zero-rating → 5G slicing (IoT, entertainment, enterprise)
● Market size: $0 → $2B → $300B*
● Stage: "no demand", "technology sucks" → market validation → market growth ("technology…?")
[*] GSMA Network Slicing Usecase Requirements
DPI/traffic classification can't support expected growth
[Diagram: Low-level mechanism (5QI, DiffServ, QCI, bearers) ⇄ Traffic Classification / DPI (application signatures) ⇄ High-level Policy / Enforcement]
● DPI is in conflict with encryption, privacy and net neutrality
● Expensive, high overhead
● Onboarding is hard
● Poor adoption
DPI/traffic classification can't support expected growth
Each datapath service can be a $100M+ opportunity. Exposing them through DPI means:
● Poor user and partner adoption
● High cost and time-to-market to deploy and operate
● Regulatory risk to be banned/restricted
● Obsolete with new encryption schemes (ESNI, DOH)
100+ integrations | 15% success rate on integration | 9+ months onboarding time
Can we do any better?
How can we expose and access traffic differentiation services in a way that ...
1. is easy for operators to deploy and operate
2. is easy for end-users and app providers to access
3. works with privacy and net neutrality
4. works with encryption and modern infrastructure (ESNI, multi-cloud, 3rd-party APIs)
Traffic Classification / DPI → Access Management
Network Tokens
» Explicit and secure coordination between end-users/apps and the network
» They replace heuristics and application signatures/DPI with a deterministic mechanism
» Heavily influenced by JSON Web Tokens (JWT), access tokens, and OAUTH2 workflows

Network Tokens
● Tokens carry simple claims (e.g., "I need low latency", "I am Skype")
● Encrypted and/or signed based on trust relationships and requirements
● Provisions against replay and spoofing attacks (expiration, binding, revocation)
● Represented as JWT, CWT, custom formats
● Inserted as extensions/attributes in existing protocols (e.g. IPv6, TLS, STUN)

Network Tokens
Tokens are policy agnostic. Policy is dictated by token distribution, crypto functions and E2E workflows:
● User-centric, application-agnostic token (e.g. for QoS service)
● App-specific token (e.g., firewall whitelist, zero-rating)
Sample workflow: user-centric, application-agnostic tokens
1. Application asks user permission to access premium network quality service
2. Client agent fetches premium quality token with user's credentials
3. Application attaches token to flows of interest
4. Network detects tokens and provides service
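The token properties and the workflow above, as an added example (constructed here, not code from the network-tokens project): a token service signs a user-centric "premium-quality" claim bound to the client's address, and the network side verifies signature, expiration, binding and revocation before granting the service, without inspecting any payload. The HS256 shared key, claim names and the in-memory revocation set are assumptions for the demo.

```python
import base64, hashlib, hmac, json, time

# Constructed demo values (assumptions): a key shared between the operator's
# token service and its datapath, and the operator's revocation list (jti values).
OPERATOR_KEY = b"constructed-demo-secret"
REVOKED_TOKEN_IDS = set()

def b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def unb64url(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def issue_token(client_ip: str, claim: str, token_id: str, ttl: int, now=None) -> str:
    """Token service (step 2): sign a simple claim, bound to the client address,
    with an expiration and a token id so the operator can revoke it later."""
    now = time.time() if now is None else now
    header = {"alg": "HS256", "typ": "NT"}
    payload = {"claim": claim, "bnd": client_ip, "jti": token_id,
               "iat": int(now), "exp": int(now + ttl)}
    signing_input = b64url(json.dumps(header).encode()) + "." + b64url(json.dumps(payload).encode())
    mac = hmac.new(OPERATOR_KEY, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + b64url(mac)   # JWT-style compact form

def verify_token(token: str, src_ip: str, now=None):
    """Network side (step 4): a deterministic decision from the token alone.
    Returns (claim, "ok") on success, or (None, reason) on rejection."""
    now = time.time() if now is None else now
    try:
        h, p, s = token.split(".")
    except ValueError:
        return None, "malformed"
    expected = hmac.new(OPERATOR_KEY, f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, unb64url(s)):   # spoofing / tampering
        return None, "bad-signature"
    payload = json.loads(unb64url(p))
    if payload["exp"] < now:                             # replay after expiry
        return None, "expired"
    if payload["bnd"] != src_ip:                         # replay from another host
        return None, "binding-mismatch"
    if payload["jti"] in REVOKED_TOKEN_IDS:              # operator revoked it
        return None, "revoked"
    return payload["claim"], "ok"

if __name__ == "__main__":
    tok = issue_token("10.0.0.7", "premium-quality", "tok-1", ttl=60)
    print(verify_token(tok, "10.0.0.7"))   # ('premium-quality', 'ok')
    print(verify_token(tok, "10.0.0.8"))   # (None, 'binding-mismatch')
```

The datapath only needs the shared key and the revocation list; which flows get "premium-quality" is decided by who can obtain the token, which is the policy-agnostic point of the design.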
DEMO: Premium network quality for video calls
Current status with DPI vs. how it works with Network Tokens

| Current status with DPI | With Network Tokens |
|---|---|
| Privacy-invasive, no user control | User-centric, application driven, application-agnostic, multi-network |
| Manual, expensive, error-prone | Automated and self-serve control logic |
| 1000+ apps, proprietary app signatures | Simple, fast, stable dataplane |
Network Tokens: Standardization and Open-Source
● https://github.com/network-tokens
  ○ Apache 2 License
  ○ Integrated or stand-alone
  ○ Integrated with ONF's OMEC
● IETF: Network tokens as interface between network and apps/end-users
● 3GPP: How do network tokens fit in the 3GPP architecture?
  ○ Integrate through existing 4G/5G TDF interfaces (Gy, Gw, Sd, …)
Access Management Ecosystem

| | ID & access mgmt | Network access mgmt |
|---|---|---|
| Low-level mechanism | JWT, ID & access tokens | Network Tokens |
| Open-Source Standards / Workflows | SSO, OAUTH2, scopes/permissions | User Centric, App Centric, Custom, Multi-network |
| Proprietary | Okta, Auth0, IBM, Microsoft, ... | Open-Source Solutions, ... |
Get Involved!
» https://networktokens.org | network-tokens@ietf.org
» https://github.com/network-tokens
» Try it with ONF's infrastructure
Thank you! yiannis@selfienetworks.com
Appendix
Premium Network Quality tailored for voice and video
[Diagram: Application + Driver + OS ⇅ Control Plane ⇅ Network Core (QoS, LTE Bearer, VoLTE, 5G slicing); requested service: priority + low latency]
Net Neutrality: Controversy and consensus
Traffic differentiation is controversial, but there is common ground and consensus on specific use cases.
● QoS: User-centric, application-agnostic, privacy-aware
● Zero-Rating: Category-based, inclusive, money-free agreements
● Enterprise/Firewall Whitelist: do what you want