Design and Implementation of a Charging and Accounting ...

Design and Implementation of a Charging and Accounting Architecture for QoS-differentiated VPN Services to Mobile Users

Thanasis Papaioannou and George D. Stamoulis
Athens University of Economics & Business (AUEB)
{pathan, gstamoul}@aueb.gr

ICQT '02, Zurich, Switzerland, October 2002
Work supported by E.U. through IST-1999-20017 project INTERNODE under a subcontract with INTRACOM S.A.

Overview

- Motivation and Contribution
- Background on Charging
- Charging and the Business Roles in M-VPN Provision
- The Details of the Charging Scheme
- The Accounting and Charging Architecture
- Concluding Remarks

Charging Mobile VPNs - 2

Motivation and Contribution

Mobile VPNs

- In mobile Internet the provision of VPN services will be important
  - Key issue for commercial viability: VPN services should match user preferences on security and QoS
- IST project INTERNODE designed, specified and implemented a platform for multi-domain QoS-differentiated VPN services to mobile users
  → M-VPN services

Why Charge?

- M-VPN service providers should account and charge for their services, in order to:
  - Recover their provision costs
  - Increase their profits
  - Provide the right incentives to users regarding resource usage, while charging them fairly
    - Closely related to the form of the charging scheme
    - e.g. usage-based vs. flat-rate charging

Multi-domain Feature

- M-VPN service provision spans multiple network domains
  - The total charge should be shared among the involved providers in a fair and efficient way
    → Thus, the right incentives will be maintained on the provider level too

Our contribution (I)

- We specify in detail and justify a charging scheme for M-VPN services, which:
  - Includes all chargeable features of the service
  - charges users fairly
  - achieves fair sharing of revenue among providers
  - provides all involved parties with the right incentives, thus helping providers be competitive

Our contribution (II)

- We specify a complete yet lightweight accounting and charging architecture
- It can be combined with previous related works of projects:
  - IST MobyDick on AAAC architecture for IPv6 QoS-enabled access services to mobile users
  - CATI on accounting and charging for QoS-enabled static VPN services

Background on Charging

Charging Guaranteed Services: The Time-Volume Approach

- F.P. Kelly, “Tariffs and Effective Bandwidths in Multiservice Networks”, Proceedings of ITC’94
  a·T + b·V + c = T · (a + b·M) + c
  - a, b are derived from the effective bandwidth curve
- The charge is a function of
  - the SLA,
  - the anticipated mean rate m, and
  - the actual mean rate M,
  - and can be minimized if the user chooses a, b appropriately

Charging Elastic Services

- Proportionally to the volume of the inserted traffic (volume-based)
- According to some measure of burstiness (burstiness-based)
  - e.g., by measuring the top 90-percentile of the distribution of the load produced per minute

Charging Static VPN Services

- A theoretically justified approach:
  - Apply additive charging over all individual flows arising within the VPN
- Commercial approaches vary:
  - Additive charging plus some extra charges for value-adding features (as security, always-on, etc.)
  - On a per customer basis

Charging and the Business Roles in M-VPN Provision

User Types, Applications, QoS

- Users are classified into different types:
  - e.g. technical employees, managers, etc.
- Assumption: each user-type utilizes a specific set of applications, for each of which:
  - there is a set of permissible QoS classes
  - an estimate for the anticipated mean rate per QoS class
  → The particular QoS class to serve the application each time is specified in the SLA

What Should Charging Reflect?

- The charge for the transport of traffic for an individual IPsec flow in a QoS class
- The charge for mobility support
- The charge for security support

Business Roles

[Figure: business roles in M-VPN provision. Labels: M-VPN Provider Network (VPN SPS); Federation Agreement; VPN contract; Customer C; Visited Connectivity Provider Network (FA, SG, Users of Customer C); Connect. Provider A Network; Connect. Provider B Network; Home Connectivity Provider Network (HA, SG, Users of Customer C); IPsec tunnel; IPsec flow.]

… and their Tasks for Charging and Accounting

- The federated CPs serve as 3rd-Party providers
  - each offers a certain part of the M-VPN service
- Each CP has to:
  - Measure resource usage and associate it to its users
  - Charge for transport, mobility and security support in his domain, and allocate charges to users
  - Send the accounting and charging information to VPN SPS platform
- M-VPN provider charges for packing the complete M-VPN service

The Details of the Charging Scheme

Charging for Transport

- Time-Volume approach is adopted for guaranteed services, as it:
  - Benefits from the available a priori knowledge of the anticipated mean rate of an IPsec flow
  - Can distinguish among different QoS classes
  - Includes a fixed charge for each IPsec connection
    - Useful for charging security and mobility support
  - Is also applicable to elastic services

Determining a, b, c

- For each application and for each type of user, statistical estimates of the anticipated mean rate m are maintained for each QoS class
  - The optimal [a, b, c] tariff is uniquely determined by the pair [user identity, SLA]
- Trade-off between accuracy in the estimation of the mean rate of an IPsec flow and the monitoring and storage overhead
  - e.g. keeping statistics per user or per user-type?

Charging for Security

[Figure: IPsec encapsulation drawn as a buffer feeding a processor. Labels: "Cs: encapsulation traffic processing capacity"; "Bs: capacity of encapsulation buffer".]

- Packet encapsulation according to IPsec

Per Volume Charge for Security

- Encapsulation capacity constraint is similar to that of a transmission link with buffer
  - Traffic served by DiffServ QoS classes conforms to the restrictions imposed by DiffServ
    → IPsec encapsulation can be dimensioned so as to be free of losses
    → no scarce resources are involved and no extra charge is required
- For best-effort traffic, an extra charge should be introduced according to burstiness

Per Time Charge for Security

- The identity of an IPsec tunnel as well as the number of IPsec flows that can be multiplexed in it are scarce resources
  - A charge per time-unit should be included to prevent aimless maintenance of IPsec tunnels and flows
- Volume and time overhead induced by security support are already accommodated by charging for transport

Additional Fixed Charges

- The M-VPN provider introduces:
  - A fixed charge depending on the security level for the overhead of creating an IPsec flow, and
  - A fixed charge for the “packing” of the M-VPN service
    - “Packing” of the M-VPN service implies management of the security gateways, which provides the duplex nature of the M-VPN service and a uniform (i.e. end-to-end) security level

Charging for Mobility

- Packet encapsulation according to Mobile IP
  → Charging can be treated similarly to the case of security support
- The terminal or/and IP address allocated are both “scarce” resources
  - A charge per time unit should be introduced

The Complete Charging Scheme

- A user of type j using an application i that is served by a DiffServ QoS class q is charged according to the formula:

  $(p + a_{ijq}(m_{ijq})) \cdot T + b_{ijq}(m_{ijq}) \cdot V + c_s$

  - $p$ is the sum of the charges for mobility and security support per time unit
  - $c_s$ is the fixed charge for security support
  - $m_{ijq}$ is the anticipated mean rate
- These terms should be added for all (i,j,q)

Sharing of Revenue

- Connectivity Providers collect:
  - The charges for transport
  - The charges for mobility support
  - The variable charges for security support
- The M-VPN provider also collects the fixed charges for:
  - security support
  - “packing” the M-VPN services

The Complete Accounting and Charging Architecture

The architecture ...

- is compliant with the main relevant standards:
  - IETF AAA on forwarding of accounting information
  - TMN Layers’ hierarchy
  - TINA Accounting Ladder Model
  - TINA format of the accounting and charging records
  - TMForum on the generation and content of the accounting and charging records
- can be combined with previous related works

[Figure: the accounting and charging architecture. Layers: Access Layer, Service Layer, Resource Layer. Components: Accounting Management Console, Customer Accounting Console, Accounting Server, Rating Center, QoSSLAInfoContract/FederatedContract, Federated Accounting Center, Accounting Repository, Accountable Objects (AO). Numbered flows 1 to 6 carry Accounting Records and Charging Records. Panels: "Accounting and Charging Subsystem of 3rd-party Provider" and "Resource Layer of the Accounting and Charging Subsystem of the VPN Provider".]

Concluding Remarks

Concluding Remarks

- The charging scheme developed
  - covers all details for charging M-VPNs
  - is fair for users and providers,
  - provides them with the right incentives
  - enables fair sharing of revenue among providers
- The Accounting and Charging architecture
  - meets all requirements of the context
  - is conformant to the main relevant standards
  - was implemented and tested successfully in INTERNODE trials

Support Slides

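The Time-Volume Approach

$f(m; M) = a(m) + b(m) \cdot M$

charge $= T \cdot f(m; M) = a(m) \cdot T + b(m) \cdot V$

[Figure: the effective bandwidth curve $\alpha_{ON/OFF}(s, t)$ plotted against the mean rate M, together with the tariff line f(m; M) for the declared mean rate m. Labels: "slope b(m)"; "a(m)"; "m declared"; "accurate declaration: charge = $T \cdot \alpha_{ON/OFF}$"; "penalty due to inaccurate declaration".]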

ON/OFF Source Model

The notion of effective bandwidth summarizes resource usage of a bursty source described with many parameters

ON/OFF source: ON & OFF periods are exponentially distributed with mean ON period = 1/a, mean OFF period = 1/b

[Figure: two-state on/off diagram and a rate-versus-time plot alternating between on and off. Labels: on, off, a, b, h, 1/h, time.]

mean rate m = b*h/(a+b)

effective bandwidth: $\alpha(m, h) = \frac{1}{s} \log\left[ 1 + \frac{m}{h} \left( e^{sh} - 1 \right) \right]$
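Added example (not part of the original slides): the Time-Volume tariff computed from the ON/OFF effective bandwidth formula above, and the per-flow charge (p + a(m))·T + b(m)·V + c_s of the complete charging scheme. Taking a(m), b(m) as the tangent to the effective bandwidth curve at the declared mean rate follows the construction in Kelly's paper cited in the slides; the values of s, h, T, p and c_s are constructed for illustration.

```python
import math

def effective_bandwidth(mean, peak, s):
    """ON/OFF bound: alpha(m, h) = (1/s) * log(1 + (m/h) * (e^(s*h) - 1))."""
    return math.log1p((mean / peak) * math.expm1(s * peak)) / s

def tangent_tariff(declared, peak, s):
    """Coefficients (a, b) of the line a + b*M tangent to alpha at M = declared."""
    k = math.expm1(s * peak) / peak            # (e^(s*h) - 1) / h
    b = k / (s * (1.0 + declared * k))         # d(alpha)/dM at M = declared
    a = effective_bandwidth(declared, peak, s) - declared * b
    return a, b

def flow_charge(declared, T, V, peak, s, p=0.0, c_s=0.0):
    """(p + a(m)) * T + b(m) * V + c_s for one IPsec flow.

    p   : per-time charge for mobility and security support
    c_s : fixed charge for security support
    """
    a, b = tangent_tariff(declared, peak, s)
    return (p + a) * T + b * V + c_s

def cheapest_declaration(actual_mean, T, peak, s, candidates):
    """Declared mean rate among candidates that minimises the charge."""
    V = actual_mean * T                        # volume actually sent
    return min(candidates, key=lambda m: flow_charge(m, T, V, peak, s))

# Constructed sample values (assumptions, not from the slides).
PEAK, S, T, ACTUAL = 2.0, 1.0, 100.0, 0.5
CANDIDATES = (0.1, 0.3, 0.5, 0.8, 1.2)

if __name__ == "__main__":
    for m in CANDIDATES:
        c = flow_charge(m, T, ACTUAL * T, PEAK, S, p=0.05, c_s=1.0)
        print(f"declared m={m:.1f}  charge={c:.2f}")
    print("cheapest:", cheapest_declaration(ACTUAL, T, PEAK, S, CANDIDATES))
```

Because the effective bandwidth is concave in the mean rate, every tangent line lies on or above the curve, so a user who declares the rate actually sent pays T·α and any other declaration pays more.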

Background: IETF AAA Considerations

[Figure: IETF AAA accounting flow between a Serving Network and a Home Network. Labels: Network Device; Accounting protocol; Accounting Server; Accounting Proxy/Server; Inter-domain session records; Intra-domain session records; Transfer protocol; Billing Server.]

Background: TMForum Considerations

[Figure: TMForum process layers shown for a Serving Network and a Home Network, labelled Roaming. Labels: Customer Care Processes (Customer QoS Management, Invoicing Collection); Service Layer Management (Service Quality Management, Rating and Discounting); Network Layer Management (Network Data Management); Performance / Usage Trends; SP; NO.]

Related Work: IST MobyDick

- Hasan, J. Jähnert, S. Zander, and B. Stiller. “Authentication, Authorization, Accounting, and Charging for the Mobile Internet”. Mobile Summit 2001, Barcelona, Spain, September 2001.
- An inter-domain Authorization, Authentication, Accounting and Charging architecture for IPv6-based QoS-enabled access services to mobile users
  - Inter-domain negotiation of each service flow by AAAC servers
  - Our charging and accounting subsystem can serve as part of the AAAC server.

Related Work: CATI Project

- B. Stiller, T. Braun, M. Günter and B. Plattner. “The CATI Project: Charging and Accounting Technology for the Internet”. (ECMAST'99), Madrid, May 1999
- An accounting and charging architecture and a charging scheme for QoS-enabled static VPN services
- The charging scheme is prescribed to have:
  - a variable charge per time, a variable charge per volume, and a fixed charge
  - our charging scheme is of the same form, and specified in detail