Basic Features And Functionality; Shallow Packet Inspection; Deep Packet Inspection; Charging Subsystem - Cisco ASR 5000 Series Administration Manual

Enhanced charging services

Enhanced Charging Service Overview

Basic Features and Functionality

This section describes basic features of the ECS in-line service.

Shallow Packet Inspection

Shallow packet inspection is the examination of the layer 3 (IP header) and layer 4 (for example, UDP or TCP header)
information in the user plane packet flow. Shallow packet analyzers typically determine the destination IP address or
port number of a terminating proxy.

Deep Packet Inspection

Deep-packet inspection is the examination of layer 7, which contains Uniform Resource Identifier (URI) information. In
some cases, layer 3 and 4 analyzers that identify a trigger condition are insufficient for billing purposes, so layer 7
examination is used. Deep-packet analyzers, in contrast, typically identify the true destination of traffic that passes
through a terminating proxy.
For example, suppose the Web site "www.companyname.com" corresponds to the IP address 1.1.1.1, and the stock quote page
(www.companyname.com/quotes) and the company page (www.companyname.com/business) are chargeable services,
while all other pages on this site are free. Because all parts of this Web site correspond to the destination address of
1.1.1.1 and port number 80 (HTTP), determination of chargeable user traffic is possible only through the actual URL
(layer 7).
DPI performs packet inspection beyond layer 4 inspection and is typically deployed for:
• Detection of URI information at layer 7 (for example, HTTP, WTP, RTSP URLs)
• Identification of the true destination in the case of terminating proxies, where shallow packet inspection would only
  reveal the destination IP address/port number of a terminating proxy such as the OpCo's WAP gateway
• De-encapsulation of nested traffic encapsulation, for example MMS-over-WTP/WSP-over-UDP/IP
• Verification that traffic actually conforms to the protocol the layer 4 port number suggests
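
The www.companyname.com case above, worked through as an added example (not code from the Cisco guide and not ECS ruledef syntax): the shallow key is identical for chargeable and free pages, while layer 7 parsing separates them, flags payloads that do not match the port, and recovers the destination behind a proxy. The rule table, function names, the proxy address 10.0.0.1 and the sample packets are constructed for illustration.

```python
from urllib.parse import urlsplit

# Constructed rule table for the page's sample site (not ECS ruledef syntax).
CHARGEABLE = {"www.companyname.com": ("/quotes", "/business")}
METHODS = {"GET", "HEAD", "POST", "PUT", "DELETE", "OPTIONS", "PATCH"}

def shallow_key(dst_ip, dst_port):
    """Everything a layer 3/4 analyzer can key on."""
    return (dst_ip, dst_port)

def parse_http_request(payload):
    """Return (host, path), or None if the payload is not an HTTP/1.x request."""
    lines = payload.split(b"\r\n\r\n", 1)[0].decode("latin-1").split("\r\n")
    parts = lines[0].split(" ")
    if len(parts) != 3 or parts[0] not in METHODS or not parts[2].startswith("HTTP/1."):
        return None
    if parts[1].startswith("/"):                 # origin-form target
        host, path = None, parts[1].split("?", 1)[0]
    else:                                        # absolute-form, as sent to a proxy
        url = urlsplit(parts[1])
        host, path = url.hostname, url.path or "/"
    for line in lines[1:]:
        name, _, value = line.partition(":")
        if host is None and name.strip().lower() == "host":
            host = value.strip().split(":")[0]
    return (host.lower(), path) if host else None

def classify(payload):
    """Layer 7 decision for traffic seen on port 80."""
    parsed = parse_http_request(payload)
    if parsed is None:
        return "non-conforming"                  # port says HTTP, payload does not
    host, path = parsed
    for prefix in CHARGEABLE.get(host, ()):
        # Match on a path-segment boundary so /quotesarchive is not billed as /quotes.
        if path == prefix or path.startswith(prefix + "/"):
            return "chargeable"
    return "free"

# Constructed sample packets: (dst_ip, dst_port, payload)
SAMPLES = [
    ("1.1.1.1", 80, b"GET /quotes?sym=X HTTP/1.1\r\nHost: www.companyname.com\r\n\r\n"),
    ("1.1.1.1", 80, b"GET /about HTTP/1.1\r\nHost: www.companyname.com\r\n\r\n"),
    ("1.1.1.1", 80, b"\x16\x03\x01\x00\x05not-http"),
    # Via a terminating proxy at a constructed address; only the URL names the site.
    ("10.0.0.1", 80, b"GET http://www.companyname.com/business HTTP/1.1\r\n\r\n"),
]

if __name__ == "__main__":
    for ip, port, data in SAMPLES:
        print(shallow_key(ip, port), classify(data))
```
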

Charging Subsystem

ECS has protocol analyzers that examine uplink and downlink traffic. Incoming traffic goes into a protocol analyzer for
packet inspection. Routing rules definitions (ruledefs) are applied to determine which packets to inspect. This traffic is
then sent to the charging engine where charging rules definitions are applied to perform actions such as block, redirect,
or transmit. These analyzers also generate usage records for the billing system.

Traffic Analyzers

Traffic analyzers in ECS are based on configured ruledefs. Ruledefs used for traffic analysis analyze packet flows and
create usage records. The usage records are created per content type and forwarded to a prepaid server or to a billing
system.
The Traffic Analyzer function can perform shallow (layer 3 and layer 4) and deep (above layer 4) packet inspection of
IP packet flows. It is able to correlate all layer 3 packets (and bytes) with higher layer trigger criteria (for example, URL
detected in an HTTP header). It also performs stateful packet inspection for complex protocols like FTP, RTSP, and SIP
that dynamically open ports for the data path. In this way, user plane payload is differentiated into "categories". Traffic
Cisco ASR 5x00 Enhanced Charging Services Administration Guide
