Tcp Proxy - Cisco ASR 5000 Series Administration Manual

Enhanced charging services

Enhanced Features and Functionality
AES encryption is available for 128-bit and 256-bit keys. For AES encryption in CBC mode, the operator supplies a
key phrase as a configurable field. This key phrase is internally converted to a 128-bit or 256-bit key. An additional
field value ("salt") is also allowed as a configurable field. This field is optional.
Security of subscriber-sensitive attributes is enhanced with a more robust encryption algorithm. This helps protect
subscriber-specific information sent to different servers, which helps operators adhere to regulatory policies.
For more information on these commands, see the ACS Charging Action Configuration Mode Commands chapter in the
Command Line Interface Reference.

TCP Proxy

The TCP Proxy feature enables the ASR 5x00 to function as a TCP proxy. TCP Proxy is intended to improve the ECS
subsystem's functionality for the Content Filtering, ICAP, RADIUS Prepaid, Redirection, Header Enrichment,
Stateful Firewall, Application Detection and Control, DCCA, and Partial Application Headers features.
TCP Proxy along with other capabilities enables the ASR 5x00 to transparently split every TCP connection passing
through it between sender and receiver hosts into two separate TCP connections, and relay data packets from the sender
host to the receiver host via the split connections. This results in smaller bandwidth delay and improves TCP
performance.
The TCP Proxy solution comprises two main components:
• User-level TCP/IP Stacks: The TCP Proxy implementation uses two instances of the User Level TCP/IP stack.
  The stack is integrated with ECS and acts as the packet receiving and sending entity. These stacks modify the
  way in which the connection is handled.
• Proxy Application: The Proxy application binds ECS, the stack, and all the applications. It is the only
  communicating entity between the two stacks and the various applications requiring the stack. The TCP Proxy
  application manages the complete connection. It detects connection request, connection establishment, and
  connection tear-down, and propagates the same to the applications. Whenever the buffers are full, the Proxy
  application also buffers data to be sent later.
On an ASR 5x00 chassis, the TCP Proxy functionality can be enabled or disabled and configured from the CLI,
enabling the ASR 5x00 to operate in either proxy or non-proxy mode. TCP Proxy can be enabled either for all
connections regardless of the IP address, port, or application protocol involved, or for specific flows based on the
configuration. For example, TCP Proxy can be enabled for some specific ports. TCP Proxy must be enabled at rulebase
level. When enabled in a rulebase, it is applied to subscribers' flows using that rulebase.
TCP Proxy can be enabled in static or dynamic mode. In static mode, TCP Proxy is enabled for all server ports/flows
for a rulebase. In dynamic mode (Socket Migration), TCP Proxy is enabled dynamically based on specified conditions.
When TCP Proxy is started dynamically on a flow, the original client (MS) first starts the TCP connection with the
final server. ECS keeps monitoring the connection. Based on any rule-match/charging-action, the connection may be
proxied automatically. This activity is transparent to the original client and the original server. After the proxy
is dynamically enabled, ECS acts as a TCP endpoint in exactly the same way as when the connection is statically
proxied.
The functional/charging behavior of ECS for that particular connection before the dynamic proxy is started is exactly
the same as when there is no proxy. After the dynamic proxy is started on the connection, the functional/charging
behavior of ECS for that particular connection is exactly like the ECS static proxy behavior. While the socket
migration is underway, the functional/charging behavior for that particular connection is exactly the same as when
there is no proxy for that flow.
TCP Proxy impacts post-recovery behavior and the charging model. With TCP Proxy, all packets received
from either side are charged completely. The packets that are sent out from the ECS are not considered for charging.
This approach is similar to the behavior of ECS without proxy.
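
The split-connection relay and the charge-on-receipt rule described above, modelled at socket level as an added example (not Cisco's implementation, which runs inside a user-level TCP/IP stack and is transparent to both hosts). `SplitRelay`, `MAX_PENDING` and `demo` are hypothetical names, and the request and response bytes are constructed.

```python
import select
import socket

MAX_PENDING = 64 * 1024  # constructed per-direction buffer limit

class SplitRelay:
    def __init__(self, to_client, to_server):
        self.peer = {to_client: to_server, to_server: to_client}
        self.pending = {to_client: b"", to_server: b""}  # bytes queued to send on each socket
        self.charged = {to_client: 0, to_server: 0}      # bytes received on each socket
        self.reading = {to_client, to_server}            # sides that have not signalled EOF
        self.shut = set()                                # sides where tear-down was passed on
        for s in self.peer:
            s.setblocking(False)

    def pump(self, timeout=0.05):
        """One select() round; a side is not read while the queue toward the other is full."""
        rd = [s for s in self.reading if len(self.pending[self.peer[s]]) < MAX_PENDING]
        wr = [s for s in self.peer if self.pending[s]]
        if not rd and not wr:
            return 0
        r, w, _ = select.select(rd, wr, [], timeout)
        for s in r:
            data = s.recv(4096)
            if data:
                self.charged[s] += len(data)         # charged on receipt only
                self.pending[self.peer[s]] += data   # held until the other side can take it
            else:
                self.reading.discard(s)              # tear-down detected on this side
        for s in w:
            sent = s.send(self.pending[s])           # relayed bytes are not charged
            self.pending[s] = self.pending[s][sent:]
        for s in self.peer:  # pass tear-down on once everything queued has been sent
            if self.peer[s] not in self.reading and not self.pending[s] and s not in self.shut:
                s.shutdown(socket.SHUT_WR)
                self.shut.add(s)
        return len(r) + len(w)                       # number of socket events handled

def demo(request=b"GET / HTTP/1.1\r\n\r\n", response=b"HTTP/1.1 204 No Content\r\n\r\n"):
    """Constructed exchange over socketpairs, single-threaded for clarity."""
    (client, to_client), (to_server, server) = socket.socketpair(), socket.socketpair()
    relay = SplitRelay(to_client, to_server)
    client.sendall(request)
    client.shutdown(socket.SHUT_WR)
    sum(iter(relay.pump, 0))                 # pump until a round handles no events
    seen_by_server = server.recv(4096)
    server.sendall(response)
    server.close()
    sum(iter(relay.pump, 0))
    return seen_by_server, client.recv(4096), relay.charged[to_client], relay.charged[to_server]
```

Every byte crosses the relay twice (received on one socket, sent on the other), but the counters only grow on receipt, so the charged total equals the payload exchanged between the two hosts.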
Cisco ASR 5x00 Enhanced Charging Services Administration Guide, page 54, Enhanced Charging Service Overview