
Off Box Security Services Solution

By Horia Miclea posted 08-02-2023 00:00



The Juniper Off Box Security Services Solution defines a common security services complex for use with MX Provider Edge (PE) deployments by Service Providers and Enterprises. It leverages the vSRX or SRX4600 security products to provide scale-out IPsec, CGNAT and Firewall (Universal Threat Management) services. The solution was developed jointly by the Juniper Automated WAN Solutions and Juniper Connected Security groups.

Market Drivers

First, why consider this new solution approach?

The two primary drivers for considering this new solution approach include:

  • Wireline and Mobile Broadband markets are evolving to cloud-based digital services delivery. 
  • New engineering design choices for enabling new higher speed, cost-efficient routing products. 

Let’s review them in more depth.

Market Evolution

The Broadband Market continues to grow in subscribers and in throughput per subscriber. The IPv4 address space is shrinking while the cost per IP address is increasing, driving CGNAT growth for the coming years. In addition, RAN densification and disaggregation, as well as control and user plane separation, drive distributed Security Gateway and IPSec deployments. Here are some additional details on these market drivers:

  • More than 10B Broadband Subscribers
    • Mobile growing at 14.7% CAGR.
    • Wireline has 1.2B connections and grows at 8%.
    • Mobile Broadband connections will be more than 74% of total connections by 2024. 

  • Limited IPv6 Adoption
    • More than 70% of the broadband deployments require CGNAT.
    • IPv6 adoption is around 30%, and while many public cloud services are available in IPv6 and dual stack IP services are feasible and deployed in some markets, this still means many more years of CGNAT.
  • Emerging Service Providers
    • Dependent on investing and growing a CGNAT deployment.
    • Public IPv4 price continues to increase 18%-33% YoY and public IPv4 subnet sizes are shrinking by nearly 50% (in APJC and LATAM).

  • COVID lifestyle changes
    • COVID driven teleworking/learning and emerging hybrid work culture will drive Broadband CGNAT to grow in both capacity and scale with increased adoption of Cloud Video and Collaboration services.
  • RAN densification and 5G build-out
    • Separation of user plane with control plane is happening in Mobile Evolved Packet Core (EPC) and Wireline BNG (Broadband Network Gateways) and 5G drives the Radio Access Networks (RAN) disaggregation.
    • Pushing user mobile and wireline broadband planes along with services like Mobile Security Gateway, CGNAT and Firewall closer to the subscriber in distributed deployments.

Engineering Design Choices for Next Generation Routers 

Integrating Security Service Cards in a platform is not feasible, nor easy, nor power and cost efficient for compact routing platforms or high capacity per slot modular platforms in the current generation of ASIC technology.

  • Engineering modular routing platforms that target multiple Tbps per slot makes it inefficient to integrate security services cards, which deliver at best hundreds of Gbps per slot.
  • With ASICs delivering 1.6Tbps, and chassis slots that go up to 10Tbps, an off-box scale-out approach for security services becomes more economical while using 100Gbps and 400Gbps interconnects between the router and the security appliances. Compute technology evolved making 100G security services feasible in a 1RU edge compute server that is i-TEMP, depth optimized, and power efficient. 

Value Proposition

The Off Box Security Services Solution proposes a scale-out model for enabling high capacity CGNAT and IPSec services. A scale-out approach follows Cloud services designs and is theoretically limitless; in practice it is limited only by the number of ports in the routing system. It delivers the following values:

  • Common Services Delivery:
    • Common Security services capability in any MX platform.
    • Support for both modular and compact MX platforms. Future extension to ACX platforms possible.
  • Scale Out based Scalability:
    • Scale Out Model.
    • Pay as you grow approach.
    • Benefit from compute/appliance ecosystem advancements (CPU, smart NIC, etc.) and from SRX4600 ASIC based performance.
  • Service Velocity and Flexibility:
    • Improved TTM for Security services on new platforms.
    • Flexible placement for Security services in the network.
  • Operational Simplicity:
    • The Python script hosted on MX automates the vSRX onboarding/ installation.
    • ECMP Consistent Hashing Load Balancing provides automatic reactions to changes in the services complex (failures, additions) with minimal impact.
  • Enhanced Return on Investment:
    • Brings Security services to all platforms, including those without previous services capability. 
    • Maximizes router investment by optimizing the utilization of the slots inside the router platform or the ASIC capacity of the router. A service appliance or server in the services cluster consumes 100G or 400G ports instead of a complete 10Tbps slot. 

Solution Overview

The Off Box Security Services Solution provides a scale-out model for enabling high capacity CGNAT and IPSec services, combining Juniper MX modular and compact routers with Juniper vSRX and SRX4600 security products (Virtual Network Functions or Appliances):

  • Security Services: 
    • CGNAT: NAT44 (Deterministic NAT, Port Block Allocation), NAT64, DSLite, MAP-E, MAP-T, 6RD, high amount of flows and throughput. 
    • IPsec: tunnel mode, high tunnel scale, SHA, CBC and GCM ciphers
  • Network Based Solution: 
    • Focused on all Provider Edge deployments with MX and future ACX, be that MPLS VPN/IP PE, BNG, IPSec VPN PE, Security Gateway as infrastructure for security services in Service Provider or Enterprise Networks. 
  • Scale-Out Load Balancing: 
    • The MX platforms provide 100G and 400G connectivity to the services complex. If high scale and lower throughput is targeted in the services complex, the connectivity between the MX platforms and the security appliances can be virtualized at L2 by means of IEEE 802.1Q VLANs. 
    • In all cases, with vSRX or SRX4600 in the services cluster, the MX provides load balancing through ECMP source IP consistent hashing, with routing based on eBGP and failure detection based on BFD. The load balancing solution is stateless. ECMP Consistent Hashing limits the impact of a failure to the flows on the failed member, and adding a member to the cluster causes only the limited flow redistribution needed to maintain Equal Cost Multi Path.
  • Physical or Virtual Security Appliances: 
    • The Security Services Cluster can be built as virtualized services cluster based on vSRX and latest Intel (IceLake, Sapphire Rapids 32 core) or AMD (EPYC 96 cores) based servers or with SRX4600 appliances that integrate Intel CPUs with Juniper Trio 4 ASIC for security services.
  • Unified Management and Operations: 
    • The MX platforms enable a unified management solution that automates the Ubuntu server, vSRX onboarding and installation on KVM and access into the vSRX configuration.
    • The server running vSRX is assumed to be provided by the customer based on the vSRX specifications shared in the reference section.

MX and Services Cluster Networking

The Juniper MX routers provide 100GE or 400GE interfaces to the vSRX servers or the SRX4600s forming the services cluster. Both Access side and Internet side peering is enabled through MX, dedicated ports being used for high throughput. With new Trio 6 MX 10004 and 10008 systems, capacity per slot is up to 9.6 Tbps and with compact MX304 systems capacity can be up to 4.8 Tbps, enabling a high number of 100G ports. An MX304 can provide up to 48x 100GE interfaces and an LC9600 line card in a modular 10000 system, up to 96x 100GE ports.

For both CGNAT and IPSec services, MX and SRX systems (virtual or physical) peer in global routing or virtual routing and forwarding with eBGP enabling scalable and flexible routing exchange for the Access and the Internet side. The failure detection is based on BFD with timers as low as 100ms, enabling fast reconvergence but also fast and automatic adjustment for the ECMP load balancing. 

The Access Side traffic is load balanced across the services cluster dynamically and automatically using ECMP Consistent Hashing keyed on the source IPv4 or IPv6 address. For CGNAT and IPSec in tunnel mode, only eBGP routing and BFD failure detection are required on the Internet side. ECMP Consistent Hashing keyed on the destination IPv4 or IPv6 address is used on the Internet side only with stateful Firewall services without NAT. ECMP Consistent Hashing limits the impact of cluster failures or additions: on a failure, only the impacted flows are rehashed and rebalanced, while on an addition a limited, equal number of flows from each cluster member is rehashed and rebalanced onto the new member, limiting the impact while maintaining equal cost load balancing.
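The rehashing behaviour described above matters because NAT bindings and IPsec state live on a single cluster member, so every source that changes member loses its state. The following added example (not part of the original post and not Juniper's implementation) uses rendezvous hashing as a stand-in consistent-hash algorithm and compares it with plain modulo hashing. The member names and the subscriber addresses, taken from the RFC 6598 shared address space, are constructed for illustration.

```python
import hashlib
import ipaddress

def _score(src_ip: str, member: str) -> int:
    # Deterministic weight per (source IP, member); no shared state is needed.
    digest = hashlib.sha256(f"{src_ip}|{member}".encode()).digest()
    return int.from_bytes(digest[:8], "big")

def pick_consistent(src_ip: str, members: list[str]) -> str:
    """Rendezvous hashing: the member with the highest score owns the source."""
    return max(members, key=lambda m: _score(src_ip, m))

def pick_modulo(src_ip: str, members: list[str]) -> str:
    """Naive ECMP: hash the source IP modulo the number of next hops."""
    h = int.from_bytes(hashlib.sha256(src_ip.encode()).digest()[:8], "big")
    return members[h % len(members)]

def assign(sources, members, pick):
    return {ip: pick(ip, members) for ip in sources}

def moved(before, after):
    """Source IPs whose owning cluster member changed."""
    return {ip for ip in before if before[ip] != after[ip]}

# Constructed sample: 10,000 subscriber sources from RFC 6598 shared space.
BASE = int(ipaddress.IPv4Address("100.64.0.0"))
SOURCES = [str(ipaddress.IPv4Address(BASE + i)) for i in range(10_000)]
CLUSTER = ["vsrx-1", "vsrx-2", "vsrx-3", "vsrx-4"]  # hypothetical member names

def failure_impact():
    """vsrx-3 is declared down: fraction moved and who owned those sources."""
    before = assign(SOURCES, CLUSTER, pick_consistent)
    survivors = [m for m in CLUSTER if m != "vsrx-3"]
    after = assign(SOURCES, survivors, pick_consistent)
    changed = moved(before, after)
    return len(changed) / len(SOURCES), {before[ip] for ip in changed}

def addition_impact(pick):
    """vsrx-5 joins: fraction of sources moved and the members they land on."""
    before = assign(SOURCES, CLUSTER, pick)
    after = assign(SOURCES, CLUSTER + ["vsrx-5"], pick)
    changed = moved(before, after)
    return len(changed) / len(SOURCES), {after[ip] for ip in changed}

if __name__ == "__main__":
    print("failure  (consistent):", failure_impact())
    print("addition (consistent):", addition_impact(pick_consistent))
    print("addition (modulo)    :", addition_impact(pick_modulo))
```

With the consistent hash, only sources owned by the failed member move, and an added member takes about one fifth of the sources; with modulo hashing the same addition remaps most sources across all members.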

The cluster can have tens to hundreds of members (servers with vSRX, or SRX4600 appliances). The eBGP routing scales beyond Internet tables, to millions of routes if required, and to thousands of eBGP sessions, easily beyond what a cluster needs.


Services Cluster Structuring and Performance

The Security Services Cluster can be built using SRX4600 physical appliances or vSRX, a SRX KVM or VMware virtual network function, running on open compute servers:

  • SRX4600 Services Cluster:
    • SRX4600 is a 1RU security appliance, with up to 4x 100G interfaces, combining Intel compute and Juniper Trio 4 based forwarding for security services and networking.
    • CGNAT (NAT44, Deterministic NAT, Port Block Allocation) Maximum Performance: 400Gbps, packet size independent, up to 10M flows, based on express path offload in the ASIC. Up to 100Gbps is done in CPU for other NAT flavors or higher flow scale.
    • IPSec VPN Maximum Performance: up to 50Gbps based on the packet size.
  • vSRX Services Cluster:
    • Bring Your Own Server based on prescribed specifications (CPU cores, memory, LINUX OS, KVM versions). Please refer to the vSRX server specifications in the references.
    • vSRX is a Virtual Network Function (VNF) running on KVM or VMware hypervisors, with a flexible compute allocation by number of cores (up to 32) and memory (up to 64G). Networking wise, vSRX can use virtio or SRIOV with smart NICs like Mellanox ConnectX 6.
    • CGNAT Maximum Performance: on a 1RU edge compute server like the Dell XR11, with a single Intel Icelake 32-core socket, a single VNF provides 100Gbps with a reasonable broadband IMIX.
    • IPsec Maximum performance: up to 40G based on packet size.

Useful links


Glossary

  • BFD: Bidirectional Forwarding Detection protocol, used to detect failures between MX and SRX and to proactively trigger eBGP convergence and ECMP C-HASH adjustment.

  • CGNAT: Carrier Grade NAT, implies all NAT44 and NAT64 technologies. 
  • ECMP: Equal Cost Multi Path. With Consistent Hashing, source or destination IP-based load balancing remains more consistent across failures or additions in the ECMP group.
  • IPSec: Internet Protocol Security (IPsec) is a secure network protocol suite that authenticates and encrypts packets of data to provide secure encrypted communication over an Internet Protocol network. It is used in virtual private networks (VPNs) and we assume all cipher models like SHA, CBC, GCM.


The solution was developed in collaboration between JAWS and CSEC groups with many contributors. Special recognition goes to Abhishek Bagalad for developing the automation script for vSRX onboarding, to Pankaj Kumar and Reema Ray for testing the solution end to end, and to Paul Lachapelle, Sandeep Patel and Girish Dadhich for their leadership, guidance, and support.


If you want to reach out for comments, feedback or questions, drop us a mail at:

Revision History

Version Author(s) Date Comments
1 Horia Miclea August 2023 Initial Publication