Session Border Control
What Is A Session Border Controller?
Session border controllers control real-time interactive communications ï¿½
voice, video, and multimedia sessions ï¿½ across IP network borders. They
provide new session controls in the areas of security, service reach and
interworking, SLA assurance, revenue/profit assurance, and regulatory
These IP-IP network borders include:
ï¿½ Service provider to service provider network borders ï¿½ ï¿½peering border.ï¿½
ï¿½ Service provider access network to backbone network borders ï¿½ ï¿½access
network border.ï¿½ These access networks may connect enterprise,
residential, and mobile subscribers using any technology including leased
line, frame relay, DSL, cable, Wi-Fi, 3G, satellite, etc.
ï¿½ Service provider data center to managed network or the Internet border ï¿½
ï¿½data center border.ï¿½
ï¿½ Enterprise network to service provider network border ï¿½ ï¿½enterprise
From a technical perspective, session border controllers tightly integrate
signaling and media control in a single system. This means that they
support one or more signaling protocols such as SIP, H.323 or MGCP/NCS
associated with session management, and they are capable of controlling
the RTP and RTCP flows associated with the voice, video, or multimedia
Session border controllers also support more than just access control and
network address translation for session signaling messages and media.
What Isnï¿½t A Session Border Controller?
1. Firewall/NAT products with SIP, H.323, MGCP.NCS, Megaco, SCCP, etc.
support are not session border controllers.
Why? These products only support access control and network address
2. Signaling only products (some people generically call these ï¿½session
controllersï¿½) including softswitches, SIP servers, H.323 gatekeepers, and
MGCP call agents are not session border controllers.
Why? These products do not control media.
3. Media gateways which interconnect IP and TDM networks are not session
Why? These products do not address IP-IP network border requirements.
Jim Hourihan is vice president, marketing and product management at
Acme Packet. Acme Packet enables network service providers to deliver
premium, interactive communications ï¿½ voice, video, and multimedia
sessions ï¿½ across IP network borders. Established in August 2000 by
networking industry veterans, Acme Packet is a privately held company
headquartered in Woburn, Massachusetts.
Sonus Networks Q&A
Sonus Networks recently announced that it is delivering new
capabilities through its Open Services Architecture (OSA) and voice
infrastructure solutions designed to facilitate the development of the
ubiquitous all-IP network. With the recently issued Release 5.1 of its
industry-leading GSX9000 Open Services Switch and Insignus Softswitch,
Sonus is offering new features and functionality that extend the
applications of its solutions and create what they are calling a ï¿½new
category of product,ï¿½ namely: Network Border Switching.
INTERNET TELEPHONYï¿½ asked Michael Oï¿½Hara, vice president, marketing,
Sonus Networks, Inc., about these developments.
IT: What is a Network Border Switch?
MO: A Network Border Switch is a new category of product designed
to enable the development of ï¿½all-IPï¿½ carrier voice networks, networks in
which voice is transported end-to-end via IP. As packet voice networks
continue to proliferate, service providers are moving to connect to others
using IP, rather than circuits. This trend opens up new opportunities for
carriers in a number of key areas:
ï¿½ Peering ï¿½ Carriers can interconnect or ï¿½peerï¿½ with one another using
VoIP, which enables capital and operational efficiencies by eliminating
the need to convert between VoIP and circuit voice.
ï¿½ Enterprise access ï¿½ Service providers are increasingly using IP as the
interface of choice to enterprise customers. Because those customers now
expect a bundle that includes both voice and IP data, using IP for
transport offers cost and operational benefits. With a direct
packet-to-packet interface, enterprise voice services can be converted to
VoIP using an enterprise gateway, or may be provided directly as VoIP from
ï¿½ End user access ï¿½ Communica-tions providers may want to connect end
users to the carrier voice service through IP. In this scenario, the
customer device can be one of several options, such as an IP phone, a
ï¿½softï¿½ phone, or a standard telephone attached to an adapter or Integrated
Access Device (IAD).
ï¿½ Application Service Provider (ASP) access ï¿½ As they continue to deploy
VoIP technologies, carriers are eschewing complex SS7-based protocols in
favor of IP as the interface to enhanced services application platforms.
This offers increased opportunity for implementation of enhanced services
by ASPs, who use the IP interface to interact with carrier systems.
However, these new business opportunities introduce a set of new
challenges for service providers, specifically in the areas of security,
network availability, address translation and interoperability. While
products such as NAT devices, firewalls and session border controllers (SBCs)
have been used to solve pieces of the overall problem, until now, there
has been no single solution that addresses all of these issues.
IT: What capabilities does a Network Border Switch offer? How is it
different from session border controllers or other solutions?
MO: The Network Border Switch eliminates the need for partial
solutions by providing basic functionality required, including:
ï¿½ Network Address Translation (NAT) and topology hiding;
ï¿½ Access control via a pinhole firewall;
ï¿½ DoS protection;
ï¿½ Bandwidth and QoS theft protection;
ï¿½ Signaling-based admission control (SIP or H.323);
ï¿½ SIP and H.323 proxy, back-to-back and interworking functions.
The Network Border Switch goes beyond session border controllers to add
sophisticated functions required for a true carrier-grade solution:
ï¿½ Sophisticated control ï¿½ The Network Border Switch enables carriers to
control firewall pinholes and routing with options not only based on IP
addresses, but with call-related information such as calling subscriber,
called subscriber, applicable calling plan and others.
ï¿½ Media interworking ï¿½ The Network Border Switch is able to resolve most
of the media incompatibilities that can arise in interconnecting IP
devices, such as different codecs, different voice packet sizes and
protocol incompatibilities (raw fax versus T.38, DTMF versus RFC2833
ï¿½ Services on packet-to-packet calls ï¿½ Carriers must have the ability to
provide standard services on packet-based calls and must be able to apply
tones, announcements and prompts as necessary. The Network Border Switch
provides the same types of services on VoIP calls as carriers currently
provide on circuit-based calls.
ï¿½ Support of SIP-T ï¿½ When peering with another carrier via IP, carriers
typically use Session Initiation Protocol for Telephones (SIP-T), allowing
end-to-end call signaling via embedded ISUP information. As the practice
of packet peering expands, carriers will increasingly need the ability to
inter-work between incompatible ISUP variants within SIP-T. To enable this
advanced level of peering, the Network Border Switch supports SIP-T and
dozens of different ISUP variants.
IT: How will Network Border Switches impact the session border
MO: We believe that the functionality delivered through products
like session border controllers will be absorbed into solutions such as
Network Border Switches, as a natural evolution of the product, much like
session border controllers have incorporated functions such as firewall
and NAT. That said, while the Network Border Switch eliminates the need
for multiple, separate devices, it is likely that session border
controllers will still play a role in carriers networks.
IT: What are the implications for service providers?
MO: Carriers have been deploying packet technologies as the
foundation of their voice networks for some time now, enabling them to
reduce the cost of their infrastructure and deliver new services. At this
stage of the market, we see many ï¿½islands of IP,ï¿½ and carriers are now
ready to take the next step in the evolution of their networks by securely
connecting to other carriers, enterprises and even to end users in native
From an operational perspective, the Network Border Switch reduces the
number of devices that must be deployed, thereby reducing the cost and
complexity of the network and streamlining provisioning and management of
the network. With Network Border Switching, service providers now have the
ability to expand their business opportunities.
The Necessary Nine: Beyond Basic VoIP Interconnection
By Micaela Giuhat
As service providers grow their voice and multimedia over IP
businesses, the need to interconnect natively over IP with other networks
becomes more critical. For service providers, the underlying expectation
is that this VoIP interconnection functionality will perform in the same
manner as a traditional time division multiplexed (TDM) handoff, while
also delivering greater efficiency and significant cost savings. This is a
critical difference between traditional IP-to-IP peering of pure data, and
IP-to-IP peering for VoIP. In the VoIP scenario, the behavior is expected
to more closely emulate a TDM handoff than a more conventional IP-to-IP
Fortunately, a new class of products has arrived to meet this expectation:
Ssession Controllers. But all session controllers are not the same, and
Tier 1 carriers should be aware of the ï¿½necessary nineï¿½ key functions that
will help them take their network peering to the next level and
interconnect their global VoIP networks while maintaining network privacy
To be able to efficiently and securely interconnect VoIP networks, session
controllers must provide true IP-to-IP gateway functionality, which
requires supporting the following ï¿½necessary nineï¿½ functions:
1) Clearly Define the Demarcation Point
Supporting VoIP interconnection between Tier 1 carriers first involves
clearly defining the demarcation point by managing all the traffic on a
call-by-call basis, where a call is defined as a combination of both
signaling and media streams, from set-up to tear-down. This capability
also takes care of session/call admission control, which can be done based
on bandwidth or number of calls allowable per customer.
2) Grow Interconnections While Maintaining Network Simplicity
Being able to grow the number of interconnections as well as the traffic
load without increasing the networkï¿½s overall complexity is critical when
supporting peering between Tier 1 networks. It is important to make sure
that one session controller can support many customers/networks and that
there is no one-to-one relationship between the session controller and
customers. This capability will allow carriers to expand their peering
points with no impact to the internal network, therefore causing no
disruption and achieving economies of scale. The session controller should
be able to grow the number of simultaneous sessions, the number of calls
per second, the number of singularly defined customers, the number of
registrations, and the number of VLANs, meaning that they can support
customers that have overlapping address space.
3) Provide 99.999 Percent Reliability
The networkï¿½s reliability and availability should provide support for
system level redundancy for the VoIP application, automatic fail-over when
a failure is detected and operational VoIP traffic under normal
non-failure conditions. The network should be able to re-route all VoIP
traffic through a secondary session controller upon network failure. It
should allow an established VoIP call to be re-routed through a secondary
session controller without failure of the established call. It should also
support normal VoIP call termination after a failure transitions a call to
a secondary session controller. Out-of-band mechanisms should allow the
paired session controllers to synchronize VoIP information, and there
should be a mechanism that allows a failed session controller to be
transitioned back to an operational state without disruption of the VoIP
service handled by the non-failed session controller.
4) Maintain Privacy
Maintaining privacy of all parties involved in the interconnection is also
critical. Carriers can maintain carrier privacy using a multitude of
features developed specifically for carrier-to-carrier interconnect,
including basic translations, header stripping, and topology hiding.
5) Allow Only Authorized Traffic
Only authorized traffic should be able to reach or traverse the network.
Authorization should be based on at least three mechanisms. First,
signaling validation allows the session controller to inspect application
layer payloads and make decisions based on that information. Second, media
validation allows the media flows to be inspected and allowed to pass
through based on related signaling flows. Third, general filtering
supports general authorization based on different criteria such as ACLs,
customer policies, and headers.
6) Optimize Creation of Billable Records
Billable records should be cut at the entry or egress point of the
network. Keeping track of detailed session information on discrete flow
characteristics is of utmost importance for the IP-to-IP gateway
functionality. The detail record reporting provides valuable feedback to
customers who are seeking to engineer their networks according to
processing loads. By analyzing the results of the detail record reports,
service providers can allocate appropriate network resources across
network consumers. Detail records also provide valuable feedback to
operational support systems (OSS), including service level management and
billing. The capability to extract information in real time and
dynamically control traffic through the network enables service providers
to manage their networks more effectively and provide new enhanced
services to their customers. A normal session detail record should contain
information such as start/stop records for both signaling and bearer
traffic, including key performance indicators such as latency, jitter, and
7) Support and Enforce QoS
When converging voice and data networks, it is imperative to protect and
ensure specified QoS levels for services, such as voice, e-mail, and
video. This is a difficult task without session controllers that contain
large processing power capabilities and thus are able to understand and
apply policies based upon information deep in the packet headers and
payloads (specifically, Layer 5 information). Session controllers can
enforce SLAs by preventing bandwidth theft, assigning QoS markings, and
reporting QoS statistics such as jitter, latency, packet loss, etc. in
real time. Quality can also be measured and reported based upon network
8) Provide Network Security
Session controllers supporting IP-to-IP gateway functionality must secure
the network from any malicious attack, such as TCP SYN Floods, SIP INVITE
Floods, or malicious RTP Streams. With traffic flowing between different
networks, it is essential to protect them from any of the security
breaches that are so common in the IP world, as well as support carrier
compliance with the lawful intercept requirements. The session controller
should protect the carrier network by providing rogue RTP detection,
denial of service prevention/flood prevention, intrusion prevention, theft
of service prevention and CALEA.
9) Support Network Monitoring and Troubleshooting
Accurately monitoring the performance and health of the IP-IP
interconnection and troubleshooting the network on a call-by-call basis is
critical to maintaining high-quality network peering. The session
controller has to provide detailed performance reports and must have the
ability to debug calls in real time. In addition, it has to provide
statistics at a global and call level, delivering information such as
number of packets sent, received, and inter-arrival time. This allows the
operator to know at all times that the network is performing at the
Session controllers today are evolving to provide new features and
functionality. In the early days of VoIP, session controllers were
designed as network appliances to meet specialized requirements such as
firewall, NAT, and protocol translation. They worked great for signaling,
but they simply could not scale to meet both signaling and media demands
as VoIP deployments grew larger.
Today, as large, incumbent carriers adopt VoIP in their networks, a
dedicated critical network element is needed to support the ability to
process thousands of simultaneous VoIP calls without adding latency at
full capacity. Many session controllers on the market today are not up to
the task. And while some vendors are attempting to ï¿½graftï¿½ an IP-to-IP
gateway onto their media gateways, these efforts also do not support the
ï¿½necessary nineï¿½ features needed to deliver robust IP-to-IP gateway
Tier 1 service providers looking to support large VoIP deployments must
seek out interconnection solutions that extend the ï¿½traditionalï¿½
functionality of session controllers and support IP-to-IP gateway
functionality that can meet their peering needs both today and in the
Micaela Giuhat is assistant vice president of product management for
Netrake, a provider of session controllers delivering real-time control of
voice and multimedia across IP networks for Tier 1 service providers. For
more information, visit www.netrake.com.
Return To The March 2004
Table Of Contents ]