January 2007 SIP Magazine
Volume 2 / Number 1

Session Border Control

By Richard “Zippy” Grigonis, Feature Articles



SIP has gone through many changes since its humble beginnings. Still, SIP retains just enough of its simple former “endpoint-to-endpoint” characteristics to make it a bit difficult to pass across network borders and through firewalls. NAT (Network Address Translation) and PAT (Port Address Translation) ensure that both real IP addresses and port numbers are disguised behind a few public ones facing the Internet. This is essentially true of a “proxy” server that sits between a client application (e.g., web browser) and a real server (i.e., web server), grabbing all requests sent to the real server and fulfilling them itself.

In the enterprise, one solution is a “SIP-aware” firewall such as those sold by Intertex and Ingate; the other, more general solution is a Session Border Controller (SBC), which can “punch a hole” through network borders and NAT/PAT-friendly firewalls so that SIP-based VoIP devices can connect to each other. Some advanced SBCs also resolve peering, quality of service (QoS), and other issues, as we shall see.
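The traversal problem described above, as an added example that is not part of the original article: NAT rewrites the IP/UDP headers, but the SIP and SDP text still names the phone's private address, so the far end cannot reach it. The sketch below is a simplified form of far-end NAT traversal, assuming a constructed INVITE and hypothetical function names and addresses; production SBCs typically act as back-to-back user agents and substitute their own addresses throughout.

```python
import ipaddress
import re

RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")

# Constructed sample: the customer's NAT rewrote the IP/UDP headers, but the
# SIP and SDP text still advertises the phone's private address.
SAMPLE_SDP = ("v=0\r\no=alice 2890844526 2890844526 IN IP4 192.168.1.20\r\n"
              "s=-\r\nc=IN IP4 192.168.1.20\r\nt=0 0\r\n"
              "m=audio 49170 RTP/AVP 0\r\n")
SAMPLE_INVITE = ("INVITE sip:bob@example.net SIP/2.0\r\n"
                 "Via: SIP/2.0/UDP 192.168.1.20:5060;branch=z9hG4bK74bf9\r\n"
                 "From: <sip:alice@example.com>;tag=9fxced76sl\r\nTo: <sip:bob@example.net>\r\n"
                 "Call-ID: 3848276298220188511\r\nCSeq: 1 INVITE\r\n"
                 "Contact: <sip:alice@192.168.1.20:5060>\r\n"
                 f"Content-Type: application/sdp\r\nContent-Length: {len(SAMPLE_SDP)}\r\n\r\n" + SAMPLE_SDP)

def is_rfc1918(text):
    try:
        addr = ipaddress.ip_address(text)
    except ValueError:          # e.g. 999.1.1.1 matched by the loose regex
        return False
    return any(addr in net for net in RFC1918)

def unroutable_targets(message):
    """List (field, address) where the far end is told to reach a private IP."""
    hits = []
    for line in message.split("\r\n"):
        if line.lower().startswith(("contact:", "c=")):
            field = re.split(r"[:=]", line, maxsplit=1)[0]
            hits += [(field, a) for a in IPV4.findall(line) if is_rfc1918(a)]
    return hits

def anchor_at_sbc(message, src_ip, src_port, relay_ip):
    """Point signaling at the observed NAT binding and media at the SBC relay."""
    head, body = message.split("\r\n\r\n", 1)
    body = re.sub(r"^(c=IN IP4 )\S+", rf"\g<1>{relay_ip}", body, flags=re.M)
    lines = []
    for line in head.split("\r\n"):
        low = line.lower()
        if low.startswith("via:"):        # send responses back to the NAT binding
            line += f";received={src_ip};rport={src_port}"
        elif low.startswith("contact:"):  # later requests must target the binding
            line = re.sub(r"@[^>;]+", f"@{src_ip}:{src_port}", line)
        elif low.startswith("content-length:"):  # body length changed
            line = f"Content-Length: {len(body.encode())}"
        lines.append(line)
    return "\r\n".join(lines) + "\r\n\r\n" + body
```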

Of course, an SBC should ideally support such protocols as TDP/UDP (Traffic Distribution Protocol/User Datagram Protocol) and interwork with TLS (Transport Layer Security, the successor to SSL or the Secure Socket Layer) to successfully deal with SIP. These capabilities and more can be found in high performance SBCs such as the nCite by Netrake (http://www.netrake.com), now an AudioCodes (http://www.audiocodes.com) company. The nCite can do load balancing, offers H.323/SIP interworking, handles up to 21,000 concurrent sessions, achieves less than 31 microseconds of latency, offers a built-in protocol debugger and downstream failure detection, and even supports lawful intercept of calls via its CALEA compliance.

As IP Communications continues to expand globally, so will SBCs and the devices that harbor SBC functionality. A report entitled “Service Provider Next Gen Voice and IMS Equipment”, by the market research firm Infonetics Research shows that up until the third quarter of 2006, the session border controller segment grew 8% QoQ and up 102% YoY. Infonetics projects that the SBC market will grow from $86 million in 2005 to $613 million in 2009, and worldwide service provider revenues for VoIP and IMS equipment will more than double between 2005 and 2009, from $2.5 billion to $5.8 billion.

Interestingly, Acme Packet (http://www.acmepacket.com) leads what Infonetics calls “the fast-growing session border controller (SBC) segment”. That’s not surprising, since Acme Packet’s Net-Net family is used by over 240 service providers, including 21 of the top 25 wireline and wireless providers worldwide. Their success owes in part to the flexibility of their SBC in deployments ranging from VoIP trunking to hosted enterprise and residential services, and support for such varied protocols as SIP, H.323, MGCP/NCS and H.248. Acme Packet SBCs can cross multiple border points — at the interconnect, access edge and in terms of providing the kind of comprehensive security necessary at the edge but without impacting performance or scalability.


Peering Edge & Access Edge SBCs

We’ve been speaking of SBCs as if they were a specific, well-defined item. Actually, we can now define two broad types of SBCs: The original “peering edge” and “access edge” SBCs.

Rod Hodgman is VP of Marketing at Covergence (http://www.covergence.com), which offers the Eclipse, a second-generation IMS-compliant, access edge session border controller that has all sorts of capabilities not found in earlier peering-session SBCs.

“We provide a specialized session border controller that’s specifically designed for the access edge,” says Hodgman. “To tie this to IMS, just look at what IMS and TISPAN does. Within that standards body they’ve defined both an access edge SBC and peering edge SBC. They did that because issues faced in those two environments are inherently different.”

“To date, almost all SBC implementations have been peering edge SBCs,” says Hodgman, “where you are setting up peering relationships among a few trusted providers. Access edge SBCs, on the other hand, are very different. Rather than a few trusted network interfaces, it must deal with hundreds of thousands or even millions of untrusted subscribers along with a diversity of endpoints, applications and interoperability issues. It’s about a lot more than VoIP — it’s about instant messaging, presence, find-me/follow-me, click-to-talk and all of these kinds of things. It must allow service providers and enterprises to use such non-VoIP services too. So it’s a very different and difficult environment in the areas of scaling the access edge and in terms of providing the kind of comprehensive security necessary at the edge but without impacting performance or scalability.”

“We definitely play in the access edge SBC segment,” says Hodgman. “We see the market in 2007 recognizing these two different types of products and we think a lot of what happens in 2007 will center on connecting users to their services, rather than just connecting networks, which is what people have done for the last two or three years.”

“Our customers fall into two categories,” says Hodgman. “They’re either companies that have begun to scale their access edge and have found that a peering SBC doesn’t support the number of endpoints, the registration rates, the kind of devices and applications they want to support, or the stateful connections and comprehensive security they need. For those customers in those categories, we come in and provide the access edge solution for them.”

“For us, the access edge market really consists of three customer segments,” says Hodgman. “First, companies providing consumer services that really need to scale the access edge; they have some experience with it, but they’ve run into some problems and they’re out in the marketplace looking for a more optimized solution to that problem. Second are those providing services for business. They need to provide what we call ‘business-grade’ VoIP to be able to provide service to enterprise customers. By ‘business-grade VoIP’ I mean VoIP that is secure, reliable, available and of high quality. Generally, this comes down to providing the comprehensive security that’s necessary to allow them to deploy the system. It passes the internal requirements of their security teams’ policies. There are companies that need to or want to provide services beyond VoIP. That would be instant messaging, presence, video, conferencing, click-to-call, find-me/follow-me, and those sorts of features so that they can not only sell business-grade services to the enterprise but sell advanced services and therefore get more revenue per customer out of the enterprise. This is a rapidly emerging market. The third category is the enterprise customer, who by definition requires a business-grade communications and collaboration system for them to be able to deploy either VoIP or real-time collaboration. This is an early-stage, emerging market, in which we also participate.”

“Our customers don’t need SBCs,” says Hodgman. “They need results. If they’re service providers, they need to increase high-value enterprise customers; to do that, they need business-grade services and they need to increase revenues through the provisioning of additional services such as multimedia services beyond VoIP. They need to reduce their costs and improve customer satisfaction by improved management — I can’t emphasize this enough. Our product has some really sophisticated and advanced management tools in it, and one of the things we’ve spent a lot of time doing, when we visit customers, is cleaning up what is essentially a rats’ nest of these malconfigured TAs and devices that are themselves sending up registration storms and causing a lot of mayhem on the network.”

“For the larger providers, clearly migrating to IMS is a big, important factor for them,” says Hodgman. “At the enterprise, it’s all about reducing costs and streamlining business processes. They can do that via broad deployment of real-time communications systems, either VoIP or collaboration, as long as it meets their internal security policies and external regulatory compliance.”


Integrated versus Stand-alone SBCs

With the flexibility and miniaturization afforded by today’s technology, we no longer have to talk about SBCs as if each were a discrete “box”. We’re really talking about SBC functionality, and that can be situated anywhere and in any form. Gateways can be combined with session border control functionality — indeed, you may find SBC functionality embedded or integrated into other network elements, as opposed to existing as a separate SBC box.

For example, take Cisco’s 7600 Series Routers, said to be the industry’s first comprehensive Carrier Ethernet service edge platform for converged IP video, voice and data offerings with mobility. You can find an integrated SBC on the Cisco 7600 Series Routers, which provides per-session control and management of IP multimedia traffic based on SIP and H.323. Such a unified SBC implementation obviates the need for additional appliances and overlay networks, enabling multi-service scalability with lower costs. The Cisco SBC is also integrated with the Cisco XR 12000 Multiservice Edge platform for business services.


SBCs on the Move

Even when SBC functionality is concentrated in a single box, it’s a good idea to have a system flexible enough so that it can be situated anywhere in the network. In this vein, Tekelec (www.tekelec.com), a developer of high-performance network applications for next-gen fixed, mobile and packet networks, offers the Tekelec 6000 VoIP Application Server that includes automatic disaster recovery features. The Tekelec 6000 can re-route all IP phone calls automatically to a wireline or mobile phone if an operator’s network is disrupted by a natural catastrophe such as wind or flooding. The architecture of the Tekelec 6000 thus allows operators to situate system servers and session border controllers in geographically diverse locations, ensuring no single points of failure and continued operation despite extreme weather conditions.

Over at NexTone (http://www.nextone.com), their IntelliConnect™ System has earned acceptance from the Rural Utilities Service (RUS) branch of the United States Department of Agriculture (USDA). Therefore, it’s now easier for the Independent Operating Companies (IOCs) servicing rural markets to extend VoIP services to all of their wireline subscribers via RUS financing to purchase and deploy NexTone's IntelliConnect System, which includes its Session Border Controller (SBC) for securing bilateral interconnects and the Multiprotocol Session Exchange (MSX), a platform for interconnecting SIP and H.323 networks.

But wherever an SBC happens to be, it must be subject to periodic testing. Although VoIP quality steadily improves, it’s still possible for a phone call to suffer problems as jitter buffers in session border controllers and media gateways overflow and begin discarding voice packets. Now, however, service providers can remotely test to a customer’s multimedia telephone adapter (MTA) or SBC to monitor and troubleshoot VoIP quality using Tektronix’ (http://www.tektronix.com) loopback testing offering. Over 50 service-quality metrics can be measured on-demand including speech quality (MOS, echo), call connectivity (PDD, CCR), DTMF transmission, packet-loss, jitter and delay.


Attacks on SBCs

As both workers and their devices become increasingly mobile under IMS (IP Multimedia Subsystem) and FMC (Fixed/Mobile Convergence), the concept of a defensible perimeter around an organization, lorded over by conventional security devices and software (firewalls, session border controllers, intrusion detection/prevention systems, etc.), is starting to evaporate. Since every device has an independent interface and vulnerable internal workings, every device now essentially has its own perimeter, and that perimeter is what really must be protected from attacks by hackers or crackers, such as SIP-specific denial-of-service (DoS) attacks.

Fortunately, SBCs have become more secure at a pace slightly ahead of the hackers. NexTone's Multiprotocol Session Exchange (MSX), for example, successfully passed the most call-intensive attack test plan executed against any SBC tested by Chris Bajorek’s CT Labs, a testing facility that’s now part of Empirix (http://www.empirix.com). In the course of the test, NexTone’s MSX successfully processed over 18.7 million legitimate SIP calls in a 62-hour period while rejecting a SIP-specific DoS attack.


Future SBCs

As the network expands in size and bandwidth, and as more processing-intensive applications make their appearance, SBC hardware will have to expand in power too. New form factors such as AdvancedTCA (ATCA), MicroTCA and ATCA Mezzanine Cards (AMCs) will come into play. RadiSys (http://www.radisys.com), for example, recently expanded its ATCA and AMC family with two new products based on the Cavium Networks’ latest OCTEON™ processors: The Promentum ATCA-72xx, a high performance, modular Gigabit Ethernet Line card for ATCA systems offering 4, 8, 12 or 16 Gigabit Ethernet interfaces, and the RadiSys AMC-7211 to provide power efficient, packet and security processing for customers requiring AMC modules for their ATCA and uTCA platforms. These new ATCA and AMC solutions provide high density Gigabit Ethernet interfaces with sophisticated dataplane hardware acceleration, and will power the next generation of high performance products such as SBCs, Media Gateways, Edge Routers, and Security Gateways.

But if you want to know what will definitely happen to the future of many SBC companies, at least in the short term, then look no further than Netrake Corporation, a leading provider of SBCs, media gateways and security gateways, which has been acquired by AudioCodes, makers of voice network products such as their superlative packetization boards. There has been a profusion of SBC makers in the past, and one suspects that some shake-out/mergers and acquisition goings-on will continue for quite a while.

Richard Grigonis is Executive Editor of TMC's IP Communications Group.


