
Special Focus
March 2004

Session Border Control Solutions

What Is A Session Border Controller?
Session border controllers control real-time interactive communications – voice, video, and multimedia sessions – across IP network borders. They provide new session controls in the areas of security, service reach and interworking, SLA assurance, revenue/profit assurance, and regulatory compliance.

These IP-IP network borders include:
• Service provider to service provider network borders – "peering border."
• Service provider access network to backbone network borders – "access network border." These access networks may connect enterprise, residential, and mobile subscribers using any technology including leased line, frame relay, DSL, cable, Wi-Fi, 3G, satellite, etc.
• Service provider data center to managed network or the Internet border – "data center border."
• Enterprise network to service provider network border – "enterprise border."
From a technical perspective, session border controllers tightly integrate signaling and media control in a single system. This means that they support one or more signaling protocols such as SIP, H.323 or MGCP/NCS associated with session management, and they are capable of controlling the RTP and RTCP flows associated with the voice, video, or multimedia session content.
Session border controllers also support more than just access control and network address translation for session signaling messages and media.

What Isn't A Session Border Controller?
1. Firewall/NAT products with SIP, H.323, MGCP/NCS, Megaco, SCCP, etc. support are not session border controllers.
Why? These products only support access control and network address translation.

2. Signaling-only products (some people generically call these "session controllers") including softswitches, SIP servers, H.323 gatekeepers, and MGCP call agents are not session border controllers.
Why? These products do not control media.

3. Media gateways which interconnect IP and TDM networks are not session border controllers.
Why? These products do not address IP-IP network border requirements.

Jim Hourihan is vice president, marketing and product management at Acme Packet. Acme Packet enables network service providers to deliver premium, interactive communications – voice, video, and multimedia sessions – across IP network borders. Established in August 2000 by networking industry veterans, Acme Packet is a privately held company headquartered in Woburn, Massachusetts.

Sonus Networks Q&A

Sonus Networks recently announced that it is delivering new capabilities through its Open Services Architecture (OSA) and voice infrastructure solutions designed to facilitate the development of the ubiquitous all-IP network. With the recently issued Release 5.1 of its industry-leading GSX9000 Open Services Switch and Insignus Softswitch, Sonus is offering new features and functionality that extend the applications of its solutions and create what they are calling a "new category of product," namely: Network Border Switching.

INTERNET TELEPHONY® asked Michael O'Hara, vice president, marketing, Sonus Networks, Inc., about these developments.

IT: What is a Network Border Switch?

MO: A Network Border Switch is a new category of product designed to enable the development of "all-IP" carrier voice networks, networks in which voice is transported end-to-end via IP. As packet voice networks continue to proliferate, service providers are moving to connect to others using IP, rather than circuits. This trend opens up new opportunities for carriers in a number of key areas:
• Peering – Carriers can interconnect or "peer" with one another using VoIP, which enables capital and operational efficiencies by eliminating the need to convert between VoIP and circuit voice.
• Enterprise access – Service providers are increasingly using IP as the interface of choice to enterprise customers. Because those customers now expect a bundle that includes both voice and IP data, using IP for transport offers cost and operational benefits. With a direct packet-to-packet interface, enterprise voice services can be converted to VoIP using an enterprise gateway, or may be provided directly as VoIP from the PBX.
• End user access – Communications providers may want to connect end users to the carrier voice service through IP. In this scenario, the customer device can be one of several options, such as an IP phone, a "soft" phone, or a standard telephone attached to an adapter or Integrated Access Device (IAD).
• Application Service Provider (ASP) access – As they continue to deploy VoIP technologies, carriers are eschewing complex SS7-based protocols in favor of IP as the interface to enhanced services application platforms. This offers increased opportunity for implementation of enhanced services by ASPs, who use the IP interface to interact with carrier systems.
However, these new business opportunities introduce a set of new challenges for service providers, specifically in the areas of security, network availability, address translation and interoperability. While products such as NAT devices, firewalls and session border controllers (SBCs) have been used to solve pieces of the overall problem, until now, there has been no single solution that addresses all of these issues.

IT: What capabilities does a Network Border Switch offer? How is it different from session border controllers or other solutions?

MO: The Network Border Switch eliminates the need for partial solutions by providing basic functionality required, including:
• Network Address Translation (NAT) and topology hiding;
• Access control via a pinhole firewall;
• DoS protection;
• Bandwidth and QoS theft protection;
• Signaling-based admission control (SIP or H.323);
• SIP and H.323 proxy, back-to-back and interworking functions.
The Network Border Switch goes beyond session border controllers to add sophisticated functions required for a true carrier-grade solution:
• Sophisticated control – The Network Border Switch enables carriers to control firewall pinholes and routing with options not only based on IP addresses, but with call-related information such as calling subscriber, called subscriber, applicable calling plan and others.
• Media interworking – The Network Border Switch is able to resolve most of the media incompatibilities that can arise in interconnecting IP devices, such as different codecs, different voice packet sizes and protocol incompatibilities (raw fax versus T.38, DTMF versus RFC2833
• Services on packet-to-packet calls – Carriers must have the ability to provide standard services on packet-based calls and must be able to apply tones, announcements and prompts as necessary. The Network Border Switch provides the same types of services on VoIP calls as carriers currently provide on circuit-based calls.
• Support of SIP-T – When peering with another carrier via IP, carriers typically use Session Initiation Protocol for Telephones (SIP-T), allowing end-to-end call signaling via embedded ISUP information. As the practice of packet peering expands, carriers will increasingly need the ability to inter-work between incompatible ISUP variants within SIP-T. To enable this advanced level of peering, the Network Border Switch supports SIP-T and dozens of different ISUP variants.

IT: How will Network Border Switches impact the session border controller market?

MO: We believe that the functionality delivered through products like session border controllers will be absorbed into solutions such as Network Border Switches, as a natural evolution of the product, much like session border controllers have incorporated functions such as firewall and NAT. That said, while the Network Border Switch eliminates the need for multiple, separate devices, it is likely that session border controllers will still play a role in carriers' networks.

IT: What are the implications for service providers?

MO: Carriers have been deploying packet technologies as the foundation of their voice networks for some time now, enabling them to reduce the cost of their infrastructure and deliver new services. At this stage of the market, we see many "islands of IP," and carriers are now ready to take the next step in the evolution of their networks by securely connecting to other carriers, enterprises and even to end users in native IP.
From an operational perspective, the Network Border Switch reduces the number of devices that must be deployed, thereby reducing the cost and complexity of the network and streamlining provisioning and management of the network. With Network Border Switching, service providers now have the ability to expand their business opportunities.

The Necessary Nine: Beyond Basic VoIP Interconnection

By Micaela Giuhat

As service providers grow their voice and multimedia over IP businesses, the need to interconnect natively over IP with other networks becomes more critical. For service providers, the underlying expectation is that this VoIP interconnection functionality will perform in the same manner as a traditional time division multiplexed (TDM) handoff, while also delivering greater efficiency and significant cost savings. This is a critical difference between traditional IP-to-IP peering of pure data, and IP-to-IP peering for VoIP. In the VoIP scenario, the behavior is expected to more closely emulate a TDM handoff than a more conventional IP-to-IP handoff.
Fortunately, a new class of products has arrived to meet this expectation: session controllers. But all session controllers are not the same, and Tier 1 carriers should be aware of the "necessary nine" key functions that will help them take their network peering to the next level and interconnect their global VoIP networks while maintaining network privacy and security.
To be able to efficiently and securely interconnect VoIP networks, session controllers must provide true IP-to-IP gateway functionality, which requires supporting the following "necessary nine" functions:

1) Clearly Define the Demarcation Point
Supporting VoIP interconnection between Tier 1 carriers first involves clearly defining the demarcation point by managing all the traffic on a call-by-call basis, where a call is defined as a combination of both signaling and media streams, from set-up to tear-down. This capability also takes care of session/call admission control, which can be done based on bandwidth or number of calls allowable per customer.

2) Grow Interconnections While Maintaining Network Simplicity
Being able to grow the number of interconnections as well as the traffic load without increasing the network's overall complexity is critical when supporting peering between Tier 1 networks. It is important to make sure that one session controller can support many customers/networks and that there is no one-to-one relationship between the session controller and customers. This capability will allow carriers to expand their peering points with no impact to the internal network, therefore causing no disruption and achieving economies of scale. The session controller should be able to grow the number of simultaneous sessions, the number of calls per second, the number of singularly defined customers, the number of registrations, and the number of VLANs, meaning that they can support customers that have overlapping address space.

3) Provide 99.999 Percent Reliability
The network's reliability and availability should provide support for system level redundancy for the VoIP application, automatic fail-over when a failure is detected and operational VoIP traffic under normal non-failure conditions. The network should be able to re-route all VoIP traffic through a secondary session controller upon network failure. It should allow an established VoIP call to be re-routed through a secondary session controller without failure of the established call. It should also support normal VoIP call termination after a failure transitions a call to a secondary session controller. Out-of-band mechanisms should allow the paired session controllers to synchronize VoIP information, and there should be a mechanism that allows a failed session controller to be transitioned back to an operational state without disruption of the VoIP service handled by the non-failed session controller.

4) Maintain Privacy
Maintaining privacy of all parties involved in the interconnection is also critical. Carriers can maintain carrier privacy using a multitude of features developed specifically for carrier-to-carrier interconnect, including basic translations, header stripping, and topology hiding.

5) Allow Only Authorized Traffic
Only authorized traffic should be able to reach or traverse the network. Authorization should be based on at least three mechanisms. First, signaling validation allows the session controller to inspect application layer payloads and make decisions based on that information. Second, media validation allows the media flows to be inspected and allowed to pass through based on related signaling flows. Third, general filtering supports general authorization based on different criteria such as ACLs, customer policies, and headers.

6) Optimize Creation of Billable Records
Billable records should be cut at the entry or egress point of the network. Keeping track of detailed session information on discrete flow characteristics is of utmost importance for the IP-to-IP gateway functionality. The detail record reporting provides valuable feedback to customers who are seeking to engineer their networks according to processing loads. By analyzing the results of the detail record reports, service providers can allocate appropriate network resources across network consumers. Detail records also provide valuable feedback to operational support systems (OSS), including service level management and billing. The capability to extract information in real time and dynamically control traffic through the network enables service providers to manage their networks more effectively and provide new enhanced services to their customers. A normal session detail record should contain information such as start/stop records for both signaling and bearer traffic, including key performance indicators such as latency, jitter, and loss.

7) Support and Enforce QoS
When converging voice and data networks, it is imperative to protect and ensure specified QoS levels for services, such as voice, e-mail, and video. This is a difficult task without session controllers that contain large processing power capabilities and thus are able to understand and apply policies based upon information deep in the packet headers and payloads (specifically, Layer 5 information). Session controllers can enforce SLAs by preventing bandwidth theft, assigning QoS markings, and reporting QoS statistics such as jitter, latency, packet loss, etc. in real time. Quality can also be measured and reported based upon network domains.

8) Provide Network Security
Session controllers supporting IP-to-IP gateway functionality must secure the network from any malicious attack, such as TCP SYN Floods, SIP INVITE Floods, or malicious RTP Streams. With traffic flowing between different networks, it is essential to protect them from any of the security breaches that are so common in the IP world, as well as support carrier compliance with the lawful intercept requirements. The session controller should protect the carrier network by providing rogue RTP detection, denial of service prevention/flood prevention, intrusion prevention, theft of service prevention and CALEA.
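
The media validation described under function 5 and the rogue RTP detection named above can be illustrated with a signaling-driven pinhole table. This is an added example, not code from the article or from any vendor: the `PinholeTable` class, its method names, the SSRC latch, and the sample SDP and packets are assumptions constructed for illustration.

```python
# Constructed SDP answer (documentation-range addresses); port 0 marks a rejected stream.
SAMPLE_SDP = ("v=0\r\no=- 1 1 IN IP4 192.0.2.10\r\ns=-\r\nc=IN IP4 192.0.2.10\r\n"
              "t=0 0\r\nm=audio 49170 RTP/AVP 0 8\r\nm=video 0 RTP/AVP 31\r\n")

def parse_sdp_media(sdp):
    """Return [(ip, port, payload_types)] for each accepted RTP stream in an SDP body."""
    session_ip, streams = None, []
    for line in sdp.splitlines():
        if line.startswith("c=IN IP4 "):
            ip = line.split()[2]
            if streams:
                streams[-1]["ip"] = ip        # media-level c= overrides session-level
            else:
                session_ip = ip
        elif line.startswith("m="):
            fields = line[2:].split()
            is_rtp = len(fields) >= 4 and fields[2].startswith("RTP/")
            port = int(fields[1].split("/")[0]) if is_rtp else 0
            pts = {int(p) for p in fields[3:] if p.isdigit()}
            streams.append({"ip": session_ip, "port": port, "pts": pts})
    return [(s["ip"], s["port"], s["pts"]) for s in streams if s["ip"] and s["port"]]

class PinholeTable:
    """Hypothetical media-validation table: RTP passes only where signaling opened a pinhole."""
    def __init__(self):
        self.pinholes = {}                    # (dst_ip, dst_port) -> call state

    def open_for_call(self, call_id, sdp):
        for ip, port, pts in parse_sdp_media(sdp):
            self.pinholes[(ip, port)] = {"call_id": call_id, "pts": pts, "ssrc": None}

    def close_call(self, call_id):            # invoked on BYE / call tear-down
        self.pinholes = {k: v for k, v in self.pinholes.items() if v["call_id"] != call_id}

    def check_rtp(self, dst_ip, dst_port, packet):
        hole = self.pinholes.get((dst_ip, dst_port))
        if hole is None:
            return "drop: no pinhole"
        if len(packet) < 12 or (packet[0] >> 6) != 2:
            return "drop: not RTP v2"
        if (packet[1] & 0x7F) not in hole["pts"]:
            return "drop: payload type not negotiated"
        ssrc = int.from_bytes(packet[8:12], "big")
        if hole["ssrc"] is None:
            hole["ssrc"] = ssrc               # latch onto the first stream seen
        elif ssrc != hole["ssrc"]:
            return "drop: unexpected SSRC"    # simplification: no re-latch on re-INVITE
        return "pass"

def make_rtp(pt, ssrc):
    """Constructed RTP packet: 12-byte v2 header plus 160 dummy payload bytes."""
    header = bytes([0x80, pt]) + (1).to_bytes(2, "big") + bytes(4) + ssrc.to_bytes(4, "big")
    return header + bytes(160)
```

Because the pinhole is keyed to the call that opened it, tearing down the call closes the media path as well, which is the call-by-call demarcation described under function 1.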

9) Support Network Monitoring and Troubleshooting
Accurately monitoring the performance and health of the IP-IP interconnection and troubleshooting the network on a call-by-call basis is critical to maintaining high-quality network peering. The session controller has to provide detailed performance reports and must have the ability to debug calls in real time. In addition, it has to provide statistics at a global and call level, delivering information such as number of packets sent, received, and inter-arrival time. This allows the operator to know at all times that the network is performing at the required levels.
Session controllers today are evolving to provide new features and functionality. In the early days of VoIP, session controllers were designed as network appliances to meet specialized requirements such as firewall, NAT, and protocol translation. They worked great for signaling, but they simply could not scale to meet both signaling and media demands as VoIP deployments grew larger.
Today, as large, incumbent carriers adopt VoIP in their networks, a dedicated critical network element is needed to support the ability to process thousands of simultaneous VoIP calls without adding latency at full capacity. Many session controllers on the market today are not up to the task. And while some vendors are attempting to "graft" an IP-to-IP gateway onto their media gateways, these efforts also do not support the "necessary nine" features needed to deliver robust IP-to-IP gateway functionality.
Tier 1 service providers looking to support large VoIP deployments must seek out interconnection solutions that extend the "traditional" functionality of session controllers and support IP-to-IP gateway functionality that can meet their peering needs both today and in the future.
Micaela Giuhat is assistant vice president of product management for Netrake, a provider of session controllers delivering real-time control of voice and multimedia across IP networks for Tier 1 service providers. For more information, visit www.netrake.com.  
