Smart, sexy edges: session border controllers deliver interactive communications across IP network borders - Spotlight: At the Edge
Telecommunications Americas, Oct, 2002 by Jim Hourihan
How many times have you heard "IP networks don't make any money!" Probably way too many. Compared to the PSTN, IP networks are big zeroes in terms of financial sex appeal. Today, while data consumes more than half of network bandwidth, ordinary telephone calls generate about 80 percent of total earnings.
There definitely is money in interactive communication services--real-time, high-quality voice and video communications between people. Interactive communications over IP networks open up several business opportunities:
* Transport-only services;
* HIP (hosted IP) voice services (i.e., IP Centrex or Class 5 services) including unified messaging, conferencing, etc.;
* New services not possible in the PSTN such as presence with instant calling or video conferencing from Windows XP PCs, multimedia customer care Web sites, and distance learning with real-time Q&A capabilities.
New interactive communication services and applications must ultimately span business and consumer, wired and wireless networks. Consequently, simply building standalone voice, video and multimedia over IP network islands is not enough. They must be built and interconnected in a way that ensures security and peak performance end-to-end (see Figure 1).
Connecting even just two IP networks, such as an enterprise and a provider's network, introduces new network edge requirements in three major areas--security, service assurance and law enforcement. These requirements have spawned a new product category called SBCs (session border controllers).
SBCs sit at the network edge and complement existing routers. They perform required control functions by tightly integrating session signaling and media control. SBCs operate as SIP back-to-back user agents, MGCP proxy/NATs (network address translators), and/or H.323 back-to-back gateways/gatekeepers. This simply means that SBCs are the source and destination for all signaling messages and media streams coming into and leaving the provider's network.
Security
The security agenda is driven by the fact that no one trusts anyone else--especially when it comes to their IP network. A provider must allow authorized users into their network while protecting internal service infrastructure from denial of service attacks. This infrastructure is also geographically distributed, making the security problem even more difficult. There is also a requirement to conceal valuable route information from inquisitive customers and competitors. If a provider is providing transit or termination services through another provider, a knowledgeable large enterprise customer might approach that provider directly for a better price.
SBCs work with the provider's signaling infrastructure to perform access control based upon Layer 5 signaling messages to support user mobility, not Layer 3 IP addresses used by firewalls or routers. For authorized communications, SBCs let the media streams into the network by opening and closing firewall pinholes. SBCs hide network topology by performing NAPT (network address and port translations) on all signaling and media IP packets. However, Layer 3-only NAPT is simply not enough. Internal IP addresses can also be exposed in signaling messages including error messages. Consequently, signaling and error messages are inspected by SBCs for embedded IP addresses and rewritten if present. These Layer 3 and 5 NAPT features can also be used to preserve IP addresses by enabling the use of private addresses for CPE.
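The Layer 5 rewriting described above, as an added Python sketch that is not from the original article: it replaces internal addresses found in SIP headers and the SDP body with the SBC's own address and recomputes Content-Length. The SBC address, the internal ranges and the sample message are assumptions constructed for illustration, and port translation is left out.

```python
import ipaddress
import re

# Assumptions for this sketch: the SBC's external address and the provider's
# internal ranges. The SIP response below is constructed sample data.
SBC_PUBLIC_IP = "203.0.113.10"
INTERNAL_NETS = [ipaddress.ip_network(n)
                 for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
IPV4 = re.compile(r"(?<![\d.])(?:\d{1,3}\.){3}\d{1,3}(?![\d.])")

BODY = ("v=0\r\no=- 1 1 IN IP4 10.1.4.33\r\ns=-\r\n"
        "c=IN IP4 10.1.4.33\r\nt=0 0\r\nm=audio 49170 RTP/AVP 0\r\n")
SAMPLE = (
    "SIP/2.0 200 OK\r\n"
    "Via: SIP/2.0/UDP 198.51.100.7:5060;branch=z9hG4bK776\r\n"
    "Contact: <sip:softswitch@10.1.4.20:5060>\r\n"
    'Warning: 399 10.1.4.20 "fallback route via 192.168.7.5"\r\n'
    "Content-Type: application/sdp\r\n"
    f"Content-Length: {len(BODY)}\r\n\r\n" + BODY
)

def is_internal(addr):
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:          # e.g. 999.1.1.1 is not an address: leave it alone
        return False
    return any(ip in net for net in INTERNAL_NETS)

def hide_topology(message, public_ip=SBC_PUBLIC_IP):
    """Return (rewritten message, sorted internal addresses that were found)."""
    found = set()

    def swap(match):
        addr = match.group(0)
        if not is_internal(addr):
            return addr
        found.add(addr)
        return public_ip

    head, sep, body = message.partition("\r\n\r\n")
    head, body = IPV4.sub(swap, head), IPV4.sub(swap, body)
    # The rewritten SDP is longer or shorter, so Content-Length must follow it.
    head = re.sub(r"(?im)^Content-Length:[ \t]*\d+",
                  f"Content-Length: {len(body.encode())}", head)
    return head + sep + body, sorted(found)
```

The Warning header in the sample shows why a header-by-header allowlist is not enough: free-text diagnostic fields carry addresses too, so the whole message is scanned.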
To protect against infrastructure overloads, incoming signaling messages may also have to be intelligently throttled. If a softswitch can only handle 50 calls per second, the SBC must gracefully reject new call requests when activity reaches this threshold. Lastly, these security functions must be performed at Gigabit Ethernet wirespeed with sub-millisecond latency in order to minimize the impact of any attacks on the SBC itself and end-to-end call setup and media stream latency.
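An added sketch of the throttling behaviour described above (example code, not from the article or any SBC product): only requests that start a new call count against the 50 calls-per-second limit, while signaling for calls already in progress always passes. The class name, the Retry-After value and the simulated burst are assumptions.

```python
from collections import deque

WINDOW_MS = 1000

class NewCallThrottle:
    """Caps admitted new-call INVITEs per sliding second (hypothetical class)."""

    def __init__(self, max_cps=50, retry_after_s=2):
        self.max_cps = max_cps
        self.retry_after_s = retry_after_s   # assumed back-off hint
        self.admitted = deque()              # timestamps (ms) of admitted calls

    def handle(self, method, has_to_tag, now_ms):
        # Only an INVITE without a To tag starts a new call. ACK, BYE and
        # re-INVITEs belong to calls already admitted and are never throttled.
        if method != "INVITE" or has_to_tag:
            return "FORWARD"
        while self.admitted and now_ms - self.admitted[0] >= WINDOW_MS:
            self.admitted.popleft()
        if len(self.admitted) >= self.max_cps:
            # Graceful rejection: answer at the edge and say when to retry,
            # so the softswitch never sees the excess load.
            return f"503 Service Unavailable; Retry-After: {self.retry_after_s}"
        self.admitted.append(now_ms)
        return "FORWARD"

def simulate():
    """Constructed burst: 120 new calls in one second against a 50 cps limit."""
    sbc = NewCallThrottle(max_cps=50)
    burst = [sbc.handle("INVITE", False, i * 8) for i in range(120)]
    forwarded = burst.count("FORWARD")
    bye = sbc.handle("BYE", True, 960)           # teardown of an existing call
    later = sbc.handle("INVITE", False, 1000)    # oldest admission has aged out
    return forwarded, len(burst) - forwarded, bye, later
```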
Service assurance
The service assurance agenda divides into two major areas. SLA assurance is concerned with guaranteeing session capacity and quality for customers. Revenue and profit assurance is focused on maximizing service provider revenue and minimizing costs.
The biggest SLA assurance challenge today entails converging premium revenue-generating voice, video and multimedia with data traffic--e-mail, IM, Internet and corporate data applications--on constrained and oversubscribed access links connecting enterprise or residential customer locations. These access links (see Figure 1) include low bandwidth T1 or DSL connections or the shared bandwidth cable HFC network. None of today's products or IP QoS mechanisms, including DiffServ, MPLS and RSVP, can understand access link capacity and utilization or make call admission control decisions based upon that intelligence.
Admission control policies implemented at the signaling level within the SBC can guarantee the total number of calls (measured on a bandwidth basis by looking at the codec), the number by type of call--voice vs. video, and the ability to make preemptive calls such as emergency 911 calls. If the access link is at capacity, new call set-up requests will be rejected (except for that 911 call). Adding just one more call will deteriorate the quality of every active call.
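The admission policy described above, as an added Python sketch that is not from the original article: calls are counted by codec bandwidth and by type, ordinary calls are rejected once the access link budget is used up, and an emergency call preempts the newest ordinary calls. The per-codec rates, the 480 kbps budget, the per-type limits and the newest-first preemption order are assumptions.

```python
# Assumed per-call rates in kbps including IP/UDP/RTP headers at 20 ms
# packetization (G.711 and G.729); the H.263 video rate is an assumption.
CODEC_KBPS = {"G711": 80, "G729": 24, "H263": 384}
KIND = {"G711": "voice", "G729": "voice", "H263": "video"}

class AccessLinkCAC:
    """Signaling-level admission control for one access link (hypothetical class)."""

    def __init__(self, budget_kbps, max_by_kind):
        self.budget = budget_kbps          # share of the link reserved for calls
        self.max_by_kind = max_by_kind     # e.g. {"voice": 10, "video": 1}
        self.active = {}                   # call_id -> (codec, is_emergency)

    def used(self):
        return sum(CODEC_KBPS[codec] for codec, _ in self.active.values())

    def admit(self, call_id, codec, emergency=False):
        need, kind, dropped = CODEC_KBPS[codec], KIND[codec], []
        if emergency:
            # Pick the newest non-emergency calls to preempt until the call fits;
            # nothing is torn down unless the emergency call can be admitted.
            free = self.budget - self.used()
            for victim in reversed(list(self.active)):
                if free >= need:
                    break
                vcodec, v_emergency = self.active[victim]
                if not v_emergency:
                    dropped.append(victim)
                    free += CODEC_KBPS[vcodec]
            if free < need:
                return "REJECT", "link full of emergency calls", []
            for victim in dropped:
                del self.active[victim]
        else:
            same_kind = sum(1 for c, _ in self.active.values() if KIND[c] == kind)
            if same_kind >= self.max_by_kind.get(kind, 0):
                return "REJECT", f"{kind} call limit reached", dropped
            if self.used() + need > self.budget:
                return "REJECT", "access link at capacity", dropped
        self.active[call_id] = (codec, emergency)
        return "ADMIT", f"{self.used()} kbps in use", dropped

def demo():
    """Constructed call sequence on a link with 480 kbps reserved for calls."""
    cac = AccessLinkCAC(480, {"voice": 10, "video": 1})
    calls = [("v1", "H263", False), ("a1", "G711", False), ("a2", "G729", False),
             ("v2", "H263", False), ("e911", "G711", True)]
    return [(cid, *cac.admit(cid, codec, emergency=e)) for cid, codec, e in calls]
```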


