See discussions, stats, and author profiles for this publication at: https://www.researchgate.

net/publication/343968886

The Role of Session Border Controllers in Next-Generation IMS-Based Networks

Article · December 2006

CITATIONS READS
0 978

1 author:

Mallik Tatipamula
Ericsson
64 PUBLICATIONS   686 CITATIONS   

SEE PROFILE

Some of the authors of this publication are also working on these related projects:

SDN controller assignment View project

SURFnet View project

All content following this page was uploaded by Mallik Tatipamula on 29 August 2020.

The user has requested enhancement of the downloaded file.

 IEC Annual Review of Communications, Vol. 59

The Role of Session Border Controllers

in Next-Generation IMS–Based Networks
Mallik Tatipamula Kevin Klett
Vice President, Strategy and Planning Vice President, Product Management
Juniper Networks Acme Packet, Inc.

Sohel Khan
Principal Technology Strategist
Sprint

Abstract media services, providers need to protect their IMS

network through some border control functions.
Session border controllers (SBCs) are border These functions guarantee security, service reach,
devices widely deployed in telecommunications service assurance, resource protection, and inter-
next-generation voice over Internet protocol (VoIP) working of incompatible signaling protocols. In
and multimedia networks to provide critical func- addition, these functions enable regulatory and law
tions across the following major control areas: bor- enforcement services. IMS standards either com-
der security, service reach maximization, service plement or lack some of the SBC functions.
assurance and quality of service (QoS), QoS theft
protection, regulatory support, and law enforcement. Providers deploy SBCs depending on the IP–IP net-
work border such as between an end customer and
Some IP multimedia subsystem (IMS) border func- an access network (SBC–customer-premises edge
tions and critical functions not yet addressed by the [SBC–CE]), between an access network and a core
standards bodies are realized by SBCs. network, and between two core networks. These
Nevertheless, some of the SBC functions comple- SBCs are, respectfully, customer-premises edge
ment IMS functions. We are beginning to see (SBC–CE), SBC network edge (SBC–NE), and SBC
deployment of SBCs in IMS–based next-genera- network core (SBC–NC). Figure 1 depicts these
tion networks (NGNs). SBC deployment scenarios in an IMS/MMD–based
wireless network, with SBC–NE called an access
This paper provides an overview of SBC functions SBC and network core or peering SBC (SBC–NC)
and their deployment scenarios, the role of SBC an interconnect SBC. Depending on the network
functions in IMS networks, and a functional com- border, SBC functions differ slightly.
parison of SBCs and IMS functions.
SBCs provide the functions needed to interconnect
Introduction these carrier and access networks and provide the
following service provider benefits:
With the proliferation of real-time interactive sig-
naling protocol such as session initiation protocol • Ensures security of provider’s service infra-
(SIP) to provide IP–based voice, video, or multi- structure and customer privacy by denial of

311
The Role of Session Border Controllers in Next-Generation IMS–Based Networks

Figure 1: SBC Deployment Scenarios in a Wireless Network

service (DoS) protection, access control, topol- wireline IMS network and third-generation partner-
ogy hiding and privacy, virtual private network ship project (3GPP)–based wireless IMS network.
(VPN) separation, service infrastructure DoS Thereafter, it addresses SBC functions that are not
prevention, and fraud prevention addressed by 3GPP and TISPAN. The paper then
• Overcomes network barrier by network address comes to a conclusion.
translation (NAT) traversal, VPN bridging, sig-
naling mediation, protocol normalization, and SBC Functions
transcoding
• Guarantees capacity and quality on congested The SBC is comprised of the following four logical
or oversubscribed access links/networks functions:
• Enables service provider to deliver and report
on SLAs • Signaling function—The session control func-
• Ensures service quality by performing admis- tion provides call signaling and session han-
sion control, bandwidth policing and QoS dling, including session routing, protocol inter-
marking, traffic shaping, and load balancing working, address translations, session layer
• Increases service reach by interworking incom- classification and policy enforcement, session
patible signaling protocols layer authentication, accounting and session
• Satisfies emerging law enforcement and emer- layer topology hiding, and privacy. The session
gency service requirements control function interfaces with the
resource/bandwidth control function for call
This paper first depicts four major SBC functions— admission control policy enforcement and for
signaling, resource policy, security, and media— allocating/controlling media resources in the
then briefly describes SBC functional decomposi- media control function.
tion. Then, it addresses the role of SBCs in • Resource policy function—This functional ele-
Telecoms and Internet Converged Services and ment is responsible for gate control and
Protocols for Advanced Networks (TISPAN)–based resource allocation in the media control func-

312
 Mallik Tatipamula, Sohel Khan, and Kevin Klett

Figure 2: SBC Functions

tion. It also performs policy management for Signaling Functions

bandwidth and session capacity that are • Authentication and access control—The ses-
enforced by the session control function. This sion control function performs user/endpoint
element may utilize local policies (e.g., local authentication in conjunction with upstream
policy decision function [PDF]) and/or inter- session control elements such as registrars. The
face with external policy managers. session control function also enforces static and
• Security function—This element’s principal dynamic layer 5+ access control policies that
role is to protect the SBC from DoS and over- define trusted endpoints and adjacent service
load conditions and manage security associa- elements (e.g., proxies).
tions (e.g., transport-layer security [TLS], IP • Firewall management—The session control
security [IPSec]) with adjacent elements and function inspects SIP messages to instruct the
endpoints. Other functions include enforcement firewall in the media control function to open
of IP layer access control lists, dynamic trust and close pinholes (for the media streams) and
classification of endpoints, signaling traffic apply bearer policy enforcement (i.e., rate lim-
policing, and other functions required to protect iting) accordingly per flow.
the SBC and the upstream service infrastructure. • DoS and overload protection—DoS and over-
• Media function—The media control function is load protection is performed in conjunction
often referred to as the border gateway (BG) with the security front end. Capabilities include
and is responsible for opening and closing gates the following:
for media streams, packet marking, media layer • Access control and signaling packet filtering
network address port translation (NAPT), • Deep packet inspection
media latching for hosted NAT traversal, band- • Dynamic endpoint trust binding
width policing, and optional transcoding. The • Malicious source detection and isolation
media control function is controlled by the • Local overload and congestion controls
resource/bandwidth control function and vis-à- • L5 traffic filtering (e.g., signature detection)
vis the session control function. • Signaling rate policing (e.g., registration
rate, session rate)
Many of the higher-level SBC functions require • Network topology or end-user identity hid-
interaction among these logical components. ing—End-user identity and network topology

313
The Role of Session Border Controllers in Next-Generation IMS–Based Networks

hiding are performed by adding, removing, or ing streams, session control inspects signaling
modifying the identity and IP address informa- messages to determine whether an endpoint is
tion in the SIP header. The topology hiding is behind a NAT device and employs mechanisms
performed by removing routing information or to maintain signaling connectivity between the
modifying the from/contact information in the user endpoint and the SBC. For the traversal of
signaling headers. This ensures the privacy of media streams, the session control function
end users and network service providers. This is interacts with the media control function’s
accomplished by an SIP back-to-back user media relay to discover and latch on the
agent (B2BUA). ephemeral port used by the NAT device for
• Privacy—As a border device, the SBC main- media streams. The resulting media binding is
tains trust relationships associated with user passed to the session control function.
endpoints, adjacent network elements, and • Digital signal processor (DSP) service con-
entire networks. These trust relationships are trol—A session control function engages in
key to privacy. The session control function codec negotiation procedures and enforces pol-
applies privacy policies in the following areas: icy on codecs being negotiated and allocates
• User identity anonymization transcoding resources in the media control
• Header privacy function (if present).
• Privacy of signaling information (e.g., • DTMF digit insertion/extraction—The session
encryption of signaling path by IPSec or control function performs interworking
TLS) between DTMF telephone event packets and
• Signaling protocol harmonization and inter- signaling.
working—The session control function per- • Session admission control—The session con-
forms signaling interworking among protocols trol function is a policy enforcement point for
and protocol implementations. Examples policies such as network bandwidth, session
include call management server signaling capacity, and session rate. Admission control
(CMSS) and SIP, H.323 and SIP, SIP to SIP–T/I, policies may be maintained locally by a local
and 3GPP and non–3GPP SIP. The B2BUA in policy decision function or alternatively by an
the session control function ensures that differ- external policy decision function. Policy inter-
ent SIP implementations by different vendors at action is the role of the resource/bandwidth
the two ends of the SBC are harmonized. control function.
• Protocol verification and repair—Verification • Bandwidth and resource allocation—The ses-
of the integrity of incoming signaling messages sion control function derives the required band-
is performed by session control function. In width values and media resources from the
addition, the session control function verifies SIP/session description protocol (SDP) mes-
and repairs basic signaling syntax. sage and passes the information to the
• NAPT (near-end)—NAPT is required at the resource/bandwidth control function. If there
service-provider edge to traverse address are insufficient bandwidth and/or media
domain boundaries, perform media relay, and resources available, the reservation is rejected
hide network topology. The session control and the session control function may attempt an
function instructs the media control function alternate route or send the appropriate SIP mes-
(via resource/bandwidth control) whether the sage to the originator to reject the session
address (and optionally port) translation is request. If the resource/bandwidth control func-
required. Based on the response from the media tion determines that there are sufficient
control function (detailing the appropriate resources, the reservation is accepted, the ses-
address/port translations), the session control sion request is allowed, and the appropriate
function modifies SIP messages accordingly. media resources are allocated in the media con-
• NAPT and NAT/firewall (FW) traversal (far- trol function.
end)—Far-end NAT traversal requires the close • Session accounting—Accounting functions are
coordination between the session control and included in SBC session control function for
media control functions. For traversal of signal- generating call detailed records (CDRs).

314
 Mallik Tatipamula, Sohel Khan, and Kevin Klett

• Session-based routing—The session control • Signaling DoS protection—The SF classifies

function contains a SIP proxy to route SIP mes- signaling traffic based on dynamic trust binding
sages. Session based routing utilizes a combi- and enforces associated security policies.
nation of local routing policies, telephone num- • Signaling flow policing—Signaling traffic is
ber mapping (ENUM) and domain name server policed at the individual flow level and the
(DNS). aggregate level based on trust class.
• Load-related services—The session control • Encryption—The SF supports encryption and
function may perform message rate throttling decryption resources for signaling and media
when the network is congested or load balanc- (i.e., IPSec, TLS, secure real-time transport
ing when it sends messages to multiple protocol [SRTP]).
upstream/downstream servers. The session con-
trol function may perform load balancing to Media Functions
multiple IP functions. • Firewall media pinhole control—The media
• Call statistics—The session control function control function opens and closes pinholes (or
collects various call-signaling statistics to gates) for media streams on a per-session basis.
determine and manage call capacity and rate The session control function inspects the sig-
performance. naling messages and instructs the media control
• Lawful intercept—The session control function function to open and close pinholes via the
incorporates a signaling intercept access point resource/bandwidth control function.
for lawful intercept. • NAPT and NAT/FW traversal—The media
• Emergency services—The session control func- control function performs IPv4–IPv4,
tion provides emergency session (e.g., enhanced IPv4–IPv6, and IPv6–IPv6 address mediation,
911 [E911]) handling and priority processing of translation of IP address of port numbers
emergency telecommunications service (ETS) (NAPT) in both direction, implementation of
calls and government ETS (GETS). NAT/FW traversal, and media relay function.
This ensures Layer 3 privacy by hiding network
Resource Policy Functions address and topology. Address translation is
• Bandwidth policy control—The resource/band- also the means by which media may be
width control function is responsible for mak- anchored to this QoS and security demarcation
ing policy decisions regarding bandwidth reser- point.
vation and allocation when interrogated by the • Bandwidth allocation and modification—The
session control function. Bandwidth policies media control function allocates and modifies
may be maintained locally or via an external media resources as instructed by the
policy manager. resource/bandwidth control function. It also
• Session-based policy control—The informs the higher-layer functions about the
resource/bandwidth control also makes policy reservation’s status.
decisions regarding session capacity and ses- • Rate limiting—The media control function per-
sion rate. Policies may be applied at the level of forms rate limiting, either on an aggregate or
user endpoint or upstream/downstream signal- per-flow basis.
ing element. • Differentiated services code point (DSCP)
• Media gate and NAPT control—The marking—The media control function performs
resource/bandwidth control function includes marking and re-marking of IP packets and pro-
support for controlling the opening and closing vides priority as per DSCP under the control of
of media bindings (gates) in the media control resource/bandwidth control function.
function. Gate control also compasses elements • Virtual local-area network (VLAN) tagging—
of media NAPT and NAT traversal functions. The media control function performs 802.1q
VLAN tagging as instructed by the
Security Functions resource/bandwidth control function.
• Access control—Static and dynamic access • Data DoS protection—The media control func-
control lists are enforced by the SF. tion performs data DOS protection by ensuring

315
The Role of Session Border Controllers in Next-Generation IMS–Based Networks

only authorized flows are allowed to traverse session control function via bandwidth/resource
the boundary. All other flows are filtered com- control. Media streams are replicated, encapsu-
pletely. lated, and forwarded to lawful intercept media-
• DSP services—The media control function sup- tion systems.
ports DSP–based services such as codec inter- • Status notification—The media control func-
working (transcoding). DSP service negotiation tion notifies session control function about crit-
is normally done between endpoints, but in ical status changes such as resource shortage or
some cases, transcoding may be required at the performance degradation. This is a part of the
network boundary. operations, administration, and management
• Media supervision—The media control func- (OAM) function.
tion supervises each media flow and, in the
event of a media fault (e.g., inactivity timer), SBC Functional Decomposition
notifies the session control function to termi-
nate the session. Although current SBCs in networks are single
• Dual-time multifrequency (DTMF) digit han- devices, SBC functions can be implemented either in
dling—The media control function performs composed/decomposed fashion or centralized/
interworking between DTMF event types. distributed fashion. In the composed model, all four
Interworking of audio DTMF–to–request for SBC functions reside in a single network element, as
comment 2833 (RFC2833) is supported. in Figure 2. The simplest form of decomposition
Interworking of in-band DTMF events and out- involves splitting the media function component
of-band signaling events is performed in con- from other functions across two network elements
junction with the session control function. described here, and depicted in Figure 3 as the ses-
• Lawful intercept—The media control function sion controller (SC) and the BG.
supports media intercept under the control of the

Figure 3: Decomposed SBC Model

316
 Mallik Tatipamula, Sohel Khan, and Kevin Klett

There can be a 1:1 relationship or m:n relationships • Local PDF and security PDF (SPDF)—
between SCs and BGs. In [1], definitions of these Provides resource and admission control func-
deployments and their merits are presented. SCs tions locally or through an external PDF via the
communicate with BGs with a vertical protocol. As Gq/Rq interface
proposed, H.248 is used between SCs and BGs. • Access/core BG function (A–BGF)—IP pack-
However, a standard vertical protocol needs to be et-to-packet gateway functions, including gate
developed for smooth operation between SCs and management, NAT/NAPT, transcoding, and
BGs. Depending on traffic scale and functions lawful intercept
required, providers deploy SBCs either in com-
posed or decomposed entities. SBC functions can The interconnect SBC addresses the requirements
also be distributed among various network func- at the boundary where service provider networks
tions and components. For example, various exist- interconnect or “peer.” TISPAN functions satisfied
ing IMS functions can complement various SBC by the interconnect SBC include the following:
functions. IMS functions can be extended to absorb
many of the missing SBC functions required by • Interconnect border control function (IBCF)—
providers. Alternatively, SBC functions can be Provides key security, routing, and admission
enhanced to perform IMS functions. control functions at the interconnect border.
The I–CSCF could also be part of the intercon-
The Role of SBCs in TISPAN–Based Wireline Networks nect border controller in some situations.
• IWF—Provides protocol normalization and
The access SBC satisfies the requirements at the interworking (SIP–SIP, SIP–H.323)
border where subscribers access the IMS core. • Interconnect BG function (I–BGF)—IP packet-
TISPAN functions satisfied by the access SBC to-packet gateway functions including gate
include the following: management, NAT/NAPT, transcoding, and
lawful intercept.
• Proxy call-state control function (P–CSCF),
B2BUA, and interworking function (IWF)— Figure 5 depicts the functional mapping of SBC
Provides key security, interworking, and proxy functional elements to IMS functions in the decom-
functions for both consumer and business serv- posed SBC model.
ices at the access network edge

Figure 4: TISPAN Architecture and SBC [2]

317
The Role of Session Border Controllers in Next-Generation IMS–Based Networks

Figure 5: SBC–TISPAN Functional Mapping

The Role of SBCs in 3GPP Wireless IMS Networks One addition in SBC functionality for wireless
environments is the addition of security gateway
This section describes how the SBC function fits (SEG) functionality for securing signaling informa-
onto the IMS–defined functional architecture and tion. If the UE uses its RAN interface, a secure tun-
how this architecture is evolving to handle the nel can be created between the P–CSCF and the
increasing requirements. This section describes the core CSCF network using a SEG on each end.
differences between the function required on the Typically, this tunnel is used to encrypt signaling
access and network or interconnect and the set of traffic between a visited P–CSCF and the home
IMS functions that may be combined into an I–CSCF/S–CSCF of the UE, but a provider has the
IMS–targeted access or network/interconnect SBC. option of encrypting this Za interface even when all
CSCF functions reside in the home network.
Access SBCs
When the UE uses the WLAN interface, it is now
For the user network interface (UNI), the session interfacing the 3GPP/IMS network in the PS
border controller can provide different functions domain, and additional security steps must be
depending upon whether the user equipment (UE) taken. First, all bearer and signaling traffic is
uses a radio access network (RAN) or wireless securely tunneled using IPSec from the UE to the
LAN (WLAN) interface. The RAN is typically in PDG via the Wu interface. In addition, the SIP sig-
the circuit-switched (CS) domain, and the WLAN is naling along the Gm interface between the UE and
always in the packet-switched (PS) domain. A UE the P–CSCF is secured using an additional IPSec
may be RAN–only, dual-mode RAN and WLAN, or tunnel. This latter signaling security is required for
WLAN–only. An SBC can be used in both RAN the SBC, whereas the former PDG security can be
and WLAN environments. implemented in a GGSN/PDSN, an SBC, or WLAN
access gateway (WAG).

318
 Mallik Tatipamula, Sohel Khan, and Kevin Klett

Figure 6: SBCs in 3GPP Architecture in CS Domains

Figure 7: SBCs in 3GPP Architecture in PS Domains

319
The Role of Session Border Controllers in Next-Generation IMS–Based Networks

On the UNI, the set of IMS functions providing ses- SBC Functions Not Addressed by 3GPP and TISPAN
sion border controller depends on the access
method. The following diagram shows how the Neither 3GPP nor TIPSAN architecture have yet to
IMS functions could be combined to build a single satisfy all the border requirements associated with
box SBC for Release 6 and Release 7 network delivering multimedia services. Examples of these
access. requirements include the following:

Network SBCs • DoS/distributed DoS (DDoS) protection for

SBC and IMS core elements
The SBC–related functions in the network or inter- • Interactive connectivity establishment
connect have a similar architecture to the access (ICE)/traversal using relay NAT (TURN)/sim-
side. Figure 8 presents a high-level architecture dia- ple traversal of user datagram protocol (UDP)
gram showing how network border control func- through NAT (STUN) support on access SBC
tions fit into the IMS architecture. • Overload protection for IMS core elements
• Configurable policies on the SBC

Table 1: IMS Functions and Access SBC Feature Mapping

320
 Mallik Tatipamula, Sohel Khan, and Kevin Klett

Figure 8: 3GPP IMS View of Interconnect or Network (NNI) SBC [3]

Table 2: IMS Functions and Network SBC Feature Mapping

• Constraint-based admission control: num- • Limit number of inbound and outbound

ber of sessions, session rates, bursts, etc. sessions per device
• Session load balancing and route hunting • Destination code gapping
• Session signaling rate limiting (“call gap- • 911 exceptions and prioritization
ping”) • Enterprise-related functions

321
 The Role of Session Border Controllers in Next-Generation IMS–Based Networks

• Registration of aggregate endpoints— assurance and QoS, QoS theft protection, regulato-
SBCs may register on behalf of aggregate ry support, and law enforcement. Current IMS
non-registering endpoints such as IP private functions lack many of these features required by
branch exchanges (PBXs) and customer- providers. Functional comparisons of commercially
premises equipment (CPE) GWs, thus the available SBCs with IMS components show that
delivery allows IMS services to endpoints SBCs—with IMS function integration—are poten-
that do not explicitly register with the tial candidates to be used as IMS networks’ border
S–CSCF entities and eliminate the need for separate IMS
• H.323–SIP IMS interworking— components such as P–CSCF, I–CSCF, and PDF.
Interworking the SIP IMS core (Mw inter-
face) with H.323 for connectivity with a SBCs functional decomposition aids providers to
variety of legacy access GWs such as deploy session controller and BGs separately in line
IP–PBXs with providers’ scaling requirement. However, the
• SIP IP Centrex service support vertical interface between session controllers and
• VPN bridging/overlapping IP address BGs is not yet matured. Further study is needed to
domain mediation—Necessary functions define an interface protocol between session con-
include 802.1q VLAN aggregation and trollers and BGs. This paper discussed the role of
mediation and support for mediating over- SBC functions in IMS networks and a functional
lapping IP address domains comparison of SBCs and IMS functions.
• Border transcoding
• Wireless-wireline Reference
• Wireline-wireline
[1] Sohel Khan et al.,”SPEERMINT Peering Architecture,”
draft-khan-ip-serv-peer-arch-03, February 2007, IETF,
Conclusion Internet Society.
[2] 3GPP–ETSI TISPAN workshop, March 2005.
SBCs enhance providers’ networks by facilitating [3] 3GPP TS 23.228 “IP Multi-media System: Stage 2,”
Release 7.
border security, service reach maximization, service

322

View publication stats