
Session Border Control

Scalable Session Border Control Capabilities for Service Provider Networks

Voice over IP (VoIP), video streaming, instant messaging, multimedia conferencing, and interactive gaming are just some of the real-time, IP-based applications enjoying rapid growth in today's competitive communications market. Service providers are now finding it efficient and economical to directly interconnect their IP networks to both customer and other service provider IP networks. This trend has created a requirement for session border controllers (SBCs) to help service providers control and manage real-time multimedia communications sessions at the borders between their IP networks. This white paper explores the various ways service providers are deploying SBC capabilities in their networks, and discusses the Cisco® portfolio of network components with integrated SBC functions.

Business Challenges

In the early days of VoIP, packet voice networks existed in isolation from one another, interconnecting primarily to the public switched telephone network (PSTN) to complete off-network calls. Eventually, VoIP service providers sought to establish direct peering relationships between their networks, and to do so they installed back-to-back time-division multiplexing (TDM) media gateways as bridges between their separate VoIP "islands." Although this architecture was functional, it introduced new problems because the repeated voice encoding and decoding at the media gateways reduced voice quality.
The session border controller (SBC) was introduced to replace the back-to-back media gateway pairs and allow native IP interconnects between VoIP networks. Early SBCs focused solely on voice, controlling and managing real-time VoIP sessions at the borders between IP networks. The SBC reduced TDM interconnects, improving voice quality and minimizing operational expenses, while interconnecting IP networks in a secure, accountable and fair manner.
Although SBCs were initially designed for VoIP communications because these types of sessions generated the most revenue for service providers, their utility is equally applicable to other types of real-time communications over IP, such as video, interactive gaming, and multimedia conferencing. Because they sit at the edge of a network, SBCs are ideally situated to address the security, interworking, and quality-of-service (QoS) challenges of interconnecting disparate networks supporting any real-time communications services.
While SBCs were gaining acceptance among VoIP carriers, the Third-Generation Partnership Project (3GPP) consortium of mobile wireless operators and vendors developed the IP Multimedia Services (IMS) architecture to standardize the delivery of multimedia services over both the cellular world and IP networks. IMS uses open, standards-based protocols such as Session Initiation Protocol (SIP) to allow service providers to control and distribute multimedia services independent of the access network or end-user device. Originally conceived with wireless networks in mind, IMS and its session control and signaling infrastructure are also being adopted by standards bodies in the wireline (i.e., TISPAN) and cable (i.e., CableLabs®) markets. IMS incorporates SBC functions in a distributed manner across several functional elements of the IMS architecture at access aggregation points and for interconnection to other IP carriers.
The services promised by IMS - along with other non-IMS real-time services such as IP video - are placing greater requirements on SBCs to manage real-time communications sessions combining voice, video, and data services. These challenges notwithstanding, SBCs will allow service providers to tap a multitude of new revenue streams while reducing overall network expenditures. Most of the technical challenges for VoIP network peering have been solved; now the question is how to profitably and securely scale IP networks to support a broad range of multimedia services.

The Role of the SBC

Today's SBCs must allow operators to scale a wide range of applications over networks whose peer connections are increasing in size, number, and complexity. SBCs must also provide comprehensive network security and provide a way for service providers to monetize services running across their networks. Operators must comply with regulatory directives regarding lawful session interception as well as honor service-level agreements (SLAs) with peers and customers. SBCs sit at a variety of places in the network, including the edge of service providers' IP networks as well as the boundaries of enterprise converged networks, and they provide a point of demarcation for interconnection to other IP networks. SBCs perform a variety of functions in managing both the signaling and media paths for a multimedia session, and typically include most or all of the following capabilities:

Connectivity

SBCs provide Network Address Translation (NAT) at the edge of the service provider's IP network to transmit media across network boundaries while hiding network address information from other "untrusted" networks. SBCs also perform signaling translation and interworking between the protocols in use in IP networks, including SIP, H.323, Media Gateway Control Protocol (MGCP), H.248, and others.

Security

SBCs perform a variety of security functions, including signaling and media firewalls, network topology hiding, authentication, denial-of-service (DoS) prevention, and signal and media encryption termination.
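The topology hiding named above, together with the address hiding described under Connectivity, is sketched below as an added example; it is not Cisco code and not from the original paper. The SBC addresses, the RFC 1918 definition of "internal", and the helper names are assumptions, and the INVITE is a constructed sample.

```python
import ipaddress
import re

# Assumptions: RFC 1918 space is internal; SBC addresses are placeholders.
INTERNAL_NETS = [ipaddress.ip_network(n)
                 for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
SBC_SIG, SBC_MEDIA = "203.0.113.10", "203.0.113.11"
IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")

# Constructed sample: INVITE leaving the provider core toward an untrusted peer.
SAMPLE_INVITE = "\r\n".join([
    "INVITE sip:+15550100@peer.example.net SIP/2.0",
    "Via: SIP/2.0/UDP 10.20.1.5:5060;branch=z9hG4bKcore1",
    "Via: SIP/2.0/UDP 10.20.7.44:5060;branch=z9hG4bKua77",
    "Record-Route: <sip:10.20.1.5;lr>",
    "From: <sip:alice@provider.example.com>;tag=1928",
    "To: <sip:+15550100@peer.example.net>",
    "Call-ID: a84b4c76e66710@10.20.7.44",
    "CSeq: 1 INVITE",
    "Contact: <sip:alice@10.20.7.44:5060>",
    "",
    "v=0",
    "o=alice 2890844526 2890844526 IN IP4 10.20.7.44",
    "s=-",
    "c=IN IP4 10.20.7.44",
    "t=0 0",
    "m=audio 49170 RTP/AVP 0", "",
])


def internal_addresses(text):
    """Return the sorted set of RFC 1918 IPv4 addresses visible in text."""
    hits = set()
    for cand in IPV4.findall(text):
        try:
            addr = ipaddress.ip_address(cand)
        except ValueError:  # dotted quad with an octet above 255
            continue
        if any(addr in net for net in INTERNAL_NETS):
            hits.add(cand)
    return sorted(hits)


def hide_topology(message, branch="z9hG4bKsbc0001"):
    """Rewrite an outbound request; return (rewritten, removed Via stack)."""
    head, _, body = message.partition("\r\n\r\n")
    first, *headers = head.split("\r\n")
    out, saved_vias = [first], []
    for line in headers:
        name, _, value = line.partition(":")
        key = name.strip().lower()
        if key in ("via", "v"):
            if not saved_vias:  # one SBC Via replaces the whole internal stack
                out.append(f"Via: SIP/2.0/UDP {SBC_SIG}:5060;branch={branch}")
            saved_vias.append(value.strip())  # SBC state for routing responses
        elif key in ("contact", "m"):
            user = re.search(r"sips?:([^@>;]+@)", value)
            out.append(f"Contact: <sip:{user.group(1) if user else ''}{SBC_SIG}:5060>")
        elif key in ("call-id", "i"):  # host part may carry an internal IP
            out.append(f"Call-ID: {value.strip().split('@')[0]}@{SBC_SIG}")
        elif key != "record-route":  # internal proxies stay invisible
            out.append(line)
    # SDP: point origin and connection addresses at the SBC media relay.
    body = re.sub(r"(?m)^(o=.* IN IP4 |c=IN IP4 )\S+", rf"\g<1>{SBC_MEDIA}", body)
    return "\r\n".join(out) + "\r\n\r\n" + body, saved_vias
```

Running `internal_addresses` over every message leaving the border is a cheap regression check that no new header or SDP attribute has started leaking core addresses.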

Policy Enforcement and QoS Control

SBCs support Call Admission Control (CAC) to control resource utilization policies so that the network can make an informed decision concerning available bandwidth before a voice or video session is established. SBCs often support type-of-service (TOS) marking or other class-based weighted queuing to ensure prioritization of the different types of real-time multimedia sessions. SBCs can also track per-session QoS metrics (for example, packet delay, loss, and jitter) and enable per-session policies.
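The admission decision described above can be sketched as follows. This is an added example, not Cisco code and not from the original paper; the per-codec planning rates, the fallback budgets, the link capacity, and the `AdmissionController` helper are assumptions, and the SDP offers are constructed samples.

```python
import re

# Assumed planning rates in kbit/s per direction, including IP/UDP/RTP headers
# at 20 ms packetization, keyed by static RTP payload type.
CODEC_KBPS = {"0": 80, "8": 80, "18": 24}          # PCMU, PCMA, G.729
MEDIA_DEFAULT_KBPS = {"audio": 80, "video": 768}   # assumed fallback budgets

# Constructed SDP bodies used as sample offers.
G711_OFFER = "v=0\r\nc=IN IP4 192.0.2.1\r\nm=audio 40000 RTP/AVP 0 8\r\n"
G729_OFFER = "v=0\r\nc=IN IP4 192.0.2.1\r\nm=audio 40002 RTP/AVP 18\r\n"
VIDEO_OFFER = (G711_OFFER +
               "m=video 40004 RTP/AVP 96\r\nb=AS:512\r\na=rtpmap:96 H264/90000\r\n")


def session_kbps(sdp):
    """Worst-case bandwidth the offered session may use, from its SDP."""
    total = 0
    for section in re.split(r"(?m)^(?=m=)", sdp)[1:]:
        m = re.match(r"m=(audio|video) \d+ \S+ (.*)", section)
        if not m:
            raise ValueError("unsupported or malformed m= line")
        explicit = re.search(r"(?m)^b=AS:(\d+)", section)
        if explicit:                       # offerer declared a ceiling
            total += int(explicit.group(1))
            continue
        fallback = MEDIA_DEFAULT_KBPS[m.group(1)]
        total += max((CODEC_KBPS.get(pt, fallback) for pt in m.group(2).split()),
                     default=fallback)
    return total


class AdmissionController:
    """Tracks reserved bandwidth on one peering link (hypothetical helper)."""

    def __init__(self, link_kbps):
        self.link_kbps = link_kbps
        self.reserved = {}                 # Call-ID -> kbit/s held

    def admit(self, call_id, sdp):
        """Decide before the session is set up; a re-offer replaces the old hold."""
        try:
            need = session_kbps(sdp)
        except ValueError:
            return False                   # fail closed on SDP we cannot size
        in_use = sum(v for k, v in self.reserved.items() if k != call_id)
        if in_use + need > self.link_kbps:
            return False
        self.reserved[call_id] = need
        return True

    def release(self, call_id):
        """Call on BYE or session timeout so capacity is not leaked."""
        self.reserved.pop(call_id, None)
```

Sizing each audio stream by the most expensive codec it offers keeps the budget safe whichever codec the answerer picks.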

Regulatory

SBCs support the lawful-intercept requirements of national regulators by directing the media path under lawful surveillance to the appropriate law enforcement agencies. In supporting E911, the SBC can determine the necessary information about the originating caller and forward it to the emergency service provider.

Billing

SBCs support authentication, authorization, and accounting (AAA) to extract session detail information for use in billing and call-detail-record (CDR) normalization. Billing for individual sessions allows service providers to monetize their investment in the network.

SBC Deployment Approaches in Service Provider Networks

SBC capabilities, deployed at IP network boundaries, manage real-time multimedia traffic flows between IP networks. The precise function of a given SBC will vary, depending on the types of networks it interconnects. For example, an SBC between a service provider and a managed enterprise VoIP network may not need to perform protocol interworking, whereas a service provider-to-service provider peering SBC may. Service providers differ in how they use SBCs to scale and secure their networks. Following are three typical SBC deployment scenarios and the challenges each presents (Figure 1).

Figure 1. SBC Network Peering Points

Service Provider-to-Service Provider Interconnect

One of the first commercial VoIP applications involved service providers bypassing TDM toll charges by handing off calls to other IP-based networks on a commercial basis or as peering partners. At the time, the vast majority of local-to-long distance carrier voice call handoffs were TDM-based, and many "pure-play" VoIP carriers arose offering highly reduced tariffs for international calls. These carriers deployed SBCs to interconnect with other next-generation carriers using VoIP and the H.323 signaling protocol. With the increasing adoption of VoIP transit by traditional carriers as well as the increasing number of broadband operators offering consumer VoIP and enterprise IP telephony services, it is no longer just the pure-play VoIP carriers interconnecting over IP. As a result, TDM interconnects are decreasing as these carriers increasingly interconnect their IP networks directly. Furthermore, many of the current H.323 VoIP networks operating must interconnect to the growing number of VoIP networks architected around SIP and IMS.

Service Provider-to-Enterprise Peering

With the rapid enterprise adoption of IP private branch exchanges (IP PBXs) and the integration of voice, video, and data onto converged enterprise IP networks, service providers are deploying SBC functions at the edge of their network to support direct IP interconnects to their enterprise customers. Some of the services that SBCs enable these providers to offer include: SIP trunking services; VPN services that connect multiple independent customers, each with multiple sites in their VPN; and enterprise-to-hosted IP telephony services. The benefits to enterprises and small and medium-sized business (SMBs) include a reduction in costs and transmission latency by eliminating unnecessary IP-to-TDM and TDM-to-IP conversions. The benefit to service providers is the opportunity for new revenue from the enterprise and SMB segments, such as the managed SIP trunking service illustrated in Figure 2. Furthermore, emerging enterprise applications like Telepresence - which combines rich audio, high-definition video, and interactive elements to deliver a unique, "in-person" meeting experience - are examples of new real-time collaborative communications services that will place ever-increasing demands on service provider networks for pervasive quality of service, high availability and secure IP interconnections between their IP transport networks and their enterprise customers' converged IP networks. Because service providers have little control over the signaling protocols their customers choose, they must deploy SBCs to enable protocol interworking between different enterprises, and between the enterprise and the service provider.

Figure 2. Service Provider-Managed SIP Trunking Service

Service Provider-to-Residential Interconnect

With the advent of PacketCable™ VoIP systems, IP-based DSL access multiplexers (DSLAMs), and broadband loop carriers and Class 5-capable soft switches, VoIP services have rapidly spread to access networks serving residential users. With the increased bandwidth provided by advanced cable, DSL, and passive-optical-network (PON) systems, service providers have also begun to offer a richer set of consumer multimedia services beyond VoIP such as IP-based television, IP video on demand, interactive gaming, video telephony, bandwidth on demand, and set-top box (STB) integrated communication services such as Caller ID on TV. Such a suite of capabilities is opening up significant new revenue sources for broadband operators. For this myriad of new services, the SBC in the access network must facilitate NAT and firewall traversal to subscribers' multiple consumer electronics devices such as personal computers, gaming consoles, smart phones, dual-mode handsets, IP set-top-boxes, and digital media players. Intense competition for consumers' profit share will ensure that IP-based services in the access network will continue to grow in number and diversity.

Deployment Options

Standalone Appliance vs. Integrated Network Component

Early deployments of SBCs were based on an overlay model where SBC devices were inserted into the network alongside and connected to network peering routers. Voice traffic was mapped through the peering router to an exit interface that connected to the SBC, which performed functions such as NAT traversal, and then forwarded the traffic back to the peering router for routing toward its intended destination. Although this model has worked, it requires more footprint in the telecom rack for the SBC "appliance" and the added expense of interface transceivers to pass traffic back and forth between the peering router and the SBC. The SBC appliance must also be provisioned and managed separately from the peer router.
Newer implementations integrate the SBC function within the peering router with significant benefits. First, provisioning is simpler because the SBC function and the peering router use the same management interfaces. Second, an SBC that is integrated into the network router takes no additional space in the equipment rack. Furthermore, the operator no longer needs to dedicate expensive optical interfaces simply to route traffic from the peering router to the SBC and back again - all traffic is now contained within the peering router. Most importantly, the SBC can now communicate directly to router line interface cards to implement additional functions, such as mitigating SBC-targeted DoS attacks by directing ingress line interfaces to drop offending packets. In addition, the integrated SBC can take advantage of advanced QoS, reliability, and failover capabilities inherent in carrier-class routers (refer to Figure 3).

Figure 3. Standalone Appliance vs. Integrated Network Component Approach for SBC

Only integrated SBCs can provide the scalability demanded by the growth of service provider-to-enterprise peering, service provider-to-residential access networks, and the continued increase of service provider-to-service provider interconnections. As peering points increase, operators will simply not be able to afford the exponential expense of superfluous transceivers, increased power and cooling requirements, and more complex management for standalone SBC appliances. Furthermore, service providers can lower costs and complexity by incrementally adding SBC services capabilities to their already installed footprint of IP network routers.

Unified vs. Distributed Functions

SBC functions can be broadly divided into two logical subelements: signaling path border element (SBE) and data path border element (DBE). The SBE provides signaling functions such as protocol interworking (for example, H.323 to SIP), identity and topology hiding, and CAC. The DBE provides media-related functions such as deep packet inspection and modification, media relay, and firewall support under SBE control. To date, the SBE and DBE logical elements have generally been realized within a single, physical SBC device. This model is referred to as unified (refer to Figure 4).

Figure 4. The Unified SBC Model

However, many carriers are finding that as their voice networks grow, the challenges of managing the networks grow proportionately. Service providers today want the option to decouple SBC data-path functions from signaling functions. They want to be able to distribute SBE functions in the network separately from the DBE element to simplify management, operations, and troubleshooting. In this distributed model, communication between the SBE and DBE takes place over a well-defined standard, such as ITU-T H.248 adopted in IMS, which allows a multiplatform implementation of the SBE and DBE elements in the network. The distributed approach to SBCs is in alignment with the directional approach of IMS, ITU, and TISPAN architectures where the SBE functionality can be provided by a variety of different elements and applications in the network (refer to Figure 5).
A flexible network component with integrated SBC supports both the unified and the distributed model. Networks continually grow and evolve, and a multimedia IP transport network that scales adequately today with a unified SBC will likely outgrow the unified model and necessitate a distributed approach. Operators want SBCs that can grow with their networks - they do not want to make capital-intensive complete equipment upgrades of in-service network elements.

Figure 5. Distributing the SBE and DBE Functions of Session Border Control

Cisco Solutions for Session Border Control

The Cisco IP Next-Generation Network (IP NGN) architecture enables service providers to plan and develop their network architectures and successfully transition to new IMS and non-IMS multimedia service opportunities. The Cisco IP NGN architecture focuses around three primary areas of convergence: an application layer that interfaces with the customer; a secure network layer that delivers the services; and in between, a service control layer that orchestrates the delivery, operations, features, and billing of the service itself. Within the service control layer of the Cisco IP NGN architecture, Cisco has developed the Service Exchange Framework (SEF), a set of enabling technologies that allow service providers to effectively control and optimize the delivery of multimedia services while adding mobility, presence, and innovative subscriber-aware capabilities. When the Cisco SEF is deployed with intelligent network layer solutions from Cisco, service providers can effectively address a variety of concerns that confront next-generation networks today - policy management, traffic optimization, mobile service management, security, and fixed-mobile convergence.
Cisco's integrated SBC capabilities are a critical element of the Cisco SEF. Cisco has a comprehensive portfolio of network platforms that transparently integrate the SBC function into the Layer 2 and Layer 3 services of the routers - and eliminate the need for overlay networks of standalone SBC appliances. Cisco offers a broad portfolio of router-based SBCs, ranging from the Cisco Integrated Services Routers for SMB and enterprise networks, through the Cisco 7600 Series service provider edge router and up to the Cisco XR 12000 Series core carrier network router (refer to Figure 6).

Figure 6. Cisco Session Border Controller Portfolio

Cisco's open and flexible architecture for SBC deployments optimizes IP interconnections of all types: service provider-to-service provider peering, service provider-to-access network border control, and service provider interconnection to their enterprise customers at the edge. Cisco supports both unified and distributed SBC signaling deployment approaches. Cisco SBCs provide extensive flexibility to both large and small service providers building IP next-generation networks. Support for SIP, H.248, and other signaling protocols paves a path for building future IMS architectures on existing Cisco transport networks.
The modular design of the Cisco integrated network platforms allows network operators to cost-effectively scale SBC functions for their multimedia IP networks by adding additional capacity only as needed. Service providers further benefit by deploying an SBC that is integrated within a network component - exploiting common power, cooling, and switching fabric systems - rather than deploying a nonintegrated, standalone SBC device.
The integrated Cisco SBC also simplifies provisioning and operations. It is managed by existing command-line interfaces and management systems, and does not require a separate management interface for the peering router and the SBC functions. The tight integration between the SBC function and Layer 2 and Layer 3 services allows operators to map customer VPNs through the peering point without having to additionally map the VPNs out an interface on a VLAN to an external SBC.
Cisco's portfolio of network components with integrated SBC functions uses Cisco IOS® Software and Cisco IOS XR Software to enable numerous service possibilities for network operators. With the integration of SBC capability in high-end core routing products such as the Cisco 7600 and Cisco XR 12000 Series, Cisco gives providers a graceful upgrade path for their installed base of routers as they transition toward a converged Cisco IP NGN infrastructure.

Conclusion

The rapid increase in service provider, enterprise, and residential VoIP interconnects has multiplied the number of network boundary points that SBCs need to support. Furthermore, emerging IP-based multimedia applications are beginning to offer a growing revenue stream for service providers, new and exciting personalized online services for consumers, and leading-edge productivity tools for business enterprises. Only integrated SBCs will equip service providers with the necessary management and control capabilities that can scale to meet the explosive growth in subscribers who will access these new multimedia services across any network - wireless, wireline, and cable. As part of the Cisco Service Exchange Framework of service delivery and control technologies, the Cisco integrated SBC helps service providers meet the needs of their growing, dynamic, IP-based multimedia networks.
For more information about the integrated Cisco Session Border Controller, please visit the following: