See discussions, stats, and author profiles for this publication at: https://www.researchgate.

net/publication/343968886

The Role of Session Border Controllers in Next-Generation IMS-Based Networks

Article · December 2006

CITATIONS READS
0 978

1 author:

Mallik Tatipamula
Ericsson
64 PUBLICATIONS   686 CITATIONS   

SEE PROFILE

Some of the authors of this publication are also working on these related projects:

SDN controller assignment View project

SURFnet View project

All content following this page was uploaded by Mallik Tatipamula on 29 August 2020.

The user has requested enhancement of the downloaded file.


The Role of Session Border Controllers
in Next-Generation IMS–Based Networks
Mallik Tatipamula
Vice President, Strategy and Planning
Juniper Networks
Sohel Khan
Principal Technology Strategist
Sprint
Abstract
Session border controllers (SBCs) are border
devices widely deployed in telecommunications
next-generation voice over Internet protocol (VoIP)
and multimedia networks to provide critical func-
tions across the following major control areas: bor-
der security, service reach maximization, service
assurance and quality of service (QoS), QoS theft
protection, regulatory support, and law enforcement.
Some IP multimedia subsystem (IMS) border func-
tions and critical functions not yet addressed by the
standards bodies are realized by SBCs.
Nevertheless, some of the SBC functions comple-
ment IMS functions. We are beginning to see
deployment of SBCs in IMS–based next-genera-
tion networks (NGNs).
This paper provides an overview of SBC functions
and their deployment scenarios, the role of SBC
functions in IMS networks, and a functional com-
parison of SBCs and IMS functions.
Introduction
With the proliferation of real-time interactive sig-
naling protocol such as session initiation protocol
(SIP) to provide IP–based voice, video, or multi-
IEC Annual Review of Communications, Vol. 59
Kevin Klett
Vice President, Product Management
Acme Packet, Inc.
media services, providers need to protect their IMS
network through some border control functions.
These functions guarantee security, service reach,
service assurance, resource protection, and inter-
working of incompatible signaling protocols. In
addition, these functions enable regulatory and law
enforcement services. IMS standards either com-
plement or lack some of the SBC functions.
Providers deploy SBCs depending on the IP–IP net-
work border such as between an end customer and
an access network (SBC–customer-premises edge
[SBC–CE]), between an access network and a core
network, and between two core networks. These
SBCs are, respectfully, customer-premises edge
(SBC–CE), SBC network edge (SBC–NE), and SBC
network core (SBC–NC). Figure 1 depicts these
SBC deployment scenarios in an IMS/MMD–based
wireless network, with SBC–NE called an access
SBC and network core or peering SBC (SBC–NC)
an interconnect SBC. Depending on the network
border, SBC functions differ slightly.
SBCs provide the functions needed to interconnect
these carrier and access networks and provide the
following service provider benefits:
• Ensures security of provider’s service infra-
structure and customer privacy by denial of
311
The Role of Session Border Controllers in Next-Generation IMS–Based Networks
Figure 1: SBC Deployment Scenarios in a Wireless Network
service (DoS) protection, access control, topol-
ogy hiding and privacy, virtual private network
(VPN) separation, service infrastructure DoS
prevention, and fraud prevention
• Overcomes network barrier by network address
translation (NAT) traversal, VPN bridging, sig-
naling mediation, protocol normalization, and
transcoding
• Guarantees capacity and quality on congested
or oversubscribed access links/networks
• Enables service provider to deliver and report
on SLAs
• Ensures service quality by performing admis-
sion control, bandwidth policing and QoS
marking, traffic shaping, and load balancing
• Increases service reach by interworking incom-
patible signaling protocols
• Satisfies emerging law enforcement and emer-
gency service requirements
This paper first depicts four major SBC functions—
signaling, resource policy, security, and media—
then briefly describes SBC functional decomposi-
tion. Then, it addresses the role of SBCs in
Telecoms and Internet Converged Services and
Protocols for Advanced Networks (TISPAN)–based
312
wireline IMS network and third-generation partner-
ship project (3GPP)–based wireless IMS network.
Thereafter, it addresses SBC functions that are not
addressed by 3GPP and TISPAN. The paper then
comes to a conclusion.
SBC Functions
The SBC is comprised of the following four logical
functions:
• Signaling function—The session control func-
tion provides call signaling and session han-
dling, including session routing, protocol inter-
working, address translations, session layer
classification and policy enforcement, session
layer authentication, accounting and session
layer topology hiding, and privacy. The session
control function interfaces with the
resource/bandwidth control function for call
admission control policy enforcement and for
allocating/controlling media resources in the
media control function.
• Resource policy function—This functional ele-
ment is responsible for gate control and
resource allocation in the media control func-

Figure 2: SBC Functions
tion. It also performs policy management for
bandwidth and session capacity that are
enforced by the session control function. This
element may utilize local policies (e.g., local
policy decision function [PDF]) and/or inter-
face with external policy managers.
• Security function—This element’s principal
role is to protect the SBC from DoS and over-
load conditions and manage security associa-
tions (e.g., transport-layer security [TLS], IP
security [IPSec]) with adjacent elements and
endpoints. Other functions include enforcement
of IP layer access control lists, dynamic trust
classification of endpoints, signaling traffic
policing, and other functions required to protect
the SBC and the upstream service infrastructure.
• Media function—The media control function is
often referred to as the border gateway (BG)
and is responsible for opening and closing gates
for media streams, packet marking, media layer
network address port translation (NAPT),
media latching for hosted NAT traversal, band-
width policing, and optional transcoding. The
media control function is controlled by the
resource/bandwidth control function and vis-à-
vis the session control function.
Many of the higher-level SBC functions require
interaction among these logical components.
Mallik Tatipamula, Sohel Khan, and Kevin Klett
Signaling Functions
• Authentication and access control—The ses-
sion control function performs user/endpoint
authentication in conjunction with upstream
session control elements such as registrars. The
session control function also enforces static and
dynamic layer 5+ access control policies that
define trusted endpoints and adjacent service
elements (e.g., proxies).
• Firewall management—The session control
function inspects SIP messages to instruct the
firewall in the media control function to open
and close pinholes (for the media streams) and
apply bearer policy enforcement (i.e., rate lim-
iting) accordingly per flow.
• DoS and overload protection—DoS and over-
load protection is performed in conjunction
with the security front end. Capabilities include
the following:
• Access control and signaling packet filtering
• Deep packet inspection
• Dynamic endpoint trust binding
• Malicious source detection and isolation
• Local overload and congestion controls
• L5 traffic filtering (e.g., signature detection)
• Signaling rate policing (e.g., registration
rate, session rate)
• Network topology or end-user identity hid-
ing—End-user identity and network topology
313
The Role of Session Border Controllers in Next-Generation IMS–Based Networks
hiding are performed by adding, removing, or
modifying the identity and IP address informa-
tion in the SIP header. The topology hiding is
performed by removing routing information or
modifying the from/contact information in the
signaling headers. This ensures the privacy of
end users and network service providers. This is
accomplished by an SIP back-to-back user
agent (B2BUA).
• Privacy—As a border device, the SBC main-
tains trust relationships associated with user
endpoints, adjacent network elements, and
entire networks. These trust relationships are
key to privacy. The session control function
applies privacy policies in the following areas:
• User identity anonymization
• Header privacy
• Privacy of signaling information (e.g.,
encryption of signaling path by IPSec or
TLS)
• Signaling protocol harmonization and inter-
working—The session control function per-
forms signaling interworking among protocols
and protocol implementations. Examples
include call management server signaling
(CMSS) and SIP, H.323 and SIP, SIP to SIP–T/I,
and 3GPP and non–3GPP SIP. The B2BUA in
the session control function ensures that differ-
ent SIP implementations by different vendors at
the two ends of the SBC are harmonized.
• Protocol verification and repair—Verification
of the integrity of incoming signaling messages
is performed by session control function. In
addition, the session control function verifies
and repairs basic signaling syntax.
• NAPT (near-end)—NAPT is required at the
service-provider edge to traverse address
domain boundaries, perform media relay, and
hide network topology. The session control
function instructs the media control function
(via resource/bandwidth control) whether the
address (and optionally port) translation is
required. Based on the response from the media
control function (detailing the appropriate
address/port translations), the session control
function modifies SIP messages accordingly.
• NAPT and NAT/firewall (FW) traversal (far-
end)—Far-end NAT traversal requires the close
coordination between the session control and
media control functions. For traversal of signal-
314
ing streams, session control inspects signaling
messages to determine whether an endpoint is
behind a NAT device and employs mechanisms
to maintain signaling connectivity between the
user endpoint and the SBC. For the traversal of
media streams, the session control function
interacts with the media control function’s
media relay to discover and latch on the
ephemeral port used by the NAT device for
media streams. The resulting media binding is
passed to the session control function.
• Digital signal processor (DSP) service con-
trol—A session control function engages in
codec negotiation procedures and enforces pol-
icy on codecs being negotiated and allocates
transcoding resources in the media control
function (if present).
• DTMF digit insertion/extraction—The session
control function performs interworking
between DTMF telephone event packets and
signaling.
• Session admission control—The session con-
trol function is a policy enforcement point for
policies such as network bandwidth, session
capacity, and session rate. Admission control
policies may be maintained locally by a local
policy decision function or alternatively by an
external policy decision function. Policy inter-
action is the role of the resource/bandwidth
control function.
• Bandwidth and resource allocation—The ses-
sion control function derives the required band-
width values and media resources from the
SIP/session description protocol (SDP) mes-
sage and passes the information to the
resource/bandwidth control function. If there
are insufficient bandwidth and/or media
resources available, the reservation is rejected
and the session control function may attempt an
alternate route or send the appropriate SIP mes-
sage to the originator to reject the session
request. If the resource/bandwidth control func-
tion determines that there are sufficient
resources, the reservation is accepted, the ses-
sion request is allowed, and the appropriate
media resources are allocated in the media con-
trol function.
• Session accounting—Accounting functions are
included in SBC session control function for
generating call detailed records (CDRs).

• Session-based routing—The session control
function contains a SIP proxy to route SIP mes-
sages. Session based routing utilizes a combi-
nation of local routing policies, telephone num-
ber mapping (ENUM) and domain name server
(DNS).
• Load-related services—The session control
function may perform message rate throttling
when the network is congested or load balanc-
ing when it sends messages to multiple
upstream/downstream servers. The session con-
trol function may perform load balancing to
multiple IP functions.
• Call statistics—The session control function
collects various call-signaling statistics to
determine and manage call capacity and rate
performance.
• Lawful intercept—The session control function
incorporates a signaling intercept access point
for lawful intercept.
• Emergency services—The session control func-
tion provides emergency session (e.g., enhanced
911 [E911]) handling and priority processing of
emergency telecommunications service (ETS)
calls and government ETS (GETS).
Resource Policy Functions
• Bandwidth policy control—The resource/band-
width control function is responsible for mak-
ing policy decisions regarding bandwidth reser-
vation and allocation when interrogated by the
session control function. Bandwidth policies
may be maintained locally or via an external
policy manager.
• Session-based policy control—The
resource/bandwidth control also makes policy
decisions regarding session capacity and ses-
sion rate. Policies may be applied at the level of
user endpoint or upstream/downstream signal-
ing element.
• Media gate and NAPT control—The
resource/bandwidth control function includes
support for controlling the opening and closing
of media bindings (gates) in the media control
function. Gate control also compasses elements
of media NAPT and NAT traversal functions.
Security Functions
• Access control—Static and dynamic access
control lists are enforced by the SF.
Mallik Tatipamula, Sohel Khan, and Kevin Klett
• Signaling DoS protection—The SF classifies
signaling traffic based on dynamic trust binding
and enforces associated security policies.
• Signaling flow policing—Signaling traffic is
policed at the individual flow level and the
aggregate level based on trust class.
• Encryption—The SF supports encryption and
decryption resources for signaling and media
(i.e., IPSec, TLS, secure real-time transport
protocol [SRTP]).
Media Functions
• Firewall media pinhole control—The media
control function opens and closes pinholes (or
gates) for media streams on a per-session basis.
The session control function inspects the sig-
naling messages and instructs the media control
function to open and close pinholes via the
resource/bandwidth control function.
• NAPT and NAT/FW traversal—The media
control function performs IPv4–IPv4,
IPv4–IPv6, and IPv6–IPv6 address mediation,
translation of IP address of port numbers
(NAPT) in both direction, implementation of
NAT/FW traversal, and media relay function.
This ensures Layer 3 privacy by hiding network
address and topology. Address translation is
also the means by which media may be
anchored to this QoS and security demarcation
point.
• Bandwidth allocation and modification—The
media control function allocates and modifies
media resources as instructed by the
resource/bandwidth control function. It also
informs the higher-layer functions about the
reservation’s status.
• Rate limiting—The media control function per-
forms rate limiting, either on an aggregate or
per-flow basis.
• Differentiated services code point (DSCP)
marking—The media control function performs
marking and re-marking of IP packets and pro-
vides priority as per DSCP under the control of
resource/bandwidth control function.
• Virtual local-area network (VLAN) tagging—
The media control function performs 802.1q
VLAN tagging as instructed by the
resource/bandwidth control function.
• Data DoS protection—The media control func-
tion performs data DOS protection by ensuring
315
The Role of Session Border Controllers in Next-Generation IMS–Based Networks
only authorized flows are allowed to traverse
the boundary. All other flows are filtered com-
pletely.
• DSP services—The media control function sup-
ports DSP–based services such as codec inter-
working (transcoding). DSP service negotiation
is normally done between endpoints, but in
some cases, transcoding may be required at the
network boundary.
• Media supervision—The media control func-
tion supervises each media flow and, in the
event of a media fault (e.g., inactivity timer),
notifies the session control function to termi-
nate the session.
• Dual-time multifrequency (DTMF) digit han-
dling—The media control function performs
interworking between DTMF event types.
Interworking of audio DTMF–to–request for
comment 2833 (RFC2833) is supported.
Interworking of in-band DTMF events and out-
of-band signaling events is performed in con-
junction with the session control function.
• Lawful intercept—The media control function
supports media intercept under the control of the
Figure 3: Decomposed SBC Model
316
session control function via bandwidth/resource
control. Media streams are replicated, encapsu-
lated, and forwarded to lawful intercept media-
tion systems.
• Status notification—The media control func-
tion notifies session control function about crit-
ical status changes such as resource shortage or
performance degradation. This is a part of the
operations, administration, and management
(OAM) function.
SBC Functional Decomposition
Although current SBCs in networks are single
devices, SBC functions can be implemented either in
composed/decomposed fashion or centralized/
distributed fashion. In the composed model, all four
SBC functions reside in a single network element, as
in Figure 2. The simplest form of decomposition
involves splitting the media function component
from other functions across two network elements
described here, and depicted in Figure 3 as the ses-
sion controller (SC) and the BG.

There can be a 1:1 relationship or m:n relationships
between SCs and BGs. In [1], definitions of these
deployments and their merits are presented. SCs
communicate with BGs with a vertical protocol. As
proposed, H.248 is used between SCs and BGs.
However, a standard vertical protocol needs to be
developed for smooth operation between SCs and
BGs. Depending on traffic scale and functions
required, providers deploy SBCs either in com-
posed or decomposed entities. SBC functions can
also be distributed among various network func-
tions and components. For example, various exist-
ing IMS functions can complement various SBC
functions. IMS functions can be extended to absorb
many of the missing SBC functions required by
providers. Alternatively, SBC functions can be
enhanced to perform IMS functions.
The Role of SBCs in TISPAN–Based Wireline Networks
The access SBC satisfies the requirements at the
border where subscribers access the IMS core.
TISPAN functions satisfied by the access SBC
include the following:
• Proxy call-state control function (P–CSCF),
B2BUA, and interworking function (IWF)—
Provides key security, interworking, and proxy
functions for both consumer and business serv-
ices at the access network edge
Figure 4: TISPAN Architecture and SBC [2]
Mallik Tatipamula, Sohel Khan, and Kevin Klett
• Local PDF and security PDF (SPDF)—
Provides resource and admission control func-
tions locally or through an external PDF via the
Gq/Rq interface
• Access/core BG function (A–BGF)—IP pack-
et-to-packet gateway functions, including gate
management, NAT/NAPT, transcoding, and
lawful intercept
The interconnect SBC addresses the requirements
at the boundary where service provider networks
interconnect or “peer.” TISPAN functions satisfied
by the interconnect SBC include the following:
• Interconnect border control function (IBCF)—
Provides key security, routing, and admission
control functions at the interconnect border.
The I–CSCF could also be part of the intercon-
nect border controller in some situations.
• IWF—Provides protocol normalization and
interworking (SIP–SIP, SIP–H.323)
• Interconnect BG function (I–BGF)—IP packet-
to-packet gateway functions including gate
management, NAT/NAPT, transcoding, and
lawful intercept.
Figure 5 depicts the functional mapping of SBC
functional elements to IMS functions in the decom-
posed SBC model.
317
The Role of Session Border Controllers in Next-Generation IMS–Based Networks
Figure 5: SBC–TISPAN Functional Mapping
The Role of SBCs in 3GPP Wireless IMS Networks
This section describes how the SBC function fits
onto the IMS–defined functional architecture and
how this architecture is evolving to handle the
increasing requirements. This section describes the
differences between the function required on the
access and network or interconnect and the set of
IMS functions that may be combined into an
IMS–targeted access or network/interconnect SBC.
Access SBCs
For the user network interface (UNI), the session
border controller can provide different functions
depending upon whether the user equipment (UE)
uses a radio access network (RAN) or wireless
LAN (WLAN) interface. The RAN is typically in
the circuit-switched (CS) domain, and the WLAN is
always in the packet-switched (PS) domain. A UE
may be RAN–only, dual-mode RAN and WLAN, or
WLAN–only. An SBC can be used in both RAN
and WLAN environments.
318
One addition in SBC functionality for wireless
environments is the addition of security gateway
(SEG) functionality for securing signaling informa-
tion. If the UE uses its RAN interface, a secure tun-
nel can be created between the P–CSCF and the
core CSCF network using a SEG on each end.
Typically, this tunnel is used to encrypt signaling
traffic between a visited P–CSCF and the home
I–CSCF/S–CSCF of the UE, but a provider has the
option of encrypting this Za interface even when all
CSCF functions reside in the home network.
When the UE uses the WLAN interface, it is now
interfacing the 3GPP/IMS network in the PS
domain, and additional security steps must be
taken. First, all bearer and signaling traffic is
securely tunneled using IPSec from the UE to the
PDG via the Wu interface. In addition, the SIP sig-
naling along the Gm interface between the UE and
the P–CSCF is secured using an additional IPSec
tunnel. This latter signaling security is required for
the SBC, whereas the former PDG security can be
implemented in a GGSN/PDSN, an SBC, or WLAN
access gateway (WAG).
 Mallik Tatipamula, Sohel Khan, and Kevin Klett

Figure 6: SBCs in 3GPP Architecture in CS Domains

Figure 7: SBCs in 3GPP Architecture in PS Domains

319
The Role of Session Border Controllers in Next-Generation IMS–Based Networks

On the UNI, the set of IMS functions providing ses-
sion border controller depends on the access
method. The following diagram shows how the
IMS functions could be combined to build a single
box SBC for Release 6 and Release 7 network
access.
SBC Functions Not Addressed by 3GPP and TISPAN
Neither 3GPP nor TIPSAN architecture have yet to
satisfy all the border requirements associated with
delivering multimedia services. Examples of these
requirements include the following:

Network SBCs • DoS/distributed DoS (DDoS) protection for

The SBC–related functions in the network or inter-
connect have a similar architecture to the access
side. Figure 8 presents a high-level architecture dia-
gram showing how network border control func-
tions fit into the IMS architecture.
SBC and IMS core elements
• Interactive connectivity establishment
(ICE)/traversal using relay NAT (TURN)/sim-
ple traversal of user datagram protocol (UDP)
through NAT (STUN) support on access SBC
• Overload protection for IMS core elements
• Configurable policies on the SBC

Table 1: IMS Functions and Access SBC Feature Mapping

320
 Mallik Tatipamula, Sohel Khan, and Kevin Klett

Figure 8: 3GPP IMS View of Interconnect or Network (NNI) SBC [3]

Table 2: IMS Functions and Network SBC Feature Mapping

• Constraint-based admission control: num- • Limit number of inbound and outbound

ber of sessions, session rates, bursts, etc. sessions per device
• Session load balancing and route hunting • Destination code gapping
• Session signaling rate limiting (“call gap- • 911 exceptions and prioritization
ping”) • Enterprise-related functions

321
 The Role of Session Border Controllers in Next-Generation IMS–Based Networks
• Registration of aggregate endpoints—
SBCs may register on behalf of aggregate
non-registering endpoints such as IP private
branch exchanges (PBXs) and customer-
premises equipment (CPE) GWs, thus the
delivery allows IMS services to endpoints
that do not explicitly register with the
S–CSCF
• H.323–SIP IMS interworking—
Interworking the SIP IMS core (Mw inter-
face) with H.323 for connectivity with a
variety of legacy access GWs such as
IP–PBXs
• SIP IP Centrex service support
• VPN bridging/overlapping IP address
domain mediation—Necessary functions
include 802.1q VLAN aggregation and
mediation and support for mediating over-
lapping IP address domains
• Border transcoding
• Wireless-wireline
• Wireline-wireline
Conclusion
SBCs enhance providers’ networks by facilitating
border security, service reach maximization, service
322
View publication stats
assurance and QoS, QoS theft protection, regulato-
ry support, and law enforcement. Current IMS
functions lack many of these features required by
providers. Functional comparisons of commercially
available SBCs with IMS components show that
SBCs—with IMS function integration—are poten-
tial candidates to be used as IMS networks’ border
entities and eliminate the need for separate IMS
components such as P–CSCF, I–CSCF, and PDF.
SBCs functional decomposition aids providers to
deploy session controller and BGs separately in line
with providers’ scaling requirement. However, the
vertical interface between session controllers and
BGs is not yet matured. Further study is needed to
define an interface protocol between session con-
trollers and BGs. This paper discussed the role of
SBC functions in IMS networks and a functional
comparison of SBCs and IMS functions.
Reference
[1] Sohel Khan et al.,”SPEERMINT Peering Architecture,”
draft-khan-ip-serv-peer-arch-03, February 2007, IETF,
Internet Society.
[2] 3GPP–ETSI TISPAN workshop, March 2005.
[3] 3GPP TS 23.228 “IP Multi-media System: Stage 2,”
Release 7.