PacketCable 2.0

Acme Packet has defined the role of session border controllers (SBCs) within the next-generation PacketCable 2.0 architecture as defined by CableLabs. Within this architecture, SBCs provide cable operators with support for real-time interactive IP-based voice, video and multimedia sessions in five critical areas—security, service reach maximization, SLA assurance, cost and revenue management, and regulatory compliance.

Role of SBCs within PacketCable 2.0 architecture

PacketCable 2.0 is an architecture defined by CableLabs for the delivery of real-time voice, video and multimedia services using SIP and other standards-based protocols to initiate and control service delivery over packet-switched networks for cable access networks. This architecture has been extended to include components of the IMS core architecture to enable MSOs to leverage a common service delivery infrastructure for both cable and mobile access networks. This enables cable operators to accelerate support for the service delivery requirements of converged fixed-mobile services. Within the PacketCable 2.0 architecture, the two different types of SBCs—the Access SBC and the Interconnect SBC—play very important roles by integrating signaling and media control. The functional responsibilities of these products are illustrated and further described below.

Access Session Border Controller

The Access SBC satisfies the requirements at the border where subscribers access the IMS core. It integrates four functional elements from the PacketCable 2.0 architecture:

- Proxy-Call Session Control Function (P-CSCF) is the SIP signaling contact point, the outbound/inbound “proxy,” for subscribers within PacketCable 2.0 as defined by CableLabs. However, the term “proxy” is misleading: to fulfill its complete set of responsibilities, the P-CSCF must be able to proactively initiate SIP requests. This requires implementation as a SIP Back-to-Back User Agent (SIP B2BUA), not a simple SIP proxy.
  The P-CSCF is responsible for forwarding SIP registration messages from the subscriber’s endpoint, the User Equipment (UE), in a visited network to the Interrogating-CSCF (I-CSCF) and subsequent call set-up requests and responses to the Serving-CSCF (S-CSCF). The P-CSCF maintains the mapping between the logical subscriber SIP URI and the physical UE IP address, and maintains a security association with the UE, for both authentication and confidentiality, using TLS for example. It supports emergency call (E911) local routing within the visited network, accounting, session timers and admission control. Admission control requires an interface to an external PacketCable Multimedia Policy Server (PCMM PS) via the PacketCable Application Manager (PAM).
- STUN Server provides hosted traversal assistance for UE SIP signaling. It dynamically discovers the public IP address and port number for each UE behind a NAT device. It communicates this knowledge to the UE so the UE can use the appropriate address in its session establishment requests.
- STUN Relay Server performs media/RTP relay function when other NAT traversal techniques are insufficient.
- PacketCable Application Manager (PAM) processes QoS and bandwidth requests between application function (P-CSCF) and PCMM PS to provide a policy-based session admission control decision.
Interconnect Session Border Controller (Interconnect SBC)

The Interconnect SBC addresses the requirements at the boundary where different service provider networks interconnect or “peer.” It integrates two functional elements from the PacketCable 2.0 architecture:

- Interconnect Border Control Function (IBCF) provides overall control of the boundary between different service provider networks. It provides security for the PacketCable 2.0 core in terms of signaling information by maintaining a security association with the peer and performing a signaling-based topology hiding function. The IBCF also performs IPv4-IPv6 interworking and session screening based upon source and destination signaling addresses. The IBCF performs protocol interworking and SIP profile enforcement via translation or normalization. Lastly, the IBCF interacts with the TrGW for control of the boundary at the transport layers, including pinhole firewall, Network Address and Port Translation (NAPT) and numerous other features.
- Transition Gateway (TrGW) controls the transport boundary at layers 3 and 4 between service provider networks. This function acts as a pinhole firewall and NAT device protecting the PacketCable core. It controls access by packet filtering on IP address/port and opening/closing gates (pinholes) into the network. It uses NAPT to hide the IP addresses/ports of the service elements in the IMS core. QoS packet marking, bandwidth policing, usage metering and QoS measurements for the media flows are additional features supported by the TrGW.
Acme Packet SBCs support critical missing requirements

Our SBCs provide essential capabilities that have yet to be defined within the PacketCable 2.0 specification. These capabilities are required to provide a secure, reliable and manageable network architecture:

- Comprehensive security—Our SBCs provide critical security functions and features that are currently outside the scope of PacketCable 2.0, but are required for the successful and secure delivery of services. These critical security features include DoS/DDoS self-protection for the SBC and DoS/DDoS prevention for core CSCF functional elements.
- Signaling overload control—Acme Packet SBCs provide critical signaling overload protection via the P-CSCF and IBCF to protect the core CSCF elements, a function that is currently outside the scope of PacketCable 2.0. These capabilities include call rate limiting, code gapping and detection of automated dialing platforms. Acme Packet SBCs can perform selective destination/source admission control to prevent signaling overload from flash mass calling events such as American Idol voting.
- Enterprise access requirements—PacketCable 2.0 is currently specified for residential services where a single UE is connecting to the network. Acme Packet SBCs provide critical functional capabilities that allow the PacketCable 2.0 architecture to be leveraged by enterprise customers. This includes the ability to bridge overlapping MPLS VPN and IP addresses and perform surrogate registrations for endpoints aggregated behind an IP PBX or access gateway. To ensure the seamless connectivity of legacy equipment, our SBCs provide access protocol interworking for H.323 PBX to SIP trunk connectivity and DTMF translation between SIP signaling-based and RTP media-based (RFC 2833) DTMF.
- Transcoding (fixed–mobile, fixed–fixed)—Acme Packet SBCs extend the PacketCable 2.0 architecture to provide transcoding capabilities that enable disparate codecs from fixed or mobile networks to seamlessly interoperate. Acme Packet SBCs can transcode (translate) and transrate (change frame sizes) for the fixed codecs G.711 a-law & mu-law, G.723.1, G.726, G.728, G.729 A/B, G.729 E, and iLBC, as well as the mobile codecs AMR, AMR-WB, GSM EFR, GSM FR, EVRC and SMV. They also support fax interworking between G.711 and T.38.
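
The call rate limiting and selective destination/source admission control named under signaling overload control in the list above, sketched as an added example (not Acme Packet's implementation). It assumes gapping means admitting at most one call per interval to a flagged destination and that per-source limiting is a token bucket; the class name, thresholds and INVITE events are constructed.

```python
from collections import defaultdict

class OverloadGuard:
    """Per-source token bucket plus per-destination gapping for SIP INVITEs."""

    def __init__(self, rate_per_s, burst, gap_s, gapped_destinations):
        self.rate, self.burst, self.gap_s = rate_per_s, burst, gap_s
        self.gapped = set(gapped_destinations)
        # source -> [tokens, timestamp of last INVITE seen]
        self.buckets = defaultdict(lambda: [float(burst), None])
        self.last_admit = {}  # destination -> time of last admitted call

    def admit(self, ts, source, destination):
        """Classify one INVITE as 'admit', 'gapped' or 'rate-limited'."""
        if destination in self.gapped:
            last = self.last_admit.get(destination)
            if last is not None and ts - last < self.gap_s:
                return "gapped"  # rejected at the edge, never reaches the core
        bucket = self.buckets[source]
        if bucket[1] is not None:  # refill for the time elapsed since last INVITE
            bucket[0] = min(self.burst, bucket[0] + (ts - bucket[1]) * self.rate)
        bucket[1] = ts
        if bucket[0] < 1.0:
            return "rate-limited"
        bucket[0] -= 1.0
        if destination in self.gapped:
            self.last_admit[destination] = ts
        return "admit"

# Constructed INVITE events: (seconds, source address, request URI)
EVENTS = [
    (0.00, "198.51.100.10", "sip:vote@example.net"),
    (0.10, "198.51.100.20", "sip:vote@example.net"),   # inside the gap interval
    (0.20, "198.51.100.10", "sip:alice@example.net"),
    (0.30, "198.51.100.10", "sip:bob@example.net"),    # source bucket is empty
    (0.60, "198.51.100.20", "sip:vote@example.net"),   # gap interval has elapsed
    (1.50, "198.51.100.10", "sip:bob@example.net"),    # bucket has refilled
]

def classify(events):
    guard = OverloadGuard(rate_per_s=1.0, burst=2, gap_s=0.5,
                          gapped_destinations={"sip:vote@example.net"})
    return [guard.admit(ts, src, dst) for ts, src, dst in events]
```

Gapped calls are rejected before the source bucket is charged, so a mass calling event toward one destination does not exhaust a subscriber's allowance for other calls.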
SBC product selection and physical deployment considerations

Our SBCs can be implemented using an integrated architecture with signaling and media control in the same physical platform or a decomposed architecture that offers separate physical signaling and media control products for the functional elements described above. In the decomposed architecture, our products fulfill the access and interconnect SBC roles. In the access role, Acme Packet products perform the functions of the STUN Relay server (media control) under the supervision of the P-CSCF (signaling control). In the interconnect SBC role, Acme Packet products perform the functions of the TrGW (media control) under the supervision of the IBCF (signaling control). In both cases, the elements use H.248 as the control protocol between products. The key considerations when selecting a product and defining the physical deployment architecture are:

- Security—SBCs prevent DoS and DDoS attacks on core PacketCable elements by dynamically discovering and blocking malicious signaling and media attacks or non-malicious overloads (e.g. an endpoint re-registering very frequently). Our SBCs use hardware-based features to protect themselves against attack without loss of service, and they create a security perimeter that protects upstream elements (I/S-CSCF) from DoS/DDoS attacks and signaling overloads.
- Scalability—SBCs provide a distributed edge processing function for signaling control (P-CSCF/IBCF), offloading connection and encryption management (e.g. TCP, TLS, IPsec), NAT traversal processing and other processor-intensive tasks from core PacketCable elements (I/S-CSCF). The SBC also performs local policy decision functions in order to off-load the PS. These decisions include enforcing the maximum bandwidth per subscriber, access network, core network or interconnect link. From a SIP signaling perspective, our SBCs can also control the number of sessions or rate of session establishment per subscriber, access network, interconnect link or session agent/group.
- Resiliency (geographic location)—SBCs increase network resiliency by deploying signaling control functions (P-CSCF/IBCF) at the access and interconnect network borders. These devices provide a logical breakout point for emergency calls, prevent DoS/DDoS attacks from reaching the core network and minimize the impact of a single P-CSCF failure or a centralized I/S-CSCF site disaster by providing simplified subscriber re-routing capabilities.
- Cost—SBCs incorporate multiple PacketCable 2.0 functions, resulting in fewer network elements, fewer networking protocols and more robust fault and performance management (e.g. media QoS monitoring incorporated with session layer accounting), resulting in lower operational costs. Our SBCs also leverage hardware-based acceleration for processor-intensive functions (DoS protection, encryption, QoS monitoring/reporting) to reduce capital expenditures by scaling more efficiently.
Net-Net PacketCable 2.0 solutions

Our SBCs perform the critical functions of the access and interconnect SBCs as defined in the PacketCable 2.0 architecture. In these roles, the Acme Packet SBCs enable cable MSOs to create a border architecture that delivers increased security, scalability and resiliency—while reducing operating and capital expenditure costs. Acme Packet SBCs also provide critical functions that are outside the scope of the PacketCable 2.0 specification, including security, signaling overload control, enterprise access requirements and transcoding. These valuable capabilities enable MSOs to extend the reach of their NGN investment while better protecting their networks and users. Finally, Acme Packet SBCs allow cable operators to select the preferred deployment model—integrated or decomposed—that satisfies their unique requirements for creating a secure and scalable border. These deployment options enable cable operators to design an architecture that optimizes operational and capital expenditures, while enhancing their abilities to deliver real-time voice, video and multimedia services.