3GPP IMS release 8

Acme Packet has defined the role of session border control within the next-generation 3GPP Release 8 architecture with IP Multimedia Subsystem (IMS), Long Term Evolution (LTE), Service Architecture Evolution (SAE) and Home NodeB. Within this architecture, session border control provides service providers with support for delivering real-time interactive IP-based voice, video and multimedia sessions in five critical areas—security, service reach maximization, SLA assurance, revenue and cost optimization and regulatory compliance.

Role of session border control within 3GPP IMS Release 8 architecture

IMS is an architecture defined by 3GPP for the delivery of real-time voice, video and multimedia services using SIP over packet-switched networks with a focus on mobile wireless access networks. This architecture includes FMC and WLAN access scenarios that accelerate the convergence of common services delivered across an array of wireless and wireline access technologies.

The 3GPP IMS Release 8 architecture extends the service delivery reach from traditional 2G/3G GSM cellular networks to the LTE IP RAN and Wi-Fi access points and femtocells. This enables service providers to extend the reach of a common set of services into homes, hospitality and enterprise markets via the broadband network. The FMC component of this architecture ensures non-interrupted service delivery even as the user transitions from fixed to mobile access networks or vice versa.

The 3GPP Release 8 architecture incorporates both the previously defined IMS functional elements and the new Service Architecture Evolution, which includes the evolved universal terrestrial RAN (E-UTRAN) and Evolved Packet Core (EPC). Acme Packet’s products deliver key functions within the IMS-served SAE architecture.

Session border control in 3GPP Release 8 includes:

  • Session border controllers (SBCs) connect fixed and mobile devices to IMS SIP-based services and applications, including voice, messaging, interactive video, gaming, video and IPTV. In SAE, access SBCs connect all access networks to the IMS network. This includes the LTE RAN, the 3G RAN, trusted non-3GPP IP access networks such as DSL, FTTx and WiMAX, and untrusted non-3GPP IP access networks such as the Internet and WiFi networks. Interconnect SBCs connect all of these networks to the networks of other service providers.
  • Multiservice security gateways (MSGs) securely deliver service providers’ voice and data services over untrusted Internet and WiFi access networks to femtocells and dual-mode handsets.
  • Session routing proxies (SRPs) provide core session routing and select the destination for incoming and outgoing SIP sessions, including traffic to or from media gateways and interconnect session border controllers.

The functional responsibilities of these products are illustrated and further described below.


[Figure: 3GPP IMS Release 8, SBC role in extended IMS architecture]


Access Session Border Controller (A-SBC)

Access session border controllers satisfy the requirements at the border where subscribers access IMS services and applications. They are located at the border point of the SAE and IMS networks and integrate two functional elements from the IMS Release 8 architecture.

Proxy-Call Session Control Function (P-CSCF) is the initial SIP signaling contact point for subscribers. Serving as a SIP Back-to-Back User Agent (B2BUA), the P-CSCF is responsible for forwarding SIP registration messages from the subscriber’s endpoint, the User Equipment (UE), to the Interrogating-CSCF (I-CSCF) and subsequent call set-up requests and responses to the Serving-CSCF (S-CSCF). The P-CSCF maintains the mapping between the logical subscriber SIP URI address and the physical UE IP address, together with a security association for both authentication and confidentiality. It supports emergency call (E911) local routing within the visited network, accounting, session timers and admission control. Session admission control uses the DIAMETER protocol (Rx interface) to query an external Policy Charging and Rating Function (PCRF) element for bandwidth-based admission control and resource reservation. Acme Packet’s implementation of the P-CSCF also supports an advanced signaling firewall to protect itself and the IMS infrastructure from attacks and overloads. The P-CSCF interacts with the AGW (described below) for control of the boundary at the signaling and media layers, including pinhole firewall, Network Address and Port Translation (NAPT), lawful intercept and numerous other features.

Access Gateway Function (AGW) controls the transport boundary at layers 3 and 4 between subscribers and the service provider’s network. This function acts as a pinhole firewall and NAT device protecting the service provider’s IMS network. It controls access by packet filtering on IP address/port and opening/closing gates (pinholes) into the network. It uses NAPT to hide the IP addresses/ports of the service elements in the IMS network. Other features include QoS packet marking, bandwidth and signaling rate policing, usage metering and QoS measurements for the media flows.
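The following sketch is an added example, not Acme Packet code, showing how a signaling element can drive a pinhole gate and NAPT from the SDP offer/answer of one call. The `AccessGateway` class, its methods, and the sample SDP bodies are hypothetical; it assumes the gate is keyed on the address and port the UE advertises in its SDP.

```python
import re

# Constructed SDP bodies using documentation/private addresses, not captured traffic.
UE_OFFER = ("v=0\r\no=- 1 1 IN IP4 198.51.100.7\r\ns=-\r\nc=IN IP4 198.51.100.7\r\n"
            "t=0 0\r\nm=audio 49170 RTP/AVP 0\r\n")
CORE_ANSWER = ("v=0\r\no=- 2 2 IN IP4 10.0.0.5\r\ns=-\r\nc=IN IP4 10.0.0.5\r\n"
               "t=0 0\r\nm=audio 30000 RTP/AVP 0\r\n")

def media_endpoint(sdp):
    """Return (ip, port) from the c= line and the first m= line."""
    ip = re.search(r"^c=IN IP4 (\S+)", sdp, re.M).group(1)
    port = int(re.search(r"^m=\w+ (\d+) ", sdp, re.M).group(1))
    return ip, port

class AccessGateway:
    """Hypothetical AGW model: one gate (pinhole) per call, closed by default."""
    def __init__(self, public_ip, first_port=20000):
        self.public_ip, self.next_port = public_ip, first_port
        self.gates = {}  # call_id -> (ue_endpoint, core_endpoint, public_port)

    def open_gate(self, call_id, offer_sdp, answer_sdp):
        """Open a pinhole for one call; return the answer SDP as the UE sees it."""
        ue, core = media_endpoint(offer_sdp), media_endpoint(answer_sdp)
        port, self.next_port = self.next_port, self.next_port + 2  # odd port left for RTCP
        self.gates[call_id] = (ue, core, port)
        # NAPT: replace every core address (o= and c=) and the media port.
        hidden = re.sub(r"IN IP4 \S+", "IN IP4 " + self.public_ip, answer_sdp)
        return re.sub(r"(?m)^(m=\w+ )\d+", r"\g<1>" + str(port), hidden)

    def close_gate(self, call_id):
        """Close the pinhole when the session ends."""
        self.gates.pop(call_id, None)

    def forward(self, src, dst):
        """Access-side packet: return the core endpoint to forward to, or None to drop."""
        for ue, core, port in self.gates.values():
            if src == ue and dst == (self.public_ip, port):
                return core
        return None
```

Packets are forwarded only while a gate exists for the exact source and destination pair, and the UE never sees the core media address.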


Interconnect Session Border Controller

This session border controller addresses the requirements at the boundary where service provider networks interconnect or “peer” for the exchange of inbound and outbound SIP sessions. It integrates three IMS functional elements of 3GPP Release 8:

  • Interconnect Border Control Function (IBCF) provides overall control of the boundary between different service provider networks. It provides security for the IMS network in terms of signaling information by implementing a Topology-Hiding Inter-network Gateway (THIG) sub-function. This sub-function performs signaling-based topology hiding, IPv4-IPv6 inter-working and session screening based upon source and destination signaling addresses. The IBCF also invokes the Inter-Working Function (described below) when connecting non-SIP or non-IPv6 networks, and performs admission control and bandwidth allocation using local policies or via an interface to PCRF elements. Lastly, the IBCF interacts with the TrGW (described below) for control of the boundary at the transport layers, including pinhole firewall, NAPT and numerous other features.
  • Inter-Working Function (IWF) provides signaling protocol inter-working between the SIP-based IMS network and other service provider networks using H.323 or different SIP profiles.
  • Transition Gateway (TrGW) controls the transport boundary at layers 3 and 4 between service provider networks, with media functions similar to those of the AGW.


Multiservice Security Gateway

In SAE, the Evolved Packet Data Gateway (ePDG) is the functional element that delivers voice and data services over the untrusted Internet and WiFi networks to femtocells and dual-mode handsets. Multiservice security gateways (MSGs) fulfill the role of the ePDG. An MSG authenticates subscribers and uses IPsec to securely tunnel voice and data to devices over the Internet and WiFi. For preceding 3GPP architectures, MSGs also support the functional elements of I-WLAN Tunnel Terminating Gateway (TTG) for 3GPP Release 7, UMA/GAN Security Gateway (SeGW) for Release 6 and the Femtocell Security Gateway (SeGW) for Release 8.

Session Routing Proxy

The session routing proxy routes SIP-based, interactive communication sessions between SIP network border points, including SBCs, mobile switching centers (MSC), IMS subscriber call control elements, CLASS 5 softswitches and softswitches controlling media gateways. From an IMS SIP signaling perspective, the SRPs serve as the Breakout Gateway Control Function (BGCF). This function is responsible for selecting the optimum session border controller or softswitch/media gateway for sessions leaving a provider’s network, and the Serving Call Session Control Function (S-CSCF) for incoming sessions.

Acme Packet SBCs support critical missing requirements

Acme Packet SBCs provide essential capabilities that have yet to be defined within the 3GPP IMS Release 8 specification. These capabilities are required to provide a secure, reliable and manageable network architecture.

  • Comprehensive security – Acme Packet SBCs provide critical security functions and features that are currently outside the scope of IMS, but are required for the successful and secure delivery of services. These critical security features include DoS/DDoS self-protection for the border functional elements. Acme Packet border elements also provide DoS/DDoS prevention for core CSCF functional elements and the Topology-Hiding Inter-network Gateway (THIG) function at the access edge as part of the P-CSCF and IMS-AGW.
  • Signaling overload control – Acme Packet SBCs provide critical signaling overload protection as the P-CSCF and I-BCF to protect the core CSCF elements. These capabilities include call rate limiting, code gapping and detection of automated dialing platforms. Acme Packet SBCs can perform selective destination/source admission control to prevent signaling overload from mass calling events such as American Idol voting.
  • Enterprise access requirements – IMS is currently specified for mobile wireless services where a single User Equipment (UE) is connecting to the network. Acme Packet SBCs provide critical functional capabilities that allow the extended IMS architecture to be leveraged by enterprise customers. These include the ability to bridge overlapping MPLS VPN and IP addresses and perform surrogate registrations for endpoints aggregated behind an IP PBX or access gateway. To ensure the seamless connectivity of legacy equipment, Acme Packet SBCs provide access protocol interworking for H.323 PBX to SIP trunk connectivity and DTMF translation between SIP signaling-based and RTP media-based (RFC 2833) DTMF.
  • Transcoding (wireline–wireless, wireline–wireline) – Acme Packet SBCs extend the IMS architecture to provide transcoding capabilities that enable disparate codecs from wireline or wireless networks to interoperate seamlessly. Acme Packet SBCs can transcode (translate) and transrate (change frame sizes) for wireline codecs G.711 a-law & mu-law, G.722, G.729 A/B, G.729 E, G.723.1, G.726, G.728, iLBC, as well as the wireless codecs AMR, AMR-WB (G.722.2), GSM EFR, GSM FR, EVRC, EVRC-B and SMV. They also support fax interworking between G.711 and T.38.
  • Comprehensive routing – BGCFs are defined to route only to the next egress SIP signaling hop in IMS. Expanding on that functionality, SRPs may route between all elements in an IMS architecture for both ingress and egress sessions, providing comprehensive route selection. SRPs can also provide SIP protocol normalization between IMS elements, assuring interoperability between elements in the core network.
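The signaling overload controls named in the list above (call rate limiting per source and code gapping per destination) can be sketched as follows. This is an added example, not Acme Packet's implementation; the `OverloadControl` class, its parameters, the decision strings and the sample call attempts are all hypothetical and constructed for illustration.

```python
import math

class OverloadControl:
    """Per-source call rate limit (token bucket) plus per-destination code gapping."""
    def __init__(self, rate, burst):
        self.rate, self.burst = rate, burst  # calls per second, bucket size
        self.buckets = {}     # source -> (tokens, time of last update)
        self.gaps = {}        # dialed prefix -> minimum seconds between admitted calls
        self.last_admit = {}  # dialed prefix -> time of the last admitted call

    def set_gap(self, prefix, seconds):
        """Gap a destination code, e.g. the number range of a televote."""
        self.gaps[prefix] = seconds

    def admit(self, now, source, dialed):
        # Code gapping: longest gapped prefix that matches the dialed number.
        prefix = max((p for p in self.gaps if dialed.startswith(p)), key=len, default=None)
        if prefix is not None:
            if now - self.last_admit.get(prefix, -math.inf) < self.gaps[prefix]:
                return "gapped"
        # Rate limiting: refill this source's bucket, then try to take one token.
        tokens, last = self.buckets.get(source, (self.burst, now))
        tokens = min(self.burst, tokens + (now - last) * self.rate)
        if tokens < 1:
            self.buckets[source] = (tokens, now)
            return "rate-limited"
        self.buckets[source] = (tokens - 1, now)
        if prefix is not None:
            self.last_admit[prefix] = now  # the gap timer restarts only on an admitted call
        return "admit"

# Constructed call attempts: (time in seconds, source address, dialed number).
ATTEMPTS = [
    (0.0, "198.51.100.7", "19005550100"),
    (0.1, "198.51.100.8", "19005550100"),
    (0.2, "198.51.100.7", "12125550123"),
    (0.3, "198.51.100.7", "12125550124"),
    (2.5, "198.51.100.8", "19005550101"),
]

def replay(control, attempts):
    """Return the admission decision for each attempt, in order."""
    return [control.admit(t, src, dst) for t, src, dst in attempts]
```

Gapping throttles a destination regardless of who is calling it, while the token bucket throttles a single source regardless of what it dials, which is the destination/source distinction the list item draws.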


SBC product selection and physical deployment considerations

Acme Packet SBCs may be implemented using an integrated architecture with signaling and media control in the same physical platform or a decomposed architecture that offers separate physical signaling and media control products for the access and interconnect functional elements described previously. Further, ePDG, TTG, or SeGW functionality can be integrated into an access SBC.

In the access role, Acme Packet SBCs perform the functions of the IMS-AGW (media control) under the supervision of the P-CSCF (signaling control). In the interconnect SBC role, Acme Packet SBCs perform the functions of the I-BGF (media control) under the supervision of the I-BCF (signaling control). In both cases the elements use H.248 as the control protocol between products.

When selecting products to fulfill IMS functions and defining the physical deployment architecture, the key considerations are:

  • Security – SBCs prevent DoS and DDoS attacks on core IMS elements by dynamically discovering and blocking malicious signaling and media attacks or non-malicious overloads (e.g. endpoint re-registering very frequently). Advanced SBCs using hardware-based features, like Acme Packet’s SBCs, can protect themselves against attack without loss of service and create a security perimeter that protects upstream elements (I/S-CSCF) from DoS/DDoS attacks and signaling overloads.
  • Scalability – SBCs provide a distributed edge processing function for signaling control (P-CSCF/I-BCF), offloading connection and encryption management (e.g., TCP, TLS, IPsec), NAT traversal processing and other processor-intensive tasks from core IMS elements (I/S-CSCF). The SBC also performs local policy decision functions in order to off-load the core PCRF. These decisions include enforcing the maximum bandwidth per subscriber, access network, core network or interconnect link. From a SIP signaling perspective, Acme Packet SBCs can also control the number of sessions or rate of session establishment per subscriber, access network, interconnect link or session agent/group.
  • Resiliency (geographic location) – SBCs increase network resiliency by deploying signaling control functions (P-CSCF/I-BCF) at the access and interconnect network borders. These devices provide a logical breakout point for emergency calls, prevent DoS/DDoS attacks from reaching the core network and minimize the impact of a single P-CSCF failure or a centralized I/S-CSCF site disaster by providing simplified subscriber re-routing capabilities.
  • Cost – SBCs incorporate multiple 3GPP IMS functions resulting in fewer network elements, fewer networking protocols and more robust fault and performance management (e.g., media QoS monitoring incorporated with session layer accounting), resulting in lower operational costs. Acme Packet SBCs also leverage hardware-based acceleration for processor intensive functions (DoS/DDoS protection, encryption, QoS monitoring/reporting) to reduce capital expenditures by scaling more efficiently.


Net-Net

Acme Packet’s Net-Net family of session border control solutions performs many critical functions as defined in the 3GPP IMS Release 8 architecture. In these roles, the Acme Packet session border control solutions enable service providers to create a border architecture that delivers increased security, scalability and resiliency, while reducing operating and capital expenditure costs.

Acme Packet SBCs also provide critical functions that are outside the scope of the IMS specification, including security, signaling overload control, enterprise access requirements and transcoding. These valuable capabilities enable service providers to extend the reach of their NGN investment while better protecting their network and users.

Finally, Acme Packet SBCs allow service providers to select the preferred deployment model—integrated or decomposed—that satisfies their unique requirements for creating a secure and scalable border. These deployment options enable the service provider to design an access architecture that optimizes operational and capital expenditures, while enhancing the service provider’s ability to deliver real-time voice, video and multimedia services.