By Sun Hongwei
The SBC is a strategic network element (NE) for VoLTE. It is essential to network security, reliability, and multimedia interconnection as well as future network evolution.
Voice over LTE (VoLTE) is gradually replacing the traditional 2G/3G networks and the voice over broadband (VoBB) network. The all-IP VoLTE network can provide voice, fax, video, and multimedia services at lower prices. Compared to the traditional network, the VoLTE network is greatly enhanced in terms of security, capacity, QoS, and ICT convergence.
As the border gateway of the VoLTE network, the session border controller (SBC) is located on the signaling and the media planes of VoIP networks. It is usually deployed at the network edge as an independent device. The SBC supports VoIP communication between end users as well as between carrier networks. It is also a security shield protecting networks against a range of potential security threats.
According to a cost structure analysis conducted by T-Mobile, investment in SBCs accounts for almost 30% of the total VoIP network investment by telcos. In the coming era, SBCs must adapt to the following changes to meet service requirements.
Multi-level joint network protection
The VoLTE network is based on all-IP architecture and supports various access types, including LTE wireless broadband, fixed broadband, Web/Wi-Fi, and enterprise network access. The openness of the all-IP network, the scalability of session initiation protocol (SIP), and the flattening of the LTE access network bring three security challenges to VoLTE networks as compared to traditional broadband networks.
More attack sources: With the proliferation of smart devices and mobile apps, if users install cracked applications with malicious plug-ins, their smart terminals can be infected with viruses that attack the VoLTE network or enable attacks against it. Consequently, attack sources increase exponentially.
More attack types: In addition to traditional TCP/IP packet attacks, traffic attacks, malformed packet attacks, and service logic attacks, the VoLTE network will face more types of potential security attacks as the network architecture and services evolve. In the early stage of 4G network deployment, there are many coverage holes. Users have to constantly switch between 2G/3G and 4G networks, resulting in registration storms. Rich media services such as instant messaging and telepresence are burst services that transmit very little information, but cause frequent SIP signaling interaction, resulting in network signaling storms. Hackers may even steal user information to initiate short-time and incomplete calls, filter out short messages, or use third-party applications (such as spam interception apps that provide white-list or black-list functions) to interfere with users' calling activity.
More frequent attacks: Attack traffic is surging. According to Huawei Cloud Security Center, since 2013, peak attack traffic has exceeded 100G and is increasing at a rate of 50% every year.
The new security risks require the next-generation SBC, the guard dog of VoLTE networks, to be more innovative and powerful. Traditional SBCs protect only when an attack is underway. The VoLTE SBC must have independent security analysis modules and multi-level joint protection capability. It should be able to conduct in-depth analysis based on user behavior and characteristics, and combine with different services to conduct independent security analysis and processing if necessary. For example, the SBC must identify malicious ultra-short and incomplete calls based on user behavior and develop different security policies. It can then deliver the security policies to the IP/transmission layers to prevent attacks from the IP source, realizing joint protection across the IP layer, the signaling layer, and the media layer.
The SBC also must support ACL, CAC, and DoS/DDoS attack prevention, have intrusion detection and prevention systems, and support sophisticated encryption/decryption such as IPSec AKA, and SIP over TLS, so that legitimate users can safely use VoLTE services. In addition, the SBC must also support intelligent traffic control to defend against increasingly frequent registration storms.
Enhancing QoS, connectivity and service continuity
In the LTE era, users are no longer content with simple voice and messaging services. They demand high definition voice and video experiences, instant messaging, picture and video sharing, and richer service experience, with all these things available anytime and anywhere. As the "VoLTE user access board," a next-generation SBC must guarantee QoS, service continuity, and global connectivity.
To enable high-quality multimedia communication, SBCs should have built-in proxy-call session control functionality (P-CSCF) to interact with the policy and charging rules function (PCRF) in order to ensure E2E QoS. In addition, in the case of limited resources, VIP service experience must be prioritized, so an SBC must support differentiated bandwidth management to prevent low-value services from consuming excessive resources.
In terms of service continuity, since full LTE coverage cannot be achieved from the start, there may be handovers between 2G/3G and LTE networks; if not handled properly, long handover time or call drop will occur. To minimize handover time and prevent call drop, the SBC must be equipped with built-in ATCF/ATGW to ensure that only media information is updated on the local side when a handover occurs, this minimizes handover time, ensuring uninterrupted VoLTE service.
After VoLTE commercialization, the network has to interconnect with associated 2G/3G networks as well as those of other telcos and must also interconnect with fixed and IMS-based networks. The next-generation SBC should have rich audio and video codecs (including G.711, G.729, GSM codecs, AMR, WB-AMR, and H.264) and codec translation capabilities to realize codec translation for interconnection between different networks. According to IR.88 and IR.65 technical specifications formulated by GSMA and 3GPP, for international roaming, the SBC must also support IBCF/TrGW evolution, OMR and TRF functions of the RAVEL architecture, and optimize the roundabout path, and provide diversified billing methods such as time- and traffic-based billing and billing based on the number of messages for voice, video, and RCS VoLTE services.
High performance and flexible resource management
In the VoLTE era, the number of users is growing faster than ever before, and communication is increasingly expanding from people-to-people, people-to-machine, and machine-to-machine. Infonetics forecasts that from 2012 to 2017, VoLTE subscriptions will increase 145% year-on-year, every year. This breathtaking user increase requires large-capacity SBCs. The next-generation SBC should be capable of flexibly expanding its capacity by adding boards or other hardware. It should evolve smoothly to support millions of users and support IPSec and AKA authentication of all users.
China Mobile provides a good example; the telco planned two stages for its SBC deployment. Getting started in 2014, they focus SBC deployment in the provincial capitals. Each SBC supports hundreds of thousands of users. Next, SBCs will be deployed in smaller cities. The capacity of each SBC will be similar to that of a traditional media gateway (MGW), supporting about one million users.
The surge of users and the popularization of multimedia services will boost traffic. For example, SD video call of VGA format generates more than 1MB of data every second, 40 times higher than an HD voice call. According to Infonetics, in the next couple of years, data generated by all services will grow ten fold. The VoLTE core network will be inundated by torrents of data that will make today's traffic look like a trickle. The SBC must have a throughput of as much as 100G and support intelligent traffic control to ensure VoLTE network reliability.
Different services have different resource demands. For example, IM and telepresence services are burst services. They consume huge signaling resources yet generate little traffic. Video calls consume more media resources. Therefore, the next-generation SBC should be capable of flexibly managing signaling and media resources based on different service models.
Evolving to a WebRTC GW
Web real time communication (WebRTC) allows users to directly communicate with one another through video calls on browsers without installing any software or apps. The emergence of WebRTC transforms the vast number of web users into new telecom users.
By late 2014 or 2015, Internet Explorer and Safari will support WebRTC. After that, the number of WebRTC terminals will exceed one billion. WebRTC's browser-based communication allows web users and mobile users to interact, and this "click to talk" web functionality can be embedded in enterprise applications as well, transforming how businesses interact.
When web users communicate with mobile users or access telco VASs such as agent or conferencing services, they will have certain impacts on the telco network.
First, WebRTC causes security problems. WebRTC users are everywhere, using different types of terminals to access mobile networks through different access modes. As a result, user privacy data is vulnerable to sniffing tools. Second, WebRTC is bandwidth-intensive, as users can engage in browser-based audio and video calls on any platform, leading to congested networks. Third, WebRTC requires interwork between web protocols and other protocols such as SIP.
To satisfy web users' communication needs, and to reduce security risks during communication, a new device responsible for web users' seamless and secure network access, as well as signaling, media conversion between web browsers and telco networks, must be deployed at the network edge. 3GPP R12 developed an enhanced P-CSCF-based architecture suited to this purpose. The next-generation SBC must be capable of evolving to a WebRTC gateway (GW) to convert web signaling (HTTP, JSON over WebSocket, etc.) to SIP, SRTP/DTLS to RTP, and web codec OPUS/VP8 to mobile codec G.7XX/H.264. The SBC will also function as a firewall for signaling and media streams to ensure access security.
Huawei SE2900 is oriented toward 4G core networks and, based on the telco cloud platform, adopting a distributed architecture. It provides differentiation advantages, such as optimal audio/video, professional-grade security, intelligent interoperability, and powerful performance, thereby helping carriers construct highly secure Voice and Video over IP (V2oIP) networks with exceptional QoS, simplify SIP interworking, and reduce total cost of ownership (TCO).
