Transcript sbc
Session Border Controllers:
Copyright 2005 – 2008 © by Elliot Eichen. All rights reserved.
SBC: What is it?
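[Figure: signaling path: tunnel through a VoIP signaling proxy (B:B UA), carrying SIP between UAs on the public network (18.4.3.2) and the private network (10.4.3.2). Media path: tunnel through a media (RTP) proxy, carrying RTP between the public network (18.4.3.3) and the private network (10.4.3.3).]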
• Signaling & media functions can be physically separate or together.
• Sometimes used to provide transcoding (signaling and/or media) across the private/public boundary.
• Sometimes called an Application Layer Gateway (translates addresses and ports).
SBC: As a VoIP Firewall or Service Element
[Figure: SBC applying policy to SIP between the public network (18.4.3.2) and the private network (10.4.3.2).]
• Stateful inspection of packets before they are allowed to cross the border element, not just mapping addresses & ports.
• Prevents attacks such as denial of service (DoS), distributed denial of service (DDoS), RTP packet insertion, etc.
• Provides Call Admission Control (bandwidth or call policing, etc.), or Registration Policing.
• Other stuff – CALEA (wiretapping by forking media & signaling), emergency call handling, registration buffer, etc.
SBC: Carrier Carriers Peering
• Pins down the media/signaling entrance points – routing & QoS reasons.
– Discussion of hot potato IP routing
• VoIP Firewall – defensive perimeter including network topology hiding.
– Note: this also supports blind re-file.
• Other:
– CALEA (wiretap)
– CDRs
– Alternate routing
– QoS monitoring
SBC: Carrier Carriers Peering
From: John Harding, Data Connection LTD
Carrier Carrier Routing: Blind Refile
SBC: retail customers carrier peering
• Server-side application layer gateway (no need for STUN, ICE, etc. by customers).
• VoIP Firewall/defensive perimeter (for the carrier).
• Registration proxy/buffer for location server.
– Location server (IP-Centrex) wants low registration rate (e.g., every 30-60 min).
– High registration rate (e.g., every 30-60 sec) useful for:
• Maintaining pinholes in customer firewalls
• Emergency services (e.g., 911) so that non-registered phones do not provide dial tone.
• All the other stuff: CALEA, CDRs, QoS monitoring, etc.
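The registration proxy/buffer bullet above, as an added Python example (not part of the original slides): the SBC answers every phone REGISTER locally with a short expiry and forwards to the location server only when the binding is new, its contact changed, or the upstream binding is about to lapse. The 60 s and 3600 s values are picked from the ranges on the slide; `REFRESH_MARGIN`, the class and function names, and the `example.com` address-of-record are assumptions made for illustration.

```python
CLIENT_EXPIRES = 60       # seconds granted to phones (slide: every 30-60 sec)
UPSTREAM_EXPIRES = 3600   # seconds requested upstream (slide: every 30-60 min)
REFRESH_MARGIN = 300      # assumption: refresh upstream this long before expiry


class RegistrationBuffer:
    """Absorbs frequent endpoint REGISTERs; forwards only what upstream needs."""

    def __init__(self):
        self.bindings = {}   # address-of-record -> binding state
        self.forwarded = 0   # REGISTERs sent to the location server

    def on_register(self, aor, contact, now):
        """Handle one phone REGISTER; returns (expires_for_phone, sent_upstream)."""
        b = self.bindings.get(aor)
        upstream = (b is None or b["contact"] != contact
                    or now >= b["upstream_deadline"] - REFRESH_MARGIN)
        if upstream:
            self.forwarded += 1
            b = {"contact": contact, "upstream_deadline": now + UPSTREAM_EXPIRES}
            self.bindings[aor] = b
        # The phone must come back within CLIENT_EXPIRES, which also keeps
        # the pinhole in the customer firewall open.
        b["client_deadline"] = now + CLIENT_EXPIRES
        return CLIENT_EXPIRES, upstream

    def sweep(self, now):
        """Drop phones that stopped refreshing; returns AORs to de-register."""
        stale = [a for a, b in self.bindings.items()
                 if now > b["client_deadline"]]
        for aor in stale:
            del self.bindings[aor]
            self.forwarded += 1   # de-registration sent to the location server
        return stale


def simulate(hours=1, period=60):
    """Constructed scenario: one phone re-registering every `period` seconds."""
    buf = RegistrationBuffer()
    seen = 0
    for t in range(0, hours * 3600, period):
        buf.on_register("sip:alice@example.com",
                        "sip:alice@10.4.3.2:5060", float(t))
        seen += 1
    return seen, buf.forwarded   # phone REGISTERs seen vs. forwarded upstream
```

Over one simulated hour the phone sends 60 REGISTERs and the location server sees 2; `sweep` is what removes a phone that has gone silent well before its long upstream binding would expire.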
SBC: enterprise customers carrier peering
• Large customers with legacy or IP-PBXs using SIP trunks (or other signaling protocol trunks)
• VoIP Firewall/defensive perimeter:
– SBCs often deployed on the enterprise as well as carrier side.
• Admission Control:
– By bandwidth, number of calls, etc.
• All the other reasons: CALEA, CDRs, QoS monitoring, alternate routing, etc.
SBC: retail customers carrier peering
From: John Harding, Data Connection LTD
[Figure labels: DMZ, SBC, Edge Router/Switch (two), FWall.]
SBC: Interconnecting VPNs
- SBC belongs to all VPNs, looks like a different logical device to each VPN
- Gateway between VPNs for calls that might otherwise have to flow through the PSTN
- Can own dialing plan between enterprises
A Real Life Story – Use of the SBC at MIT
[Figure: SBC transcoding between TLS, SRTP on one side and UDP, RTP on the other.]