HUAWEI SE2900 Session Border Controller V300R002C10 SE2900 I-SBC Interconnection Technical White Paper Issue 01 Date 2016-01-15 HUAWEI TECHNOLOGIES CO., LTD.

HUAWEI SE2900 Session Border Controller V300R002C10

SE2900 I-SBC Interconnection Technical White Paper

Issue 01

Date 2016-01-15

HUAWEI TECHNOLOGIES CO., LTD.


Issue 01 (2016-01-15) Huawei Proprietary and Confidential


Copyright © Huawei Technologies Co., Ltd. 2016. All rights reserved.

No part of this document may be reproduced or transmitted in any form or by any means without prior written consent of Huawei Technologies Co., Ltd.

Trademarks and Permissions

and other Huawei trademarks are trademarks of Huawei Technologies Co., Ltd.

All other trademarks and trade names mentioned in this document are the property of their respective holders.

Notice

The purchased products, services and features are stipulated by the contract made between Huawei and the customer. All or part of the products, services and features described in this document may not be within the purchase scope or the usage scope. Unless otherwise specified in the contract, all statements, information, and recommendations in this document are provided "AS IS" without warranties, guarantees or representations of any kind, either express or implied.

The information in this document is subject to change without notice. Every effort has been made in the preparation of this document to ensure accuracy of the contents, but all statements, information, and recommendations in this document do not constitute a warranty of any kind, express or implied.

Huawei Technologies Co., Ltd.

Address: Huawei Industrial Base

Bantian, Longgang

Shenzhen 518129

People's Republic of China

Website: http://www.huawei.com

Email: [email protected]


About This Document

Purpose

This document briefly describes the I-SBC interconnection functions and networking solutions provided by Huawei SessionEngine2900 (SE2900) SBC, involving I-SBC interconnection features, networking, and networking reliability.

This document helps you understand the I-SBC interconnection features and the deployment of the SE2900 on the carrier network.

Intended Audience

This document is intended for:

Management personnel and planning and design personnel of carriers

Huawei marketing engineers

Technical support engineers

Maintenance engineers

Symbol Conventions

The symbols that may be found in this document are defined as follows.

Symbol Description

Indicates a hazard with a high level or medium level of risk which, if not avoided, could result in death or serious injury.

Indicates a hazard with a low level of risk which, if not avoided, could result in minor or moderate injury.

Indicates a potentially hazardous situation that, if not avoided, could result in equipment damage, data loss, performance deterioration, or unanticipated results.

Provides a tip that may help you solve a problem or save time.

Provides additional information to emphasize or supplement important points in the main text.


Standards Compliance

Category | Name | Purpose
IETF | RFC 3261 SIP: Session Initiation Protocol | Defines SIP standards.
IETF | RFC 4568 SDP Security Descriptions for Media Streams | Defines Secure Real-time Transport Protocol (SRTP) media negotiation in SIP calls.
3GPP | 3GPP TS 24.229 | Describes SIP and SDP on the IMS network.
3GPP | 3GPP TS 29.162 | Defines IP network interworking.
3GPP | 3GPP TS 29.165 | Defines IMS network interworking.
3GPP | 3GPP TS 29.238 | Defines the IBCF.

Change History

Changes between document issues are cumulative. The latest document issue contains all the changes made in earlier issues.

Issue 01 (2014-12-09)

This issue is the first official release.


Contents

About This Document
1 Overview
2 Typical Application Scenarios
2.1 Convergent Gateway
2.1.1 Security
2.1.2 Protocol Conversion
2.1.3 Charging
2.2 IGW
2.2.2 Security
2.2.3 Protocol Conversion
2.2.4 Charging
2.2.5 Flexible Routing
2.3 LDI
2.3.1 Protocol Conversion
2.3.2 Audio Transcoding
2.3.3 Signaling Flexible Adaptation
2.4 IPX
2.4.2 Security
2.4.3 Protocol Conversion
2.4.4 Charging
2.4.5 Flexible Routing
2.4.6 Audio Transcoding
2.4.7 Signaling Flexible Adaptation
2.5 National Tandem Office
2.6 Enterprise Network
3 Interworking Capability
3.1 Flexible Routing
3.1.1 Application Scenario
3.1.2 Function Description
3.2 IPv4/IPv6 Translation
3.2.1 Application Scenario
3.2.2 Function Description


3.3 SIP/SIP-I/SIP-T Interworking
3.3.1 Application Scenario
3.3.2 Function Description
3.4 SIP-H.323 Interworking
3.4.1 Application Scenario
3.4.2 Function Description
3.5 Conversion Between SIP over UDP/TCP/SCTP/TLS
3.5.1 Application Scenario
3.5.2 Function Description
3.6 Audio Transcoding
3.6.1 Application Scenario
3.6.2 Function Description
3.7 Media Bypass
3.7.1 Application Scenario
3.7.2 Function Description
4 Interworking Network Redundancy
4.1 Core Network Redundancy
4.1.1 Application Scenario
4.1.2 Function Description
4.2 SBC Redundancy
5 Security Management
5.1 Security Overview
5.1.1 Major Security Challenges
5.1.2 Major Attack Means
5.2 Security Implementation
5.2.1 Security Features
5.2.2 Major Security Strategies
5.3 Security Architecture
5.3.1 Security Layers
5.3.2 Service/Management Planes
5.3.3 Security Dimensions
6 Charging
6.1 Local CCF Charging
6.1.1 Application Scenario
6.1.2 Function Description
7 Flexible Adaptation
7.1 DSCP Remarking
7.1.1 Application Scenario
7.1.2 Function Description
7.2 Media Policy


7.2.1 Application Scenario
7.2.2 Function Description
7.3 SIP Header Manipulation
7.3.1 Application Scenario
7.3.2 Function Description
8 QoS Assurance
8.1 IP One-Way Audio Detection
8.1.1 Application Scenario
8.1.2 Function Description
8.2 Voice Quality Reporting
8.2.1 Application Scenario
8.2.2 Function Description
A Acronyms and Abbreviations


1 Overview

The traditional telecommunication network (TCN) uses time division multiplexing (TDM) to provide voice services. This transmission mode features high reliability but is high-cost, low-bandwidth, and time-consuming for deployment. The sharp increase of global data traffic, communication media diversity, and global IP development require efficient and low-cost IP interconnection between the subnets of a carrier, between carriers and enterprises, and between different carriers.

With network evolution, heterogeneous network interconnection encounters the following problems:

The emergence of more intelligent UEs and the growing integration of services present serious security issues and challenges to the network. Ensuring network and user information security is the top concern for network deployment.

How to ensure protocol adaptation (such as SIP/SIP-I/SIP-T) and device interoperability.

How to ensure efficient multimedia traffic transmission because not only voice and short message traffic but also multimedia traffic is transmitted on the network.

To address these problems, the I-SBC is deployed to implement network interworking. The I-SBC consists of the interconnection session border controller (IBCF) and interconnection border gateway function (IBGF). The IBCF supports routing and forwarding, border control, and topology hiding, and instructs the IBGF to implement media interworking.

The I-SBC supports interworking between the IMS network and IMS network/NGN/H.323 network/another type of IP network. See Figure 1-1.


Figure 1-1 SE2900 in network interworking

[Figure not reproduced. Labelled elements: SE2900 (IBCF + IBGF); IMS (VoBB/RCS/VoLTE/conference) with I/S-CSCF, HSS, SCC AS, RCS AS, VoBB AS, Presence, RMC, DNS server, MGCF, IM-MGW; NGN with softswitch and MGW; H.323 network with GK and H.323 UE; enterprise network with IP-PBX; another type of network with remote IBCF/IBGF; aggregated routing; routing decision device. Legend: signaling, media.]

The I-SBC, which is deployed at the edge of networks, ensures network security and implements network interworking, meeting the need for IP-based gateways and Long Distance and International (LDI)/IP Packet eXchange (IPX).

The I-SBC supports flexible routing so that the services between different networks are flexibly and accurately routed to the destination.

The I-SBC supports interworking between the networks of different capabilities and provides interworking security in addition to meeting basic service requirements of the networks.

The I-SBC provides the flexible adaptation mechanism and quickly resolves the network interworking issues.

The I-SBC supports core network redundancy and SBC redundancy, ensuring network reliability.

The I-SBC supports basic and supplementary services, as shown in Table 1-1.

Table 1-1 Basic and supplementary services

Service Name | Overview
SIP emergency call | The SIP emergency call feature enables the IMS network to identify and give special treatment to emergency calls. When a subscriber dials an emergency call number (such as 911) or an SOS URN, the IMS network identifies this call as an emergency call and forwards the call request to the nearest EC for special treatment. In the I-SBC scenario, the SE2900 is deployed between two IMS networks or between one IMS network and another network and identifies a call as an emergency call and then forwards the call to a device on another network for subsequent operations.
SIP subscription | SIP subscription enables the core network to send NOTIFY messages about status changes to subscribers who, after successful registration, initiate SUBSCRIBE requests to the core network to subscribe to their own status or other subscribers' status. Common subscription statuses include registration status and presence status, respectively identified by the reg or presence event package carried in the Event header of a SUBSCRIBE request.
SIP call | The SIP call feature enables the SE2900 to create, modify, or terminate multi-media sessions and use SDP to dynamically modify session attributes, such as required session bandwidths, media types (voice, video, or data), and media codec formats. In the SIP call procedure, the SE2900 also supports such supplementary services as call hold, forking, call transfer, call redirection, conference calls, and three-party services in addition to the basic call procedure. In the I-SBC scenario, the SE2900 is deployed between two IMS networks or between one IMS network and another type of network and forwards call messages between the networks.
SIP fax | SIP fax is a telecommunications service in which data is transmitted between two fax machines. It provides a complete set of service functions, including fax data bearer and fax service management, for fax machines on both sides of the network. In the I-SBC scenario, the SE2900 is deployed between two IMS networks or between one IMS network and another type of network and forwards fax data between the networks.
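
The identification rules in Table 1-1, as an added example (not Huawei code and not a description of SE2900 internals): a small Python classifier that marks an INVITE as an emergency call when its Request-URI carries an emergency number or an SOS service URN, and reads the event package from the Event header of a SUBSCRIBE. The emergency number set, the function names, and the sample messages are assumptions constructed for illustration.

```python
import re

# Assumption: dial strings treated as emergency numbers. The table names 911
# as an example; a real deployment provisions this list per network.
EMERGENCY_NUMBERS = {"911", "112"}
# Event packages named in the SIP subscription row of Table 1-1.
KNOWN_EVENT_PACKAGES = {"reg", "presence"}


def parse_request(raw):
    """Split a SIP request into (method, request_uri, headers).

    Header names are lower-cased and only the first value of each header is
    kept, which is enough for the classification below.
    """
    head = raw.replace("\r\n", "\n").split("\n\n", 1)[0]
    lines = head.split("\n")
    parts = lines[0].split()
    if len(parts) != 3 or not parts[2].startswith("SIP/"):
        raise ValueError("not a SIP request line: %r" % lines[0])
    headers = {}
    for line in lines[1:]:
        if line[:1] in (" ", "\t"):  # folded continuation line, ignored here
            continue
        name, sep, value = line.partition(":")
        if sep:
            headers.setdefault(name.strip().lower(), value.strip())
    return parts[0].upper(), parts[1], headers


def is_emergency_uri(uri):
    """True for an SOS service URN or a sip/sips/tel URI whose user part is
    exactly one of the configured emergency numbers."""
    lowered = uri.lower()
    if lowered == "urn:service:sos" or lowered.startswith("urn:service:sos."):
        return True
    # sip/sips URIs must have a user part (text before "@"); a bare host such
    # as sip:911.example.net is not a dialed number.
    m = re.match(r"^(?:sips?:([^@:;?]+)[^@]*@|tel:([^;?]+))", lowered)
    if not m:
        return False
    user = m.group(1) or m.group(2)
    digits = re.sub(r"[-.() ]", "", user)  # drop visual separators
    return digits in EMERGENCY_NUMBERS


def classify(raw):
    """Return a coarse label for one SIP request."""
    method, uri, headers = parse_request(raw)
    if method == "INVITE":
        return "emergency-call" if is_emergency_uri(uri) else "call"
    if method == "SUBSCRIBE":
        # "o" is the compact form of the Event header.
        event = headers.get("event", headers.get("o", ""))
        package = event.split(";", 1)[0].strip().lower()
        if package in KNOWN_EVENT_PACKAGES:
            return "subscription:" + package
        return "subscription:other"
    return "other"


def build_request(method, uri, extra=()):
    """Build a constructed sample request (addresses are documentation values)."""
    lines = [
        "%s %s SIP/2.0" % (method, uri),
        "Via: SIP/2.0/UDP 192.0.2.10:5060;branch=z9hG4bKconstructed",
        "From: <sip:alice@ims.example.net>;tag=1",
        "To: <%s>" % uri,
        "Call-ID: constructed@192.0.2.10",
        "CSeq: 1 %s" % method,
    ]
    lines += list(extra) + ["Content-Length: 0", "", ""]
    return "\r\n".join(lines)


# Constructed sample messages, not captured traffic.
SAMPLES = {
    "sos_urn": build_request("INVITE", "urn:service:sos"),
    "dialed_911": build_request("INVITE", "sip:911@ims.example.net;user=phone"),
    "normal_call": build_request("INVITE", "sip:bob@ims.example.net"),
    "subscribe_reg": build_request(
        "SUBSCRIBE", "sip:alice@ims.example.net", ["Event: reg"]),
    "subscribe_compact": build_request(
        "SUBSCRIBE", "sip:bob@ims.example.net", ["o: presence;id=7"]),
}

if __name__ == "__main__":
    for name, message in SAMPLES.items():
        print(name, "->", classify(message))
```
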

The I-SBC supports the following functions for network interworking:

Flexible routing
When the SE2900 connects to multiple IP networks, flexible routing is used to meet different routing requirements to ensure network reliability and routing flexibility.

IPv4/IPv6 translation
The I-SBC is used to implement interworking between the IPv4 and IPv6 networks.

SIP/SIP-I/SIP-T interworking
When the SE2900 acts as an IP interworking gateway between the NGN, IMS network, and CS network, SIP/SIP-I/SIP-T interworking is needed because the IMS network supports SIP but the NGN and CS network support SIP/SIP-I/SIP-T.

SIP-H.323 interworking
In the I-SBC scenario, the UEs homed to different core networks support different protocols, such as SIP and H.323. The SIP-H.323 interworking feature helps implement interworking between the IMS network/NGN and the H.323 network. As the convergence center for multiple solutions, the SE2900 is dedicated to establishing a seamless intelligent edge for heterogeneous networks under continuous evolution. In the all-IP era, H.323 conferences still play an important role in enterprises, and this requires the access to the SIP-based IMS network.

IP-PBX access
The private branch exchange (PBX), also called the private automatic branch exchange (PABX), is a dedicated exchange that provides call center functions or hotline functions for corporate users, such as enterprises, companies, and banks, and provides special service console functions for such services as fire and police emergency calls. The PBX, which incorporates telephones, fax machines, modems, and other devices, makes connections among the internal telephones of an enterprise and also connects them to the public switched telephone network (PSTN). The IP-PBX without the registration capability must access the IMS network through the I-SBC.

Conversion between SIP over UDP/TCP/SCTP/TLS
SIP is an application layer protocol that can run over different transport layer protocols. Generally, SIP messages are transmitted over UDP. In the I-SBC scenario, the SE2900 supports interworking between transport layer protocols.

Audio transcoding
Audio transcoding enables the SE2900 to convert media packets from one media format to another. With this feature, the SE2900 allows UEs using different media formats to communicate with each other.

The SE2900 provides the flexible adaptation mechanism by supporting SIP header manipulation.

The interconnection compatibility issue between different types of network devices is very common. To address such an issue, the SE2900 provides a mechanism that allows carriers to flexibly control SIP messages. This mechanism helps carriers quickly solve interconnection issues related to protocol use and enables a carrier network to have enhanced SIP application-layer attack defense capability.


2 Typical Application Scenarios

2.1 Convergent Gateway

A convergent gateway is a traffic ingress/egress between one domestic carrier and other domestic carriers. The carriers interconnect with each other through their own convergent gateways.

Fixed-mobile convergence (FMC) carriers can deploy a convergent gateway to collect traffic between different types of networks that are run by the same carrier, as well as traffic between domestic carriers.

IP-based convergent gateways have become an irreversible trend because of increasing costs and service diversity.

Figure 2-1 Convergent gateway networking

[Figure not reproduced. Labelled elements: domestic convergent gateway; ENUM server; O&M/billing; VoIP carriers; Carrier 1; Carrier 2; Carrier 3; PSTN; PLMN; PBX; domestic CP/SP; carrier's own network (PSTN, PLMN, IMS); UGC; MGW; SBC; other local carriers.]

2.1.1 Security

The emergence of more intelligent UEs and the growing integration of services present serious security issues and challenges to the network. The I-SBC is needed to ensure network and user information security.

2.1.2 Protocol Conversion

The I-SBC is needed to implement interworking between different models/types of networks.

- SIP/SIP-I/SIP-T interworking

  SIP with encapsulated ISUP (SIP-I)/SIP for Telephones (SIP-T) is currently the preferred means for implementing interworking between the IMS network and CS network/NGN (interworking between SIP-based service platforms or IP-PBXs and PLMN/PSTN users).

  The reasons why SIP-I/SIP-T is preferred for the interworking are as follows:

  - Only SIP-I/SIP-T is able to provide certain services.
  - Although certain services can also be implemented using standard SIP on CS networks, SIP-I/SIP-T facilitates service implementation if the SIP peer supports SIP-I/SIP-T.

  The SIP/SIP-I/SIP-T interworking feature allows the SE2900 to serve as an IP interworking gateway for the IMS network, NGN, CS network, and IP-PBXs, and to provide basic voice services and supplementary services for various networks. The enhanced SIP access capability minimizes interconnection risks and helps network interworking.

- SIP-H.323 interworking

  In the all-IP era, H.323 conferences still play an important role in enterprises, and this requires the access to the SIP-based IMS network.

  The SE2900, as the convergence center of multiple solutions, is dedicated to building a seamless and intelligent border for the evolving heterogeneous network.

  This feature implements interworking between the IMS network/NGN and the H.323 network and enables an H.323 UE to join the IMS conference, which improves the H.323 UE's service experience.

2.1.3 Charging

The I-SBC supports charging and generates charging data records (CDRs), achieving interconnect settlement.

2.2 IGW

An IGW routes calls from a domestic carrier to other carriers in foreign countries. A domestic carrier uses its own IGW or other carriers' IGWs in the home country, depending on domestic regulations and whether the domestic carrier has an operation license.

Figure 2-2 IGW networking

[Figure not reproduced. Labels: International gateway (UGC, MGW, SBC, MGW; ENUM server/LCR; O&M/billing); Local network; FNO; MNO; SP; Other countries; Country 1 to Country 5; VoIP; PSTN; PLMN.]

The problems encountered by the convergent gateway also arise on the IGW. The I-SBC can resolve the problems by supporting IP interworking (which reduces call costs and facilitates rich communication services), IP network attack defense, and network protocol conversion.

2.2.2 Security

The networks involving the IGW are more complex and pose serious challenges to IP network security. The I-SBC is needed to protect networks and users.

2.2.3 Protocol Conversion

The IGW uses different communication protocols for each type of network. Network interworking requires the I-SBC to perform protocol conversion, including SIP/SIP-I/SIP-T interworking and SIP-H.323 interworking.

2.2.4 Charging

The IGW involves settlement with the international carrier. The I-SBC generates CDRs and facilitates settlement.

2.2.5 Flexible Routing

International traffic is often routed across multiple international carrier networks to reach the destination. This allows flexible choice of routes.

The SE2900's flexible routing function meets the routing requirements of the IGW, which ensures better network connectivity and optimized routing efficiency. Routing policies include:

- Calling/called number-based routing policy
- CIC or RN-based routing policy
- User type-based routing policy
- Media type-based routing policy
- Call type-based routing policy
- ENUM query-based policy
- QoS-based routing policy
- Codec-based routing policy
- Date and time-based routing policy
- Rerouting upon forwarding failures

2.3 LDI

Many multinational carriers deploy their subnets in different countries and face the following challenges in interconnecting and managing subnets in a centralized manner:

- A multinational carrier leases or builds an IGW for each subnet. This increases the investment and costs of international calls. In addition, a lack of centralized subnet planning and management leads to high maintenance costs and reduces the negotiation power of carriers when they try to reach a deal with companies that lease IGWs.

- Traffic between subnets of the same carrier may be transferred by an international traffic network of another carrier. This increases the costs of international calls, increases the time required for call setup, and degrades voice quality.

The Long Distance and International (LDI) solution implements interworking between domestic networks of the same carrier, between international carriers, and between subnets of the same multinational carrier.

By using the LDI solution, carriers can accelerate convergence of the core network to provide new services, such as multimedia services and convergent applications. This will ultimately help carriers to simplify network structures and reduce operating expenses (OPEX).

Carriers gain the following benefits from the LDI solution:

- Reduce costs of international calls, including calls between subnets of the same carrier and calls between subnets and other foreign networks.
- Improve brand reputation and advantageous position in pricing negotiation.
- Increase revenue from low-cost international wholesale services.
- Improve brand attraction due to the delivery of new services, including international roaming, enterprise communication, and conferencing services.

Some carriers lease their LDI networks as IPX networks so that many small carriers can implement national and international communication services.

Figure 2-3 Architecture of the LDI network

[Figure not reproduced. Labels: LDI network (UGC, MGW, SBC; ENUM server/LCR; O&M/billing; Service center); note "The IMS core network is optional."; Subnet 1 to Subnet n; Region 1 to Region m.]

In the LDI solution, the I-SBC can be deployed to ensure network security and perform inter-subnet traffic settlement.

2.3.1 Protocol Conversion

The IGW uses different communication protocols for each type of network. Considering cost reduction, service expansion, and network maintenance convenience, LDI uses the IP-based SIP protocol to converge signaling, which involves interworking between integrated services digital network user part (ISUP) signaling and SIP signaling. The I-SBC is deployed to support SIP/SIP-I/SIP-T interworking, achieving lossless transmission of ISUP signaling.

2.3.2 Audio Transcoding

The diversity of network types and UE types results in a situation where UEs use different media formats. For example, the UEs on the fixed network use G.711 and UEs on the mobile network use AMR. Transcoding is required when the UEs on the fixed network and mobile network communicate with each other. Such problems also arise in interworking between other types of networks or UEs.

Audio transcoding enables the SE2900 to convert media packets from one media format to another. With this feature, the SE2900 allows UEs using different media formats to communicate with each other.

2.3.3 Signaling Flexible Adaptation

Networks that support SIP differ in how they interpret SIP and in their ability to parse signaling packets, which is an important factor affecting the network tandem capability.

SIP header manipulation provides a mechanism to flexibly control SIP messages. This mechanism:

- Enables a carrier network to have better SIP application-layer attack defense capability.
- Helps carriers quickly solve interworking problems related to protocol use.

2.4 IPX

In addition to building their own LDI networks, multinational carriers can use a third-party IPX network to converge subnets and communicate with other carriers. Small-scale carriers can lease the IPX network to achieve international communication services.

In IPX interworking, the IPX network can be used as a voice hub to provide converged mobile/fixed interworking calls or as a Diameter agent to provide centralized Diameter signaling convergence and forwarding.

Figure 2-4 IPX networking

[Figure not reproduced. Labels: Service center (HSS, Centrex AS, Telephony AS, Conference AS); Routing enhancement (ENUM server, LCR server); Other carrier networks (IP carrier, TDM carrier); Subnet 1 to Subnet 4. Legend: Bearer channel, Signaling channel, Heartbeat link.]

The IPX network is similar to the LDI network. The IPX network converges different carrier networks and imposes higher requirements for security, charging, and tandem capabilities. The I-SBC supports the following functions to resolve different problems.

2.4.2 Security

Because the IPX network converges carrier networks, network security must be considered.

2.4.3 Protocol Conversion

The IPX network converging different carrier networks must be able to support protocol interworking, such as SIP/SIP-I/SIP-T interworking and SIP-H.323 interworking.

2.4.4 Charging

The IPX provider needs to perform traffic settlement with different carriers. Therefore, the IPX network must support charging.

2.4.5 Flexible Routing

The IPX network connects to the networks of different carriers, and international call transfer needs to be considered. The IPX network preferentially selects low-cost paths to ensure reliability. Many routes are involved in routing and routing policies are flexible.

2.4.6 Audio Transcoding

The diversity of UE types must be considered for the convergence between the networks of different carriers. The I-SBC needs to be deployed to perform transcoding so that UEs using different media formats can communicate with each other.

2.4.7 Signaling Flexible Adaptation

The inconsistency of protocol understanding and packet parsing capabilities must be considered to ensure the IPX network's tandem capability. The I-SBC's SIP header manipulation function can improve the IPX network's tandem capability.

2.5 National Tandem Office

The national tandem office is similar to the LDI in terms of network architecture and functions. It is used to converge signaling and traffic between domestic carriers' endpoints.

A carrier may operate various types of networks. For example, a comprehensive carrier operates fixed and mobile networks at the same time. It is recommended to build a single tandem network, simplifying network architecture and reducing alternative channels (if management is not taken into account).

For details, see the LDI description. The I-SBC is deployed to enhance tandem network security and tandem capability.

2.6 Enterprise Network

IP-PBX Access

The IP-PBX provides call center functions or hotline functions for corporate users, such as enterprises, companies, and banks, and provides special service console functions for such services as fire and police emergency calls. An IP-PBX that does not have the registration capability accesses the IMS network through the I-SBC, which supports core network redundancy to ensure access reliability and core network security. The I-SBC also supports media bypass so that the media packets in a call between a caller and callee attached to the same IP-PBX are transmitted only within the enterprise, reducing the consumption of core network resources.

Figure 2-5 Business trunking access in IBCF mode

[Figure not reproduced. Labels: Core network; I-SBC; PBX A and PBX B, each with attached UEs.]

3 Interworking Capability

3.1 Flexible Routing

3.1.1 Application Scenario

Flexible routing enables the SE2900 to flexibly route initial INVITE messages based on a series of user-defined routing policies. Flexible routing improves the flexibility of route planning and ensures better network connectivity and optimized routing efficiency. Routing policies include:

- Calling/called number-based routing policy
- CIC or RN-based routing policy
- User type-based routing policy
- Media type-based routing policy
- Call type-based routing policy
- ENUM query-based policy
- QoS-based routing policy
- Codec-based routing policy
- Date and time-based routing policy
- Rerouting upon forwarding failures

3.1.2 Function Description

Calling/Called Number-based Routing Policy

The SE2900 selects a route based on the calling/called number in an initial INVITE request.

The calling number refers to the user part of the URI in the P-Asserted-Identity header of the initial INVITE request. If multiple P-Asserted-Identity headers exist, the user part of the URI in the first P-Asserted-Identity header is regarded as the calling number. If no P-Asserted-Identity headers exist, the user part of the URI in the From header is regarded as the calling number.

The called number refers to the user part of the URI in the Request-URI of the initial INVITE request.

CIC or RN-based Routing Policy

The SE2900 selects a route based on the cic and cic-context parameters or the rn and rn-context parameters in the Request-URI of the initial INVITE request.

User Type-based Routing Policy

The SE2900 selects a route based on the type of the caller.

Calling party category (CPC) refers to the CPC parameter in the P-Asserted-Identity header. Possible values of this parameter are ordinary, test, operator, payphone, priority, data, and unknown. Call messages with the cpc parameter set to other values are processed as those with the cpc parameter set to unknown. The following is a sample value of the cpc parameter in a P-Asserted-Identity header:

P-Asserted-Identity:<tel:+8613807550001;cpc=ordinary>
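The number, CIC/RN and CPC selection rules described above can be exercised with a short parser. This is an added example, not Huawei code: the function names, the returned dictionary layout, the sample INVITE (constructed, apart from the page's own sample P-Asserted-Identity value) and the choice to return None when no cpc parameter is present are assumptions.

```python
import re

# cpc values listed on the page; any other value is processed as "unknown".
CPC_VALUES = {"ordinary", "test", "operator", "payphone", "priority", "data", "unknown"}

# Constructed sample message (hosts and most numbers are illustrative only).
SAMPLE_INVITE = "\r\n".join([
    "INVITE sip:+8613900000002;rn=+8675500@sbc.example.net;user=phone SIP/2.0",
    "Via: SIP/2.0/UDP peer.example.org:5060;branch=z9hG4bK-constructed",
    'From: "Caller" <sip:+8613800000009@peer.example.org>;tag=1a2b',
    "To: <sip:+8613900000002@sbc.example.net;user=phone>",
    "P-Asserted-Identity:<tel:+8613807550001;cpc=ordinary>",
    "P-Asserted-Identity: <sip:+8613800000777@peer.example.org>",
    "Call-ID: constructed-0001@peer.example.org",
    "CSeq: 1 INVITE",
    "Content-Length: 0",
    "", "",
])


def split_uri(uri):
    """Return (number, params) taken from the user part of a tel:/sip:/sips: URI."""
    scheme, _, rest = uri.strip().partition(":")
    scheme = scheme.lower()
    if scheme in ("sip", "sips"):
        user, at, _host = rest.partition("@")
        if not at:                       # sip:host carries no user part
            return "", {}
    elif scheme == "tel":
        user = rest                      # a tel: URI is all "user part"
    else:
        return "", {}
    number, *raw_params = user.split(";")
    params = {}
    for item in raw_params:
        key, _, value = item.partition("=")
        params[key.lower()] = value
    return number, params


def first_uri(header_value):
    """Extract the first URI from a name-addr (<...>) or bare addr-spec value."""
    match = re.search(r"<([^>]*)>", header_value)
    if match:
        return match.group(1)
    return re.split(r"[;,\s]", header_value.strip(), maxsplit=1)[0]


def routing_keys(raw_invite):
    """Derive the routing inputs the page describes from an initial INVITE."""
    head = raw_invite.split("\r\n\r\n", 1)[0]
    request_line, *header_lines = head.split("\r\n")
    _method, request_uri, _version = request_line.split(" ", 2)

    headers = {}
    for line in header_lines:
        name, sep, value = line.partition(":")
        if sep:
            headers.setdefault(name.strip().lower(), []).append(value.strip())

    # Called number: user part of the Request-URI.
    called, ruri_params = split_uri(request_uri)

    # Calling number: first P-Asserted-Identity, otherwise From ("f" is its compact form).
    pai = headers.get("p-asserted-identity", [])
    from_values = headers.get("from", []) + headers.get("f", [])
    identity = pai[0] if pai else (from_values[0] if from_values else "")
    calling, identity_params = split_uri(first_uri(identity))

    # CPC: only read from P-Asserted-Identity; unlisted values become "unknown".
    cpc = None                           # assumption: no cpc parameter -> None
    if pai and "cpc" in identity_params:
        value = identity_params["cpc"].lower()
        cpc = value if value in CPC_VALUES else "unknown"

    keys = {"calling": calling, "called": called, "cpc": cpc}
    for name in ("cic", "cic-context", "rn", "rn-context"):
        keys[name] = ruri_params.get(name)
    return keys


if __name__ == "__main__":
    print(routing_keys(SAMPLE_INVITE))
```
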

Media Type-based Routing Policy

The SE2900 selects a route based on the media type carried in SDP information of the initial INVITE request.

The following table lists possible media types.

| Media Type | Description | Remarks |
|---|---|---|
| Audio | The SDP 'm=' line is audio. | If the SDP 'm=' line contains both video and audio and the port number in the 'v=' line is set to 0, the media type is audio. |
| Video | The SDP 'm=' line is video and the port number in the 'v=' line is not 0. | If the SDP 'm=' line contains both video and audio and the port number in the 'v=' line is not set to 0, the media type is video. |
| Fax | The SE2900 supports only codecs G.711a, G.711u, Clearmode, ClearmodeRED, T.38, and T.38 over RTP. | - |
| File transfer | If either of the following conditions is met, the media type is file transfer: (1) The Accept-Contact header contains +g.oma.sip-im and the 'a=' line contains file-selector. (2) The Accept-Contact header contains +g.3gpp.icsi-ref="urn%3Aurn-7%3A3gpp-service.ims.icsi.oma.cpm.filetransfer". | - |
| Instant messaging (IM) message | If any of the following conditions is met, the media type is IM message: (1) The Accept-Contact header contains +g.oma.sip-im and the 'a=' line does not contain file-selector. (2) The Accept-Contact header contains +g.3gpp.icsi-ref="urn%3Aurn-7%3A3gpp-service.ims.icsi.oma.cpm.msg". (3) The Accept-Contact header contains +g.3gpp.icsi-ref="urn%3Aurn-7%3A3gpp-service.ims.icsi.oma.cpm.session". (4) The Accept-Contact header contains +g.3gpp.icsi-ref="urn%3Aurn-7%3A3gpp-service.ims.icsi.oma.cpm.largemsg". | - |
| Picture sharing | The Accept-Contact header contains +g.3gpp.iari-ref="urn%3Aurn-7%3A3gpp-application.ims.iari.gsma-is". | - |
| All media types | The media type is not specified. | The option ALL (All media types) has the lowest priority. If none of the preceding media types is matched, the SE2900 uses this option. |
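The matching rules in the media type table can be written as a small classifier over the Accept-Contact header value and the SDP body. This is an added example, not the SE2900's implementation. It assumes that the "port number in the 'v=' line" means the port of the video 'm=' line, that Accept-Contact rules are checked before SDP rules (the table only states that ALL has the lowest priority), and it omits Fax because the table gives no matching condition for it; function names and the SDP samples are constructed.

```python
ICSI_PREFIX = "urn%3Aurn-7%3A3gpp-service.ims.icsi.oma.cpm."
IARI_PICTURE = "urn%3Aurn-7%3A3gpp-application.ims.iari.gsma-is"

# Constructed SDP bodies (documentation addresses, illustrative ports).
SDP_AUDIO_VIDEO_OFF = "\r\n".join([
    "v=0", "o=- 1 1 IN IP4 192.0.2.10", "s=-", "c=IN IP4 192.0.2.10", "t=0 0",
    "m=audio 49170 RTP/AVP 8 0",
    "m=video 0 RTP/AVP 96",            # video offered but disabled (port 0)
])
SDP_AUDIO_VIDEO_ON = SDP_AUDIO_VIDEO_OFF.replace("m=video 0 ", "m=video 49172 ")
SDP_MSRP_CHAT = "\r\n".join([
    "v=0", "o=- 2 2 IN IP4 192.0.2.10", "s=-", "c=IN IP4 192.0.2.10", "t=0 0",
    "m=message 7654 TCP/MSRP *",
])
SDP_MSRP_FILE = SDP_MSRP_CHAT + '\r\na=file-selector:name:"report.pdf" size:4092'


def feature_tags(accept_contact):
    """Map each '+tag' in an Accept-Contact value to its list of (unquoted) values."""
    tags = {}
    for part in accept_contact.split(";"):
        name, _, value = part.strip().partition("=")
        if name.startswith("+"):
            values = [v.strip().lower() for v in value.strip('"').split(",")]
            tags[name.lower()] = values
    return tags


def sdp_facts(sdp):
    """Return ([(media, port), ...], file_selector_present) from an SDP body."""
    media, file_selector = [], False
    for line in sdp.splitlines():
        line = line.strip()
        if line.startswith("m="):
            fields = line[2:].split()
            port = fields[1].split("/")[0] if len(fields) >= 2 else ""
            if port.isdigit():
                media.append((fields[0].lower(), int(port)))
        elif line.startswith("a=") and "file-selector" in line:
            file_selector = True
    return media, file_selector


def classify(accept_contact, sdp):
    """Return the media type name from the table for one initial INVITE."""
    tags = feature_tags(accept_contact)
    media, file_selector = sdp_facts(sdp)
    icsi = set(tags.get("+g.3gpp.icsi-ref", []))
    iari = set(tags.get("+g.3gpp.iari-ref", []))
    sip_im = "+g.oma.sip-im" in tags

    def has_icsi(suffix):
        return (ICSI_PREFIX + suffix).lower() in icsi

    if (sip_im and file_selector) or has_icsi("filetransfer"):
        return "File transfer"
    if sip_im or any(has_icsi(s) for s in ("msg", "session", "largemsg")):
        return "IM message"
    if IARI_PICTURE.lower() in iari:
        return "Picture sharing"
    # Video wins only when a video m-line has a non-zero port.
    if any(kind == "video" and port != 0 for kind, port in media):
        return "Video"
    if any(kind == "audio" for kind, _port in media):
        return "Audio"
    return "ALL"                         # lowest priority: nothing else matched


if __name__ == "__main__":
    print(classify("", SDP_AUDIO_VIDEO_OFF))
    print(classify("*;+g.oma.sip-im", SDP_MSRP_FILE))
```
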

Call Type-based Routing Policy

The SE2900 selects a route based on the call type.

The tgrp and trunk-context parameters in the Contact header of an initial INVITE request together identify a call type.

ENUM Query-based Policy

ENUM query-based routing enables the SE2900 to map E.164 numbers into IMPUs in the URI format by querying the E.164 numbers against the ENUM server and select routes based on the IMPUs returned by the ENUM server. In this case, all routing data is aggregated on the ENUM server. Figure 3-1 shows the typical networking.

Figure 3-1 Typical networking for ENUM query-based policy

Rerouting upon Forwarding Failures

After receiving an OXX response, the SE2900 determines whether to forward packets using another trunk group in the current route based on configured policies.

Figure 3-2 Procedure for rerouting upon forwarding failures

1. The SE2900 selects a route based on the configured routing policy after receiving an initial INVITE request. Then the SE2900 selects a trunk group through which the INVITE request is forwarded to SIP AN A.

2. SIP AN A returns an OXX response to the SE2900.

3. Based on the IBCF route reselection policy, the SE2900 determines to route the initial INVITE request to SIP AN B using another trunk group in the same route.

3.2 IPv4/IPv6 Translation

3.2.1 Application Scenario

The rapid development of the IP network and the sharp increase in communication devices (including but not limited to computers) that use IP addresses to access the Internet result in a scarcity of IPv4 resources and hinder Internet development. IPv6 is introduced to resolve the IPv4 address-space depletion problem.

IPv6 has a significantly larger address space than IPv4. This larger address space results from the use of a 128-bit (16-byte) address, whereas IPv4 uses only 32 bits (4 bytes). The new address space supports about 3.4 x 10^38 addresses. The larger address space meets hierarchical address allocation requirements and public address and private address allocation requirements.

With IPv6, carriers do not need to deploy address saving technologies, such as network address translation (NAT), to alleviate IPv4 address exhaustion, which simplifies network architecture and reduces networking costs.

IPv4 and IPv6 networks will coexist for a long time. The I-SBC supports IPv4-IPv6 interworking and enables carriers to provide services with the same user experience as before.

3.2.2 Function Description

Figure 3-3 IPv4-IPv6 interworking

[Figure not reproduced. Labels: Core network A; Core network B; SE2900; IPv6; IPv4; Signaling; Media.]

The SE2900 supports IPv4/IPv6 dual-stack and is able to translate between signaling and media addresses of different types, implementing IPv4-IPv6 interworking and enabling carriers to provide services with the same user experience as before.

3.3 SIP/SIP-I/SIP-T Interworking

3.3.1 Application Scenario

SIP with encapsulated ISUP (SIP-I)/SIP for Telephones (SIP-T) is currently the preferred means for implementing interworking between the IMS network and CS network/NGN (interworking between SIP-based service platforms or IP-PBXs and PLMN/PSTN users). The reasons why SIP-I/SIP-T is preferred for the interworking are as follows:

- Only SIP-I/SIP-T is able to provide certain services.
- Although certain services can also be implemented using standard SIP on CS networks, SIP-I/SIP-T facilitates service implementation if the SIP peer supports SIP-I/SIP-T.

The SIP/SIP-I/SIP-T interworking feature allows the SE2900 to serve as an IP interworking gateway for the IMS network, NGN, CS network, and IP-PBXs, and to provide basic voice services and supplementary services for various networks.

3.3.2 Function Description

Figure 3-4 shows the networking scheme in which the SE2900 serves as an IP interworking gateway for the NGN, IMS network, and CS network. The IMS network supports SIP. The NGN and CS network support SIP/SIP-I/SIP-T.

Figure 3-4 Typical networking scheme with the SE2900 serving as an IP interworking gateway

Table 3-1 describes SIP, SIP-I, and SIP-T.

Integrated Services Digital Network User Part (ISUP) is part of the Signaling System No. 7 (SS7) and provides signals for basic bearer services and supplementary services on the ISDN network.

Table 3-1 SIP/SIP-I/SIP-T

| SIP Type | SIP | SIP-I/SIP-T |
|---|---|---|
| Defined by | IETF | ITU-T, IETF |
| Protocol ID | RFC 2976, RFC 3261, RFC 3262, RFC 3264, RFC 3311, and so on | Q.1912.5, RFC 3204, RFC 3372, and RFC 3398 |
| Definition | SIP is a text-based and application-layer control protocol that can establish, modify, and terminate multimedia sessions or calls. It is based on an HTTP-like request/response transaction model, which can be used to implement various multimedia services, including voice, video, and instant messaging services. SIP is also called standard SIP. | SIP-I and SIP-T, extensions to SIP, carry ISUP bodies in SIP messages to implement lossless transmission. |
| SIP-ISUP Interworking | Certain information, including service attributes, ISDN channel information, and announcement indication, is missing during conversion from ISUP to SIP. | ISUP bodies can be included in SIP-I/SIP-T messages and can contain interworking information about basic calls and ISUP supplementary services. |
| ISUP-SIP Mapping | - | The mappings between ISUP bodies of SIP-I messages and SIP messages are as follows: IAM = INVITE; ACM = 180 Ringing; CPG = 183; ANM = 200 OK (INVITE); CON = 200 OK (INVITE); SUS = Re-INVITE; RES = INFO; REL = BYE; RLC = 200 OK (BYE) |
| Difference | ISUP bodies are not included in SIP messages. | The ISUP body processing procedures in SIP-I and SIP-T are similar. |

3.4 SIP-H.323 Interworking

3.4.1 Application Scenario

In the I-SBC scenario, the UEs homed to different core networks support different protocols, such as SIP and H.323. The SIP-H.323 interworking feature helps implement interworking between the IMS network/NGN and the H.323 network.

The SE2900, as the convergence center of multiple solutions, is dedicated to building a seamless and intelligent border for the evolving heterogeneous network. In the all-IP era, H.323 conferences still play an important role in enterprises, and this requires the access to the SIP-based IMS network.

3.4.2 Function Description

This feature implements interworking between the IMS network/NGN and the H.323 network and enables an H.323 UE to join the IMS conference, which improves the H.323 UE's service experience.

Figure 3-5 shows a typical networking for interworking between the IMS network/NGN and the H.323 network.

Figure 3-5 Networking for interworking between the IMS network/NGN and the H.323 network

Figure 3-6 shows the typical networking for joining H.323 UEs to an IMS conference.

Figure 3-6 Networking for joining H.323 UEs to an IMS conference

SIP-H.323 Interworking Procedure

Table 3-2 describes the SIP-H.323 interworking procedure.

Table 3-2 SIP-H.323 interworking procedure

Service type: Basic services

- Fast-start call service procedure
  - SIP-to-H.323 fast-start call service
  - H.323-to-SIP fast-start call service
  - Supported audio codecs are G.711A, G.711μ, G.722, G.728, G.723, G.729A, and G.729.
  - Supported video codecs are H.261, H.263, and H.264.
- Slow-start call service procedure
  - SIP-to-H.323 slow-start call service
  - H.323-to-SIP slow-start call service
- Slow start procedure
  In a slow start procedure, a fast-start call on the SIP network can be changed to a slow-start call on the H.323 network, but a fast start call on the H.323 network cannot be changed to a slow-start call on the SIP network.
- H.245 tunneling procedure
  - H.245 tunneling procedure for a SIP-to-H.323 call
  - H.245 tunneling procedure for an H.323-to-SIP call
  - Procedure for switching from H.245 tunneling to an independent H.245 connection
- T.38 fax service procedure
  The H.323 network supports only T.38 fax services. The SE2900 supports conversion between T.38 fax services on the H.323 network and G.711 fax services on the SIP network.
- Dual tone multiple frequency (DTMF) service procedure
  The SE2900 supports the conversion of inband and outband DTMF signals between SIP and H.323 networks.

Service type: Supplementary services

- Video auxiliary service procedure
  The H.323 network uses the H.239 protocol, and the SIP network uses the Binary Floor Control Protocol (BFCP). The SE2900 supports negotiation and uses video auxiliary stream channels to complete token application for conferences.
- Far-end camera control procedure
  The SE2900 supports H.224-based camera control.
- Flexible routing procedure
- Call forwarding procedure
  When a call is being forwarded on the H.323 network, the gatekeeper (GK) replies with a Facility message that carries the forwarding information, notifying the caller that the call is being forwarded. When a call is being forwarded on the SIP network, the SE2900 converts a 181 message to a Facility message, notifying the caller that the call is being forwarded.
- No media stream detection procedure
  If the SE2900 fails to receive media streams within a period because the UE is disconnected from the network or a UE abnormality occurs, the SE2900 terminates ongoing calls. The SE2900 can detect RTP packets.
- I-frame update
  The SE2900 supports the conversion between H.323-based and SIP-based I-frame requests.
- Payload type (PT) value conversion procedure
  The SE2900 supports conversion between PT values on the SIP and H.323 networks.

Service type: Conference services

The SE2900 allows H.323 UEs to be invited to join an IMS conference.

- Procedure for inviting an H.323 UE to an IMS conference (from fast start to slow start)
- Procedure for inviting an H.323 UE to an IMS conference (slow start)
- Procedure in which an H.323 UE joins a conference
- Procedure for inviting an H.323 UE to an IMS conference with BFCP as video auxiliary stream control


3.5 Conversion Between SIP over UDP/TCP/SCTP/TLS

3.5.1 Application Scenario

As an application layer protocol, SIP runs over different transport layer protocols, including UDP, TCP, and SCTP. To guarantee that data is transmitted securely on the transport layer, the SE2900 supports TLS. Each transport mode has its own advantages and disadvantages, and each network uses a different transport mode. The SE2900 supports bearer conversion so that these networks can interwork. In the I-SBC scenario, the SE2900 supports conversion between SIP over UDP/TCP/SCTP/TLS.

3.5.2 Function Description

Figure 3-7 Conversion between SIP over UDP/TCP/SCTP/TLS

[Figure labels: core network A, SIP over UDP/TCP/SCTP/TLS, SE2900 (signaling), SIP over UDP/TCP/SCTP/TLS, core network B.]

The SE2900 allows using static or dynamic TCP links to transmit SIP messages. The SE2900

supports dynamic conversion between SIP over TCP and SIP over UDP. If the SIP message

length is greater than or equal to the MTU (1300 bytes by default), the SE2900 sets up a TCP

link and switches SIP messages to the TCP link for transmission. If the SIP message length is

less than the MTU, the SE2900 sends SIP messages using the transport protocol specified in

the initial INVITE request.

If higher transmission security is required, TLS is used between the SE2900 and peer network

to encrypt SIP messages, implementing secure transmission of SIP messages.

3.6 Audio Transcoding

3.6.1 Application Scenario

The diversity of network types and UE types results in the situation where UEs use different

media formats. For example, the UEs on the fixed network use G.711 and UEs on the mobile

network use AMR. Transcoding is required when the UEs on the fixed network and mobile

network communicate with each other.

Audio transcoding enables the SE2900 to convert media packets from one media format to

another. With this feature, the SE2900 allows UEs using different media formats to

communicate with each other.

3.6.2 Function Description

This feature supports the following types of media format conversion:


Audio transcoding

− Conversion between G.711 (including G.711A and G.711U), G.729 (including G.729A

and G.729AB), G.723.1, G.722, iLBC, AMR, and AMR-WB

− Conversion between the same AMR/AMR-WB codec with different parameters, such as different mode-set parameter values, different packetization modes, and different mode control parameter values

− Conversion between the same G.711, G.729, iLBC, AMR, or AMR-WB codec format with different ptime values

Fax conversion

− Conversion between fax over T.38 and fax over G.711

− Conversion between fax over G.711A and fax over G.711U

DTMF conversion

− Conversion between G.711 DTMF signals and RFC2833 DTMF signals

− Conversion between G.711 DTMF signals (on the bearer plane) and SIP INFO DTMF

signals (on the signaling plane)

− Conversion between RFC2833 DTMF signals (on the bearer plane) and SIP INFO

DTMF signals (on the signaling plane)

Figure 3-8 shows the scheme for communication between UEs using different codecs through

the SE2900.

Figure 3-8 Media transcoding scheme

3.7 Media Bypass

3.7.1 Application Scenario

Media bypass enables media streams in the SIP call service to be transmitted between UEs

without passing through the SE2900, saving bearer resources on the core network and

reducing the media delay.

3.7.2 Function Description

In the I-SBC scenario, media bypass has two modes:

Intra-trunk-group automatic media bypass

When the caller and callee belong to the same trunk group, media streams are

transmitted between the caller and callee without passing through the SE2900.

Forced media bypass


The SE2900 does not modify SDP so that media streams do not pass through the

SE2900.

Figure 3-9 shows media bypass networking in the I-SBC scenario.

Figure 3-9 Media bypass networking in the I-SBC scenario


4 Interworking Network Redundancy

4.1 Core Network Redundancy

4.1.1 Application Scenario

The core network redundancy feature is a geographical redundancy solution that allows the SE2900 to interconnect with core servers in physically disparate sites, thereby ensuring service continuity even if a core server becomes unavailable unexpectedly.

This feature is used when the SE2900 interconnects with core servers that are located in physically disparate sites to implement geographical disaster tolerance.

4.1.2 Function Description

With this feature, the SE2900 sends SIP OPTIONS messages to the core servers periodically

and switches service traffic from the failed core server to other core servers.

The SE2900 supports two networking modes for core network redundancy: dual-homing and

P-CSCF pool. Table 4-1 describes the two modes.

Table 4-1 Networking modes for implementing the redundancy of core network feature

| Networking Mode | Description | Networking Diagram |
|---|---|---|
| Dual-homing | The SE2900 is homed to two core servers that work in master/slave mode. Normally, the SE2900 is controlled and managed by the master core server. The SE2900 periodically sends SIP OPTIONS messages to detect the link status between the SE2900 and core servers. If the master core server fails, the slave core server takes over. | (diagram not reproduced) |
| Pool | The SE2900 is homed to a pool of core servers that work in load-balancing mode. In normal cases, the SE2900 balances the load among the core servers in the same pool. The SE2900 periodically sends SIP OPTIONS messages to detect the link status between the SE2900 and the core servers in the pool. Once a core server becomes faulty, the SE2900 balances the load among the remaining core servers. | (diagram not reproduced) |
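The OPTIONS-based failover that Table 4-1 describes, as an added example (not Huawei code or configuration). The miss threshold, the fail-back to the master on the first answered probe, the round-robin pool policy, and all host names are assumptions; probe results are fed in by hand so the example runs offline.

```python
from dataclasses import dataclass


def build_options(target_host, local_host, seq):
    """Build a minimal SIP OPTIONS keepalive request (constructed host names)."""
    lines = [
        f"OPTIONS sip:{target_host} SIP/2.0",
        f"Via: SIP/2.0/UDP {local_host};branch=z9hG4bK-ka-{seq}",
        "Max-Forwards: 70",
        f"From: <sip:sbc@{local_host}>;tag=ka{seq}",
        f"To: <sip:{target_host}>",
        f"Call-ID: ka-{seq}@{local_host}",
        f"CSeq: {seq} OPTIONS",
        "Content-Length: 0",
        "", "",
    ]
    return "\r\n".join(lines).encode()


@dataclass
class CoreServer:
    name: str
    role: str = "member"   # "master" / "slave" in dual-homing, "member" in a pool
    misses: int = 0        # consecutive unanswered OPTIONS probes
    up: bool = True


class CoreServerMonitor:
    """Tracks probe results and picks the core server for the next request."""

    def __init__(self, servers, mode, fail_after=3):
        if mode not in ("dual-homing", "pool"):
            raise ValueError(f"unknown mode: {mode}")
        self.servers = {s.name: s for s in servers}
        self.mode = mode
        self.fail_after = fail_after   # assumption: threshold is not given on the page
        self._next = 0                 # round-robin cursor for pool mode

    def record_probe(self, name, answered):
        """Feed the outcome of one OPTIONS probe; returns the server's new state."""
        server = self.servers[name]
        if answered:
            server.misses, server.up = 0, True   # assumption: one answer restores it
        else:
            server.misses += 1
            if server.misses >= self.fail_after:
                server.up = False
        return server.up

    def select(self):
        """Return the server name to use, or None when every server is down."""
        alive = [s for s in self.servers.values() if s.up]
        if not alive:
            return None
        if self.mode == "dual-homing":
            # Master whenever it is up; the slave only takes over on failure.
            alive.sort(key=lambda s: s.role != "master")
            return alive[0].name
        # Pool: spread requests over whichever members are still up.
        choice = alive[self._next % len(alive)]
        self._next += 1
        return choice.name


if __name__ == "__main__":
    mon = CoreServerMonitor(
        [CoreServer("core-a.example", "master"), CoreServer("core-b.example", "slave")],
        mode="dual-homing",
    )
    print(build_options("core-a.example", "sbc.example", 1).decode())
    for _ in range(3):
        mon.record_probe("core-a.example", answered=False)
    print("after three missed probes ->", mon.select())
```
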

4.2 SBC Redundancy

Multiple I-SBCs are deployed in the same equipment room or different equipment rooms and

work in load-balancing mode to provide non-stop services, implementing geographic

redundancy (GR) and enhancing interworking reliability. Generally, each I-SBC can process

services and supports redundancy. If one I-SBC becomes faulty, other I-SBCs can take over

services to ensure service continuity.

Two modes are available:

Master/backup mode: Under normal circumstances, the master SE2900 processes

services, and the backup SE2900 does not process services. The backup SE2900 takes

over services only when both the devices on the core network and another type of

network detect that the master SE2900 becomes faulty.

Load-balancing mode: Each SE2900 shares 50% of the total services. When both the

devices on the core network and another type of network detect that the master SE2900

becomes faulty, all services are switched to the other SE2900 for processing.


Figure 4-1 Load-balancing networking

[Figure labels: core network, dynamic routing area, SBC A (SE2900), SBC B (SE2900), dynamic routing area, another type of network.]


5 Security Management

5.1 Security Overview

The SE2900 security solution ensures that hardware, software, and data stored on the SE2900

are protected against network congestion, disconnection, failure or unauthorized control

caused by rogue processes, and that data on the live network is not discarded, disclosed, or

tampered with.

The core network to which the SE2900 is homed might adopt the all-IP network structure and

use SIP as its session control mechanism. The combination of factors, such as the

development of the information communication technology (ICT), the emergence of

intelligent UEs, and the growing service integration presents serious security challenges to the

core network. Because of the openness of the IP network and scalability of SIP, the core

network is vulnerable to attacks from unauthorized users and hackers. If carrier networks

become unavailable due to security issues, services are interrupted and user experiences are

adversely affected, causing revenue deterioration, customer attrition, and negative brand

awareness.

The SE2900, being deployed at the entry of the core network, provides security functions at

various levels and ensures the security of itself and core servers.

5.1.1 Major Security Challenges

Major security challenges that the SE2900 and the core network face are as follows:

Network openness

The SE2900 is deployed at the edge of the core network and allows only authorized and

secure UEs from the untrusted access network to access the core network.

All-IP architecture of the core network

Using the all-IP network architecture, the core network is exposed directly to attacks

from the Internet. Hackers may attack the core network any way they can. Therefore, the

SE2900, as the first entrance to the core network, must be capable of defending against

IP layer attacks.

SIP flexibility

The increasing popularity and strong scalability of SIP makes it susceptible to various

forged and malformed packets on live networks. Therefore, the SE2900 must be capable

of identifying and filtering out abnormal signaling packets.

Signaling and media attacks


The SE2900 functions as a signaling and media proxy. Therefore, the SE2900 must be

capable of defending against both signaling and media attacks.

Traffic storm

In peak hours, the traffic volume surges, and overloaded network devices suffer from

DoS attacks. To resolve this issue, the SE2900 restricts the volume of the signaling and

media traffic and the rate of registration and call packets.

5.1.2 Major Attack Means

Figure 5-1 shows the major means used to attack core networks.

Figure 5-1 Major attack means

Sabotage

An attacker launches DoS/DDoS and malformed SIP packet attacks against key resources, such as bandwidth, links, and device processing capability, on the core network. As a result, core servers are deprived of their service processing capabilities, and resources become unavailable to legitimate users. Major attack means are as follows:

− DoS/DDoS attack: An attacker sends a huge number of messages in a short period of

time or sends SIP requests that may result in local loopbacks to the core network. As

a result, core servers cannot process services because resources are exhausted.

− Malformed SIP packet attack: An attacker sends malformed SIP packets that do not conform to Internet Engineering Task Force (IETF) and 3rd Generation Partnership Project (3GPP) protocols and standards to the core network. As a result, core servers malfunction and cannot process services.

Fraudulent use of network resources


An attacker tampers with the information carried in messages exchanged between users

and the core network, such as user information and codec types in call signaling

messages. In this way, the attacker can use network resources free of charge. Common

cases are toll fraud and bandwidth theft.

− Toll fraud: An attacker intercepts the signaling packets of a legitimate user. The

attacker then tampers with the signaling packets and uses this user's account to

initiate a call.

− Bandwidth theft: After a call has been established, an attacker uses fraudulent means

(for example, using a different codec from the codec that is negotiated during the call

setup) to use more bandwidth than allowed.

Information disclosure

An attacker uses illegal means to obtain core network information, such as network

topology and user accounts and passwords. The common attacks are information

scanning and eavesdropping.

− Information scanning: An attacker uses scanning tools to probe for the IP addresses,

ports, and service software types of core servers in order to exploit security

vulnerabilities. For example, an attacker uses scanning software to initiate a series of

TCP connection requests sent to the ports of a core network device. By analyzing the

response packets, the attacker identifies the ports that the core network device uses to

provide services. Then the attacker attacks the core network device by using these

ports. Attackers may also use scanning tools to probe for the routing information

carried in call signaling messages in order to collect core network architecture

information and launch attacks.

− Information eavesdropping: An attacker uses illegal software to listen to the SIP

signaling information of the core network to obtain key information, such as the

network topology, user identity information, user traffic information, and instant

messages. Attackers may also capture TCP/IP packets during transmission and

intercept and tamper with the packets. After stealing key user information, such as

passwords and user rights, attackers tamper with user information to be able to

control core network devices.

Information deletion

Network information or resources are maliciously intercepted and deleted, causing the

loss of system information, such as operation logs and system files. In common cases,

attackers may intercept or delete system files by embedding viruses and Trojan horses.

− Information deletion: An attacker obtains the super administrator account and password

by embedding malicious software into the operating system (OS) or database, and then

intercepts or deletes files or data, or uses malicious software to directly delete system

files, causing the loss of operation logs or key data.

5.2 Security Implementation

The SE2900 security solution provides rich protection schemes to ensure the security of core

servers and services as well as the SE2900 itself.

5.2.1 Security Features

The SE2900 security solution provides the following security features:

Confidentiality: prevents exposure of core network information to unauthorized users

and entities.


Integrity: prevents data tampering by unauthorized users.

Availability: allows access by authorized entities and prevents DoS attacks.

Traceability: provides historical event records, which can be used to investigate attacks

on the network.

Data security: protects against hacker intrusion and password attacks to achieve secure

data transmission.

These features provide security for the SE2900 and core network in the following aspects:

Software security: protects the SE2900 system software from being hacked, duplicated,

tampered with, or infected by viruses.

Data security: prevents data on the SE2900 and core network from being accessed by

unauthorized users to ensure data confidentiality, integrity, and availability.

Management security: provides measures to achieve secure network management,

including regulations, security auditing, and risk analysis.

5.2.2 Major Security Strategies

The SE2900 adopts the following security strategies:

Software platform security

The OMU provides the basic security capabilities, ensuring the basic architecture for the

security of the OS, database, and security logs.

Border attack defense

Serving as an ingress node to the core network, the SE2900 uses a series of measures to

shield the core network from outside attacks. The measures include packet filtering, IP

layer attack defense, and signaling/media attack defense.

Network isolation

The SE2900 separates the control plane, user plane, and management plane from each

other through security measures, such as physical isolation, plane isolation, VPN, and

VLAN, ensuring information security.

Media security

The SE2900 uses media pinholing firewall and RTP packet checks to filter media

streams that pass through the SE2900. These measures defend against media attacks and

improve service quality.

In addition, the SE2900 uses SRTP media encryption to encrypt the RTP packets

transmitted between UEs and the SE2900, ensuring the security of call content.

Principle of least privilege

Both end users and network maintenance personnel are granted only the least privilege,

bandwidth, and system resources that are needed to complete their operations. By default,

the SE2900 disables unnecessary network services and operation rights to minimize

network security risks.
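The media pinholing and RTP packet checks listed under "Media security", as an added example (not SE2900 code). It assumes the peer sends RTP from the address and port it advertised in SDP (symmetric RTP); the SDP body, addresses and helper names are constructed for the example.

```python
import struct
from dataclasses import dataclass

# Constructed SDP answer: the peer offers G.711 A-law (PT 8) and telephone-event (PT 101).
SDP_ANSWER = (
    "v=0\r\n"
    "o=- 1 1 IN IP4 198.51.100.10\r\n"
    "s=-\r\n"
    "c=IN IP4 198.51.100.10\r\n"
    "t=0 0\r\n"
    "m=audio 40000 RTP/AVP 8 101\r\n"
    "a=rtpmap:8 PCMA/8000\r\n"
    "a=rtpmap:101 telephone-event/8000\r\n"
)


@dataclass(frozen=True)
class Pinhole:
    ip: str
    port: int
    payload_types: frozenset


def pinholes_from_sdp(sdp):
    """Open one pinhole per accepted RTP media line (port 0 means rejected)."""
    session_ip, media, current, in_media = None, [], None, False
    for line in sdp.splitlines():
        if line.startswith("m="):
            in_media, current = True, None
            _kind, port, proto, *fmts = line[2:].split()
            port = int(port.split("/")[0])
            if proto.startswith("RTP/") and port != 0:
                current = [session_ip, port, frozenset(int(f) for f in fmts)]
                media.append(current)
        elif line.startswith("c="):
            addr = line.split()[-1]
            if not in_media:
                session_ip = addr          # session-level connection address
            elif current is not None:
                current[0] = addr          # media-level c= overrides it
    return [Pinhole(*m) for m in media]


def check_rtp(packet, src_ip, src_port, pinholes):
    """Return (allowed, reason) for one packet arriving on the media plane."""
    hole = next((h for h in pinholes if (h.ip, h.port) == (src_ip, src_port)), None)
    if hole is None:
        return False, "no pinhole for source"
    if len(packet) < 12:
        return False, "shorter than RTP fixed header"
    if packet[0] >> 6 != 2:
        return False, "bad RTP version"
    if len(packet) < 12 + 4 * (packet[0] & 0x0F):
        return False, "truncated CSRC list"
    pt = packet[1] & 0x7F
    if pt not in hole.payload_types:
        # A codec other than the negotiated one: the bandwidth-theft case.
        return False, f"payload type {pt} not negotiated"
    return True, "ok"


def make_rtp(pt, seq):
    """Constructed RTP packet: version 2, no CSRC, 160 bytes of payload."""
    return struct.pack("!BBHII", 0x80, pt & 0x7F, seq, seq * 160, 0x1234ABCD) + b"\xd5" * 160


if __name__ == "__main__":
    holes = pinholes_from_sdp(SDP_ANSWER)
    for pkt, ip, port in [
        (make_rtp(8, 1), "198.51.100.10", 40000),    # negotiated codec
        (make_rtp(96, 2), "198.51.100.10", 40000),   # codec that was never negotiated
        (make_rtp(8, 3), "203.0.113.5", 40000),      # source outside the pinhole
    ]:
        print(ip, port, check_rtp(pkt, ip, port, holes))
```
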

5.3 Security Architecture

The SE2900 security architecture is composed of three layers and three planes. Each layer or

plane has a security mechanism to defend against specific security threats. Figure 5-2 shows

the SE2900 security architecture.


Figure 5-2 SE2900 security architecture

Figure 5-2 lists the most typical security threats and basic security measures the SE2900 takes

to tackle the threats. For the principles and definitions applied to the security layers and

planes, see Security Layers and Service/Management Planes. For the security threats on

security layers and planes and corresponding measures the SE2900 takes to tackle the threats,

see the basic architecture layer, network layer, and application layer.

The security architecture enables the SE2900 to start the attack defense from the large traffic

attacks that are easy to defend against. The following figure shows the detail.


The SE2900 hardware implements the defense against network layer attacks because

such attacks have relatively fixed patterns. The SE2900 software implements the defense

against the following attacks:

− Unicast reverse path forwarding (URPF)

− ICMP flood attacks

− Large ICMP packet attacks

− IP fragment attacks

− Teardrop attacks

− SYN flood attacks

− WinNuke attacks

− UDP flood attacks

− UDP short header attacks

− Fraggle attacks

The HRU module provides the signaling DoS/DDoS attack defense function and

implements the defense against signaling DoS/DDoS attacks below the signaling plane.

The HRU module also provides the media pinholing firewall function and implements

the defense against attacks on the media plane because such attacks incur large traffic

volume.

The security analysis center (SEM) collects fault information from the TCP protocol

stack, flow control module, and SIP processing module, identifies the attacks that incur

low traffic volume, generates dynamic blacklist entries accordingly, and delivers the

generated blacklist entries to the HRU or SIP processing module for further processing.

The SIP processing module also supports call admission control (CAC), which is

independent of the SEM, controlling user behavior at the application layer.
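The SEM behaviour described above (collect fault reports from several modules, spot a source whose low-rate faults add up, and issue a dynamic blacklist entry), as an added example rather than SE2900 code. The window, threshold, block time, fault names and event list are all constructed assumptions.

```python
from collections import defaultdict, deque
from dataclasses import dataclass

WINDOW_S = 60     # assumption: look-back window for fault reports
THRESHOLD = 5     # assumption: faults within the window that trigger a block
BLOCK_S = 600     # assumption: lifetime of a dynamic blacklist entry

# Constructed fault reports: (time in seconds, reporting module, source IP, fault)
EVENTS = [
    (0, "sip", "203.0.113.7", "malformed-header"),
    (5, "tcp", "198.51.100.20", "reset"),
    (10, "sip", "203.0.113.7", "malformed-header"),
    (20, "tcp", "203.0.113.7", "half-open-timeout"),
    (30, "flow-control", "203.0.113.7", "register-rate-exceeded"),
    (40, "sip", "203.0.113.7", "malformed-header"),
    (45, "sip", "203.0.113.7", "malformed-header"),
    (200, "sip", "198.51.100.20", "auth-failure"),
]


@dataclass(frozen=True)
class BlacklistEntry:
    src_ip: str
    created: int
    expires: int
    evidence: tuple   # modules whose reports contributed to the decision


class SecurityAnalysisCenter:
    """Correlates per-source fault reports that are individually too small to
    trip a volume-based defence."""

    def __init__(self, window_s=WINDOW_S, threshold=THRESHOLD, block_s=BLOCK_S):
        self.window_s, self.threshold, self.block_s = window_s, threshold, block_s
        self._recent = defaultdict(deque)   # src_ip -> deque of (time, module, fault)
        self.blacklist = {}                 # src_ip -> BlacklistEntry

    def _expire(self, now):
        for ip in [ip for ip, e in self.blacklist.items() if e.expires <= now]:
            del self.blacklist[ip]

    def is_blocked(self, src_ip, now):
        self._expire(now)
        return src_ip in self.blacklist

    def report(self, t, module, src_ip, fault):
        """Record one fault; return a new BlacklistEntry when the source crosses
        the threshold, else None. The entry is what would be handed to the
        enforcing module."""
        if self.is_blocked(src_ip, t):
            return None                     # already being dropped upstream
        recent = self._recent[src_ip]
        recent.append((t, module, fault))
        while recent and recent[0][0] <= t - self.window_s:
            recent.popleft()
        if len(recent) < self.threshold:
            return None
        modules = tuple(sorted({m for _, m, _ in recent}))
        entry = BlacklistEntry(src_ip, t, t + self.block_s, modules)
        self.blacklist[src_ip] = entry
        del self._recent[src_ip]
        return entry


if __name__ == "__main__":
    sem = SecurityAnalysisCenter()
    for event in EVENTS:
        entry = sem.report(*event)
        if entry:
            print("blacklist", entry)
```
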

5.3.1 Security Layers

The three layers in the SE2900 architecture are the basic architecture layer, network layer, and

application layer. Table 5-1 describes these layers and the items under their protection.


Table 5-1 Security layers

| Security Layer | Description | Protected Objects (Device Model) | Protected Objects (OSI Model) |
|---|---|---|---|
| Basic architecture layer | Based on software and hardware architectures of the CGP platform, the SE2900 secures the OS, database, system software, and system patches. | Database layer, OS layer, Hardware layer | Data link layer, Physical layer |
| Network layer | Using network isolation, access control, and network layer attack defense, the SE2900 secures the access to network resources and services. | - | Transport layer, Network layer |
| Application layer | Using application layer attack defense, signaling/media packet check, signaling/media packet encryption, and LMT security hardening, the SE2900 provides upper layer security for access control, service application, system maintenance accounts, and system logs. | Application layer | Application layer, Presentation layer, Session layer |

Table 5-1 lists the mapping between security layers and device models. Figure 5-3 shows the

mapping.


Figure 5-3 Mapping between security layers and device models

5.3.2 Service/Management Planes

The three planes of the SE2900 architecture are the control plane, user plane, and

management plane. Table 5-2 describes these planes and protected objects.

Table 5-2 Service/management planes

| Service/Management Plane | Description | Protected Objects |
|---|---|---|
| Control plane | The SE2900 provides security for the signaling streams of service applications on the control plane by implementing security policies, such as DoS/DDoS signaling attack defense, intrusion prevention, flow control, CAC, blacklist and whitelist, topology hiding, and signaling encryption. | Data related to signaling control |
| User plane | The SE2900 provides security for RTP sessions and the bandwidth allocated to these sessions by implementing security policies, such as the media pinholing firewall, RTP packet attack defense, bandwidth control, and media encryption. | Data related to media |
| Management plane | The SE2900 provides security for the operation, administration, and maintenance (OAM) management by implementing security policies, such as account security, data transmission security, authentication and authorization, security alarm, and web security. | Data related to centralized management and maintenance |

The control plane, user plane, and management plane are isolated from each other. Each plane at the

basic architecture layer and network layer faces the same security issues and challenges. Therefore, the

security mechanisms at the basic architecture layer and network layer apply to each plane.

5.3.3 Security Dimensions

Table 5-3 describes the mapping between the SE2900 security measures and ITU X.805

security dimensions.

Table 5-3 Security dimensions

| ITU X.805 Security Dimension | SE2900 Security Measure |
|---|---|
| Access control | Network isolation, ACL, CAC, SIP header manipulation, media pinholing firewall, and bandwidth control |
| Authentication and authorization | Brute force cracking attack defense, authentication through digital certificates, and principle of least privilege |
| Non-repudiation | Logs and alarms |
| Data confidentiality | Signaling encryption, media encryption, OAM transmission encryption, and password encryption |
| Communication security | Network isolation, signaling encryption, media encryption, and remote maintenance security |
| Data integrity | Signaling encryption, media encryption, transmission security, integrity protection in SNMP and similar protocols, and system software integrity protection |
| Availability | OS security hardening, database security hardening, security patches, network layer attack defense, signaling attack defense, and media attack defense |
| Privacy | Topology hiding and privacy protection |


6 Charging

6.1 Local CCF Charging

6.1.1 Application Scenario

The SE2900 serves as the IBCF to provide offline charging. Two charging networking modes

are available: embedded CCF and external CCF.

6.1.2 Function Description

External CCF

When charging conditions are met, the SE2900 collects charging information from signaling

messages and sends Diameter Accounting Request (ACR) messages to the CCF over the Rf

interface.

Embedded CCF

The CCF can be embedded on the SE2900. No CCF needs to be deployed on the network.

After the SE2900 reports charging information, the embedded CCF generates original CDRs,

processes the original CDRs and the CDRs generated by other NEs, generates final CDRs,

and sends the final CDRs to the BC.

Local CCF charging can be implemented in dual-system mutual backup or single-system

networking.


Figure 6-1 Single-system networking

In dual-system mutual backup networking, the CCFs operate in master/backup mode. Once

the master CCF fails, the backup CCF takes over and sends charging data records (CDRs) to

the billing center (BC). See Figure 6-2.

Figure 6-2 Dual-system mutual backup networking


7 Flexible Adaptation

7.1 DSCP Remarking

7.1.1 Application Scenario

DSCP remarking enables the SE2900 to set different differentiated services code point (DSCP)

values for signaling and media packets. After receiving data packets, a router preferentially

forwards packets with higher DSCP priorities to ensure VoIP quality of service (QoS).

7.1.2 Function Description

Figure 7-1 shows DSCP remarking.

Figure 7-1 DSCP remarking

This feature applies to the I-SBC scenario where the services of high-priority users or office

directions need to be ensured.

Related Concepts

In the Differentiated Services (DiffServ) system, users can use the DiffServ field, which

marks the service level of a packet, to apply for services at different levels. The first six bits

of the DiffServ field are DSCP. The set of packets with the same DSCP value is called a

behavior aggregate (BA). A router keeps the DSCP-to-PHB mapping. Per-hop behavior (PHB)

indicates the behavior meeting a forwarding requirement, such as traffic policing, traffic


shaping, and queue management. When a packet enters a router, this packet is classified into a

BA according to its DSCP and forwarded by a specific PHB.

Based on the QoS classification standards of DiffServ, the type of service (ToS) field in the IP header of each data packet is used to distinguish the DSCP priorities. That is, you can set different values for the six used bits and two unused bits of the ToS field for identification purposes. The DSCP is a combination of the IP Precedence and ToS fields. Because DSCP values are compatible with the IP Precedence field, older routers that support only the IP Precedence field can still be employed. Each DSCP value maps to a defined PHB code. UEs identify traffic based on the specified DSCP values.
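
The ToS byte layout described above, as an added example (not code from the white paper or from the SE2900): it decodes a ToS byte into DSCP, IP Precedence and PHB name, then remarks an IPv4 header and recomputes the header checksum, which is what overriding a peer-supplied marking at a network border involves. The sample header, its addresses and all function names are constructed for illustration.

```python
import struct

# Well-known code points: class selectors (RFC 2474), AF (RFC 2597), EF (RFC 3246).
PHB_NAMES = {46: "EF"}
PHB_NAMES.update({8 * c: f"CS{c}" for c in range(8)})
PHB_NAMES.update({8 * c + 2 * d: f"AF{c}{d}" for c in range(1, 5) for d in range(1, 4)})


def decode_tos(tos):
    """Split the ToS byte: DSCP is the upper 6 bits, IP Precedence the upper 3."""
    dscp = tos >> 2
    return {"dscp": dscp, "low2": tos & 0x03, "precedence": dscp >> 3,
            "phb": PHB_NAMES.get(dscp, "unknown")}


def ipv4_checksum(header):
    """One's-complement header checksum; returns 0 for a header whose checksum is valid."""
    total = sum(struct.unpack(f"!{len(header) // 2}H", header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def remark(header, new_dscp):
    """Return a copy of an IPv4 header with the DSCP rewritten and the checksum fixed."""
    if not 0 <= new_dscp <= 63:
        raise ValueError("DSCP is a 6-bit value")
    hdr = bytearray(header)
    ihl = (hdr[0] & 0x0F) * 4
    if hdr[0] >> 4 != 4 or ihl < 20 or len(hdr) < ihl:
        raise ValueError("not a complete IPv4 header")
    hdr[1] = (new_dscp << 2) | (hdr[1] & 0x03)  # low 2 bits (ECN in RFC 3168) are kept
    hdr[10:12] = b"\x00\x00"                    # zero the checksum field before summing
    hdr[10:12] = struct.pack("!H", ipv4_checksum(bytes(hdr[:ihl])))
    return bytes(hdr)


# Constructed sample: 20-byte IPv4/UDP header arriving marked CS7 (ToS 0xE0).
SAMPLE = bytes.fromhex("45e0003c1c4640004011" "0000" "c0000201c6336402")
SAMPLE = SAMPLE[:10] + struct.pack("!H", ipv4_checksum(SAMPLE)) + SAMPLE[12:]
```

Remarking `SAMPLE` to DSCP 46 changes the ToS byte from 0xE0 to 0xB8, so a router that reads only IP Precedence sees the value drop from 7 to 5.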

7.2 Media Policy

7.2.1 Application Scenario

The media policy feature enables the SE2900 to flexibly control media capabilities, such as the early media, media types, media codecs, and bandwidth. This feature enables different types of UEs to communicate using the same media type and codec.

7.2.2 Function Description

Early media gating control: The SE2900 enables or disables the gating control based on the P-Early-Media header in a message from the core network.

Media update in the forking scenario: The SE2900 performs bearer control over the early media packets transferred along the forking paths and updates the media based on the carried P-Early-Media header.

Media type check: The SE2900 blocks media packets of specific types, such as video packets.

Media bandwidth check: The SE2900 restricts the bandwidth for each type of media packet, preventing UEs from overusing media bandwidth.

Media codec check: The SE2900 restricts the audio and video codecs allowed across the network.

Media codec sorting: The SE2900 sorts the media codecs in the SDP offer by priority, ensuring that high-priority media codecs are used in the communication between the caller and callee.

Handling media capability check failures: When the SE2900 fails to perform a media capability check, it determines whether to return a response or continue to process and forward media packets according to the configured media policy.

No media stream detection: When the signaling plane is normal but the media plane is abnormal, the SE2900 sends BYE messages to the core servers if it fails to detect any media streams within the specified period. Upon receipt of the BYE message, the associated core server tears down the session, improving charging accuracy.
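
The media codec check and media codec sorting described above, as an added example (not the SE2900's implementation or configuration syntax): it removes audio codecs that a policy does not permit from an SDP offer, reorders the remaining ones by policy priority, and reports a check failure when nothing permitted is left. The policy format, function name and sample offer are assumptions constructed for illustration, and a single audio section per offer is assumed.

```python
import re

# Static RTP payload types that need no a=rtpmap line (RFC 3551).
STATIC_PT = {"0": "PCMU", "3": "GSM", "4": "G723", "8": "PCMA", "18": "G729"}

# Constructed sample offer (not captured traffic).
SAMPLE_OFFER = "\r\n".join([
    "v=0", "o=- 1 1 IN IP4 192.0.2.10", "s=-", "c=IN IP4 192.0.2.10", "t=0 0",
    "m=audio 49170 RTP/AVP 0 8 18 97 101",
    "a=rtpmap:97 AMR-WB/16000", "a=fmtp:97 octet-align=1",
    "a=rtpmap:101 telephone-event/8000", "a=fmtp:101 0-15",
    "m=video 51372 RTP/AVP 98", "a=rtpmap:98 H264/90000", "",
])


def apply_codec_policy(sdp, allowed_by_priority):
    """Codec check and sort on the audio section; returns (sdp, None) or (None, reason)."""
    rank = {name.upper(): i for i, name in enumerate(allowed_by_priority)}
    lines = sdp.strip().splitlines()
    names, in_audio = dict(STATIC_PT), False
    for ln in lines:                        # pass 1: learn dynamic payload names
        if ln.startswith("m="):
            in_audio = ln.startswith("m=audio ")
        m = re.match(r"a=rtpmap:(\d+) ([^/\s]+)/", ln)
        if in_audio and m:
            names[m.group(1)] = m.group(2).upper()
    out, kept, in_audio = [], set(), False
    for ln in lines:                        # pass 2: rewrite m=audio, drop orphaned attributes
        if ln.startswith("m="):
            in_audio = ln.startswith("m=audio ")
            if in_audio:
                media, port, proto, *pts = ln[2:].split()
                ok = [p for p in pts if names.get(p) in rank]
                if not ok:
                    return None, "no permitted audio codec in offer"
                ok.sort(key=lambda p: rank[names[p]])
                kept = set(ok)
                ln = "m=" + " ".join([media, port, proto, *ok])
        elif in_audio:
            m = re.match(r"a=(?:rtpmap|fmtp):(\d+)", ln)
            if m and m.group(1) not in kept:
                continue                    # attribute belongs to a removed payload type
        out.append(ln)
    return "\r\n".join(out) + "\r\n", None
```

With the policy `["AMR-WB", "PCMA", "telephone-event"]`, the audio line of `SAMPLE_OFFER` becomes `m=audio 49170 RTP/AVP 97 8 101`; the caller decides what to do with a returned failure reason, matching the configurable failure handling described above.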

7.3 SIP Header Manipulation

7.3.1 Application Scenario

SIP header manipulation provides a mechanism to flexibly control SIP messages. It has the following advantages:

Enables a carrier network to have better SIP application-layer attack defense capability.

Helps carriers quickly solve interworking problems related to protocol use.

7.3.2 Function Description

Figure 7-2 SIP header manipulation implementation

SIP header manipulation enables the SE2900 to manipulate the SIP messages meeting certain conditions based on regular expression match rules.

Actions that the SE2900 performs on the matching first lines include DISCARD (Discard), DENY (Deny), DELETE (Delete), REPLACE (Replace), and SAVE (Save).

Actions that the SE2900 performs on the matching headers include DISCARD (Discard), DENY (Deny), DELETE (Delete), REPLACE (Replace), INSERT (Insert), and SAVE (Save).

Actions that the SE2900 performs on the matching message bodies include DISCARD (Discard), DENY (Deny), DELETE (Delete), REPLACE (Replace), and SAVE (Save).
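
Regular-expression match rules applied to SIP headers, as an added example (not the SE2900's rule syntax or implementation): a small rule engine that models five of the header actions named above. The rule tuple format, the meaning given to each action (DISCARD drops silently, DENY rejects, SAVE stores the matched text), the header `X-Internal-Route`, and the sample message are assumptions constructed for illustration; folded and compact-form headers are not handled.

```python
import re

# Hypothetical rule format: (header name, regex on the value, action, argument).
RULES = [
    ("User-Agent", r"(?i)example-scanner", "DISCARD", None),
    ("Call-ID", r"^.{129,}$", "DENY", None),
    ("X-Internal-Route", r".*", "DELETE", None),
    ("Contact", r"10\.\d{1,3}\.\d{1,3}\.\d{1,3}", "REPLACE", "192.0.2.1"),
    ("From", r"sip:[^>;]+", "SAVE", "caller"),
]

# Constructed sample message (not captured traffic).
SAMPLE_INVITE = "\r\n".join([
    "INVITE sip:bob@example.net SIP/2.0",
    "Via: SIP/2.0/UDP 10.1.2.3:5060;branch=z9hG4bK776asdhds",
    "From: <sip:alice@example.com>;tag=1928301774",
    "To: <sip:bob@example.net>",
    "Call-ID: a84b4c76e66710",
    "CSeq: 1 INVITE",
    "Contact: <sip:alice@10.1.2.3:5060>",
    "User-Agent: ExamplePhone/1.0",
    "X-Internal-Route: core-7",
    "Content-Length: 0",
    "", "",
])

def apply_rules(message, rules):
    """Return (verdict, message, saved); verdict is FORWARD, DISCARD or DENY."""
    head, sep, body = message.partition("\r\n\r\n")
    first_line, *headers = head.split("\r\n")
    saved, out = {}, []
    for line in headers:
        name, _, value = (part.strip() for part in line.partition(":"))
        keep = True
        for hdr, pattern, action, arg in rules:
            match = re.search(pattern, value)
            if hdr.lower() != name.lower() or not match:
                continue
            if action in ("DISCARD", "DENY"):
                return action, None, saved  # caller drops, or rejects with an error response
            if action == "DELETE":
                keep = False
            elif action == "REPLACE":
                value = re.sub(pattern, arg, value)
            elif action == "SAVE":
                saved[arg] = match.group(0)
        if keep:
            out.append(f"{name}: {value}")
    return "FORWARD", "\r\n".join([first_line, *out]) + sep + body, saved
```

Running `apply_rules(SAMPLE_INVITE, RULES)` forwards the message with the private Contact address replaced and `X-Internal-Route` removed; the Via header keeps its address because no rule names it, which shows why rules are scoped per header.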

8 QoS Assurance

8.1 IP One-Way Audio Detection

8.1.1 Application Scenario

IP one-way audio detection helps locate faults in voice services on the IP bearer network and provides auxiliary fault location information. The faults include one-way audio, no audio, short mute, and noises that are caused by internal packet drop on the SE2900. This feature helps carriers better understand the network status and obtain auxiliary fault location information.

8.1.2 Function Description

The SE2900 implements this feature as follows:

One-way audio detection on IP terminations: The SE2900 detects incoming and outgoing data packets on IP terminations.

One-way audio detection triggered by internal packet drop: When the packet drop rate on the SE2900 exceeds a specified threshold, the SE2900 considers that one-way audio occurs and logs a one-way audio event.

Figure 8-1 shows the IP one-way audio detection implementation.

Figure 8-1 IP one-way audio detection implementation

1. IP one-way audio detection is enabled on the LMT.

2. The SE2900 performs one-way audio detection on IP terminations or detects one-way audio caused by internal packet drop. The SE2900 logs an event on the OMU hard disk after detecting one-way audio.

3. You obtain one-way audio logs from the SE2900 and analyze them.

8.2 Voice Quality Reporting

8.2.1 Application Scenario

Voice quality reporting enables carriers to monitor the network status on the media plane and the operating status of the network, based on which the carriers can adjust and optimize the network and improve service quality. In addition, the reported QoS data can also be used in network planning and troubleshooting.

8.2.2 Function Description

Voice quality reporting enables the SE2900 to measure QoS in real time, including the packet loss rate, jitter, round-trip delay, number of received/sent RTP packets, number of bytes of received/sent RTP packets, and mean opinion score (MOS).

The SE2900 reports QoS statistics to the U2000 using user message tracing, consolidates the QoS statistics into traffic measurement statistics and then reports the statistics to the U2000, or reports the QoS data carried in ACR messages to the CCF over the Rf interface.

Table 8-1 Codecs supported by voice quality reporting

| Codec | Rate (kbit/s) |
|---|---|
| G.711 | 64 |
| G.723.1 | 5.3 and 6.3 |
| G.729A | 8 |
| G.729A + VAD | 8 |
| GSM | HR: 5.6; EFR: 12.2; FR: 13 |
| AMR-WB | 6.6, 8.85, 12.65, 14.25, 15.85, 18.25, 19.85, 23.05 and 23.85 |
| AMR-NB | 4.75, 5.15, 5.9, 6.7, 7.4, 7.95, 10.2 and 12.2 |
| EVRC | - |
| QCELP | 8 and 13 |

A Acronyms and Abbreviations

Numerics

3GPP The 3rd Generation Partnership Project

C

CAC Connection Admission Control

D

DSCP Differentiated Services Code Point

I

IP-PBX IP Private Branch Exchange

IBCF Interconnection Border Control Function

IBGF Interconnection Border Gateway Function

LDI Long Distance and International

IMS IP Multimedia Subsystem

I-SBC Interconnection Session Border Controller

ITU-T International Telecommunication Union-Telecommunication Standardization Sector

IPX IP Packet eXchange

N

NGN Next Generation Network

Q

QoS Quality of Service

R

RTP Real-Time Transport Protocol

S

SBC Session Border Controller

SDP Session Description Protocol

SIP Session Initiation Protocol

T

TCP Transmission Control Protocol

TLS Transport Layer Security

U

UDP User Datagram Protocol

V

VoIP Voice over Internet Protocol