[VOIPSEC] Session Border Controller use

Medhavi Bhatia mbhatia at 3clogic.com
Wed Jun 21 09:00:08 CDT 2006


Hi Bruce,

These are excellent questions. You must be careful when designing your VoIP
Network. Things to think about are scalability and making the network future
proof and flexible.

On 6/21/06, Kaalund, Bruce <Bruce_Kaalund at cable.comcast.com> wrote:
>
> I have questions about the use and placement of Session Border
> Controllers.  I have a rather general understanding of their purpose and
> use, but I am being questioned about placement in the network.  My
> questions are as follows:
>
> 1.  When the end user and the Layer 2 Switch (CMS, Media gateway, etc.)
> reside on the same network, and the calls are passed to the PSTN, is
> there a need for the SBC?  If so, where should the SBC be placed?


In general you need something to handle the breakout and routing as the
network scales. You may have a need for some adaptive routing based on load,
QoS in your network. An SBC may be required. However for doing anything
adaptively, my suggestion would be to run probes in the network and have
them feed information as events into the SBC. Scalability and performance
under load for the SBC would be important.

> 2.  When the end user resides on one network, and the Layer 2 Switch
> resides in a hosting facility on a different network, is there a need
> for the SBC?  If so, where should the SBC be placed?


On the network edge. Again, you need to determine how smart you want your
"middle of network" to be. In the end it is typically a tradeoff between how
smart your endpoints and gateways can be and what value the SBC can bring
in. In any case, an SBC which can be tuned to become transparent should be
considered. O/w you would introduce a blind man as the chief gateway in the
network ;). In my view, the middle of the network should only have policy
which is less application aware but can execute on patterns it sees in
packets and can constitute flows out of these patterns.

> 3.  I see a lot of value in the SBC for the protection of signaling
> traffic.  However, I have not been convinced of the value of using the
> SBC for bearer traffic.  I believe an attack on a particular call is
> dependent upon either obtaining and replicating, or corrupting the
> signaling traffic, in order to affect the bearer traffic of a particular
> call.  Why would I want to run the bearer traffic through the SBC?


I'd agree. Running the bearer through the SBC should be the last option. If
you have severe QoS issues which cannot be resolved or keep popping up or
you really don't have a way of determining QoS the endpoints are getting for
the calls and your biz depends on it, I suggest you look into this last
option. Again, the flexibility of the SBC to selectively do this is
critical.

-Medhavi.

> Any and all opinions would be greatly appreciated.  Thanx.
>
> Bruce A. Kaalund
> Director, Product Security Architecture
> National Engineering & Technical Operations
> Comcast Cable
> 1500 Market Street
> Philadelphia, PA 19102
> Telephone -- 215-851-3303
> e-mail -- bruce_kaalund at cable.comcast.com
> Doveryai No Proveryai - Trust but Verify
>
> _______________________________________________
> Voipsec mailing list
> Voipsec at voipsa.org
> http://voipsa.org/mailman/listinfo/voipsec_voipsa.org
>


