A Session Border Controller (SBC) is a network function that secures voice over IP (VoIP) infrastructures while providing interworking between incompatible signaling messages and media flows (sessions) from end devices or application servers. SBCs are employed in enterprise infrastructures or any carrier network delivering commercial residential, business, fixed-line or mobile VoIP services. They are typically deployed at both the network edge and at carrier interconnects, the demarcation points (borders) between their users and other service providers.
While historically supporting the many signaling types employed in enterprise networks, such as H.323 and Skinny, SBCs are now predominantly focused on securing SIP (Session Initiation Protocol) infrastructures. As SIP has been evolving over the last two decades, SBCs are invaluable in providing interworking between disparate protocol versions and optional headers.
An SBC secures a core SIP network and application servers and provides client/server interworking by performing the role of a back-to-back user agent (B2BUA). By terminating each session and then re-establishing it, acting as both a user agent server (UAS) and user agent client (UAC) for every signaling message on each call leg, an SBC can granularly control a communications session.
SBCs implement comprehensive ingress Access Control Lists (ACLs) and rate limiting to prevent DDoS attacks, while parsing each message to eliminate malformed packet exploits. By processing each SIP header and payload, such as the Session Description Protocol (SDP), complex rules can be applied to alter message elements and enable interworking. Prior to the ratification of recognized standards (STUN, TURN and ICE), SBCs were also used to enable SIP traffic to traverse devices performing IPv4 Network Address Translation (NAT).
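The ingress checks described above (ACL, per-source rate limiting, strict message parsing) can be sketched as follows. This is an added example, not code from the original page or from any SBC product; the policy values, function names and sample request are assumptions constructed for illustration.

```python
import ipaddress
import re

# Assumed policy values and names for illustration; none come from the page.
ALLOWED_NETS = [ipaddress.ip_network("192.0.2.0/24")]  # ingress ACL: trusted peers
RATE, BURST = 5.0, 10.0                                # token bucket: refill/s, size
METHODS = {"INVITE", "ACK", "BYE", "CANCEL", "OPTIONS", "REGISTER"}
REQUIRED = {"via", "from", "to", "call-id", "cseq", "max-forwards"}
START_LINE = re.compile(r"^([A-Z]+) (sips?:\S+) SIP/2\.0$")
_buckets = {}                                          # source IP -> (tokens, last seen)

def parse_request(raw: bytes) -> dict:
    """Strict SIP request parse; ValueError on anything malformed (no folding)."""
    head, sep, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("utf-8").split("\r\n")         # invalid bytes raise ValueError
    m = START_LINE.match(lines[0]) if sep else None
    if not m or m.group(1) not in METHODS:
        raise ValueError("bad request line or missing header terminator")
    headers = {}
    for line in lines[1:]:
        name, colon, value = line.partition(":")
        if not colon or not name or name != name.strip():
            raise ValueError("bad header line")
        headers[name.lower()] = value.strip()
    cseq = headers.get("cseq", "").split()
    if REQUIRED - headers.keys() or len(cseq) != 2 or cseq[1] != m.group(1):
        raise ValueError("missing mandatory header or CSeq/method mismatch")
    if int(headers.get("content-length", len(body))) != len(body):
        raise ValueError("Content-Length does not match body")
    return {"method": m.group(1), "uri": m.group(2), "headers": headers}

def admit(src_ip: str, raw: bytes, now: float) -> str:  # ACL, rate limit, then parse
    if not any(ipaddress.ip_address(src_ip) in net for net in ALLOWED_NETS):
        return "drop-acl"
    tokens, last = _buckets.get(src_ip, (BURST, now))
    tokens = min(BURST, tokens + (now - last) * RATE)
    _buckets[src_ip] = (tokens - 1 if tokens >= 1 else tokens, now)
    if tokens < 1:
        return "drop-rate"
    try:
        parse_request(raw)
    except ValueError:
        return "reject-malformed"
    return "accept"

SAMPLE = (b"INVITE sip:bob@example.com SIP/2.0\r\n"  # constructed sample request
          b"Via: SIP/2.0/UDP 192.0.2.10:5060;branch=z9hG4bK776asdhds\r\nMax-Forwards: 70\r\n"
          b"From: <sip:alice@example.org>;tag=1928301774\r\nTo: <sip:bob@example.com>\r\n"
          b"Call-ID: a84b4c76e66710@192.0.2.10\r\nCSeq: 314159 INVITE\r\nContent-Length: 0\r\n\r\n")
```

The cheap checks run before the parser, so traffic from outside the ACL or above the rate limit never reaches the more expensive header validation.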
Along with processing signaling messages, Session Border Controllers also handle all media traffic, typically in the form of RTP. This enables an SBC to not only secure the media flows but also apply transcoding where clients and servers are unable to negotiate common codec capabilities. The SBC is also the point where lawful intercept is performed.
In modern SBC implementations, the signaling and media components are decoupled and operate as individual network elements. This enables each function to be located in its most ideal logical or physical network layer (access/edge for media and core for signaling), while allowing each function to scale out independently.
An SBC with discrete signaling and media functions also aligns with the IP Multimedia Subsystem (IMS) reference architecture, a multi-layer, hierarchical, highly decomposed model comprising multiple, distinct, functional components with standardized interfaces. The functional requirements of border controllers are broken down in the 3GPP IMS Technical Specification TS 23.228, depending on their location (access / interconnect) and whether they are handling signaling or media.
3GPP IMS Reference Architecture: Functional Elements of an SBC
While Session Border Controllers were originally custom hardware appliances, contemporary vendors have now implemented them as pure software elements running on x86 commercial off-the-shelf (COTS) server platforms. More innovative software SBCs have also been proven in emerging NFV infrastructures, using both hardware (VM) and OS (container) virtualization, where the combined cost, performance and scale benefits make them ideal for wide-scale Voice over LTE (VoLTE) deployments.