IP Multimedia Subsystem (IMS) – detailed part2

This is a folow up on my previous post on IMS which described what is IMS and why it came into existing. Also how IMA can benifits with its rich feature set and huge OPEX savings. To read the previous post click here .

This post described IMS architecture and core concepts in detail.

ims

IMS Home Network

SIP call between 2 SIP  User agents or from SIP UA to PSTN endpoint.

ims2
  • HSS ( Home subcriber subsystem ) contains all of the subscriber information.
  • AS ( Application Servers ) conatin applications for example, be originating services or terminating services.
  • Filtering for applications for users is loaded into the S-CSCF and activated when the subscriber registers with the network.
  • DNS is used to identify elements use in the session set up.
  • The CSCFs manage the session control: registration, set up, tear down, feature activation.
    • The P-CSCF is first point of interaction with the User Agent. It also manages Quality of Service and other conditions specific to a UA.
    • The I-CSCF is used in network to network signaling. The I-CSCF hides the network topology from an external network.
    • The S-CSCF is the primary signal processing engine in IMS. It manages registration, checks for triggers for services and performs routing .
  • Media Resources may be conference services, IVRs or other network services.
  • If a call must egress to the PSTN the BGCF selects the appropriate Media Gateway that can be used.
  • Media Gateways control the conversion from IP to PSTN TDM signaling. Media Gateway Control Functions control the signaling between IMS and the PSTN (e.g. IP to SS7).

IMS Vistited Network <–> Home Network

Home Network to visited Network connectivity

ims3
  • If call orignates from Visited network the P-CSCF and S-CSCF in visited network itself , process the origination of the call and select the destination network.
  • Since call receiver of the call is in Home network the I-CSCF receives the call signaling from the Visited network, chooses the appropriate S-CSCF to process the call and the call is completed with RTP flow, depicted with blue line in diagram.

UE Registration

IMS registration is where the subscriber requests authorization to use the IMS services in the IMS network. The CSCF and HSS in core IMS network authenticates and authorizes the user .

ims4
  • The UA/UE initiates the registration process .
  • The SIP registration is passed to the S-CSCF.
    • For a user in Home network , the registration request is passed via P-CSCF to S-CSCF.
    • If the user is roaming in visiting network then the P-CSCF in the Visited network would pass the registration to the S-CSCF in the Home network through a I-CSCF.
    • Users are always registered in the Home network.
  • The S-CSCF forwards the request to the HSS via the Multimedia Auth Request (MAR) message to 1) download authentication data via the Multimedia Auth Answer (MAA) message and 2) inform the HSS that this S-CSCF is in control and any other queries to the HSS should be returned to this S-CSCF.
  • The S-CSCF creates a SIP 401 Unauthorized response that includes a challenge that the IMS terminal should answer.
  • The IMS terminal sends a new Register that contains the response to the challenge.
  • The S-CSCF validates the user and sends a Session Auth Request (SAR) message to the HSS informing it that the user is now registered and requesting the user profile, including services, that come in a Session Auth Answer message (SAA).

Subcription Changes

A registered user requires to be notified of his state changes. For example,

  • registration may be valid for a fixed period of time and then the network requires the user to register.
  • user or network element may go out of service and need to inform the other of some state change.

UA/UE subscribes to the registration state also P-CSCF serving the UA/UE subscribes so it can be informed.

ims5
  1. When the IMS terminal has completed registration the P-CSCF sends a Subscribe request for the registration event. The request is directed at the S-CSCF (which is in the Home network).
  2. The S-CSCF receives the request and installs that subscription, i.e. the S-CSCF takes the role of a notifier. The S-CSCF sends a Notify request to the P-CSCF. This request includes Public User Identities and the registration state.
  3. When the IMS terminal has completed registration it sends a Subscribe request for the registration event. The request is directed at the S-CSCF (which is in the Home network).
  4. The S-CSCF receives the request and installs that subscription, i.e. the S-CSCF takes the role of a notifier. The S-CSCF sends a Notify request to the user. This request includes Public User Identities and the registration state.

In case the S-CSCF has to shutdown or there is some other stimulus the S-CSCF will inform the user (and the P-CSCF) of the event.

Call

IMS multimedia calls sample –

  1. voice call originates from user A and enters the IMS network X at the P-CSCF
  2. P-CSCF passes the call to the S-CSCF
  3. S-CSCF interrogates the Application Server for originating services
  4. S-CSCF forwards the call to the I-CSCF of network Y.
  5. I-CSCF interrogates the HSS to determine the S-CSCF and passes the call to it.
  6. S-CSCF interrogates the Application Server for terminating services.
  7. S-CSCF passes the call to the P-CSCF assigned for the user and the voice call is completed.
  8. A video call is set up from User B to User A and the signaling path is reversed.

Finally, User A sets up a data call to User B using the same signaling path.

ims6

VPN ( Virtual Public Network ) over SIP


People working at differing locations need a fast, secure and reliable way to share information across computer networks. This is where a way to connect private networks over and top of the public network becomes necessary and Virtual Private Network comes into the picture.

vpn

 

SIP ( Session Initiation Protocol ) for VPN

VOIP across an SSL-based VPN is achieved in good quality by encapsulating the UDP VOIP packets ( SIP and RTP ) in TCP/IP. Data used for defining a VPN like its Groups, its Members and the associated profiles are organized hierarchically. It includes information like who is the operator, subscriber of VPN, group ID and member ID.

vpn+ service broker
VPN and Service Borker

Grouping for VPN Users

Groups created to implement policies and restrictions common to a set of users.These include:

  • Apply permissions to call between the Groups and to the outside world
  • Apply pricing between distinct types of of PNP (Mobile, Fixed, Privileged list)
  • Some numbers assigned a preferential tariff plan. These numbers are not part of the VPN ( Virtual On-Net) .
  • privileged list within a VPN across multiple groups

Service Overview

Lets see how would a SIP based VPN services over telecom application server with Service Broker works. Leveraging the Service Broker to offer voice VPN service to existing Subscribers is an arduous task. The Subscriber shall benefit from reduced charging rates for VPN calls (ON-Net), improved employee connectivity (within the VPN scope) and a consistent user experience across fixed and mobile phones.

VPN services shall be integrated with the R-IM-SSF( reverse IMS gateway to IN) component of the service broker. R-IM-SSF shall provide mediation as well as session and state management capabilities that shall make VPN service available over multiple networks including SS7 and IMS networks.

The subscriber base can be interfaces via a SMP that might also be used to add groups and assign right and privilege to member

Features of VPN application

1.Private numbering plan for both mobile and fixed subscribers (Short number dialing).

2.Distribution of subscriber under a hierarchical Data Model :

  • Subscriber VPN( Enterprise Level)
  • Group of Users ( Group level. Can be either of type Mobile or PABX )
  • State (End user of service)

3.Grouping of a short number on the basis of following types:

  • Member of mobile VPN
  • Privileged user
  • PABX user

4. Forced On-Net call handling, which shall allow user to dial the public number of another On-Net user with On-Net call Features.

5. Virtual On-Net Call Handling which allocates On-Net extension to non VPN users( Privileged list)

6. Off-Net call Handling via exhaust code which shall allow vpn users to access non-vpn public numbers

7.  Prohibit the call based on a set of rules like ( all off-net calls barred).

8. Allow calls based on destination numbers. For example allow off-net calls for numbers provisioned in the white list(allowed list)

9. Outgoing call screening on the basis of time( Time based barring)

VPN voice application on SIP

This solution  describes the service logic design for the new VPN voice application providing the feature set and service data for the Global VPN service. The new application will replace the Ericsson VPN application running on the legacy IN platform with the new SIP based  VPN services being hosted on the Rhino TAS.

Virtual Public Network - voice Application over SIP RA on SLEE
Virtual Public Network – voice Application over SIP RA on SLEE

Service Logic Structure

This section gives the complete flow in the Service from the instance the INVITE is generated in the network till a Session Connected or Session Disconnected is being sent back to the network.

S.NoDescription
1INVITE is sent from rim-ssf to SIP Resource Adaptor
2Message is processed by the SIP Resource Adaptor.

RA is configured with a Rate Limiter to enable Overload protection for the TQAS Node.Rate Limiter checks if the Overflow threshold has been reached.If the threshold is reached, RA will not send the message to the service.

3SLEE will check the Service Selector of the VPN service if the message can be processed by it. VPN Service has an initial event selector which checks the service key in the SIP Request.
4Service is configured with a rate limiter to protect the platform from overload protection, for even distribution of calls from different networks etc.

Rate Limiter checks if the Overflow threshold has been reached.If the threshold is reached, Service will close the dialog with a prearranged end.This will not send any message back to the network. This will allow a SIPmessage timeout at rim-ssf. If the threshold is not reached the call is further processed by the Service Ingress

layer of the service
5Service Ingress:  This layer of the Service will do call pre-processing based on the Service key.  This layer identifies the originating network of the call and applies any processing to be done, like number formatting, on the data received from the network before it is used by the core application.
6Service Core: This is the layer where Service processing is carried out.  Service identifies the routing plan associated with Application configured for Service key and executes the routing plan. Routing plan contains features to be executed which will further enable the execution of Subscribed feature set.
7Service Deliver: This layer is where the features corresponding to delivery of the call, like destination number formatting are performed.
8Service Egress: This layer is concerned with all network related functions that need to be performed to setup the call, like manipulating the network message parameters.
9Connect Session or  Discontinue session message is sent back to the network

Overflow Protection

Overflow protection aims at allowing the platform to take only the load that is capable of. This can be achieved by defining the Rhino Rate Limiters at the Resource Adaptor and Service Layers. Rate Limiters at Resource Adaptor are generic in that it counts all the SIP messages that are passing through the Resource Adaptor and can respond with only 4xx response in case the call is not allowed. Limiters at Service level have got greater flexibility in that they can count the messages, dialogs etc and can respond with any message to the network like 403 Forbidden or 406 Not Acceptable etc.

Rate Limiters

Limiters can optionally be linked to a single parent limiter and/or multiple child limiters. A limiter only allows a piece of work if all of its ancestors (its parent, and its parent’s parent, and so on) also allow the work. VPN service has got Rate Limiters defined at both Resource Adaptor and Service layers.

  1. RA Limiter

RA Limiter will help protecting the Rhino node from being throttled with too many messages. Threshold should be captured considering the peak load of all the SIP messages for all the services running in the platform.

2. Service Limiter

Service Limiter will be used to allow the configured number of calls for a particular service. Once the threshold is reached Calls are rejected as dialog close with pre-arranged end. This will close the dialog and release the SLEE resources but will not send any message back to the network. This will allow the dialog to time out at rim-SSF. This prevents the callers from too many re-tries/re-dials on the platform.

Call Barring

According to the business needs of the Bouygues Telecom TCS proposes call barring application which can offer the possibility of limiting the calls for each group of a Company depending on the day and time.

When a subscriber VPN is subjected to a barring 1994/96 him certain destinations are always allowed for the subscriber:

  • Off-net: rights that are identical to the rights of calls to “no destination outside the VPN”, as defined in Error! reference Source not found.
  • On-net: no right to call

The same application can be deployed along with the VPN logic at the Service Core block of the VPN service to barr the call of the subscriber as per the Time, Location , Preveliges of the user of VPN group.

VPN performance issues

VPN has less influence on latency, jitter and packet loss. However VPN overhead is high with enabling authentication, encryption, HMAC, anti-replay attack, and initialization vector, and use small RTP size for Codec, the

Counter Metrics for VPN Quality Assurance

For developing a VPN application counters are employed, some of which could be as follows

  • Number of calls On-Net and Off-Net
  • Numbers of Calls VPN
  • Number of calls with Forced On-Net

Calls between endpoints

  • MS to MS Normal (mobile)
  • MS to MS Privilege
  • MS toward PABX

Success Fail rate

  • Number of calls successful without rerouting
  • Number of calls with successful rerouting
  • Number of calls with Failure (Failed = No answer, Busy, Not reachable, Congestion)
  • Number of calls on non-response (No Answer)
  • Number of calls on Not Reachable
  • Number of calls Route Select Failure
  • Number of calls on busy
  • Number of calls barred by VPN service.

other parameters

  • Total number of queries
  • Number of States created/modified
  • Number of change in the rights of calls
  • Number of issuance of observation Reports

terminology :

R-IM-SSF = reverse IMS gateway to IN

SMP is the Provisioning interface for VPN service subscriber