VPN ( Virtual Public Network ) over SIP

People working at differing locations need a fast, secure and reliable way to share information across computer networks. This is where a way to connect private networks over and top of the public network becomes necessary and Virtual Private Network comes into the picture.



SIP ( Session Initiation Protocol ) for VPN

VOIP across an SSL-based VPN is achieved in good quality by encapsulating the UDP VOIP packets ( SIP and RTP ) in TCP/IP. Data used for defining a VPN like its Groups, its Members and the associated profiles are organized hierarchically. It includes information like who is the operator, subscriber of VPN, group ID and member ID.

vpn+ service broker
VPN and Service Borker

Grouping for VPN Users

Groups created to implement policies and restrictions common to a set of users.These include:

  • Apply permissions to call between the Groups and to the outside world
  • Apply pricing between distinct types of of PNP (Mobile, Fixed, Privileged list)
  • Some numbers assigned a preferential tariff plan. These numbers are not part of the VPN ( Virtual On-Net) .
  • privileged list within a VPN across multiple groups

Service Overview

Lets see how would a SIP based VPN services over telecom application server with Service Broker works. Leveraging the Service Broker to offer voice VPN service to existing Subscribers is an arduous task. The Subscriber shall benefit from reduced charging rates for VPN calls (ON-Net), improved employee connectivity (within the VPN scope) and a consistent user experience across fixed and mobile phones.

VPN services shall be integrated with the R-IM-SSF( reverse IMS gateway to IN) component of the service broker. R-IM-SSF shall provide mediation as well as session and state management capabilities that shall make VPN service available over multiple networks including SS7 and IMS networks.

The subscriber base can be interfaces via a SMP that might also be used to add groups and assign right and privilege to member

Features of VPN application

1.Private numbering plan for both mobile and fixed subscribers (Short number dialing).

2.Distribution of subscriber under a hierarchical Data Model :

  • Subscriber VPN( Enterprise Level)
  • Group of Users ( Group level. Can be either of type Mobile or PABX )
  • State (End user of service)

3.Grouping of a short number on the basis of following types:

  • Member of mobile VPN
  • Privileged user
  • PABX user

4. Forced On-Net call handling, which shall allow user to dial the public number of another On-Net user with On-Net call Features.

5. Virtual On-Net Call Handling which allocates On-Net extension to non VPN users( Privileged list)

6. Off-Net call Handling via exhaust code which shall allow vpn users to access non-vpn public numbers

7.  Prohibit the call based on a set of rules like ( all off-net calls barred).

8. Allow calls based on destination numbers. For example allow off-net calls for numbers provisioned in the white list(allowed list)

9. Outgoing call screening on the basis of time( Time based barring)

VPN voice application on SIP

This solution  describes the service logic design for the new VPN voice application providing the feature set and service data for the Global VPN service. The new application will replace the Ericsson VPN application running on the legacy IN platform with the new SIP based  VPN services being hosted on the Rhino TAS.

Virtual Public Network - voice Application over SIP RA on SLEE
Virtual Public Network – voice Application over SIP RA on SLEE

Service Logic Structure

This section gives the complete flow in the Service from the instance the INVITE is generated in the network till a Session Connected or Session Disconnected is being sent back to the network.

1INVITE is sent from rim-ssf to SIP Resource Adaptor
2Message is processed by the SIP Resource Adaptor.

RA is configured with a Rate Limiter to enable Overload protection for the TQAS Node.Rate Limiter checks if the Overflow threshold has been reached.If the threshold is reached, RA will not send the message to the service.

3SLEE will check the Service Selector of the VPN service if the message can be processed by it. VPN Service has an initial event selector which checks the service key in the SIP Request.
4Service is configured with a rate limiter to protect the platform from overload protection, for even distribution of calls from different networks etc.

Rate Limiter checks if the Overflow threshold has been reached.If the threshold is reached, Service will close the dialog with a prearranged end.This will not send any message back to the network. This will allow a SIPmessage timeout at rim-ssf. If the threshold is not reached the call is further processed by the Service Ingress

layer of the service
5Service Ingress:  This layer of the Service will do call pre-processing based on the Service key.  This layer identifies the originating network of the call and applies any processing to be done, like number formatting, on the data received from the network before it is used by the core application.
6Service Core: This is the layer where Service processing is carried out.  Service identifies the routing plan associated with Application configured for Service key and executes the routing plan. Routing plan contains features to be executed which will further enable the execution of Subscribed feature set.
7Service Deliver: This layer is where the features corresponding to delivery of the call, like destination number formatting are performed.
8Service Egress: This layer is concerned with all network related functions that need to be performed to setup the call, like manipulating the network message parameters.
9Connect Session or  Discontinue session message is sent back to the network

Overflow Protection

Overflow protection aims at allowing the platform to take only the load that is capable of. This can be achieved by defining the Rhino Rate Limiters at the Resource Adaptor and Service Layers. Rate Limiters at Resource Adaptor are generic in that it counts all the SIP messages that are passing through the Resource Adaptor and can respond with only 4xx response in case the call is not allowed. Limiters at Service level have got greater flexibility in that they can count the messages, dialogs etc and can respond with any message to the network like 403 Forbidden or 406 Not Acceptable etc.

Rate Limiters

Limiters can optionally be linked to a single parent limiter and/or multiple child limiters. A limiter only allows a piece of work if all of its ancestors (its parent, and its parent’s parent, and so on) also allow the work. VPN service has got Rate Limiters defined at both Resource Adaptor and Service layers.

  1. RA Limiter

RA Limiter will help protecting the Rhino node from being throttled with too many messages. Threshold should be captured considering the peak load of all the SIP messages for all the services running in the platform.

2. Service Limiter

Service Limiter will be used to allow the configured number of calls for a particular service. Once the threshold is reached Calls are rejected as dialog close with pre-arranged end. This will close the dialog and release the SLEE resources but will not send any message back to the network. This will allow the dialog to time out at rim-SSF. This prevents the callers from too many re-tries/re-dials on the platform.

Call Barring

According to the business needs of the Bouygues Telecom TCS proposes call barring application which can offer the possibility of limiting the calls for each group of a Company depending on the day and time.

When a subscriber VPN is subjected to a barring 1994/96 him certain destinations are always allowed for the subscriber:

  • Off-net: rights that are identical to the rights of calls to “no destination outside the VPN”, as defined in Error! reference Source not found.
  • On-net: no right to call

The same application can be deployed along with the VPN logic at the Service Core block of the VPN service to barr the call of the subscriber as per the Time, Location , Preveliges of the user of VPN group.

VPN performance issues

VPN has less influence on latency, jitter and packet loss. However VPN overhead is high with enabling authentication, encryption, HMAC, anti-replay attack, and initialization vector, and use small RTP size for Codec, the

Counter Metrics for VPN Quality Assurance

For developing a VPN application counters are employed, some of which could be as follows

  • Number of calls On-Net and Off-Net
  • Numbers of Calls VPN
  • Number of calls with Forced On-Net

Calls between endpoints

  • MS to MS Normal (mobile)
  • MS to MS Privilege
  • MS toward PABX

Success Fail rate

  • Number of calls successful without rerouting
  • Number of calls with successful rerouting
  • Number of calls with Failure (Failed = No answer, Busy, Not reachable, Congestion)
  • Number of calls on non-response (No Answer)
  • Number of calls on Not Reachable
  • Number of calls Route Select Failure
  • Number of calls on busy
  • Number of calls barred by VPN service.

other parameters

  • Total number of queries
  • Number of States created/modified
  • Number of change in the rights of calls
  • Number of issuance of observation Reports

terminology :

R-IM-SSF = reverse IMS gateway to IN

SMP is the Provisioning interface for VPN service subscriber