Why a new network element could make OTT comms better for all

Frustrated by poor quality, blocked or interrupted VoIP sessions? Kris Hopkins explains the Tunneled Services Control Function, and why you should care about it.

The popularity of over-the-top (OTT) remains strong without question. Affordability, ongoing innovation and additional feature functionality continue to drive OTT success. On February 15 2013, Skype declared that “280 million people choose Skype to connect with their loved ones and colleagues every month” and later that month, Viber, first launched in 2010, claimed to have reached 160 million users with 750,000 uses per day.

Despite the success, OTT telecommunications still fall short in a number of measures. On a daily basis, users face challenges associated with security and traversal across strict firewalls. Also, call quality and call continuity under adverse network conditions remain problematic when running live communications over untrusted, “best effort” networks.

For example, when making an OTT call from a local coffee shop hotspot, hotel lobby, or conference center, firewalls will often suppress or kill voice, text, and video sessions. Some well-known mobile and Wi-Fi service providers restrict the UDP connections that carry media and SIP. Others interrupt long-lived TCP connections that are essential to voice and video over IP (e.g. conference calls). In these instances, calls may appear to connect, but audio and video never follow.

When using municipal Wi-Fi access or guest Internet access at another business location, security may be suspect. OTT services can expose users to man-in-the-middle attacks or packet sniffing as their traffic flows through these networks. Recently, T-Mobile came under scrutiny by researchers at UC Berkeley for a Wi-Fi voice vulnerability. To date, SIP over Transport Layer Security (TLS), Secure RTP (SRTP), or proprietary signaling and media protection have addressed these privacy and integrity concerns. But encryption on the wire also blinds the VoIP administrator who has to diagnose a failing call: encrypted signaling and media cannot be inspected in transit, so the usual next step is to switch encryption off for troubleshooting, thereby exposing users to exactly the risks IT was trying to protect against.

When walking away from Wi-Fi and moving onto a 4G or 3G network, a live call from a mobile OTT app will drop with most OTT services, because the device's IP address changes and the signaling and media sessions are bound to the old one. For adoption beyond the consumer and into reliable hosted PBX services running over-the-top, OTT services need to move beyond best effort and into a world of service guarantees and reliability.

Standard Virtual Private Networking (VPN) or tunneling technologies provide some relief from these problems that pervade OTT deployments. Encrypting VoIP and video packets over IPsec tunnels has been a part of session border controllers for some time, and the Third Generation Partnership Project (3GPP) uses IPsec security associations, set up through IMS AKA, to protect voice over LTE (VoLTE) signaling in the IP Multimedia Subsystem (IMS). IPsec provides security at the IP network layer and is most often incorporated into network elements, servers, clients, and operating systems (e.g. a session border controller, dedicated VPN concentrator, or firewall).

However, IPsec is not well suited to an OTT app running on a mobile device or laptop. An IPsec VPN binds the whole device to the VPN, and many firewalls do not allow IPsec tunnels by default. By contrast, TLS and its predecessor, Secure Sockets Layer (SSL), which carry the web and e-commerce, provide session-oriented security for tunneling and are far more transparent to a firewall. In turn, a TLS tunnel, or better yet a Datagram Transport Layer Security (DTLS) tunnel, for OTT applications may do just the trick. Vendors such as Acme Packet, Voxeo Labs' Horizon, and 3CX VoIP Tunnel have been experimenting with VoIP over SSL/TLS VPN, or proprietary deviations from it, for some time.

Now a new network element has been proposed for standardisation in the 3GPP to handle strict firewall traversal based on SSL/TLS VPNs. The Tunneled Services Control Function (TSCF) relays both SIP and IMS messages to an endpoint over managed VPN tunnels. One tunnel is shared by multiple protocols (such as SIP, RTP, MSRP, HTTP, DNS, and TFTP), but it is unique and specific to the VoIP application on the handset. Again, TLS and DTLS tunnels are application specific and do not take over the whole device when integrated into a mobile OTT application.

Acme Packet recently introduced the TSCF as part of its session border controller (SBC), leveraging the SBC’s hardware acceleration capabilities to ensure fast connectivity, line rate encryption and decryption, and quality of service control.

Early TSCF deployments are yielding impressive results for OTT services:
- Every session is secure, with all signaling and media encapsulated in an encrypted tunnel
- VoIP over wireless and Wi-Fi is not suppressed or terminated by oppressive firewalls
- Easier diagnosis of signaling and media issues, since the VoIP packets are in clear text inside the tunnel and can be inspected at the TSCF, the tunnel endpoint, without stripping encryption from the path (the clear text exists only at the two tunnel endpoints, so the TSCF itself becomes the trust boundary)
- VoIP calls can switch without dropping when going from Wi-Fi to 4G/3G data and back again
One of the great benefits of the proposed TSCF standard is that strict firewall traversal becomes trivial. To a firewall, voice and video appear as a TLS session on port 443, indistinguishable from HTTPS or an SSL VPN, and so pass the same rules that let web traffic through, including the UDP-blocking hotspots described earlier. When a user places a call with a firewall in the way, the mobile VoIP app establishes the tunnel and connects directly to a TSCF-enabled VoIP server or SBC. The one thing the tunnel cannot do is vouch for its own far end: the app must verify the TSCF's certificate, otherwise a hostile hotspot could terminate the tunnel itself and read the clear text inside it.

To the VoIP server on the other side of the TSCF, the client appears as a local IP address inside the tunnel. This simplifies SIP signaling and architectures, as well as diagnosis and troubleshooting. If network connectivity fails while the tunnel is established, the tunnel is quickly re-established over a secondary network (e.g. Wi-Fi to 4G). Regardless of the network, the IP address of the VoIP app stays the same as far as the SIP server is concerned. If audio is flowing, the call can resume as soon as the VPN is re-established, and there is no need to re-register the SIP endpoint or VoIP app.
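As an added illustration of the behaviour described in the last three paragraphs (this is example code written for this page, not Acme Packet's TSCF implementation nor anything from the 3GPP proposal), the following Python models the tunnel endpoint: several protocols multiplexed in one tunnel, an inner address assigned per tunnel, a re-attach after a Wi-Fi to 4G move that changes only the outer address, and the clear-text inner packets that an administrator would inspect at the TSCF. The frame format, the protocol tags, the `Tscf` and `Client` classes, the address pool and the sample packets are all assumptions made for the illustration; the outer TLS/DTLS record layer is not modelled, frames are simply handed to the endpoint as bytes.

```python
"""Model of a TSCF-style application tunnel (added example, not vendor code).

Inner packets (SIP, RTP, DNS ...) are multiplexed into one tunnel. The endpoint
assigns each tunnel a stable inner IP; a client that loses its outer connection
re-attaches with its session token and keeps the same inner address, so the
SIP registration on the far side is untouched. All names and values are
assumptions for illustration; the outer TLS/DTLS layer is not modelled."""
import os
import struct

# Protocol tags in the tunnel frame header (hypothetical values).
PROTO_SIP, PROTO_RTP, PROTO_DNS = 1, 2, 3

# Frame header: one byte protocol tag, two byte payload length (assumed format).
HDR = struct.Struct("!BH")


def encap(proto: int, payload: bytes) -> bytes:
    """Wrap one inner packet for transmission inside the tunnel."""
    return HDR.pack(proto, len(payload)) + payload


def decap(buf: bytes) -> list:
    """Split tunnel bytes into (proto, payload) frames, dropping a truncated tail."""
    frames, off = [], 0
    while off + HDR.size <= len(buf):
        proto, length = HDR.unpack_from(buf, off)
        off += HDR.size
        if off + length > len(buf):
            break  # short read: never slice past the buffer
        frames.append((proto, buf[off:off + length]))
        off += length
    return frames


class Tscf:
    """Tunnel endpoint: owns the inner address pool and the session table."""

    def __init__(self, pool: str = "10.0.0."):
        self._pool, self._next = pool, 2
        self.sessions = {}   # token -> [inner_ip, outer_addr]
        self.delivered = []  # (inner_ip, proto, payload) handed on to the SIP server

    def attach(self, outer_addr, token=None):
        """Open a tunnel, or re-attach an existing one from a new outer address.

        The token is a bearer credential: it must only ever travel inside the
        TLS/DTLS tunnel, or whoever sniffs it could take over the inner address.
        An unknown token never recovers someone else's session; it gets a new one.
        """
        if token in self.sessions:
            self.sessions[token][1] = outer_addr  # only the outer address changes
            return token, self.sessions[token][0]
        token = os.urandom(16).hex()
        inner = f"{self._pool}{self._next}"
        self._next += 1
        self.sessions[token] = [inner, outer_addr]
        return token, inner

    def receive(self, token: str, data: bytes) -> int:
        """Decapsulate one tunnel write; inner packets are clear text from here on."""
        inner = self.sessions[token][0]
        frames = decap(data)
        self.delivered.extend((inner, proto, payload) for proto, payload in frames)
        return len(frames)


class Client:
    """The VoIP app's side of the tunnel."""

    def __init__(self, tscf: Tscf):
        self.tscf, self.token, self.inner = tscf, None, None

    def connect(self, outer_addr) -> str:
        self.token, self.inner = self.tscf.attach(outer_addr, self.token)
        return self.inner

    def send(self, *frames) -> int:
        # Several protocols share one tunnel write, e.g. SIP and RTP together.
        return self.tscf.receive(self.token, b"".join(encap(p, d) for p, d in frames))


def demo() -> dict:
    """Wi-Fi to 4G hand-off: the outer address changes, the inner address does not."""
    tscf = Tscf()
    app = Client(tscf)
    ip_wifi = app.connect(("203.0.113.10", 51234))  # hotspot NAT address (constructed)
    app.send((PROTO_SIP, b"REGISTER sip:pbx.example SIP/2.0\r\n"),
             (PROTO_RTP, b"\x80" * 12))
    ip_4g = app.connect(("198.51.100.7", 40001))    # new outer address on 4G
    app.send((PROTO_RTP, b"\x80" * 12))
    stranger = Client(tscf).connect(("192.0.2.5", 443))  # no token: gets a fresh address
    return {"ip_wifi": ip_wifi, "ip_4g": ip_4g, "stranger": stranger,
            "delivered": tscf.delivered}


if __name__ == "__main__":
    for inner, proto, payload in demo()["delivered"]:
        print(inner, proto, payload[:24])  # what an admin sees at the endpoint, in clear
```

Running the module prints the three decapsulated packets, all from the same inner address even though the second RTP packet arrived after the move to 4G. The `decap` loop checks the declared length against the buffer before slicing, which is the check a real tunnel endpoint must make on every frame it receives from an untrusted network.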

Well-known VoIP softphone companies, such as CounterPath and Cicero Networks, are leveraging the TSCF capabilities. VoIP calls can transfer seamlessly between 4G and Wi-Fi, firewalls are easily traversed, and as a result IP-based voice and video calls can offer higher levels of quality, reliability, and security, making OTT communications better for all.

About Kris Hopkins
Kris Hopkins is currently VP of strategic product management at Acme Packet. In 2011, Kris sold Newfound Communications to Acme Packet. As the CEO of Newfound Communications, Kris was responsible for the overall vision, leadership, and direction of the company.