Over-the-top or through the network?

Standards can be a burden. Proprietary over-the-top services have shown that the public Internet can be a viable transport for secure, high-quality communications. However, for telco service providers, global accessibility and the lack of regulation create challenges in launching new real-time communications services over the Internet.

Strict firewalls deployed by most enterprises are configured to block or throttle Internet access to hosted unified communications and other interactive services. Privacy and confidentiality are also a basic requirement for Internet-based communications, and encrypting each flow separately adds overhead and complexity to endpoints.

Firewalls can be configured to block IMS protocols when they are carried natively over IP on their various transports (e.g. SIP over UDP/TCP/TLS, RTP over UDP, MSRP over TCP/TLS, etc.). Although 3GPP standards exist for tunneling IMS protocols over IPsec (e.g. TS 43.318, TS 33.234 and TS 33.402), these solutions still do not work through firewalls that block IPsec.

Faced with these issues, there have been several approaches and proposals from vendors, but now Acme Packet is working on an emerging standard known as Tunneled Service Control Function (TSCF), which delivers an infrastructure-based alternative for real-time, over-the-top (OTT) communications. This new network element has been proposed for standardization to the Third Generation Partnership Project (3GPP), which has already approved initial specifications to be included in TR SA3#68 (TSCF Control Message Header & Control Message TLVs for TSCF).

TSCF High-level architecture

Diagram courtesy of The Packet blog

Tunneled Service Control Function makes use of TLS tunneling (very similar to HTTP/HTTPS) and the HTTP CONNECT mechanism to allow IMS traffic to flow seamlessly through all types of non-IMS firewalls. Endpoints, upon registering to the network, initiate a tunnel which persists as long as the application is active and which is capable of transporting all the signaling and media flows that make up a real-time communications session. Unencrypted SIP and RTP flow securely within the tunnel, minimizing the overhead caused by separately encrypting the individual flows (SIP/TLS and SRTP).
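To make the mechanism concrete, here is an added example (not code from the original post, Acme Packet or 3GPP) that models the tunnel described above: the endpoint opens a single stream, issues an HTTP CONNECT, and, once the network side answers 200, pushes SIP signaling and RTP media through that one stream as tagged frames, which the TSCF side demultiplexes. The 3-byte frame header, the frame type values, the hostnames and the SIP/RTP sample bytes are all constructed for illustration and are not the TSCF wire format; a `socket.socketpair()` stands in for the TLS connection, which in a real deployment would wrap the same stream.

```python
import socket
import struct
import threading

# Frame types carried inside the tunnel. These values and the 3-byte header
# are constructed for this example, not the 3GPP TSCF message layout.
FRAME_SIP = 1
FRAME_RTP = 2
HDR = struct.Struct("!BH")  # 1-byte frame type, 2-byte payload length


def encode_frame(ftype, payload):
    """Wrap one SIP message or one RTP packet in a tunnel frame."""
    if len(payload) > 0xFFFF:
        raise ValueError("payload too large for the 16-bit length field")
    return HDR.pack(ftype, len(payload)) + payload


def read_exact(sock, n):
    """Read exactly n bytes from the stream (a TLS socket would sit here)."""
    buf = bytearray()
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("tunnel closed")
        buf += chunk
    return bytes(buf)


def read_frame(sock):
    """Read one tunnel frame and return (type, payload)."""
    ftype, length = HDR.unpack(read_exact(sock, HDR.size))
    return ftype, read_exact(sock, length)


def read_http_head(sock):
    """Read an HTTP request or response head up to the blank line."""
    data = bytearray()
    while not data.endswith(b"\r\n\r\n"):
        data += read_exact(sock, 1)
    return bytes(data)


def tunnel_client(sock, target, sip_msg, rtp_pkt):
    """Endpoint side: CONNECT once, then send SIP and RTP through one stream."""
    sock.sendall(b"CONNECT " + target + b" HTTP/1.1\r\nHost: " + target + b"\r\n\r\n")
    status_line = read_http_head(sock).split(b"\r\n", 1)[0]
    if not status_line.startswith(b"HTTP/1.1 200"):
        raise ConnectionError(status_line.decode(errors="replace"))
    sock.sendall(encode_frame(FRAME_SIP, sip_msg))   # signaling, unencrypted inside the tunnel
    sock.sendall(encode_frame(FRAME_RTP, rtp_pkt))   # media, same stream
    ftype, payload = read_frame(sock)                # the SIP answer comes back the same way
    return ftype, payload


def tscf_server(sock, demuxed):
    """Network side: accept CONNECT, then route frames to SIP or RTP handling."""
    request_line = read_http_head(sock).split(b"\r\n", 1)[0]
    parts = request_line.split(b" ")
    if len(parts) != 3 or parts[0] != b"CONNECT":
        sock.sendall(b"HTTP/1.1 405 Method Not Allowed\r\n\r\n")
        return
    sock.sendall(b"HTTP/1.1 200 Connection established\r\n\r\n")
    for _ in range(2):  # this demo expects exactly one SIP and one RTP frame
        ftype, payload = read_frame(sock)
        if ftype == FRAME_SIP:
            demuxed["sip"].append(payload)
            sock.sendall(encode_frame(FRAME_SIP, b"SIP/2.0 200 OK\r\n\r\n"))
        elif ftype == FRAME_RTP:
            demuxed["rtp"].append(payload)


def run_demo():
    """Run endpoint and TSCF over an in-process socket pair; return what each side saw."""
    client_sock, server_sock = socket.socketpair()
    demuxed = {"sip": [], "rtp": []}
    worker = threading.Thread(target=tscf_server, args=(server_sock, demuxed))
    worker.start()
    sip = b"REGISTER sip:example.invalid SIP/2.0\r\n\r\n"                  # constructed sample
    rtp = bytes([0x80, 0x00, 0x00, 0x01]) + b"\x00" * 8 + b"audio"          # constructed RTP header + payload
    ftype, reply = tunnel_client(client_sock, b"tscf.example.invalid:443", sip, rtp)
    worker.join()
    client_sock.close()
    server_sock.close()
    return {"reply_type": ftype, "reply": reply, "demuxed": demuxed}


if __name__ == "__main__":
    print(run_demo())
```

The point of the framing is that a firewall in the path only ever sees one long-lived TLS-looking connection with a CONNECT preamble, while the TSCF on the other end still gets SIP and RTP as distinct flows to hand to the IMS core. Note that the sample server answers a non-CONNECT request with 405 and that the length field bounds each frame, so a malformed frame cannot desynchronize the whole tunnel.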