VocalTec Architecture: A Standards-based Platform for IP Telephony
VocalTec VOIP Virtual Private Network
White Paper, Release 1.4
January 2001
VocalTec Communications
VocalTec - VPN White Paper Page 1 03/14/01
Information in this document is subject to change without notice. This document may not be reproduced or transmitted in any form or by any means without the express written permission of VocalTec Communications Ltd.
© 2001 VocalTec Communications Ltd. All rights reserved.
VocalTec®, VocalTec Gatekeeper, VocalTec Telephony Gateway and VocalTec Network Manager are trademarks or registered trademarks of VocalTec Communications Ltd. All other trademarks are the property of their respective owners.
VPN White Paper, 3rd edition – January 2001
Headquarters
Israel: 2 Maskit Street, Herzeliya 46733, Israel. Tel: 972-9-970-7800, Fax: 972-9-956-1867

Europe, Middle East and Africa
Italy: Via Cassia 1081, 00148 Rome, Italy. Tel: 39-06-302-60311, Fax: 39-06-302-60312

Asia and Pacific Rim
Hong Kong (HQ): Suite 2001, 20/F, Tower 1, Lippo Centre, 89 Queensway, Admiralty, Hong Kong. Tel: 852-2530-0452, Fax: 852-2801-4555

Americas
USA: One Executive Drive, Suite 320, Fort Lee, NJ 07024-3393, USA. Tel: 1-201-228-7000, Fax: 1-201-363-8986

France: 91 rue du Faubourg Saint-Honoré, 75008 Paris, France. Tel: 33-1-4471-3666, Fax: 33-1-4471-3696
Australia: Level 21, Suite 34, Tower 2, 201 Sussex Street, Sydney 2000, NSW, Australia. Tel: 61-2-9006-1310, Fax: 61-2-9006-1010
Germany: August-Bebel-Allee 6, D-53175 Bonn, Germany. Tel: 49-228-30887-20, Fax: 49-228-30887-11
China: Suite 815, Beijing Silver Tower, No. 2 San Huan North Rd, Chaoyang District, Beijing 100027, China. Tel: 86-10-641-07140, Fax: 86-10-641-07143
Spain: Bendicion de Campos, 8, 28036 Madrid, Spain. Tel: 34-91-350-6633, Fax: 34-91-350-7014
Japan: Takanawadai Green Bldg 7F, 4-6-6 Higashi Gotanda, Shinagawa-ku, Tokyo 141-0022, Japan. Tel: 81-35-791-1405, Fax: 81-35-791-1406
UK: Tel: 44-1372-723622, Fax: 44-870-1315771
Singapore: 180B Bencoolen Street, #07-04 The Bencoolen, Singapore 189648. Tel: 65-238-2415, Fax: 65-238-8230
email: [email protected]
http://www.vocaltec.com
Publication number: VTWP- VPN -01-2001-V3-R1-E
Contents

Contents 2
Introduction 3
  Target Market 3
VPN System Solution 4
VPN Features 5
  Private Numbering Plan 5
  Routing Services 5
  Routing Options 5
  Security 6
  Centralized Management 6
  Accounting and Customer Care 6
VPN Network Topology 7
VPN Call Modes 8
  On-net to On-net 8
  On-net to Off-net 9
  Off-net to On-net 11
  Off-net to Off-net 12
Glossary 13
Introduction

Voice Over IP (VOIP) Virtual Private Network (VPN) is a service that provides its subscribers with a "virtual" private VOIP network that runs on top of a shared IP network, typically managed by the service provider. All subscribers who share the same VPN can call each other seamlessly (either while on the private network or from off the network) as though they were talking on a totally private network.
Please note that the term VPN may be used in other contexts, such as IP-VPN for basic data-over-IP services, and Voice VPN for PSTN-based private networks. In this document the term VPN refers solely to the concept of Voice Over IP (VOIP) VPN. VPN decreases the cost of international calls, offers convenience for long distance calls (LDCs) and international calls and convergence with other applications and services, and provides a cost-effective and feature-rich alternative to traditional circuit-switched PSTN voice VPNs.
The VOIP-VPN solution can also serve as a platform for additional business-oriented services, including Web-based 1-800, Web-enabled Call Centers and support for PC endpoints.
Target Market

Potential customers who may benefit from this service include:
• Internet Service Providers (ISPs)
• Internet Telephony Service Providers (ITSPs)
• Telecommunications Companies (Telcos)
• Clearing Houses (“ITXCs”)
Business-oriented ISPs and Telcos who already provide IP VPN services can easily extend their service offerings to include VOIP-VPN.
VPN System Solution

The Voice Over IP (VOIP) VPN system solution is based on the VocalTec architecture. The VocalTec architecture combines all the software and hardware elements required to build the infrastructure for global IP telephony networks. It provides a scalable, ITU-T H.323 standards-based multi-service platform.
The VOIP VPN solution enables a single service provider to offer private Voice over IP VPN services to multiple corporate customers on top of the same IP and VOIP infrastructure. See Figure 1 below.
Figure 1. Distributed VPN Configuration (diagram: Company 1 Branches A and B, Company 2 Branch and Company 3 Branches A and B, each with a LAN and a CPE VoIP Gateway, connected over the IP WAN to the Carrier POPs, a Carrier VoIP Gateway and the Carrier NOC)
Figure 1 illustrates three separate company VPNs, connected to the carrier's VOIP VPN Network. The solution supports multiple VPN dialing plan configurations. System components include:
• VocalTec Gatekeeper (VGK) - intelligent IP telephony control server, providing addressing, routing, and system security
• VocalTec Network Manager (VNM) - network management workstation, used to centrally manage and monitor all the VocalTec architecture components.
• VocalTec Telephony Gateway Series 120 (VGW 120)
• VocalTec Telephony Gateway Series 2000 (VGW 2000)
The VOIP VPN solution based on the VocalTec architecture is currently interoperable with the following gateways: Cisco 3600, Cisco 2600, Cisco AS5300, Cisco AS5800, Cisco AccessPath.
VPN Features

The basic features for a VPN service based on the VocalTec architecture are as follows:
Private Numbering Plan
Short Numbers
VPN is implemented through the use of dialing plans associated with the PBX extension numbers in an organization. This enables calling between different corporate branches (intra-organizational) using PBX extensions (e.g., xxxx).

In configurations where a single gatekeeper manages several VPN dialing plans with extension numbers in the same ranges, the extension numbers may be preceded by a prefix (a single digit or other short branch prefix), called a "Virtual Prefix", in order to distinguish between otherwise identical phone numbers.
Multiple VPN Support
A single gatekeeper supports multiple VPN dialing plans. This is required in configurations used by service providers supporting multiple VPNs and inter-organization VPN support. All dialing plans are configured within the gatekeeper's dialing plan.
Routing Services
Phone to Phone
Phone to Phone is the first VocalTec architecture service for VOIP VPN. Pure VPN calls are calls from one office to a remote office using a short numbering plan based on extension (and possibly branch and organization) numbers.

The same underlying VOIP infrastructure is used for switching calls that may be originated or terminated at a PSTN phone number (not involving a PBX at one or both ends).
Routing Options
PBX Call Recognition
VPN calls that are originated behind a PBX are identified by the PBX as VPN calls. VPN calls are routed by the carrier's gatekeeper that provides the organization's VPN service to the gateway that terminates the call.
Prefix permissions & restrictions
Dialing plan numbers allow E.164 prefix permissions and restrictions in the same manner as ordinary telephony prefixes.
Desktop to Phone
VocalTec Internet Phone Lite, a PC application, can be used to place VOIP VPN calls from a PC to a PBX extension belonging to your organization. This is achieved by associating the subscriber with the specific VOIP VPN.
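The dialing-plan behaviour described under Private Numbering Plan and Routing Options (per-VPN plans on one gatekeeper, a virtual prefix for overlapping extension ranges, E.164 prefix permissions and restrictions, and the abbreviated-to-E.164 expansion used by the remote on-net mode) as an added worked example. This is not VocalTec code: the VPN names, gateway ids, prefixes and number ranges are constructed, and the E.164 expansion that the white paper attributes to the carrier gateway is done inside the resolver here for brevity.

```python
"""Dialing-plan resolution for a gatekeeper hosting several VOIP VPNs.

Added example, not VocalTec code. VPN names, gateway ids, virtual
prefixes, extension ranges and E.164 prefixes are constructed for
illustration. The dialed string is what reaches the gatekeeper after
the PBX has stripped its gateway access code (the "5" in "5212").
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass
class Branch:
    gateway: str      # gateway serving this branch (CPE, or a carrier gateway)
    ext_lo: int       # first PBX extension reachable at the branch
    ext_hi: int       # last PBX extension
    e164: str = ""    # PBX number prefix, used only when reached over the PSTN
    cpe: bool = True  # False: no CPE gateway; carrier gateway dials the PBX (remote on-net)


@dataclass
class DialingPlan:
    vpn: str
    branches: Dict[str, Branch]                      # virtual prefix -> branch
    offnet_gateway: str                              # gateway used for PSTN exit
    allow: List[str] = field(default_factory=list)   # permitted E.164 prefixes
    deny: List[str] = field(default_factory=list)    # restricted E.164 prefixes (win over allow)


@dataclass
class Route:
    kind: str                 # "on-net", "remote-on-net", "off-net" or "reject"
    gateway: Optional[str]    # terminating gateway, None when rejected
    number: str               # extension or full E.164 number the far end must dial
    reason: str = ""


def resolve(plan: DialingPlan, dialed: str, ext_digits: int = 3) -> Route:
    """Resolve a dialed number against ONE VPN's plan.

    Lookup is scoped to the caller's own plan, so extension 212 in one
    company never resolves to extension 212 in another, even when both
    companies share a gatekeeper and overlapping extension ranges.
    """
    if not dialed.isdigit():
        return Route("reject", None, dialed, "non-numeric dial string")

    if len(dialed) == 1 + ext_digits:
        # Short number: one-digit virtual prefix followed by the extension.
        prefix, ext = dialed[0], dialed[1:]
        branch = plan.branches.get(prefix)
        if branch is None or not branch.ext_lo <= int(ext) <= branch.ext_hi:
            return Route("reject", None, dialed, "no such on-net number in VPN " + plan.vpn)
        if branch.cpe:
            return Route("on-net", branch.gateway, ext)
        # Remote on-net: expand the abbreviated number to E.164 so the
        # carrier gateway can reach the branch PBX over the PSTN.
        return Route("remote-on-net", branch.gateway, branch.e164 + ext)

    # Anything else is treated as an off-net E.164 number. A restriction
    # always beats a permission, so a broad allow cannot reopen a blocked range.
    if any(dialed.startswith(p) for p in plan.deny):
        return Route("reject", None, dialed, "prefix restricted")
    if not any(dialed.startswith(p) for p in plan.allow):
        return Route("reject", None, dialed, "prefix not permitted")
    return Route("off-net", plan.offnet_gateway, dialed)


# Two VPNs on one gatekeeper with the same extension range (200-299).
PLANS = {
    "acme": DialingPlan(
        "acme",
        {"1": Branch("gw-acme-london", 200, 299),
         "2": Branch("gw-carrier-tokyo", 200, 299, e164="81312345", cpe=False)},
        offnet_gateway="gw-carrier-newyork",
        allow=["1", "44"],            # North America and the UK
        deny=["1900"],                # premium-rate numbers
    ),
    "globex": DialingPlan(
        "globex",
        {"1": Branch("gw-globex-bogota", 200, 299)},
        offnet_gateway="gw-globex-bogota",
        allow=["57"],
    ),
}

if __name__ == "__main__":
    for vpn, number in [("acme", "1212"), ("acme", "2212"), ("globex", "1212"),
                        ("acme", "3212"), ("acme", "12012287000"), ("acme", "19005551234")]:
        print(vpn, number, resolve(PLANS[vpn], number))
```

The point to check in a real deployment is the scoping: `resolve` is only ever called with the plan of the VPN the caller was admitted to, so the same short number in two plans is two different routes, and a number that is not in the caller's plan is rejected rather than matched against another customer's plan.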
Security
Authentication
Access to network resources is authenticated by the gatekeeper.

Calls that are originated off-site need authentication. The gatekeeper recognizes the subscriber's organization and links the call to the correct dialing plan. In cases where the gateway is owned by the organization, it is possible to link the originating gateway to the proper dialing plan without having to individually associate each user with his/her organization; the gateway's identity, rather than a per-user login, then selects the dialing plan.
Authorization
The gatekeeper controls the different services and routing options used by differentsubscribers and subscriber groups.
Only users associated with a VPN have access to the VPN.
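The authentication and authorization rules above, as an added example that is not VocalTec code: the VPN is derived from a registered organization-owned gateway, or otherwise from the caller's credentials when the call arrives on a shared carrier gateway, and a caller is admitted only to their own VPN and only for the services their profile permits. The gateway registry, user records and PBKDF2 password storage are constructed assumptions; the white paper does not describe how credentials are stored or checked.

```python
"""Gatekeeper-side authentication and authorization for a shared VOIP VPN service.

Added example, not VocalTec code. The gateway registry, user records and
the PBKDF2 password scheme are constructed for illustration; the white
paper only states that the gatekeeper authenticates callers and links
them to the correct dialing plan.
"""
import hashlib
import hmac
import os
from typing import Dict, Optional, Set

# Gateways registered with the gatekeeper. An organization-owned CPE gateway
# is bound to that organization's VPN, so calls arriving from it need no
# per-user login. A carrier gateway is shared by many VPNs and proves nothing
# about the caller, so the VPN must come from the caller's own credentials.
GATEWAYS: Dict[str, Optional[str]] = {
    "gw-acme-london": "acme",
    "gw-carrier-tokyo": None,
}

# Services each VPN's profile permits for calls from its own CPE gateways.
VPN_PROFILES: Dict[str, Set[str]] = {
    "acme": {"on-net", "off-net"},
    "globex": {"on-net"},
}

USERS: Dict[str, dict] = {}


def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 50_000)


def add_user(username: str, password: str, vpn: str, services: Set[str]) -> None:
    salt = os.urandom(16)
    USERS[username] = {"salt": salt, "hash": _hash(password, salt),
                       "vpn": vpn, "services": set(services)}


# Constructed subscriber records.
add_user("alice", "correct horse battery", "acme", {"on-net", "off-net"})
add_user("bob", "hunter2", "globex", {"on-net"})


def identify_vpn(gateway_id: str, username: Optional[str] = None,
                 password: Optional[str] = None) -> Optional[str]:
    """Return the VPN the caller is entitled to, or None if not authenticated."""
    if gateway_id not in GATEWAYS:
        return None                          # unregistered gateway: trust nothing
    bound_vpn = GATEWAYS[gateway_id]
    if bound_vpn is not None:
        return bound_vpn                     # organization-owned gateway selects the plan
    if username is None or password is None:
        return None                          # shared gateway, no credentials given
    user = USERS.get(username)
    if user is None:
        _hash(password, b"\0" * 16)          # same cost as a real check: no user enumeration by timing
        return None
    if not hmac.compare_digest(_hash(password, user["salt"]), user["hash"]):
        return None
    return user["vpn"]


def authorize(caller_vpn: Optional[str], target_vpn: str, service: str,
              username: Optional[str] = None) -> bool:
    """Only members of a VPN may use it, and only for the services their profile allows."""
    if caller_vpn is None or caller_vpn != target_vpn:
        return False
    if username is not None:
        return service in USERS.get(username, {}).get("services", set())
    return service in VPN_PROFILES.get(caller_vpn, set())
```

The two decisions are deliberately separate: `identify_vpn` answers "who is calling and which VPN do they belong to", and `authorize` answers "may this caller use this service in this VPN". A shared carrier gateway never gets a VPN by itself, which is what keeps one customer's off-net users out of another customer's dialing plan.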
Centralized Management

VPN-specific remote management, using VocalTec Network Manager, includes:
• Remote VPN dialing plan management.
• Configuration management
• Authorization profiles configuration
Accounting and Customer Care

Integrated billing systems are supported via VocalTec's AAA API.
The following features are supported:
• CDR tracking (the call’s CDR contains an indication of the call’s VPN identification).
• User profile definition
• Credit / Debit billing
VPN Network Topology

Figure 2 illustrates a VPN network set up for a company distributed across four sites: branches (Points of Presence) at London, Bogota and Amsterdam, and the carrier's Network Operating Center at Tokyo. The solution is based on interoperability with Cisco gateways.
Figure 2. VPN Configuration and Call Procedure (diagram: London, Bogota and Amsterdam branches and the Tokyo NOC, which hosts the VocalTec Gatekeeper, VocalTec Network Manager and Billing System, connected over the IP WAN via Carrier POPs)
The VPN configuration supports the following call modes:
• On net to On Net – intra-organizational calls between two callers on the same VPN
• On net to Off Net – calls from an organization that terminate outside the company's VPN (in the PSTN).
• Off net to On Net – calls from outside the company's VPN (from the PSTN) that terminate within the VPN.
• Off net to Off Net – calls from outside the company's VPN (from the PSTN) that terminate off net (in the PSTN).
These call modes are explained in more detail below.
VPN Call Modes

On-net to On-net
In a distributed corporate environment where each location has its own PBX and a gateway connected to it, a caller from one location can call a PBX extension in a second location seamlessly, despite the fact that the locations are geographically remote, use different PBXs and are connected only via IP.
Figure 3. On-net to On-net (diagram: Company Branch A and Company Branch B, the PSTN, the IP WAN and the Carrier NOC; the numbered steps 1-7 match the procedure below)
A caller from Branch A in the company’s VPN calls seamlessly to a number at Branch B.
1. The on-net caller dials the on-net extension number, including the necessary gateway access code (e.g., 5212, where 5 is the gateway access code and 212 is the requested extension).
2. The PBX transfers the call to the gateway, passing the extension (e.g., 212).
3. The gateway sends an admission request (H.225 RAS ARQ) to the carrier's gatekeeper at the Network Operating Center (NOC).
4. The gatekeeper checks whether the number is authorized. If so, it authorizes the call and returns an authorization token to the gateway, together with a list of gateways that can terminate the call.
5. The originating gateway performs call setup (H.225) with the first terminating gateway on the list and transfers the call.
6. The terminating gateway passes the call on to the switch (the branch PBX).
7. The call is transferred by the switch to the requested extension number (e.g., 212).
Remote On-net to On-net
A variant of on-net to on-net, this mode reduces the need for CPE gateways at each VPN branch. It is a good starting point for a service provider, since the enterprise does not have to purchase gateways up front. At a later stage, the enterprise can upgrade its network by purchasing the necessary CPE gateways.

This mode is a hybrid between on-net to on-net and off-net to on-net. The carrier gateways provide the VPN service to more than one VPN. Based on the VPNs associated with the carrier gateway, the gateway maps an abbreviated dialed number to an E.164 number, and then dials this remote number via the PSTN.
Figure 4. Remote On-net to On-net (diagram: Company Branch A and Company Branch B, the PSTN, the IP WAN and the Carrier NOC; the numbered steps 1-7 match the procedure below)

1. The remote on-net subscriber dials the necessary gateway access code and the remote PBX extension number (e.g., 5212, where 5 is the gateway access code and 212 is the requested extension).
2. The subscriber is connected to the carrier gateway over the PSTN, via the PBX, and enters user credentials if requested.
3. The gateway sends an admission request (H.225 RAS ARQ) to the carrier's gatekeeper at the Network Operating Center (NOC).
4. The gatekeeper checks whether the VPN number is authorized. If so, it authorizes the call and returns an authorization token to the gateway, together with a list of gateways that can terminate the call.
5. The originating gateway performs call setup (H.225) with the first terminating gateway on the list and transfers the call.
6. The remote gateway dials the PBX over the PSTN, using the full E.164 number (e.g., 1-201-2282-212).
7. The call is transferred by the PBX to the requested extension (e.g., 212).
On-net to Off-net

A caller from a corporate location can call external, regular PSTN numbers, either by using a gateway provided by the carrier or by using the company's own corporate gateway, which may be connected through the PBX to the PSTN. The caller cannot exit to the public domain through the gateways of another VPN. For off-net termination, the local domain may use inter-domain resources to extend the dialing plan; i.e., a carrier that has inter-domain relationships with other carriers may offer termination to its local VPN in remote domains, in the same manner as it may provide general-usage gateways.

The caller dials normally, as when calling a regular PSTN number via the PBX.
Figure 5. On-net to Off-net (diagram: On-net and Off-net sides, the PSTN, the IP WAN and the Carrier NOC; the numbered steps 1-7 match the procedure below)
Off-net calls can be made either via the company's own gateways and PBXs or via the gateways deployed by the carrier itself at various points of presence on its network.

1. The on-net caller dials the off-net telephone number (e.g., 228-700).
2. The PBX transfers the call request to the gateway.
3. The gateway sends an admission request (H.225 RAS ARQ) to the carrier's gatekeeper at the Network Operating Center (NOC).
4. The gatekeeper checks whether the number is authorized (including the VPN's E.164 prefix permissions and restrictions). If so, it authorizes the call and returns an authorization token to the gateway.
5. The originating gateway transfers the call to the terminating gateway.
6. The terminating gateway transfers the call to the PSTN CO.
7. The call is transferred by the CO to the requested off-net number (e.g., 228-700).
Off-net to On-net

A caller from the regular PSTN can call a PBX extension that belongs to his/her own VPN (identified by the user's VPN ID in their database record). The caller from the PSTN dials the direct PBX extension of the called number.
Figure 6. Off-net to On-net (diagram: Off-net and On-net sides, the PSTN, the IP WAN and the Carrier NOC; the numbered steps 1-7 match the procedure below)
1. The off-net user dials the gateway access number and enters his/her user name and password in response to an IVR prompt. The gatekeeper verifies that the user is associated with the VPN. The user then dials the on-net extension number (e.g., 212).
2. The CO transfers the call to the carrier's gateway.
3. The gateway sends an admission request (H.225 RAS ARQ) to the gatekeeper. The gatekeeper checks whether the number is authorized.
4. The gatekeeper authorizes the call and returns an authorization token to the originating gateway.
5. The originating gateway transfers the call to the terminating gateway.
6. The terminating gateway transfers the call to the PBX.
7. The call is transferred by the PBX to the requested on-net extension (e.g., 212).
Off-net to Off-net

A caller from an off-net location on the PSTN can call a regular PSTN number, either by using a gateway provided by the carrier or by using the company's own corporate gateway, which may be connected through the PBX to the PSTN. For off-net termination, the local domain may use inter-domain resources to extend the dialing plan; i.e., a carrier that has inter-domain relationships with other carriers may offer termination to its local VPN in remote domains, in the same manner as it may provide general-usage gateways.
Figure 7. Off-net to Off-net (diagram: two Off-net sides, the PSTN at both ends, the IP WAN and the Carrier NOC; the numbered steps 1-6 match the procedure below)
1. The off-net user dials the gateway access number and enters his/her user name and password in response to an IVR prompt. The gatekeeper verifies that the user is associated with the VPN. The user can then dial the off-net destination number (in this case an E.164 number, e.g., 228-700).
2. The CO transfers the call to the carrier's gateway.
3. The gateway sends an admission request (H.225 RAS ARQ) to the gatekeeper. The gatekeeper checks whether the number is authorized.
4. The gatekeeper authorizes the call and returns an authorization token to the originating gateway.
5. The originating gateway transfers the call to the remote gateway, which transfers it to the remote CO.
6. The call is transferred by the CO to the requested off-net number (e.g., 228-700).

NOTE: The carrier or subscriber can choose to terminate some off-net numbers at the gateway and PBX of the VPN's network, rather than at the carrier's own gateways.
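Steps 3 to 5 of the call-mode procedures above (ARQ to the gatekeeper, an authorization token plus a terminating-gateway list in the reply, call setup to the first gateway on the list), as an added example that is not VocalTec code. The white paper does not say what the authorization token contains; here it is an HMAC over the call's fields, keyed with a secret shared by the gatekeeper and its gateways, so a terminating gateway can reject tokens that are forged, expired, issued for other gateways, or issued for a different call. The route table, gateway names and key are constructed.

```python
"""ARQ/ACF admission exchange with an authorization token and an ordered
terminating-gateway list, as in steps 3-5 of the call-mode procedures.

Added example, not VocalTec code. The token format (an HMAC over the
call's fields, keyed with a secret shared by the gatekeeper and its
gateways), the route table, the gateway names and the key are all
assumptions made for illustration.
"""
import hashlib
import hmac
import json
import time
from typing import Dict, List, Optional, Tuple

SHARED_KEY = b"constructed-gatekeeper-gateway-secret"  # provisioned out of band in practice
TOKEN_TTL = 30  # seconds a token stays valid for call setup


def _sign(claims: dict) -> dict:
    body = json.dumps(claims, sort_keys=True).encode()
    return {"claims": claims, "mac": hmac.new(SHARED_KEY, body, hashlib.sha256).hexdigest()}


def gatekeeper_admit(arq: dict, routes: Dict[Tuple[str, str], List[str]],
                     now: Optional[float] = None) -> dict:
    """Answer an ARQ with an ACF (token + gateways that may terminate) or an ARJ."""
    now = time.time() if now is None else now
    gateways = routes.get((arq["vpn"], arq["dst"]))
    if not gateways:
        return {"msg": "ARJ", "reason": "no terminating gateway for this VPN and number"}
    claims = {
        "call_id": arq["call_id"],
        "src_gw": arq["src_gw"],
        "vpn": arq["vpn"],
        "dst": arq["dst"],
        "gateways": list(gateways),   # token is only good at these terminating gateways
        "exp": int(now) + TOKEN_TTL,
    }
    return {"msg": "ACF", "token": _sign(claims), "gateways": list(gateways)}


def terminating_gw_accepts(gw_name: str, setup: dict, now: Optional[float] = None) -> bool:
    """Terminating gateway validates the token before passing the call to its PBX or CO."""
    now = time.time() if now is None else now
    claims, mac = setup["token"]["claims"], setup["token"]["mac"]
    if not hmac.compare_digest(_sign(claims)["mac"], mac):
        return False                                  # forged or tampered token
    if claims["exp"] < now:
        return False                                  # expired (replay of an old admission)
    if gw_name not in claims["gateways"]:
        return False                                  # token was issued for other gateways
    if claims["call_id"] != setup["call_id"] or claims["dst"] != setup["dst"]:
        return False                                  # token reused for a different call
    return True


def originating_gw_place_call(acf: dict, call: dict, reachable: Dict[str, bool],
                              now: Optional[float] = None) -> Optional[str]:
    """Try the gateways in the order the gatekeeper listed them; fall back on failure."""
    for gw in acf["gateways"]:
        if not reachable.get(gw, False):
            continue                                  # H.225 Setup to this gateway failed
        setup = {"call_id": call["call_id"], "dst": call["dst"], "token": acf["token"]}
        if terminating_gw_accepts(gw, setup, now):
            return gw
    return None


# Constructed route table: (VPN, dialed on-net number) -> ordered terminating gateways.
ROUTES = {("acme", "212"): ["gw-acme-newyork", "gw-acme-newyork-backup"]}

if __name__ == "__main__":
    arq = {"call_id": "c1", "src_gw": "gw-acme-london", "vpn": "acme", "dst": "212"}
    acf = gatekeeper_admit(arq, ROUTES)
    print(acf["msg"], originating_gw_place_call(acf, arq, {"gw-acme-newyork": True}))
```

Because the gatekeeper returns a list of candidate gateways rather than one, the token is bound to that list instead of a single gateway; the terminating gateway checks that it is on the list, that the call id and destination match the Setup it received, and that the token has not expired, so a captured token cannot be replayed later or redirected to another destination.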
Glossary

AAA Authentication, Authorization, Accounting
ARQ Admission Request. H.225 RAS message sent by the gateway to the gatekeeper to ask permission to place (or accept) a call; the gatekeeper answers with an Admission Confirm (ACF) or Admission Reject (ARJ).
Carrier Gateways Gateways deployed by the service provider
CPE Gateway Customer Premises Equipment gateway, deployed at a company's local branch
CDR Call Detail Record
H.225 Call signalling (Q.931-based setup and teardown) between H.323 endpoints, and the RAS channel between endpoints and the gatekeeper
H.235 Security for H.323 systems: authentication, integrity and privacy of signalling and media
H.245 Control channel for H.323: capability exchange, commands and indications
H.323 ITU-T standard for real-time voice and video over packet networks without guaranteed quality of service
LCR Least cost routing
LDC Long distance calls.
Off-Net Calls to public number outside a private dialing plan using VPN access.
On-Net Calls between two parties using the same private dialing plan.
RAS Registration, Admission and Status: the H.225 channel between H.323 endpoints and the gatekeeper
VOIP Voice over IP
VPN Virtual Private Network. In this document, VPN refers to a Voice over IP(VOIP) VPN.
VGW VocalTec Telephony Gateway, provides a bridge between packet networks (Internet/Intranet) and the Public Switched Telephone Network.
VGK VocalTec Gatekeeper, the intelligent IP telephony control server, providing addressing, routing, and system security.
VNM VocalTec Network Manager, the network management workstation, used to centrally manage and monitor all the VocalTec architecture components.