IP7 Secure Gateway Overview

2 IP7 Secure Gateway Overview

Chapter 2, IP7 Secure Gateway Overview, describes the basics of the IP7 Secure Gateway functionality.

2.1 Introduction

The IP⁷ Secure Gateway functionality in the EAGLE provides connectivity between SS7 and IP networks, enabling messages to pass between the SS7 network domain and the IP network domain, as follows:

When an EAGLE receives an SS7 formatted message over an SS7 link, the IP⁷ Secure Gateway functionality dynamically converts this message into IP format and routes the re-formatted message over an associated IP link to a destination residing within an IP network.

The IP⁷ Secure Gateway functionality use associations to access the IP domain. Associations identify IP sessions.
Conversely, when the EAGLE receives an IP formatted message over an IP link, the IP⁷ Secure Gateway functionality dynamically converts this message into SS7 format and routes the re-formatted message over an associated SS7 link to a destination residing within the SS7 signaling network.

Address resolution is not performed in the IP to SS7 direction. It is the responsibility of the sending application to ensure that the appropriate SS7 point code information resides in the IP message to allow a valid SS7 message to be constructed for routing to the SS7 network.

2.2 Hardware, Applications, and Functions

The IP7 Secure Gateway functionality is provided by applications that run on IP cards or E5-ENET cards. IP cards provide interfaces between the IMT bus and two 10/100 Base-T IEEE 802.3/DIX Ethernet interfaces. The IP cards, similar to any other Link Interface Module (LIM), use the Interprocessor Message Transport (IMT) bus to communicate with the other cards in the EAGLE. Like other LIMs, the primary job of an IP card is to send and receive SS7 data on a network (in this case, an IP network), and to route that data to other cards in the EAGLE as appropriate.

The IP card can run on the following applications:

iplim or iplimi - Both applications support STP connectivity via MTP-over-IP functionality point-to-point connectivity (for more information, see Point-to-Point Connectivity (IPLIM or IPLIMI Application)).
The iplim and iplimi applications support these types of connections:
- M2PA/SCTP/IP (A, B, C, D, and E links)
- SCP
- SEP
- SCP/SEP
  This type of connection is essentially the same as that of a traditional SS7 point-to-point link, except that the traditional MTP2 and 56Kb/s technology is replaced by IP and Ethernet technology.
  
  The iplim application supports point-to-point connectivity for ANSI networks. The iplimi application supports point-to-point connectivity for ITU networks. With the optional ANSI/ITU MTP Gateway feature and proper configuration, the EAGLE could convert between any of the ANSI, ITU-N, and ITU-I networks, switch traffic between these networks, and perform network management for each of these networks (for more information, see Mixed Networks Using the ANSI/ITUMTP Gateway Feature).
  
  The EAGLE can support up to 100 cards running the iplim and iplimi applications.
ss7ipgw and ipgwi - These applications support the following types of point-to-multipoint connectivity for networks:
- SCP connectivity via SCCP/TCAP-over-IP functionality (for more information, see Connecting to SCPs with SCCP/TCAP Messages Sent Over the IP Network)
- SEP connectivity via ISUP, Q.BICC, and TUP-over-IP functionality (for more information, see Connecting SEPs Using ISUP, Q.BICC, and TUP Messages Over the IP Network)
- SCP/SEP connectivity via non-ISUP, non-SCCP, non-Q.BICC, and non-TUP-over-IP functionality (for more information, see Connecting SCPs and SEPs Using Non-ISUP, Non-SCCP, Non-Q.BICC, and Non-TUP Messages Over the IP Network)
  The ss7ipgw application supports point-to-multipoint connectivity for ANSI networks. The ipgwi application supports point-to-multipoint connectivity for ITU networks.
  
  The EAGLE can support a maximum of 125 cards running the ss7ipgw and ipgwi applications.

In addition to running an iplim, iplimi, ss7ipgw, or ipgwi application, each IP card supports the following functions:

A Simple Network Management Protocol (SNMP) agent. For more information, see SNMP Agent Implementation.
Message Transfer Part (MTP) status. This function is available only on IP cards that support the ss7ipgw or ipgwi application. For more information, see Support for MTP Status Functions.

2.3 IP Connections

IP connections involve the following assignments:

Transport protocol – The SCTP transport protocol is specified by the ent-assoc and chg-assoc commands.
Adapter protocol – The M3UA, M2PA, or SUA adapter protocol is specified by the adapter parameter of the ent-assoc and chg-assoc commands.
One or two near-end (local) hosts – The local host is specified by the lhost parameter of the ent-assoc and chg-assoc commands. A second local host can be specified for an association using the alhost parameter of the ent-assoc and chg-assoc commands, allowing the near-end host of the association to be multi-homed. Specifying only one local host for an association allows the association to be uni-homed.
Far-end (remote) host – The remote host is specified by the rhost parameter of the ent-assoc and chg-assoc commands.
Near-end (local) transport protocol port – The local transport protocol port is specified by the lport parameter of the ent-assoc and chg-assoc commands.
Far-end (remote) transport protocol port – The remote transport protocol port is specified by the rport parameter of the ent-assoc and chg-assoc commands.
SS7 signaling link – specified by the loc and link parameters of the ent-slk command.

The local host is mapped to a particular Ethernet interface on the IP card by linking the local host name of the IP connection to an IP address with the ent-ip-host command. The IP address is also assigned to an IP card and to an Ethernet interface on that IP card using the chg-ip-lnk command. A signaling link on that card is assigned to the IP connection using the link parameter of the ent-assoc and chg-assoc commands and referencing the signaling link on the IP card.

An SCTP association can establish a connection between one local host and one remote host (a uni-homed association) or between multiple local hosts and a remote host (a multi-homed association). It is possible that the remote host may be multi-homed, but the EAGLE allows only one remote host to be specified for a multi-homed association. If an IP node has multiple IP address associated with it, then an SCTP association originating from this node may take advantage of this added connectivity by establishing an SCTP multi-homed association.

For more information on multi-homed associations, see the Multi-Homed SCTP Associations section and the Routing section.

Figure 2-1 shows the components of an SCTP association and how these components interact with each other.

Figure 2-1 SCTP Association Database Relationships

There is no direct correlation between signaling link ports and Ethernet interfaces. A card can be using Ethernet interface A and signaling link B to transmit data to the remote host. Another scenario could have the card using Ethernet interface B and signaling link A to transmit data to the remote host.

The numbers of signaling link ports and Ethernet interfaces on IP cards varies depending on the card type and application running on the card, as shown in Table 2-1. The sections that follow Table 2-1 describe the IP connections supported by each IP card type. The IP connections described in these sections are uni-homed SCTP associations.

Table 2-1 Ethernet Interface and Signaling Link Combinations

Card	Application	Ethernet Interface	Signaling Link
E5-ENET	IPLIMx	A and B	A - A7, B - B7
E5-ENET	IPGWx	A and B	A

IP Connection on an E5-ENET Card Running the IPGWx Application

Figure 2-2 IP Connections using an E5-ENET Card running the IPGWx Applications

The assignment of the transport protocol port number is made through the local host port (lport) and remote host port (rport) parameters of the ent-assoc or chg-assoc commands (for an SCTP association).

Figure 2-3 shows typical IP connection data for a uni-homed SCTP association and how these components interact with each other.

Figure 2-3 Typical SCTP Association Configuration

The IP connection defined by the SCTP association is from local host ipnode-1204 (190.50.1.139), SCTP port 2048, to remote host remote-node-2 (190.50.1.144), SCTP port 3529, using Ethernet interface B on IP card 1204, and signaling link A on IP card 1204.

IP Connection on an E5-ENET Card Running the IPLIMx Application

E5-ENET cards running the IPLIMx applications can have 16 signaling links (A, B, A1, B1, A2, B2, A3, B3, A4, B4, A5, B5, A6, B6, A7 or B7) and 2 Ethernet interfaces (A or B) resulting in a maximum of 16 IP connections, one for each signaling link. Each link can use either Ethernet interface A or B. The local host and alternate host assigned to a signaling link must use different Ethernet interfaces; they cannot be assigned to the same Ethernet interface. Figure 2-4 shows some ways the 16 signaling links and the 2 Ethernet interfaces can be used to establish IP connections.

Figure 2-4 IP Connections using E5-ENET Cards running the IPLIMx Applications

Multi-Homed SCTP Associations

If the IP cards are EDCMs or E5-ENET cards, SCTP associations can have two local hosts, and are referred to as multi-homed associations. A multi-homed association uses both Ethernet interfaces on the IP card. Each Ethernet interface is assigned to a local host. Each local host is assigned to a different local network. One of the local hosts is configured with the lhost parameter of the ent-assoc or chg-assoc commands. The second local host, or alternate local host, is configured with the alhost parameter of the ent-assoc or chg-assoc commands. One of the local hosts references one of the Ethernet interfaces on the IP card and the other local host references the other Ethernet interface on the IP card. The multi-homed SCTP association allows the E5-ENET card to communicate with another node over two networks. Traffic is passed to and from the remote node on either local interface on the card.

An SCTP association can be uni-homed also. A uni-homed association uses only one Ethernet interface (A or B), which is assigned to only one local host. This local host is configured with the lhost parameter of the ent-assoc or chg-assoc commands. For a uni-homed association, the alhost parameter is not be specified with the ent-assoc or chg-assoc commands. A uni-homed association allows the IP card to communicate to another node on one network only. Traffic is passed to and from the remote node on the local interface on the card defined by the lhost parameter.

The remote node can be either uni-homed or multi-homed, and is not dependent on whether or not the local node (containing the local hosts) is uni-homed or multi-homed. For example, Node A can be uni-homed and can be connected to a multi-homed Node B, or a multi-homed Node A can be connected to a uni-homed Node B. Table 2-2 illustrates the possible combinations.

Table 2-2 Uni-Homed and Multi-Homed Node Combinations

Node A	Node B
Uni-homed	Uni-homed
Uni-homed	Multi-homed
Multi-homed	Uni-homed
Multi-homed	Multi-homed

Multi-Homed Associations on EDCMs or E5-ENET Cards Running the IPLIMx Application

A multi-homed association on an IPLIMx card uses both Ethernet interfaces to reach the remote host, but only one signaling link. An association, either uni-homed or multi-homed, can be assigned to only one signaling link. That signaling link can be either signaling link A or B. The local and alternate local hosts are assigned to each Ethernet interface on the IP card. The IPLIMx cards are limited to one IP connection per signaling link. Since the IPLIMx cards can have eight signaling links on the card, eight multi-homed associations can be assigned to an IPLIMx card.

Figure 2-5 shows the ways a multi-homed IP connection can be established on an IPLIMx card. The remote hosts can be multi-homed, but only one remote host can be specified for each multi-homed association in the EAGLE, so only one remote host is shown in Figure 2-5.

Figure 2-5 Multi-Homed Associations on E5-ENET Cards running the IPLIMx Applications

img/multi-homed_iplimx_ethernet_interface_331.jpg

Multi-Homed Associations on E5-ENET Cards Running the IPGWx Applications

A multi-homed association on an IPGWx card uses both Ethernet interfaces to reach the remote host, but only one signaling link, signaling link A on the IPGWx card. The local and alternate local hosts are assigned to each Ethernet interface on the IP card. The IPGWx cards can have up to 50 connections for each IPGWx card. The IPGWx card can contain both uni-homed and multi-homed IP connections, as long as the total number of connections does not exceed 50.

Figure 2-6 shows the way a multi-homed IP connection can be established on an IPGWx card. The remote hosts can be multi-homed, but only one remote host can be specified for each multi-homed association in the EAGLE, so only one remote host is shown in Figure 2-6.

Figure 2-6 Multi-Homed Associations on E5-ENET Cards running the IPGWx Applications

img/multi-homed_ipgwx_ethernet_interface_331.jpg

Figure 2-7 shows the components of the multi-homed SCTP association and how these components interact with each other.

Figure 2-7 Multi-Homed Association Database Relationships

Using the data shown in Figure 2-7, the IP connection is defined as a multi-homed association, connecting to a remote host using local hosts 190.1.5.56 and 189.20.30.137 over SCTP port 3425, using signaling link B on card 1201.

Routing

The IP7 Secure Gateway functionality in the EAGLE support two transport protocols –TCP and SCTP. Although both transport protocols are connection oriented, they differ greatly with respect to operation in a multi-homed host environment. The TCP protocol provides for a point-to-point transport connection. The SCTP protocol implements connections with either point to point, point to multi-point, or multi-point to multi-point connectivity capabilities.

An SCTP IETF connection ( association) is defined as a four-tuple as follows:

local host list – one or more of the local host’s IP interface addresses
local SCTP port
remote host list – one or more of the remote host’s IP interface addresses
remote SCTP port

Based on this definition for an SCTP IETF connection, and the fact that the IPGWx and IPLIMx applications may utilize both Ethernet interfaces (a multi-homed host), an SCTP IETF association can take advantage of multi-homing and be a multi-homed SCTP endpoint. As a multi-homed endpoint, an SCTP IETF connection remains active and usable as long as at least one of the Ethernet interfaces can be reached by the remote host. Multiple paths through multiple interfaces to the remote host provides a more reliable connection. The SCTP IETF protocol is designed to make such a network outage transparent to the application.

In previous releases, an SCTP IETF endpoint could only operate as a uni-homed host using only the Ethernet A interface. In this mode, any SCTP transmission received on or transmitted out of the Ethernet B interface are silently discarded. By using the Ethernet B interface, the SCTP protocol running on the IP card can provide SCTP multi-homing endpoint support – that is, when an SCTP IETF association is formed, it may list both the Ethernet A and B IP addresses for the respective interfaces. As a multi-homed association endpoint, SCTP data would be allowed to flow on either of the Ethernet interfaces and thus provide more robust network connectivity.

In order to provide more flexible network connectivity, an association can be configured as follows with respect to the Ethernet interfaces:

Ethernet A interface only (uni-homed)
Ethernet B interface only (uni-homed)
Ethernet A and B interface (multi-homed)

The interface mode is specified by the lhost and alhost parameters of the ent-assoc or chg-assoc commands.

In previous releases, the lhost parameter of the ent-assoc or chg-assoc commands is used to define the local IP address of the SCTP IETF association endpoint. The IP address would have to be an IP address associated with an Ethernet A interface. With this release, the IP address may be associated with either the Ethernet A or B interfaces. If it is an Ethernet A interface IP address, and the alhost parameter is not specified, then the association operates as a uni-homed SCTP endpoint on Ethernet interface A. If it is an Ethernet B interface IP address, and the alhost parameter is not specified, then the association operates as a uni-homed SCTP endpoint on Ethernet interface B. An association is configured as an SCTP multi-homed endpoint by specifying both the lhost and alhost parameter values with values corresponding to the Ethernet interface IP address for the IP card. The lhost and alhost parameter values represent the IP addresses specified by the chg-ip-lnk command for the specific IP card. Traffic cannot be passed between the Ethernet interfaces on the IP card containing a multi-homed SCTP association. The IP card cannot act as an IP router between the networks defined by the local host and alternate local hosts of a multi-homed association.

A host that is not on the local network, the network identified by the local host’s IP address, can be reached only through a gateway router. A gateway router is a device with more than one physical network connection, and can be connected to multiple networks. Unlike a multi-homed host, a gateway router is permitted to route IP messages between the physical Ethernet interfaces on the IP card. The network portion of the gateway router’s IP address must be the same as the network portion of the IP address of one of the IP addresses of the Ethernet interfaces on the IP card. The gateway router is configured using the defrouter of the chg-ip-card command, or using the ent-ip-rte command.

Static entries are added to the IP Routing table using the ent-ip-rte command. Static routes are usually assigned to give control over which routers are used, allowing different routers to be selected based upon the destination IP address. There are two types of static routes:

host static IP routes
network or subnetwork static IP routes

The default route entry is a special static route. If there is not a specific host or network address in the IP Routing table that matches the destination IP address of an outbound datagram, then the datagram is sent to the default router (gateway) specified by the default route.

An IP route is configured using the ent-ip-rte command with the location of the IP card, the IP address of the gateway router (the gtwy parameter), and the IP address and subnet mask of the destination (that is, host or network). The IP address of the gateway router must be a locally attached IP address (that is, the gateway IP address must share the network portion of one of the two Ethernet interfaces).

When an IP packet is to be transmitted the IP routing table must be interrogated to determine where to send the IP datagram. If the destination IP address is local to the node (that is, directly reachable by an Ethernet interface), then the IP datagram is transmitted directly to the node with that associated IP address. If the destination IP address is determined to not be local to the node, then it must be routed (that is, sent to a gateway to reach its destination).

IP routing requires accessing the IP routing table to select a route. The destination IP address of the outbound datagram is used to search the IP routing table for the most specific route match. The order for selection is:

Host route
Subnetwork route
Network route
Aggregated route
Default route

Based on this selection order if an IP route is found then the outbound IP datagram will be transmitted to the gateway specified by the route. If no IP route is found (where no default route is specified), then the transmission of the datagram fails due to destination unreachable.

The capability to enter static IP routes provides for flexibility and control with respect to controlling network traffic. An IP card can contain up to 64 IP routes. The EAGLE can contain up to 1024 IP routes.

2.4 Point-to-Point Connectivity (IPLIM or IPLIMI Application)

The following sections describe the types of point-to-point connectivity provided, and how routing is accomplished, by the iplim or iplimi application:

Connecting STPs Over the IP Network

This functionality allows the use of an IP network in place of point-to-point SS7 links to carry SS7MSUs. Figure 2-8 shows a diagram of this type of network. For example, the C links between the mated pair of STPs or A/B/D links between STPs can be replaced by an IP network. The IP⁷ Secure Gateway functionality is deployed on both ends of the link (point-to-point connection). The EAGLE converts the SS7MSUs to IP packets on one end of the link, and IP packets to SS7MSUs on the other end of the link. The IPLIMx applications support M2PA/SCTP/IP associations over A, B, C, D, and E links.

Figure 2-8 EAGLE Network (STP Connectivity via MTP-over-IP)

img/c_point_point_connectivity_iplim_iplimi_overview_dbadmin_ip7_fig1.jpg

2.5 Point-to-Multipoint Connectivity (SS7IPGW and IPGWI)

The following sections describe the types of point-to-multipoint connectivity, how routing is accomplished, and the MTP status functions provided by the ss7ipgw and ipgwi applications:

Connecting to SCPs with SCCP/TCAP Messages Sent Over the IP Network

This functionality allows SS7 nodes to exchange SCCP/TCAP queries and responses with an SCP residing on an IP network. Figure 2-9 shows a diagram of this type of network.

Figure 2-9 IP Network (SCP Connectivity via TCAP-over-IP)

img/c_point_point_connectivity_ss7ipgw_ipgwi_overview_dbadmin_ip7_fig1.jpg

The EAGLE manages the virtual point codes and subsystem numbers for the IP-SCP. From the SS7 network perspective, the TCAP queries are routed using these virtual point codes/SSNs. The EAGLE maps the virtual point code/SSN to one or more TCP sessions (point-to-multipoint connection), converts the SS7MSUs to IP packets by embedding the SCCP/TCAP data inside IP packets, and routes them over an IP network. The EAGLE also manages application subsystem status from an IP network's perspective and an SS7 network's perspective.

The following sequence of events illustrates this functionality:

Traditional SS7 devices route MSUs (such as TCAP Queries) to the EAGLE.
The EAGLE performs a global title translation and forwards the translated MSU to the correct IP device based on Point Code and SCCP Subsystem information in the MSU.
The TCAP query is processed at the IP-SCP, and the IP-SCP sends a TCAP reply back to the EAGLE.
The EAGLE forwards the TCAP reply back to the sender of the original query.

Connecting SEPs Using ISUP, Q.BICC, and TUP Messages Over the IP Network

This point-to-multipoint functionality allows SS7 nodes to exchange ISUP, Q.BICC, and TUP protocol messages with one or more signaling end points (class 4 switches, class 5 switches, VoIP gateways, Media Gateway Controllers, or Remote Access Servers) residing on an IP network. Figure 2-10 shows an example of this type of network.

Figure 2-10 IP Network (SEP connectivity via ISUP, Q.BICC, and TUP-over-IP)

img/c_point_point_connectivity_ss7ipgw_ipgwi_overview_dbadmin_ip7_fig2.jpg

The EAGLE maps the originating point code, destination point code, and circuit identification code to an IP connection. The SEP is provided the originating and destination point codes in the MTP level 3 routing label as part of the passed protocol.

Connecting SCPs and SEPs Using Non-ISUP, Non-SCCP, Non-Q.BICC, and Non-TUP Messages Over the IP Network

This point-to-multipoint functionality allows SS7 nodes to exchange non-ISUP, non-SCCP, non-Q.BICC, and non-TUP protocol messages with one or more IP-based devices residing on an IP network. The network example is similar to the SCP connectivity via SCCP/TCAP-over-IP functionality example shown in Figure 2-9. The EAGLE maps the destination point code, and service indicator (non-ISUP, non-SCCP, non-Q.BICC, non-TUP) to an IP connection.

Understanding Routing for SS7IPGW and IPGWI Applications

The ss7ipgw and ipgwi applications can use a single point code, called a virtual point code. This code is assigned to a set of IP devices that it connects to. The EAGLE distinguishes between the devices within the set by using application routing keys and application servers.

Application routing associates SS7 routing keys with application servers. SS7 routing keys define a filter based on SS7 message data. Application servers define the connection between the IP local host/local transport protocol port and IP remote host/remote transport protocol port.

An application server is a logical entity serving a specific routing key. The application server contains a set of one or more unique application server processes, of which one or more is normally actively processing traffic. An application server process is a process instance of an application server and contains an SCTP association. For more information on application servers, application server processes, and SCTP associations, see the IETF Adapter Layer Support section.

If the routing key filter matches the SS7 message presented for routing to the IP network, the SS7 message is sent to the associated application server.

Only one application server can be associated with each SS7 routing key. One application server can have up to 16 associations. SS7 messages delivered to the IP network using a routing key are distributed over the available application server based on the SLS (signaling link selector) value in the SS7 message.

Routing keys can be fully or partially specified, or specified by default.

Full Routing Keys

For this routing application, all applicable fields in the Message Signaling Unit (MSU) must match the contents of the full routing key. Table 2-3 defines which SS7 message parameters are used to search for a match for full routing keys for each of the functions supported by the ss7ipgw and ipgwi applications (IPGWx functionality).

Table 2-3 SS7 Full Routing Keys per IPGWx Functionality

IPGWx Functionality (ANSI and ITU)	SS7 Routing Keys
SCP connectivity via TCAP-over-IP	Destination Point Code Service Indicator (=3) Subsystem Number
SEP connectivity via ISUP-over-IP	Destination Point Code Service Indicator (=5) Originating Point Code CIC Range Start CIC Range End
SEP connectivity via Q.BICC-over-IP	Destination Point Code Service Indicator (=13) Originating Point Code CIC Range Start CIC Range End
SEP connectivity via TUP-over-IP (ITU only)	Destination Point Code Service Indicator (=4) Originating Point Code CIC Range Start CIC Range End
SCP/SEP connectivity via non-ISUP, non-SCCP, non-Q.BICC, non-TUP-over-IP	Destination Point Code Service Indicator (any value other than 3, 4*, 5, and 13)
* The service indicator value of 4 can be used in this instance if the DPC is an ANSI point code.

Partial Routing Keys

Partially specified routing keys are explicitly, but not completely defined. These routing keys ignore some of the contents of the MSU. The parts of the MSU that are ignored are specific. For example, for the ‘ignore cic’ partial-key type, the destination point code (dpc), service indicator (si), and originating point code (opc) must be configured, but the circuit identification code (cic) field does not have to be configured. The other types of SS7 partial routing keys are as follows:

dpc, si, and opc specified (ignore cic for CIC-based messages)
dpc and si specified (ignore ssn for sccp messages)
dpc and si specified (ignore opc and cic for CIC-based messages)
dpc specified (ignore all but the dpc field)
si specified (ignore all but the si field)

Default Routing Keys

Default routing keys do not need any part of the MSU specified. This routing key can be used to carry any SS7MSU, regardless of the type of MSU or the fields that make up the MSU.

Routing Key Tables

Each IP card has a Routing Key table that maps SS7 routing keys to IP connections, as illustrated by the example in Table 2-4. MSUs that match the parameters in a given row are sent over one of the IP connections shown for that row (up to 16 IP connections can be defined for a single routing key). Multiple IP connections for a given row allow load sharing. In addition, multiple routing keys can be used to send traffic to a single IP connection.

Each IP card’s Routing Key table can contain up to 2500 entries. Entries in the Routing Key table are defined by the ent-appl-rtkey command entered through the OAM, saved on disk, and reloaded to each IP card upon reset. The routing key entries can be full, partial, or default routing keys. The entries in one IP card’s Routing Key table are identical to the entries in the other IP card’s table. The entries can be changed by the chg-appl-rtkey command or removed by the dlt-appl-rtkey command.

Table 2-4 shows a sample Routing Key table that has one entry for an SSCP/TCAP-over-IP connection; one entry each for an ISUP, Q.BICC, and TUP-over-IP connection; and a non-SCCP/non-ISUP/ non-Q.BICC/non-TUP connection.

Table 2-4 Example SS7 Routing Key Table

SS7 DPC Routing Key Parameter	SS7 SI Routing Key Parameter	SS7 SSN Routing Key Parameter	SS7 OPC Routing Key Parameter	CIC START Routing Key Parameter	CIC END Routing Key Parameter	Name of IP Connections that carry traffic for that Routing Key
DPC-SI-SSN routing key for SSCP/TCAP-over-IP connectivity
5-5-5	03	6	-	-	-	kchlr11201 kchlr21201 kchlr11203 kchlr21203
ISUP-CIC routing key for ISUP-over-IP connectivity
5-5-6	05	-	4-4-4	1	100	dnmsc11201 dnmsc21201 dnmsc11203 dnmsc21203
Q.BICC-CIC routing key for Q.BICC-over-IP connectivity
4363	13	-	5834	48486	48486	lpmsg11204 lpmsg21204 lpmsg31204
TUP-CIC routing key for TUP-over-IP connectivity
1-44-2	04	-	2-5-1	3948	3948	lpmsg11205 lpmsg21205 lpmsg31205
DPC-SI routing key for non-SCCP/non-ISUP/non-Q.BICC/non-TUP connectivity
5-5-7	02					sfhlr11204

Routing Key Lookup Hierarchy

To facilitate the delivery of Message Signaling Units (MSUs) that do not match full routing key entries in the Routing Key table, each MSU is processed and delivered according to a specific routing key lookup hierarchy. The hierarchy guarantees that the MSU is delivered to the best possible location based on the MSU’s closest match in the Routing Key table, and also prevents MSUs without full routing key matches from being discarded. Table 2-5 defines the routing key lookup hierarchy.

Table 2-5 Routing Key Lookup Hierarchy

Type of MSU	Lookup Order per MSU Type	Segment of MSU that Must Match Routing Key	Routing Key Type
CIC	1	`dpc` + `si`+ `opc`+`cic`	Full
	2	`dpc` + `si` + `opc` (ignore `cic`)	Partial
	3	`dpc` + `si` (ignore `opc` & `cic`)	Partial
	4	`dpc` (ignore `si`, `opc` & `cic`)	Partial
	5	`si` (ignore `dpc`, `opc` & `cic`)	Partial
	6	None	Default
SCCP	1	`dpc` + `si` + `ssn`	Full
	2	`dpc` + `si` (ignore `ssn`)	Partial
	3	`dpc` (ignore `si` & `ssn`)	Partial
	4	`si` (ignore `dpc` & `ssn`)	Partial
	5	None	Default
OtherSI	1	`dpc` + `si`	Full
	2	`dpc` (ignore `si`)	Partial
	2	`si` (ignore `dpc`)	Partial
	3	None	Default

When an MSU has an si value of 5, 13, or 4 (ITU only), it is a CIC message. Messages with an si value of 3 are SCCP messages. All other MSUs are considered OtherSI messages. The EAGLE first tries to match each MSU with a full routing key and second with one of the partial keys as numbered in ascending order in the table. Third, if no segment of the routing key matches either full or partial routing keys, the EAGLE assigns the MSU a default routing key.

Support for MTP Status Functions

This feature, available only on IP cards that support the ss7ipgw and ipgwi applications, allows the Message Transfer Part (MTP) status of point codes in the SS7 networks to be made available to IP-connected media gateway controllers (MGCs) and IP-SCPs. This feature is similar to the MTP3 network management procedures used in an SS7 network.

This feature enables an IP device to:

Divert traffic from a secure gateway that is not able to access a point code that the mated secure gateway can access
Audit point code status
Build up routing tables before sending traffic
Be warned about network congestion
Abate congestion (ss7ipgw application only)
Obtain SS7 User Part Unavailability status

2.6 SNMP Agent Implementation

This feature implements a Simple Network Management Protocol (SNMP) agent on each IP card that runs the ss7ipgw, ipgwi, iplim, or iplimi applications. SNMP is an industry-wide standard protocol used for network management. SNMP agents interact with network management applications called Network Management Systems (NMSs).

Supported Managed Object Groups

The SNMP agent maintains data variables that represent aspects of the IP card. These variables are called managed objects and are stored in a management information base (MIB). The SNMP protocol arranges managed objects into groups. Table 2-6 shows the groups that are supported.

Table 2-6 SNMP Object Groups

Group Name	Description	Contents
system	Text description of agent in printable ASCII characters	System description, object identifier, length of time since reinitialization of agent, other administrative details
interfaces	Information about hardware interfaces on the IP card	Table that contains for each interface, speed, physical address, current operational status, and packet statistics
ip	Information about host and router use of the IP	Scalar objects that provide IP-related datagram statistics, and 3 tables: address table, IP-to-physical address translation table, and IP-forwarding table
icmp	Intranetwork control messages, representing various ICMP operations within the IP card	26 scalar objects that maintain statistics for various Internet Control Message Protocol (ICMP) messages
tcp	Information about TCP operation and connections	14 scalar objects that record TCP parameters and statistics, such as the number of TCP connections supported and the total number of TCP segments transmitted, and a table that contains information about individual TCP connections
udp	Information about UDP operation	4 scalar objects that maintain UDP-related datagram statistics, and a table that contains address and port information
snmp	Details about SNMP objects	30 scalar objects, including SNMP message statistics, number of MIB objects retrieved, and number of SNMP traps sent

Supported SNMP Messages

The SNMP agent interacts with up to two NMSs by:

Responding to Get and GetNext commands sent from an NMS for monitoring the IP card.
Responding to Set commands sent from an NMS for maintaining the IP card and changing managed objects as specified.
Sending Trap messages to asynchronously notify an NMS of conditions such as a link going up or down. Traps provide a way to alert the NMS in a more timely fashion than waiting for a Get or GetNext from the NMS. Two hostnames, DCMSNMPTRAPHOST1 and DCMSNMPTRAPHOST2, are utilized to specify the SNMPNMS to which traps are sent. In this release, only the following traps are supported:
- coldStart, sent one time only when the IP stack initialization occurs on the IP card as part of boot processing
- linkUp, sent when one of the ports on the IP card initially comes up or recovers from a previous failure
- linkDown, sent when one of the ports on the IP card fails

When a trap occurs at the IP card agent, the agent sends the trap to each of the SNMP specific host names that can be resolved to an IP address. Resolution is based on configuration data in the chg-ip-card command (or default data) which specifies DNS search order and DNS information.

Deviations from SNMP Protocol

Table 2-7 shows how the EAGLE deviates from the standard SNMP protocol definition.

Table 2-7 Deviations from SNMP Protocols

Group	Variable Name	Usage	Deviation
system	sysContact	Text identification of contact information for agent	Cannot be set by Set command; may be set only by `chg-sg-opts` command.
	sysLocation	Physical location of agent	Cannot be set by Set command; internally set using configuration data already available; set to <CLLI>-<slot of IP card>
	sysName	Administratively assigned name for agent	Cannot be set by Set command; internally set using configuration data already available; set to <CLLI>-<slot of IP card>
interface	ifAdminStatus	Desired state of the interface	Cannot be set by Set command (to ensure that an NMS does not disrupt SS7 traffic by placing an IP interface in a nonoperable state)
ip	ipForwarding ipDefaultTTL ipRoute Dest ipRouteIfIndex ipRouteMetric1-5 ipRouteNextHop ipRouteType iprouteAge ipRouteMask	IP route-specific values	Cannot be set by Set command
ip	ipNetToMediaIfIndex ipNetToMediaPhysAdress ipNetToMediaNetAddress ipNetToMediaType	IP-address specific information	Can be set by Set command, but not saved across IP card reloads
tcp	tcpConnState	State of a TCP connection	Cannot be set by Set command
snmp	snmpEnableAuthenTraps	Indicate whether agent is permitted to generate authentication failure traps	Cannot be set by Set command

2.7 Mixed Networks Using the ANSI/ITUMTP Gateway Feature

The optional ANSI/ITUMTP Gateway feature, now also available for IP networks, and the addition of the iplimi and ipgwi applications enables the EAGLE to act as an interface between nodes that support ANSI, ITU-I, and ITU-N protocols. For more information on the ANSI/ITUMTP Gateway feature, contact your Oracle Sales Representative.

Figure 2-11 shows an example of a complex network that includes all these types of nodes. Table 2-8 provides more detail about the nodes, network types, and point codes used in this example.

The following SS7 protocol constraints determine how the network must be configured:

A linkset is a group of links that terminate into the same adjacent point code. All links in the linkset can transport compatible MSU formats. The network type of the linkset is the same as the network type of the adjacent point code assigned to the linkset.
When nodes in different networks need to communicate, each node must have either a true point code or an alias point code for each of the network types. For example, if Node 1 (in an ANSI network) needs to communicate to Node 7 (in an ITU-N network), Node 1 must have an ANSI true point code and an ITU-N alias point code, while Node 7 must have an ITU-N true point code and an ANSI alias point code.
The systems are usually deployed as mated pairs. The links connecting the EAGLE to its mate are C links. Each EAGLE must have a C linkset for each network type that the EAGLE connects to. Therefore, in Figure 2-11, Nodes 5 and 6 are connected with three linksets, one each for ANSI traffic, ITU-I traffic, and ITU-N traffic.

To perform routing, the EAGLE must convert the routing labels in MSUs. To perform this conversion, every destination point code (DPC), originating point code (OPC), and concerned point code must be defined in the Routing table. Even if the EAGLE does not route MSUs to these nodes, they must be provisioned in the Routing table to provision the alias point codes required in the conversion process.

Figure 2-11 Complex Network with ANSI, ITU-I, and ITU-N Nodes

Table 2-8 Nodes and Point Codes in Complex Network Example

Node	Node Type	Network Types Supported	True Point Codes1	Alias Point Codes2
1	SSP	ANSI	A1	N1, I1
2	SSP	ANSI	A2	I2
3	SSP	ANSI	A3	N3, I3
4	SSP	ANSI	A4	N4
5	STP (with IP⁷ Secure Gateway functionality)	ANSI, ITU-N, ITU-I	A5, N5, I5
6	STP (with IP⁷ Secure Gateway functionality)	ANSI, ITU-N, ITU-I	A6, N6, I6
7	STP (with IP⁷ Secure Gateway functionality)	ITU-N, ITU-I	N7, I7	A7
8	STP (with IP⁷ Secure Gateway functionality)	ITU-N, ITU-I	N8, I8	A8
9	STP (with IP⁷ Secure Gateway functionality)	ITU-N, ITU-I	N9, I9	A9
10	STP (with IP⁷ Secure Gateway functionality)	ITU-N, ITU-I	N10, I10	A10
11	SSP	ITU-N	N11	I11, A11
12	SSP	ITU-I	I12	N12, A12
13	SSP	ITU-I	I13	N13, A13
14	SSP	ITU-N	N14	I14, A14
15	SSP	ITU-I	I15	N15, A15
16	SSP	ITU-I	I16	N16, A16
Notes: 1. A true point code (TPC) defines a destination in the EAGLE’s destination point code table.A TPC is a unique identifier of a node in a network. An STP (with IP7 Secure Gateway functionality) must have a TPC for each network type that the EAGLE connects to. An SSP connects to only one type of network, so it has only one TPC. 2. An alias point code is used to allow nodes in other networks to send traffic to and from a EAGLE when that EAGLE does not have a TPC for the same network type.

The configured links and point codes in the complex network shown in Figure 2-11 allows most nodes to communicate with other nodes. However, note that Node 2 cannot communicate with Node 13 or Node 16, or with any node in the ITU-N network because Node 2 does not have an ITU-N alias point code.

Routing and Conversion Within a Single Network Type

The following steps demonstrate how an EAGLE routes and converts when an ITU-N node sends an MSU to another ITU-N node. For example, assume that Node 11 in Figure 2-11 sends an MSU to Node 14. The MSU is routed from Node 11 to Node 7 to Node 5 to Node 9 to Node 14. The following steps describe the actions performed at Node 5 (an STP with IP⁷ Secure Gateway functionality):

An ITU-N formatted MSU (which has a network identifier=01b and a 14-bit destination point code/originating point code) is received on an iplimi card (for this example at location 1103).
MSU discrimination is performed with the following substeps:
1. Compare the received network identifier (NI) to the list of valid NIs. (Each configured linkset for a receiving link has a defined list of valid NIs.) If the comparison fails, the MSU is discarded and an STP measurement is logged. In this example, the received NI (01b) is valid for an iplimi card.
2. Extract the NI and destination point code (DPC) from the received MSU.
3. Determine whether the destination of the received MSU is this STP. If not (as is the case in this example), the MSU is passed to the STP’s routing function.
The routing function selects which outgoing link to use by searching a routing table for an entry for the DPC (N14 in this example). The routing table identifies another iplimi card (for this example at location 1107) to be used for the outgoing link.
Determine whether MSU conversion is required (required when the source network type is not the same as the destination network type). In this example, both Node 11 and Node 14 are ITU-N nodes, so conversion is not required.
Forward the MSU across the Interprocessor Message Transport (IMT) bus from location 1103 to location 1107, where the MSU is transmitted out the link towards Node 14.

Routing and Conversion Between Different Network Types

The routing and conversion steps performed by a EAGLE when an ITU-N node sends an MSU to an ITU-I node are the same as the steps shown in the Routing and Conversion Within a Single Network Type section, except for the conversion step.

For example, assume that Node 11 in Figure 2-11 sends an MSU to Node 16. The MSU is routed from Node 11 to Node 7 to Node 5 to Node 9 to Node 16. The following steps describe the actions performed at Node 5 (an EAGLE with IP⁷ Secure Gateway functionality):

Perform step 1 through step 3 as shown in the Routing and Conversion Within a Single Network Type section. In this example, assume that the routing function determines that the outgoing link is configured on the IP card at location 1203.
Determine whether MSU conversion is required (required when the source network type is not the same as the destination network type). In this example, Node 11 is an ITU-N node and Node 16 is an ITU-I node, so conversion is required. Conversion consists of two phases: Message Transfer Part (MTP) conversion and user part conversion.
Perform MTP conversion (also known as routing label conversion). The following parts of the MSU can be affected by MTP conversion:
- Length indicator — for ITU-N to ITU-I conversion, the length of the MSU does not change
- Service Information Octet (SIO), Priority — for conversion to ITU, the priority is set to 0. For conversion to ANSI, the priority is set to a default of 0, which can later be changed based on user part conversion.
- Service Information Octet (SIO), Network Indicator — the NI bits are set to the NI value for the destination node. In this example, NI is set to 00b.
- Routing Label, Destination Point Code (DPC) — the DPC is replaced with the destination’s true point code. In this example, N16 is replaced by I16.
- Routing Label, Originating Point Code (OPC) — the OPC is replaced with the appropriate network type’s alias point code for the originating node. In this example, N11 is replaced with I11.
- Routing Label, Signaling Link Selector (SLS) — no SLS conversion is required between ITU-I and ITU-N nodes. However, if one of the nodes were an ANSI node, conversion would be required between a 5-bit or 8-bit SLS for ANSI nodes and a 4-bit SLS for ITU nodes.
Perform user part conversion, if necessary. Currently, only SCCP traffic and only network management messages have the Message Transfer Part (MTP) converted. All other user parts have their data passed through unchanged.
Forward the MSU across the Interprocessor Message Transport (IMT) bus from location 1103 to location 1203, where the MSU is transmitted out the link towards Node 16.

2.8 IETF Adapter Layer Support

2.8.1 Overview

The current implementation of the IETF adapter layers in the EAGLE uses three adapter layers: SUA, M3UA, and M2PA. These adapter layers are assigned to SCTP associations which define the connection to the far end. An SCTP association is defined in the EAGLE by the local host name, the local SCTP port, the remote host name, and the remote SCTP port.

The three adapter layers used in the EAGLE are supported depending on the type of IP card being used for the IP connection. The SUA and M3UA adapter layers can be used only on IPGWx cards (cards running either the SS7IPGW or IPGWI applications). The M2PA adapter layer can be used only on IPLIMx cards (cards running either the IPLIM or IPLIMI applications).

SCTP associations on IPGWx cards use routing keys to distinguish between the IP devices being connected to. SCTP associations cannot be assigned directly to routing keys. To get an SCTP association ultimately assigned to a routing key, the IETF adapter layers use the concept of the application server (AS). The SCTP association is assigned to an application server. One or more associations are normally actively processing traffic. A group of associations (up to 16) can be assigned to an application server. An application server, a logical entity serving a specific routing key, is assigned to a routing key. This results in assigning the SCTP association, up to a maximum of 16, to a routing key.

The IETFSUA and M3UA adapter layers are supported on IPGWx cards. These adapter layers support the full implementation of the AS and routing key for the EAGLE. SCTP associations assigned to IPGWx cards can be assigned to application servers and routing keys.

The IETFM2PA adapter layer is supported on IPLIMx cards. The M2PA adapter layer does not support application servers, therefore SCTP associations assigned to M2PA links on IPLIMx cards cannot be assigned to application servers.

Figure 2-12 shows a typical configuration with four connections (SCTP associations) out of the EAGLE using IPGWx cards. Each association is connected to a process on the far end.

Figure 2-12 AS/Association Relationship

img/c_overview_overview_dbadmin_ip7-fig1.jpg

Feature Components

The EAGLE with IP⁷ Secure Gateway functionality is used as a signaling gateway between the PSTN and IP networks as shown in Figure 2-13. This figure shows that signaling gateways interface with media gateway controllers (MGCs) and MGCs interface with media gateways (MGs).

Figure 2-13 SG/MGC/MG Network Diagram

img/c_overview_overview_dbadmin_ip7_fig3.jpg

To provide a signaling gateway solution that will be able to communicate with a larger number of IP devices, the EAGLE needs to be able to communicate with multiple MGCs which are using SCTP as the transport layer and M3UA, M2PA, or SUA as an adapter layer. On an IPLIMx card, the M2PA adapter layer can be used with SCTP as shown in Figure 2-14. On an IPGWx card, the M3UA and SUA adapter layers can be used with SCTP as shown in Figure 2-15.

Figure 2-14 IPLIMx Protocol Stack with SCTP as the Transport Layer

img/c_overview_overview_dbadmin_ip7_fig5.jpg

Figure 2-15 IPGWx Protocol Stack with SCTP as the Transport Layer

img/c_overview_overview_dbadmin_ip7_fig6.jpg

SUA Layer

The SUA layer, only supported on IP cards running either the SS7IPGW or IPGWI applications (IPGWx cards), was designed to fit the need for the delivery of SCCP-user messages (MAP & CAP over TCAP, RANAP, etc.) and new third generation network protocol messages over IP between two signaling endpoints. Consideration is given for the transport from an SS7 signaling gateway to an IP signaling node (such as an IP-resident database). This protocol can also support transport of SCCP-user messages between two endpoints wholly contained within an IP network. The layer is expected to meet the following criteria:

Support for transfer of SS7SCCP-User Part messages (for example, TCAP, RANAP, etc.)
Support for SCCP connectionless service.
Support for the seamless operation of SCCP-User protocol peers
Support for the management of SCTP transport associations between a signaling gateway and one or more IP-based signaling nodes).
Support for distributed IP-based signaling nodes.
Support for the asynchronous reporting of status changes to management

Depending upon the SCCP-users supported, the SUA layer supports the four possible SCCP protocol classes transparently. The SCCP protocol classes are defined as follows:

Protocol class 0 provides unordered transfer of SCCP-user messages in a connectionless manner.
Protocol class 1 allows the SCCP-user to select the in-sequence delivery of SCCP-user messages in a connectionless manner.
Protocol class 2 allows the bi-directional transfer of SCCP-user messages by setting up a temporary or permanent signaling connection.
Protocol class 3 allows the features of protocol class 2 with the inclusion of flow control. Detection of message loss or mis-sequencing is included.

Protocol classes 0 and 1 make up the SCCP connectionless service. Protocol classes 2 and 3 make up the SCCP connection-oriented service.

The SUA layer supports the following SCCP network management functions:

Coord Request
Coord Indication
Coord Response
Coord Confirm
State Request
State Indication
Pcstate Indication

The SUA layer provides interworking with SCCP management functions at the signaling gateway for seamless inter-operation between the SCN network and the IP network. This means:

An indication to the SCCP-user at an application server process that a remote SS7 endpoint/peer is unreachable.
An indication to the SCCP-user at an application server process that a remote SS7 endpoint/peer is reachable.
Congestion indication to SCCP-user at an application server process.
The initiation of an audit of remote SS7 endpoints at the signaling gateway.

M3UA Layer

The M3UA layer, supported on only IPGWx cards, was designed to fit the need for signaling protocol delivery from an SS7 signaling gateway to a media gateway controller (MGC) or IP-resident database. The layer is expected to meet the following criteria:

Support for the transfer of all SS7MTP3-User Part messages (for example, ISUP, SCCP, TUP, etc.)
Support for the seamless operation of MTP3-User protocol peers
Support for the management of SCTP transport associations and traffic between a signaling gateway and one or more MGCs or IP-resident databases
Support for MGC or IP-resident database process fail-over and load-sharing
Support for the asynchronous reporting of status changes to management

The M3UA layer at an application server provides a set of primitives at its upper layer to the MTP3-Users that is the equivalent of those provided by the MTP Level 3 to its local users at an SS7 SEP. In this way, the ISUP or SCCP layer at an application server process is unaware that the expected MTP3 services are offered remotely from an MTP3 Layer at a signaling gateway, and not by a local MTP3 layer. The MTP3 layer at a signaling gateway may also be unaware that its local users are actually remote user parts over the M3UA layer. The M3UA layer extends access to the MTP3 layer services to a remote IP-based application. The M3UA layer does not provide the MTP3 services.

The M3UA layer provides the transport of MTP-TRANSFER primitives across an established SCTP association between a signaling gateway and an application server process and between IPSPs. The MTP-TRANSFER primitives are encoded as MTP3-User messages with attached MTP3 Routing Labels as described in the message format sections of the SCCP and ISUP recommendations. In this way, the SCCP and ISUP messages received from the SS7 network are not re-encoded into a different format for transport to or from the server processes. All the required MTP3 Routing Label information (OPC, DPC, and SIO) is available at the application server process and the IPSP as is expected by the MTP3-User protocol layer.

At the signaling gateway, the M3UA layer also provides inter-working with MTP3 management functions to support seamless operation of the signaling applications in the SS7 and IP domains. This includes:

Providing an indication to MTP3-Users at an application server process that a remote destination in the SS7 network is not reachable.
Providing an indication to MTP3-Users at an application server process that a remote destination in the SS7 network is now reachable.
Providing an indication to MTP3-Users at an application server process that messages to a remote MTP3-User peer in the SS7 network are experiencing SS7 congestion
Providing an indication to MTP3-Users at an application server process that a remote MTP3-User peer is unavailable.

The M3UA layer at the signaling gateway maintains the availability of all configured remote application server processes, in order to manage the SCTP Associations and the traffic between the signaling gateway and application server processes. As well, the Active/Inactive state of remote application server processes is also maintained - Active application server processes are those currently receiving traffic from the signaling gateway.

M2PA Layer

The M2PA layer, supported only on IPLIMx cards, is a peer-to-peer protocol and provides mappings for all SS7 messages. In a peer-to-peer mode, either side of the IP connection may initiate the connection.

The M2PA layer lies below MTP3 in the protocol stack. Figure 2-16 shows the protocol layers in three interconnected nodes involving the M2PA layer.

Figure 2-16 M2PA in the IP⁷ Signaling Gateway

img/c_overview_overview_dbadmin_ip7_fig7.jpg

The M2PA layer receives the primitives sent from MTP3 to its lower layer. The M2PA layer processes these primitives or maps them to appropriate primitives at the M2PA/SCTP interface. Likewise, the M2PA layer sends primitives to MTP3 like those used in the MTP3/MTP2 interface.

The M2PA layer provides MTP2 functionality that is not provided by SCTP. This includes:

Reporting of link status changes to MTP3
Processor outage procedure
Link alignment procedure

The M2PA layer allows MTP3 to perform all of its Message Handling and Network Management functions with IPSPs as with other SS7 nodes.

The M2PA layer also supports full retrieval because it assigns sequence numbers to all protocol messages and provides for acknowledgements from the M2PA peer. This means that an M2PA signaling link is able to execute the Change-Over and Change-Back procedures. The M2PA layer makes use of the SS7 Extended Changeover (XCO) and SS7 Extended Changeover Acknowledgement (XCA) messages in order to communicate 24-bit sequence numbers with the peer.

SCTP

SCTP is a protocol designed to operate on top of a non-reliable protocol such as IP, while providing a reliable data delivery to the SCTP user. The SCTP protocol is designed to be a discrete protocol.

Although SCTP is similar in some respects to the Transport Control Protocol (TCP), it differs in several key areas. The two protocols are similar in that they both provide reliable data delivery over a non-reliable network protocol (IP). The SCTP protocol is a more robust and higher performance protocol than TCP.

Broader Definition of Connection Four-Tuple

The TCP protocol defines a connection via a four-tuple – a specific local IP address, local transport protocol port, a specific remote host IP address and remote transport protocol port. The TCP connection is point-to-point and once the session is established the four-tuple can not change. SCTP uses a similar four-tuple concept, but provides for the local and remote IP address values to be a list of IP addresses. SCTP allows a multi-homed host, with multiple network interfaces and more than one way to reach the far-end host, the capability to make use of this additional network connectivity to support the transport of data via the SCTP protocol. Redundancy through the support of multi-homing session end-points is a major SCTP advantage.

Multiple Streams

TCP is a point-to-point byte stream oriented transport protocol. In such a protocol if a single byte is corrupted or lost, then all data that follows must be queued and delayed from delivery to the application until the missing data is retransmitted and received to make the stream valid. With the TCP protocol, all data being transmitted is affected because there is only one path from end-to-end. The SCTP protocol addresses this limitation by providing the capability to specify more than one transport path between the two end-points. In SCTP, the four-tuple – with the multi-homing feature – defines what the SCTP protocol calls an association.

The association is composed of one or more uni-directional transport paths called streams. The number of inbound and outbound streams is independent of one another and is determined at session initiation time (for example, an association may be composed of three outbound and one inbound stream). In this scheme, a data retransmission only affects a single stream. If an association is defined with multiple streams and a packet is lost on a specific stream, data transmission on the other streams, which form this association, is not blocked. However, this feature is only beneficial if the upper layer application uses it.

In the EAGLE, a maximum of 2 inbound and 2 outbound streams can be defined for an association. Stream 0 in each direction is designated for Link Status messages. Stream 1 is designated for User Data messages. Separating the Link Status and User Data messages onto separate streams allows the adapter layer to prioritize the messages in a manner similar to MTP2. If the peer chooses to configure the association to have only one stream, then the signaling gateway will be able to use only stream 0 for both Link Status messages and User Data messages.

Datagram Stream

While TCP is implemented as a byte-oriented stream protocol, SCTP is based on a datagram-oriented protocol stream. By choosing the datagram as the smallest unit of transport, the SCTP protocol removes the need for the upper layer application to encode the length of a message as part of the message. An SCTP send results in the data being sent as a unit – a datagram – and received at the receiving node as a datagram.

Selective Acknowledgements

TCP acknowledgements are specified as the last consecutive byte in the byte stream that has been received. If a byte is dropped, the TCP protocol on the receiving side cannot pass inbound data to the user until the sender retransmits the lost byte; the stream is blocked. SCTP uses a feature known as selective acknowledgement in which each data chunk is identified by a chunk number – the Transmission Sequence Number (TSN) in SCTP terminology – and is explicitly acknowledged at a data chunk granularity. This means that if a data chunk is dropped, only that one data chunk needs to be retransmitted. In SCTP, a dropped data chunk only effects one stream, since ordered transmission of data is only enforced at the stream and not the association level.

Un-order Delivery Capability

The SCTP protocol provides a mechanism for un-ordered datagram delivery. This feature means that a datagram can be transmitted and received independent of datagram sequencing and thus not delayed while awaiting a retransmission. TCP does not provide an equivalent feature of this type.

Enhanced Security

The TCP protocol has a known and easily exploitable vulnerability to denial of service attacks (for example, SYN attacks). This weakness is due to the three-way handshake used by the TCP session-establishment protocol. The TCP session establishment method causes EAGLE resources to be committed prior to actually establishing the session. SCTP uses a four-way handshake where resources are not committed by the host being contacted until the contacting host confirms that it is actually making a contact request to prevent such attacks.

SCTP Connectivity Concepts

The basic connectivity provided by the SCTP protocol is illustrated by Figure 2-17:

Figure 2-17 SCTP Connectivity

img/c_overview_overview_dbadmin_ip7_fig8.jpg

Key elements of the SCTP connection include:

SCTP Instance
SCTP Endpoint
SCTPAssociation
SCTP Stream

An SCTP instance is defined by the local SCTP port number. Each local SCTP port number requires its own SCTP instance. An SCTP instance as an entity defines the various SCTP characteristics that will apply to “all” SCTP associations that are created as part of the SCTP instance. These include timeout values, maximum receive windows, and so forth.

In Figure 2-17 there are three hosts: SCTP node A, node B and node C. Node A has two SCTP instances: local SCTP port 2000 and 2100. Both node B and node C have a single SCTP instance, local SCTP port 3000 and 3000 respectively. The fact that both node B and C are using port 3000 does not tie them together in any way.

An SCTP endpoint is defined as the logical sender/receiver of SCTP packets. On a multi-homed host, an SCTP endpoint is represented to its peers as a combination of a set of eligible destination transport addresses to which SCTP packets can be sent and a set of eligible source transport addresses from which SCTP packets can be received. All transport addresses used by an SCTP endpoint must use the same port number, but can use multiple IP addresses. A transport address used by an SCTP endpoint must not be used by another SCTP endpoint. In other words, a transport address is unique to an SCTP endpoint.

The concept of SCTP instance clarifies this definition. In Figure 2-17, IP addresses are not shown, but to illustrate this definition, assume the following:

Node A is multi-homed having two network interface cards with IP addresses 192.168.110.10 and 192.168.55.10
Node B has a single network interface card with IP address of 192.168.110.20
Node C is multi-homed having two network interface cards with IP addresses 192.168.110.30 and 192.168.55.30

Based on these IP addresses from above and the defined port numbers for Figure 2-17, there are four SCTP endpoints (Table 2-9).

Table 2-9 Sample SCTP Endpoints

Node	Local IP Address	Local SCTP Port
Node-1	192.168.110.10 192.168.55.10	2000
Node-1	192.168.110.10 192.168.55.10	2100
Node-2	192.168.110.20	3000
Node-3	192.168.110.30 192.168.55.30	3000

An SCTP association is defined as a protocol relationship between SCTP endpoints, composed of the two SCTP endpoints and protocol state information including verification tags and the currently active set of Transmission Sequence Numbers (TSNs), etc. An association can be uniquely identified by the transport addresses used by the endpoints in the association. Two SCTP endpoints must not have more than one SCTP association between them at any given time.

Based on this definition, given the endpoints listed above and Figure 2-17, there are three defined SCTP associations.

Table 2-10 Sample SCTP Associations

Association	Local IP Address	Local SCTP Port	Remote IP Address	Remote SCTP Port
Association-1	192.168.110.10 192.168.55.10	2000	192.168.110.20	3000
Association-2	192.168.110.10 192.168.55.10	2000	192.168.110.30 192.168.55.30	3000
Association-3	192.168.110.10 192.168.55.10	2100	192.168.110.30 192.168.55.30	3000

Association

Local IP Address

Local SCTP Port

Remote IP Address

Remote SCTP Port

Association-1

192.168.110.10

192.168.55.10

2000

192.168.110.20

3000

Association-2

192.168.110.10

192.168.55.10

2000

192.168.110.30

192.168.55.30

3000

Association-3

192.168.110.10

192.168.55.10

2100

192.168.110.30

192.168.55.30

3000

An SCTP stream is defined as a uni-directional logical channel established from one to another associated SCTP endpoint, within which all user messages are delivered in sequence except for those submitted to the unordered delivery service.

Note:

The relationship between stream numbers in opposite directions is strictly a matter of how the applications use them. It is the responsibility of the SCTP user to create and manage these correlations if they are so desired.

Based on this definition and Figure 2-17, there are a total of seven streams for the three associations.

Table 2-11 Sample SCTP Associations

Association	Stream Number	Local IP Address	Local SCTP Port	Remote IP Address	Remote SCTP Port
Association-1	Stream 0 Out	192.168.110.10 192.168.55.10	2000	192.168.110.20	3000
Association-1	Stream 0 In	192.168.110.10 192.168.55.10	2000	192.168.110.20	3000
Association-2	Stream 0 Out	192.168.110.10 192.168.55.10	2000	192.168.110.30 192.168.55.30	3000
Association-2	Stream 1 Out	192.168.110.10 192.168.55.10	2000	192.168.110.30 192.168.55.30	3000
Association-2	Stream 0 In	192.168.110.10 192.168.55.10	2000	192.168.110.30 192.168.55.30	3000
Association-3	Stream 0 Out	192.168.110.10 192.168.55.10	2100	192.168.110.30 192.168.55.30	3000
Association-3	Stream 0 In	192.168.110.10 192.168.55.10	2100	192.168.110.30 192.168.55.30	3000

2.9 IP Signaling Gateway (IPSG)

The IP Signaling Gateway (IPSG) feature provides a signaling gateway (SG) application as an alternative to the IPLIM and IPGW applications. However, the IPLIM and IPGW applications continue to be supported.

The IPSG feature can run the M2PA and M3UA protocols simultaneously on the same card. They can also have GTT-enabled capabilities support with SLIC running the 64-bit IPSG GPL. The feature also supports ANSI, ITU-N or ITUN-24, and ITU-I simultaneously on one card and one association.

The IPSG feature runs on the E5-ENET-B and SLIC cards with the IPSG application. An E5-ENET-B or SLIC card running the IPSG application is referred to as an IPSG card.

For the M3UA protocol, the IPSG feature equates a linkset with an application server (AS) and equates a signaling link with an application-server/application server process instance (AS-ASP).

Note:

The following M3UA application server (AS) procedures are not currently supported by the IP Signaling Gateway (IPSG):

AS Pending procedure with non-zero T(recovery) timer
AS Override traffic mode

The connection to the remote host is provided by IPSG M3UA and IPSG M2PA signaling links. An IPSG M3UA signaling link is a signaling link that is assigned to an IPSG linkset whose ADAPTER value is m3ua. An IPSG M2PA signaling link is a signaling link that is assigned to an IPSG linkset whose ADAPTER value is m2pa. A maximum of 128 IPSG M2PA or IPSG M3UA signaling links are supported per IPSG card running on SLIC hardware.

The IPSG M2PA signaling link can run the ANSI or ITU protocol, but not both simultaneously. ANSI and ITU can run on the same IPSG card on separate IPSG M2PA signaling links. ANSI and ITU can run on the same IPSG M3UA signaling link.

A series of three IS-NR link count thresholds are used to control the transition of the IPSG-M3UA links between Allowed, Restricted, and Prohibited states.

M2PA links on IPLIMx and IPSG cards can exist in the same linkset. M3UA links on IPSG and IPGWx cards cannot exist in the same linkset. M2PA and M3UA links cannot exist within the same linkset.

Each IPSG card running on SLIC hardware can host up to 128 SCTP associations. A maximum of 16 M3UA links or 1 M2PA link can be assigned to an association. M3UA and M2PA cannot be mixed on the same association.

The SCTP ADLER-32 or CRC-32 checksum algorithm can be selected for an individual IPLIM, IPGW, or IPSG card.

The adjacent point code (APC) of the IPSG-M3UA linkset is the point code assigned to an AS.

Provisioning for the IP Signaling Gateway feature uses the card, linkset, signaling link, IP card, IP link, IP host, and association database entities. The relationship between these entities is shown in Figure 2-18. The provisioning for the IP Signaling Gateway feature is shown in IPSG M2PA and M3UA Configuration Procedures.

Figure 2-18 IP Signaling Gateway Database Relationships