SG-1 Service Gateway:
Intelligent IP Network Value-Added Service
Enhancements to Existing Broadband Networks
WHITE PAPER
Introduction
Wireline network operators have increased available customer bandwidth with xDSL
modems, DSLAMs and Broadband Remote Access Server (BRAS) systems. While this
basic topology enables standard broadband service, most service providers want to
expand their portfolios of broadband offerings to improve their competitive position,
increase revenues and decrease operational expenses.
At the same time, they realize that any enhancement to a network should leverage the
existing architecture and easily integrate with it. Such enhancements require only
incremental capital investment with minimal replacement of existing network
elements. These enhancements also eliminate unnecessary operating expenses arising
from changes in the network elements like operation and support, management and
billing, and BRAS systems.
Integration with the existing network, including its operational processes, is, therefore,
a decisive factor in the choice of any new equipment and systems that enable value-
added services such as bandwidth on demand and application awareness. These
advanced services can be charged to the user with little or no impact on existing
network elements and with minimal investment for the network operator.
ADC’s SG-1 Service Gateway meets these requirements since it is designed for simple
and straightforward integration with a wide range of network elements and
topologies. With its drop-in architecture, the SG-1 takes the responsibility for service
creation, service enforcement and dynamic service management, independent of the
access network elements being used. The access network is responsible for access,
transmission and switching, while service management and provisioning are handled
in central or regional locations by the SG-1. This concept and topology are similar to a
voice intelligent network, where signaling and voice data transport are separate.
The SG-1’s network integration capability simplifies the system’s integration with the
existing network, which shortens time-to-market for new value-added services,
decreases the total cost of ownership including maintenance, and facilitates training.
The SG-1 integrates well with existing network devices such as a BRAS, dialup RAS,
CMTS (Cable Modem Termination Systems) and WLAN Access Points. The SG-1 also
integrates easily with existing or third-party portals, operation and support systems,
and management and billing. The SG-1 enables any portal to handle user interactive
service selection and subscription, regardless of the access or aggregation devices
terminating the calls.
SG-1 as a Service Enabler in an Existing xDSL Network
With its own advanced service-creation functionality,
the SG-1 is capable of upgrading existing BRAS systems
that lack service-creation capabilities. It can also
simultaneously act as a BRAS by terminating the PPPoE
and PPPoA sessions using redundant SONET/SDH
interfaces. Thus, users terminated by the existing BRAS
and those who are directly terminated by the SG-1
receive the same service and have the same user
experience.
For example, users connected through the Redback
SMS 10000 are offered Try-Before-Buy, Third Party
Boost, Bandwidth-on-Demand, and other advanced
services, although the Redback system terminating
those users cannot provide those services by itself.
Such enhanced functionality can be provided using the
methods described below.
Tunnel Termination / Tunnel Switching Method
The existing BRAS transmits (tunnel-switches) the user
PPP session via an L2TP tunnel to the SG-1. The
transmission is done using the existing AAA server,
which responds to each BRAS Access-Request message
with a tunnel switching command (tunnel switching
attributes).
The SG-1 can terminate the L2TP tunnels initiated by
the BRAS and terminate each tunneled user’s PPP
session within those tunnels. Alternatively, it can
switch the tunnel to another LNS. For example, the
tunnel may be switched by the SG-1 to an ISP network
that will terminate the tunnel and the PPP session.
When the SG-1 terminates the tunnel, the SG-1
authenticates the user PPP session in the same way it
was authenticated by the BRAS, using the same AAA
server. The SG-1 provides IP addresses and maintains
the point-to-point connection of the user PC or routers.
The tunneled traffic to the SG-1 may be carried by
SDH/ATM or by Gigabit Ethernet using the SG-1 multi-
interface support. The BRAS in this case may either
tunnel a group of users through one tunnel or create a
separate tunnel for each user.
When the SG-1 switches the tunnel without
termination of the PPP session, it can still authenticate
the user and communicate with the AAA server. Value-
added services can be performed and additional user
scenarios may be supported. For example, if the session
is terminated by a third-party ISP LNS, the network
operator can still provide independent value-added
network services and apply additional functions such as
bandwidth control.
A customer service request, initiated through an
existing portal (anywhere in the network) results in a
personal service profile definition and support,
independent of the type of edge router or BRAS being
used. The existing BRAS uses its L2TP tunnel switching
capability that is standard for most BRAS systems and
edge routers. The SG-1 uses its own capabilities as an
LNS or L2TP switcher to support this topology.
The network operator, using this method, can divide
the user sessions into two groups. One group can be
provided with an extended range of services and can be
tunneled to the SG-1, while the other group can be
served with the current range of services and will
continue to be terminated as before. This capability
enables gradual introduction of new services to the
customers, based on geographic or other criteria.
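The AAA-driven tunnel switching and the two-group split described above can be sketched as follows. This is an added example, not ADC's or any BRAS vendor's code: it assumes the "tunnel switching attributes" are the standard RFC 2868 RADIUS tunnel attributes, that the user group is selected by realm, and that the SG-1 LNS address and realm names are the constructed values shown.

```python
import struct

# RFC 2868 attribute types and values
TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_SERVER_ENDPOINT = 64, 65, 67
L2TP, IPV4 = 3, 1

# Constructed deployment data (assumptions, not from the white paper)
SG1_LNS = "192.0.2.10"                 # address of the SG-1 acting as LNS
ENHANCED_REALMS = {"premium.example"}  # user group tunneled to the SG-1


def tagged_int(attr, tag, value):
    """Tunnel-Type / Tunnel-Medium-Type: type, length=6, tag, 3-byte value."""
    return struct.pack("!BBB", attr, 6, tag) + value.to_bytes(3, "big")


def tagged_str(attr, tag, text):
    """Tunnel-Server-Endpoint: type, length, tag, string."""
    data = text.encode("ascii")
    return struct.pack("!BBB", attr, 3 + len(data), tag) + data


def tunnel_attributes(username, tag=1):
    """Attributes the AAA server adds to its reply for this user."""
    realm = username.rpartition("@")[2] if "@" in username else ""
    if realm not in ENHANCED_REALMS:
        return b""  # no tunnel attributes: the BRAS terminates as before
    return (tagged_int(TUNNEL_TYPE, tag, L2TP)
            + tagged_int(TUNNEL_MEDIUM_TYPE, tag, IPV4)
            + tagged_str(TUNNEL_SERVER_ENDPOINT, tag, SG1_LNS))


def decode(attrs):
    """Walk the TLVs of a reply; returns {attr: (tag, value)}.

    Assumes every attribute carries a tag byte, as tunnel_attributes() emits.
    """
    out, i = {}, 0
    while i < len(attrs):
        if len(attrs) - i < 3:
            raise ValueError("truncated attribute header")
        attr, length, tag = attrs[i], attrs[i + 1], attrs[i + 2]
        if length < 3 or i + length > len(attrs):
            raise ValueError("malformed attribute length")
        body = attrs[i + 3:i + length]
        if attr == TUNNEL_SERVER_ENDPOINT:
            out[attr] = (tag, body.decode("ascii"))
        else:
            out[attr] = (tag, int.from_bytes(body, "big"))
        i += length
    return out
```

Because the reply alone decides where a PPP session lands, decoding it and comparing Tunnel-Server-Endpoint against the list of approved LNS addresses is a useful audit check on the AAA configuration.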
In parallel to upgrading existing tunneled sessions, the
SG-1 can have a direct connection to the ATM cloud
and provide direct enhanced services to additional
sessions directly from the DSLAMs. As the number of
new xDSL customers grows, the network operator may
route the new DSLAM traffic directly to the SG-1, which
may terminate the user PPPoE and PPPoA sessions, or
aggregate the traffic for termination in another
network. The SG-1 can simultaneously support ATM
and IP traffic through the same chassis.
The network diagram below illustrates the SG-1’s role in
an existing xDSL network according to this method.
User traffic can be supported by both the SG-1 and the
BRAS: Network architecture can now provide service
using the existing infrastructure, and the SG-1 can act
as a service enhancement platform and as an additional
BRAS. The SG-1, in this case, is actually enhancing the
BRAS service capabilities by providing advanced services
to some or all of the users. The SG-1 can
simultaneously support both ATM and IP traffic.
[Figure: Tunnel Termination / Tunnel Switching Method. Diagram labels: Users, DSLAM, ATM, BRAS, SG-1, Users DB, Content, IP-MPLS Core, ISPs]
IP Routing Method A
In the following topology, the BRAS is not required to
use L2TP capabilities. In fact, the BRAS does not change
its behavior in any way. This topology might be most
suitable in two scenarios:
• When the service creation functionality is managed
by the network operator, independent of an access
network that includes BRAS systems. In this case, the
manager of the SG-1 may not want or may not be
able to make any changes in the BRAS configuration.
• When the processing power of the existing BRAS
may be overloaded with additional functionality and
may not support the required L2TP tunneling for all
the traffic.
The router, using its policy-based routing, sends the IP
traffic to the SG-1, which monitors the user sessions
and provides each user with a selected or configured
service profile. The SG-1 may authenticate the users just
before enabling the service. In this application, the
SG-1 uses its native IP service creation features. The
routed traffic to the SG-1 may be carried either by
SDH/ATM or by IP Gigabit Ethernet using the SG-1
multi-interface support.
The network diagram below illustrates the SG-1’s role in
an existing xDSL network supporting this method.
Sessions can be supported by the SG-1 and DSLAMs;
the router distributes the traffic according to provider
service policy, and routes the session traffic to the SG-1
for adding the service layer.
Sessions can be authenticated and authorized
simultaneously through web authentication or PPPoE
application through the existing AAA server. Different
users or user groups, or different service requests, may
be authenticated, authorized and billed by different
AAA servers. The SG-1 can interact with many different
AAA servers accordingly.
IP Routing Method B
The BRAS in this method uses its own IP interface and
routing capabilities, and routes the users’ IP traffic to
the SG-1. The SG-1 monitors the user sessions and
provides each user with its selected or configured
service profile. The SG-1 can act as the existing BRAS
default gateway and may authenticate the sessions
before enabling the service. The routed traffic to the
SG-1 may be carried either by SDH/ATM or by IP Gigabit
Ethernet using the SG-1 multi-interface support.
The network diagram below illustrates the SG-1’s role in
an xDSL network supporting this method. The BRAS
interface with the SG-1 (illustrated by the blue dashed line
in the diagram) represents the new routed traffic from
the BRAS to the SG-1.
[Figures: IP Routing Method B and IP Routing Method A. Diagram labels: Users, DSLAM, ATM, Router, BRAS, SG-1, Users DB, Content, IP-MPLS Core, ISPs]
Integration with IP DSLAM
The SG-1 includes support for the new generation of IP
DSLAMs. The IP DSLAM in this case uses its own IP
interface and routing capabilities, and routes the users’
IP traffic directly to the SG-1. The routed traffic from
the DSLAM to the SG-1 may be carried either by
SDH/ATM or by IP Gigabit Ethernet using the SG-1
multi-interface support. The SG-1 monitors the user sessions
and provides each user with its selected or configured
service profile. The SG-1 can act as the IP DSLAM
default gateway and may authenticate the sessions
before enabling the service.
The network diagram below illustrates the SG-1’s role in
an xDSL network supporting the new IP DSLAM along
with the existing ones.
Advanced and Unique Services Functionality
The SG-1 delivers a new set of functionalities that are
applicable to all of the topologies mentioned above.
The main capabilities are:
• No Profile/Policy/Service Server: SG-1 does not
require any type of profile, policy or service server
because the profiles are kept in a standard
RADIUS database format. This concept simplifies
integration and significantly decreases deployment
time.
• Real-Time Profile Change Without Session
Termination: To offer services such as “Turbo
Button”, the SG-1 handles real-time profile changes
without session termination.
• Dynamic Access Lists For Walled Gardens:
Dynamic access lists are important to modify a user's
profile to exit a garden or to access another type of
garden, all within one session.
• Real-Time User Profile Bandwidth Limitations:
For Turbo Button features, it is important that user
bandwidth limitations can be changed in real time
within a session. The SG-1 is capable of this.
• Real-Time User Profile Prepaid and Quota
Limitations: For prepaid and quota features, it is
important that a user time limitation can be changed
in real time within a session.
• Scalability: The system can grow as service demand
grows. The operator can start with lean support for
4,000 end-user sessions and gradually and seamlessly
scale up the system without service interruption.
Eventually, a 10U system can support up to 64,000
concurrent sessions.
• Standard Protocols: The SG-1 is designed to use
standard protocols, so the operator doesn’t need to
invest heavily in new platforms and/or servers and go
through painful network upgrades and
enhancements.
• Support For Home Networks: The SG-1 is able to
authorize, authenticate and support self-provisioning
for each terminal or home appliance within a home
network separately and with an individual associated
service profile.
• Advanced Security Features For The Mass
Market: By using the SG-1, the operator can now
offer new and exciting security services for the
Broadband user mass market. The SG-1 is offered
with a third party anti-virus system that scans
HTTP/FTP traffic and delivers a full-service suite in real
time to users. Combined with SG-1 service
capabilities, the operator can receive a complete
platform, geared to handle the new challenges in
Internet service provisioning:
– An anti-virus engine certified to block 100% of the
"in the wild" viruses as well as more than 50,000
samples of malware (viruses, worms, Trojans, etc.).
Scans all MIME types and compressed files. Virus
protection is certified by ICSA Labs and Check
Mark to comply with industry standards.
– Ghost Machine® proactively protects against
sophisticated, encrypted, stealth and polymorphic
viruses.
– SmartScript™ proactively blocks all malicious scripts
in email and web pages. Non-malicious scripts still
function without difficulty.
– MacroTerminator™ heuristically detects and blocks
variants of known Microsoft Office macro viruses,
as well as unknown ones.
[Figure: Integration with IP DSLAM. Diagram labels: Users, DSLAM, ATM, Ethernet, Router, SG-1, Users DB, Content, IP-MPLS Core, ISPs]