Real-Time Communications in Web browser platform (RTCWeb) allows browsers to initiate real-time communication sessions. One use case of this new technology would be browsers accessing the legacy Session Initiation Protocol (SIP) world. For example, a company's web page may have a “call customer service” button, and this could initiate a SIP session from the browser to the call center.
In the legacy SIP world, a Session Border Controller (SBC) assumes either an access or a peering role. In the access role, endpoints/Internet Protocol Private Branch Exchanges (IP-PBXs) perform SIP registration, and authorization of the registration by the Registrar is considered by the SBC, provided that the endpoint/IP-PBX is a valid entity. For peering scenarios, usually the Internet Protocol (IP) address of peers is preconfigured or their identity is verified through Transport Layer Security (TLS).
Web-initiated real-time calls create a new challenge, as an SBC could receive SIP session initiation requests from non-registered entities, where the SBC does not necessarily know a priori the IP addresses of the devices from which the requests may be received.
There is a need to protect the call center infrastructure in the legacy SIP domain from excessive call rates. This task of protecting the call center is usually performed by an SBC which interfaces between the SIP domain and the legacy telephone domain. It is desirable to apply rate control among legitimate calls and reject other calls directly without considering them for call rate calculation. However, such an approach to call rate control and protecting legacy devices is complicated by the SBC's inability to reliably distinguish between valid call attempts and unauthorized or malicious call attempts based on the IP address of the call initiator, given the inability to know, prior to the call being placed, the IP addresses of all callers who may initiate a call in real time from a Web application.
Thus, new methods and apparatus are needed to screen session initiation requests which may be initiated via a web browser. It would be desirable if such methods could avoid the need for a query between an SBC and an authorization entity in response to individual calls, since such queries may introduce delays and place loads on the SBC that can be undesirable, especially where there are concerns with regard to possibly malicious attacks which may be designed to load the SBC and/or other network elements, such as in the case of denial of service attacks.