january 23-26, 2007 ft. lauderdale, florida sip trunking for the intermediate/advanced reseller the...
TRANSCRIPT
January 23-26, 2007• Ft. Lauderdale, Florida
SIP Trunking for the Intermediate/Advanced Reseller
The SIP Connection From A to Z Presented by
Pete Sandstrom, CTO BandTelJanne Magnusson, Director Operations Ingate
January 23-26, 2007• Ft. Lauderdale, Florida
Advanced SIP Session Overview
1. Open Systems Interconnection Model (OSI) is more than a model
• Real-Time Protocol (RTP• Real-Time Control Protocol (RTCP)
2. Quality of Service (QoS)• IP – Multi-Protocol Label Switching (MPLS)• Peering for Performance
3. SIP Applications – the reason for doing anything
4. SIP Security – protecting what we have
5. SIP trunking CPE Architectures
6. The role of the ITSP – provider performance
January 23-26, 2007• Ft. Lauderdale, Florida
1. Open Systems Interconnection (OSI)Understanding Where You Are
January 23-26, 2007• Ft. Lauderdale, Florida
RTCP Reports on Traffic Conditions
Real-Time Control Protocol (RTCP) packets are used to provide QoS measurement reports and other information. The VoIP RTCP Extended Reports (XR) Metrics Report Block (MRB) provides measurements (metrics) for monitoring quality of VoIP calls and conversations. These measurements include packet loss and discard metrics, delay metrics, analog metrics, and voice quality metrics.
January 23-26, 2007• Ft. Lauderdale, Florida
2. QoS and the Internet
• The Economics of peering and why it works in North America
• Tier I/II space- It is over provisioned and it is Managed
January 23-26, 2007• Ft. Lauderdale, Florida
QoS and the Internet: The Economics of peering and why it works in North America
IP NETIP NET
NET A drops packets making the other to retransmit, and lowers his overall throughput. That’s lost revenue for B.
January 23-26, 2007• Ft. Lauderdale, Florida
QoS and the Internet: It is over provisioned and managed
MPLS MPLS
MPLS MPLS
INTERNET
January 23-26, 2007• Ft. Lauderdale, Florida
VoIP in Private and Public IP Space
• Local and remote phone stations in private space
• SIP trunking POPs in public space• If MPLS then equipment costs are radically
lowered.
January 23-26, 2007• Ft. Lauderdale, Florida
IP-PBXs Migrate PBXs – ITSPs Emerge
ITSP
PTSN
IP
PBX
SIP Services
GW
SAFW
SIP-Aware FireWall (SAFW)
January 23-26, 2007• Ft. Lauderdale, Florida
3. SIP Trunking Basic Features
SIP Trunking Applications:• Competes with and beats T1 trunking• “Event notification” - disaster recovery options • Add Bandwidth QoS and security provided via
SAFW and or MPLS • On demand N-way conferencing• 411 Directory Assistance • Enhanced 911 services Access • Directory Listing • Local and Inbound Calling • Platform for personalized applications and rich
media services
January 23-26, 2007• Ft. Lauderdale, Florida
SIP Trunking Competes
• VoIP to compete economically, and beat, T1 trunking to a TDM PBX.
• Hosted can’t scale well and doesn’t fit needs of the enterprise
• SIP trunking means X voice paths to Y stations where Y/X > 1; generally the ratio would be 4 trunks to 10 stations
January 23-26, 2007• Ft. Lauderdale, Florida
SIP Trunking Feature - Conferencing
On demand business meetings, training, broadcast announcements, call-to-meeting notifications, even reverse 911 are enhanced with SIP trunking.
January 23-26, 2007• Ft. Lauderdale, Florida
4. SIP Security & Firewalls
• Before we explore viable architectures for SIP systems, let’s understand one more critical concept.
• While SIP brings advancement in VoIP call connections, SIP faces the same security attacks as other IP protocols such as HTTP and SMTP such as malformed message attacks, SPIT-SPam over Internet Telephony, buffer overflow attacks, DOS-Denial-of Service attacks, eavesdropping, hijacking, injection of malicious RTP packets into existing RTP flows and other known and yet to be created attacks.
• In other words, special SIP firewall and other protection systems are recommended.
January 23-26, 2007• Ft. Lauderdale, Florida
SIP Trunking Security and Reliability
• Need to Ensure Enterprise LAN is Correctly Designed for VoIP (i.e. a SIP-Aware Firewall Needs to be in Place)
• CPE Protection: SIP-Aware Firewall that allows L5 Security (i.e. no L2 pinholes)
• Require ITSP MD5 or IP Authentication for Account Authorization
• ITSP Should Split Media and Signaling to Different Redundant Locations, Making Taps Virtually Impossible
• ITSP Must Have Secure POPs That Can Fend Off all Outside Attacks: - DOS (Denial of Service)- IP Spoofing- SPIT (Spam over Internet Telephony)
January 23-26, 2007• Ft. Lauderdale, Florida
SIP Trunking Security and Reliability
MPLS
INTERNET
HOT SPOTS
DSL-CABLE MODEMS
January 23-26, 2007• Ft. Lauderdale, Florida
Let’s take a breakto understand how your customer
may see the “project.”
January 23-26, 2007• Ft. Lauderdale, Florida
Now back to getting serious
5. SIP trunking CPE Architectures
Type 1 – Dedicated IP Pipe for VoIP
Type 2 – Merged MPLS-Pipe with LER Tagging VoIP
Type 3 – Merged IP pipe with SIP-Aware Firewall (SAFW)
Type 4 – Separate IP Pipe for VoIP with Existing Non-SIP Firewall and SIP-Aware Firewall (SOFW)
Type 5 – Merged IP Pipe with Incumbent Non-SIP-Aware Firewall, No DMZ Port and SIP-aware Firewall
Type 6 – Looks like Type 5 but Merged IP Pipe with Incumbent Non-SIP-Aware Firewall, No DMZ Port and SIP-Aware Firewall
Type 7 – Merged IP Pipe with Incumbent Non-SIP-Aware Firewall with a DMZ Port
Type 8 – Merged IP Pipe with Incumbent Non-SIP-Aware Firewall
January 23-26, 2007• Ft. Lauderdale, Florida
Type 1 – Dedicated IP Pipe for VoIP
1- The IP pipe is dedicated to VoIP so no QoS arrangements are needed with the carrier.
2 - No firewall is needed as there are no LAN connections with other enterprise devices.
3 - This is a common architecture for dedicated media gateway deployments.
January 23-26, 2007• Ft. Lauderdale, Florida
Type 2 – Merged MPLS-Pipe with LER Tagging VoIP
1 – VoIP and enterprise data share the same IP pipe. MPLS tags the VoIP as the highest priority via the LER-Label Edge Router.
2 – The SAFW handles all SIP addressing transformation issues between the LAN and WAM demarc.
3 – Architecture offers full QoS for VoIP.
4 – Excellent utilization of IP pipe resources.
January 23-26, 2007• Ft. Lauderdale, Florida
Type 3 – Merged IP pipe with SIP-aware Firewall (SAFW)
1 – VoIP and bulk enterprise share the same IP pipe.
2 – The SAFW-SIP-Aware Firewall handles all the QoS issues by prioritizing VoIP traffic over the bulk enterprise network.
3 – The SAFW handles all SIP addressing transformation issues between the LAN and WAM demarc.
4 – Architecture offers partial QoS for VoIP (no inbound UDP QoS).
5 – Excellent utilization of IP pipe resources.
January 23-26, 2007• Ft. Lauderdale, Florida
Type 4 – Separate IP Pipe for VoIP with Existing Non-SIP Firewall and SIP-Only Firewall (SOFW)
1 – A separate IP pipe deployed for VoIP traffic only.
2 – QoS for VoIP realized by separating VoIP and bulk traffic to separate IP pipe.
3 – The SIP-Aware Firewall (SAFW) handles all SIP addressing transformation issues between the LAN and WAN demarc.
4 – The SAFE configuration is untouched and handles no VoIP traffic.
5 – No utilization of existing IP pipe for VoIP.
January 23-26, 2007• Ft. Lauderdale, Florida
Type 5 – Merged IP Pipe with Incumbent Non-SIP-Aware Firewall, No DMZ Port and SIP-Aware Firewall
1 – VoIP and bulk enterprise share the same IP pipe.
2 – QoS is not realized for VoIP as there is no single point to control traffic. Excessive bandwidth is needed for VoIP to function.
3 – The SAFW handles all SIP addressing transformation issues between the LAN and WAM demarc.
4 – The SAFE configuration is untouched and handles no VoIP traffic.
5 – Full utilization of incumbent IP pipe for VoIP realized.
January 23-26, 2007• Ft. Lauderdale, Florida
1 – VoIP and bulk enterprise share the same IP pipe.
2 – QoS is realized for VoIP as there is a single point to control traffic.
3 – The SAFW handles all SIP addressing transformation issues between the LAN and WAM demarc.
4 – The SAFE configuration is untouched and handles no VoIP traffic.
5 – Full utilization of incumbent IP pipe for VoIP realized.
Type 6 – Looks like Type 5 but Merged IP Pipe with Incumbent Non-SIP-Aware Firewall, No DMZ Port and SIP-Aware Firewall
January 23-26, 2007• Ft. Lauderdale, Florida
Type 7 – Merged IP Pipe with Incumbent Non-SIP-Aware Firewall with a DMZ Port
1 – VoIP and bulk enterprise share the same IP pipe.
2 – QoS is not realized for VoIP as there is no single point to control traffic. Excessive bandwidth is needed for VoIP to function.
3 – The SAFW handles all SIP addressing transformation issues between the LAN and WAM demarc.
4 – The USAFW configuration is touched to allow VoIP to utilize the SAFE DMZ resource.
5 – Full utilization of incumbent IP pipe for VoIP realized.
6 – Works with the SAFW as SIP traffic traverses twice.
January 23-26, 2007• Ft. Lauderdale, Florida
Type 8 – Merged IP Pipe with Incumbent Non-SIP-Aware Firewall
1 – VoIP and bulk enterprise share the same IP pipe.
2 – QoS is not realized for VoIP since there is no QoS feature in the SAFE.
3 – The UA handles all SIP addressing transformation issues between the LAN and WAN demarc via SIP NAT transversal features and/or by using STUN-Simple Transversal of User datagram protocol with an external STUN server.
4 – The SAFE security is breached by having ports opened for SIP UDP traffic.
5 – Full utilization of incumbent IP pipe for VoIP realized.
6 – Architecture does not scale well for anything beyond a few VoIP calls.
7 – This is architecture is suited only for hosted VoIP services with a small number of end-user stations in the LAN space.
January 23-26, 2007• Ft. Lauderdale, Florida
??? About Architectures
Type 1 – Dedicated IP Pipe for VoIP
Type 2 – Merged MPLS-Pipe with LER Tagging VoIP
Type 3 – Merged IP pipe with SIP-Aware Firewall (SAFW)
Type 4 – Separate IP Pipe for VoIP with Existing Non-SIP Firewall and SIP-Aware Firewall (SOFW)
Type 5 – Merged IP Pipe with Incumbent Non-SIP-Aware Firewall, No DMZ Port and SIP-aware Firewall
Type 6 – Looks like Type 5 but Merged IP Pipe with Incumbent Non-SIP-Aware Firewall, No DMZ Port and SIP-Aware Firewall
Type 7 – Merged IP Pipe with Incumbent Non-SIP-Aware Firewall with a DMZ Port
Type 8 – Merged IP Pipe with Incumbent Non-SIP-Aware Firewall
January 23-26, 2007• Ft. Lauderdale, Florida
6. The ITSP behind the SIP Trunk
• Getting to the ITSP proxy
• Resiliency in the event of failure
• Load to the ITSP proxy (dynamic routing to)
• When an ITSP element fails (real-time dynamic fault switchover)
• Getting to the PSTN- PSTN carrier options
January 23-26, 2007• Ft. Lauderdale, Florida
Special ITSP Services for SIP Trunkers
• Online Traffic monitoring (TotalView)• Online Billing• Traffic re-routing (Total Reroute)• Silent Running – Bandwidth Conservation
January 23-26, 2007• Ft. Lauderdale, Florida
101 Summary
• SIP trunking competes- and beats T1 Trunking on price and features
• QoS- SAFW and or MPLS needed for bandwidth QoS
• SIP Security – private or public, it can be made secure
• SIP CPE Architecture- critical for creating a secure clear call
• The ITSP behind the SIP Trunk
January 23-26, 2007• Ft. Lauderdale, Florida
SIP Trunks
Internet
IP-PBX
Firewall
Service Provider
SIP Trunks
Internet
IP-PBX
Firewall
Service Provider
• Important to have a reliable and well dimensioned network
– Consider delay and QoS
• As secure as the corporate network for e-mail etc.
• Possible to increase security by implementation of encrypted SIP signaling (TLS) and media (SRTP)
Communication on the LAN
January 23-26, 2007• Ft. Lauderdale, Florida
WithoutSupport for OPWithSupport for OP
[email protected] Default Gwy: 10.500.10.11 Outb. Proxy: -
[email protected] Default Gwy: 10.500.10.11 Outb. Proxy: -
[email protected] Default Gwy: 10.500.10.11 Outb. Proxy: 10.500.10.13
603-883-6569
Many IP-PBXs can’t handle outbound Proxy
SIP-unaware Firewall
IP-PBX
Ingate SIParator®
PSTN Gwy
Service Provider
PSTN
IP 10.200.10.16
Outbound ProxyIP 10.500.10.13 IP 168.105.45.19
IP 168.203.30.11DMZ
Default GatewayIP 10.200.10.11
with
IP-packets to destinations outside the logical network is sent to the Default Gateway for routing.
Outbound Proxy is the equivalence to Default Gateway, but for SIP.
972-678-0464
SIP Trunking Module
Configure IP-PBX to ”pretend” that Ingate is the Service Provider
168.203.30.11
Rewrites the domain part
January 23-26, 2007• Ft. Lauderdale, Florida
SIP Trunks
Internet
IP-PBX
Firewall
Service Provider
SIP Trunks
Internet
IP-PBX
Firewall
Service Provider
• Important to have a reliable and high quality Internet connection
– Consider delay to ITSP– Of your connection QoS (voice
should have priority)
• Voice travels over public Internet (as e-mail)
• Possible to increase security by implementation of encrypted SIP signaling (TLS) and media (SRTP)
Communications outside the LAN
January 23-26, 2007• Ft. Lauderdale, Florida
Ingate SIP Trunking module solves this problem !What if the Service Provider can’t handle domains ?
Many Service Providers can’t handle domain names
IP-PBX
Ingate SIParator®
PSTN Gwy
Service Provider
PSTN
IP 10.500.10.13 IP 168.105.45.19
IP 168.203.30.11DMZ
603-883-6569
IP 10.200.10.16
withSIP Trunking Module [email protected] 10.200.10.16
972-678-0464 SIP-unaware Firewall
With domain name, no problem !
Can only address the known public IP-address of the SIParator.
Rewrites the domain part
DNS record pbx.ingate.com resolves to IP 168.105.45.19
DNS overridepbx.ingate.com 10.200.10.16
January 23-26, 2007• Ft. Lauderdale, Florida
About BandTel
• Headquartered in Newport Beach, California, BandTel is a leading worldwide provider of SIP Trunking services. The company is dedicated to ensuring its customers and partners alike have access to the most reliable, end-to-end VoIP service available on the market today.
• Its N-Plus™ network architecture is designed to solve the throughput and redundancy problems on high-capacity SIP-based networks and eliminate any single point of failure.
• BandTel continues to develop strong partnerships with leading carriers and telecommunications companies, including Global Crossing, XO Communications, Level 3, Qwest Communications, Verizon Business, and Primus.
January 23-26, 2007• Ft. Lauderdale, Florida
About Ingate
• Formed 2001– Firewall technology from Cendio Systems
• Appliance firewalls since 1994– Capital and SIP technology from Intertex Data AB
• Began SIP development in 1998
• Released the worlds first SIP capable Firewall in 2001
• Located in Stockholm and Linköping, Sweden with a subsidiary, Ingate Systems Inc., based in Hollis, NH.
• Confirmed IP-PBX interoperability:3Com, Asterisk, Avaya, Broadsoft, Cisco Call Manager, Ericsson MX-One, Mitel, Pingtel, SER, Shoretel, Sphere, Swyx, Zultys
• Confirmed carrier interoperability:Bandtel, Broadband.com, Cbeyond, Global Crossing, IP-Only, O1, RNKTel, Tele2, VoEx