TRANSCRIPT
SIP Trunking Workshop for Service Providers
With real life considerations and practical solutions for offering SIP Trunks using Ingate and Intertex E-SBCs
The Ingate SIP Trunk-Unified Communications Summit
© Intertex Data AB, Ingate Systems, February 2011
Karl Erik Ståhl, President and CTO, Intertex; Chairman and CTO, Ingate
1. The Case for SIP Trunking
1:00pm-1:30pm, Moderator: None
Opening remarks and overview of the benefits of SIP trunking and UC for service providers, by Ingate Systems.
2. Delivering SIP to the Enterprise
1:30pm-2:30pm, Moderator: Maloff NetResults
1:30-1:35 Moderator
1:35-2:00 Broadvox
2:00-2:30 Intertex Data AB – Practical solutions
There is more to it…
Voice only, or Voice & Data on the pipe?
Internet or Private Pipe?
Quality Measures on the Pipe?
Is there a (data) Firewall in the way?
Delivery to just a PBX? … or to a UC LAN
Is an E-SBC required? When?
Who provides/owns the E-SBC?
Just SIP Trunking of PBXs, or also remote users and hosted services?
[Diagram: PSTN <-> SIP Trunking Provider (GW, SIP System) <-> SIP Trunk Interface <-> PBX with system phones]
This Would be Simple
[Diagram: PSTN and Public Internet; SIP Trunking Provider Network (GW, SIP System); SIP Trunk to the enterprise Firewall/IP-PBX, with a separate Data LAN and VoIP LAN]
But This is What We Want
[Diagram: PSTN and Public Internet; SIP Trunking Provider (GW, SIP System); Intertex IX78 at the enterprise edge as the demarcation point of service, bringing SIP communication to a combined Data & VoIP LAN with the IP-PBX, soft clients and multimedia terminals, plus remote users]
So this is Not a Good Solution, at least not for a General Service
[Diagram: PSTN and Public Internet; SIP Trunking Provider Network (GW, SIP System); managed SIP Trunk to a Firewall/IP-PBX with a VoIP LAN kept separate from the Data LAN]
Callouts: Provider: Security Warning! Enterprise: Security Warning! No remote users! No soft or multimedia clients! UC?? Will the Service Provider issue IP addresses to every phone?
And there is Often a Non SIP Capable Firewall in Place
[Diagram: PSTN; SIP Trunking Provider (GW, SIP System); SIParator® next to the existing firewall; Data & VoIP LAN with IP-PBX, soft clients and multimedia terminals; remote users]
Ingate/Intertex E-SBCs enable SIP based live UC across the borders!
(SIP does not traverse ordinary NAT/Firewalls.)
And There are Different Types of PBXs to Consider
PBX Type 1: IP-PBX on a VoIP & Data LAN. Modern IP-PBXs are of this type. Media goes directly between phone and SIP Trunk.
PBX Type 1.5: PBX with system phones, on a Data LAN only.
PBX Type 2: IP-PBX on a VoIP & Data LAN. Few PBXs are of this type. Asterisk with firewall (iptables/netfilter) can be compiled and configured this way, but it requires a lot.
A Good E-SBC Should Provide:
1) NAT/Firewall Traversal - must NAT to the same address space!
2) Basic SIP and Network Interoperability - e.g. authentication, registrations, UDP/TLS/TCP, dynamic IP address, etc.
3) SIP Repair - e.g. call transfer, fragmented packets, bugs, etc.
4) Features - e.g. remote users, administration (remote and local)
5) Security - LAN/PBX/VoIP network protection, service attack protection
[Diagram: PSTN; SIP Trunking Provider Network (GW, SIP System); SIP Trunk (signaling and media) to the IX78 in front of each PBX type, with the numbered E-SBC functions marked per type]
NAT & Firewalls are a Severe Infrastructure Problem…
A common network and common protocols changed our lives:
SMTP gave us global email!
HTTP gave us the Web!
NATs and Firewalls were designed to allow such protocols.
What about SIP for live person-to-person communication?
SIP does not traverse the common NATs and firewalls protecting the LANs.
[Diagram: two LANs, each behind a firewall, connected over the Internet; email and web pass, the SIP based IMS does not reach the LANs]
Why are NATs and Firewalls Such Obstacles?
Typical Internet protocols (SMTP, HTTP…) connect a host to a server across the Internet.
SIP (and H.323…) connects person to person: locate the person, set up a session, and open the real time media streams.
A NAT rewrites only the IP and transport headers, while SIP carries the caller's addresses and media ports inside the message (Via, Contact, SDP), so the far end is told to answer to a private address.
SIP is the protocol for IP communication person-to-person, but it does not reach the users!
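The following is an added illustration, not code from the workshop or from Intertex/Ingate. A plain NAT translates the IP and UDP headers only, but SIP carries the phone's private address in the Via sent-by, the Contact URI and the SDP o=/c= lines, and the RTP port in the SDP m= line. The example finds those leaking addresses and then does what a SIP-aware firewall does on the way out: rewrites them to the public address, allocates a public media port and records the pinhole that has to be opened for the returning RTP. The INVITE, the addresses 192.168.1.20 and 203.0.113.5, the port numbers and the function names are constructed for the example.

```python
import ipaddress
import re

# Constructed sample (not from the workshop): an INVITE as a phone at
# 192.168.1.20 behind a NAT sends it. The private address sits in the Via
# sent-by, the Contact URI and the SDP o=/c= lines, and the RTP port in the
# m= line; a plain NAT translates the IP/UDP headers only and leaves these.
INVITE = (
    "INVITE sip:+15551234567@sip.provider.example SIP/2.0\r\n"
    "Via: SIP/2.0/UDP 192.168.1.20:5060;branch=z9hG4bK776asdhds\r\n"
    "From: <sip:1001@pbx.example>;tag=1928301774\r\n"
    "To: <sip:+15551234567@sip.provider.example>\r\n"
    "Call-ID: a84b4c76e66710\r\n"
    "CSeq: 314159 INVITE\r\n"
    "Contact: <sip:1001@192.168.1.20:5060>\r\n"
    "Content-Type: application/sdp\r\n"
    "Content-Length: 117\r\n"
    "\r\n"
    "v=0\r\n"
    "o=1001 2890844526 2890844526 IN IP4 192.168.1.20\r\n"
    "s=-\r\n"
    "c=IN IP4 192.168.1.20\r\n"
    "t=0 0\r\n"
    "m=audio 16384 RTP/AVP 0 8\r\n"
)

# RFC 1918 only: ipaddress's is_private would also flag the documentation
# range 203.0.113.0/24 that stands in for the public side here.
PRIVATE_NETS = [ipaddress.ip_network(n)
                for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
IPV4 = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")


def is_private(addr):
    try:
        return any(ipaddress.ip_address(addr) in net for net in PRIVATE_NETS)
    except ValueError:
        return False


def split_message(raw):
    """(header lines, body) of a SIP message."""
    head, _, body = raw.partition("\r\n\r\n")
    return head.split("\r\n"), body


def private_addresses(raw):
    """{(field, address)} for every RFC 1918 address the SIP headers or the
    SDP carry. Non-empty means the message cannot work across a plain NAT:
    the far end would send its responses and RTP to 192.168.x.x."""
    head, body = split_message(raw)
    hits = set()
    for line in head[1:]:
        name, _, value = line.partition(":")
        hits.update((name.strip(), a) for a in IPV4.findall(value) if is_private(a))
    for line in body.split("\r\n"):
        key, sep, value = line.partition("=")
        if sep:
            hits.update((key, a) for a in IPV4.findall(value) if is_private(a))
    return hits


def rewrite_for_wan(raw, public_ip, public_media_port):
    """What a SIP-aware firewall/E-SBC does on the way out: public address in
    Via, Contact and SDP, a public media port in m=, and the pinhole
    (private ip, port) -> (public ip, port) it must open so the provider's
    RTP gets back in. Returns (rewritten message, pinholes)."""
    head, body = split_message(raw)

    def to_public(match):
        return public_ip if is_private(match.group(1)) else match.group(1)

    new_head = []
    for line in head:
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() in ("via", "contact"):
            line = name + ":" + IPV4.sub(to_public, value)
        new_head.append(line)

    pinholes, media_ip, new_body = {}, None, []
    for line in body.split("\r\n"):
        if line.startswith("c=IN IP4 "):
            media_ip = line.split()[-1]          # private RTP address
        if line.startswith(("o=", "c=")):
            line = IPV4.sub(to_public, line)
        elif line.startswith("m="):
            parts = line.split(" ")
            pinholes[(media_ip, int(parts[1]))] = (public_ip, public_media_port)
            parts[1] = str(public_media_port)
            line = " ".join(parts)
        new_body.append(line)
    body_out = "\r\n".join(new_body)

    # The address substitution changed the body size: fix Content-Length.
    new_head = [h for h in new_head if not h.lower().startswith("content-length:")]
    new_head.append(f"Content-Length: {len(body_out.encode())}")
    return "\r\n".join(new_head) + "\r\n\r\n" + body_out, pinholes


if __name__ == "__main__":
    print("private addresses leaking:", sorted(private_addresses(INVITE)))
    wan_invite, holes = rewrite_for_wan(INVITE, "203.0.113.5", 20000)
    print(wan_invite)
    print("pinholes to open:", holes)
```

The pinhole is the part the data firewall cannot do on its own: the provider's RTP arrives unsolicited at the public media port, and without the mapping learned from the SDP the firewall has no reason to let it in. That is the "must NAT SIP to the same address space" requirement stated for the E-SBC.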
Ordinary Voice IADs – Good for Telephony Replication…
Telephone ports (FXS) on the CPE are a popular way to deploy IP telephony. By logically placing the SIP clients on the outside of the NAT/Firewall, unreliable work-around methods like STUN, TURN and ICE become unnecessary. However, this only gives POTS replication, often even stopping general SIP based services!
The 5060 SIP port is just grabbed on the outside for the FXS ports.
Lower level SIP ALGs often cause problems and do not handle more than basic scenarios.
Often problems with, or total lack of:
• SIP to the LAN or WiFi
• Calls between SIP clients on the LAN
• Calls between internal ATA ports and LAN clients
• Call transfers, 3-party calls, etc.
• Using SIP generally over the Internet (the operator "took all the SIP")
(Users must not be deprived of general SIP functionality!)
Our CPEs are SIP Capable NAT/Router/Firewalls
Problems solved where they occur.
All Intertex CPEs have a SIP proxy based SIP aware Firewall/NAT: general, can handle complex call scenarios and all SIP services.
Wired or wireless SIP clients (phones, soft clients, PDAs). No special requirements on the SIP client, just standard SIP.
Additional functionality available (SIP server, PBX functionality etc.).
No battery draining of WiFi mobile phones, otherwise caused by keep-alive packets* inhibiting sleep mode.
* Work-around methods for SIP NAT traversal like STUN, TURN, ICE and Far End NAT Traversal use frequent keep-alive packets to keep holes in the NAT/Firewall open.
QoS: Common VoIP and Data Pipe
[Diagram: PSTN and Public Internet; SIP Trunking Provider (GW, SIP System); the E-SBC, which is also the data firewall, as demarcation point of service bringing SIP communication to the Data & VoIP LAN with the IP-PBX]
Using the Ingate or Intertex as the enterprise firewall allows both prioritization and traffic shaping.
QoS: Separate VoIP Pipe in Parallel with Data
[Diagram: PSTN and Public Internet; SIP Trunking Provider (GW, SIP System); the E-SBC SIParator® on its own VoIP pipe as demarcation point of service, next to the existing firewall on the data pipe; Data & VoIP LAN with the IP-PBX]
No prioritization or traffic shaping to be done by the E-SBC. But get a good pipe!
QoS: Common VoIP and Data Pipe with Firewall
[Diagram 1: PSTN and Public Internet; SIP Trunk Provider (GW, SIP System); existing NAT/Firewall in front of the Data & VoIP LAN with the IP-PBX]
If common IP pipe, the existing firewall must restrict bandwidth usage to allow sufficient voice bandwidth. Often problematic.
[Diagram 2: the same, with a WAN SIParator® placed as a bridge in front of the existing (non SIP aware) NAT/Firewall]
WAN SIParator mode allows the Ingate or Intertex to control data usage on the pipe to assure sufficient voice bandwidth!
Advanced QoS Configurations for Ingate
At a detailed level, for SIP and other traffic
Intertex IX78 Smart QoS Defaults
For traffic shaping, just fill in your bandwidth! (For internal ADSL it is mostly automatic.)
Data will be pushed back in favor of voice to keep the used bandwidth within the limit.
And for a specific SIP Trunk provider one can select for the voice: (screenshot)
Carriers having Quality Separated Triple Networks can Preferably Reuse Those for SIP Trunking. Clouds may be Private or Globally Routable.
The Intertex IX78 Supports All of these Architectures!
[Diagram: four access architectures, each carrying Internet, IP-TV/VoD and IMS VoIP as separate clouds:
• Private Virtual Circuits: ADSL with PVC1/PVC2/PVC3 (e.g. Telia)
• Virtual LANs (VLAN): Ethernet with VLAN1/VLAN2/VLAN3 (e.g. Telia)
• IP QoS Separated Subnets: Ethernet with WAN1/WAN2/WAN3 (e.g. B2)
• IP Level QoS: ADSL or Ethernet with Priority1/Priority2/Priority3 (e.g. BT)]
On Telia's (Sweden's Incumbent Telco) Network, the IX78 Delivers a Multimedia LAN, Ready for UC PBXs, Hosted Services and End-to-End SIP Services
[Diagram: Internet, IP-TV/VoD and IMS VoIP delivered over VLANs or ADSL virtual circuits, managed via TR-069, into the Multimedia LAN with WiFi, PDA, telepresence and IP-PBX]
All services must be available to multimedia terminals! Over controlled high QoS pipes as well as over the Internet.
Application innovation requires it!
3. The Value of a Service Provider Demarcation Point
2:30pm-3:30pm, Moderator: Maloff NetResults
2:30-2:35 Moderator
2:35-3:00 EarthLink Business
3:00-3:30 Intertex Data AB – Practical solutions
Service Provider's Demarcation Point
[Diagram: PSTN and Public Internet; SIP Trunk Provider (GW, SIP System); IP access to the Service Provider Demarcation Point in front of the NAT/Firewall, the IP-PBX and the Data & VoIP LAN]
The points:
Delivery of service: to a PBX or UC LAN
Provisioning, definition of service: installation, configuration, CAC
Monitoring: network performance, QoS, MOS
Management: support, debugging, upgrade
Billing - why not? Here we know what is going on!
The Role of the E-SBC
To get SIP Trunking working:
SIP NAT/Firewall Traversal: must NAT SIP to the protected private address space!
Basic SIP and Network Interoperability: e.g. authentication, registrations, UDP/TLS/TCP, dynamic IP address, etc.
SIP Repair: e.g. call transfer, fragmented packets, bugs, etc.
But don't forget:
Security: LAN/PBX/VoIP network protection, service attack protection
QoS – Quality of Service: requirements depending on IP delivery and firewall
Features: e.g. remote users, administration (remote and local)
Provisioning, Monitoring, Management
All Types of PBXs have to be Supported
[Repeat of the "Different Types of PBXs" slide: PBX Type 1 (modern IP-PBX on a VoIP & Data LAN, media goes directly between phone and SIP Trunk), PBX Type 1.5 (PBX with system phones on a Data LAN only) and PBX Type 2 (few PBXs; Asterisk with firewall (iptables/netfilter) can be compiled and configured this way, but it requires a lot), with the five things a good E-SBC should provide: 1) NAT/Firewall traversal, 2) basic SIP and network interoperability, 3) SIP repair, 4) features, 5) security]
Also Important to Support Multimedia and UC Terminals and Remote Users in a Modern UC PBX Environment
[Diagram: PSTN and Public Internet; SIP Trunking Provider (GW, SIP System); Intertex IX78 as demarcation point of service, next to the firewall, bringing SIP communication to the Data & VoIP LAN with the IP-PBX, soft clients and multimedia terminals; remote users]
Creating an Interface for ALL PBXs
Proxy Mode: the IP-PBX talks to the SIP System
• Registration/authentication model must match
• Little configuration in the IX78
• Service credentials in the PBX
B2BUA Mode (proxy still doing the basics): the IP-PBX only talks to the IX78
• Wider separation between PBX and SIP System
• Service credentials only in the IX78
• More SIP normalization possibilities (e.g. REFER)
• Any new operator service platform only requires IX78 reconfiguration (the PBX configuration can remain)
Trunk-side Parameters (screenshot)
Read-only values set by the Service Provider (in some cases). Regulates the customer's monthly fee!
SIP Connect 1.1 can be set up (for any PBX).
PBX-side Parameters (screenshot)
Registration, Call Routing, CallerID
SIP Connect 1.1 Setup (screenshot)
Trouble Shooting & Debugging – Network Status (screenshot)
Trouble Shooting & Debugging – Logging! (screenshot)
Trouble Shooting & Debugging – Internal SIP Log (screenshot)
Packet Captures: creates a Wireshark PCAP network trace. Network interface selection (all interfaces); Start / Stop / Download.
Monitoring - Call Quality Statistics
Internal Call Log, containing CDRs with Quality Statistics. Can be output via SYSLOG, RADIUS (Ingate) or to the management system iEMS (see later).
Management of the CPE / E-SBC
Provisioning, Configuration, Monitoring, Reporting, Upgrade, Logging, Debugging, Diagnostics, Support…
Experience: existing management systems are often difficult to change
• Resistance against touching what has been built over the years
• Remote GUI access to the CPE is often used
Requirements
• Quite few functions and possibilities are actually used
• Alive, Configured, Upgrades, New configuration - a must!
• Often on the wish list: Bad Sound (MOS) alarm, etc.
EMS (instead of NMS) is a trend: Element Management System (EMS)
• Specially built for the product
• Interfaces to OSS and Fault Management System at a high level
Intertex and Ingate EMS in progress – iEMS
• Easy to program and interface to
• Highly scalable
Element Management System – The iEMS
Functions for Provisioning, Monitoring, Reporting, Diagnostics, Logging, Debugging, Support, Configuration and Upgrade. Available now with basic functionality.
Will handle both Ingate and Intertex Firewalls and SIParators.
Highly scalable, runs on PC servers under the Linux OS.
HTTPS/SOAP interface to the IX78. Can read and write all configuration parameters, as well as asynchronous reporting by the device (like SNMP traps).
Web based secure access to the iEMS. Customized portals for operators, installers and customers, for the purpose of administration, management and usage.
The iEMS has northbound interfaces for integrating with the operator's OSS and Fault Management systems, using XML-RPC and/or SOAP.
iEMS – CDRs with Call Quality Metrics
iEMS Interfaces
Example setTrunk call (XML-RPC):

    <?xml version="1.0"?>
    <methodCall>
      <methodName>setTrunk</methodName>
      <params><param><value><struct>
        <member><name>version</name><value>1.0</value></member>
        <member><name>ems</name><value><struct>
          <member><name>username</name><value>installer</value></member>
          <member><name>password</name><value>foobar123</value></member>
        </struct></value></member>
        <member><name>service</name><value><struct>
          <member><name>registrar</name><value>sip.intertex.se</value></member>
          <member><name>proxy</name><value>proxy.intertex.se</value></member>
        </struct></value></member>
        <member><name>trunk</name><value><array><data>
          <value><struct>
            <member><name>identity</name><value>5162809890</value></member>
            <member><name>password</name><value>foobar</value></member>
          </struct></value>
          <value><struct>
            <member><name>identity</name><value>5162809895</value></member>
            <member><name>password</name><value>barfoo</value></member>
          </struct></value>
        </data></array></value></member>
      </struct></value></param></params>
    </methodCall>

[Diagram: the iEMS (WEB GUI, databases) with a Northbound API to OSS, Fault Management etc., and a Southbound API (XML-RPC or SOAP: GET/SET/EVENTS) over the WAN to the CPEs]
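As an added example (not Intertex/Ingate code), the same setTrunk request built and decoded with Python's standard xmlrpc.client, plus a redaction helper. The request carries the EMS login and every trunk's SIP credential in clear text, so it belongs only on the HTTPS channel the slides describe and must never be written verbatim to a log or debug trace. The host names and credentials are the ones from the slide; the function names are this example's.

```python
import xmlrpc.client


def build_set_trunk_request(ems_user, ems_password, registrar, proxy, trunks):
    """Serialize the setTrunk call shown above with the standard library.
    trunks: list of (identity, password) pairs. Returns the XML text."""
    params = {
        "version": "1.0",
        "ems": {"username": ems_user, "password": ems_password},
        "service": {"registrar": registrar, "proxy": proxy},
        "trunk": [{"identity": ident, "password": pw} for ident, pw in trunks],
    }
    return xmlrpc.client.dumps((params,), methodname="setTrunk")


def parse_set_trunk_request(xml_text):
    """Decode the request as the receiving side would. xmlrpc.client.loads
    raises on malformed XML or unknown value types, so a caller can reject
    bad input before touching any configuration."""
    params, method = xmlrpc.client.loads(xml_text)
    if method != "setTrunk":
        raise ValueError(f"unexpected method {method!r}")
    (struct,) = params
    return struct


def redact(value):
    """Copy of the decoded request with every 'password' member masked.
    The call carries the EMS login and each trunk's SIP credential in the
    clear, so this is the only form that may go to a log or a debug trace."""
    if isinstance(value, dict):
        return {k: ("***" if k == "password" else redact(v)) for k, v in value.items()}
    if isinstance(value, list):
        return [redact(v) for v in value]
    return value


# Values from the slide; sample request for running the file directly.
SAMPLE_REQUEST = build_set_trunk_request(
    "installer", "foobar123", "sip.intertex.se", "proxy.intertex.se",
    [("5162809890", "foobar"), ("5162809895", "barfoo")])

if __name__ == "__main__":
    print(redact(parse_set_trunk_request(SAMPLE_REQUEST)))
```

Note that the slide's XML writes the top-level struct as `<param><struct>`; XML-RPC requires `<param><value><struct>`, which is what dumps() produces and what loads() expects.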
SIP Trunking Made Easy
Installation Wizard (screenshot)
SIP Trunk-UC Workshop Startup Tool – Network Topology
Select the deployment according to the picture. Assign IP addresses; the tool will configure the Ingate. Status information, helpful for troubleshooting.
SIP Trunk-UC Workshop Startup Tool – IP-PBX Selection
Select IP-PBX vendor and model. Assign the IP-PBX IP address and the IP-PBX domain (if required). For every IP-PBX vendor on the list Ingate has captured the programming requirements to ensure quick and easy configuration. Status information, helpful for troubleshooting.
SIP Trunk-UC Workshop Startup Tool – ITSP Selection
Select ITSP vendor. Assign the ITSP IP address. User account information, DID assignment and registration authentication. For every ITSP vendor on the list Ingate has captured the programming requirements to ensure quick and easy configuration. Status information, helpful for troubleshooting.
4. Ensuring Interoperability – The Key to Service Revenue Growth
3:30pm-4:30pm, Moderator: Maloff NetResults
3:30-3:35 Moderator
3:35-3:50 Bandwidth.com
4:00-4:30 Intertex Data AB – Practical solutions
PBX and ITSP Interoperability
Large variation among PBXs.
Even larger variation towards ITSPs.
The "SIP Connect" recommendation by the SIP Forum helps and improves, but is not implemented yet.
Installation tools: IX78 Wizard (live demo), Ingate Startup Tool, see the Provisioning section!
Confirmed Interoperability: Ingate & Intertex SIP Trunk Providers already interoperate with most IP-PBXs
IP-PBXs: 3Com, Aastra, Aastra MX One, Digium/Asterisk, Avaya IP Office, Avaya SES/CM, Avaya QE, Brekeke, Broadsoft, Cisco Call Manager, Ericsson MX-One, Fonality, Innovaphone, Interactive Intelligence, Iwatsu, LG Nortel, Microsoft, Mitel, NEC / Sphere, Nortel BCM, Nortel SCS, Objectworld, Panasonic, Pingtel, Samsung, SER, Shoretel, Siemens 8000, SIP-Gear, Sonus, Sphere Communications, Swyx. More in the pipeline...
SIP Trunk providers: 360 Networks, Airespring, AT&T, BandTel, Bandwidth.com, Broadvox, BT (British Telecom), Cablecom, Cbeyond, Cellip, Comm Partners, Cordia Corporation, Excel Switching, Gamma Telecom, Global Crossing, IP-Only, Nectart, Juma Networks, Level 3, Netlogic, Nexvortex, Nuvox, O1, Paetec, Primus, RNK Telecom, TDC, Telavox, Tele2, Tele Pacific, Teletek, Telia, Toplink, Tritel, VoEX, Voice Flex, VoIP Unlimited, Voxbone, Voxitas, XeloQ. More in the pipeline...
Carrier equipment: Acme Packet, Broadsoft, NexPoint, Sonus, Sylantro, SER. More in the pipeline...
Compliant with
Is there a SIP Connect Compliant IP-PBX + ITSP?
If any, the E-SBC could be just a SIP proxy, with only simple network setup, and perform: NAT / Firewall traversal, QoS (Quality of Service), SIP security (attack protection), monitoring and debugging.
Ingate & Intertex E-SBCs can be SIP Connect towards the ITSP, but specific towards the PBXs.
Ingate & Intertex E-SBCs can be SIP Connect towards the PBXs, but specific towards the ITSP.
But usually, we have to be specific to both the ITSP and the PBX.
Trunk-side Parameters (screenshot): SIP Connect 1.1 can be set up (for any PBX).
PBX-side Parameters (screenshot): Registration, Call Routing, CallerID.
SIP Connect 1.1 Setup (screenshot)
If More is Required – There is plenty... (screenshots)
... and More
... and if that is not enough
There is Generic Header Manipulation
E.g. add a Diversion header: sip:[email protected]?Diversion=%3csip%3a$(from.user)%40192.168.1.1%3e
• To cope with not foreseen behavior
• Can fix much, not all
• Needs SIP expertise
How do we know what to configure and how to set it up?
Roll-out and Maintenance
Initial configuration: SIP Trunking requires input from 3 "places":
• Numbers and credentials from the Service Provider
• Information/knowledge about the PBX and ITSP
• Information about the customer network and setup
More complex than usual, and all compiled at installation time.
Upgrades, new configuration, exchange of hardware.
Ease and security of roll-out and maintenance are main Service Provider concerns.
Ingate has the Startup Tool for a very wide variety of PBXs and ITSPs
• "Out of the box" setup and commissioning of the Firewall and SIParator products
• Update current configuration
• Product registration and unit upgrades, including software and licenses
• Automatic selection of ITSP and IP-PBX
• Backup of Startup Tool database
Located at www.ingate.com, FREE!
For Volume Deployment there Must be Provisioning: The IX78 has Several Provisioning Methods
Web Wizard adapted to the Provider's Trunk Service: no provider integration needed; the installer inputs trunk side and PBX side data.
Configuration fetched from the Provider's Web Server: configuration, upgrades, licenses; at boot, by timer, or by kick (on request); the installer runs a small Wizard for the PBX side.
Via Element Management System (iEMS): the Provider inputs trunk data manually or automatically via OSS (via XML-RPC or SOAP); the IX78 connects automatically; the installer runs a small Wizard for the PBX side.
In the two latter methods, URLs to the Provider's provisioning server and iEMS are preloaded in the IX78, or fetched via DHCP.
Or a combination can be used (on request).
The SIP Trunking Configuration Wizard (screenshot)
5. Addressing Security Issues
4:30pm-5:30pm, Moderator: Maloff NetResults
4:30-4:35 Moderator
4:35-5:00 Ingate – Presenting a case study
5:00-5:30 Intertex Data AB – Practical solutions
Security
Privacy – little concern today
Theft of Service & Toll Fraud
Denial of Service (DoS)
Protecting the PBX
Protecting the Service Provider
Privacy – Similar to PSTN
SIP Trunking and SIP UC can be more private than traditional PSTN solutions (POTS and PRI).
Compromising the privacy of POTS and PRI requires physical presence, and these are never encrypted.
SIP signalling and media are rarely encrypted, but can be.
Privacy - Signaling Encryption
TLS is transport layer encryption with certificate check.
Both Ingate and Intertex E-SBCs can transcode between UDP, TCP and TLS for any call. TLS protects one hop at a time, so an E-SBC that converts TLS to UDP terminates the encryption and handles the signaling in the clear on the other leg; that leg should be the trusted one.
Privacy - Media
SRTP is encryption of the media (voice).
The Ingate E-SBCs can transcode between RTP (in the clear) and SRTP (encrypted) media. As with TLS, the E-SBC then handles the media unencrypted on its RTP leg.
Theft of Service & Toll Fraud
What is Theft of Service (or Intrusion of Service)? A third party attempting to defraud either the enterprise or the carrier. Devices attempting to "spoof" a client device in an attempt to look like an extension (or enterprise) and gain services directly.
Theft of Service & Toll Fraud is Now a Real World Problem
But only a problem when authentication is not used, or too weak passwords are used. There are:
• Digest Authentication (password)
• IP address: relies on that packets must return to the caller
• MTLS (TLS alone is not sufficient): the caller must be authenticated
Too weak passwords are the most common cause! Typical: 1234, admin, demo, test or the extension number.
The methods are good, the usage may be poor.
Trend for Theft Protection
Service providers provision the credentials for their service, so the customer never sees them.
Service Providers are starting to own CPE edge equipment (E-SBCs) and provision the security credentials for their own access to that CPE.
IX78 Preventing Unauthorized Usage
Simple general default configuration in the Intertex IX78 (screenshot).
Remote users to the PBX can be authenticated by the IX78 (also).
Allowed Usage of the SIP Trunk (screenshot)
Protection Against Password Guessing
Brute Force Attack Protection
Attackers are nowadays trying to find simple passwords by brute force testing. 10 – 100 trials/second have been seen (e.g. SIPVicious / friendly-scanner). After 3 trials we pretend all attempts are wrong, so the correct one is never found.
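An added example of the lockout described above, not code from the IX78: a registrar-side check of SIP digest authentication (RFC 3261 section 22, RFC 2617 without qop) that, after three failures from one source address, answers every further attempt with 401 whether the password is right or not, plus a check for the weak passwords the slides list. The realm, accounts, addresses and candidate list are constructed; the three-failure threshold is the slide's, the single-use nonce and the rest of the design are this example's.

```python
import hashlib
import secrets
from collections import defaultdict

REALM = "sip.provider.example"      # constructed
URI = "sip:sip.provider.example"    # Request-URI of the REGISTER

# Weak choices from the workshop's list; the extension number itself is
# compared against the username in is_weak_password().
WEAK_PASSWORDS = {"1234", "admin", "demo", "test"}


def is_weak_password(extension, password):
    return (password in WEAK_PASSWORDS or password == extension
            or len(password) < 8)


def md5hex(text):
    return hashlib.md5(text.encode()).hexdigest()


def digest_response(username, realm, password, method, uri, nonce):
    """Digest as a SIP phone computes it (no qop):
    MD5(MD5(user:realm:pass) : nonce : MD5(method:uri))."""
    ha1 = md5hex(f"{username}:{realm}:{password}")
    ha2 = md5hex(f"{method}:{uri}")
    return md5hex(f"{ha1}:{nonce}:{ha2}")


class Registrar:
    """Registrar side with the slide's rule: after MAX_FAILURES wrong
    attempts from one source, every further attempt from it is treated as
    wrong, so a guesser never learns which candidate was correct."""
    MAX_FAILURES = 3

    def __init__(self, realm, accounts):
        self.realm = realm
        self.accounts = accounts          # extension -> password
        self.failures = defaultdict(int)  # source IP -> consecutive failures
        self.nonces = {}                  # source IP -> outstanding nonce

    def challenge(self, src_ip):
        """The 401 Unauthorized step: hand out a fresh nonce."""
        nonce = secrets.token_hex(16)
        self.nonces[src_ip] = nonce
        return nonce

    def register(self, src_ip, username, uri, nonce, response):
        """Return the SIP status code for an authenticated REGISTER."""
        locked_out = self.failures[src_ip] >= self.MAX_FAILURES
        password = self.accounts.get(username)
        expected = (digest_response(username, self.realm, password,
                                    "REGISTER", uri, nonce)
                    if password is not None else None)
        genuine = (expected is not None
                   and nonce == self.nonces.pop(src_ip, None)   # one use per nonce
                   and secrets.compare_digest(response, expected))
        if locked_out or not genuine:
            self.failures[src_ip] += 1
            return 401                    # indistinguishable from a wrong guess
        self.failures[src_ip] = 0
        return 200


def simulate_guessing(registrar, src_ip, username, candidates):
    """What SIPVicious-style guessing sees: one challenge/response per
    candidate. Returns the list of status codes received."""
    codes = []
    for guess in candidates:
        nonce = registrar.challenge(src_ip)
        resp = digest_response(username, registrar.realm, guess, "REGISTER", URI, nonce)
        codes.append(registrar.register(src_ip, username, URI, nonce, resp))
    return codes


if __name__ == "__main__":
    reg = Registrar(REALM, {"1001": "Vq7!pK2r-stamp"})
    guesses = ["1234", "admin", "demo", "test", "1001", "Vq7!pK2r-stamp"]
    print(simulate_guessing(reg, "203.0.113.77", "1001", guesses))
```

The flip side of the rule is that a legitimate phone behind the same source address is locked out too, which is why the counter is keyed by source and a real deployment expires it; the slide does not say how long the IX78 keeps pretending, so no expiry is modelled here.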
Denial of Service (DoS)
What is Denial of Service? A third party makes a communications resource unavailable to its intended users.
Generally consists of the concerted efforts to prevent a SIP communications service from functioning efficiently or at all, temporarily or indefinitely.
One common method of attack involves saturating the target (victim) IP-PBX with external communications requests, such that it cannot respond to legitimate traffic, or responds so slowly as to be rendered effectively unavailable.
Denial of Service
Nowadays real DoS attacks are occurring. Few pure DoS attacks, but scanning for open SIP servers and trying passwords (e.g. SIPVicious.org / friendly-scanner) may become a DoS attack.
Attacked SIP devices can simply choke from overload when requesting authentication.
Or an SMB with limited IP bandwidth can have that consumed.
Communication servers have direct relationships with revenue and should be isolated from DoS.
SIP DoS Detection and Prevention
Intrusion Detection System (IDS) for SIP; Intrusion Prevention System (IPS) for SIP.
Ingate has an IDS / IPS system that identifies intrusions by examining network traffic. Ingate is located at choke points in the network to be monitored, often in the demilitarized zone (DMZ) or at network borders/edges.
Ingate captures all SIP traffic and analyzes the content of individual packets for malicious traffic, which will be stopped.
Ingate SIP IDS/IPS: Attack Recognition
IDS/IPS - Rule Packs: predefined rule packs (signatures) for filtering known industry DoS patterns specific for SIP applications.
Ingate SIP IDS/IPS: Rate Limiting
SIP signaling rate limiting is generally effective.
[Diagram: traffic from the untrusted network is matched/filtered on SIP protocol method and response code, then rate limited or blacklisted according to policy]
IX78 Preventing SIP DoS Attack
Signature Recognition: if the internal SIP proxy detects known signatures in SIP headers from attackers, it instructs the internal firewall to block the attacking IP address for 60 seconds. New signatures can be added manually or provisioned automatically.
SIP Rate Limiting: if there are more than 20 SIP packets/second from the same IP address, the internal firewall blocks that IP address for 20 seconds and does not respond to that IP address until the SIP packet rate is below 3 packets/second.
Since the source address of SIP over UDP can be spoofed, per-address blocking of this kind should exempt the trunk provider's addresses, or an attacker could get the provider itself blocked.
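An added example implementing the rate limiting rule just stated; it is not the IX78's code. A per-source sliding one-second window counts SIP packets: more than 20 in the window blocks the source for 20 seconds, and after that the source stays blocked until its rate is below 3 packets/second. The traffic (a scanner at 203.0.113.77, a PBX at 10.0.0.5) is constructed, and the window logic and names are this example's assumptions; the figures are the slide's.

```python
from collections import defaultdict, deque


class SipRateLimiter:
    """Per-source SIP packet rate limiting with the IX78 figures: more than
    BURST packets within one second blocks the source for BLOCK_SECONDS,
    and it stays blocked until its rate has dropped below RESUME pps.
    The one-second sliding window is this example's assumption."""
    BURST = 20            # packets within one second that trigger the block
    BLOCK_SECONDS = 20.0
    RESUME = 3            # rate that must be undercut before unblocking

    def __init__(self):
        self.window = defaultdict(deque)  # src -> timestamps within last 1 s
        self.blocked_until = {}           # src -> when the 20 s block ends

    def _rate(self, src, now):
        stamps = self.window[src]
        stamps.append(now)
        while stamps and stamps[0] <= now - 1.0:
            stamps.popleft()
        return len(stamps)

    def accept(self, src, now):
        """True if this packet may be passed on to the SIP proxy."""
        rate = self._rate(src, now)
        if src in self.blocked_until:
            if now < self.blocked_until[src] or rate >= self.RESUME:
                return False             # block running, or still hammering
            del self.blocked_until[src]  # rate fell below 3 pps: release
            return True
        if rate > self.BURST:
            self.blocked_until[src] = now + self.BLOCK_SECONDS
            return False
        return True


def run_traffic(limiter, packets):
    """packets: iterable of (timestamp, source_ip). Returns
    {source_ip: (accepted, dropped)}; packets are processed in time order."""
    stats = defaultdict(lambda: [0, 0])
    for ts, src in sorted(packets):
        stats[src][0 if limiter.accept(src, ts) else 1] += 1
    return {src: tuple(counts) for src, counts in stats.items()}


# Constructed traffic (not a capture): a scanner at 50 pps for 3 seconds,
# one retry 5 s in and another after the block has run out, alongside a
# PBX sending 2 packets/second for 30 seconds.
SCANNER, PBX = "203.0.113.77", "10.0.0.5"
SAMPLE_TRAFFIC = ([(i * 0.02, SCANNER) for i in range(150)]
                  + [(5.0, SCANNER), (25.0, SCANNER)]
                  + [(j * 0.5, PBX) for j in range(60)])


if __name__ == "__main__":
    for src, (ok, dropped) in run_traffic(SipRateLimiter(), SAMPLE_TRAFFIC).items():
        print(f"{src}: {ok} accepted, {dropped} dropped")
```

With this input the scanner gets its first 20 packets through, is blocked on the 21st, loses the retry at 5 s and is released only by the quiet retry at 25 s, while the PBX never comes near the limit.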
Protecting the PBX and Carrier: SIP Protocol Packet Error Detection and Correction
SIP signaling is only passed through the internal SIP proxy in Ingate and Intertex products.
Malformed SIP packets will not reach the PBXs or Service Providers from our side.
Standardized SIP interface in both directions.
6. Generating Revenue from HD Video
5:30pm-6:30pm, Moderator: Maloff NetResults
5:30-5:35 Moderator
5:35-6:00 UCIF – Polycom
6:00-6:30 Intertex Data AB – Reusing the E-SBC SIP trunking infrastructure
Global Video Calling Using the E-SBC
Telco opportunity: video calling.
High quality, chargeable, global video calling, ready to go, using the SIP Trunking infrastructure:
• High quality (telepresence) video calling
• Routed and billed (CDRs produced) by the E-SBC
• Simple settlement free IP peering between Telcos
What's Special About Video Calling?
We have been building islands, again… But there is no old Video PSTN to connect those together.
However, there is a standard (SIP) and a network (Internet). We have seen such video calls for a long time.
What more is needed?
• High quality, telepresence: guaranteed bandwidth and QoS?
• Global: not only within a company and not only within one carrier's network
• Telephone numbers (in addition to SIP addresses)
• Allow Telcos to bill (being more than just bandwidth providers)?
There is a Solution!
Do more at the enterprise edge! We can route here, the earlier the better. We can produce CDRs for billing here. We can do number resolution here (or the ITSP can do it).
The good news: reuse the SIP Trunking infrastructure (using E-SBCs). Simple peering between carriers.
Reusing the SIP Trunking E-SBC
Telco owned E-SBCs are already used for (voice) SIP Trunking: full operator control, the service provider's demarcation point, enabling the SIP Trunking. Video is not different from voice for NAT/Firewall traversal, PBX interoperability and security.
Reuse the same E-SBC for video calling!
In the Ingate and Intertex E-SBCs, it is all there:
• Classify outgoing calls (as video, HD voice or plain voice)
• Assure the right quality pipe and/or quality marking is used
• Route the call directly to the other party (or …)
  • Use ENUM (public or private) for E.164 number to SIP address resolution
  • Only settlement free IP peering between operators required
  • Can fall back to best effort IP peering (Internet) in the operator network
• Produce and deliver CDRs for each call
  • Report minutes and data used
  • Include video and voice quality metrics (including MOS scores)
  • Deliver via RADIUS, Syslog, management system (TR-069 informs) or method by choice
Simple For the Carrier
[Diagram: a SIParator and an IX78 at two enterprise edges, each on its own carrier's QoS IP network (MPLS), e.g. Qwest Internet and AT&T Internet, peered with each other; ENUM resolves the number and each E-SBC produces a CDR]
Quality Separated Networks Out to the Customer Edge is Not New. Widely Used for Triple Play Services.
The Intertex IX78 Supports All of these Architectures!
[Repeat of the earlier architecture diagram: Private Virtual Circuits (ADSL PVC1/PVC2/PVC3, e.g. Telia), Virtual LANs (Ethernet VLAN1/VLAN2/VLAN3, e.g. Telia), IP QoS Separated Subnets (Ethernet WAN1/WAN2/WAN3, e.g. B2) and IP Level QoS (ADSL or Ethernet, Priority1/Priority2/Priority3, e.g. BT), each carrying Internet, IP-TV/VoD and IMS VoIP]
iEMS – CDRs with Call Quality Metrics
For the Telcos To Do
• Provide high quality IP pipes for video and HD voice (e.g. MPLS). If on separate layer 2 networks for quality, still make them routable to the Internet (for fallback to "best effort peered" = Internet).
• Enter users in ENUM (public or private): E.164 numbers to SIP address resolution.
• Settlement free peering between carriers for high QoS IP networks. Just like for the Internet, now also for the high quality IP network (e.g. by MPLS).
• Deploy the same CPEs (E-SBCs) as for SIP Trunking. They can also be general SIP enablers (at least Intertex' and Ingate's) for offering all types of SIP based services.
• Process the CDRs from the E-SBC as usual for billing.
What’s out there 1? - Cisco TIP
http://newsroom.cisco.com/dlls/2010/prod_012610.html Telepresence Interoperability(?) Protocol (TIP) “Cisco already supports H.323, which allows Cisco…”
Don’t we already have SIP, SDP, RTP, RTCP and Codec standards? … And don’t they define interoperability far beyond Cisco?
Is there more than how to transfer to several screens?
What's out there 2? – The IMS World
Fine, but when? Stuck in its own complexity… Where is the multimedia and interoperability? And the IMS world still has to find out how to reach the users on the fixed network, the LANs behind NATs and firewalls, or stay with POTSoIP on FXS ports.
A "OneVoice" initiative to create VoLTE: AT&T, Bell Canada, China Mobile, Deutsche Telekom/T-Mobile, KDDI, mobilkom austria, MTS, NTT DoCoMo, Orange, SKT, SoftBank, Telecom Italia, Telecom New Zealand, Telefónica, Telenor, TeliaSonera, Verizon Wireless, Vodafone, Acme Packet, Alcatel-Lucent, Aylus, Camiant, Cisco, Colibra, Communigate, Comneon, Ericsson, Fujitsu, Genband, Huawei, LG, Motorola, Movial, Mu, NEC, Nokia, Nokia Siemens Networks, Qualcomm, RADVISION, Samsung, Sony Ericsson and Tekelec.
Isn't VoIP already invented?
A "OneVideo" initiative can be expected…
Until then: route at the edge by the E-SBC! The E-SBC is still needed to reach users on the LAN and for UC PBX interoperability. The IMS can still be the SIP registrar and billing server…
What's out there 3? Juniper, Polycom...
Juniper, Polycom forge telepresence, video conferencing alliance
http://www.zdnet.com/blog/btl/juniper-polycom-forge-telepresence-video-conferencing-alliance/29868
"a counterweight to Cisco Systems and its recent acquisition of Tandberg"; "optimize their platforms so service providers can offer video and telepresence cheaply. The argument: It's cheaper for enterprises to deploy telepresence as a service from their network providers instead of building out their own networks."
Sure!
http://www.juniper.net/us/en/local/pdf/solutionbriefs/3510358-en.pdf
About pre-reservation of capacity for high bandwidth calls.
SIP Capable Firewalls and SIParators®
Intertex Data AB, www.intertex.se. Contact: Karl [email protected]; [email protected]; Tel: +46 8 12205629; Mob: +46 70 7254532
Ingate Systems Inc., www.ingate.com. Contact: Steve [email protected]; [email protected]; Tel: +1 603 883 6569; Mob: +1 603 557 7918
Thank You!