January 23-26, 2007 • Ft. Lauderdale, Florida

SIP Trunking for the Intermediate/Advanced Reseller

The SIP Connection From A to Z

Presented by Pete Sandstrom, CTO, BandTel, and Janne Magnusson, Director Operations, Ingate

Advanced SIP Session Overview

1. Open Systems Interconnection Model (OSI) is more than a model
• Real-Time Protocol (RTP)
• Real-Time Control Protocol (RTCP)

2. Quality of Service (QoS)
• IP – Multi-Protocol Label Switching (MPLS)
• Peering for Performance

3. SIP Applications – the reason for doing anything

4. SIP Security – protecting what we have

5. SIP trunking CPE Architectures

6. The role of the ITSP – provider performance

1. Open Systems Interconnection (OSI): Understanding Where You Are

SIP is a Fully-Featured Protocol


RTP Carries SIP over UDP/IP/etc.


RTCP Reports on Traffic Conditions

Real-Time Control Protocol (RTCP) packets are used to provide QoS measurement reports and other information. The VoIP RTCP Extended Reports (XR) Metrics Report Block (MRB) provides measurements (metrics) for monitoring quality of VoIP calls and conversations. These measurements include packet loss and discard metrics, delay metrics, analog metrics, and voice quality metrics.

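The RTCP reports described above are what a monitoring point parses to measure call quality. The Python below is an added example, not part of the original presentation: it builds a constructed RTCP Receiver Report (the basic RFC 3550 report block, not the XR Metrics Report Block the slide mentions), parses it back, and applies assumed loss and jitter thresholds to flag a degraded call. The SSRC values, counters and thresholds are made up for the demonstration.

```python
import struct
from dataclasses import dataclass

RTCP_RR = 201          # RTCP payload type: Receiver Report (RFC 3550)
REPORT_BLOCK_LEN = 24  # bytes per reception report block


@dataclass
class ReportBlock:
    ssrc: int             # source the report is about
    fraction_lost: int    # loss since the last report, 8-bit fixed point (x/256)
    cumulative_lost: int  # packets lost since reception started (signed 24-bit)
    ext_highest_seq: int  # extended highest sequence number received
    jitter: int           # interarrival jitter in RTP timestamp units
    lsr: int              # last SR timestamp
    dlsr: int             # delay since last SR

    @property
    def loss_percent(self) -> float:
        return self.fraction_lost * 100.0 / 256

    def jitter_ms(self, clock_rate: int = 8000) -> float:
        # G.711 uses an 8 kHz RTP clock; pass the codec's real clock rate otherwise
        return self.jitter * 1000.0 / clock_rate


def build_rr(sender_ssrc: int, blocks: list) -> bytes:
    """Serialise a Receiver Report as a receiving endpoint would (used here to build sample input)."""
    body = b""
    for b in blocks:
        cum = b.cumulative_lost & 0xFFFFFF  # two's complement into 24 bits
        body += struct.pack("!IBBHIIII", b.ssrc, b.fraction_lost, cum >> 16, cum & 0xFFFF,
                            b.ext_highest_seq, b.jitter, b.lsr, b.dlsr)
    length_words = (8 + len(body)) // 4 - 1  # RTCP length field: 32-bit words minus one
    header = struct.pack("!BBHI", 0x80 | len(blocks), RTCP_RR, length_words, sender_ssrc)
    return header + body


def parse_rr(data: bytes):
    """Parse a Receiver Report; raises ValueError on anything that is not a well-formed RR."""
    if len(data) < 8:
        raise ValueError("RTCP packet too short")
    b0, pt, length_words = struct.unpack("!BBH", data[:4])
    if b0 >> 6 != 2:
        raise ValueError("unsupported RTP version")
    if pt != RTCP_RR:
        raise ValueError(f"not a Receiver Report (PT={pt})")
    if (length_words + 1) * 4 != len(data):
        raise ValueError("length field does not match packet size")
    rc = b0 & 0x1F
    sender_ssrc = struct.unpack("!I", data[4:8])[0]
    blocks, off = [], 8
    for _ in range(rc):
        if off + REPORT_BLOCK_LEN > len(data):
            raise ValueError("truncated report block")
        ssrc, frac, cum_hi, cum_lo, ext, jit, lsr, dlsr = struct.unpack(
            "!IBBHIIII", data[off:off + REPORT_BLOCK_LEN])
        cum = (cum_hi << 16) | cum_lo
        if cum & 0x800000:  # sign-extend the 24-bit field
            cum -= 1 << 24
        blocks.append(ReportBlock(ssrc, frac, cum, ext, jit, lsr, dlsr))
        off += REPORT_BLOCK_LEN
    return sender_ssrc, blocks


def assess(block: ReportBlock, clock_rate: int = 8000,
           max_loss_pct: float = 1.0, max_jitter_ms: float = 30.0) -> list:
    """Flag a degraded call using assumed thresholds; returns the list of findings."""
    findings = []
    if block.loss_percent > max_loss_pct:
        findings.append(f"loss {block.loss_percent:.2f}% exceeds {max_loss_pct}%")
    if block.jitter_ms(clock_rate) > max_jitter_ms:
        findings.append(f"jitter {block.jitter_ms(clock_rate):.1f} ms exceeds {max_jitter_ms} ms")
    return findings


# Constructed sample: one report block with 13/256 loss and 160-sample jitter (20 ms at 8 kHz)
SAMPLE_RR = build_rr(0x1234ABCD, [ReportBlock(0xDEADBEEF, 13, 42, 70000, 160, 0, 0)])

if __name__ == "__main__":
    sender, blocks = parse_rr(SAMPLE_RR)
    for b in blocks:
        print(f"from {sender:08x} about {b.ssrc:08x}: loss {b.loss_percent:.2f}%, "
              f"jitter {b.jitter_ms():.1f} ms, findings={assess(b)}")
```

The length check and the signed 24-bit handling are the two places where naive parsers go wrong; a report that fails either check is dropped rather than fed into the quality statistics.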

2. QoS and the Internet

• The Economics of peering and why it works in North America

• Tier I/II space: it is over-provisioned and it is managed

QoS and the Internet: The Economics of peering and why it works in North America

[Diagram: two peered IP networks, NET A and NET B]

NET A drops packets, forcing NET B to retransmit and lowering B's overall throughput. That's lost revenue for B.

QoS and the Internet: It is over-provisioned and managed

[Diagram: MPLS networks interconnected across the Internet]

VoIP in Private and Public IP Space

• Local and remote phone stations in private space

• SIP trunking POPs in public space

• If MPLS, then equipment costs are radically lowered.

IP-PBXs Migrate PBXs – ITSPs Emerge

[Diagram: IP-PBX behind a SIP-Aware FireWall (SAFW), reaching the ITSP's SIP Services over IP, with a gateway (GW) to the PSTN]

IP by Itself has No QoS


MPLS was Created to Provide QoS


3. SIP Trunking Basic Features

SIP Trunking Applications:
• Competes with and beats T1 trunking
• "Event notification" – disaster recovery options
• Add bandwidth QoS and security, provided via SAFW and/or MPLS
• On demand N-way conferencing
• 411 Directory Assistance
• Enhanced 911 services access
• Directory Listing
• Local and Inbound Calling
• Platform for personalized applications and rich media services

SIP Trunking Competes

• VoIP competes economically with, and beats, T1 trunking to a TDM PBX.

• Hosted VoIP can't scale well and doesn't fit the needs of the enterprise

• SIP trunking means X voice paths to Y stations where Y/X > 1; generally the ratio would be 4 trunks to 10 stations

SIP Trunking Feature - Conferencing

On demand business meetings, training, broadcast announcements, call-to-meeting notifications, even reverse 911 are enhanced with SIP trunking.


4. SIP Security & Firewalls

• Before we explore viable architectures for SIP systems, let's understand one more critical concept.

• While SIP brings advances in VoIP call connections, SIP faces the same security attacks as other IP protocols such as HTTP and SMTP: malformed message attacks, SPIT (SPam over Internet Telephony), buffer overflow attacks, DoS (Denial of Service) attacks, eavesdropping, hijacking, injection of malicious RTP packets into existing RTP flows, and other known and yet-to-be-created attacks.

• In other words, a special SIP firewall and other protection systems are recommended.


SIP Trunking Security and Reliability

• Need to Ensure Enterprise LAN is Correctly Designed for VoIP (i.e. a SIP-Aware Firewall Needs to be in Place)

• CPE Protection: SIP-Aware Firewall that allows L5 Security (i.e. no L2 pinholes)

• Require ITSP MD5 or IP Authentication for Account Authorization

• ITSP Should Split Media and Signaling to Different Redundant Locations, Making Taps Virtually Impossible

• ITSP Must Have Secure POPs That Can Fend Off all Outside Attacks:
– DoS (Denial of Service)
– IP Spoofing
– SPIT (Spam over Internet Telephony)


SIP Trunking Security and Reliability

[Diagram: SIP trunk access paths over MPLS, the Internet, hot spots, and DSL/cable modems]

Let's take a break to understand how your customer may see the "project."

Now back to getting serious

5. SIP trunking CPE Architectures

Type 1 – Dedicated IP Pipe for VoIP

Type 2 – Merged MPLS-Pipe with LER Tagging VoIP

Type 3 – Merged IP Pipe with SIP-Aware Firewall (SAFW)

Type 4 – Separate IP Pipe for VoIP with Existing Non-SIP Firewall and SIP-Only Firewall (SOFW)

Type 5 – Merged IP Pipe with Incumbent Non-SIP-Aware Firewall, No DMZ Port and SIP-Aware Firewall

Type 6 – Looks like Type 5 but Merged IP Pipe with Incumbent Non-SIP-Aware Firewall, No DMZ Port and SIP-Aware Firewall

Type 7 – Merged IP Pipe with Incumbent Non-SIP-Aware Firewall with a DMZ Port

Type 8 – Merged IP Pipe with Incumbent Non-SIP-Aware Firewall

Type 1 – Dedicated IP Pipe for VoIP

1 – The IP pipe is dedicated to VoIP, so no QoS arrangements are needed with the carrier.

2 – No firewall is needed as there are no LAN connections with other enterprise devices.

3 – This is a common architecture for dedicated media gateway deployments.

Type 2 – Merged MPLS-Pipe with LER Tagging VoIP

1 – VoIP and enterprise data share the same IP pipe. MPLS tags the VoIP as the highest priority via the LER (Label Edge Router).

2 – The SAFW handles all SIP addressing transformation issues between the LAN and WAN demarc.

3 – Architecture offers full QoS for VoIP.

4 – Excellent utilization of IP pipe resources.

Type 3 – Merged IP Pipe with SIP-Aware Firewall (SAFW)

1 – VoIP and bulk enterprise traffic share the same IP pipe.

2 – The SAFW (SIP-Aware Firewall) handles all the QoS issues by prioritizing VoIP traffic over the bulk enterprise traffic.

3 – The SAFW handles all SIP addressing transformation issues between the LAN and WAN demarc.

4 – Architecture offers partial QoS for VoIP (no inbound UDP QoS).

5 – Excellent utilization of IP pipe resources.

Type 4 – Separate IP Pipe for VoIP with Existing Non-SIP Firewall and SIP-Only Firewall (SOFW)

1 – A separate IP pipe deployed for VoIP traffic only.

2 – QoS for VoIP realized by separating VoIP and bulk traffic to separate IP pipe.

3 – The SIP-Aware Firewall (SAFW) handles all SIP addressing transformation issues between the LAN and WAN demarc.

4 – The SAFE configuration is untouched and handles no VoIP traffic.

5 – No utilization of existing IP pipe for VoIP.


Type 5 – Merged IP Pipe with Incumbent Non-SIP-Aware Firewall, No DMZ Port and SIP-Aware Firewall

1 – VoIP and bulk enterprise traffic share the same IP pipe.

2 – QoS is not realized for VoIP as there is no single point to control traffic. Excessive bandwidth is needed for VoIP to function.

3 – The SAFW handles all SIP addressing transformation issues between the LAN and WAN demarc.

4 – The SAFE configuration is untouched and handles no VoIP traffic.

5 – Full utilization of incumbent IP pipe for VoIP realized.

Type 6 – Looks like Type 5 but Merged IP Pipe with Incumbent Non-SIP-Aware Firewall, No DMZ Port and SIP-Aware Firewall

1 – VoIP and bulk enterprise traffic share the same IP pipe.

2 – QoS is realized for VoIP as there is a single point to control traffic.

3 – The SAFW handles all SIP addressing transformation issues between the LAN and WAN demarc.

4 – The SAFE configuration is untouched and handles no VoIP traffic.

5 – Full utilization of incumbent IP pipe for VoIP realized.

Type 7 – Merged IP Pipe with Incumbent Non-SIP-Aware Firewall with a DMZ Port

1 – VoIP and bulk enterprise traffic share the same IP pipe.

2 – QoS is not realized for VoIP as there is no single point to control traffic. Excessive bandwidth is needed for VoIP to function.

3 – The SAFW handles all SIP addressing transformation issues between the LAN and WAN demarc.

4 – The USAFW configuration is touched to allow VoIP to utilize the SAFE DMZ resource.

5 – Full utilization of incumbent IP pipe for VoIP realized.

6 – Works with the SAFW as SIP traffic traverses twice.

Type 8 – Merged IP Pipe with Incumbent Non-SIP-Aware Firewall

1 – VoIP and bulk enterprise traffic share the same IP pipe.

2 – QoS is not realized for VoIP since there is no QoS feature in the SAFE.

3 – The UA handles all SIP addressing transformation issues between the LAN and WAN demarc via SIP NAT traversal features and/or by using STUN (Simple Traversal of User Datagram Protocol through NATs) with an external STUN server.

4 – The SAFE security is breached by having ports opened for SIP UDP traffic.

5 – Full utilization of incumbent IP pipe for VoIP realized.

6 – Architecture does not scale well for anything beyond a few VoIP calls.

7 – This architecture is suited only for hosted VoIP services with a small number of end-user stations in the LAN space.

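Item 3 of Type 8 relies on STUN for NAT traversal. As an added example that is not from the presentation, the Python below builds the STUN Binding Request a UA sends, the Binding Success Response a STUN server returns carrying XOR-MAPPED-ADDRESS (RFC 5389 encoding), and the client-side parsing that recovers the public mapping and checks the transaction ID so that a stray or spoofed response is not trusted. The public mapping 198.51.100.23:40000 and the transaction ID are constructed; 10.200.10.16 is the private PBX address used in the Ingate slides.

```python
import os
import socket
import struct

MAGIC_COOKIE = 0x2112A442  # fixed value in every RFC 5389 STUN header
BINDING_REQUEST = 0x0001
BINDING_SUCCESS = 0x0101
XOR_MAPPED_ADDRESS = 0x0020
HEADER_LEN = 20


def build_binding_request(txid: bytes = None) -> bytes:
    """Message the UA sends to the STUN server: a 20-byte header and no attributes."""
    txid = txid or os.urandom(12)
    return struct.pack("!HHI", BINDING_REQUEST, 0, MAGIC_COOKIE) + txid


def build_binding_success(txid: bytes, mapped_ip: str, mapped_port: int) -> bytes:
    """What the STUN server answers: the source address it saw, XOR-ed with the magic cookie."""
    xport = mapped_port ^ (MAGIC_COOKIE >> 16)
    xaddr = int.from_bytes(socket.inet_aton(mapped_ip), "big") ^ MAGIC_COOKIE
    attr = struct.pack("!HHBBHI", XOR_MAPPED_ADDRESS, 8, 0, 0x01, xport, xaddr)  # family 0x01 = IPv4
    return struct.pack("!HHI", BINDING_SUCCESS, len(attr), MAGIC_COOKIE) + txid + attr


def parse_mapped_address(resp: bytes, expected_txid: bytes):
    """Client side: validate the response and recover (ip, port) from XOR-MAPPED-ADDRESS."""
    if len(resp) < HEADER_LEN:
        raise ValueError("short STUN message")
    mtype, length, magic = struct.unpack("!HHI", resp[:8])
    if magic != MAGIC_COOKIE or mtype != BINDING_SUCCESS:
        raise ValueError("not a Binding success response")
    if resp[8:20] != expected_txid:
        raise ValueError("transaction ID mismatch (stray or spoofed response)")
    if len(resp) != HEADER_LEN + length:
        raise ValueError("length field does not match message size")
    off = HEADER_LEN
    while off + 4 <= len(resp):
        atype, alen = struct.unpack("!HH", resp[off:off + 4])
        value = resp[off + 4:off + 4 + alen]
        if atype == XOR_MAPPED_ADDRESS:
            if alen != 8:
                raise ValueError("bad XOR-MAPPED-ADDRESS length")
            _, family, xport, xaddr = struct.unpack("!BBHI", value)
            if family != 0x01:
                raise ValueError("only IPv4 handled in this example")
            port = xport ^ (MAGIC_COOKIE >> 16)
            ip = socket.inet_ntoa((xaddr ^ MAGIC_COOKIE).to_bytes(4, "big"))
            return ip, port
        off += 4 + ((alen + 3) & ~3)  # attributes are padded to 32-bit boundaries
    raise ValueError("no XOR-MAPPED-ADDRESS attribute")


def behind_nat(local_ip: str, local_port: int, mapped) -> bool:
    """True when the address the server saw differs from the UA's own socket address."""
    return (local_ip, local_port) != mapped


LOCAL_IP, LOCAL_PORT = "10.200.10.16", 5060  # private PBX address from the slides
TXID = bytes(range(12))                       # constructed; a real client uses os.urandom(12)
# Constructed exchange: the STUN server saw the NAT's public mapping 198.51.100.23:40000
RESPONSE = build_binding_success(TXID, "198.51.100.23", 40000)

if __name__ == "__main__":
    mapped = parse_mapped_address(RESPONSE, TXID)
    print("public mapping:", mapped, "behind NAT:", behind_nat(LOCAL_IP, LOCAL_PORT, mapped))
```

The mapping learned this way is what the UA writes into its Via and SDP so that the far side's SIP responses and RTP reach it through the opened port, which is exactly the hole item 4 above describes: the "SAFE" firewall must admit inbound UDP to that port for the call to work.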

??? About Architectures

Type 1 – Dedicated IP Pipe for VoIP

Type 2 – Merged MPLS-Pipe with LER Tagging VoIP

Type 3 – Merged IP Pipe with SIP-Aware Firewall (SAFW)

Type 4 – Separate IP Pipe for VoIP with Existing Non-SIP Firewall and SIP-Only Firewall (SOFW)

Type 5 – Merged IP Pipe with Incumbent Non-SIP-Aware Firewall, No DMZ Port and SIP-Aware Firewall

Type 6 – Looks like Type 5 but Merged IP Pipe with Incumbent Non-SIP-Aware Firewall, No DMZ Port and SIP-Aware Firewall

Type 7 – Merged IP Pipe with Incumbent Non-SIP-Aware Firewall with a DMZ Port

Type 8 – Merged IP Pipe with Incumbent Non-SIP-Aware Firewall

6. The ITSP behind the SIP Trunk

• Getting to the ITSP proxy

• Resiliency in the event of failure

• Load to the ITSP proxy (dynamic routing)

• When an ITSP element fails (real-time dynamic fault switchover)

• Getting to the PSTN – PSTN carrier options

ITSPs “Peer” For Customer Performance


VoIP Network – N-Plus™


Special ITSP Services for SIP Trunkers

• Online Traffic monitoring (TotalView)
• Online Billing
• Traffic re-routing (Total Reroute)
• Silent Running – Bandwidth Conservation

Completed Call Percentages


Real-Time Call Activity


Accounting History


101 Summary

• SIP trunking competes with and beats T1 Trunking on price and features

• QoS – SAFW and/or MPLS needed for bandwidth QoS

• SIP Security – private or public, it can be made secure

• SIP CPE Architecture – critical for creating a secure clear call

• The ITSP behind the SIP Trunk

Communication on the LAN

[Diagram: IP-PBX behind a Firewall, with SIP Trunks over the Internet to the Service Provider]

• Important to have a reliable and well dimensioned network
– Consider delay and QoS

• As secure as the corporate network for e-mail etc.

• Possible to increase security by implementation of encrypted SIP signaling (TLS) and media (SRTP)

Many IP-PBXs can't handle Outbound Proxy

Without support for OP:
[email protected] – Default Gwy: 10.500.10.11, Outb. Proxy: -
[email protected] – Default Gwy: 10.500.10.11, Outb. Proxy: -

With support for OP:
[email protected] – Default Gwy: 10.500.10.11, Outb. Proxy: 10.500.10.13

[Diagram: IP-PBX (IP 10.200.10.16) and Default Gateway (IP 10.200.10.11) on the LAN; Ingate SIParator® as Outbound Proxy (IP 10.500.10.13) behind a SIP-unaware Firewall, with IP 168.203.30.11 (DMZ) and IP 168.105.45.19 on the outside; Service Provider PSTN Gwy to the PSTN; phone numbers 603-883-6569 and 972-678-0464]

IP packets to destinations outside the logical network are sent to the Default Gateway for routing.

The Outbound Proxy is the equivalent of the Default Gateway, but for SIP.

With the SIP Trunking Module, configure the IP-PBX to "pretend" that Ingate is the Service Provider; the module rewrites the domain part ([email protected] / 168.203.30.11).

Communications outside the LAN

[Diagram: IP-PBX behind a Firewall, with SIP Trunks over the Internet to the Service Provider]

• Important to have a reliable and high quality Internet connection
– Consider delay to the ITSP
– Consider the QoS of your connection (voice should have priority)

• Voice travels over the public Internet (as e-mail does)

• Possible to increase security by implementation of encrypted SIP signaling (TLS) and media (SRTP)

Many Service Providers can't handle domain names

What if the Service Provider can't handle domains? The Ingate SIP Trunking module solves this problem!

[Diagram: IP-PBX (IP 10.200.10.16) behind a SIP-unaware Firewall; Ingate SIParator® with SIP Trunking Module (IP 10.500.10.13, IP 168.203.30.11 (DMZ), IP 168.105.45.19); Service Provider PSTN Gwy to the PSTN; phone numbers 603-883-6569 and 972-678-0464]

With a domain name, no problem!

Can only address the known public IP-address of the SIParator.

The SIP Trunking Module rewrites the domain part ([email protected] / [email protected]).

DNS record: pbx.ingate.com resolves to IP 168.105.45.19
DNS override: pbx.ingate.com → 10.200.10.16

Questions?

About BandTel

• Headquartered in Newport Beach, California, BandTel is a leading worldwide provider of SIP Trunking services. The company is dedicated to ensuring its customers and partners alike have access to the most reliable, end-to-end VoIP service available on the market today.

• Its N-Plus™ network architecture is designed to solve the throughput and redundancy problems on high-capacity SIP-based networks and eliminate any single point of failure.

• BandTel continues to develop strong partnerships with leading carriers and telecommunications companies, including Global Crossing, XO Communications, Level 3, Qwest Communications, Verizon Business, and Primus.


About Ingate

• Formed 2001 – Firewall technology from Cendio Systems

• Appliance firewalls since 1994 – Capital and SIP technology from Intertex Data AB

• Began SIP development in 1998

• Released the world's first SIP-capable Firewall in 2001

• Located in Stockholm and Linköping, Sweden, with a subsidiary, Ingate Systems Inc., based in Hollis, NH.

• Confirmed IP-PBX interoperability: 3Com, Asterisk, Avaya, Broadsoft, Cisco Call Manager, Ericsson MX-One, Mitel, Pingtel, SER, Shoretel, Sphere, Swyx, Zultys

• Confirmed carrier interoperability: Bandtel, Broadband.com, Cbeyond, Global Crossing, IP-Only, O1, RNKTel, Tele2, VoEx

For More Information About SIP Trunking

Visit BandTel’s New SIP Trunking Resource Center

www.BandTel.com/siptrunking2.asp