Deploying SIP on a Global Scale
Thom O’Connor
Director, Product and Services
CommuniGate Systems
January 25, 2007
January 23-26, 2007• Ft. Lauderdale, Florida
VoIP in the News
“We are in the midst of a VoIP communications revolution“ - Jeff Pulver
The use of IP PBXs is poised to soar, according to a study by In-Stat that predicts
sales of these devices will represent 51% of all PBX sales this year and grow to 91%
worldwide by 2009. - Network World, August 2005
Long-term Benefits of VoIP
• Sophisticated call management – presence, call forwarding/routing
• Integrated voice, video, file transfer, IM
• (Arguably) communications at lower cost and with richer media (although the cost benefits are in transition and debatable)
• Consolidated identity management
• Granular policy/compliance capabilities
• ENUM for convergence of telephone numbers & IP addresses
• Mobility, access, flexibility
Focusing on SIP-initiated VoIP
• VoIP is an ambiguous concept encompassing many protocols including H.323, MGCP, SIP, 3GPP/IMS
• VoIP provides the IP-based transfer of:
  – Audio & Video (multimedia)
  – Instant Messages
  – Client-driven application sharing & whiteboarding
• Session Initiation Protocol (RFC 3261): SIP provides for open and standards-based signaling
• SIP provides registration, authentication, and discovery - allows two or more clients to locate each other, select a media type & define media sockets using SDP
• RTP used for audio/video payload, and often directly between end devices
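The split between signaling and media described above is worth seeing in bytes: the SIP INVITE travels proxy to proxy, but the RTP sockets are whatever the SDP body's c= and m= lines say, and that is where the media (and the NAT, firewall and interception problems) actually goes. The following is an added example, not code from the slides or from CommuniGate; the INVITE and SDP are constructed for this page (RFC 5737 documentation addresses, example domains), and the parser enforces Content-Length so a body that disagrees with its declared length is refused rather than silently mis-framed.

```python
"""Parse a SIP INVITE and pull the RTP media sockets out of its SDP body."""

# Constructed example INVITE (not a capture). Addresses are RFC 5737
# documentation ranges; example.com / example.net are reserved example domains.
SDP_BODY = (
    "v=0\r\n"
    "o=alice 2890844526 2890844526 IN IP4 192.0.2.10\r\n"
    "s=-\r\n"
    "c=IN IP4 192.0.2.10\r\n"            # session-level connection address
    "t=0 0\r\n"
    "m=audio 49170 RTP/AVP 0 8\r\n"      # plain RTP: unencrypted audio
    "a=rtpmap:0 PCMU/8000\r\n"
    "m=video 51372 RTP/SAVP 96\r\n"      # SRTP video, with its own c= line below
    "c=IN IP4 192.0.2.11\r\n"
)
SAMPLE_INVITE = (
    "INVITE sip:bob@example.com SIP/2.0\r\n"
    "Via: SIP/2.0/UDP 192.0.2.10:5060;branch=z9hG4bK776asdhds\r\n"
    "Max-Forwards: 70\r\n"
    "From: Alice <sip:alice@example.net>;tag=1928301774\r\n"
    "To: Bob <sip:bob@example.com>\r\n"
    "Call-ID: a84b4c76e66710@192.0.2.10\r\n"
    "CSeq: 314159 INVITE\r\n"
    "Contact: <sip:alice@192.0.2.10:5060>\r\n"
    "Content-Type: application/sdp\r\n"
    f"Content-Length: {len(SDP_BODY.encode())}\r\n"
    "\r\n" + SDP_BODY
)


def parse_sip(raw: str) -> dict:
    """Split a SIP request into request line, headers and body, enforcing Content-Length."""
    head, sep, body = raw.partition("\r\n\r\n")
    if not sep:
        raise ValueError("missing header/body separator")
    request_line, *header_lines = head.split("\r\n")
    method, request_uri, version = request_line.split(" ", 2)
    if version != "SIP/2.0":
        raise ValueError(f"unexpected version {version!r}")
    headers = {}
    for line in header_lines:
        name, colon, value = line.partition(":")
        if not colon:
            raise ValueError(f"malformed header line {line!r}")
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    # A Content-Length that disagrees with the body desyncs a proxy from the
    # UA behind it (and is a classic fuzzing target); refuse it outright.
    declared = int(headers.get("content-length", ["0"])[0])
    actual = len(body.encode())
    if declared != actual:
        raise ValueError(f"Content-Length {declared} != actual body {actual}")
    return {"method": method, "uri": request_uri, "headers": headers, "body": body}


def media_sockets(sdp: str) -> list:
    """Return one entry per m= line: where RTP will flow and whether it is SRTP."""
    session_addr = None
    media = []
    for line in sdp.splitlines():
        if len(line) < 2 or line[1] != "=":
            continue
        key, value = line[0], line[2:]
        if key == "c":
            addr = value.split()[2]              # "IN IP4 <addr>"
            if media:
                media[-1]["addr"] = addr         # media-level c= overrides the session-level one
            else:
                session_addr = addr
        elif key == "m":
            kind, port, proto, *payloads = value.split()
            media.append({
                "type": kind,
                "addr": session_addr,
                "port": int(port),                # port 0 would mean the stream is rejected
                "proto": proto,
                "srtp": proto in ("RTP/SAVP", "RTP/SAVPF"),
                "payloads": payloads,
            })
    return media


def summarize(raw: str) -> list:
    """(type, address, port, srtp) for every media stream offered in the INVITE."""
    msg = parse_sip(raw)
    return [(m["type"], m["addr"], m["port"], m["srtp"]) for m in media_sockets(msg["body"])]


if __name__ == "__main__":
    for entry in summarize(SAMPLE_INVITE):
        print(entry)
```

Running it lists the audio stream to 192.0.2.10:49170 over plain RTP/AVP and the video stream to 192.0.2.11:51372 over RTP/SAVP; a session border controller that wants to enforce SRTP does exactly this check on the m= line before letting the offer through.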
Diagram of SIP-initiated VoIP
Network Models for IP Communications
1. Service-Provider Model
2. Internet SIP usage with basic SIP Proxies
3. Client-Server SIP model, trusted users only
4. P2P Model
5. Distributed SIP model
Service-Provider Model
Advantages
• Easy to implement and use for end users
• Theoretical possibility of security within each provider
• Standardization not required
Disadvantages
• Proprietary, (often) closed networks
• Many non-interop devices
• Relatively few providers, relatively little choice & potential for oligopoly
• Actual security of data and accounts is unknown
• Little/no policy control
Internet SIP with basic SIP Proxies
Advantages
• Stateless proxies can achieve high performance, but often not usable or secure
Disadvantages
• Great difficulty in consistent signaling and media establishment with end users, especially those behind firewalls
• Little or no gateway session control (may be most significant for enterprise users)
• NAT traversal problems – STUN/TURN provides some NAT capabilities
• Presence conflicts when more than one end-user agent per user
Client-Server SIP model, trusted users only
Advantages
• Tight authentication and REGISTER control
• Little threat of Spam, Caller ID spoofing
• Mostly-secure internal communications
• “Near-end” and “Far-end” NAT traversal capable (if the SIP infrastructure is)
Disadvantages
• Not truly an Internet-wide distributed SIP infrastructure
• All non-local sessions routed through PSTN or other public service providers (IM gateways, etc.)
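"Tight authentication and REGISTER control" in practice means the registrar challenges every REGISTER with Digest authentication (RFC 3261 section 22, which reuses RFC 2617) and only binds a Contact to an address-of-record when the proven username matches that AoR. The following is an added example, not code from the slides or from CommuniGate, showing both sides of that exchange with single-use, expiring nonces; the realm, user and password are constructed for this page, and the `Registrar` class and its method names are this example's own.

```python
"""SIP Digest authentication (RFC 3261 s.22 / RFC 2617) for REGISTER, both sides."""
import hashlib
import hmac
import secrets


def _md5(s: str) -> str:
    return hashlib.md5(s.encode()).hexdigest()


def digest_response(username, realm, password, method, uri, nonce, qop=None, nc=None, cnonce=None):
    """Client side: response = MD5(HA1:nonce[:nc:cnonce:qop]:HA2), HA1 = MD5(user:realm:pw), HA2 = MD5(method:uri)."""
    ha1 = _md5(f"{username}:{realm}:{password}")
    ha2 = _md5(f"{method}:{uri}")
    if qop == "auth":
        return _md5(f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")
    return _md5(f"{ha1}:{nonce}:{ha2}")


def client_authorization(username, password, chal, method, request_uri, nc="00000001"):
    """Build the Authorization parameters a UA sends after a 401 challenge."""
    cnonce = secrets.token_hex(8)
    response = digest_response(username, chal["realm"], password, method, request_uri,
                               chal["nonce"], "auth", nc, cnonce)
    return {"username": username, "realm": chal["realm"], "nonce": chal["nonce"],
            "uri": request_uri, "qop": "auth", "nc": nc, "cnonce": cnonce, "response": response}


class Registrar:
    """Server side. Stores HA1 rather than passwords; nonces are single-use and expire."""
    NONCE_TTL = 60.0

    def __init__(self, realm, users):
        self.realm = realm
        self.ha1 = {u: _md5(f"{u}:{realm}:{pw}") for u, pw in users.items()}
        self.nonces = {}  # nonce -> expiry time

    def challenge(self, now):
        """WWW-Authenticate parameters for the 401 response."""
        nonce = secrets.token_hex(16)
        self.nonces[nonce] = now + self.NONCE_TTL
        return {"realm": self.realm, "nonce": nonce, "qop": "auth", "algorithm": "MD5"}

    def verify(self, creds, method, request_uri, aor_user, now):
        """aor_user is the user part of the To header, i.e. the AoR the REGISTER wants to bind."""
        expiry = self.nonces.pop(creds.get("nonce"), None)  # pop: a replayed nonce is already gone
        if expiry is None or now > expiry:
            return False
        if creds.get("realm") != self.realm or creds.get("qop") != "auth":
            return False
        if creds.get("uri") != request_uri:                  # digest-uri must match the Request-URI
            return False
        # REGISTER control: alice's credentials must not bind contacts for bob's AoR.
        if creds.get("username") != aor_user:
            return False
        ha1 = self.ha1.get(creds.get("username"))
        if ha1 is None:
            return False
        ha2 = _md5(f"{method}:{request_uri}")
        expected = _md5(f"{ha1}:{creds['nonce']}:{creds.get('nc')}:{creds.get('cnonce')}:auth:{ha2}")
        return hmac.compare_digest(expected, creds.get("response", ""))


def demo():
    """One good registration and four failure modes; returns the verdicts."""
    reg = Registrar("example.com", {"alice": "correct-horse-battery"})  # constructed credentials
    uri, t, out = "sip:example.com", 1000.0, {}
    chal = reg.challenge(t)
    creds = client_authorization("alice", "correct-horse-battery", chal, "REGISTER", uri)
    out["good"] = reg.verify(creds, "REGISTER", uri, "alice", t + 1)
    out["replayed_nonce"] = reg.verify(creds, "REGISTER", uri, "alice", t + 2)
    chal = reg.challenge(t)
    creds = client_authorization("alice", "wrong-password", chal, "REGISTER", uri)
    out["wrong_password"] = reg.verify(creds, "REGISTER", uri, "alice", t + 1)
    chal = reg.challenge(t)
    creds = client_authorization("alice", "correct-horse-battery", chal, "REGISTER", uri)
    out["hijack_other_aor"] = reg.verify(creds, "REGISTER", uri, "bob", t + 1)
    chal = reg.challenge(t)
    creds = client_authorization("alice", "correct-horse-battery", chal, "REGISTER", uri)
    out["stale_nonce"] = reg.verify(creds, "REGISTER", uri, "alice", t + 120)
    return out


if __name__ == "__main__":
    print(demo())
```

Only the first verdict is True. Two caveats a practitioner would want: Digest keeps the password off the wire but authenticates nothing else in the message, and MD5 makes it cheap to brute-force a captured response offline, so the registrar's nonce discipline above is a floor, not a substitute for carrying the signaling over SIPS/TLS as the distributed-model slide below calls for.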
P2P Model
Advantages
• True IP-to-IP (as well as potentially IP-to-PSTN connectivity)
• Potentially free and unrestricted for IP-to-IP
• Cost
Disadvantages
• Not appropriate for Enterprises with controls on security/privacy
• Implemented today as another closed network
• Skype authentication network would appear to be a single point of failure
• Current implementations are not open standards, therefore restricted and unknown security
Depending on viewpoint…
• Very difficult to block
Ref: http://arxiv.org/ftp/cs/papers/0412/0412017.pdf
Distributed SIP Model
Advantages
• True “Internet Communication”
• Sophisticated SIP gateways with session control capabilities
• Reliable media streams
• Server-based presence agents
• Session border control capabilities allow for content scanning, policy control (such as being able to enforce SIPS and SRTP)
Disadvantages
• Predictable addressing leads to same problems of spam
• Depending on your point of view, greater possibility of stream interception at gateway choke points (as compared to P2P)
-> Begins to look a whole lot like email today
Evolutionary Path for Internet Communications?
• Current IM and “free VoIP” model is similar to that of the PSTN
phone network – centralized services providing end-user
accounts
• VoIP as a form of Internet Communications is far more powerful –
distributed, open, interoperable with many servers/clients
• Ultimately – will look more like email does today?
• Move from IP-to-PSTN/PSTN-to-IP to end-to-end, IP-to-IP
• Trend towards distributed services out towards end-points
(domain/DNS-based, maybe true P2P)
• WiFi/WiMAX phones may provide the last mile for end-to-end
Conclusion: SIP/RTP must be implemented according to the standards and architectural best practices so that it can be opened up at the gateway points
Implications of Distributed VoIP
• Recipients must be given tools to manage accessibility and risks
• Strong requirements for user and domain-level authentication and, ultimately, reputation services
• Requirements for relay protections, content filtering, gateway policies, anti-spoofing, lawful intercept
• Protection against DDoS; IP-based restrictions (RBLs, blacklists, whitelists)
• User-based rules for protection
• Requirements for HA, clustering, and QOS
• Less reliance/dependence on service providers (acting as oligopolies)
• Policy management through sophisticated SIP gateway controls
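Several of the requirements above (anti-spoofing, relay protection, RBLs, whitelists, DDoS limiting) are gateway policy decisions taken on each inbound request before it is routed, exactly as an email MX does today. The following is an added example, not code from the slides or from CommuniGate: a small policy engine run over constructed INVITEs. The blocklist, allowlist, local domain and rate limit are made-up configuration, the `authenticated` flag stands in for a Digest or TLS identity established earlier (it is not derived from the message here), and the verdict strings are this example's own shorthand for the 403/503 responses the gateway would send.

```python
"""Inbound SIP gateway policy: RBL, anti-spoofing, relay protection, INVITE rate limiting."""
import ipaddress
import re
from collections import defaultdict, deque

# Policy data, constructed for this example; a real gateway loads these from config/feeds.
LOCAL_DOMAINS = {"example.com"}                                 # domains this gateway serves
RBL = [ipaddress.ip_network("203.0.113.0/24")]                 # stand-in for a reputation blocklist
ALLOWLIST = {ipaddress.ip_address("203.0.113.200")}            # trusted peer; overrides RBL and rate limit
RATE_LIMIT, WINDOW = 3, 10.0                                    # max INVITEs per source per window (seconds)

URI_RE = re.compile(r"sips?:(?:[^@>\s]+@)?([^;>\s]+)")


def header(msg, name):
    """First value of a header, or '' if absent (CRLF line endings)."""
    m = re.search(rf"^{re.escape(name)}\s*:\s*(.*)$", msg, re.IGNORECASE | re.MULTILINE)
    return m.group(1).strip() if m else ""


def uri_domain(field):
    """Host part of the first sip:/sips: URI in a header value or request line."""
    m = URI_RE.search(field)
    return m.group(1).split(":")[0].lower() if m else ""


class Gateway:
    def __init__(self):
        self.recent = defaultdict(deque)   # source IP -> timestamps of recent INVITEs

    def decide(self, src_ip, msg, authenticated, now):
        """authenticated: the sender already proved a local identity (Digest/TLS); assumed input here."""
        ip = ipaddress.ip_address(src_ip)
        trusted = ip in ALLOWLIST
        if not trusted and any(ip in net for net in RBL):
            return "REJECT 403", "source address on blocklist"
        method = msg.split(" ", 1)[0]
        req_domain = uri_domain(msg.split("\r\n", 1)[0])        # Request-URI is what gets routed
        from_domain = uri_domain(header(msg, "From"))
        # Anti-spoofing: nobody outside may claim one of our identities as caller.
        if from_domain in LOCAL_DOMAINS and not authenticated:
            return "REJECT 403", "local caller identity asserted without authentication"
        # Relay protection: only our own users may send calls on to foreign domains.
        if req_domain not in LOCAL_DOMAINS and not authenticated:
            return "REJECT 403", "unauthenticated relay to foreign domain"
        if method == "INVITE" and not trusted:
            q = self.recent[ip]
            while q and now - q[0] > WINDOW:                    # drop timestamps outside the window
                q.popleft()
            q.append(now)
            if len(q) > RATE_LIMIT:
                return "REJECT 503", "INVITE rate limit exceeded"
        return "ACCEPT", "policy passed"


def invite(from_uri, to_uri):
    """Minimal constructed INVITE (not a capture)."""
    return (f"INVITE {to_uri} SIP/2.0\r\n"
            "Via: SIP/2.0/UDP 192.0.2.1:5060;branch=z9hG4bKpolicy\r\n"
            f"From: <{from_uri}>;tag=1\r\n"
            f"To: <{to_uri}>\r\n"
            "Call-ID: policy-demo@192.0.2.1\r\n"
            "CSeq: 1 INVITE\r\n"
            "Content-Length: 0\r\n\r\n")


def run_samples():
    """Verdicts for a constructed mix of legitimate, abusive and bursty inbound requests."""
    gw = Gateway()
    inbound = invite("sip:carol@example.org", "sip:bob@example.com")
    cases = [
        ("192.0.2.50", inbound, False, 0.0),                                                  # legitimate federated call
        ("203.0.113.7", inbound, False, 1.0),                                                 # blocklisted source
        ("192.0.2.51", invite("sip:alice@example.com", "sip:bob@example.com"), False, 2.0),   # spoofed local From
        ("192.0.2.52", invite("sip:carol@example.org", "sip:dave@example.org"), False, 3.0),  # open-relay attempt
        ("192.0.2.60", invite("sip:alice@example.com", "sip:dave@example.org"), True, 4.0),   # authenticated user calls out
        ("203.0.113.200", inbound, False, 5.0),                                               # allowlisted peer inside RBL range
    ] + [("192.0.2.70", inbound, False, 10.0 + i) for i in range(4)]                          # burst from one source
    return [gw.decide(ip, msg, auth, now)[0] for ip, msg, auth, now in cases]


if __name__ == "__main__":
    for verdict in run_samples():
        print(verdict)
```

The fourth INVITE in the burst is the one that trips the limit; the allowlisted peer is exempt from both the blocklist and the limiter but still cannot spoof a local identity or relay, which is the order of precedence a gateway operator usually wants.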
Challenges of Implementing VoIP/SIP
• SIP protocol still in rolling development
• Many vendors adding non-standard methods that don’t
always interop
• QOS and bandwidth issues, lost/out-of-order packets
• Power over Ethernet (PoE) not widespread
• Each SIP end-user device may state its own presence
• “Near-end” and “Far-end” NAT traversal
• Little policy/compliance for end-to-end data transfer
• Scalability & HA of VoIP infrastructure
• Emergency procedures (911)
• Security challenges (data capture, MITM, DDoS, virus?,
encryption not commonly used)
• CALEA – capturing end-point data and media (though not
necessarily un-encrypted media)
Dynamic Cluster with SIP Farm
• Single-address for email, collaboration, and VoIP
• Email traffic can be separated from SIP Farm
• Consolidated Identity management but Frontends are “specialized”
• Protects voice QOS even in event of DDoS or spam
Implications of Presence & Availability
• Far more invasive to be receiving voice calls
unexpectedly than email/IM
• Requires assurance of identity in order to
make presence and availability decisions
• Presence could reveal vulnerabilities, and
must be granted granularly and selectively,
especially outside the protected environment
Total Converged Solution with CGP
CommuniGate Pro
• Complete SIP-based infrastructure and applications
• Personalized voice and data services for thousands of domains
• All-Active Dynamic Cluster for 99.999% uptime for Messaging and Real-time traffic
• CGP handles all SBC and NAT traversal functions
Super Cluster
• Cluster of Clusters
• Used for scaling when regions are desired or when limited by storage subsystem
• Capable of sharing mailboxes between Backend clusters
CGP is not a Closed System
• The closed-network model for VoIP will inevitably end
• No one ever needs to ask whether their system can send an email to Yahoo
• Insecure for business – relies on outside, often unknown vendors
• Susceptible to cost hikes
• Not based on standards
• Not a true “end-to-end” model for direct connectivity
• Not a real Internet model - based more on the PSTN of the past
CGP Embraces Open Standards
• Open, RFC-compliant standards ensure all users can communicate
• The distributed Internet model has been proven with email, and is inevitable with voice
• Businesses are empowered with the ability to define their security and privacy policies
• Service Providers can offer security and encryption as well as perform Lawful Interception
• All users can choose their own client for email, collaboration, and voice and still interoperate with one another
EdgeGate Services
• In a Dynamic Cluster, the CommuniGate Pro “Frontend Servers” handle most EdgeGate Services
• In the Core Server, all functions handled on the same server
• Built-in Connection flow control, SPF, Reverse Connect, and Session Border Control
• Third-party plugins provided to complete the anti-spam/anti-virus defense:
  - Mailshell SpamCatcher
  - Cloudmark Authority
  - McAfee VirusScan
  - Sophos Virus Scanner
  - Kaspersky Virus Scanner
Massively Scalable Clustering for VoIP
[Diagram: signaling and media sessions fanned out across the cluster, with a Media Proxy in the media path]
HP-CommuniGate-Navtel VoIP Benchmark
VoIP Benchmark Results - Navtel
VoIP Benchmark Results - sipp