SIP Trunking - Ingate Systems
SIP Trunking Workshop
for Service Providers
With real life considerations and practical solutions for
offering SIP Trunks using Ingate and Intertex E-SBCs
The Ingate SIP Trunk-Unified Communications Summit
Karl Erik Ståhl
President and CTO, Intertex
Chairman and CTO, Ingate
© Intertex Data AB, Ingate Systems, February 2011
1
1. The Case for SIP Trunking
1:00pm-1:30pm
Moderator: None
Opening remarks and overview of the benefits of SIP trunking and UC for service providers, by Ingate Systems.
2
2. Delivering SIP to the Enterprise
1:30pm-2:30pm
Moderator: Maloff NetResults
1:30-1:35 Moderator
1:35-2:00 Broadvox
2:00-2:30 Intertex Data AB – Practical solutions
3
There is more to it…
[Diagram: PSTN – SIP Trunking Provider (SIP System) – SIP Trunk Interface – PBX with system phones]
Voice only, or Voice & Data on the pipe?
Internet or Private Pipe?
Quality Measures on the Pipe?
Delivery to just a PBX? … or to a UC LAN?
Is an E-SBC required? When?
Who provides/owns the E-SBC?
Just SIP Trunking of PBXs, or also Remote users and Hosted services?
Is there a (data) Firewall in the way?
4
This Would be Simple
[Diagram: Public Internet – SIP Trunking Provider Network (SIP System, PSTN) – SIP Trunk – IP-PBX – Data LAN / VoIP LAN]
5
But This is What We Want
[Diagram: Public Internet – SIP Trunking Provider (SIP System, PSTN) – Remote Users – Intertex IX78 – IP-PBX – Data & VoIP LAN – Soft Clients and Multimedia Terminals]
Intertex IX78: Demarcation point of service and bringing SIP communication to the LAN
6
So this is Not a Good Solution, at least not for a General Service
[Diagram: Public Internet – SIP Trunking Provider Network (SIP System, PSTN) – Managed SIP Trunk – IP-PBX – Data LAN / VoIP LAN]
No Remote Users!
Enterprise: Security Warning!
Provider: Security Warning!
Will Service Provider issue IP addresses to every Phone?
No Soft or Multimedia Clients!
UC?
7
And there is Often a Non SIP Capable Firewall in Place
[Diagram: SIP Trunking Provider (SIP System, PSTN) – Remote Users – SIParator® – IP-PBX – Data & VoIP LAN – Soft Clients and Multimedia Terminals]
Ingate/Intertex E-SBCs enable SIP based Live UC Across the Borders!
(SIP does not traverse ordinary NAT/Firewalls.)
8
And There are Different Types of PBXs to Consider
A Good E-SBC Should Provide:
1) NAT/Firewall Traversal – Must NAT to same address space!
2) Basic SIP and Network Interoperability – E.g. Authentication, Registrations, UDP/TLS/TCP, Dynamic IP address, etc.
3) SIP Repair – E.g. Call Transfer, Fragmented packets, Bugs, etc.
4) Features – E.g. Remote Users, Administration (remote and local)
5) Security – LAN/PBX/VoIP network protection, Service attack protection
[Diagram: PSTN – SIP Trunking Provider Network (SIP System) – SIP Trunk – IX78 – three PBX deployments, with Signaling and Media paths marked and the functions 1) to 5) each element provides: PBX Type 1 (IPPBX, VoIP & Data LAN); PBX Type 1.5 (PBX with system phones behind a SIP Trunk Interface, VoIP & Data LAN); PBX Type 2 (IPPBX, Data LAN only)]
Diagram note: Modern IP-PBXs are of this type. Media goes directly between phone and SIP Trunk.
Diagram note: Few PBXs are of this type. Asterisk with firewall (IPtables/NETfilter) can be compiled and configured this way, but requires a lot.
9
NAT & Firewalls are a Severe Infrastructure Problem…
A common Network and common Protocols changed our lives:
SMTP gave us global email!
HTTP gave us the Web!
NATs and Firewalls were designed to allow such protocols.
What about SIP for Live Person-to-Person Communication?
SIP does not traverse the common NATs and firewalls protecting the LANs.
[Diagram: Internet with email and web servers, IMS (SIP based), and LANs behind FWs]
© 2010 Intertex Data AB
10
Why are NATs and Firewalls Such Obstacles
Typical Internet protocol (SMTP, HTTP…): HOST – Internet – SERVER
SIP (and H.323…) connects Person-to-Person: PERSON – Internet – PERSON
Locate the person + Set up a session + Open real time media streams
SIP is the Protocol for IP Communication Person-to-Person, BUT IT DOES NOT REACH THE USERS!
11
Ordinary Voice IADs – Good for Telephony Replication…
Telephone ports (FXS) on the CPE are a popular way to deploy IP telephony. By logically placing the SIP clients on the outside of the NAT/Firewall, unreliable work-around methods like STUN, TURN and ICE become unnecessary. However, this only gives POTS replication, often even stopping general SIP based services!
[Diagram: Internet – IAD with FXS telephone ports]
The 5060 SIP-port is just grabbed on the outside to the FXS ports!
Lower level SIP ALGs often cause problems and do not handle more than basic scenarios.
Often problems with, or total lack of:
• SIP to the LAN or WiFi
• Calls between SIP clients on LAN
• Calls between internal ATA ports and LAN clients
• Call transfers, 3-party calls, etc.
• Using SIP generally over the Internet (Operator “took all the SIP”)
(Users must not be deprived of general SIP-functionality!)
© 2011 Intertex Data AB
12
Our CPEs are SIP Capable NAT/Router/Firewalls
[Diagram: IMS – Internet – SIP – CPE – wired or wireless SIP clients]
No battery draining of WiFi mobile phones, otherwise caused by keep-alive packets* inhibiting sleep mode.
* Work-around methods for SIP NAT-traversal like STUN, TURN, ICE and Far End NAT Traversal use frequent keep-alive packets to keep holes in the NAT/Firewall open.
Problems solved where they occur
Wired or wireless SIP clients (phones, soft clients, PDAs)
No special requirements on the SIP Client – Just standard SIP
All Intertex CPEs have a SIP Proxy based SIP aware Firewall/NAT
General, can handle complex call scenarios and all SIP services
Additional functionality available (SIP server, PBX functionality etc.)
13
QoS: Common VoIP and Data Pipe
[Diagram: Public Internet – SIP Trunking Provider (SIP System, PSTN) – E-SBC, also Data Firewall – IP-PBX – Data & VoIP LAN]
E-SBC also Data Firewall: Demarcation point of service and bringing SIP communication to the LAN
Using the Ingate or Intertex as the enterprise firewall allows both prioritization and traffic shaping.
14
QoS: Separate VoIP Pipe in Parallel with Data
[Diagram: Public Internet in parallel with a separate SIP Trunking Provider pipe (SIP System, PSTN) – E-SBC SIParator® – IP-PBX – Data & VoIP LAN]
E-SBC SIParator®: Demarcation point of service and bringing SIP communication to the LAN
No prioritization or traffic shaping to be done by the E-SBC. But get a good pipe!
15
QoS: Common VoIP and Data Pipe with Firewall
[Diagram, left: PSTN – Public Internet – SIP Trunk Provider (SIP System) – existing NAT/Firewall (non SIP aware) with the SIParator® as Bridge – IPPBX – Data & VoIP LAN]
If common IP pipe, the existing firewall must restrict bandwidth usage to allow sufficient voice bandwidth. Often problematic.
[Diagram, right: PSTN – Public Internet – SIP Trunk Provider (SIP System) – WAN – SIParator® – IPPBX – Data & VoIP LAN]
WAN SIParator mode allows the Ingate or Intertex to control data usage on the Pipe to assure sufficient voice bandwidth!
16
Advanced QoS Configurations for Ingate
At a detailed level, for SIP and other traffic
17
Intertex IX78 Smart QoS Defaults
For traffic shaping, just fill in your bandwidth! (For internal ADSL it is mostly automatic.)
Data will be pushed back in favor of voice to keep the used bandwidth within the limit.
And for a specific SIP Trunk provider one can select for the voice:
18
Carriers having Quality Separated Triple Networks can Preferably Reuse Those for SIP Trunking. Clouds may be Private or Globally Routable.
[Diagram: three carrier architectures, each carrying Internet, IP-TV, VoD and IMS/VoIP clouds to the customer: ADSL Private Virtual Circuits (PVC1, PVC2, PVC3); Ethernet Virtual LANs (VLAN1, VLAN2, VLAN3); IP QoS Separated Subnets with IP Level QoS over ADSL or Ethernet (WAN1, WAN2, WAN3 at Priority1, Priority2, Priority3). Example carriers named: Telia, B2, BT]
The Intertex IX78 Supports All of these Architectures!
19
On Telia’s (Sweden’s Incumbent Telco) Network, the IX78 Delivers a Multimedia LAN, Ready for UC PBXs, Hosted Services and End-to-End SIP Services
[Diagram: Internet, IMS, TR-069, VoIP, IP-TV and VoD services, over VLANs or ADSL Virtual Circuits and over the Internet, into The Multimedia LAN with WiFi, IPPBX, Telepresence and PDA]
All services must be available to multimedia terminals! – Over controlled high QoS pipes as well as over the Internet. Application Innovation Requires it!
20
3. The Value of a Service Provider Demarcation Point
2:30pm-3:30pm
Moderator: Maloff NetResults
2:30-2:35 Moderator
2:35-3:00 EarthLink Business
3:00-3:30 Intertex Data AB – Practical solutions
21
Service Provider Demarcation Point
[Diagram: PSTN – Public Internet – SIP Trunk Provider (SIP System) – IP Access – Service Provider’s Demarcation Point – IPPBX – Data & VoIP LAN]
THE POINTS
Delivery of Service: To a PBX or UC LAN
Provisioning, Definition of Service: Installation, Configuration, CAC
Monitoring: Network performance, QoS MOS
Management: Support, Debugging, Upgrade
Billing – Why not? Here we know what is going on!
22
The Role of the E-SBC
To get SIP Trunking working:
SIP NAT/Firewall Traversal – Must NAT SIP to the protected private address space!
Basic SIP and Network Interoperability – E.g. Authentication, Registrations, UDP/TLS/TCP, Dynamic IP address, etc.
SIP Repair – E.g. Call Transfer, Fragmented packets, Bugs, etc.
But don’t forget:
Security – LAN/PBX/VoIP network protection, Service attack protection
QoS – Quality of Services – Requirements depending on IP delivery and firewall
Features – E.g. Remote Users, Administration (remote and local)
Provisioning, Monitoring, Management
23
All Types of PBXs Have to be Supported
A Good E-SBC Should Provide:
1) NAT/Firewall Traversal – Must NAT to same address space!
2) Basic SIP and Network Interoperability – E.g. Authentication, Registrations, UDP/TLS/TCP, Dynamic IP address, etc.
3) SIP Repair – E.g. Call Transfer, Fragmented packets, Bugs, etc.
4) Features – E.g. Remote Users, Administration (remote and local)
5) Security – LAN/PBX/VoIP network protection, Service attack protection
[Diagram: PSTN – SIP Trunking Provider Network (SIP System) – SIP Trunk – IX78 – three PBX deployments, with Signaling and Media paths marked and the functions 1) to 5) each element provides: PBX Type 1 (IPPBX, VoIP & Data LAN); PBX Type 1.5 (PBX with system phones behind a SIP Trunk Interface, VoIP & Data LAN); PBX Type 2 (IPPBX, Data LAN only)]
Diagram note: Modern IP-PBXs are of this type. Media goes directly between phone and SIP Trunk.
Diagram note: Few PBXs are of this type. Asterisk with firewall (IPtables/NETfilter) can be compiled and configured this way, but requires a lot.
24
Also Important to Support Multimedia and UC Terminals and Remote Users in a Modern UC PBX Environment
[Diagram: Public Internet – SIP Trunking Provider (SIP System, PSTN) – Remote Users – Intertex IX78 – IP-PBX – Data & VoIP LAN – Soft Clients and Multimedia Terminals]
Intertex IX78: Demarcation point of service and bringing SIP communication to the LAN
25
Creating an Interface for ALL PBXs
Proxy Mode
IP-PBX talks to SIP System
Registration/Authentication model must match
Little configuration in the IX78
Service credentials in the PBX
B2BUA Mode (Proxy still doing the basics)
IP-PBX only talks to the IX78
Wider separation between PBX and SIP System
Service Credentials only in the IX78
More SIP Normalization possibilities (e.g. REFER)
Any new operator service platform only requires IX78 reconfiguration (the PBX configuration can remain)
[Diagram: IPPBX – IX78 – SIP System, in each mode]
26
Trunk-side Parameters
SIP Connect 1.1 can be setup (for any PBX)
Read-only value set by Service Provider (in some cases). Regulates customer’s monthly fee!
27
PBX-side Parameters
28
Registration, Call Routing, CallerID
SIP Connect 1.1 Setup
29
Trouble Shooting & Debugging – Network Status
30
Trouble Shooting & Debugging – Logging!
31
Trouble Shooting & Debugging – Internal SIP Log
32
Packet Captures
Creates a WireShark PCAP network trace
Network Interface Selection – All Interfaces
Start – Stop – Download
33
Monitoring - Call Quality Statistics
Internal Call Log, containing CDRs with Quality Statistics. Can be output via SYSLOG, RADIUS (Ingate) or to the management system iEMS (see later).
34
Management of the CPE / E-SBC
Provisioning, Configuration, Monitoring, Reporting, Upgrade, Logging, Debugging, Diagnostics, Support…
Experience:
• Existing management systems often difficult to change
• Resistance against touching what has been built over the years
• Remote GUI access to CPE often used
Requirements:
• Quite few functions and possibilities are actually used
• Alive, Configured, Upgrades, New configuration – A must!
• Often on wish list: Bad Sound (MOS) alarm, etc.
• EMS (instead of NMS) is a trend
Element Management System (EMS):
• Specially built for the Product
• Interfaces to OSS and Fault Management System at high level.
Intertex and Ingate EMS in progress – iEMS:
• Easy to program and interface to
• Highly scalable
35
Element Management System – The iEMS
Functions for Provisioning, Monitoring, Reporting, Diagnostics, Logging, Debugging, Support, Configuration and Upgrade. Available now with basic functionality.
Will handle both Ingate and Intertex Firewalls and SIParators.
Highly scalable, runs on PC servers under the Linux OS.
HTTPS/SOAP interface to the IX78. Can read and write all configuration parameters, as well as asynchronous reporting by the device (like SNMP traps).
Web based secure access to the iEMS. Customized portals for operators, installers and customers, for the purpose of administration, management and usage.
The iEMS has northbound interfaces for integrating with the operator’s OSS and Fault Management systems, using XML-RPC and/or SOAP.
36
iEMS – CDRs with Call Quality Metrics
37
iEMS Interfaces
[Diagram: OSS, Fault Management, etc. – Northbound API: XML-RPC (or SOAP), GET/SET/EVENTS – iEMS with WEB GUI and databases (DB DB DB) – Southbound API – WAN – CPEs]
Example setTrunk call on the northbound API:
<?xml version="1.0"?>
<methodCall>
<methodName>setTrunk</methodName>
<params><param><value><struct>
<member><name>version</name><value>1.0</value></member>
<member><name>ems</name><value><struct>
<member><name>username</name><value>installer</value></member>
<member><name>password</name><value>foobar123</value></member>
</struct></value></member>
<member><name>service</name><value><struct>
<member><name>registrar</name><value>sip.intertex.se</value></member>
<member><name>proxy</name><value>proxy.intertex.se</value></member>
</struct></value></member>
<member><name>trunk</name><value>
<array><data>
<value><struct>
<member><name>identity</name><value>5162809890</value></member>
<member><name>password</name><value>foobar</value></member>
</struct></value>
<value><struct>
<member><name>identity</name><value>5162809895</value></member>
<member><name>password</name><value>barfoo</value></member>
</struct></value>
</data></array>
</value></member>
</struct></value></param></params>
</methodCall>
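As an added example (not code from the slides, the iEMS or the IX78), the Python below builds a setTrunk call in the same member layout as the slide's XML and, on the receiving side, parses and validates such a call before anything is provisioned. Host names, identities and credentials are constructed placeholders, and the validation rules (exactly one struct parameter, only the four known members, digit-only trunk identities, non-empty passwords, plausible host names) are assumptions rather than the iEMS's own checks.

```python
import re
import xmlrpc.client

REQUIRED_TOP = {"version", "ems", "service", "trunk"}
HOSTNAME = re.compile(r"[A-Za-z0-9]([A-Za-z0-9-]*[A-Za-z0-9])?(\.[A-Za-z0-9]([A-Za-z0-9-]*[A-Za-z0-9])?)*")
DIGITS = re.compile(r"[0-9]+")


def build_set_trunk_call(ems_user, ems_password, registrar, proxy, trunks):
    """Serialise a setTrunk request as one struct parameter laid out like the slide's XML."""
    params = {
        "version": "1.0",
        "ems": {"username": ems_user, "password": ems_password},
        "service": {"registrar": registrar, "proxy": proxy},
        "trunk": [{"identity": ident, "password": pw} for ident, pw in trunks],
    }
    return xmlrpc.client.dumps((params,), methodname="setTrunk")


def validate_set_trunk_call(xml_text):
    """Parse an incoming setTrunk call; return (ok, problems) before anything is provisioned.

    Assumed policy (not the iEMS's documented checks): exactly one struct parameter,
    only the four known members, digit-only trunk identities, non-empty passwords
    and plausible host names for registrar and proxy.
    """
    problems = []
    try:
        params, method = xmlrpc.client.loads(xml_text)
    except Exception as exc:  # truncated XML, unknown value types, etc.
        return False, [f"unparseable request: {exc}"]
    if method != "setTrunk":
        return False, [f"unexpected method {method!r}"]
    if len(params) != 1 or not isinstance(params[0], dict):
        return False, ["expected exactly one struct parameter"]
    body = params[0]
    for name in sorted(REQUIRED_TOP - body.keys()):
        problems.append(f"missing member {name!r}")
    for name in sorted(body.keys() - REQUIRED_TOP):
        problems.append(f"unknown member {name!r}")
    if body.get("version") != "1.0":
        problems.append("unsupported version")
    ems = body.get("ems")
    if not isinstance(ems, dict) or not ems.get("username") or not ems.get("password"):
        problems.append("ems struct needs username and password")
    service = body.get("service")
    if not isinstance(service, dict):
        problems.append("service must be a struct")
    else:
        for field in ("registrar", "proxy"):
            host = service.get(field)
            if not isinstance(host, str) or not HOSTNAME.fullmatch(host):
                problems.append(f"service.{field} is not a valid host name")
    trunks = body.get("trunk")
    if not isinstance(trunks, list) or not trunks:
        problems.append("trunk must be a non-empty array")
    else:
        for i, entry in enumerate(trunks):
            if not isinstance(entry, dict) or set(entry) != {"identity", "password"}:
                problems.append(f"trunk[{i}] must have exactly identity and password")
                continue
            if not isinstance(entry["identity"], str) or not DIGITS.fullmatch(entry["identity"]):
                problems.append(f"trunk[{i}].identity must be digits only")
            if not entry["password"]:
                problems.append(f"trunk[{i}].password must not be empty")
    return not problems, problems


# Constructed sample in the slide's layout (an untyped <value> is a string in XML-RPC);
# hosts, identities and passwords are placeholders, not real provisioning data.
SAMPLE_CALL = """<?xml version="1.0"?>
<methodCall>
<methodName>setTrunk</methodName>
<params><param><value><struct>
<member><name>version</name><value>1.0</value></member>
<member><name>ems</name><value><struct>
<member><name>username</name><value>installer</value></member>
<member><name>password</name><value>ems-placeholder</value></member>
</struct></value></member>
<member><name>service</name><value><struct>
<member><name>registrar</name><value>sip.example.invalid</value></member>
<member><name>proxy</name><value>proxy.example.invalid</value></member>
</struct></value></member>
<member><name>trunk</name><value><array><data>
<value><struct>
<member><name>identity</name><value>5550100</value></member>
<member><name>password</name><value>trunk-placeholder</value></member>
</struct></value>
</data></array></value></member>
</struct></value></param></params>
</methodCall>
"""

if __name__ == "__main__":
    print(validate_set_trunk_call(SAMPLE_CALL))
```

The EMS and trunk passwords travel in clear text inside the XML body, so confidentiality comes only from the transport (the slides name HTTPS for the IX78 interface and web based secure access for the iEMS); a validator like this belongs on the receiving side of that channel, in front of whatever applies the configuration.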
38
SIP Trunking Made Easy
Installation Wizard
39
SIP Trunk-UC Workshop
Startup Tool – Network Topology
Assign IP Addresses; the tool will config the Ingate.
Select the deployment according to the picture.
Status Information, helpful for troubleshooting.
40
SIP Trunk-UC Workshop
Startup Tool – IP-PBX Selection
Select IP-PBX Vendor and Model.
Assign the IP-PBX IP Address.
Assign the IP-PBX Domain (if required).
For every IP-PBX vendor on the List, Ingate has captured the programming requirements to ensure quick and easy config.
Status Information, helpful for troubleshooting.
41
SIP Trunk-UC Workshop
Startup Tool – ITSP Selection
Select ITSP Vendor.
For every ITSP vendor on the List, Ingate has captured the programming requirements to ensure quick and easy config.
User Account Information, DID Assignment and Registration Authentication.
Assign the ITSP IP Address.
Status Information, helpful for troubleshooting.
42
4. Ensuring Interoperability – The Key to Service Revenue Growth
3:30pm-4:30pm
Moderator: Maloff NetResults
3:30-3:35 Moderator
3:35-3:50 Bandwidth.com
4:00-4:30 Intertex Data AB – Practical solutions
43
PBX and ITSP Interoperability
Large variation among PBXs
Even larger variation towards ITSPs
“SIP Connect” recommendation by SIP Forum … helps and improves, but is not implemented yet.
Installation tools
IX78 Wizard live demo
Ingate Start UP Tool – See Provision section!
44
Confirmed Interoperability: Ingate & Intertex
SIP Trunk Providers
360 Networks
Airespring
AT&T
BandTel
Bandwidth.com
Broadvox
BT (British Telecom)
Cablecom
Cbeyond
Cellip
Comm Partners
Cordia Corporation
Excel Switching
Gamma Telecom
Global Crossing
IP-Only
Nectart
Juma Networks
Level 3
Netlogic
Nexvortex
Nuvox
O1
Paetec
Primus
RNK Telecom
TDC
Telavox
Tele2
Tele Pacific
Teletek
Telia
Toplink
Tritel
VoEX
Voice Flex
VoIP Unlimited
Voxbone
Voxitas
XeloQ
More in pipeline.....
Carrier Equipment
Acme Packet
Broadsoft
NexPoint
Sonus
Sylantro
SER
More in pipeline.....
(Compliant with SIP Trunk – already interoperate with most)
IP-PBXs
3Com
Aastra
Aastra MX One
Digium/Asterisk
Avaya IP Office
Avaya SES/CM
Avaya QE
Brekeke
Broadsoft
Cisco Call Manager
Ericsson MX-One
Fonality
Innovaphone
Interactive Intelligence
Iwatsu
LG Nortel
Microsoft
Mitel
NEC / Sphere
Nortel BCM
Nortel SCS
Objectworld
Panasonic
Pingtel
Samsung
SER
Shoretel
Siemens 8000
SIP-Gear
Sonus
Sphere Communications
Swyx
More in pipeline....
45
Is there a SIP Connect Compliant IP-PBX + ITSP?
If any, the E-SBC could just be a SIP proxy, with only simple network setup, and perform:
NAT / Firewall traversal
QoS (Quality of Service)
SIP Security (Attack Protection)
Monitoring and Debugging
Ingate & Intertex E-SBCs can be SIP Connect towards the ITSP, but specific towards the PBXs
Ingate & Intertex E-SBCs can be SIP Connect towards the PBXs, but specific towards the ITSP
But usually, we have to be specific to both the ITSP and the PBX
46
Trunk-side Parameters
SIP Connect 1.1 can be setup (for any PBX)
47
PBX-side Parameters
48
Registration, Call Routing, CallerID
SIP Connect 1.1 Setup
49
If More is Required – There is plenty...
50
... and More
51
... and if that is not enough
There is Generic Header Manipulation
E.g. add Diversion header:
sip:[email protected]?Diversion=%3csip%3a$(from.user)%40192.168.1.1%3e
To cope with not foreseen behavior
Can fix much – not all
Needs SIP expertise
How do we know what to configure and how to set it up?
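To show what the template above actually produces, here is an added Python example (not the IX78's implementation) that expands the slide's notation: the `?Diversion=...` part of the routed URI is a SIP URI header, `$(from.user)` is replaced by the user part of the From header, and the percent-encoding is decoded last so that `%3c`/`%3e` become the angle brackets. The INVITE, the host names and the limited variable set (only `from.user`) are constructed assumptions.

```python
import re
from urllib.parse import unquote

# "$(from.user)" in the slide's notation: the user part of the From URI.
# Only that variable is implemented here; the expander is an assumption, not the IX78's.
TEMPLATE_VAR = re.compile(r"\$\((\w+)\.(\w+)\)")
FROM_USER = re.compile(r"^From:[^\r\n]*?<?sips?:([^@>;\s]+)@", re.IGNORECASE | re.MULTILINE)


def expand_header(sip_request: str, uri_header: str) -> str:
    """Turn one 'Name=percent-encoded-template' URI header into a 'Name: value' line."""
    name, sep, encoded = uri_header.partition("=")
    if not sep or not name:
        raise ValueError(f"malformed URI header {uri_header!r}")
    match = FROM_USER.search(sip_request)
    variables = {("from", "user"): match.group(1) if match else None}

    def substitute(m):
        key = (m.group(1).lower(), m.group(2).lower())
        value = variables.get(key)
        if value is None:
            raise ValueError(f"cannot expand {m.group(0)}")
        return value

    # Expand first, then percent-decode, so %3c / %3e become the angle brackets.
    return f"{name}: {unquote(TEMPLATE_VAR.sub(substitute, encoded))}"


def apply_uri_headers(sip_request: str, routed_uri: str) -> str:
    """Rewrite the Request-URI to routed_uri minus its ?headers and add each header to the message."""
    base_uri, _, header_part = routed_uri.partition("?")
    new_lines = [expand_header(sip_request, h) for h in header_part.split("&") if h]
    request_line, _, rest = sip_request.partition("\r\n")
    method = request_line.split(" ", 1)[0]
    head, end_of_headers, body = rest.partition("\r\n\r\n")
    if not end_of_headers:
        raise ValueError("no end of headers in request")
    head = "".join([head] + ["\r\n" + line for line in new_lines])
    return f"{method} {base_uri} SIP/2.0\r\n{head}{end_of_headers}{body}"


# Constructed INVITE from a LAN phone, not a captured message.
SAMPLE_INVITE = "\r\n".join([
    "INVITE sip:5551234@pbx.example.invalid SIP/2.0",
    "Via: SIP/2.0/UDP 10.1.1.5;branch=z9hG4bK-1",
    'From: "Alice" <sip:alice@10.1.1.5>;tag=a1',
    "To: <sip:5551234@pbx.example.invalid>",
    "Call-ID: 1@10.1.1.5",
    "CSeq: 1 INVITE",
    "Content-Length: 0",
]) + "\r\n\r\n"

# The slide's template with a placeholder host in place of the slide's address.
SAMPLE_ROUTE = "sip:5551234@pbx.example.invalid?Diversion=%3csip%3a$(from.user)%40192.168.1.1%3e"

if __name__ == "__main__":
    print(apply_uri_headers(SAMPLE_INVITE, SAMPLE_ROUTE))
```

On the sample INVITE this yields the line `Diversion: <sip:alice@192.168.1.1>` appended to the headers; the expander refuses unknown variables rather than passing them through, so a typo in a template fails loudly instead of leaking the literal `$(...)` text towards the trunk.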
52
Roll-out and Maintenance
Ease and security of roll-out and maintenance are main Service Provider concerns
Initial configuration
SIP Trunking requires input from 3 “places”
• Numbers and credentials from Service Provider
• Information/Knowledge about the PBX and ITSP
• Information about the customer network and setup
More complex than usual
• And all compiled at installation time
Upgrades
New configuration
Exchange of hardware
53
Ingate has the Startup Tool for a very wide variety of PBXs and ITSPs
“Out of the Box” setup and commissioning of the Firewall and SIParator products
Update current configuration
Product Registration and unit Upgrades, including Software and Licenses.
Automatic selection of ITSP and IP-PBX
Backup of Startup Tool database
Located at www.ingate.com FREE!
54
For Volume Deployment there Must be Provisioning
The IX78 has Several Provisioning Methods
Web Wizard adapted to Provider’s Trunk Service
• No Provider integration needed
• Installer inputs trunk side and PBX side data
Configuration fetched from Provider’s Web Server
• Configuration, Upgrades, Licenses
• At boot, by timer, or by kick (on request)
• Installer runs small Wizard for PBX side
Via Element Management System: iEMS
• Provider inputs Trunk Data manually or automatically via OSS (via XML-RPC or SOAP)
• IX78 connects automatically
• Installer runs small Wizard for PBX side
Or a combination can be used (on request)
In the two latter methods, URLs to the Provider’s provisioning server and iEMS are preloaded in the IX78, or fetched via DHCP.
55
The SIP Trunking Configuration Wizard
5. Addressing Security Issues
4:30pm-5:30pm
Moderator: Maloff NetResults
4:30-4:35 Moderator
4:35-5:00 Ingate – Presenting a case study.
5:00-5:30 Intertex Data AB – Practical solutions
57
Security
Privacy – little concern today
Theft of Service & Toll Fraud
Denial of Service (DoS)
Protecting the PBX
Protecting the Service Provider
58
Privacy – Similar to PSTN
SIP Trunking and SIP UC can be more private than traditional PSTN solutions (POTS and PRI)
Compromising Privacy of POTS and PRI requires physical presence, and these are never encrypted
SIP signalling and media rarely encrypted, but can be
59
Signaling Encryption
TLS is Transport Layer encryption and certificate check
Both Ingate and Intertex E-SBCs can transcode between UDP, TCP and TLS for any call
60
Privacy – Media
SRTP is encryption of the media (voice)
The Ingate E-SBCs can transcode between RTP (in the clear) and SRTP (encrypted) media
61
Theft of Service & Toll Fraud
What is Theft of Service? (or Intrusion of Service)
A Third Party attempting to defraud either the Enterprise or the Carrier
Devices attempting to “spoof” a Client device in an attempt to look like an extension (or enterprise) and gain services directly
62
Theft of Service & Toll Fraud
Now a Real World Problem
But only a Problem when:
Authentication is not used. There are:
• Digest Authentication (password)
• IP address – Relies on that packets must return to the caller
• MTLS (TLS is not sufficient)
The Caller must be authenticated
Too weak passwords are used
• Most common cause!
• Typical 1234, admin, demo, test or the extension number
The methods are good – The usage may be poor..
63
Trend for Theft Protection
Service providers provision the credentials for their service, so the customer never sees them.
Service Providers are starting to own CPE edge equipment (E-SBCs) and provision the security credentials for their own access to that CPE.
64
IX78 Preventing Unauthorized Usage
Simple General Default Configuration in the Intertex IX78
Remote users to the PBX can be authenticated by the IX78 (also)
65
Allowed Usage of the SIP Trunk
66
Protection Against Password Guessing
Brute Force Attack Protection
Attackers are nowadays trying to find simple passwords by brute force testing. 10 – 100 trials/second have been seen (e.g. SipVicious / friendly-scanner).
After 3 trials we pretend all attempts are wrong, so the correct one is never found.
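The two points of the last slides, weak passwords as the most common cause and the IX78's rule of treating every attempt as wrong after three failures, as an added Python example that is not Intertex's or Ingate's implementation: a provisioning-time weak-password check, SIP Digest verification, and a guard that keeps answering "wrong" to a locked-out source even when the response is correct. Keying the lockout on the source address and letting it expire after a configurable time are assumptions, since the slide states neither; the realm, extension, addresses and credentials are constructed.

```python
import hashlib
import hmac
from collections import defaultdict

# Passwords the slide names as typical weak choices; the extension number is checked separately.
WEAK_PASSWORDS = {"1234", "admin", "demo", "test"}


def is_weak_password(extension: str, password: str) -> bool:
    """Provisioning-time check: reject the slide's usual suspects, the extension itself and very short secrets."""
    p = password.strip().lower()
    return p in WEAK_PASSWORDS or p == extension.strip().lower() or len(p) < 8


def digest_response(user, realm, password, method, uri, nonce):
    """SIP Digest response (RFC 2617 MD5 without qop): MD5(HA1 ':' nonce ':' HA2)."""
    ha1 = hashlib.md5(f"{user}:{realm}:{password}".encode()).hexdigest()
    ha2 = hashlib.md5(f"{method}:{uri}".encode()).hexdigest()
    return hashlib.md5(f"{ha1}:{nonce}:{ha2}".encode()).hexdigest()


class AuthGuard:
    """Verify Digest responses and, after max_failures misses from one source address, answer
    'wrong' to everything from that address for lockout_seconds, including a correct response
    (the slide's rule). Keying on source IP and the lockout length are assumptions."""

    def __init__(self, credentials, realm, max_failures=3, lockout_seconds=600.0):
        self.credentials = credentials          # {user: password}
        self.realm = realm
        self.max_failures = max_failures
        self.lockout_seconds = lockout_seconds
        self.failures = defaultdict(int)        # source ip -> consecutive misses
        self.locked_until = {}                  # source ip -> time the lockout ends

    def check(self, src_ip, user, method, uri, nonce, response, now):
        """True only if the response is right AND the source is not locked out."""
        if self.locked_until.get(src_ip, float("-inf")) > now:
            return False  # locked: never confirm a guess, right or wrong
        password = self.credentials.get(user)
        # Computed even for unknown users so timing does not reveal valid user names.
        expected = digest_response(user, self.realm, password or "", method, uri, nonce)
        if password is not None and hmac.compare_digest(expected, response):
            self.failures[src_ip] = 0
            return True
        self.failures[src_ip] += 1
        if self.failures[src_ip] >= self.max_failures:
            self.locked_until[src_ip] = now + self.lockout_seconds
            self.failures[src_ip] = 0
        return False


# Constructed scenario: one extension, one guessing source, one legitimate source.
DEMO_REALM = "sip.example.invalid"
DEMO_URI = "sip:sip.example.invalid"


def demo_sequence():
    """Replay the slide's scenario against one guard; returns its answers in order."""
    guard = AuthGuard({"201": "c0rrect-h0rse-2011"}, DEMO_REALM)
    right = digest_response("201", DEMO_REALM, "c0rrect-h0rse-2011", "REGISTER", DEMO_URI, "n1")
    wrong = digest_response("201", DEMO_REALM, "1234", "REGISTER", DEMO_URI, "n1")
    args = ("201", "REGISTER", DEMO_URI, "n1")
    return [
        guard.check("10.0.0.9", *args, right, 0.0),     # genuine registration succeeds
        guard.check("10.0.0.9", *args, wrong, 1.0),     # three guesses...
        guard.check("10.0.0.9", *args, wrong, 1.1),
        guard.check("10.0.0.9", *args, wrong, 1.2),     # ...the third triggers the lockout
        guard.check("10.0.0.9", *args, right, 2.0),     # correct response now refused
        guard.check("10.0.0.10", *args, right, 2.0),    # another source is unaffected
        guard.check("10.0.0.9", *args, right, 602.0),   # lockout (600 s) has expired
    ]


if __name__ == "__main__":
    print(demo_sequence())
```

The sequence returns `[True, False, False, False, False, True, True]`: once the third miss has been seen, a correct response from the same source is refused until the lockout expires, which is what denies a scanner the confirmation it is looking for. The weak-password check belongs where credentials are provisioned, not in the request path.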
67
Denial of Service (DoS)
What is Denial of Service?
A Third Party makes a communications resource unavailable to its intended users
Generally consists of the concerted efforts to prevent SIP communications service from functioning efficiently or at all, temporarily or indefinitely
One common method of attack involves saturating the target (victim) IP-PBX with external communications requests, such that it cannot respond to legitimate traffic, or responds so slowly as to be rendered effectively unavailable
68
Denial of Service
Nowadays Real DoS Attacks are Occurring
Few pure DoS attacks, but scanning for open SIP servers and trying passwords (e.g. SIPvicious.org / friendly-scanner) may become a DoS attack.
Attacked SIP devices can simply choke from overload, when requesting authentication
Or SMB with limited IP bandwidth can have that consumed
Communication Servers have direct relationships with revenue and should be isolated from DoS
69
SIP DoS Detection and Prevention
Intrusion Detection System (IDS) for SIP
Intrusion Prevention System (IPS) for SIP
Ingate has an IDS / IPS system that identifies intrusions by examining network traffic.
Ingate is located at choke points in the network to be monitored, often in the demilitarized zone (DMZ) or at network borders/edges.
Ingate captures all SIP traffic and analyzes the content of individual packets for malicious traffic, which is then stopped.
70
Ingate SIP IDS/IPS: Attack Recognition
IDS/IPS – Rule Packs
Predefined Rule Packs (signatures) for filtering known industry DoS patterns specific for SIP applications
71
Ingate SIP IDS/IPS: Rate Limiting
SIP signaling rate limiting is generally effective
[Diagram: Untrusted Network – SIP Protocol Method, Response Code – Matching/Filtering Traffic Rate – Blacklist – Policy]
72
IX78 Preventing SIP DoS Attack
Signature Recognition
If the internal SIP proxy detects known signatures in SIP headers from attackers, it instructs the internal firewall to block the attacking IP address for 60 seconds. New signatures can be added manually or provisioned automatically.
SIP Rate Limiting:
If there are more than 20 SIP packets/second from the same IP address, the internal firewall blocks that IP address for 20 seconds and does not respond to that IP address until the SIP packet rate is below 3 packets/second.
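The two rules on this slide as an added Python example (not the IX78's code): a per-source guard that applies the slide's numbers, more than 20 SIP packets/second from one address blocks it for 20 seconds and keeps dropping until the rate is below 3 packets/second, and a known signature in the headers blocks the address for 60 seconds. The signature list (the User-Agent names the earlier slides mention), the sample messages and the choice to apply the "below 3 packets/second" resume condition to signature blocks as well are assumptions.

```python
import re
from collections import defaultdict, deque

# Header signatures to match; a constructed list (the slides name SIPVicious / friendly-scanner).
SCANNER_SIGNATURES = [
    re.compile(r"^User-Agent:\s*friendly-scanner", re.IGNORECASE | re.MULTILINE),
    re.compile(r"^User-Agent:\s*sipvicious", re.IGNORECASE | re.MULTILINE),
]


class SipDosGuard:
    """Per-source decisions for inbound SIP messages with the slide's numbers: more than
    burst_limit packets in the window blocks the source for block_seconds and keeps it
    blocked until its rate is below resume_below; a signature hit blocks it for
    signature_block_seconds (the rate condition is assumed to apply to that block too)."""

    def __init__(self, burst_limit=20, block_seconds=20.0, resume_below=3,
                 signature_block_seconds=60.0, window_seconds=1.0):
        self.burst_limit = burst_limit
        self.block_seconds = block_seconds
        self.resume_below = resume_below
        self.signature_block_seconds = signature_block_seconds
        self.window = window_seconds
        self.recent = defaultdict(deque)   # ip -> packet timestamps inside the window
        self.blocked_until = {}            # ip -> time the timed block ends

    def _rate(self, ip, now):
        """Record this packet and return the count seen from ip in the last window."""
        q = self.recent[ip]
        q.append(now)
        while q and q[0] <= now - self.window:
            q.popleft()
        return len(q)

    def inspect(self, ip, now, sip_message):
        """Return 'forward' or 'drop' for one message from ip at time now (seconds)."""
        rate = self._rate(ip, now)
        until = self.blocked_until.get(ip)
        if until is not None:
            if now < until or rate >= self.resume_below:
                return "drop"          # timed block running, or still hammering
            del self.blocked_until[ip]
        if any(sig.search(sip_message) for sig in SCANNER_SIGNATURES):
            self.blocked_until[ip] = now + self.signature_block_seconds
            return "drop"
        if rate > self.burst_limit:
            self.blocked_until[ip] = now + self.block_seconds
            return "drop"
        return "forward"


# Constructed messages, not captures.
LEGIT_OPTIONS = "OPTIONS sip:100@pbx.example.invalid SIP/2.0\r\nUser-Agent: desk-phone-1.0\r\n\r\n"
SCANNER_REGISTER = "REGISTER sip:pbx.example.invalid SIP/2.0\r\nUser-Agent: friendly-scanner\r\n\r\n"


def demo_sequence():
    """Replay a flooding source and a scanning source; returns (flood decisions, scan decisions)."""
    guard = SipDosGuard()
    flood = "203.0.113.7"
    burst = [guard.inspect(flood, i * 0.01, LEGIT_OPTIONS) for i in range(25)]  # 25 packets in 0.25 s
    burst.append(guard.inspect(flood, 10.0, LEGIT_OPTIONS))                       # inside the 20 s block
    burst += [guard.inspect(flood, t, LEGIT_OPTIONS) for t in (19.9, 19.95, 20.0, 20.05)]
    burst.append(guard.inspect(flood, 20.3, LEGIT_OPTIONS))   # block expired, but still 5 packets/s
    burst.append(guard.inspect(flood, 21.5, LEGIT_OPTIONS))   # rate below 3/s again
    scanner = "198.51.100.2"
    scan = [
        guard.inspect(scanner, 0.0, SCANNER_REGISTER),   # signature hit: 60 s block
        guard.inspect(scanner, 30.0, LEGIT_OPTIONS),     # still blocked
        guard.inspect(scanner, 61.0, LEGIT_OPTIONS),     # block over and rate low
    ]
    return burst, scan


if __name__ == "__main__":
    print(demo_sequence())
```

For the flooding source the first 20 packets are forwarded, the 21st trips the block, and everything is dropped until the 20 seconds have passed and the source has gone quiet; the scanning source is dropped on its first message because of the header signature. Packets are still counted while a source is blocked, since that count is what decides when the "below 3 packets/second" condition is met.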
73
Protecting the PBX and Carrier
SIP Protocol Packet Error Detection and Correction
SIP signaling is only passed through the internal SIP proxy in Ingate and Intertex products.
Malformed SIP Packets will not reach the PBXs or Service Providers from our side.
Standardized SIP Interface in both directions
74
6. Generating Revenue from HD Video
5:30pm-6:30pm
Moderator: Maloff NetResults
5:30-5:35 Moderator
5:35-6:00 UCIF – Polycom
6:00-6:30 Intertex Data AB – Reusing the E-SBC SIP trunking infrastructure.
75
Global Video Calling Using the E-SBC
Telco Opportunity: Video Calling
High Quality, Chargeable, Global Video Calling
Ready to go, using SIP Trunking Infrastructure
• High Quality (Telepresence) Video Calling
• Routed and Billed (CDRs produced) by the E-SBC
• Simple settlement free IP Peering between Telcos
76
What’s Special About Video Calling?
We have been building islands – again…
But there is no old Video PSTN to connect those together
However, there is a standard (SIP) and a network (Internet)
We have seen such video calls for a long time
What more is needed?
High quality – Telepresence; Guaranteed bandwidth and QoS?
Global; Not only within a company and not only within one carrier’s network
Telephone numbers (in addition to sip addresses)
Allow Telcos to Bill (being more than just Bandwidth Providers)?
77
There is a Solution!
Do More at the Enterprise Edge!
We can route here – The earlier the better
We can produce CDRs for billing here
We can do number resolution here (or the ITSP can do it)
The Good News:
Reuse the SIP Trunking infrastructure (using E-SBCs)
Simple peering between carriers
78
Reusing the SIP Trunking E-SBC
Telco owned E-SBCs are already used for (voice) SIP Trunking
Full operator control
Service provider’s demarcation point
Enables the SIP Trunking – Video is not different from voice for: NAT/Firewall traversal, PBX interoperability and Security
Reuse the same E-SBC for Video Calling!
In the Ingate and Intertex E-SBCs, it is all there:
Classify outgoing calls (as Video, HD voice or plain voice)
Assure right quality pipe and/or quality marking is used
Route the call directly to the other party (or
• Use ENUM (public or private) for E.164 number to SIP address resolution
• Only settlement free IP peering between operators required
• Can fallback to best effort IP peering (Internet) in operator network
Produce and deliver CDRs for each call
• Report Minutes and Data used
• Include video and voice quality metrics (including MOS scores)
• Deliver via Radius, Syslog, Management system (TR-069 informs) or method by choice
79
Simple For the Carrier
[Diagram: AT&T Internet and Qwest Internet, each with a QoS IP Network (MPLS); ENUM; a SIParator and an IX78 at the customer edges, each producing CDRs]
80
Quality Separated Networks Out to the Customer Edge is Not New
Widely Used for Triple Play Services
[Diagram: three carrier architectures, each carrying Internet, IP-TV, VoD and IMS/VoIP clouds to the customer: ADSL Private Virtual Circuits (PVC1, PVC2, PVC3); Ethernet Virtual LANs (VLAN1, VLAN2, VLAN3); IP QoS Separated Subnets with IP Level QoS over ADSL or Ethernet (WAN1, WAN2, WAN3 at Priority1, Priority2, Priority3). Example carriers named: Telia, B2, BT]
The Intertex IX78 Supports All of these Architectures!
81
iEMS – CDRs with Call Quality Metrics
82
For the Telcos To Do
Provide high quality IP pipes for Video and HD Voice (e.g. MPLS)
If on separate layer 2 networks for quality, still make them routable to the Internet (for fallback to “best effort peered” = Internet)
Enter users in ENUM (public or private) – E.164 numbers to SIP address resolution
Settlement Free Peering between carriers for high QoS IP networks – Just like for the Internet, now also for high quality IP network (e.g. by MPLS)
Deploy same CPEs (E-SBCs) as for SIP Trunking – Can also be general SIP enablers (at least Intertex’ and Ingate’s) for offering all types of SIP based services
Process the CDRs from the E-SBC as usual for Billing
83
What’s out there 1? - Cisco TIP
http://newsroom.cisco.com/dlls/2010/prod_012610.html
Telepresence Interoperability(?) Protocol (TIP)
“Cisco already supports H.323, which allows Cisco…”
Don’t we already have SIP, SDP, RTP, RTCP and Codec standards? …
And don’t they define interoperability far beyond Cisco?
Cisco, Cisco, Cisco – And what more?
84
What’s out there 2? – The IMS World
Fine – But when?
Stuck in its own complexity… Where is the Multimedia and Interoperability?
And the IMS world still has to find out how to reach the users on the fixed network, the LANs behind NATs and Firewalls – Or stay with POTSoIP on FXS-ports
A “OneVoice” initiative to create VoLTE: AT&T, Bell Canada, China Mobile, Deutsche Telekom/T-Mobile, KDDI, mobilkom austria, MTS, NTT DoCoMo, Orange, SKT, SoftBank, Telecom Italia, Telecom New Zealand, Telefónica, Telenor, TeliaSonera, Verizon Wireless, Vodafone, Acme Packet, Alcatel-Lucent, Aylus, Camiant, Cisco, Colibra, Communigate, Comneon, Ericsson, Fujitsu, Genband, Huawei, LG, Motorola, Movial, Mu, NEC, Nokia, Nokia Siemens Networks, Qualcomm, RADVISION, Samsung, Sony Ericsson and Tekelec
Isn’t VoIP already invented?
“OneVideo” initiative can be expected…
Until then: Route at the edge by the E-SBC!
E-SBC still needed to reach users on LAN and for UC PBX interoperability
The IMS can still be the SIP registrar and billing server…
85
What’s out there 3? Juniper, Polycom...
Juniper, Polycom forge telepresence, video conferencing alliance
http://www.zdnet.com/blog/btl/juniper-polycom-forge-telepresence-video-conferencing-alliance/29868
“a counterweight to Cisco Systems and its recent acquisition of Tandberg”
“optimize their platforms so service providers can offer video and telepresence cheaply. The argument: It’s cheaper for enterprises to deploy telepresence as a service from their network providers instead of building out their own networks.”
Sure!
A Polycom – Juniper solution: http://www.juniper.net/us/en/local/pdf/solutionbriefs/3510358-en.pdf
86
SIP Capable Firewalls and SIParators®
Thank You!
Ingate Systems Inc.
Intertex Data AB
www.ingate.com
Contact: Steve Johnson
[email protected]
sip:[email protected]
Tel: +1 603 883 6569
Mob: +1603 557 7918
www.intertex.se
Contact: Karl Stahl
[email protected]
sip:[email protected]
Tel: +46 8 12205629
Mob: +46 70 7254532
87