SIP Trunking for the Intermediate/Advanced Reseller

1
(No Transcript)
2
SIP Trunking for the Intermediate/Advanced
Reseller

• The SIP Connection From A to Z
• Presented by
• Pete Sandstrom, CTO BandTel
• Janne Magnusson, Director Operations Ingate

3
Advanced SIP Session Overview

• 1. Open Systems Interconnection Model (OSI) is
  more than a model
• Real-Time Protocol (RTP
• Real-Time Control Protocol (RTCP)
• 2. Quality of Service (QoS)
• IP Multi-Protocol Label Switching (MPLS)
• Peering for Performance
• 3. SIP Applications the reason for doing
  anything
• 4. SIP Security protecting what we have
• 5. SIP trunking CPE Architectures
• 6. The role of the ITSP provider performance

4
1. Open Systems Interconnection
(OSI)Understanding Where You Are
5
SIP is a Fully-Featured Protocol
6
RTP Carries SIP over UDP/IP/etc.
7
RTCP Reports on Traffic Conditions
Real-Time Control Protocol (RTCP) packets are
used to provide QoS measurement reports and other
information. The VoIP RTCP Extended Reports (XR)
Metrics Report Block (MRB) provides measurements
(metrics) for monitoring quality of VoIP calls
and conversations. These measurements include
packet loss and discard metrics, delay metrics,
analog metrics, and voice quality metrics.
8
2. QoS and the Internet

• The Economics of peering and why it works in
  North America
• Tier I/II space- It is over provisioned and it is
  Managed

9
QoS and the Internet The Economics of peering
and why it works in North America
IP NET
IP NET
NET A drops packets making the other to
retransmit, and lowers his overall throughput.
Thats lost revenue for B.
10
QoS and the Internet It is over provisioned and
managed
MPLS
MPLS
INTERNET
MPLS
MPLS
11
VoIP in Private and Public IP Space

• Local and remote phone stations in private space
• SIP trunking POPs in public space
• If MPLS then equipment costs are radically
  lowered.

12
IP-PBXs Migrate PBXs ITSPs Emerge
PTSN
IP PBX
GW
ITSP
SAFW
SIP Services
SIP-Aware FireWall (SAFW)
13
IP by Itself has No QoS
14
MPLS was Created to Provide QoS
15
3. SIP Trunking Basic Features

• SIP Trunking Applications
• Competes with and beats T1 trunking
• Event notification - disaster recovery options
• Add Bandwidth QoS and security provided via SAFW
  and or MPLS
• On demand N-way conferencing
• 411 Directory Assistance
• Enhanced 911 services Access
• Directory Listing
• Local and Inbound Calling
• Platform for personalized applications and rich
  media services

16
SIP Trunking Competes

• VoIP to compete economically, and beat, T1
  trunking to a TDM PBX.
• Hosted cant scale well and doesnt fit needs of
  the enterprise
• SIP trunking means X voice paths to Y stations
  where Y/X gt 1 generally the ratio would be 4
  trunks to 10 stations

17
SIP Trunking Feature - Conferencing
On demand business meetings, training, broadcast
announcements, call-to-meeting notifications,
even reverse 911 are enhanced with SIP trunking.
18
4. SIP Security Firewalls

• Before we explore viable architectures for SIP
  systems, lets understand one more critical
  concept.
• While SIP brings advancement in VoIP call
  connections, SIP faces the same security attacks
  as other IP protocols such as HTTP and SMTP such
  as malformed message attacks, SPIT-SPam over
  Internet Telephony, buffer overflow attacks,
  DOS-Denial-of Service attacks, eavesdropping,
  hijacking, injection of malicious RTP packets
  into existing RTP flows and other known and yet
  to be created attacks.
• In other words, special SIP firewall and other
  protection systems are recommended.

19
SIP Trunking Security and Reliability

• Need to Ensure Enterprise LAN is Correctly
  Designed for VoIP (i.e. a SIP-Aware Firewall
  Needs to be in Place)
• CPE Protection SIP-Aware Firewall that allows L5
  Security (i.e. no L2 pinholes)
• Require ITSP MD5 or IP Authentication for Account
  Authorization
• ITSP Should Split Media and Signaling to
  Different Redundant Locations, Making Taps
  Virtually Impossible
• ITSP Must Have Secure POPs That Can Fend Off all
  Outside Attacks
• - DOS (Denial of Service)
• - IP Spoofing
• - SPIT (Spam over Internet Telephony)

20
SIP Trunking Security and Reliability
HOT SPOTS
MPLS
INTERNET
DSL-CABLE MODEMS
21
Lets take a breakto understand how your
customermay see the project.
22
(No Transcript)
23
(No Transcript)
24
(No Transcript)
25
Now back to getting serious5. SIP trunking CPE
Architectures

• Type 1 Dedicated IP Pipe for VoIP
• Type 2 Merged MPLS-Pipe with LER Tagging VoIP
• Type 3 Merged IP pipe with SIP-Aware Firewall
  (SAFW)
• Type 4 Separate IP Pipe for VoIP with Existing
  Non-SIP Firewall and SIP-Aware Firewall (SOFW)
• Type 5 Merged IP Pipe with Incumbent
  Non-SIP-Aware Firewall, No DMZ Port and
  SIP-aware Firewall
• Type 6 Looks like Type 5 but Merged IP Pipe
  with Incumbent Non-SIP-Aware Firewall, No DMZ
  Port and SIP-Aware Firewall
• Type 7 Merged IP Pipe with Incumbent
  Non-SIP-Aware Firewall with a DMZ Port
• Type 8 Merged IP Pipe with Incumbent
  Non-SIP-Aware Firewall

26
Type 1 Dedicated IP Pipe for VoIP
1- The IP pipe is dedicated to VoIP so no QoS
arrangements are needed with the carrier. 2 - No
firewall is needed as there are no LAN
connections with other enterprise devices. 3 -
This is a common architecture for dedicated media
gateway deployments.
27
Type 2 Merged MPLS-Pipe with LER Tagging VoIP
1 VoIP and enterprise data share the same IP
pipe. MPLS tags the VoIP as the highest
priority via the LER-Label Edge Router. 2 The
SAFW handles all SIP addressing transformation
issues between the LAN and WAM demarc. 3
Architecture offers full QoS for VoIP. 4
Excellent utilization of IP pipe resources.
28
Type 3 Merged IP pipe with SIP-aware Firewall
(SAFW)
1 VoIP and bulk enterprise share the same IP
pipe. 2 The SAFW-SIP-Aware Firewall handles all
the QoS issues by prioritizing VoIP traffic over
the bulk enterprise network. 3 The SAFW handles
all SIP addressing transformation issues between
the LAN and WAM demarc. 4 Architecture offers
partial QoS for VoIP (no inbound UDP QoS). 5
Excellent utilization of IP pipe resources.
29
Type 4 Separate IP Pipe for VoIP with Existing
Non-SIP Firewall and SIP-Only Firewall (SOFW)
1 A separate IP pipe deployed for VoIP traffic
only. 2 QoS for VoIP realized by separating
VoIP and bulk traffic to separate IP pipe. 3
The SIP-Aware Firewall (SAFW) handles all SIP
addressing transformation issues between the LAN
and WAN demarc. 4 The SAFE configuration is
untouched and handles no VoIP traffic. 5 No
utilization of existing IP pipe for VoIP.
30
Type 5 Merged IP Pipe with Incumbent
Non-SIP-Aware Firewall, No DMZ Port and SIP-Aware
Firewall
1 VoIP and bulk enterprise share the same IP
pipe. 2 QoS is not realized for VoIP as there
is no single point to control traffic.
Excessive bandwidth is needed for VoIP to
function. 3 The SAFW handles all SIP addressing
transformation issues between the LAN and WAM
demarc. 4 The SAFE configuration is untouched
and handles no VoIP traffic. 5 Full utilization
of incumbent IP pipe for VoIP realized.
31
Type 6 Looks like Type 5 but Merged IP Pipe
with Incumbent Non-SIP-Aware Firewall, No DMZ
Port and SIP-Aware Firewall
1 VoIP and bulk enterprise share the same IP
pipe. 2 QoS is realized for VoIP as there is a
single point to control traffic. 3 The SAFW
handles all SIP addressing transformation issues
between the LAN and WAM demarc. 4 The SAFE
configuration is untouched and handles no VoIP
traffic. 5 Full utilization of incumbent IP
pipe for VoIP realized.
32
Type 7 Merged IP Pipe with Incumbent
Non-SIP-Aware Firewall with a DMZ Port
1 VoIP and bulk enterprise share the same IP
pipe. 2 QoS is not realized for VoIP as there
is no single point to control traffic.
Excessive bandwidth is needed for VoIP to
function. 3 The SAFW handles all SIP addressing
transformation issues between the LAN and WAM
demarc. 4 The USAFW configuration is touched to
allow VoIP to utilize the SAFE DMZ resource. 5
Full utilization of incumbent IP pipe for VoIP
realized. 6 Works with the SAFW as SIP traffic
traverses twice.
33
Type 8 Merged IP Pipe with Incumbent
Non-SIP-Aware Firewall
1 VoIP and bulk enterprise share the same IP
pipe. 2 QoS is not realized for VoIP since
there is no QoS feature in the SAFE. 3 The UA
handles all SIP addressing transformation issues
between the LAN and WAN demarc via SIP NAT
transversal features and/or by using STUN-Simple
Transversal of User datagram protocol with an
external STUN server. 4 The SAFE security is
breached by having ports opened for SIP UDP
traffic. 5 Full utilization of incumbent IP
pipe for VoIP realized. 6 Architecture does not
scale well for anything beyond a few VoIP
calls. 7 This is architecture is suited only
for hosted VoIP services with a small number of
end-user stations in the LAN space.
34
??? About Architectures

• Type 1 Dedicated IP Pipe for VoIP
• Type 2 Merged MPLS-Pipe with LER Tagging VoIP
• Type 3 Merged IP pipe with SIP-Aware Firewall
  (SAFW)
• Type 4 Separate IP Pipe for VoIP with Existing
  Non-SIP Firewall and SIP-Aware Firewall (SOFW)
• Type 5 Merged IP Pipe with Incumbent
  Non-SIP-Aware Firewall, No DMZ Port and
  SIP-aware Firewall
• Type 6 Looks like Type 5 but Merged IP Pipe
  with Incumbent Non-SIP-Aware Firewall, No DMZ
  Port and SIP-Aware Firewall
• Type 7 Merged IP Pipe with Incumbent
  Non-SIP-Aware Firewall with a DMZ Port
• Type 8 Merged IP Pipe with Incumbent
  Non-SIP-Aware Firewall

35
6. The ITSP behind the SIP Trunk

• Getting to the ITSP proxy
• Resiliency in the event of failure
• Load to the ITSP proxy (dynamic routing to)
• When an ITSP element fails (real-time dynamic
  fault switchover)
• Getting to the PSTN- PSTN carrier options

36
ITSPs Peer For Customer Performance
37
VoIP Network N-Plus
38
Special ITSP Services for SIP Trunkers

• Online Traffic monitoring (TotalView)
• Online Billing
• Traffic re-routing (Total Reroute)
• Silent Running Bandwidth Conservation

39
Completed Call Percentages
40
Real-Time Call Activity
41
Accounting History
42
101 Summary

• SIP trunking competes- and beats T1 Trunking on
  price and features
• QoS- SAFW and or MPLS needed for bandwidth QoS
• SIP Security private or public, it can be made
  secure
• SIP CPE Architecture- critical for creating a
  secure clear call
• The ITSP behind the SIP Trunk

43
(No Transcript)
44
(No Transcript)
45
(No Transcript)
46
(No Transcript)
47
(No Transcript)
48
(No Transcript)
49
Communication on the LAN

• Important to have a reliable and well dimensioned
  network
• Consider delay and QoS
• As secure as the corporate network for e-mail
  etc.
• Possible to increase security by implementation
  of encrypted SIP signaling (TLS) and media (SRTP)

50
Many IP-PBXs cant handle outbound Proxy
IP-packets to destinations outside the logical
network is sent to the Default Gateway for
routing.
Configure IP-PBX to pretend that Ingate is the
Service Provider
SIP-unaware Firewall
9726780464_at_10.500.10.13 Default Gwy
10.500.10.11 Outb. Proxy -
9726780464_at_168.203.30.11 Default Gwy
10.500.10.11 Outb. Proxy 10.500.10.13
9726780464_at_168.203.30.11 Default Gwy
10.500.10.11 Outb. Proxy -
IP-PBX
Rewrites the domain part
Default GatewayIP 10.200.10.11
IP 10.200.10.16
DMZ
IP 168.203.30.11
Outbound Proxy IP 10.500.10.13
IP 168.105.45.19
Outbound Proxy is the equivalence to Default
Gateway, but for SIP.
168.203.30.11
Ingate SIParator
with
9726780464_at_10.500.10.13
51
Communications outside the LAN

• Important to have a reliable and high quality
  Internet connection
• Consider delay to ITSP
• Of your connection QoS (voice should have
  priority)
• Voice travels over public Internet (as e-mail)
• Possible to increase security by implementation
  of encrypted SIP signaling (TLS) and media (SRTP)

52
Many Service Providers cant handle domain names
With domain name, no problem !
What if the Service Provider cant handle domains
?
Ingate SIP Trunking module solves this problem !
SIP-unaware Firewall
IP-PBX
6038836569_at_168.105.45.19
6038836569_at_pbx.ingate.com
Rewrites the domain part
IP 10.200.10.16
IP 168.203.30.11
DMZ
IP 10.500.10.13
IP 168.105.45.19
Ingate SIParator
with
6038836569_at_168.105.45.19
10.200.10.16
53
(No Transcript)
54
Questions?
55
About BandTel

• Headquartered in Newport Beach, California,
  BandTel is a leading worldwide provider of SIP
  Trunking services. The company is dedicated to
  ensuring its customers and partners alike have
  access to the most reliable, end-to-end VoIP
  service available on the market today.
• Its N-Plus network architecture is designed to
  solve the throughput and redundancy problems on
  high-capacity SIP-based networks and eliminate
  any single point of failure.
• BandTel continues to develop strong partnerships
  with leading carriers and telecommunications
  companies, including Global Crossing, XO
  Communications, Level 3, Qwest Communications,
  Verizon Business, and Primus.

56
About Ingate

• Formed 2001
• Firewall technology from Cendio Systems
• Appliance firewalls since 1994
• Capital and SIP technology from Intertex Data AB
• Began SIP development in 1998
• Released the worlds first SIP capable Firewall in
  2001
• Located in Stockholm and Linköping, Sweden with a
  subsidiary, Ingate Systems Inc., based in Hollis,
  NH.
• Confirmed IP-PBX interoperability3Com,
  Asterisk, Avaya, Broadsoft, Cisco Call Manager,
  Ericsson MX-One, Mitel, Pingtel, SER, Shoretel,
  Sphere, Swyx, Zultys
• Confirmed carrier interoperability
• Bandtel, Broadband.com, Cbeyond, Global
  Crossing, IP-Only, O1, RNKTel, Tele2, VoEx

57
For More Information About SIP Trunking

• Visit BandTels New SIP Trunking Resource Center
• www.BandTel.com/siptrunking2.asp