Title: SIP Operation in the Public Internet
1 SIP Operation in the Public Internet
- An Update on What Makes Running SIP a Challenge and What It Takes to Deal With It
- Jiri Kuthan, iptel.org
- sip:jiri_at_iptel.org
2 Outline
- Status update: where iptel.org's operational experience comes from and what works today
- Trouble stack: things which do not fly
- Operational Practices
- Conclusions
3 Background
- iptel.org has been running SIP services on the public Internet since 2001. Users are able to pick an address username_at_iptel.org and a numerical alias.
- The infrastructure serves public subscribers as well as internal users with additional privileges (PSTN termination, voicemail).
- Services are powered by iptel.org's open-source SIP server, SER.
- The user population has grown since the introduction of Windows Messenger.
4 Good News
- Basic VoIP services work, and so do complementary integrated services such as instant messaging, voicemail, etc.
- Billing machinery works too: accounting is easy, though not standardized. Gateways with accounting support exist today.
  - Note: gateways are a better place for PSTN accounting than a proxy server because they are best aware of media and PSTN events.
- Numbering plans are easy to maintain and they complement domain names well.
- QoS mostly pleasant.
- Interoperation with other technologies works too:
  - Competition on the PSTN gateway market is established.
  - A gateway to Jabber instant messaging is up and running.
  - Commercial H.323 gateways exist.
5 Bad News
- Nightmare: NATs
- Why My Wife Doesn't Use VoIP: Reliability
- What Is It? Machines Do, Operators Don't: Scalability
- End-devices still expensive
- Future issues: spam, denial of service attacks
6 NAT Traversal
NAT Traversal
- NATs are popular because they conserve IP address space and help residential users save the money charged for IP addresses.
- Problem: SIP does not work over NATs. The signaling of peer-to-peer applications gets broken by NATs: receiver addresses announced in signaling are invalid outside of NATted networks.
- Straightforward solution: IPv6. It is unclear when it will be deployed, if ever.
- There are many scenarios for which no single solution exists:
  - Are NATs operated by their users or by ISPs?
  - Are the NATs in use application-aware?
  - Are the NATs in use configurable?
  - Do NATs support UPnP?
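The problem described above can be made concrete with a small sketch. It scans a SIP message for IPv4 addresses and reports those that fall in private ranges and therefore mean nothing to a receiver outside the NAT. The sample INVITE, the host names, and the function name `unroutable_addresses` are illustrative assumptions, not taken from the slides.

```python
import ipaddress
import re

# Hypothetical INVITE as a phone behind a NAT might send it (illustrative only).
SAMPLE_INVITE = "\r\n".join([
    "INVITE sip:bob@example.com SIP/2.0",
    "Via: SIP/2.0/UDP 192.168.0.12:5060",
    "Contact: <sip:alice@192.168.0.12:5060>",
    "Content-Type: application/sdp",
    "",
    "v=0",
    "c=IN IP4 192.168.0.12",
    "m=audio 8000 RTP/AVP 0",
])

# Matches dotted-quad candidates; validity is checked by ipaddress below.
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


def unroutable_addresses(message: str) -> list[str]:
    """Return the distinct private IPv4 addresses announced in a SIP message."""
    found = []
    for text in IPV4_RE.findall(message):
        try:
            addr = ipaddress.ip_address(text)
        except ValueError:
            continue  # looked like an address but is not a valid one
        if addr.is_private and text not in found:
            found.append(text)
    return found


if __name__ == "__main__":
    # Every address listed here is unreachable from the public Internet.
    print(unroutable_addresses(SAMPLE_INVITE))
```

The same private address shows up in Via, Contact, and the SDP connection line, which is why fixing the IP layer alone does not help: the signaling payload itself carries the unusable address.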
7 Current NAT Traversal Practices
NAT Traversal
- Application Layer Gateways (ALGs): application awareness built into NATs.
  - Requires ownership of specialized software/hardware. Implementations exist (Intertex, PIX).
  - Scalability possibly affected by application-awareness.
- Geek's choice: manual configuration of NAT translations.
  - Requires ability of NATs, phones, and humans to configure static NAT translation. (Some have it.) If a phone has no SIP/NAT configuration support, an address translator can be used.
- UPnP: automatic NAT configuration.
  - Requires ownership of UPnP-enabled NATs and phones.
8 Current NAT Traversal Practices
NAT Traversal
- STUN: automatic phone configuration.
  - Requires NAT-probing ability (STUN support) in end-devices and a simple STUN server. Implementations exist (snom, kphone).
  - Works only over some NAT types.
  - Troubles if the other party is in a different routing realm than the STUN server.
  - Works even if the NAT device is not under the user's control.
- Relay: establish communication with a signaling/media relay.
  - Introduces a single point of failure; a media relay is subject to serious scalability and reliability issues.
  - Works only with some phones.
  - Works over most NATs.
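To illustrate what the NAT probing behind STUN amounts to on the wire, here is a minimal sketch of a Binding Request and of decoding the public address from a reply. It follows the message layout of RFC 5389, which is newer than the STUN version available when these slides were written, so treat it as an approximation of the idea rather than what the phones named above implement. The helper `fake_binding_response` is hypothetical and exists only so the example runs without a network.

```python
import os
import socket
import struct

MAGIC_COOKIE = 0x2112A442      # fixed value from RFC 5389
BINDING_REQUEST = 0x0001
BINDING_SUCCESS = 0x0101
XOR_MAPPED_ADDRESS = 0x0020


def build_binding_request() -> bytes:
    """Build a 20-byte Binding Request with no attributes."""
    transaction_id = os.urandom(12)
    return struct.pack("!HHI", BINDING_REQUEST, 0, MAGIC_COOKIE) + transaction_id


def parse_xor_mapped_address(response: bytes):
    """Return (ip, port) from an IPv4 XOR-MAPPED-ADDRESS attribute, or None."""
    if len(response) < 20:
        return None
    msg_type, length, cookie = struct.unpack("!HHI", response[:8])
    if msg_type != BINDING_SUCCESS or cookie != MAGIC_COOKIE:
        return None
    pos, end = 20, 20 + length
    while pos + 4 <= end:
        attr_type, attr_len = struct.unpack("!HH", response[pos:pos + 4])
        value = response[pos + 4:pos + 4 + attr_len]
        if attr_type == XOR_MAPPED_ADDRESS and attr_len >= 8 and value[1] == 0x01:
            port = struct.unpack("!H", value[2:4])[0] ^ (MAGIC_COOKIE >> 16)
            raw = struct.unpack("!I", value[4:8])[0] ^ MAGIC_COOKIE
            return socket.inet_ntoa(struct.pack("!I", raw)), port
        pos += 4 + attr_len + (-attr_len % 4)  # attributes are padded to 4 bytes
    return None


def fake_binding_response(ip: str, port: int, transaction_id: bytes) -> bytes:
    """Hypothetical stand-in for a server reply, used for offline testing."""
    xport = port ^ (MAGIC_COOKIE >> 16)
    xaddr = struct.unpack("!I", socket.inet_aton(ip))[0] ^ MAGIC_COOKIE
    attr = struct.pack("!HHBBHI", XOR_MAPPED_ADDRESS, 8, 0, 0x01, xport, xaddr)
    header = struct.pack("!HHI", BINDING_SUCCESS, len(attr), MAGIC_COOKIE)
    return header + transaction_id + attr


if __name__ == "__main__":
    request = build_binding_request()
    reply = fake_binding_response("195.37.78.173", 5060, request[8:])
    print(parse_xor_mapped_address(reply))
```

A phone would send the request over UDP from the same socket it uses for SIP or RTP and then announce the returned address in its signaling. With a symmetric NAT the mapping seen by the STUN server differs from the one used towards the peer, which is why the technique works only over some NAT types.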
9 NAT Practices Overview
NAT Traversal
                         ALG        STUN        UPnP    Manual      Relay
Works over ISPs' NATs?   N/A        Maybe (*)   N/A     N/A         Maybe
Phone support needed?    No         Yes         Yes     Yes         Yes
NAT support needed?      Yes        Ltd. (*)    Yes     Ltd. (+)    No
Scalability              Ltd. (o)   Ok          Ok      Ok          Poor ?
User effort              Small      Small       Small   Big ?       Small
(*) does not work for symmetric NATs
(+) port translation must be configurable
(o) application-awareness affects scalability
10 NAT Traversal Scenarios
NAT Traversal
- There is no one-size-fits-all solution. All current practices suffer from many limitations.
- iptel.org observations for residential users behind NATs:
  - SIP-aware users relying on a public SIP server use ALGs or STUN; the affordability of both solutions wins.
  - Few SIP geeks configure NAT traversal manually.
  - SIP-unaware users keep asking our helpline why things do not work.
- Our plan: hope for wider deployment of
  - STUN and STUN-friendly NAT boxes
  - ALGs
  - UPnP-enabled phones and NATs
11 Murphy's Law Holds
Availability
Everything can go wrong.
- Servers
  - software/configuration upgrades
  - vulnerabilities
  - both SIP and supporting servers are subject to failure: DNS, IP routing daemons
- Hosts
  - power failures
  - hard-disk failures
- Networks
  - line
  - IP access
12 IP Availability SLAs
Availability
- Industry averages for network availability SLAs range from 99.5% to 99.9% (an NRIC report).
- SLAs mostly exclude regular maintenance and always exclude Acts of God.
- Residential IP access rarely comes with SLAs.
Availability (percent)   Actual downtime (per year)
99.999                   5 minutes
99.9                     9 hours
99.5                     1.8 days
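The downtime figures follow directly from the availability percentage. A small sketch of the arithmetic, assuming a 365-day year (the function name is illustrative):

```python
HOURS_PER_YEAR = 365 * 24  # 8760, ignoring leap years


def downtime_hours_per_year(availability_percent: float) -> float:
    """Hours per year a service is down at the given availability."""
    return (1 - availability_percent / 100) * HOURS_PER_YEAR


if __name__ == "__main__":
    for pct in (99.999, 99.9, 99.5):
        hours = downtime_hours_per_year(pct)
        print(f"{pct}%: {hours * 60:.1f} min = {hours:.2f} h = {hours / 24:.2f} days")
```

The results are about 5.3 minutes, 8.8 hours, and 1.8 days, which the table rounds to 5 minutes, 9 hours, and 1.8 days.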
13 matrix.net's Reachability Statistics
Availability
- Minimum: 98.69%
- Median: 99.45%
- Maximum: 99.84%
- Mean: 99.40%
14 Fail-over Solution Space
Availability
- Whatever the reason for a failure is, signaling needs to be available continuously. The most important components are:
  - Replication of user location information: doable using SIP, which is better than using back-end replication.
    - SIP replication avoids all sorts of caching troubles which possibly occur with back-end database replication.
    - It is portable across multi-vendor SIP systems.
    - Digest authentication can be resolved with a special replication identity or with predictive nonces.
  - Making clients use the backup infrastructure on failure.
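The slides do not say how predictive nonces are constructed. One possible reading, sketched below purely as an assumption, is a nonce that any server holding a shared secret can verify without having issued it: the nonce carries its expiry time plus a keyed hash over that time. A backup server can then accept credentials in a replicated REGISTER that were computed against the primary's challenge. The secret, the nonce layout, and the function names are all hypothetical.

```python
import hashlib
import hmac

# Hypothetical secret configured identically on the primary and the backup.
SHARED_SECRET = b"replace-with-a-real-secret"


def make_nonce(expires_at: int, secret: bytes = SHARED_SECRET) -> str:
    """Build a nonce: 8 hex digits of expiry time followed by a keyed hash."""
    stamp = f"{expires_at:08x}"
    mac = hmac.new(secret, stamp.encode(), hashlib.sha256).hexdigest()
    return stamp + mac


def check_nonce(nonce: str, now: int, secret: bytes = SHARED_SECRET) -> bool:
    """Verify a nonce issued by any server that knows the same secret."""
    stamp, mac = nonce[:8], nonce[8:]
    expected = hmac.new(secret, stamp.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(mac.encode(), expected.encode()):
        return False  # not produced with our secret, or tampered with
    return int(stamp, 16) >= now  # still within its validity period


if __name__ == "__main__":
    nonce = make_nonce(expires_at=1_000_300)
    print(check_nonce(nonce, now=1_000_000))   # checked on the "backup"
```

The alternative named in the slide, a special replication identity, avoids the shared nonce scheme altogether: the backup simply trusts requests authenticated as coming from the primary.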
15 Back-end versus SIP Replication
Availability
[Figure: two diagrams, "SIP Replication" and "Back-end Replication". Each shows a primary server, a backup server, and back-end databases, together with this REGISTER request:]
    REGISTER sip:iptel.org SIP/2.0
    From: sip:jiri@iptel.org
    To: sip:jiri@iptel.org
    Contact: <sip:195.37.78.173>
    Expires: 3600
Figure notes:
- works regardless of which back-end system is used
- works easily if the back-end database is cached in the SIP server
16 Making Clients Use Backup Server
Availability
- SIP-native alternative: use DNS SRV in clients to find a backup server.
  - Features the ability to spread servers geographically.
  - Problem: we are aware of only one SIP phone that implements DNS fail-over well.
- Until DNS fail-over is widely implemented, workarounds can be used.
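What a client has to do for DNS SRV fail-over can be sketched as follows: order the SRV records by priority, pick among equal priorities by weight, and move to the next record when a server does not answer. The sketch works on already-resolved records so that it needs no DNS library. The weighted selection is a simplification of the RFC 2782 procedure, and the host names and the `is_alive` callback are hypothetical.

```python
import random
from typing import Callable, NamedTuple, Optional


class SrvRecord(NamedTuple):
    priority: int
    weight: int
    port: int
    target: str


def failover_order(records, rng=random):
    """Lowest priority value first; weighted random order within a priority."""
    ordered = []
    for priority in sorted({r.priority for r in records}):
        group = [r for r in records if r.priority == priority]
        while group:
            weights = [r.weight for r in group]
            if sum(weights) == 0:
                pick = rng.choice(group)
            else:
                pick = rng.choices(group, weights=weights, k=1)[0]
            group.remove(pick)
            ordered.append(pick)
    return ordered


def first_reachable(records, is_alive: Callable[[SrvRecord], bool]) -> Optional[SrvRecord]:
    """Return the first server in fail-over order that responds, if any."""
    for record in failover_order(records):
        if is_alive(record):
            return record
    return None


if __name__ == "__main__":
    # Hypothetical records, as if returned for _sip._udp.example.org
    records = [
        SrvRecord(20, 0, 5060, "backup.example.org"),
        SrvRecord(10, 0, 5060, "primary.example.org"),
    ]
    primary_down = lambda rec: rec.target != "primary.example.org"
    print(first_reachable(records, primary_down))
```

Because the backup is just another DNS name, it can sit in a different network or location than the primary, which is the geographic spreading mentioned above.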
17 Fail-over Workarounds and Limitations
Availability
- IP address take-over: make the backup server grab the primary's IP address when a failure is detected.
  - Cannot be geographically dispersed.
  - Primary server needs to be disconnected.
- DNS update: update the server's name with the backup's IP address.
  - DNS propagation may take too long, even if TTL=0 (which puts a higher burden on clients).
- Both methods rely on error detection, which may be tricky: a pinging host may be distant from another client and have a different experience.
18 Scalability Concerns
Deployability
- New applications, like presence, are very talkative.
  - Presence status updates are frequent.
  - Each update is fanned out to multiple parties.
- Broken or misconfigured devices account for a fair part of the load. A few of many real-world observations:
  - Broken digest clients resend wrong credentials in an infinite loop, resulting in a heavy flood.
  - Misconfigured password: a phone attempted to re-register every ten minutes (factor 6), resulting in 2400 messages a day.
  - Misconfigured Expires=30 (factor 120).
- Replication, boot avalanches.
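The load factors quoted above are relative to an hourly registration refresh (Expires 3600). A short sketch of that arithmetic, together with the fan-out that makes presence talkative; the function names and the presence numbers are illustrative assumptions. It does not attempt to reproduce the 2400 messages a day, since that depends on how many messages each failed attempt exchanged, which the slides do not state.

```python
SECONDS_PER_DAY = 24 * 60 * 60
BASELINE_EXPIRES = 3600  # hourly refresh, the baseline implied by the factors


def registrations_per_day(interval_seconds: int) -> float:
    """Registration attempts a single device makes per day."""
    return SECONDS_PER_DAY / interval_seconds


def load_factor(interval_seconds: int, baseline: int = BASELINE_EXPIRES) -> float:
    """How many times more load a device causes than an hourly refresher."""
    return baseline / interval_seconds


def presence_notifications(updates: int, watchers: int) -> int:
    """Messages generated when each status update goes to every watcher."""
    return updates * watchers


if __name__ == "__main__":
    print(load_factor(600), registrations_per_day(600))   # retry every ten minutes
    print(load_factor(30), registrations_per_day(30))     # Expires=30
    print(presence_notifications(updates=50, watchers=20))
```

A single device with Expires=30 therefore costs as much registration traffic as 120 well-behaved ones, so a small share of misconfigured phones can dominate server load.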
19 Achievable Scalability
Deployability
- Good news: well-designed SIP servers can cope with load in terms of thousands of calls per second (CPS).
  - Example: a lab-tuned version of SIP Express Router was able to statefully process 5000 calls per second to a static destination on a dual-CPU PC, which is the capacity needed by the telephony signaling of the Bay Area.
- Pending concern: denial of service attacks.
  - Example: hundreds of megabytes of RAM can be exhausted in tens of seconds with stateful processing.
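A back-of-the-envelope sketch shows why stateful processing is exposed to memory exhaustion. It assumes that every incoming request allocates transaction state that is not released during the attack window, which is plausible because SIP transaction timers run for tens of seconds. The request rate, per-transaction size, and RAM size below are hypothetical inputs, not measurements from the slides.

```python
def seconds_to_exhaust(ram_bytes: int, requests_per_second: int,
                       bytes_per_transaction: int) -> float:
    """Time until memory is full if no transaction state is freed meanwhile."""
    return ram_bytes / (requests_per_second * bytes_per_transaction)


if __name__ == "__main__":
    # Hypothetical figures: 512 MB of RAM, 5000 requests/s, 4 KB of state each.
    t = seconds_to_exhaust(512 * 2**20, 5000, 4096)
    print(f"memory exhausted after about {t:.0f} s")
```

With these assumed inputs the memory is gone in under half a minute, the same order of magnitude as the observation above.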
20 Deployability
Deployability
- Devices can be made to scale, administrators cannot.
- Well-known burdens:
  - Many deployed boxes consume many administrators.
  - Network-building practice: integrate signaling logic in as few boxes as the replication strategy allows.
  - Phones are not yet plug-and-play, particularly if behind NATs.
  - It is still the phone vendors' turn.
  - SIP routing: good but not easy.
21 SIP Routing
Deployability
- One of the primary benefits of SIP: the ability to link various service components speaking SIP together.
- The glue is signaling servers. Their primary capability is routing requests to appropriate services.
- Issues:
  - Routing flexibility: how to determine the right destination for a request
  - Troubleshooting when routing failures occur
[Figure: diagram with the labels SIP proxy, SMS Gateway, PSTN Gateway, Applications, IP Phone Pool, Other domains]
22 Routing Policy
Deployability
- Processing of each SIP request varies.
  - PSTN destinations may require record-routing (whereas others do not).
  - Callers from other domains don't need to authenticate, locals do.
  - Other differences: appending header fields, authorization, routing.
- SIP request-routing decisions can depend on a variety of factors. iptel.org example:
  - URI-based routing: requests to numeric destinations are forwarded to the PSTN gateway.
  - Policy-based processing: requests to international PSTN destinations require authentication and privileges.
  - Method-based routing: requests to numerical destinations are split by method between the SMS and PSTN gateways.
  - Further factors include the request's transport origin, the address claimed in the From header field, the content of Contact, etc.
- Operational observation: mighty tools for specification of routing policy are needed.
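The interplay of URI-based, method-based, and policy-based decisions can be sketched as a single routing function. This is an illustration in Python, not SER's routing language. The number patterns, the use of the MESSAGE method for SMS, the "international" privilege name, and the returned labels are assumptions made for the example.

```python
import re
from dataclasses import dataclass

NUMERIC_USER = re.compile(r"^sip:\+?[0-9]+@")
INTERNATIONAL = re.compile(r"^sip:00[0-9]+@")  # hypothetical dialing prefix


@dataclass
class Request:
    method: str
    uri: str
    authenticated: bool = False
    privileges: frozenset = frozenset()


def route(req: Request) -> str:
    """Decide where a request goes, combining URI, method, and policy checks."""
    # URI-based: non-numeric destinations are ordinary SIP users.
    if not NUMERIC_USER.match(req.uri):
        return "user-location lookup"
    # Method-based: numeric destinations are split between two gateways.
    if req.method == "MESSAGE":
        return "SMS gateway"
    # Policy-based: international calls need credentials and a privilege.
    if INTERNATIONAL.match(req.uri):
        if not req.authenticated:
            return "challenge"
        if "international" not in req.privileges:
            return "reject (403)"
    return "PSTN gateway"


if __name__ == "__main__":
    print(route(Request("INVITE", "sip:jiri@iptel.org")))
    print(route(Request("MESSAGE", "sip:790123@iptel.org")))
    print(route(Request("INVITE", "sip:0049301234@iptel.org")))
```

Even this toy version needs three kinds of tests in a fixed order, which hints at why a hard-coded policy does not scale to real deployments and a dedicated way of specifying it is needed.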
23 Routing Language
Deployability
- Our answer: a routing language.
- Features: conditional expressions may depend on any of the previously mentioned factors. Example:

    /* free destinations, like Jiri's mobile phone listed in an SQL table,
       or any local PBX numbers, require no authentication */
    if ( is_user_in("Request-URI", "free-pstn")
         | uri=~"sip:[79][0-9][0-9][0-9]@.*" ) {
        log("free call");
        /* no admission control: let anyone call */
    } else {
        /* all other destinations require proper credentials */
        if (!proxy_authorize("iptel.org" /* realm */,
                             "subscriber" /* table name */)) {
            proxy_challenge("iptel.org", "0");
            break;
        };
        /* detailed admission control: long distance versus international, etc. */
        if (uri=~"sip:0[1-9][0-9]+@.*") {
            if (!is_in_group("local")) {
                sl_send_reply("403", "Forbidden...");
                ...
24 SIP Routing Troubleshooting
Deployability
- A SIP request can be routed along an arbitrarily complex path.
- Failures in numbering plans, and in SIP routing in general, are difficult to locate without knowledge of:
  - Which Request-URI caused an error
  - At which spiral iteration an error occurred
  - Who was the pre-last hop
  - Who was the next hop when forwarding failed
- Trouble factor: the server causing an error is located on CP or belongs to a different administrative domain.
[Figure: call-flow diagram of a request passing through several proxies. Nodes: UAC, proxy1, proxy2, UAS1, UAS2. Messages: REQ a, REQ branch0, 500, REQ branch1, REQ 1.2.1, REQ br1.2.]
25 Troubleshooting Proposal
Deployability
- Let UASs be talkative and disclose what they know in SIP replies; knowledge of the circumstances of a request error will then propagate along the whole request path:
  - Incoming Request-URI
  - Number of Via header fields in the request
  - Transport address of the previous hop
  - SIP address of the next hop if forwarding failed
- Already deployed at iptel.org; automated troubleshooting would take standardization.
    SIP/2.0 500 Really Bad Error
    Via: SIP/2.0/UDP 61.15.105.253:5060;branch=z9hG4bK87454300fc.0
    Via: SIP/2.0/UDP 192.168.0.12:5060;branch=z9hG4bK14f54300fc.0
    From: sip:21004041@iptel.org;tag=123
    To: sip:21004041@iptel.org;tag=456
    Call-ID: 415392@61.15.105.253
    CSeq: 2 REGISTER
    Server: Sip EXpress router (0.8.8 (i386/linux))
    Content-Length: 0
    Warning: 392 195.37.77.101 "downstream ICMP failure"
    Debug: req_src_ip=61.15.105.253 in_uri=sip:foobar out_uri=sip:195.37.77.101 via_cnt=2
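Automated troubleshooting would start with extracting the disclosed fields from a reply. The sketch below assumes the debug information arrives as space-separated key=value pairs, which is inferred from the sample reply on this slide and is not a standardized format. The function names are illustrative.

```python
def parse_debug_info(value: str) -> dict:
    """Split 'key=value key=value ...' debug text into a dictionary."""
    fields = {}
    for token in value.split():
        key, sep, val = token.partition("=")
        if sep:  # ignore tokens that are not key=value pairs
            fields[key] = val
    return fields


def summarize(fields: dict) -> str:
    """Turn the parsed fields into a one-line diagnosis for an operator."""
    return (f"request for {fields.get('in_uri', '?')} "
            f"from {fields.get('req_src_ip', '?')} "
            f"failed towards {fields.get('out_uri', '?')} "
            f"after {fields.get('via_cnt', '?')} Via hops")


if __name__ == "__main__":
    sample = ("req_src_ip=61.15.105.253 in_uri=sip:foobar "
              "out_uri=sip:195.37.77.101 via_cnt=2")
    print(summarize(parse_debug_info(sample)))
```

Each field answers one of the questions listed on the previous slide: which Request-URI arrived, who the previous hop was, where forwarding failed, and how deep in the path the error occurred.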
26 Concluding Observations
- Basic VoIP and complementary services are up and running.
- Performance is essential to surviving critical situations such as misconfigured networks and to avoiding too many servers. Denial of service is still a pending challenge.
- Request-routing flexibility in servers is essential to building services, but it takes troubleshooting facilities.
- Room for improvement in phone implementations still exists: NAT traversal support, plug-and-play configuration, DNS fail-over.
27 Information Resources
- Email: jiri_at_iptel.org
- IP Telephony Information: http://www.iptel.org/info/
- SIP Services: http://www.iptel.org/user/
- SIP Express Router: http://www.iptel.org/ser/