Deploying SIP on a Global Scale

January 23-26, 2007• Ft. Lauderdale, Florida

Deploying SIP on a Global Scale

Thom O’Connor

Director, Product and Services

CommuniGate Systems

January 25, 2007


VoIP in the News

“We are in the midst of a VoIP communications revolution“ - Jeff Pulver

The use of IP PBXs is poised to soar, according to a study by In-Stat that predicts sales of these devices will represent 51% of all PBX sales this year and grow to 91% worldwide by 2009. - Network World, August 2005


Long-term Benefits of VoIP

• Sophisticated call management – presence, call forwarding/routing
• Integrated voice, video, file transfer, IM
• (Arguably) communications at lower cost and with richer media (although the cost benefits are in transition and debatable)
• Consolidated identity management
• Granular policy/compliance capabilities
• ENUM for convergence of telephone numbers & IP addresses
• Mobility, access, flexibility


Focusing on SIP-initiated VoIP

• VoIP is an ambiguous concept encompassing many protocols including H.323, MGCP, SIP, 3GPP/IMS

• VoIP provides the IP-based transfer of:
  – Audio & Video (multimedia)
  – Instant Messages
  – Client-driven application sharing & whiteboarding

• Session Initiation Protocol (RFC 3261): SIP provides for open and standards-based signaling

• SIP provides registration, authentication, and discovery - allows two or more clients to locate each other, select a media type & define media sockets using SDP

• RTP is used for the audio/video payload, often flowing directly between end devices


Diagram of SIP-initiated VoIP


Network Models for IP Communications

1. Service-Provider Model

2. Internet SIP usage with basic SIP Proxies

3. Client-Server SIP model, trusted users only

4. P2P Model

5. Distributed SIP model


Service-Provider Model

Advantages
• Easy to implement and use for end users
• Theoretical possibility of security within each provider
• Standardization not required

Disadvantages
• Proprietary, (often) closed networks
• Many non-interop devices
• Relatively few providers, relatively little choice & potential for oligopoly
• Actual security of data and accounts is unknown
• Little/no policy control


Internet SIP with basic SIP Proxies

Advantages
• Stateless proxies can achieve high performance, but often not usable or secure

Disadvantages
• Great difficulty in consistent signaling and media establishment with end users, especially those behind firewalls
• Little or no gateway session control (may be most significant for enterprise users)
• NAT traversal problems – STUN/TURN provides some NAT capabilities
• Presence conflicts when more than one end-user agent per user


Client-Server SIP model, trusted users only

Advantages
• Tight authentication and REGISTER control
• Little threat of Spam, Caller ID spoofing
• Mostly-secure internal communications
• “Near-end” and “Far-end” NAT traversal capable (if the SIP infrastructure is)

Disadvantages
• Not truly an Internet-wide distributed SIP infrastructure
• All non-local sessions routed through PSTN or other public service providers (IM gateways, etc.)


P2P Model

Ref: http://arxiv.org/ftp/cs/papers/0412/0412017.pdf

Advantages
• True IP-to-IP (as well as potentially IP-to-PSTN connectivity)
• Potentially free and unrestricted for IP-to-IP
• Cost

Disadvantages
• Not appropriate for Enterprises with controls on security/privacy
• Implemented today as another closed network
• Skype authentication network would appear to be a single point of failure
• Current implementations are not open standards, therefore restricted and of unknown security

Depending on viewpoint…
• Very difficult to block


Distributed SIP Model

-> Begins to look a whole lot like email today

Advantages
• True “Internet Communication”
• Sophisticated SIP gateways with session control capabilities
• Reliable media streams
• Server-based presence agents
• Session border control capabilities allow for content scanning, policy control (such as being able to enforce SIPS and SRTP)

Disadvantages
• Predictable addressing leads to same problems of spam
• Depending on your point of view, greater possibility of stream interception at gateway choke points (as compared to P2P)
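The gateway policy mentioned above (enforcing SIPS and SRTP) can be illustrated on a single INVITE whose SDP body defines the media sockets. This is an added example, not taken from the slides or from CommuniGate Pro; the function names, hosts, tags and ports are constructed for illustration, and the check covers only the Request-URI scheme, the top Via transport and each stream's SDP transport profile.

```python
import re

# SDP transport profiles that carry SRTP (SDES-keyed and DTLS-SRTP variants).
SRTP_PROFILES = {"RTP/SAVP", "RTP/SAVPF", "UDP/TLS/RTP/SAVP", "UDP/TLS/RTP/SAVPF"}

def parse_invite(raw):
    """Return (request_uri, headers, sdp_body) for a raw SIP request."""
    head, _, body = raw.partition("\r\n\r\n")
    start, *header_lines = head.split("\r\n")
    match = re.fullmatch(r"([A-Z]+) (\S+) SIP/2\.0", start)
    if not match:
        raise ValueError("not a SIP request")
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return match.group(2), headers, body

def policy_violations(raw):
    """List the reasons a gateway enforcing SIPS and SRTP would refuse this request."""
    uri, headers, sdp = parse_invite(raw)
    problems = []
    if not uri.lower().startswith("sips:"):
        problems.append("Request-URI is not sips:")
    via = (headers.get("via") or headers.get("v") or [""])[0]  # "v" is the compact form
    if not via.upper().startswith("SIP/2.0/TLS"):
        problems.append("top Via transport is not TLS")
    # Port 0 marks a declined stream; m= lines that do not match are ignored here.
    for media, port, profile in re.findall(r"^m=(\S+) (\S+) (\S+)", sdp, re.M):
        if port != "0" and profile.upper() not in SRTP_PROFILES:
            problems.append(f"{media} stream uses {profile}, not SRTP")
    return problems

def make_invite(scheme, transport, streams):
    """Build a constructed INVITE; every host, tag and port below is made up."""
    sdp = ["v=0", "o=alice 1 1 IN IP4 192.0.2.10", "s=-", "c=IN IP4 192.0.2.10", "t=0 0"]
    sdp += [f"m={m} {port} {prof} {fmt}" for m, port, prof, fmt in streams]
    head = [f"INVITE {scheme}:bob@example.net SIP/2.0",
            f"Via: SIP/2.0/{transport} client.example.org;branch=z9hG4bKconstructed",
            "From: <sips:alice@example.org>;tag=1", "To: <sips:bob@example.net>",
            "Call-ID: constructed-1", "CSeq: 1 INVITE", "Content-Type: application/sdp"]
    return "\r\n".join(head) + "\r\n\r\n" + "\r\n".join(sdp) + "\r\n"

GOOD = make_invite("sips", "TLS", [("audio", 49170, "RTP/SAVP", 0)])
BAD = make_invite("sip", "UDP", [("audio", 49170, "RTP/AVP", 0), ("video", 0, "RTP/AVP", 96)])
```

A passing result only describes the hop into the gateway and the profile the offer advertises; it says nothing about how later hops or the answer are protected.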


Evolutionary Path for Internet Communications?

• Current IM and “free VoIP” model is similar to that of the PSTN phone network – centralized services providing end-user accounts

• VoIP as a form of Internet Communications is far more powerful – distributed, open, interoperable with many servers/clients

• Ultimately – will look more like email does today?
• Move from IP-to-PSTN/PSTN-to-IP to end-to-end, IP-to-IP
• Trend towards distributed services out towards end-points (domain/DNS-based, maybe true P2P)
• WiFi/WiMAX phones may provide the last mile for end-to-end

Conclusion: SIP/RTP must be implemented via the standards and architectural best practices to be opened at the gateway points


Implications of Distributed VoIP

• Recipients must be given tools to manage accessibility and risks

• Strong requirements for user and domain-level authentication and ultimately, reputation services

• Requirements for relay protections, content filtering, gateway policies, anti-spoofing, lawful intercept

• Protection against DDoS, IP-based restrictions - RBLs, blacklists, whitelists

• User-based rules for protection
• Requirements for HA, clustering, and QOS
• Less reliance/dependence on service providers (acting as oligopolies)
• Policy management through sophisticated SIP gateway controls


Challenges of Implementing VoIP/SIP

• SIP protocol still in rolling development
• Many vendors adding non-standard methods that don’t always interop
• QOS and bandwidth issues, lost/out-of-order packets
• Power over Ethernet (PoE) not widespread
• Each SIP end-user device may state its own presence
• “Near-end” and “Far-end” NAT traversal
• Little policy/compliance for end-to-end data transfer
• Scalability & HA of VoIP infrastructure
• Emergency procedures (911)
• Security challenges (data capture, MITM, DDoS, virus?, encryption not commonly used)
• CALEA – capturing end-point data and media (though not necessarily un-encrypted media)


Dynamic Cluster with SIP Farm

• Single-address for email, collaboration, and VoIP
• Email traffic can be separated from SIP Farm
• Consolidated Identity management but Frontends are “specialized”
• Protects voice QOS even in event of DDoS or spam


Implications of Presence & Availability

• Far more invasive to be receiving voice calls unexpectedly than email/IM

• Requires assurance of identity in order to make presence and availability decisions

• Presence could reveal vulnerabilities, and must be granted granularly and selectively, especially outside the protected environment


Total Converged Solution with CGP

• Complete SIP-based infrastructure and applications
• Personalized voice and data services for thousands of domains
• All-Active Dynamic Cluster for 99.999% uptime for Messaging and Real-time traffic
• CGP handles all SBC and NAT traversal functions

CommuniGate Pro


Super Cluster

• Cluster of Clusters

• Used for scaling when regions are desired or when limited by storage subsystem

• Capable of sharing mailboxes between Backend clusters


CGP is not a Closed System

• The closed-network model for VoIP will inevitably end
• No one ever needs to ask whether their system can send an email to Yahoo
• Insecure for business – relies on outside, often unknown vendors
• Susceptible to cost hikes
• Not based on standards
• Not a true “end-to-end” model for direct connectivity
• Not a real Internet model - based more on the PSTN of the past


CGP Embraces Open Standards

• Open, RFC-compliant standards ensure all users can communicate
• The distributed Internet model has been proven with email, and is inevitable with voice
• Businesses are empowered with the ability to define their security and privacy policies
• Service Providers can offer security and encryption as well as perform Lawful Interception
• All users can choose their own client for email, collaboration, and voice and still interoperate with one another


EdgeGate Services

• In a Dynamic Cluster, the CommuniGate Pro “Frontend Servers” handle most EdgeGate Services
• In the Core Server, all functions handled on the same server
• Built-in Connection flow control, SPF, Reverse Connect, and Session Border Control
• Third-party plugins provided to complete the anti-spam/anti-virus defense:
  - Mailshell SpamCatcher
  - Cloudmark Authority
  - McAfee VirusScan
  - Sophos Virus Scanner
  - Kaspersky Virus Scanner


Massively Scalable Clustering for VoIP

[Diagram labels: Signaling Session, Media Session, Media Proxy]


HP-CommuniGate-Navtel VoIP Benchmark


VoIP Benchmark Results - Navtel


VoIP Benchmark Results - sipp
