January 23-26, 2007 Ft. Lauderdale, Florida SIP Trunking for the Intermediate/Advanced Reseller The SIP Connection From A to Z Presented by Pete Sandstrom, CTO BandTel Janne Magnusson, Director Operations Ingate

January 23-26, 2007 Ft. Lauderdale, Florida Advanced SIP Session Overview 1. Open Systems Interconnection Model (OSI) is more than a model Real-Time Protocol (RTP Real-Time Control Protocol (RTCP) 2. Quality of Service (QoS) IP – Multi-Protocol Label Switching (MPLS) Peering for Performance 3. SIP Applications – the reason for doing anything 4. SIP Security – protecting what we have 5. SIP trunking CPE Architectures 6. The role of the ITSP – provider performance

January 23-26, 2007 Ft. Lauderdale, Florida 1. Open Systems Interconnection (OSI) Understanding Where You Are

January 23-26, 2007 Ft. Lauderdale, Florida SIP is a Fully-Featured Protocol

January 23-26, 2007 Ft. Lauderdale, Florida RTP Carries SIP over UDP/IP/etc.

January 23-26, 2007 Ft. Lauderdale, Florida RTCP Reports on Traffic Conditions Real-Time Control Protocol (RTCP) packets are used to provide QoS measurement reports and other information. The VoIP RTCP Extended Reports (XR) Metrics Report Block (MRB) provides measurements (metrics) for monitoring quality of VoIP calls and conversations. These measurements include packet loss and discard metrics, delay metrics, analog metrics, and voice quality metrics.

January 23-26, 2007 Ft. Lauderdale, Florida 2. QoS and the Internet The Economics of peering and why it works in North America Tier I/II space- It is over provisioned and it is Managed

January 23-26, 2007 Ft. Lauderdale, Florida QoS and the Internet: The Economics of peering and why it works in North America IP NET NET A drops packets making the other to retransmit, and lowers his overall throughput. That’s lost revenue for B.

January 23-26, 2007 Ft. Lauderdale, Florida QoS and the Internet: It is over provisioned and managed MPLS INTERNET

January 23-26, 2007 Ft. Lauderdale, Florida VoIP in Private and Public IP Space Local and remote phone stations in private space SIP trunking POPs in public space If MPLS then equipment costs are radically lowered.

January 23-26, 2007 Ft. Lauderdale, Florida IP-PBXs Migrate PBXs – ITSPs Emerge ITSP PTSN IP PBX SIP Services GW SAFW SIP-Aware FireWall (SAFW)

January 23-26, 2007 Ft. Lauderdale, Florida IP by Itself has No QoS

January 23-26, 2007 Ft. Lauderdale, Florida MPLS was Created to Provide QoS

January 23-26, 2007 Ft. Lauderdale, Florida 3. SIP Trunking Basic Features SIP Trunking Applications: Competes with and beats T1 trunking “Event notification” - disaster recovery options Add Bandwidth QoS and security provided via SAFW and or MPLS On demand N-way conferencing 411 Directory Assistance Enhanced 911 services Access Directory Listing Local and Inbound Calling Platform for personalized applications and rich media services

January 23-26, 2007 Ft. Lauderdale, Florida SIP Trunking Competes VoIP to compete economically, and beat, T1 trunking to a TDM PBX. Hosted can’t scale well and doesn’t fit needs of the enterprise SIP trunking means X voice paths to Y stations where Y/X > 1; generally the ratio would be 4 trunks to 10 stations

January 23-26, 2007 Ft. Lauderdale, Florida SIP Trunking Feature - Conferencing On demand business meetings, training, broadcast announcements, call-to-meeting notifications, even reverse 911 are enhanced with SIP trunking.

January 23-26, 2007 Ft. Lauderdale, Florida 4. SIP Security & Firewalls Before we explore viable architectures for SIP systems, let’s understand one more critical concept. While SIP brings advancement in VoIP call connections, SIP faces the same security attacks as other IP protocols such as HTTP and SMTP such as malformed message attacks, SPIT-SPam over Internet Telephony, buffer overflow attacks, DOS-Denial-of Service attacks, eavesdropping, hijacking, injection of malicious RTP packets into existing RTP flows and other known and yet to be created attacks. In other words, special SIP firewall and other protection systems are recommended.

January 23-26, 2007 Ft. Lauderdale, Florida SIP Trunking Security and Reliability Need to Ensure Enterprise LAN is Correctly Designed for VoIP (i.e. a SIP-Aware Firewall Needs to be in Place) CPE Protection: SIP-Aware Firewall that allows L5 Security (i.e. no L2 pinholes) Require ITSP MD5 or IP Authentication for Account Authorization ITSP Should Split Media and Signaling to Different Redundant Locations, Making Taps Virtually Impossible ITSP Must Have Secure POPs That Can Fend Off all Outside Attacks: - DOS (Denial of Service) - IP Spoofing - SPIT (Spam over Internet Telephony)

January 23-26, 2007 Ft. Lauderdale, Florida SIP Trunking Security and Reliability MPLS INTERNET HOT SPOTS DSL-CABLE MODEMS

January 23-26, 2007 Ft. Lauderdale, Florida Let’s take a break to understand how your customer may see the “project.”

January 23-26, 2007 Ft. Lauderdale, Florida

Now back to getting serious 5. SIP trunking CPE Architectures Type 1 – Dedicated IP Pipe for VoIP Type 2 – Merged MPLS-Pipe with LER Tagging VoIP Type 3 – Merged IP pipe with SIP-Aware Firewall (SAFW) Type 4 – Separate IP Pipe for VoIP with Existing Non-SIP Firewall and SIP-Aware Firewall (SOFW) Type 5 – Merged IP Pipe with Incumbent Non-SIP-Aware Firewall, No DMZ Port and SIP-aware Firewall Type 6 – Looks like Type 5 but Merged IP Pipe with Incumbent Non-SIP-Aware Firewall, No DMZ Port and SIP-Aware Firewall Type 7 – Merged IP Pipe with Incumbent Non-SIP-Aware Firewall with a DMZ Port Type 8 – Merged IP Pipe with Incumbent Non-SIP-Aware Firewall

January 23-26, 2007 Ft. Lauderdale, Florida Type 1 – Dedicated IP Pipe for VoIP 1- The IP pipe is dedicated to VoIP so no QoS arrangements are needed with the carrier. 2 - No firewall is needed as there are no LAN connections with other enterprise devices. 3 - This is a common architecture for dedicated media gateway deployments.

January 23-26, 2007 Ft. Lauderdale, Florida Type 2 – Merged MPLS-Pipe with LER Tagging VoIP 1 – VoIP and enterprise data share the same IP pipe. MPLS tags the VoIP as the highest priority via the LER-Label Edge Router. 2 – The SAFW handles all SIP addressing transformation issues between the LAN and WAM demarc. 3 – Architecture offers full QoS for VoIP. 4 – Excellent utilization of IP pipe resources.

January 23-26, 2007 Ft. Lauderdale, Florida Type 3 – Merged IP pipe with SIP-aware Firewall (SAFW) 1 – VoIP and bulk enterprise share the same IP pipe. 2 – The SAFW-SIP-Aware Firewall handles all the QoS issues by prioritizing VoIP traffic over the bulk enterprise network. 3 – The SAFW handles all SIP addressing transformation issues between the LAN and WAM demarc. 4 – Architecture offers partial QoS for VoIP (no inbound UDP QoS). 5 – Excellent utilization of IP pipe resources.

January 23-26, 2007 Ft. Lauderdale, Florida Type 4 – Separate IP Pipe for VoIP with Existing Non- SIP Firewall and SIP-Only Firewall (SOFW) 1 – A separate IP pipe deployed for VoIP traffic only. 2 – QoS for VoIP realized by separating VoIP and bulk traffic to separate IP pipe. 3 – The SIP-Aware Firewall (SAFW) handles all SIP addressing transformation issues between the LAN and WAN demarc. 4 – The SAFE configuration is untouched and handles no VoIP traffic. 5 – No utilization of existing IP pipe for VoIP.

January 23-26, 2007 Ft. Lauderdale, Florida Type 5 – Merged IP Pipe with Incumbent Non-SIP- Aware Firewall, No DMZ Port and SIP-Aware Firewall 1 – VoIP and bulk enterprise share the same IP pipe. 2 – QoS is not realized for VoIP as there is no single point to control traffic. Excessive bandwidth is needed for VoIP to function. 3 – The SAFW handles all SIP addressing transformation issues between the LAN and WAM demarc. 4 – The SAFE configuration is untouched and handles no VoIP traffic. 5 – Full utilization of incumbent IP pipe for VoIP realized.

January 23-26, 2007 Ft. Lauderdale, Florida 1 – VoIP and bulk enterprise share the same IP pipe. 2 – QoS is realized for VoIP as there is a single point to control traffic. 3 – The SAFW handles all SIP addressing transformation issues between the LAN and WAM demarc. 4 – The SAFE configuration is untouched and handles no VoIP traffic. 5 – Full utilization of incumbent IP pipe for VoIP realized. Type 6 – Looks like Type 5 but Merged IP Pipe with Incumbent Non-SIP-Aware Firewall, No DMZ Port and SIP- Aware Firewall

January 23-26, 2007 Ft. Lauderdale, Florida Type 7 – Merged IP Pipe with Incumbent Non-SIP-Aware Firewall with a DMZ Port 1 – VoIP and bulk enterprise share the same IP pipe. 2 – QoS is not realized for VoIP as there is no single point to control traffic. Excessive bandwidth is needed for VoIP to function. 3 – The SAFW handles all SIP addressing transformation issues between the LAN and WAM demarc. 4 – The USAFW configuration is touched to allow VoIP to utilize the SAFE DMZ resource. 5 – Full utilization of incumbent IP pipe for VoIP realized. 6 – Works with the SAFW as SIP traffic traverses twice.

January 23-26, 2007 Ft. Lauderdale, Florida Type 8 – Merged IP Pipe with Incumbent Non-SIP-Aware Firewall 1 – VoIP and bulk enterprise share the same IP pipe. 2 – QoS is not realized for VoIP since there is no QoS feature in the SAFE. 3 – The UA handles all SIP addressing transformation issues between the LAN and WAN demarc via SIP NAT transversal features and/or by using STUN- Simple Transversal of User datagram protocol with an external STUN server. 4 – The SAFE security is breached by having ports opened for SIP UDP traffic. 5 – Full utilization of incumbent IP pipe for VoIP realized. 6 – Architecture does not scale well for anything beyond a few VoIP calls. 7 – This is architecture is suited only for hosted VoIP services with a small number of end-user stations in the LAN space.

January 23-26, 2007 Ft. Lauderdale, Florida ??? About Architectures Type 1 – Dedicated IP Pipe for VoIP Type 2 – Merged MPLS-Pipe with LER Tagging VoIP Type 3 – Merged IP pipe with SIP-Aware Firewall (SAFW) Type 4 – Separate IP Pipe for VoIP with Existing Non-SIP Firewall and SIP-Aware Firewall (SOFW) Type 5 – Merged IP Pipe with Incumbent Non-SIP-Aware Firewall, No DMZ Port and SIP-aware Firewall Type 6 – Looks like Type 5 but Merged IP Pipe with Incumbent Non-SIP-Aware Firewall, No DMZ Port and SIP-Aware Firewall Type 7 – Merged IP Pipe with Incumbent Non-SIP-Aware Firewall with a DMZ Port Type 8 – Merged IP Pipe with Incumbent Non-SIP-Aware Firewall

January 23-26, 2007 Ft. Lauderdale, Florida 6. The ITSP behind the SIP Trunk Getting to the ITSP proxy Resiliency in the event of failure Load to the ITSP proxy (dynamic routing to) When an ITSP element fails (real-time dynamic fault switchover) Getting to the PSTN- PSTN carrier options

January 23-26, 2007 Ft. Lauderdale, Florida ITSPs “Peer” For Customer Performance

January 23-26, 2007 Ft. Lauderdale, Florida VoIP Network – N-Plus™

January 23-26, 2007 Ft. Lauderdale, Florida Special ITSP Services for SIP Trunkers Online Traffic monitoring (TotalView) Online Billing Traffic re-routing (Total Reroute) Silent Running – Bandwidth Conservation

January 23-26, 2007 Ft. Lauderdale, Florida Completed Call Percentages

January 23-26, 2007 Ft. Lauderdale, Florida Real-Time Call Activity

January 23-26, 2007 Ft. Lauderdale, Florida Accounting History

January 23-26, 2007 Ft. Lauderdale, Florida 101 Summary SIP trunking competes- and beats T1 Trunking on price and features QoS- SAFW and or MPLS needed for bandwidth QoS SIP Security – private or public, it can be made secure SIP CPE Architecture- critical for creating a secure clear call The ITSP behind the SIP Trunk

January 23-26, 2007 Ft. Lauderdale, Florida

Important to have a reliable and well dimensioned network –Consider delay and QoS As secure as the corporate network for etc. Possible to increase security by implementation of encrypted SIP signaling (TLS) and media (SRTP) Communication on the LAN

January 23-26, 2007 Ft. Lauderdale, Florida Without Support for OP With Support for OP Default Gwy: Outb. Proxy: - Default Gwy: Outb. Proxy: - Default Gwy: Outb. Proxy: Many IP-PBXs can’t handle outbound Proxy SIP-unaware Firewall IP-PBX Ingate SIParator ® IP Outbound Proxy IP IP IP DMZ Default Gateway IP with IP-packets to destinations outside the logical network is sent to the Default Gateway for routing. Outbound Proxy is the equivalence to Default Gateway, but for SIP SIP Trunking Module Configure IP-PBX to ”pretend” that Ingate is the Service Provider Rewrites the domain part

January 23-26, 2007 Ft. Lauderdale, Florida Important to have a reliable and high quality Internet connection –Consider delay to ITSP –Of your connection QoS (voice should have priority) Voice travels over public Internet (as ) Possible to increase security by implementation of encrypted SIP signaling (TLS) and media (SRTP) Communications outside the LAN

January 23-26, 2007 Ft. Lauderdale, Florida Ingate SIP Trunking module solves this problem ! What if the Service Provider can’t handle domains ? Many Service Providers can’t handle domain names IP-PBX Ingate SIParator ® IP IP IP DMZ IP with SIP Trunking Module SIP-unaware Firewall With domain name, no problem ! Can only address the known public IP-address of the SIParator. Rewrites the domain part DNS record pbx.ingate.com resolves to IP DNS override pbx.ingate.com 

January 23-26, 2007 Ft. Lauderdale, Florida

Questions?

January 23-26, 2007 Ft. Lauderdale, Florida About BandTel Headquartered in Newport Beach, California, BandTel is a leading worldwide provider of SIP Trunking services. The company is dedicated to ensuring its customers and partners alike have access to the most reliable, end-to-end VoIP service available on the market today. Its N-Plus™ network architecture is designed to solve the throughput and redundancy problems on high-capacity SIP-based networks and eliminate any single point of failure. BandTel continues to develop strong partnerships with leading carriers and telecommunications companies, including Global Crossing, XO Communications, Level 3, Qwest Communications, Verizon Business, and Primus.

January 23-26, 2007 Ft. Lauderdale, Florida About Ingate Formed 2001 –Firewall technology from Cendio Systems Appliance firewalls since 1994 –Capital and SIP technology from Intertex Data AB Began SIP development in 1998 Released the worlds first SIP capable Firewall in 2001 Located in Stockholm and Linköping, Sweden with a subsidiary, Ingate Systems Inc., based in Hollis, NH. Confirmed IP-PBX interoperability: 3Com, Asterisk, Avaya, Broadsoft, Cisco Call Manager, Ericsson MX-One, Mitel, Pingtel, SER, Shoretel, Sphere, Swyx, Zultys Confirmed carrier interoperability: Bandtel, Broadband.com, Cbeyond, Global Crossing, IP-Only, O1, RNKTel, Tele2, VoEx

January 23-26, 2007 Ft. Lauderdale, Florida For More Information About SIP Trunking Visit BandTel’s New SIP Trunking Resource Center