
What is SIP Trunking?

eBook
A vast resource for information about all things SIP including SIP,
security, VoIP, SIP trunking and Unified Communications.
Edition 2 - November 2011
Table of Contents
NAT Traversal - Critical for Service Providers
Connecting to One of Many IP-PBXs
E-SBCs as the Demarcation Point
Microsoft OCS and SIP Trunking Troubleshooting
Connecting Remote Workers
The Role of an E-SBC
SIP Trunking with Legacy PBXs
Fax, Session Border Control and SIP Trunking, by Dialogic
SIP Trunking in Latin America and Europe, by Joel Maloff
NAT Traversal - Critical for Service Providers

SIP trunking is becoming more of a focus for service providers. One key issue many service
providers face when deploying SIP trunks is NAT, or Network Address Translation, traversal.

When connecting enterprises to SIP trunks directly via the Internet, carriers must resolve issues
created by the enterprise firewall and traverse the NAT to connect to the customer's Local Area
Network (LAN) while also maintaining security. Since carriers deploy SIP trunks on a mass scale, the
need to offer customers a guaranteed solution that works seamlessly, and is secure, is all the
more critical.

Traditional firewalls are designed to block unwanted, or unrecognized, traffic. When a traditional firewall
sees SIP communication (voice, in the case of SIP trunking), the firewall will not recognize that traffic
and, as a result, will block it. In addition, NAT breaks SIP. SIP is an application layer protocol at layer 7 of
the OSI model, whereas NAT is created at the transport layer, or layer 4, of the OSI model. Since the two are
in no way connected, NAT will always frustrate the introduction of SIP into a network.

When using SIP, it is necessary to employ an enterprise border element, like the Ingate SIParator, that
can provide the necessary functionality to resolve these problems. A benefit of the Ingate is that it will
not only allow the SIP traffic through but will do so in a way that protects the network (the Ingate
Firewall) or just the SIP traffic itself (the SIParator). Either way, Ingate technology is the safest way to
enable a SIP trunk installation.
Connecting to One of Many IP-PBXs

One of the most compelling uses of an Ingate for service providers is the opportunity to build
business fast. Carriers are using SIP trunking as a simplified way to offer their customers VoIP
capability. There's a strong demand, too, since their business customers can consolidate bills
and eliminate toll telephony costs with SIP trunks.

One of the problems for service providers is interoperability between their telephony switches
and the PBX at the customer premises. To be truly effective and secure, every customer's
IP-PBX must work seamlessly with the SIP trunk service. Achieving certification with every
vendor is a costly and time-consuming process, but very necessary.

The solution: utilizing an Enterprise Session Border Controller (E-SBC) at the edge of the
network, which serves as a normalization engine or universal adapter, connecting the
PBX to the SIP trunk and supporting requirements for authentication and signaling. With a
single E-SBC, the carrier is instantly, truly interoperable with the IP-PBX, offering their
customers the reliability of a proven interop solution. Massive interoperability testing is no
longer needed, further reducing costs for the service provider.

The E-SBC also provides other critical functions:

- Demarcation point: Many service providers want a clear hand-off point between their
  network and the end customer. The E-SBC serves this important function, delivering health
  and quality statistics while establishing a security boundary.
- Security and NAT traversal: When connecting enterprises to SIP trunks directly via the
  Internet, issues created by the enterprise firewall and the NAT must be resolved while also
  maintaining security. An enterprise border element provides the necessary functionality to
  resolve these problems.
- Advanced security: In addition to inspecting the SIP signaling and controlling the media ports, the
  E-SBC can add encryption to signaling and media (using TLS and SRTP), creating greater privacy.
E-SBCs as the Demarcation Point

Enterprise Session Border Controllers (E-SBCs) like the Ingate Firewall and SIParator serve as a
demarcation point between the network and the customer. Many service providers want a clear
hand-off point between their network and the end customer.

Using an E-SBC as the demarcation point, the ITSP can see both the LAN and the WAN side of the
customer's networks. This is a powerful troubleshooting tool, as it helps determine how far messaging
and/or media is reaching. The E-SBC can also show detailed logging information, including debug
messages, which can assist in troubleshooting issues throughout the enterprise network. In this way the
E-SBC can gather the statistics necessary to monitor service delivery and maintain Quality of Service.
Ingate products also have packet capture capabilities on all interfaces (LAN and WAN) in the
pcap format for evaluation in programs such as Wireshark.

The demarcation point can also serve as the first line of defense, as Ingate Firewalls and SIParators
are designed to secure applications based on SIP as well as protect the network. They can inspect the
SIP signaling and control the media ports. They can also add encryption to signaling and media (using
TLS and SRTP), creating greater privacy.

Placed at the customer edge, Ingate provides a demarcation point, security protection and NAT
traversal all in one solution.
Microsoft OCS and SIP Trunking Troubleshooting

We will be distributing the Ingate Knowledge Base on a biweekly basis beginning this week.

Last time the Knowledge Base covered the tremendous benefit to service providers that SIP trunks
offer: the ability to connect to one of many IP-PBXs. This capability allows them to ramp up business in
a very short amount of time.

This week we will address how Enterprise Session Border Controllers (E-SBCs) like the Ingate Firewall
and SIParator serve as a demarcation point between the delivery network and the customer.
Many service providers want a clear hand-off point between their network and the end customer.

Using an E-SBC as the demarcation point, the ITSP can see both the LAN and the WAN side of the
customer's networks. This is a powerful troubleshooting tool, as it helps determine how far messaging
and/or media is reaching. The E-SBC can also show detailed logging information, including debug
messages, which can assist in troubleshooting issues throughout the enterprise network. In this way the
E-SBC can gather the statistics necessary to monitor service delivery and maintain Quality of Service.
Ingate products also have packet capture capabilities on all interfaces (LAN and WAN) in the
pcap format for evaluation in programs such as Wireshark.

The demarcation point can also serve as the first line of defense, as Ingate Firewalls and SIParators
are designed to secure applications based on SIP as well as protect the network. They can inspect the
SIP signaling and control the media ports. They can also add encryption to signaling and media (using
TLS and SRTP), creating greater privacy.

Placed at the customer edge, Ingate provides a demarcation point, security
protection and NAT traversal all in one solution.
Connecting Remote Workers

One of the many benefits of employing SIP with an Ingate device is using Remote SIP
Connectivity, which allows employees to leverage the SIP capabilities of the corporate IP-PBX while
working from any remote location (home, satellite offices, etc.) as long as there is a connection to
the Internet.

This is possible without the need to upgrade the remote user's network to support SIP, or to implement
VPN tunnels from the remote site to the central location of the company. Essentially the remote user
can be tied in to the SIP capabilities of the main network without having to purchase additional
hardware or software for the remote site.

With this feature, employees can use the company IP-PBX as if they were collocated with it. This means
remote workers can utilize SIP trunking or VoIP, IM, real-time video chat and more for less cost than
using a cell phone or having a separate business line at their home office. There are also productivity
benefits to utilizing the many presence applications with SIP.

For example: an employee on the road can make phone calls to colleagues inside the LAN as well as
sales prospects outside the LAN by using SIP, instead of a cell phone. Remote SIP Connectivity can
also revitalize Internet-based support services with the immediacy of click-to-talk features.

Ingate's Remote SIP Connectivity software module is installed on the centralized Ingate SIParator or
Firewall. The Ingate can support many remote users and as many remote sessions as is permitted by
the number of traversal licenses installed on the Ingate unit.

The Ingate resolves NAT traversal issues both at the enterprise edge and at the remote site. Resolution
of the problem at the remote site requires only that far-end NAT traversal be enabled on the Ingate.
Remote SIP Connectivity includes a STUN server to support STUN clients, if available. Far-end NAT
traversal is used when a STUN client is not available, or if the remote user is behind a symmetric NAT.

With Remote SIP Connectivity enabled, the Ingate unit negotiates through the far-end NAT device and
keeps a pinhole open as long as the client is registered. This controlled NAT traversal provides
security benefits superior to those of alternative solutions.
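
The sketch below is an added example of the general far-end NAT traversal technique, not Ingate's implementation and not code from the eBook. A registrar at the enterprise edge records the address a REGISTER actually arrived from and grants a short registration interval, so the client's refreshes keep the remote NAT pinhole open and the binding disappears when the registration lapses. The class name, the 60-second NAT timeout and the sample addresses are assumptions.

```python
from dataclasses import dataclass

NAT_UDP_TIMEOUT = 60    # assumed idle timeout of the remote NAT's UDP binding (seconds)
REFRESH_MARGIN = 0.5    # grant registrations for half of that, so refreshes arrive in time


@dataclass
class Binding:
    contact: str          # address the phone wrote in Contact (private, unroutable)
    observed: tuple       # (ip, port) the REGISTER really came from, after the far-end NAT
    expires_at: float


class FarEndNatRegistrar:
    """Hypothetical registrar that routes on the observed source, not on Contact."""

    def __init__(self):
        self.bindings = {}

    def register(self, aor, contact, source, requested_expires, now):
        """Record the pinhole for this address-of-record; return the Expires to grant."""
        if requested_expires == 0:                 # explicit de-registration
            self.bindings.pop(aor, None)
            return 0
        granted = min(requested_expires, int(NAT_UDP_TIMEOUT * REFRESH_MARGIN))
        self.bindings[aor] = Binding(contact, source, now + granted)
        return granted

    def route(self, aor, now):
        """Where to send an inbound INVITE, or None once the registration has lapsed."""
        binding = self.bindings.get(aor)
        if binding is None or now >= binding.expires_at:
            self.bindings.pop(aor, None)           # stale pinhole: stop forwarding to it
            return None
        return binding.observed


if __name__ == "__main__":
    reg = FarEndNatRegistrar()
    aor = "sip:alice@example.com"                  # constructed sample values
    print(reg.register(aor, "192.168.0.5:5060", ("203.0.113.7", 40211), 3600, now=0))
    print(reg.route(aor, now=10), reg.route(aor, now=31))
```

Replies go to the exact source address and port seen on the REGISTER, which is what makes the approach work behind a symmetric NAT, where a mapping learned by a STUN client would not be valid for the registrar.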
The Role of an E-SBC

E-SBCs such as the Ingate SIParator sit at the edge of the network to provide control over the SIP traffic.
Traditionally they were seen as just providing firewalling protection, the security for SIP-based voice
networks. Today's E-SBCs do indeed provide that security, which is absolutely a critical function, but
have evolved to serve as a crucial element in enabling SIP deployments.

An E-SBC will:

- Normalize the SIP signaling so that the IP-PBX at the customer site and the service provider's network
  are fully compatible. While SIP is a standard, each implementation can be slightly different, and the
  service providers may each require a different level of authentication from the business. With the Ingate
  in place, these requirements can be met.
  Additionally, normalization of the SIP signaling allows service providers to support more IP-PBXs, or
  those IP-PBXs that are not yet certified by the ITSP. In this manner the ITSP can provide a wider array
  of options for their customers and expand their business without the need for extensive interoperability
  certification with each IP-PBX.
- Resolve NAT traversal issues to enable the adoption of SIP, SIP trunking and full Unified
  Communications by securely permitting SIP signaling and related media to traverse the firewall.
  Without this function, most companies will have one-way audio only.
- Provide security through deep packet inspection (DPI). DPI is a powerful way to protect not just SIP
  traffic, but also the network. It is a form of computer network packet filtering that examines the data
  (or datagram) and UDP/TCP header part of a packet as it passes through an Ingate SIParator or Firewall.
  DPI can be effective against buffer overflow attacks, denial of service (DoS) attacks, sophisticated
  intrusions, and a small percentage of worms that fit within a single packet.
- Provide control through authentication. Many service providers require authentication of the user with
  their network. Some IP-PBXs do not support this function. With the Ingate in place the service provider's
  requirement can be met regardless of which IP-PBX is used.
SIP Trunking with Legacy PBXs

SIP Trunking has been a hot topic for a while now. Many analysts are predicting rapid growth over
the next several years. At a recent industry event there was an entire panel discussion on SIP Trunking.
In talking with other attendees, delegates and customers it appears that SIP Trunking is moving beyond
analyst projections and into actual deployments. Most of the SIP Trunking focus to this point has been
on connecting the SIP Trunks to on-premise SIP equipment. While this is the most logical deployment
scenario from a compatibility point of view, a high percentage of the installed base does not have SIP
trunk-ready communications architecture. The majority of premises have legacy PBXs with traditional
TDM or hybrid-IP architectures, and given the state of the economy, these companies are not likely to
throw away equipment that is in fine working order.

So how does a company take advantage of the benefits of SIP Trunking without an expensive PBX
replacement or upgrade? The answer is that a gateway function is required to convert the SIP stream from
the SIP Trunk to a TDM stream for connection to the legacy PBX. Specifically, the gateway needs to
convert the packet-based VoIP media stream to traditional TDM circuit-switched channels. The gateway
also needs to convert the SIP signaling to a TDM protocol which is compatible with the PBX; therefore,
a wide variety of protocol support is desirable to achieve interoperability with the widest variety of
installed PBXs.

In addition to the gateway function, it is highly desirable to have SBC functionality to secure the
enterprise edge for the connection of the SIP Trunk. Ideally these two functions, the gateway function
and the SBC function, are delivered in a single easy-to-deploy package.

There are many devices that provide these two functions in a single box; unfortunately, in most cases
these devices provide very good functionality in one area and only limited functionality in the other area.
For example, an enterprise gateway is enhanced with some security features or a session border
controller is enhanced with some gateway features.

What is required is a full enterprise gateway function and a full enterprise session border control function.
Dialogic is in the process of developing just the product to meet these needs. Dialogic has been selling enterprise
media gateways for a number of years. Dialogic has recently licensed enterprise session border control
functionality from Ingate, and Dialogic is in the final phase of development of a new enterprise border element
product that combines the full functionality of the Dialogic enterprise media gateways and the Ingate enterprise
session border controllers. This new product will allow companies to realize the benefits of SIP Trunking without
the cost of replacing or upgrading their existing PBX.
Fax, Session Border Control and SIP Trunking
By Bud Walder, Solution Marketing Director, Dialogic

Often overlooked in an enterprise transition to VoIP services and solutions is the fax machine and the
fax server. Wait - do enterprises still use fax machines regularly? Dialogic, as the company that owns
the venerable Brooktrout fax server technology brand on which the greatest percentage of fax servers
are deployed worldwide, can assure you that fax is not only alive and well in 2010, it actually remains
a communications cornerstone for core business processes in many industries. In contract work alone,
it remains the leading document transmission technology as legal proof of signatory approval.

Unfortunately, fax is often overlooked during a TDM to IP migration, or expected just to work across
VoIP infrastructure. In short, fax does not work well if treated as a voice call over IP networks. The highly
reliable PSTN fax protocol known as T.30 becomes quite unreliable when exposed to the VoIP
vagaries of jitter, latency and packet loss. In fact, research shows that each individual fax page sent
has only an 80% chance of success, even when T.30 fax-aware pass-through techniques are employed.
And this failure rate is cumulative to the point where a 50 page fax document has about a zero percent
chance of being successfully transmitted in T.30 pass-through mode.

Enter the T.38 protocol. This ITU protocol was designed specifically for fax over IP, or FoIP. Its reliability
rivals traditional T.30 over PSTN networks, and it also consumes much less bandwidth on the IP network
than T.30 pass-through techniques. As it applies to SIP trunking and enterprise SBCs, the onus
is really on the SIP trunk service provider to deliver end-to-end T.38 wherever the fax rides on their IP
network. In truth, this is not something that many ITSPs can promise or deliver today. At Dialogic, the
interoperability team for our FoIP software platform, Dialogic Brooktrout SR140 Fax Software, has
validated a few ITSPs for reliable FoIP T.38 support, but generally it is a capability that the network
service providers are still developing. The SIP Forum and i3 Forum have made a joint announcement
recently to establish an international test program for FoIP. This is good news for developing more
reliable fax over SIP trunking and should help accelerate the adoption and deployment of T.38 within
the ITSP networks.

As for fax and the session border controller, T.38 does use SIP signaling, and the benefits of the SBC at the
network edge apply to FoIP as well, but only to enable it to pass securely from the enterprise network to the
ITSP network. It does not contribute otherwise to the successful transmission of the fax content. It does however
apply to an SBC edge device with an integrated gateway subsystem such as the newly announced Dialogic
BorderNet 500 Gateways. If routing fax over a SIP trunking service provider is a priority for an enterprise,
the gateway subsystem can be equipped to support T.30 to T.38 conversion, even running at the highest fax
transmission rate, known as V.34.
SIP Trunking in Latin America and Europe
By Joel Maloff, Maloff NetResults/Phone.com

The North American VoIP access and SIP trunking services market grew by 40.1% in user base and
22.3% in revenues in 2009, according to a report published by Frost and Sullivan. They also indicated
that VoIP access and SIP trunking services generated revenues of $717.3m in 2009 that are estimated
to reach $3.9 billion in 2016. Because of such gaudy reports, there is a tendency to extrapolate this to
all regions of the world.

Nothing could be further from the truth!

SIP trunking WILL grow internationally but there are various factors that will impact how quickly and to
what extent. For example, the driver behind the growth of SIP trunking in the US has been reduction of
cost for telecommunications operating expenses. Off-the-wall estimates often assert savings of 35% to
70%! This is based on the ability to reduce fixed costs from PRIs, the reduction of usage-sensitive costs
from toll calls, and the ability to reduce telecommunications carriers' fees such as EUCL and RCRF.

These are US-centric issues that are not always the same internationally. In addition, the availability of
broadband Internet access in the US is now almost taken for granted. A recent estimate indicated that
more than 65% of American adults have access to broadband. That is not true elsewhere in the world.
In Latin America, for example, the highest percentage for broadband availability is in Chile with 17%,
with other major economic powers well behind that! If you do not have access to broadband Internet,
SIP trunking is going to be a problem. Conditions are changing, however. Broadband penetration will
nearly double across Latin America, increasing from 7 percent in 2010 to 12 percent by 2015 (Research
and Markets, January 2011). As a result, Internet Telephony Service Providers (ITSPs) in Chile are
expecting the demand for SIP trunks to double in 2011.

Beyond broadband Internet availability, there are still other issues that make the US model different from
elsewhere. Regulators in each country have been slow to address the evolution of Internet telephony
and they retain archaic rules that inhibit or prevent the use of these services. For example, in Argentina,
you can have a softphone on your laptop with a Buenos Aires telephone number, but it is technically
illegal to use it anywhere other than in Buenos Aires! Regulations are going to change but it will be
years, and this also will slow the growth of SIP trunking.

Cost savings that have been seen in the US may not be available internationally. In some cases,
the major telecommunications companies require businesses to have a minimum charge
service agreement.
Case Study -- Kool Smiles
The ROI on SIP Trunking
Secure VoIP Technology Cuts Phone Costs Forty Percent for Kool Smiles

Kool Smiles, a children's dental management practice in the U.S., was an
early adopter of SIP trunking technology. SIP trunks have become a
simple, cost-effective way for businesses to transition from traditional
telephony to Voice-over-IP (or VoIP), which essentially shifts all phone
calls to the Internet.

Case Study -- Haiti
Unified Communications: A Lifeline for Doctors in Haiti

Establishing communications was a primary goal for a group of American
doctors who rushed to Haiti to aid victims of the catastrophic 7.0 magnitude
earthquake of 2010. Wireline telephony and cellular communications had all
been disrupted and the likelihood of a fast resolution was slim.

www.ingate.com
