January 23-26, 2007• Ft. Lauderdale, Florida
Deploying SIP on a Global Scale
Thom O’Connor, Director, Product and Services
CommuniGate Systems, January 25, 2007
VoIP in the News
“We are in the midst of a VoIP communications revolution“ - Jeff Pulver
The use of IP PBXs is poised to soar, according to a study by In-Stat that predicts sales of these devices will represent 51% of all PBX sales this year and grow to 91% worldwide by 2009. - Network World, August 2005
Long-term Benefits of VoIP
• Sophisticated call management – presence, call forwarding/routing
• Integrated voice, video, file transfer, IM
• (Arguably) communications at lower cost and with richer media (although the cost benefits are in transition and debatable)
• Consolidated identity management
• Granular policy/compliance capabilities
• ENUM for convergence of telephone numbers & IP addresses
• Mobility, access, flexibility
Focusing on SIP-initiated VoIP
• VoIP is an ambiguous concept encompassing many protocols including H.323, MGCP, SIP, 3GPP/IMS
• VoIP provides the IP-based transfer of:
  – Audio & Video (multimedia)
  – Instant Messages
  – Client-driven application sharing & whiteboarding
• Session Initiation Protocol (RFC 3261): SIP provides for open and standards-based signaling
• SIP provides registration, authentication, and discovery - allows two or more clients to locate each other, select a media type & define media sockets using SDP
• RTP used for audio/video payload, often directly between end devices
Diagram of SIP-initiated VoIP
Network Models for IP Communications
1. Service-Provider Model
2. Internet SIP usage with basic SIP Proxies
3. Client-Server SIP model, trusted users only
4. P2P Model
5. Distributed SIP model
Service-Provider Model
Advantages
• Easy to implement and use for end users
• Theoretical possibility of security within each provider
• Standardization not required
Disadvantages
• Proprietary, (often) closed networks
• Many non-interop devices
• Relatively few providers, relatively little choice & potential for oligopoly
• Actual security of data and accounts is unknown
• Little/no policy control
Internet SIP with basic SIP Proxies
Advantages
• Stateless proxies can achieve high performance, but often not usable or secure
Disadvantages
• Great difficulty in consistent signaling and media establishment with end users, especially those behind firewalls
• Little or no gateway session control (may be most significant for enterprise users)
• NAT traversal problems – STUN/TURN provides some NAT capabilities
• Presence conflicts when more than one end-user agent per user
Client-Server SIP model, trusted users only
Advantages
• Tight authentication and REGISTER control
• Little threat of Spam, Caller ID spoofing
• Mostly-secure internal communications
• “Near-end” and “Far-end” NAT traversal capable (if the SIP infrastructure is)
Disadvantages
• Not truly an Internet-wide distributed SIP infrastructure
• All non-local sessions routed through PSTN or other public service providers (IM gateways, etc.)
P2P Model
Ref: http://arxiv.org/ftp/cs/papers/0412/0412017.pdf
Advantages
• True IP-to-IP (as well as potentially IP-to-PSTN connectivity)
• Potentially free and unrestricted for IP-to-IP
• Cost
Disadvantages
• Not appropriate for Enterprises with controls on security/privacy
• Implemented today as another closed network
• Skype authentication network would appear to be a single point of failure
• Current implementations are not open standards, therefore restricted and of unknown security
Depending on viewpoint…
• Very difficult to block
Distributed SIP Model
-> Begins to look a whole lot like email today
Advantages
• True “Internet Communication”
• Sophisticated SIP gateways with session control capabilities
• Reliable media streams
• Server-based presence agents
• Session border control capabilities allow for content scanning, policy control (such as being able to enforce SIPS and SRTP)
Disadvantages
• Predictable addressing leads to same problems of spam
• Depending on your point of view, greater possibility of stream interception at gateway choke points (as compared to P2P)
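As an added example (not from the slides and not CommuniGate's code), the kind of SIPS/SRTP policy a session border controller at a gateway choke point could enforce: it parses an INVITE, requires a sips: Request-URI carried over a TLS Via, and requires every SDP media line to use the secure RTP profile. It also makes concrete the SDP media selection described under "Focusing on SIP-initiated VoIP"; the INVITE, hosts and user names are constructed.

```python
# Constructed sample INVITE (not from the slides): SIPS request over TLS whose
# SDP offer uses the secure RTP profile (RTP/SAVP). Names and addresses are made up.
SECURE_INVITE = (
    "INVITE sips:bob@example.com SIP/2.0\r\n"
    "Via: SIP/2.0/TLS alice-pc.example.org:5061;branch=z9hG4bK776a\r\n"
    "From: <sips:alice@example.org>;tag=1928301774\r\n"
    "To: <sips:bob@example.com>\r\n"
    "Call-ID: a84b4c76e66710@alice-pc.example.org\r\n"
    "CSeq: 314159 INVITE\r\n"
    "Content-Type: application/sdp\r\n"
    "\r\n"
    "v=0\r\n"
    "o=alice 2890844526 2890844526 IN IP4 192.0.2.10\r\n"
    "c=IN IP4 192.0.2.10\r\n"
    "m=audio 49170 RTP/SAVP 0\r\n"
)

def parse_sip(raw):
    """Split a SIP message into (start line, headers keyed by lower-cased name, body)."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers, body

def media_profiles(sdp):
    """Transport profile (third field) of every m= line in an SDP body."""
    return [m.split()[2] for m in sdp.split("\r\n") if m.startswith("m=")]

def gateway_policy(raw):
    """SBC policy: SIPS signalling over TLS and SRTP for every media stream.
    Returns (accept, reason); reason is the SIP status the gateway would answer with."""
    start, headers, body = parse_sip(raw)
    method, uri = start.split()[:2]
    if method != "INVITE":
        return True, "not a session setup; no media policy to apply"
    if not uri.lower().startswith("sips:"):
        return False, "403 Forbidden: SIPS Request-URI required"
    if not headers.get("via", "").upper().startswith("SIP/2.0/TLS"):
        return False, "403 Forbidden: TLS transport required"
    profiles = media_profiles(body)
    # Plain RTP (RTP/AVP) is rejected; only the secure profiles pass
    if not profiles or any(p not in ("RTP/SAVP", "RTP/SAVPF") for p in profiles):
        return False, "488 Not Acceptable Here: SRTP required"
    return True, "accepted"
```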
Evolutionary Path for Internet Communications?
• Current IM and “free VoIP” model is similar to that of the PSTN phone network – centralized services providing end-user accounts
• VoIP as a form of Internet Communications is far more powerful – distributed, open, interoperable with many servers/clients
• Ultimately – will look more like email does today?
• Move from IP-to-PSTN/PSTN-to-IP to end-to-end, IP-to-IP
• Trend towards distributed services out towards end-points (domain/DNS-based, maybe true P2P)
• WiFi/WiMAX phones may provide the last mile for end-to-end
Conclusion: SIP/RTP must be implemented via the standards and architectural best practices to be opened at the gateway points
Implications of Distributed VoIP
• Recipients must be given tools to manage accessibility and risks
• Strong requirements for user and domain-level authentication and ultimately, reputation services
• Requirements for relay protections, content filtering, gateway policies, anti-spoofing, lawful intercept
• Protection against DDoS, IP-based restrictions - RBLs, blacklists, whitelists
• User-based rules for protection
• Requirements for HA, clustering, and QOS
• Less reliance/dependence on service providers (acting as oligopolies)
• Policy management through sophisticated SIP gateway controls
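The "tight authentication and REGISTER control" of the client-server model, and the user/domain-level authentication and anti-spoofing requirements listed above, as an added example (not the speaker's or CommuniGate's code): a registrar verifies an RFC 3261 Digest response and then refuses to bind an address-of-record other than the one the user authenticated as. Realm, nonce, user database and passwords are constructed.

```python
import hashlib
import hmac
import re

# Constructed registrar state (not from the slides): the realm it serves, the nonce
# it issued in its 401 challenge, and its user database (username -> password).
REALM = "example.com"
ISSUED_NONCE = "dcd98b7102dd2f0e8b11d0f600bfb0c093"
CREDENTIALS = {"alice": "constructed-secret"}

def md5_hex(s):
    return hashlib.md5(s.encode()).hexdigest()

def digest_response(username, realm, password, method, uri, nonce):
    """RFC 3261 Digest (RFC 2617 form without qop): MD5(HA1 ':' nonce ':' HA2)."""
    ha1 = md5_hex(f"{username}:{realm}:{password}")
    ha2 = md5_hex(f"{method}:{uri}")
    return md5_hex(f"{ha1}:{nonce}:{ha2}")

def parse_authorization(header):
    """Turn 'Digest k="v", k2="v2"' into a dict of parameters."""
    params = {}
    for part in header[len("Digest "):].split(","):
        key, _, value = part.strip().partition("=")
        params[key] = value.strip('"')
    return params

def authorize_register(to_header, auth_header, nonce=ISSUED_NONCE, realm=REALM, creds=CREDENTIALS):
    """Registrar decision for a REGISTER: returns the SIP status line it would send."""
    p = parse_authorization(auth_header)
    # Stale or foreign nonce/realm: re-challenge instead of evaluating the response
    if p.get("nonce") != nonce or p.get("realm") != realm:
        return "401 Unauthorized"
    user = p.get("username")
    if user not in creds:
        return "403 Forbidden"
    expected = digest_response(user, realm, creds[user], "REGISTER", p.get("uri", ""), nonce)
    # Constant-time comparison so the check does not leak how many hex digits matched
    if not hmac.compare_digest(expected, p.get("response", "")):
        return "403 Forbidden"
    # REGISTER control: the authenticated user may only bind its own address-of-record
    m = re.search(r"<sips?:([^@>]+)@([^>;]+)>", to_header)
    if not m or m.group(1) != user or m.group(2) != realm:
        return "403 Forbidden"
    return "200 OK"
```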
Challenges of Implementing VoIP/SIP
• SIP protocol still in rolling development
• Many vendors adding non-standard methods that don’t always interop
• QOS and bandwidth issues, lost/out-of-order packets
• Power over Ethernet (PoE) not widespread
• Each SIP end-user device may state its own presence
• “Near-end” and “Far-end” NAT traversal
• Little policy/compliance for end-to-end data transfer
• Scalability & HA of VoIP infrastructure
• Emergency procedures (911)
• Security challenges (data capture, MITM, DDoS, virus?, encryption not commonly used)
• CALEA – capturing end-point data and media (though not necessarily un-encrypted media)
Dynamic Cluster with SIP Farm
• Single-address for email, collaboration, and VoIP
• Email traffic can be separated from SIP Farm
• Consolidated Identity management but Frontends are “specialized”
• Protects voice QOS even in event of DDoS or spam
Implications of Presence & Availability
• Far more invasive to be receiving voice calls unexpectedly than email/IM
• Requires assurance of identity in order to make presence and availability decisions
• Presence could reveal vulnerabilities, and must be granted granularly and selectively, especially outside the protected environment
Total Converged Solution with CGP
• Complete SIP-based infrastructure and applications
• Personalized voice and data services for thousands of domains
• All-Active Dynamic Cluster for 99.999% uptime for Messaging and Real-time traffic
• CGP handles all SBC and NAT traversal functions
CommuniGate Pro
Super Cluster
• Cluster of Clusters
• Used for scaling when regions are desired or when limited by storage subsystem
• Capable of sharing mailboxes between Backend clusters
CGP is not a Closed System
• The closed-network model for VoIP will inevitably end
• No one ever needs to ask whether their system can send an email to Yahoo
• Insecure for business – relies on outside, often unknown vendors
• Susceptible to cost hikes
• Not based on standards
• Not a true “end-to-end” model for direct connectivity
• Not a real Internet model - based more on the PSTN of the past
CGP Embraces Open Standards
• Open, RFC-compliant standards ensure all users can communicate
• The distributed Internet model has been proven with email, and is inevitable with voice
• Businesses are empowered with the ability to define their security and privacy policies
• Service Providers can offer security and encryption as well as perform Lawful Interception
• All users can choose their own client for email, collaboration, and voice and still interoperate with one another
EdgeGate Services
• In a Dynamic Cluster, the CommuniGate Pro “Frontend Servers” handle most EdgeGate Services
• In the Core Server, all functions handled on the same server
• Built-in Connection flow control, SPF, Reverse Connect, and Session Border Control
• Third-party plugins provided to complete the anti-spam/anti-virus defense:
  - Mailshell SpamCatcher
  - Cloudmark Authority
  - McAfee VirusScan
  - Sophos Virus Scanner
  - Kaspersky Virus Scanner
Massively Scalable Clustering for VoIP
(Diagram: signaling sessions and media sessions, with media relayed through a Media Proxy)
HP-CommuniGate-Navtel VoIP Benchmark
VoIP Benchmark Results - Navtel
VoIP Benchmark Results - sipp