Due to slides with Flash animation, please review in Slide Show Mode. High Volume Applications - SIP Trunking for the Contact Center. Presented by Pete Sandstrom, CTO, BandTel, and Janne Magnusson, Director Operations, Ingate
Session Overview 1. Why have signaling 2. “Inside” SIP 3. SIP Enterprise Benefits 4. SIP Benefits For The Contact Center 5. The Role of the Internet Telephony Service Provider (ITSP) 6. Special ITSP Services 7. Call Center Architectures 8. SIP and the Future
1. Why Have Signaling • Signaling provides the mechanism to set up, route, monitor and disconnect a call. • Signaling provides a way to alert a station (i.e. ring the phone). • Signaling provides a way to meter the service (i.e. lets the carrier generate you a bill).
3. SIP Enterprise Benefits • Save Costs - SIP Trunking can reduce trunking costs by 40%. • Convergence of the enterprise network organization - the data group is becoming the data/telecom group. • Provisioning is simplified - increasing or decreasing capacity is now simply a keyboard stroke and management is simplified with SIP Trunking. • Fewer Carriers- having the IP pipe and voice service from one source improves operations, reduces billing errors, simplifies “finger-pointing” problems and offers better price/SLA negotiations.
4. SIP Contact Center Benefits • New Applications - SIP and IP “frees one from location” allowing amazing new inbound and outbound possibilities. • Virtual Trunking - SIP can enable new applications not possible in TDM space due to the nature of IP being un-tethered from a specific location. • Geographical Unification - SIP can unify many dispersed enterprise offices into one virtual entity, and do so without any special leased circuit trunking facilities.
SIP Adds “Intelligent Signaling” The problem - a calling client needs to talk to an agent that specializes in handling accounts receivable issues on a particular product for a particular company. The serving contact center enterprise has agents in one of its four locations that can service the client's needs. • Inbound Caller Needs - to get to a contact center agent in a timely manner • Inbound Caller Needs - to get to the agent with the right expertise to handle their need • The Contact Center Needs - a virtual presence via virtual trunking • The Contact Center Needs - an unencumbered standard mechanism to terminate the caller to the right agent • The Contact Center Needs - to do all of the above in an economical manner
Inbound Contact Center with “Intelligent Signaling” [Diagram: PSTN and SIP ITSP feeding an intelligent CC front end; contact centers labeled “CC has no agents free”, “CC has no qualified agents”, “CC has qualified agents free” and “CC has no agents free”]
Outbound Contact Center Possibilities With SIP “Intelligent Signaling” • Outbound call centers generally dial out (auto dialers) at a rate that exceeds the number of physical agents that are sitting in the call center. • Only a fraction of the calls made get answered at the far end. • In order to keep the agent pool busy and talking at all times, a ratio of dialed calls to agents is maintained. Many times that ratio can be as high as 4, 5, or even 6 calls dialing for every agent present. • The result in TDM space is wasted bandwidth and wasted circuits. [Diagram label: Lots of calls “ringing”]
Outbound Contact Center Possibilities with SIP “Intelligent Signaling” • With SIP, bandwidth used for “call progress” tones is eliminated. • Callers-talking/bandwidth ratio is increased radically (4 to 5 times in some cases).
5. The Role of the ITSP-Internet Telephony Service Provider • Getting to the ITSP - should be “seamless” to the customer. • Total Resiliency - in the event of an ITSP element failure (it will happen) real-time dynamic fault switchover must be in place. • Load to the ITSP - dynamic diverse routing to multiple call processing elements should be automatic and with “no downtime.” • Getting to the Public Switched Telephone Network (PSTN) - the ITSP client needs many paths to and from the PSTN for resiliency and guaranteed continuation of service.
QoS and the Internet: The Economics of peering and why it works in North America [Diagram: IP NET - A and IP NET - B; Bandwidth (BW) managed zone: IP carrier peers watch and police each other; BW limited zone: BW limits strictly enforced by carrier] • In North America, we see a great call: • Packet delay: < 100 msecs • Packet loss: < 4% • Jitter: < 10 msecs
6. Special ITSP Services • Routing Plan Flexibility – QoS • Security – at the ITSP and Customer Premise • Special Services; i.e. Early Media (Silent Running) • Online Traffic Monitoring (TotalView) • Online Billing • Traffic Re-routing (Total Reroute)
Security: at the ITSP POP • Dynamic Authentication (Message Digest 5) - ITSP must watch for ID theft and flag. • IP authentication (static IP address) - virtually impossible to spoof if ITSP drops “source routed packets” at the border controller. • Split Paths - the ITSP should split media (conversations) and signaling to different redundant locations, making media/signaling taps virtually impossible at the Customer Premise Equipment (CPE) side. • Secure Borders - ITSP must have secure Points of Presence (POPs) that can restrict/deny all outside attacks such as: • DoS (Denial of Service) • IP Spoofing • SPIT (Spam over Internet Telephony) • VOMIT (Voice Over Mis-configured Internet Telephony)
Security: at the Customer Site • The CPE Border - SIP-Aware Firewall (SAFW) that allows L5 (Transport Layer 5) Security (i.e. no L2 (Datalink Layer 2) pinholes*) is a must have. • Authentication - must require ITSP Message Digest 5 (MD5) encryption or IP Authentication for Account Authorization. • Split Paths - the ITSP should split media (conversations) and signaling to different redundant locations, making media/signaling taps virtually impossible at the CPE side. • Security Inside - most fraud occurs from inside the CPE border. • Trojans - lurking on enterprise servers • Disgruntled or dishonest employees - past and present
7. Call Center Architectures - with Dedicated IP Pipes 1 - The IP pipe is dedicated to VoIP so no QoS arrangements are needed with the carrier. 2 - No firewall is needed as there are no LAN connections with other enterprise devices. 3 - This is a common architecture for dedicated media gateway deployments.
Call Center Architectures - with Shared IP Pipes 1 – VoIP and bulk enterprise traffic share the same IP pipe. 2 – The SAFW (SIP-Aware Firewall) handles all the QoS issues by prioritizing VoIP traffic over the bulk enterprise network. 3 – The SAFW handles all SIP addressing transformation issues between the LAN and WAN demarc. 4 – Architecture offers partial QoS for VoIP (no inbound UDP QoS). 5 – Excellent utilization of IP pipe resources.
8. SIP and the Future • Voice to packet is happening; it's just better - packet networks (IP in particular) are easier to manage and provision. As such the transition from voice to packet is inevitable. • New Services - in IP space new possibilities arise due to the nature of the technology. The media travels with its destination address inside, freeing it from circuits, and the inherent limitations of circuits. • New Choices - in packet space the end telecom user is empowered, and free to let the market work in their favor as alternate service providers are a keystroke away.
Summary • Successful ITSPs will: • Be resilient (fault tolerant) • Be scalable • Be secure, and • Provide a network and customer premise architecture that offers QoS.
What is Required for SIP to Traverse? • Signaling between the SIP client and its SIP registrar • In both directions • May be on the same or on different sides of the firewall • Callers must be able to reach the SIP registrar • At all times if you want to receive calls • Problem if caller on the outside and SIP registrar on inside (e.g. an IP PBX or MS LCS) • Media (the voice or video packets) must flow end to end • In both directions • Must reach the correct end point, even on a network with private addresses • Pin holes must be opened and media routed (NATed) Who shall be in control of all of this?
Who Shall be in Charge of the Firewall? The firewall manager, the users or some service provider? • STUN, TURN, ICE: • The users are in control, for SIP and ANY OTHER USAGE • The firewall has to be sufficiently open to allow this • Still cannot handle when the SIP Server is on the inside (e.g. IP PBX or MS LCS) • Session Border Controllers with Far end NAT traversal: • The service provider is in control • The firewall has to be sufficiently open to allow this • UPnP: • The clients (most often Windows) control the NAT/Firewall (for ANY USAGE) • Both the client and the firewall must implement UPnP • Clients still have to have open binding outside to SIP registrar • SIP capable firewall: • The firewall manager has a possibility to be in charge
Two Types of SIP Capable Firewalls • SIP Proxy based SIP aware Firewall/NATs (Intertex, Ingate) • General, can handle complex call scenarios • Encryption (TLS and SRTP) • Authentication • Additional functionality possible (Remote SIP Connectivity, VoIP Survival, SIP server, PBX etc.) • Lower level ALG SIP aware Firewall/NATs • Difficult to handle more than basic scenarios • TLS not possible
The Function of a SIP Capable Firewall • Check the SIP signaling • Rewrite for the different address spaces • Forward the signaling to the correct SIP proxy or client - For inbound calls: need to know location of each SIP user (unless registrar is on the inside) • Open pinholes in the firewall for the media - Only for the duration of the call - Only between the exact endpoints • Media flows through the pinhole (UDP/TCP) • Close pinholes after the call [Diagram: SIP capable firewall and SIP Proxy/Registrar, with SIP signaling and media paths; address labels 168.x.xx and 10.x.xx]
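The pinhole lifecycle listed on this slide, as an added example that is not Ingate's code: the firewall rewrites the SDP address on an outbound INVITE, opens a pinhole between the exact endpoints on the 200 OK, and closes it on BYE. The class name, addresses, Call-ID and the choice to keep the same RTP port after rewriting are assumptions.

```python
import re

def sdp_endpoint(sdp):
    """Return (ip, port) from the c= line and the m=audio line of an SDP body."""
    ip = re.search(r"^c=IN IP4 (\S+)", sdp, re.M)
    port = re.search(r"^m=audio (\d+) ", sdp, re.M)
    if not ip or not port:
        raise ValueError("SDP lacks a c= or m=audio line")
    return ip.group(1), int(port.group(1))

class PinholeTable:
    def __init__(self, public_ip):
        self.public_ip = public_ip
        self.pending = {}    # Call-ID -> inside endpoint seen in the offer
        self.open = {}       # Call-ID -> (inside endpoint, outside endpoint)

    def on_invite(self, call_id, sdp):
        """Outbound INVITE: note the inside endpoint, rewrite c= to the public address."""
        self.pending[call_id] = sdp_endpoint(sdp)
        return re.sub(r"^(c=IN IP4 )\S+", r"\g<1>" + self.public_ip, sdp, flags=re.M)

    def on_200_ok(self, call_id, sdp):
        """Answer arrives: only now is the pinhole opened, between exact endpoints."""
        if call_id not in self.pending:
            return False                 # answer without a matching offer: ignore
        self.open[call_id] = (self.pending.pop(call_id), sdp_endpoint(sdp))
        return True

    def on_bye(self, call_id):
        """Call ends: the pinhole is closed."""
        self.open.pop(call_id, None)

    def allows(self, src, dst_port):
        """Inbound media passes only from the negotiated peer to the negotiated port."""
        return any(outside == src and inside[1] == dst_port
                   for inside, outside in self.open.values())

# Constructed sample bodies (documentation address ranges, not from the slides).
OFFER = ("v=0\r\no=- 1 1 IN IP4 10.0.0.5\r\ns=-\r\nc=IN IP4 10.0.0.5\r\n"
         "t=0 0\r\nm=audio 40000 RTP/AVP 0\r\n")
ANSWER = ("v=0\r\no=- 2 2 IN IP4 198.51.100.7\r\ns=-\r\nc=IN IP4 198.51.100.7\r\n"
          "t=0 0\r\nm=audio 30000 RTP/AVP 0\r\n")
```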
The Ingate Solution: Fully SIP-Capable Firewalls [Diagram: normal firewalls compared with the Ingate Firewall® with SIP proxy and registrar; links labeled SIP and TLS]
You Don’t Need to Replace your Firewall! [Diagram: Ingate SIParator® on the DMZ of a normal firewall, SIP-enabling any firewall; links labeled SIP]
Encryption • Encrypted SIP-signaling • Support for TLS encryption. • Encrypted media • Support for RTP media streams created by Microsoft Windows Messenger. • Support for SRTP (Sdescriptions) [Diagram: IP-Phone, Ingate Firewall or SIParator, IP-PBX / SIP Server, with three modes labeled Pass through, Transcoding and Termination; link labels include TLS, SRTP, MS Encryption, RTP and “In the clear”]
Authentication • SIP Digest authentication • Equivalent to HTTP Digest. • Each user has a username and password. • Servers can verify that users are who they really claim to be. • Can be selected for different SIP methods. • TLS authentication • Clients can verify that the server is what it claims to be. • Hop-by-Hop • Encryption between each SIP device. • TLS can be used in only parts of the signaling path. • Gives encrypted Instant Messaging • Support for Mutual TLS (MTLS) • Local and external (RADIUS) user database supported
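How a server checks a SIP Digest response, as an added example that is not Ingate's or BandTel's code: it implements the RFC 2617 calculation that SIP reuses from HTTP and verifies a parsed Authorization header. The user "agent7", the realm, the password and the nonce are constructed values.

```python
import hashlib
import hmac

def _md5(text):
    return hashlib.md5(text.encode()).hexdigest()

def digest_response(user, realm, password, method, uri, nonce,
                    qop=None, nc=None, cnonce=None):
    """RFC 2617 response value, as used by SIP Digest."""
    ha1 = _md5(f"{user}:{realm}:{password}")
    ha2 = _md5(f"{method}:{uri}")          # binds the response to method and URI
    if qop == "auth":
        return _md5(f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")
    return _md5(f"{ha1}:{nonce}:{ha2}")

def verify(request_method, auth, passwords, issued_nonces):
    """Server-side check of parsed Authorization parameters (a dict)."""
    if auth.get("nonce") not in issued_nonces:
        return False                       # nonce was not issued by this server
    password = passwords.get((auth.get("username"), auth.get("realm")))
    if password is None:
        return False                       # unknown user or realm
    expected = digest_response(
        auth["username"], auth["realm"], password,
        request_method,                    # taken from the request line itself
        auth.get("uri"), auth["nonce"],
        auth.get("qop"), auth.get("nc"), auth.get("cnonce"))
    # Constant-time comparison of the two hex strings.
    return hmac.compare_digest(expected, auth.get("response", ""))

# Constructed sample: a REGISTER from a hypothetical user "agent7".
PASSWORDS = {("agent7", "cc.example.com"): "s3cret-constructed"}
NONCES = {"b7c9036dbf357f7c"}
SAMPLE_AUTH = {
    "username": "agent7", "realm": "cc.example.com",
    "nonce": "b7c9036dbf357f7c", "uri": "sip:cc.example.com",
}
SAMPLE_AUTH["response"] = digest_response(
    "agent7", "cc.example.com", "s3cret-constructed",
    "REGISTER", "sip:cc.example.com", "b7c9036dbf357f7c")
```

Because the method is part of the hash, a response captured from a REGISTER does not verify when replayed on an INVITE with the same nonce.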
SIP Filtering • IP addresses and/or networks filtering • The unit can be configured to allow SIP traffic from only certain IP addresses and/or networks • SIP To and From header filtering • Filters can be applied both on user and domain level. • Filtering on SIP header examples: • firstname.lastname@example.org can call email@example.com but not the other way around. • *@spam.org cannot call *@ingate.com • SIP content (MIME type) filtering • Filtering on specific SIP content types, e.g. Message (IM), Presence etc. • Can only be applied on “overall” level, not per user or domain • One application could be to e.g. prevent the use of IM. • Class 1xx message processing filtering • Select if status messages about the negotiation process will be forwarded to the client or stay in the server.
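A directional From/To filter of the kind described on this slide, as an added example that is not Ingate's implementation. The rule table, the first-match policy, the default action and the users alice and bob are assumptions; the *@spam.org rule is the slide's own.

```python
import re
from fnmatch import fnmatchcase

_AOR = re.compile(r"sips?:([^@;>\s]+)@([^;>:\s]+)", re.I)
_QUOTED = re.compile(r'"(?:\\.|[^"\\])*"')

def aor(header_value):
    """Extract user@domain from a From/To header value, or None."""
    # Drop the quoted display name first, so a name such as
    # "sip:ceo@ingate.com" cannot be mistaken for the real URI.
    m = _AOR.search(_QUOTED.sub("", header_value))
    if not m:
        return None
    return f"{m.group(1)}@{m.group(2).lower()}"   # the domain is case-insensitive

# (caller pattern, callee pattern, action); the first matching rule wins.
RULES = [
    ("*@spam.org", "*@ingate.com", "deny"),
    ("alice@example.org", "bob@ingate.com", "allow"),
    ("bob@ingate.com", "alice@example.org", "deny"),   # not the other way around
]

def decide(from_hdr, to_hdr, rules=RULES, default="allow"):
    """Return 'allow' or 'deny' for a request with these From and To headers."""
    src, dst = aor(from_hdr), aor(to_hdr)
    if src is None or dst is None:
        return "deny"                     # unparseable headers fail closed
    for caller, callee, action in rules:
        if fnmatchcase(src, caller) and fnmatchcase(dst, callee):
            return action
    return default
```

The From header is supplied by the caller, so a filter like this is only meaningful once the sender has been authenticated, for example with the Digest or TLS mechanisms on the Authentication slide.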
DoS Attack Prevention • Ingate has experience of DoS attacks in normal data firewall environments but we have not yet seen any SIP specific attacks outside our own lab • Available today • Ability to black list on IP address / Domain • SIP message loop detection • Maximum/guaranteed bandwidth (QoS) settings ensure that VoIP traffic is maintained in certain scenarios • Ingate architecture ensures that existing media sessions are unaffected by an overloading attack against the SIP stack • Management access is also isolated from SIP attacks allowing remedial action to be taken • Blocking of SIP packets on kernel level
Logging • Extensive SIP logging • All SIP packets can be logged in a readable format in the log • Detailed debug logging to understand Ingate behavior • Flexible log monitoring • Log information can be stored locally or sent via syslog and e-mail. • Status monitoring • SNMP supported • All registered users displayed • All active sessions displayed, including session status (state, used ports and detection of one-way media) • Call data records • Accounting information can be sent to a RADIUS server according to RFC 2866.
About BandTel • Headquartered in Newport Beach, California, BandTel is a leading worldwide provider of SIP Trunking services. The company is dedicated to ensuring its customers and partners alike have access to the most reliable, end-to-end VoIP service available on the market today. • Its N-Plus™ network architecture is designed to solve the throughput and redundancy problems on high-capacity SIP-based networks and eliminate any single point of failure. • BandTel continues to develop strong partnerships with leading carriers and telecommunications companies, including Global Crossing, XO Communications, Level 3, Qwest Communications, Verizon Business, and Primus.
About Ingate • Formed 2001 • Firewall technology from Cendio Systems • Appliance firewalls since 1994 • Capital and SIP technology from Intertex Data AB • Began SIP development in 1998 • Released the world's first SIP capable Firewall in 2001 • Located in Stockholm and Linköping, Sweden with a subsidiary, Ingate Systems Inc., based in Hollis, NH. • Confirmed IP-PBX interoperability: 3Com, Asterisk, Avaya, Broadsoft, Cisco Call Manager, Ericsson MX-One, Mitel, Pingtel, SER, Shoretel, Sphere, Swyx, Zultys • Confirmed carrier interoperability: Bandtel, Broadband.com, Cbeyond, Global Crossing, IP-Only, O1, RNKTel, Tele2, VoEx
For More Information About SIP Trunking Visit BandTel’s New SIP Trunking Resource Center www.BandTel.com/siptrunking2.asp