SIP Trunking - Benefits and Best Practices
Back in the days of wireline telephony, when all phone calls went over the Public Switched Telephony Network (PSTN), businesses would purchase “trunks” –dedicated lines or a bundle of circuits – from their service provider. Today the new model of “trunking” to IP-enabled enterprises can result in lower telephony costs and a rapid return on investment (ROI) plus the opportunity for enhanced communications within the enterprise as well as with vendors, customers and partners.
A SIP trunk is a service offered by an Internet Telephony Service Provider (ITSP) that uses SIP to set up communications between an enterprise PBX and the ITSP. A trunk encompasses multiple voice sessions – as many as the enterprise needs. While some see SIP as just voice, SIP trunking can also serve as the starting point for the entire breadth of real-time communications possible with the protocol, including instant messaging, presence applications, whiteboarding or application sharing.
The possibility for a rapid return on investment is a key driver of SIP trunk deployments.
SIP trunking delivers the following benefits:
- Eliminates costly BRIs (Basic Rate Interfaces) and PRIs (Primary Rate Interfaces) services.
- Removes the need to invest in additional PSTN gateway capacity as you grow.
- Reduces capital expenditures: edge devices offer a lower investment path in adding new lines as they are typically cheaper per line than the corresponding PSTN gateway.
- Optimizes bandwidth utilization by delivering both data and voice via the same connection.
- Maximizes flexibility in dimensioning and usage of lines, as you avoid having to buy capacity in chunks of 23 (T1) or 30 (E1) lines.
- Provides flexible termination of calls to preferred providers; calls to anywhere worldwide can be made for the cost of a local call.
- Enables redundancy with multiple service providers and links.
There are three components necessary to successfully deploy SIP trunks:
- IP-PBX with a SIP-enabled trunk interface.
- Enterprise edge device that supports SIP.
- Internet telephony or SIP trunking service provider (ITSP).
The productivity benefits that come with SIP and SIP trunking are also significant. By extending the SIP capabilities of the corporate network outside the LAN, satellite offices, remote workers and even customers can use VoIP and other forms of real-time communications applications to break down barriers of geography to share ideas and increase productivity.
Customer premises equipment (CPE) based on the SIP protocol – SIP phones, IP-PBXs, etc. – has been around for some time. Now that SIP trunks have gained momentum, it is important to ensure that equipment works together. It is for this reason that standards such as SIPconnect™ have become so critical. SIPconnect was developed by the SIP Forum as a set of best practices for interfacing an enterprise PBX implementation with an ITSP. It attempts to eliminate some of the unknowns and incompatibilities of mixing equipment from different vendors within a single environment.
Like any application that opens the private network to the Internet, SIP trunking has to be secured, and there are established ways to do so. One of the most effective is to address SIP security the same way data security is addressed: at the enterprise edge. A SIP server or SIP proxy at the edge offers maximum control over the flow of SIP traffic, enabling the administrator to ensure correct routing, apply verification and authentication policies and mitigate denial-of-service attacks.
Voice quality is not an issue with SIP trunking if proper Quality of Service (QoS) measures are applied, such as over-provisioning of links and prioritization of voice traffic. Reliability is not an obstacle either: with failover between multiple providers and links, SIP trunks can be made more reliable than a single traditional PSTN connection.
1. What is SIP trunking
Unlike traditional telephony, where bundles of physical wires were delivered from the service provider to a business, a SIP trunk allows a company to replace traditional fixed PSTN lines with PSTN connectivity via a SIP trunking service provider on an IP network like the Internet.
To take advantage of SIP trunking, the PBX must have a SIP-enabled trunking interface. As shown in Figure 1, it can be an IP-based PBX communicating to all endpoints over IP, but it may just as well be a traditional TDM PBX. The sole requirement is that an interface for SIP trunking connectivity is available.
Utilizing the Internet, the ITSP provides connectivity to the PSTN for communication from both mobile and landline phones.
The IP-PBX on the enterprise networks connects to the ITSP via an enterprise border element. The border element could be a SIP-capable firewall or a SIP-aware edge device, working alongside an existing enterprise data firewall (all these components are described in depth in section 3).
2. The benefits of SIP trunking
A large number of enterprises already use VoIP, however many are only using it for communication on the enterprise LAN. In this scenario, VoIP is being used solely as a direct replacement for traditional wire line telephony. For all calls made outside of the enterprise, a PSTN gateway at the enterprise edge is used. These businesses realize a solid return on investment (ROI) just by lowering administrative costs and the costs associated with calls made within the company.
With SIP trunking, the potential for ROI is even greater because SIP trunking takes the idea of VoIP a step further. The full potential of IP communications is realized when the communication is extended beyond the corporate LAN.
The cost effectiveness of a SIP trunk is such that by replacing an installation of a PSTN gateway/PRI with an edge device/SIP trunk, ROI may be achieved in a matter of months. For new installations a SIP capable edge device is most often lower in cost compared to the corresponding PSTN gateway functionality.
2.1 Calculating the investment ROI
It is almost impossible to calculate a “standard” ROI for a SIP trunking investment, as there are far too many service providers that offer services under widely differing terms and conditions. Additionally, voice calling rates are often bundled with other services making it more difficult to parse them out separately.
This section focuses on the fundamental parameters affecting the costs and the principles of how enterprises using an IP-PBX, moving from traditional TDM PRI connections to SIP trunks, can achieve a rapid return on investment.
One of the immediate ways SIP trunks reduce costs is by eliminating the need to purchase ISDN BRIs or PRIs, local PSTN gateways or equivalent functionality. Since the voice traffic is now routed through the Internet connection to the ITSP, no local connection to the PSTN is necessary at the enterprise location, except possibly for a few backup trunks for emergency calling. The gateways needed to connect to the PSTN reside with the ITSP.
The devices required at the enterprise edge for SIP trunking are not only typically cheaper per line than an equivalent PSTN gateway, but they also enable the whole breadth of SIP-based real-time communication and therefore become a strategic device in the future of enterprise communication.
2.2 Bandwidth utilization
In many organizations, both telephony and data capacity are underutilized. Telephony usage patterns in many organizations are characterized by “busy” hours that see many calls, all the way down to almost no calls (e.g. after business hours). Data or Internet traffic, on the other hand, is for the most part characterized by “bursts” of traffic happening throughout a business day.
If we plot the data using time periods with the highest usage at the left and then in descending order, it becomes evident how much of the total capacity is wasted.
In practice, when compared to real-time communications (such as voice), data traffic is usually not as time critical. Combining the two communication types on the same connection will give maximum use of capacity. By applying the correct Quality of Service (QoS) settings, critical voice communication can be prioritized over the data communication at all times.
With a SIP trunking solution, the capacity you need when you need it is always available. Instead of dimensioning the telephony capacity for peak usage, it may instead be dimensioned for average usage, allowing the dynamics of QoS to make sure that voice traffic always gets the capacity it needs. Voice traffic borrows bandwidth from data traffic during peak usage times.
2.3 Flexibility to change line capacity
The cost of adding lines with a SIP trunk connection follows a fairly linear pattern (i.e the cost is directly proportional to the number of lines).
When an enterprise using a TDM solution needs to increase its capacity, it generally happens in increments of 23 (T1) or 30 (E1) lines. Each additional E1 or T1 span requires:
- New PRI subscription.
- New PRI connection on the IP-PBX (PSTN gateway or similar resource).
When the capacity of the PSTN gateway resource and/or PRI connection is exceeded, it is necessary to invest in an additional PSTN gateway resource and/or PRI subscription. This is true even if you only need one more line. Going from one E1/T1 to two always requires additional hardware and they can generally only be bought in increments of 23/30 lines. Even if you move from an E1/T1 to a higher capacity standard bundle like STM-1, the termination hardware will need to be replaced. The SIP edge device does not have these scaling issues.
In a SIP trunk solution, the enterprise can increase capacity in increments of a single line by:
- Purchasing additional software licenses for the edge device.
- Allocating a greater percentage of the bandwidth for voice. Only if the total bandwidth capacity is used will the Internet data connection need to be upgraded.
The opposite is also true – if line capacity needs to be reduced due to seasonality in the business, it is just as easy to work with the service provider to turn off SIP trunks thereby saving money.
2.4 Least cost routing (LCR)
The use of IP makes it possible to cost efficiently use SIP trunks from multiple service providers, depending on optimal availability and the best rates (capitalizing on time zone differences, geography etc.). In essence, the enterprise can become its own “Master Service Provider” with subscriptions to service providers in countries where they have the highest calling volumes. By routing calls to the cheapest service provider based on country codes, for example, significant savings can be achieved.
These routing decisions can be made by the PBX or by the edge device. The fact that this ability can be built into the edge device means that low functionality PBXs can perform routing functionalities as well. By “outsourcing” this function to the edge device the PBX needs only to send the number as it is, and let the edge device act depending on destination etc.
Using multiple service providers provides a higher level of security and reliability:
- Failover to secondary Internet service provider.
- Failover to secondary service provider or back-up PSTN gateway.
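The routing decision described above, written out as an added example (not code from the original page or from any product it mentions): longest-prefix matching of the dialled E.164 number against each trunk's rate table, cheapest trunk first, with the remaining trunks forming the failover order and unavailable trunks skipped. The provider names, prefixes, per-minute rates and numbers are constructed; a real edge device would load them from its configuration and the ITSPs' rate sheets.

```python
"""Least cost routing (LCR) over several SIP trunks with failover order.

Added example, not from the original page. Provider names, dialling prefixes,
per-minute rates and dialled numbers are constructed for illustration.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass
class Trunk:
    name: str                   # assumed trunk name, e.g. "itsp-uk"
    rates: Dict[str, float]     # E.164 prefix without '+' -> rate/minute; "" matches any number
    available: bool = True      # False when monitoring (e.g. SIP OPTIONS pings) shows the trunk down


def best_prefix(number: str, prefixes) -> Optional[str]:
    """Longest-prefix match, so a mobile prefix (4477) beats its country code (44)."""
    best = None
    for p in prefixes:
        if number.startswith(p) and (best is None or len(p) > len(best)):
            best = p
    return best


def rank_trunks(number: str, trunks: List[Trunk]) -> List[Tuple[str, float]]:
    """(trunk name, rate) cheapest first. Position 0 is the primary route; the
    rest is the failover order if the attempt gets a 5xx response or times out."""
    digits = number.lstrip("+")
    candidates = []
    for t in trunks:
        if not t.available:
            continue
        p = best_prefix(digits, t.rates)
        if p is not None:
            candidates.append((t.name, t.rates[p]))
    return sorted(candidates, key=lambda c: c[1])


def route(number: str, trunks: List[Trunk]) -> Optional[str]:
    """Name of the trunk to try first, or None if no trunk can reach the destination."""
    ranked = rank_trunks(number, trunks)
    return ranked[0][0] if ranked else None


# Constructed rate table: a US-based ITSP, a UK-based ITSP and a local backup PSTN gateway.
TRUNKS = [
    Trunk("itsp-us", {"1": 0.010, "44": 0.030, "4477": 0.120}),
    Trunk("itsp-uk", {"1": 0.020, "44": 0.015, "4477": 0.080}),
    Trunk("pstn-gateway", {"": 0.250}),   # catch-all backup: any destination at the incumbent's rate
]

if __name__ == "__main__":
    for n in ("+12125551234", "+442071234567", "+447700900123", "+33123456789"):
        print(n, "->", rank_trunks(n, TRUNKS))
```

Note that the rate table doubles as a destination policy: a prefix that appears on no trunk is unreachable, which is the place to keep premium-rate or otherwise unwanted destinations out of reach of a compromised PBX. The catch-all backup trunk above deliberately defeats that, so in practice it should carry its own blocklist.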
2.5 Making IP-to-IP calls whenever possible
Today, many calls that could be carried over IP end to end are instead connected through TDM. This happens whenever a call is routed to a PSTN gateway. The true benefits of IP communications are then not only unrealized but defeated, as quality can suffer from repeated transcoding each time the call crosses between the IP and TDM domains.
ENUM (Electronic Number Mapping, also known as Telephone Number Mapping) is a standardized address translation technology adopted by the IETF (Internet Engineering Task Force) that uses DNS (Domain Name System) to link a phone number to a specific SIP address. It is used to automatically look up dialled phone numbers and determine whether they map to a known SIP address, allowing the call to be completed over the Internet instead of being handed to the PSTN. Since no traffic is placed on the PSTN, ENUM provides an additional means of cost savings for businesses that communicate with other enterprises also using SIP. If the number is not found in ENUM, the edge device routes the call to the service provider for termination to the PSTN.
With the growing installed base of SIP-based IP-PBXs, the critical mass for widespread deployment of ENUM will soon be here. We expect that an increasing number of calls will be transferred directly via SIP over IP between the calling parties instead of going over the PSTN.
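The ENUM step as an added example (not code from the original page): the E.164 number is turned into a name in the e164.arpa tree, the NAPTR records for that name are filtered to terminal E2U+sip entries, their regexp fields are applied to the number, and the call falls back to the ITSP when nothing usable comes back. Real deployments query DNS; here FAKE_DNS is a constructed answer set so the code runs offline, and the numbers, domains and the ITSP domain itsp.example.net are assumptions.

```python
"""ENUM lookup as an edge device performs it before falling back to the ITSP.

Added example, not from the original page. FAKE_DNS stands in for the NAPTR
answers DNS would return; all numbers, domains and records are constructed.
"""
import re
from typing import Optional

ITSP_DOMAIN = "itsp.example.net"   # assumed ITSP signaling domain for PSTN termination


def enum_domain(e164: str, suffix: str = "e164.arpa") -> str:
    """RFC 6116: drop '+', reverse the digits, dot-separate them, append the ENUM tree."""
    digits = e164.lstrip("+")
    if not digits.isdigit():
        raise ValueError("E.164 number must be '+' followed by digits")
    return ".".join(reversed(digits)) + "." + suffix


def apply_naptr_regexp(aus: str, regexp: str) -> Optional[str]:
    """Apply a NAPTR regexp field (<delim>pattern<delim>replacement<delim>[flags]) to the
    application unique string, i.e. the full E.164 number. None if it does not match."""
    delim = regexp[0]
    parts = regexp[1:].split(delim)
    if len(parts) < 2:
        raise ValueError("malformed NAPTR regexp: " + regexp)
    pattern, replacement = parts[0], parts[1]
    flags = re.IGNORECASE if len(parts) > 2 and "i" in parts[2].lower() else 0
    m = re.search(pattern, aus, flags)
    return m.expand(replacement) if m else None   # expand() honours \1..\9 backreferences


def resolve_enum(e164: str, records: list) -> Optional[str]:
    """Walk terminal ('u') E2U+sip records in order/preference sequence; return the first
    SIP URI. Anything that is not sip:/sips: is ignored rather than dialled blindly."""
    aus = "+" + e164.lstrip("+")
    usable = [r for r in records
              if r["flags"].lower() == "u" and r["service"].lower().startswith("e2u+sip")]
    for r in sorted(usable, key=lambda r: (r["order"], r["preference"])):
        uri = apply_naptr_regexp(aus, r["regexp"])
        if uri and uri.lower().startswith(("sip:", "sips:")):
            return uri
    return None


def route_call(e164: str, dns: dict) -> tuple:
    """('sip', uri) when ENUM yields a SIP destination, else ('itsp', uri) for PSTN termination."""
    uri = resolve_enum(e164, dns.get(enum_domain(e164), []))
    if uri:
        return ("sip", uri)
    return ("itsp", "sip:+" + e164.lstrip("+") + "@" + ITSP_DOMAIN)


# Constructed NAPTR answer sets keyed by ENUM domain (what DNS would return).
FAKE_DNS = {
    enum_domain("+442071234567"): [
        {"order": 100, "preference": 10, "flags": "u", "service": "E2U+sip",
         "regexp": "!^.*$!sip:sales@example.com!"},
        {"order": 100, "preference": 20, "flags": "u", "service": "E2U+email:mailto",
         "regexp": "!^.*$!mailto:sales@example.com!"},
    ],
    enum_domain("+12125554321"): [
        # Backreference form: keep the national number as the SIP user part.
        {"order": 10, "preference": 10, "flags": "u", "service": "E2U+sip",
         "regexp": r"!^\+1(.*)$!sip:\1@pbx.example.org!"},
    ],
}
```

Because ENUM is just DNS, the answer is only as trustworthy as the resolver path: without DNSSEC validation a spoofed NAPTR record can redirect a company's outbound calls, and even a genuine record is supplied by whoever controls that number's entry, which is why the result is restricted to sip:/sips: URIs and should be sent through the edge device's normal policy rather than dialled directly.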
2.6 SIP trunking – the stepping-stone to higher productivity
Although it is more difficult to quantify, the productivity gains that can be achieved by utilizing SIP trunking can be significant. Introducing SIP-based real-time communication has a tremendous impact on how people work, collaborate and communicate – now and in the future. SIP trunking is an important step in this direction as it is the feature that moves communication from the old PSTN connection to the Internet. Once that is done the field is open for adopting all of the productivity-enhancing features that SIP offers.
SIP has become the standard protocol for VoIP. However, it was originally designed to initiate all types of real-time communications over the Internet, not just voice.
These types of real-time communication include:
- Presence, to see who is currently online and available.
- Instant Messaging (IM), text messaging in real-time.
- File transfer.
- Application sharing, collaboration on a single document.
- Whiteboarding, writing and drawing on a common virtual whiteboard.
- Video conferencing.
- Machine-to-machine real-time communication.
- Distribution of alarm notifications.
A broad suite of rich communications options enables users to exchange ideas in the best possible way for their immediate situation. For instance, remote workers at a WiFi-enabled hotspot may prefer communicating with colleagues via IM, not VoIP.
The seamless enterprise – road warriors and home users
One of the key benefits of rich communication applications is the ability to make businesses run seamlessly. Business can be conducted from anywhere in the world – regardless of time zones or locations (such as in the case of remote workers) – so that customers can always reach and interact with your business. In addition, employees can access corporate resources from any location that makes them more productive; they can readily call in expertise from colleagues in other offices or even other countries, or use SIP to provide customers with the best service.
This same technology for remote connectivity can be used for all clients including PC-based softphones and IP phones connected to the Internet. This is an advantage of the SIP protocol: the ability to register multiple devices with the same address (i.e. a phone number). A user can then, for example, use an IP phone/softphone at their home office and an IP-only phone in the corporate office, both registered to the same number. One number reaches the employee in multiple locations.
Dual-mode handsets supporting voice over cellular and WiFi
The demand for mobile phones equipped with both cellular and WiFi capabilities is very strong – all smartphones sold today offer this capability. The potential cost savings for a person who frequently travels overseas, and is able to transform expensive cellular calls into near zero cost VoIP calls when connected to the Internet, is significant.
Mobility solutions that seamlessly switch between WiFi and cellular (3G) connections with no interruption in the call are available today and extend a rich set of capabilities to the mobile workforce.
3 SIP trunking infrastructure
This section will describe in detail the three components needed to set up a SIP trunking solution:
- IP-PBX with a SIP-enabled trunk interface.
- Edge device that can handle the traversal of SIP traffic.
- SIP trunk from an ITSP.
3.1 The PBX component
This section will provide an overview of the different types of PBXs available on the market.
The traditional PBX
A PBX (Private Branch eXchange or Private Business eXchange) is a telephony exchange serving an enterprise or large branch location. It performs the basic function of routing calls to their destination as well as providing a large number of value-added features: call transfer, hold music, redirect when busy or no answer, etc. The traditional TDM PBX was connected to a dedicated premises network that only carried voice traffic.
The line-side IP-enabled PBX
The LAN for data traffic was a later addition to the enterprise and was deployed as a separate and parallel premises network. For many years these two networks coexisted, serving separate but related communications functions.
The first IP-based PBXs, or IP-PBXs, focused on making the line side of the PBX (i.e. the side connecting to the telephones) run over IP. The first and very obvious advantage of doing this was that the two premises networks could now be converged into one common network: the LAN. IP phones could be connected to the same physical network as computers and servers. Having made this change to a common premises infrastructure, it also became possible to introduce PC-based soft phones instead of traditional telephone sets.
Some argue that voice and data traffic should not be mixed on the same LAN or at least should be run on separate virtual LANs (VLANs). The reason for this position is that voice traffic, due to its real-time nature, is sensitive to delays or lack of bandwidth in the infrastructure, which may result in poor voice quality. However, this issue is readily solved and should not stand in the way of realizing the benefits of converged communication as described in the previous section. The bandwidth available on most enterprise LANs, 100Mbit/s or 1Gbit/s, is more than sufficient for most typical enterprise applications. By using appropriate QoS techniques, enterprises can easily ensure that the voice traffic gets the appropriate priority to ensure voice quality.
As mentioned above, IP telephones connected through the corporate LAN have been around for quite a few years. However, whenever calls needed to flow outside the corporate LAN they had to be routed to a local PSTN gateway (or through a PSTN gateway function within the PBX) and converted to traditional TDM-based telephony. This often requires proprietary equipment, which can be expensive, especially as TDM capacity is added.
In a world where more and more endpoints are IP based, there is a risk of deteriorating sound quality due to repeated transcoding between IP and TDM as shown in figure 7 in section 2.5.
The next natural step in the evolution of IP based communications, is to use IP for the interface to the world outside the corporate LAN. This is done by IP-enabling the trunk interface on the PBX as well, thereby completing its full transformation into an end-to-end IP-PBX. In practice, this happens in one of two ways. For earlier TDM or IP-PBXs this can be achieved by placing an IP front-end on the trunk interface creating what is usually referred to as a hybrid IP-PBX. This PBX contains both legacy TDM and IP-enabled parts. Newer IP-PBXs, or systems that are designed from scratch, are usually built with IP technology from the ground up, without the legacy TDM part. For such systems any connection to the PSTN requires a distinct PSTN gateway resource.
There are a number of protocols available that could be used to IP-enable the trunk interface, including MGCP, H.323 and SIP. The use of an IP-based trunk interface provides all the benefits described in the previous chapter and addresses the issues of sound quality and cost.
Benefits of IP-based PBXs over legacy systems
In the following section further advantages of IP-based PBXs, in addition to the benefits of SIP trunking, are highlighted.
Connect multi-vendor end points
There is a trend in the PBX market to allow equipment from different vendors to coexist within the same PBX system. This will allow the enterprise to preserve investments made in phone endpoints even if the central PBX equipment is replaced. This allows the user to select phones, media servers and switches from their preferred vendor. PBX vendors that choose to allow this believe that the customer will be more likely to swap to their system if they can keep their existing phones. Some vendors, however, continue to lock their customers in to their own end equipment by making various proprietary extensions to the system.
One of the most obvious advantages of an IP-based PBX system is increased manageability:
- By using the existing data network, the need for separate wiring for a telephony system is eliminated.
- The phone becomes a kind of computer that allows the administrator to easily make upgrades and force policies to each phone from a central management system.
- The ID and configuration of the phone will follow the phone, regardless of where it is connected to the network.
- Users may log in to the phone when they arrive at a new desk; user profiles and information will automatically be loaded into the phone allowing greater flexibility.
Integration with other IP-based applications
The SIP IP-PBX serves as the primary registrar of SIP users and utilizes this information for routing purposes. But the fact that the PBX is now IP-based also means that it can be integrated with other communications applications running on servers on the LAN. One of the best examples of this is converged communications soft clients that can integrate voice capabilities with applications such as video conferencing, presence, instant messaging, file transfer, white boarding, etc. Through such integration the PBX becomes part of a greater converged communication system that enables the enterprise to benefit from productivity enhancing communications applications.
3.2 The enterprise edge component
The enterprise edge component can either be an existing firewall with comprehensive support for SIP or an edge device connected to the firewall, handling the traversal of the SIP traffic.
When moving to VoIP, the telephones are IP enabled and connected to the data network. It is imperative to safeguard the system from attacks and other unwanted access. A data firewall protects the network by rejecting attacks and illegal data packets, allowing only approved traffic. On a local area network, where several PCs or other equipment are connected, it is common to have private IP addresses on the LAN and a single common public IP address to the Internet. Data that flows between the private and public networks has to pass through a NAT (Network Address Translation) function, which is usually integrated into the firewall.
Firewalls and NAT routers are designed for data traffic that is initiated from the inside of the private network. Because malicious attacks on the network frequently originate from outside of the private network, firewalls and NAT routers protect the enterprise by blocking this kind of traffic. Often inbound SIP traffic is not recognized by traditional enterprise firewalls or NAT routers and can be rejected as unwanted traffic.
The biggest hurdle for IT managers looking to SIP-enable their network is architecting the system to handle the traversal of SIP traffic across the firewall. The majority of current firewalls and NAT-routers are still not designed to handle full end-to-end communication, and inbound voice traffic will not reach users on the LANs unless the enterprise firewall has specific SIP support. SIP traversal of firewalls and NATs is becoming a commodity in the sense that most vendors advertise support for the protocol. However, the basic SIP support offered by most of these vendors does not have the richness of features to fulfill the needs of a complex enterprise environment. It is critical that IT managers evaluate their current firewall solution to ensure there is proper SIP support when new firewalls and NAT routers are installed.
One problem is that the media streams (e.g. voice) are transferred over dynamically assigned UDP ports that are generally closed. The firewall must be able to dynamically open and close ports based on the negotiation that happens via SIP signaling when a call is set up. Another problem is that the endpoints inside the firewall cannot be reached by IP addresses since these are generally private and local to the LAN. Communication simply cannot happen, unless there is specific SIP support in the firewall.
Several methods have been suggested to resolve the issue of reaching endpoints on the LAN. One such method solves the problem where it occurs: within the firewall itself. Firewalls that contain a SIP server, with SIP proxy, SIP registrar and possibly a B2BUA (Back-to-Back User Agent), which dynamically control the firewall, have been available for many years. This solution provides optimal flexibility, as SIP signaling can be rewritten and processed in a very flexible way, ensuring correct routing and interoperability with other systems built to RFC 3261 and related standards.
Several firewall vendors develop models with a SIP ALG (Application Layer Gateway). ALGs usually work at a lower level than a proxy, adjusting the data packets “on the fly.” Major vendors have developed firewalls with ALGs that also handle incoming calls to multiple users, while simpler implementations may only support a single user on the LAN. One limitation of the ALG architecture is that it cannot handle secure SIP signaling via TLS (Transport Layer Security): an ALG must read and modify the signaling in transit, which is exactly what encryption prevents unless the edge device itself terminates the TLS session. This architecture also lacks the ability to rewrite SIP signaling in several ITSP scenarios.
Mediation between PBX and service provider equipment
Most basic call scenarios in a SIP trunking solution, using equipment from different vendors, work well. However, when more advanced features such as call transfer are used, problems occur when vendors do not strictly adhere to the standard. In addition, SIP is a flexible standard that leaves some room for vendor interpretation. This means that, at times, two entities can have difficulties talking to each other even though neither directly violates the standard.
To make the situation even more complex, some ITSPs and PBX vendors only implement parts of the standard. Or, they add vendor-specific extensions to the standard.
While performing traversal and security, these SIP-capable edge devices can also mediate between the PBX and service provider, offering an important function. They can process the SIP signaling and media in a way that is understood and expected by both the ITSP and the PBX.
Security from the edge device
SIP-enabling edge devices can also add a layer of security to enterprise communications, specifically in securing SIP media. Most security administrators will have serious concerns about connecting a PBX system directly to the public Internet without any SIP-aware firewall in front of it. Like any server on the LAN, it needs to be protected by a firewall. A PBX is not built to withstand or recover from denial-of-service attacks and, in most cases, has no filtering capabilities of its own to discard unwanted traffic before it consumes processing power, so that only legitimate requests reach the call-processing logic. The enterprise edge device can secure the SIP signaling and media as well as the data traffic.
The edge device can also protect the network from eavesdropping. Encryption of signaling and media using the IETF standards is recommended: TLS (Transport Layer Security, the same protocol that secures https) for signaling and SRTP (Secure Real-time Transport Protocol) for media. Both are recommended by SIPconnect.
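The filtering function described above, as an added example (not code from the original page or any product it names): a sliding-window rate limiter that counts SIP requests per source address and blocks a source that exceeds the limit, applied before anything reaches the PBX's SIP parser. The arrival records are constructed (seconds, source IP, SIP method). The trusted set stands for the ITSP's known signaling addresses and is an assumption; because UDP source addresses can be spoofed it is a filter, not authentication, which is one more reason to run the trunk's signaling over TLS.

```python
"""Per-source rate limiting of SIP requests at the enterprise edge.

Added example, not from the original page. Arrival records, addresses and
the trusted ITSP address are constructed for illustration.
"""
from collections import defaultdict, deque
from typing import Deque, Dict, List, Set, Tuple

Arrival = Tuple[float, str, str]   # (seconds, source IP, SIP method)


class SipRateLimiter:
    """Sliding window: more than `limit` requests from one source within
    `window_s` seconds blocks that source for `block_s` seconds."""

    def __init__(self, limit: int, window_s: float, block_s: float):
        self.limit, self.window_s, self.block_s = limit, window_s, block_s
        self._hits: Dict[str, Deque[float]] = defaultdict(deque)
        self._blocked_until: Dict[str, float] = {}

    def allow(self, now: float, src_ip: str) -> bool:
        if self._blocked_until.get(src_ip, 0.0) > now:
            return False
        q = self._hits[src_ip]
        while q and now - q[0] > self.window_s:   # forget hits that left the window
            q.popleft()
        q.append(now)
        if len(q) > self.limit:
            self._blocked_until[src_ip] = now + self.block_s
            q.clear()
            return False
        return True


def filter_requests(arrivals: List[Arrival], trusted: Set[str],
                    limit: int = 5, window_s: float = 1.0, block_s: float = 30.0):
    """Split arrivals into (accepted, dropped) as the edge device would, in time order."""
    limiter = SipRateLimiter(limit, window_s, block_s)
    accepted, dropped = [], []
    for t, ip, method in sorted(arrivals):
        ok = ip in trusted or limiter.allow(t, ip)
        (accepted if ok else dropped).append((t, ip, method))
    return accepted, dropped


# Constructed traffic: the ITSP at 10 INVITE/s (trusted), a scanner flooding
# REGISTER at 20/s, and a remote worker placing three calls.
ARRIVALS: List[Arrival] = (
    [(0.1 * i, "198.51.100.7", "INVITE") for i in range(20)]
    + [(0.05 * i, "192.0.2.66", "REGISTER") for i in range(40)]
    + [(1.0 + 0.5 * i, "203.0.113.44", "INVITE") for i in range(3)]
)
TRUSTED = {"198.51.100.7"}

if __name__ == "__main__":
    acc, drop = filter_requests(ARRIVALS, TRUSTED)
    print(len(acc), "accepted,", len(drop), "dropped")
```

With the defaults the scanner gets its first five REGISTERs through and is then blocked for 30 seconds, while the ITSP and the remote worker are untouched. On a real edge device the same counters would also feed alerting, since a burst of REGISTER or INVITE from an unknown address is the usual first sign of a toll-fraud scan.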
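The handling described in this section (the dynamically negotiated media ports that the firewall must open, the private LAN addresses that the SDP carries, and the SRTP policy of the previous paragraph) as one added example that is not code from the original page or from any product it names. The INVITE, its addresses, ports, tags and the SRTP key value are constructed. The block parses the offer the PBX sends towards the ITSP, derives the UDP pinholes, rewrites the private address in the SDP to the public one as an ALG would, and rejects the offer when policy requires SRTP and plain RTP is offered.

```python
"""What a SIP-aware edge device does with the INVITE the PBX sends towards the ITSP.

Added example, not from the original page. The message, addresses, ports and
keys are constructed for illustration.
"""
import re
from typing import Dict, List, Tuple

CONSTRUCTED_INVITE = (
    "INVITE sip:+12125551234@itsp.example.net SIP/2.0\r\n"
    "Via: SIP/2.0/UDP 10.0.0.5:5060;branch=z9hG4bK776asdhds\r\n"
    "From: <sip:2001@10.0.0.5>;tag=1928301774\r\n"
    "To: <sip:+12125551234@itsp.example.net>\r\n"
    "Call-ID: a84b4c76e66710@10.0.0.5\r\n"
    "CSeq: 314159 INVITE\r\n"
    "Contact: <sip:2001@10.0.0.5:5060>\r\n"
    "Content-Type: application/sdp\r\n"
    "\r\n"
    "v=0\r\n"
    "o=pbx 2890844526 2890844526 IN IP4 10.0.0.5\r\n"
    "s=-\r\n"
    "c=IN IP4 10.0.0.5\r\n"
    "t=0 0\r\n"
    "m=audio 49170 RTP/AVP 0 8\r\n"
    "a=rtpmap:0 PCMU/8000\r\n"
)

# The same offer with SRTP: RTP/SAVP profile and an RFC 4568 a=crypto key line (illustrative key).
CONSTRUCTED_SRTP_SDP = (
    "v=0\r\no=pbx 1 1 IN IP4 10.0.0.5\r\ns=-\r\nc=IN IP4 10.0.0.5\r\nt=0 0\r\n"
    "m=audio 49170 RTP/SAVP 0\r\n"
    "a=crypto:1 AES_CM_128_HMAC_SHA1_80 inline:WVNfX19zZW1jdGwgKCkgewkyMjA7fQp9CnUnCg==\r\n"
)


def split_sip(raw: str) -> Tuple[str, Dict[str, str], str]:
    """Request line, headers (names lower-cased) and body of a SIP message."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers, body


def media_sections(sdp: str) -> List[dict]:
    """Group each m= line with the a= lines that follow it (RFC 4566 media-level section)."""
    sections = []
    for line in sdp.splitlines():
        if line.startswith("m="):
            fields = line[2:].split()
            if len(fields) < 3:
                raise ValueError("malformed m= line: " + line)
            sections.append({"media": fields[0], "port": int(fields[1]),
                             "proto": fields[2], "attrs": []})
        elif line.startswith("a=") and sections:
            sections[-1]["attrs"].append(line[2:])
    return sections


def pinholes(sdp: str) -> List[int]:
    """UDP ports to open for this call only: RTP port plus RTCP (port+1 unless a=rtcp says otherwise)."""
    ports = []
    for s in media_sections(sdp):
        if s["port"] == 0:          # port 0 means the stream is disabled
            continue
        rtcp = [a for a in s["attrs"] if a.startswith("rtcp:")]
        ports.append(s["port"])
        ports.append(int(rtcp[0][5:].split()[0]) if rtcp else s["port"] + 1)
    return ports


def rewrite_sdp(sdp: str, private_ip: str, public_ip: str) -> str:
    """ALG-style rewrite of the LAN address in the o= and c= lines only."""
    pattern = re.compile(r"\bIN IP4 " + re.escape(private_ip) + r"\b")
    out = []
    for line in sdp.splitlines():
        if line.startswith(("c=", "o=")):
            line = pattern.sub("IN IP4 " + public_ip, line)
        out.append(line)
    return "\r\n".join(out) + "\r\n"


def srtp_violations(sdp: str) -> List[str]:
    """Policy: every active media line must use an SRTP profile and carry an a=crypto key."""
    problems = []
    for s in media_sections(sdp):
        if s["port"] == 0:
            continue
        if s["proto"] not in ("RTP/SAVP", "RTP/SAVPF"):
            problems.append(f"{s['media']}: plain {s['proto']} offered, SRTP required")
        elif not any(a.startswith("crypto:") for a in s["attrs"]):
            problems.append(f"{s['media']}: SRTP profile offered without a=crypto key")
    return problems


def process_invite(raw: str, private_ip: str, public_ip: str, require_srtp: bool) -> dict:
    """Reject on policy, otherwise return the pinholes to open and the SDP to forward."""
    _, headers, sdp = split_sip(raw)
    if headers.get("content-type") != "application/sdp":
        return {"accepted": False, "reason": "no SDP offer in INVITE"}
    violations = srtp_violations(sdp) if require_srtp else []
    if violations:
        return {"accepted": False, "reason": "; ".join(violations)}
    return {"accepted": True, "pinholes": pinholes(sdp),
            "sdp": rewrite_sdp(sdp, private_ip, public_ip)}
```

Two simplifications are worth naming. A production edge device normally relays the media itself, so it also replaces the port numbers in the m= lines with ports it has allocated and closes them when the BYE arrives; here the PBX's ports are kept and only pinholed. And the a=crypto line carries the SRTP key in clear text inside the SDP, which is why SDES-based SRTP is only as strong as the signaling protection around it: the INVITE must travel over TLS, which in turn is only possible when the edge device terminates TLS rather than inspecting packets as an ALG.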
Branch office interconnect
When the PBX is IP-based, a whole host of new possibilities open up, since communication between the PBX and other devices (including phones) uses a protocol (SIP) that works just as well over the Internet as on the corporate LAN. This means it is now possible to connect with other offices within the same organization, or with partners and customers, via IP, without the need to traverse the PSTN and without the need for dedicated circuits. This even enables an entire multi-site enterprise to use one centrally located IP-PBX instead of installing separate PBXs at each site.
When doing branch office interconnect of SIP-based systems, the same problems of traversing the corporate firewalls and NATs as with SIP trunking itself will occur. A SIP capable enterprise edge device will solve this problem as for SIP trunking. Some people even refer to such an inter-office connection within an enterprise as a SIP trunk.
3.3 The service provider component
A traditional voice telephony service provider typically offers one or more T1/E1 trunks to the enterprise for fulfilling its needs for voice communication outside its own premises. The service provider is then connected to what is sometimes referred to as “the world’s biggest machine”: the worldwide PSTN. Connectivity among the networks of the different service providers that constitute this “machine” is achieved by bilateral interconnect agreements between the various service providers. There are also wholesale service providers that aggregate the traffic from several local service providers and make the interconnect agreements for all of them collectively.
The SIP trunk offering is just another way of connecting the enterprise subscriber to the network. The interconnect and wholesale aspects remain the same. In a SIP trunk, the traditional T1/E1 interface (“trunk”) is replaced by a SIP-based connection that runs over the Internet connection to the enterprise. Nowadays, most enterprises already have such a connection for their data traffic. As SIP trunks are software and IP based, they are easier to manage remotely and therefore cheaper for the service provider to maintain. It also typically does not require the service provider to deliver and take responsibility for any additional customer premises-based equipment. That too adds to the simplicity and cost effectiveness of SIP trunks as a means of delivering PSTN connectivity.
Different types of SIP trunking service providers
Long gone are the days when there was only one carrier available to offer telephony services. These “old” incumbents are, however, still there and they do offer SIP trunking services. These service providers typically have their own facilities all the way down to the subscriber, which means that they have greater control over the quality of the service delivered. However, as discussed in the quality-of-service section that is by no means the only way to ensure that voice quality is maintained in a VoIP network.
Among the newer entrants to the voice market, offering SIP trunking and other VoIP services, are facilities-based and facilities-less providers. Generally there are only a few major companies that have their own network infrastructure while others are reselling traffic that will travel on another party’s (be it a “new” IP wholesaler or an incumbent) network. The number of such VoIP resellers is increasing rapidly because in the IP environment delivering such a service is relatively simple, at least in comparison to the old TDM world. With this arrangement the customer gets the best of all worlds: the facilities-based operator can focus on operating a high-volume large network in the most efficient way while the reseller can focus on customer support, billing simplicity and other customer-related features of the service.
The move to IP also enables service providers to create bundled offers. There are several cases where an Internet Service Provider (ISP) adds a telephony service to its offering. Such an Internet Telephony Service Provider (ITSP) can create attractive bundles of data and voice capacity making use of the bandwidth utilization benefits.
A SIP trunking service provider aggregates the traffic from many enterprise customers. The traffic passed to the PSTN is of much larger volume than the traffic from any individual enterprise. This means that the SIP trunking service provider can acquire the call minutes from the PSTN service providers at a lower rate than the individual enterprise. The network charge for the IP part of the call is typically not traffic-dependent so there are significant gains to be made here.
The use of the IP networks for certain sections of the call means that a service provider with several points of presence around the world, or that has agreements with other service providers to exchange traffic with, can allow the call to stay on the IP network for as long as possible. The call is transferred to the PSTN at the point of presence closest to the destination of the call. This process, sometimes referred to as “local breakout,” allows the service provider to make maximum use of local PSTN call rates rather than paying international or long distance charges. This contributes to making SIP trunking a very cost-effective solution for the enterprise as well as for the SIP trunking service provider.
3.4 Trunk centralization and virtualization
State of the art SIP trunking deployments commonly centralize trunking to the enterprise. This means that a geographically distributed enterprise will terminate the majority of its trunking, via SIP, at a central or headquarter location and calls are then distributed to other locations via the corporately owned and managed WAN. This eliminates the need for maintaining services with multiple service providers in different geographies and allows the enterprise to cost optimize its trunking by negotiating with a single ITSP, thereby leveraging economies of scale.
By virtualizing the SIP edge device, even further cost savings are possible. The edge device would be deployed as a virtual machine and can leverage existing investments in server host capacities.
Open standards are the key to the success of voice over IP adoption. Back in the mid-1990s both email and Web browsing became ubiquitous practically overnight, driving the majority of people in the industrialized world to connect to the Internet. Many different organizations, companies, universities and individuals contributed to the exponential growth. With all these different stakeholders, the success we see in this area would not have been possible without the adoption of open standard protocols like SMTP and HTTP – both developed by the IETF.
As mentioned before, the open standard for VoIP is the IETF standard, SIP. SIP-based real-time communication over the Internet will be one of the drivers for another wave of Internet growth.
4.1 SIP standards
SIP stands for Session Initiation Protocol; the name describes well what it does. It is used for setting up sessions between endpoints. Endpoints are often end-user devices or servers. SIP differs from the signaling protocols of the PSTN domain in that it allows much more intelligence to be located in the endpoints rather than in centralized network elements.
SIP is specified in a growing number of IETF RFCs. In order to aid the reader navigating through the various RFCs a “hitchhiker’s guide” to SIP has been created by the IETF. That guide, and an extensive list of references, can be found at the end of this white paper.
Different groups with varied interests have taken part in adapting these standards. Some are PSTN operators who (in some cases) try to redesign the PSTN world on top of SIP. Mobile operators, 3GPP, IMS, as well as companies focused on data communication or IT, push for support of features like IM, presence, file sharing, video etc.
As the SIP standard is comprised of a large number of specifications, most vendors do not implement all of them. SIP connect is an example of how a specific subset of these specifications can be used for defining a limited feature set (in this case, SIP trunking).
Even though the SIP standard is written with interoperability in mind, integrating SIP equipment from different vendors always takes time because, all too frequently, there are minor inconsistencies with regard to how the different vendors interpret the SIP specifications.
With regard to SIP trunking, different operators will utilize equipment from many gateway vendors who have varied requirements when it comes to the authentication of the SIP trunk user. If a company is looking to use SIP trunks from more than one vendor, (e.g. in order to implement least-cost routing) they would normally have to deal with the complexities of interoperability among several SIP trunks that each behave in different ways.
As mentioned above, enterprise edge devices can mitigate these issues by addressing the complexities of interoperability. The device handles these details and the different ways to handle authorization for the SIP trunks. From the inside, the edge device will appear as one SIP trunk, even though it will then distribute traffic to several SIP trunks from different vendors on the outside. As the customer device that is located closest to the operator, an edge device is well placed to handle this type of operation.
Another interoperability problem common with SIP trunking is when one endpoint is located behind a SIP-unaware NAT box (home user, hotel, etc.). When the edge device is the first point of contact for such an endpoint, remote connectivity technology can enable such users to participate in both outbound and inbound calls even though they are behind a SIP-unaware NAT.
Call transfer represents another interoperability problem. Some operators do not support this feature, and some SIP user agents do not support it either. Additionally, a user who has a phone that can support call transfer cannot detect if the phone on the other end does so as well. If a call transfer attempt is made and fails, the call is often dropped.
Edge devices can detect when a call is being made to or from an endpoint that does not support call transfer. If someone still attempts to transfer a call to or from that endpoint, the device can perform the transfer itself, in lieu of the endpoint that is not able to. The call will be transferred, and the edge device makes sure that the media is sent to the new destination. By acting as a B2BUA (back-to-back user agent) in the device, the party that does not support call transfer will still think that they are talking to the person they called.
5 Security considerations for SIP trunking
Connecting a device to the Internet exposes the entire network to many types of threats. One example is a brute-force attack, where the intruder tries to log into a service by working through a huge number of username and password combinations, often drawn from a user/password database, until the right one is found. Once access has been granted, the intruder may be able to launch other attacks based on known vulnerabilities in the service in question and in this way gain access to other services or data.
Another example of a threat is a Denial of Service (DoS) attack, where the attacker uses many different hosts or bots to send such a large number of packets that the host drowns or crashes under the volume of traffic.
The above are two examples of traditional data communication attacks. These and many others can easily be transformed into attacks on VoIP equipment. The VoIP Security Alliance (VOIPSA) has categorized possible attacks and threats on a VoIP system and made this information publicly available. This document is a resource for understanding what threats need to be taken into account when it comes to securing VoIP in SIP trunking scenarios.
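The brute-force example above is easiest to catch on the edge device itself, which sees every authentication attempt on the trunk. The following detector is an added example written for this white paper's discussion, not code from ShoreTel, Ingate or VOIPSA. It runs over a few constructed log lines in a hypothetical edge-device log format (timestamp, method, source, user, status) and flags a source that accumulates too many authentication failures inside a sliding window. The threshold has to allow for normal behaviour: a SIP Digest client always receives one 401 challenge before it sends credentials, so a single 401 per registration cycle is expected; many failures against many different usernames from one source is the signal worth alerting on.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timezone

# Constructed sample log lines in a hypothetical format (not any vendor's real log format).
# 203.0.113.5 walks through extensions; 198.51.100.7 is a normal client (challenge, then success).
SAMPLE_LOG = """\
2024-05-01T10:00:01Z REGISTER src=203.0.113.5 user=1001 status=401
2024-05-01T10:00:02Z REGISTER src=203.0.113.5 user=1002 status=401
2024-05-01T10:00:03Z REGISTER src=203.0.113.5 user=1003 status=401
2024-05-01T10:00:04Z REGISTER src=203.0.113.5 user=1004 status=401
2024-05-01T10:00:05Z REGISTER src=203.0.113.5 user=1005 status=401
2024-05-01T10:00:06Z REGISTER src=203.0.113.5 user=1006 status=401
2024-05-01T10:00:07Z REGISTER src=198.51.100.7 user=2001 status=401
2024-05-01T10:00:09Z REGISTER src=198.51.100.7 user=2001 status=200
2024-05-01T10:02:30Z REGISTER src=203.0.113.5 user=1007 status=200
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<method>[A-Z]+) src=(?P<src>\S+) user=(?P<user>\S+) status=(?P<status>\d{3})$"
)

# SIP responses that mean "credentials were not accepted" (401/407 challenges, 403 rejections).
AUTH_FAILURE_STATUSES = (401, 403, 407)


def parse_line(line):
    """Parse one constructed log line into a dict, or return None for lines in another format."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return {"ts": ts, "method": m["method"], "src": m["src"],
            "user": m["user"], "status": int(m["status"])}


def detect_auth_bruteforce(log_text, window_seconds=60, threshold=5):
    """Return {src: (failures_in_window, distinct_users_tried)} for every source that
    reaches `threshold` REGISTER authentication failures within `window_seconds`."""
    failures = defaultdict(deque)   # src -> timestamps of recent failures (sliding window)
    users = defaultdict(set)        # src -> usernames seen failing from that source
    flagged = {}
    for raw in log_text.splitlines():
        ev = parse_line(raw)
        if ev is None or ev["method"] != "REGISTER" or ev["status"] not in AUTH_FAILURE_STATUSES:
            continue
        q = failures[ev["src"]]
        q.append(ev["ts"])
        users[ev["src"]].add(ev["user"])
        # Drop failures that fell out of the window.
        while q and (ev["ts"] - q[0]).total_seconds() > window_seconds:
            q.popleft()
        if len(q) >= threshold and ev["src"] not in flagged:
            flagged[ev["src"]] = (len(q), len(users[ev["src"]]))
    return flagged


if __name__ == "__main__":
    for src, (count, distinct) in detect_auth_bruteforce(SAMPLE_LOG).items():
        print(f"{src}: {count} auth failures against {distinct} usernames within 60 s")
```

The distinct-user count is what separates a misconfigured phone (one username, repeated failures) from an enumeration attempt; a production rule would also feed the flagged source to the firewall's block list, which the white paper describes as the firewall's job.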
5.2 Importance of a stable platform
Firewall vendors have developed significant expertise in securing data communication. They know how to design stable systems that are locked down to only admit services that have been configured to pass. Firewalls inspect and log traffic and, if intelligent enough, they can even block suspected attacks including traffic from known bad sources.
Firewalls alone cannot prevent Denial of Service (DoS) attacks, but they can be built to withstand them, making a successful attack harder to mount. Firewalls can also lay the foundation for a swift recovery. More importantly, they can be built to shield the enterprise LAN from the DoS traffic altogether.
5.3 SIP signaling
Firewalls with a SIP server and full SIP proxy play a critical role in maintaining enterprise security and securing SIP trunks. They can rewrite and process SIP signaling in a very flexible way, ensuring correct routing and interoperability with other systems built to RFC 3261 and related standards.
One important part of the SIP proxy is the SIP parser. The SIP parser verifies that the SIP message is valid and that it may be forwarded to the local LAN. Malformed SIP messages are discarded. The SIP parser must be robust enough to withstand any types of malformed SIP messages without crashing. Also, to mitigate DoS attacks, the parser should be able to process a very large number of packets.
The SIP proxy should include support for the optional loop detection mechanism defined in the SIP specification. This mechanism discerns whether a SIP message is looping (sending the SIP message to itself) and, if so, aborts this behavior. This detection mechanism also protects against DoS attacks where a SIP message is constructed to create loops and thus keep the SIP proxy too busy to engage in useful processing.
SIP signaling consists of messages in ASCII (plain) text and is therefore easy to read and manipulate. It is strongly recommended to encrypt and authenticate SIP signaling. This is normally achieved by supporting TLS or mutual TLS (MTLS). MTLS is the most secure method, as server and client authenticate each other using CA-signed certificates or certificate chains.
In order to provide greater and more flexible protection mechanisms, filters are useful features. A typical filter would include the following:
- SIP methods allowed or prohibited on the network.
- Authentication enabled or disabled per network and SIP method.
- SIP messages filtered based on content type.
- Incoming callers can be restricted to a white list; this list can be individually enabled/disabled per user.
- From/to header may be used to allow or disallow processing.
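Sections 5.3's parser, loop detection and filter list can be shown together in one piece of code. What follows is an added example written for this white paper, not the parser of any ShoreTel or Ingate product: a strict request parser that refuses anything it cannot account for (missing mandatory headers, a Content-Length that does not match the body, a CSeq that disagrees with the request line), a simplified loop check that looks for the edge device's own address in the Via chain, and a policy check implementing the filter items above (allowed methods, content types and a From allow-list). The SIP messages and the edge-device hostname `sbc.example.net` are constructed for the example.

```python
import re

REQUEST_LINE_RE = re.compile(r"^([A-Z]+) (\S+) SIP/2\.0$")
REQUIRED = ("Via", "From", "To", "Call-ID", "CSeq", "Max-Forwards")
# Header names are case-insensitive; map lower-case and RFC 3261 compact forms to canonical names.
CANON = {h.lower(): h for h in REQUIRED + ("Content-Type", "Content-Length", "Contact")}
CANON.update({"v": "Via", "f": "From", "t": "To", "i": "Call-ID",
              "c": "Content-Type", "l": "Content-Length", "m": "Contact"})
URI_RE = re.compile(r"sips?:([^@>;\s]+@[^>;\s]+)")


class SipError(ValueError):
    """Raised for any message the parser refuses to forward."""


def parse_request(raw: bytes) -> dict:
    """Strictly parse a SIP request; raise SipError instead of guessing on malformed input."""
    try:
        text = raw.decode("ascii")
    except UnicodeDecodeError:
        raise SipError("non-ASCII bytes in signaling")
    head, sep, body = text.partition("\r\n\r\n")
    if not sep:
        raise SipError("missing CRLFCRLF header terminator")
    lines = head.split("\r\n")
    m = REQUEST_LINE_RE.match(lines[0])
    if not m:
        raise SipError("malformed request line")
    method, uri = m.group(1), m.group(2)
    headers, last = {}, None
    for line in lines[1:]:
        if line[:1] in (" ", "\t") and last:          # RFC 3261 line folding: continue previous value
            headers[last][-1] += " " + line.strip()
            continue
        name, colon, value = line.partition(":")
        name = name.strip()
        if not colon or not name:
            raise SipError("malformed header line: %r" % line)
        last = CANON.get(name.lower(), name)
        headers.setdefault(last, []).append(value.strip())
    missing = [h for h in REQUIRED if h not in headers]
    if missing:
        raise SipError("missing headers: " + ", ".join(missing))
    if "Content-Length" in headers:
        cl = headers["Content-Length"][0]
        if not cl.isdigit() or int(cl) != len(body.encode("ascii")):
            raise SipError("Content-Length does not match body")
    mf = headers["Max-Forwards"][0]
    if not mf.isdigit() or not 0 <= int(mf) <= 255:
        raise SipError("bad Max-Forwards")
    cseq = headers["CSeq"][0].split()
    if len(cseq) != 2 or not cseq[0].isdigit() or cseq[1] != method:
        raise SipError("CSeq does not match request method")
    # A Via header may carry several comma-separated hops; flatten so each hop is visible.
    vias = [v.strip() for val in headers["Via"] for v in val.split(",")]
    return {"method": method, "uri": uri, "headers": headers, "vias": vias, "body": body}


# Hypothetical trunk-side policy (assumption): REGISTER is not accepted from the provider side.
DEFAULT_POLICY = {
    "methods": {"INVITE", "ACK", "BYE", "CANCEL", "OPTIONS"},
    "content_types": {"application/sdp"},
    "from_allowlist": None,            # None = any caller; otherwise a set of user@domain
    "own_sent_by": "sbc.example.net",  # constructed address of this edge device
}


def check_request(raw: bytes, policy=DEFAULT_POLICY):
    """Return (forward: bool, reason); reason is the SIP status to send back when rejecting."""
    try:
        msg = parse_request(raw)
    except SipError as e:
        return False, "400 Bad Request (%s)" % e
    if any(policy["own_sent_by"] in v for v in msg["vias"]):   # simplified loop detection
        return False, "482 Loop Detected"
    if int(msg["headers"]["Max-Forwards"][0]) == 0:
        return False, "483 Too Many Hops"
    if msg["method"] not in policy["methods"]:
        return False, "405 Method Not Allowed"
    ct = msg["headers"].get("Content-Type", [None])[0]
    if msg["body"] and (ct is None or ct.split(";")[0].strip().lower() not in policy["content_types"]):
        return False, "415 Unsupported Media Type"
    if policy["from_allowlist"] is not None:
        m = URI_RE.search(msg["headers"]["From"][0])
        if not m or m.group(1).lower() not in policy["from_allowlist"]:
            return False, "403 Forbidden"
    return True, "forward"


# Constructed sample INVITE using documentation addresses.
GOOD_INVITE = (
    b"INVITE sip:1001@sbc.example.net SIP/2.0\r\n"
    b"Via: SIP/2.0/UDP 203.0.113.10:5060;branch=z9hG4bK776asdhds\r\n"
    b"Max-Forwards: 70\r\n"
    b"From: \"Alice\" <sip:alice@itsp.example>;tag=1928301774\r\n"
    b"To: <sip:1001@sbc.example.net>\r\n"
    b"Call-ID: a84b4c76e66710@203.0.113.10\r\n"
    b"CSeq: 314159 INVITE\r\n"
    b"Content-Type: application/sdp\r\n"
    b"Content-Length: 5\r\n"
    b"\r\n"
    b"v=0\r\n"
)
```

Every rejection path returns a status code rather than an exception so that the proxy can answer the sender and keep serving; the parser never allocates based on an unchecked length, which is the property the white paper asks for when it says the parser must survive any malformed message.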
5.4 Controlling media
SIP proxy technology is an excellent way to add a level of control to the flow of SIP media. This control offers tremendous advantages with regard to security.
The main purpose of SIP is to set up a media session between clients. Media is handled by other protocols (often RTP). For media to traverse the enterprise edge, the SIP proxy must dynamically open the media ports for the duration of the call. As soon as the call is completed the media ports are closed. This behavior is much more secure than solutions with non–SIP-aware firewalls/border elements, where a media port range constantly needs to be open. In general the SIP proxy approach is more secure than the IETF-specified STUN/TURN/ICE methods, which require that ports are left open from the inside of the firewall to allow media port negotiation to succeed.
In addition to the dynamic opening and closing of media ports, the edge device should only accept incoming media from the endpoint that receives media from the edge device. This protects against hackers trying to inject media from other endpoints or devices.
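The two rules just described (open a pinhole only while the call exists, and accept media on it only from the negotiated endpoint) can be modelled as a small table driven by the SDP in the signaling. This is an added example written for this paper, not the firewall logic of any product: it extracts the remote address and port from the `c=` and `m=` lines of a constructed SDP answer, allocates a local RTP/RTCP port pair per stream, and checks each incoming packet against the pinhole for its local port. A stream offered with port 0 (disabled) gets no pinhole, and a BYE removes all of the call's pinholes.

```python
def parse_sdp_media(sdp: str):
    """Return [(ip, port), ...] for each active m= line, honouring session-level and
    media-level c= lines (a media-level c= overrides the session-level one)."""
    session_ip = None
    streams = []
    current = None
    for line in sdp.splitlines():
        if line.startswith("c="):
            parts = line[2:].split()                    # c=IN IP4 203.0.113.10
            if len(parts) != 3 or parts[0] != "IN" or parts[1] not in ("IP4", "IP6"):
                raise ValueError("bad c= line: %r" % line)
            if current is None:
                session_ip = parts[2]
            else:
                current["ip"] = parts[2]
        elif line.startswith("m="):
            parts = line[2:].split()                    # m=audio 49170 RTP/AVP 0 8 101
            if len(parts) < 3 or not parts[1].isdigit():
                raise ValueError("bad m= line: %r" % line)
            current = {"ip": None, "port": int(parts[1])}
            streams.append(current)
    result = []
    for s in streams:
        if s["port"] == 0:                              # port 0 = stream rejected, nothing to open
            continue
        ip = s["ip"] or session_ip
        if ip is None:
            raise ValueError("no connection address for media stream")
        result.append((ip, s["port"]))
    return result


class MediaPinholes:
    """Pinhole table driven by SIP signaling: opened on the SDP answer, closed on BYE.
    Local ports are allocated in RTP/RTCP pairs (even = RTP, odd = RTCP)."""

    def __init__(self, local_port_base=20000):
        self._next = local_port_base                    # assumption: even base port
        self.by_local_port = {}                         # even local port -> (call_id, remote_ip, remote_rtp_port)
        self.by_call = {}                               # call_id -> [local RTP ports]

    def on_answer(self, call_id, remote_sdp):
        ports = []
        for ip, port in parse_sdp_media(remote_sdp):
            lp = self._next
            self._next += 2
            self.by_local_port[lp] = (call_id, ip, port)
            ports.append(lp)
        self.by_call[call_id] = ports
        return ports

    def on_bye(self, call_id):
        for lp in self.by_call.pop(call_id, []):
            self.by_local_port.pop(lp, None)

    def allow_packet(self, local_port, src_ip, src_port):
        """True only if a pinhole exists for this local port and the packet comes from
        the negotiated remote address and port (RTP on the even port, RTCP on the odd one)."""
        base = local_port - (local_port % 2)
        entry = self.by_local_port.get(base)
        if entry is None:
            return False
        _, ip, rtp_port = entry
        return src_ip == ip and src_port == rtp_port + (local_port - base)


# Constructed SDP answer: audio accepted on 49170, video rejected (port 0).
SAMPLE_ANSWER = (
    "v=0\r\no=- 1 1 IN IP4 203.0.113.10\r\ns=-\r\nc=IN IP4 203.0.113.10\r\nt=0 0\r\n"
    "m=audio 49170 RTP/AVP 0 8\r\na=rtpmap:0 PCMU/8000\r\nm=video 0 RTP/AVP 31\r\n"
)
```

Keying the check on the local port (the one the edge device advertised in its own SDP) rather than on a call identifier mirrors what a firewall actually sees on the wire: a UDP datagram with a destination port and a source address, nothing more.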
To protect media from being overheard by unauthorized persons, media encryption comes into play. The industry seems to have chosen SRTP with SDP security descriptions (SDES) for key exchange as the de facto standard for media encryption. Because SDES carries the SRTP keys inside the SDP of the signaling, the TLS protection of signaling recommended in the previous section is a prerequisite for the media encryption to be meaningful. Using SRTP to encrypt media traversing the Internet effectively stops eavesdropping. The integrity of the call is much stronger than ever possible on the PSTN.
6 Quality and reliability issues
One of the main concerns about VoIP and SIP trunking is with regard to Quality of Service and reliability. Will voice quality be good enough? Will the telephony service be available when I need it? The answer to both questions is a definitive yes. In fact, many people who use traditional PBXs are using VoIP without knowing it, as many service providers use IP in their backbone networks.
Clearly, IP is not the issue. How the network is managed and planned is what makes the difference.
6.1 QoS – Different service provider approaches
The bottleneck on the Internet is often the last mile connection to the enterprise premises. There are two methods used by service providers to deliver adequate Quality of Service. In theory only the service provider controlling the link the entire way would be able to guarantee an adequate level of Quality of Service. However, in practice, the service provider relying on the over-provisioning of links will also be able to offer excellent quality.
Service provider controlling the connection all the way
In this case, the service provider owns the connection and can control the equipment all the way from the enterprise to their SIP trunking PSTN termination point. This makes it possible to prioritize the voice traffic over data and also to give different Service Level Agreements (SLA) for different customers.
Over-provisioning of links
Here, the SIP trunking service provider facilitates the connection all the way to the subscriber. Any Internet connection is possible as long as there is enough bandwidth. Good voice quality is achieved by over-provisioning of the link so that the last mile never becomes a problem.
6.2 Prioritization of voice traffic
To maximize the utilization of a given capacity, both data and voice should be delivered in the same connection. However, this makes prioritization of the voice traffic necessary.
Prioritization, which can take place in the firewall or edge device, can be based on:
- Services (protocol and port).
- Packet size.
- SIP traffic.
- IP-address and segments.
This prioritization should be possible for both outbound and inbound traffic. It should also be dynamic so that bandwidth dedicated for voice can automatically be used for data when it is available.
The setting of Type of Service (TOS) and/or DiffServ bits on packet level will make it possible for routers on the Internet to make prioritizations. There is no guarantee, however, that all pieces of equipment on the Internet are using these settings for prioritization. In this case it will, of course, help if the service provider controls the communication all the way out to the customer premises.
6.3 Call admission control
Call admission control, also implemented in the edge device, ensures that it is not possible to initiate more calls than fit into the link. The administrator defines the amount of bandwidth that is dedicated to voice and the bandwidth per call based on the codec used. The edge device then keeps track of all calls, and when the dedicated bandwidth is used up no additional calls can be made or received. The response from the edge device in this case will be “service unavailable.” It is important to reserve call slot(s) for emergency calls.
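The bookkeeping behind call admission control is small enough to show in full. The following is an added example written for this paper, not a product implementation: per-call bandwidth is derived from the codec's payload rate plus the RTP/UDP/IPv4 header overhead of 40 bytes per packet at the configured packetization interval (the usual rule of thumb, giving 80 kbps for G.711 and 24 kbps for G.729 at 20 ms, per direction, before layer-2 overhead), and ordinary calls are refused with 503 Service Unavailable once admitting them would eat into the bandwidth held back for the configured number of emergency calls. The codec table and the 240 kbps voice allocation in the usage are constructed values.

```python
# Nominal payload bit rates in kbps for common codecs (constructed table; extend as needed).
CODEC_PAYLOAD_KBPS = {"PCMU": 64, "PCMA": 64, "G722": 64, "G729": 8}


def ip_bandwidth_kbps(payload_kbps, ptime_ms=20, header_bytes=40):
    """Per-direction IP bandwidth of one stream: payload plus 40 bytes of RTP/UDP/IPv4
    headers once per packet; shorter packetization means more packets and more overhead."""
    packets_per_second = 1000 / ptime_ms
    return payload_kbps + header_bytes * 8 * packets_per_second / 1000


class CallAdmissionControl:
    """Admit a call only if it fits in the voice allocation while keeping room for
    `emergency_slots` calls using the heaviest configured codec."""

    def __init__(self, voice_kbps, emergency_slots=1, ptime_ms=20):
        self.voice_kbps = voice_kbps
        self.emergency_slots = emergency_slots
        self.ptime_ms = ptime_ms
        self.calls = {}                       # call_id -> kbps accounted for that call

    def per_call_kbps(self, codec):
        return ip_bandwidth_kbps(CODEC_PAYLOAD_KBPS[codec], self.ptime_ms)

    def in_use_kbps(self):
        return sum(self.calls.values())

    def admit(self, call_id, codec, emergency=False):
        """Return (admitted, SIP status). Emergency calls may use the reserved slots."""
        if codec not in CODEC_PAYLOAD_KBPS:
            return False, "488 Not Acceptable Here"
        need = self.per_call_kbps(codec)
        reserve = 0.0 if emergency else self.emergency_slots * max(
            self.per_call_kbps(c) for c in CODEC_PAYLOAD_KBPS)
        if self.in_use_kbps() + need + reserve > self.voice_kbps:
            return False, "503 Service Unavailable"
        self.calls[call_id] = need
        return True, "200 OK"

    def release(self, call_id):
        """Called on BYE (or a failed setup) so the bandwidth returns to the pool."""
        self.calls.pop(call_id, None)


if __name__ == "__main__":
    cac = CallAdmissionControl(voice_kbps=240, emergency_slots=1)   # constructed allocation
    for cid, codec in (("c1", "PCMU"), ("c2", "PCMU"), ("c3", "PCMU")):
        print(cid, codec, cac.admit(cid, codec))
    print("e1", "PCMU", "emergency", cac.admit("e1", "PCMU", emergency=True))
```

With a 240 kbps voice allocation and one reserved slot, two G.711 calls are admitted, a third is refused, and an emergency call still gets through on the reserved 80 kbps; releasing calls returns their bandwidth to the pool.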
6.4 Poor voice quality can be an endpoint problem, or caused by the internal LAN
Another overlooked factor is QoS on the internal LAN. If the LAN is the bottleneck, the voice quality will be poor no matter how good the quality of the Internet connection may be. It is highly recommended that customers work with their vendors and complete a thorough network assessment prior to deploying their IP Telephony system.
Many operators offer MPLS as a means of delivering QoS in a VoIP service. The MPLS network is a service provider-managed VPN. However, it is as easy to achieve good Quality of Service in an open standards-based SIP trunking connection as with MPLS. One of the most important factors is whether the service provider controls the links all the way from the enterprise to the PSTN termination or not, not which protocol is used.
Also, SIP trunks are sometimes delivered over an MPLS connection for voice only. This means there is no support for global SIP connectivity over the Internet and the solution can never be more than just a one-to-one replacement of the traditional TDM lines.
6.6 Reliability of SIP trunks
Another argument commonly heard is that a SIP trunking connection is not as reliable as the traditional TDM. It is true that Internet connections are more dependent on electrical power, and TDM lines may have a slightly better average uptime in many parts of the world. However, many enterprise telephony systems also rely on electrical power, so a policy with uninterruptible power supply (UPS) that corresponds to the desired uptime is a must. Furthermore a TDM line, when down, is truly dead. With SIP trunks alternative backup solutions are available.
The migration to SIP trunks will happen gradually, so the enterprise might optionally choose to keep some traditional TDM/PSTN gateway capacity for backup and/or emergency calling purposes.
With the right choice of redundancy features and service provider, SIP trunking may even offer higher reliability than many TDM-based networks.
6.7 SIP Trunking may be more reliable
Due to the inflexibility in the TDM in terms of number of lines, it is tempting to have a common PRI pool of lines at the headquarters also serving the branch offices with PSTN connectivity.
Many IP-PBX installations look like the left side of the figure above.
This creates a single point of failure combined with an unnecessarily high load at the headquarters. The SIP trunking scenario on the right offers higher reliability (here, with the different sites independently connected to the SIP trunking provider).
In many cases a SIP trunking connection may be more reliable than the traditional TDM in itself. It offers more backup alternatives including the ones described in the following sections.
Failover to secondary SIP trunking provider
With SIP trunking it is possible to utilize multiple service providers for PSTN termination. The edge device handling the SIP trunking connection should be able to automatically failover to a secondary (or tertiary, and so on) SIP trunking provider if the connection to the primary service provider fails.
In addition to making the switch when a call fails, the device should be able to monitor the primary service provider by periodically sending SIP OPTIONS messages and make the switch if the service provider fails to answer.
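The provider-selection logic this describes is a small state machine, shown here as an added example for this paper rather than any product's implementation. Providers are listed in order of preference; a provider is marked down either immediately, when a call attempt fails at the transport or trunk level, or after a configurable number of consecutive unanswered OPTIONS probes; and it is automatically taken back into service (fail-back to the cheaper or preferred provider) as soon as a probe is answered again. The provider names are constructed. The same selector applies unchanged to choosing between a primary and a backup Internet uplink, which the next section calls for.

```python
# Responses to a call attempt that indicate the trunk itself is unusable, as opposed to
# per-call outcomes such as 404 (unknown number) or 486 (busy). None = no response at all.
TRUNK_FAILURE_STATUSES = {408, 502, 503, 504}


class TrunkSelector:
    """Pick the active SIP trunking provider from an ordered preference list, with
    OPTIONS-based health monitoring, fail-over and automatic fail-back."""

    def __init__(self, providers, max_missed_options=3):
        self.providers = list(providers)            # most preferred first
        self.max_missed = max_missed_options
        self.missed = {p: 0 for p in self.providers}
        self.down = {p: False for p in self.providers}

    def on_options_result(self, provider, answered):
        """Record the outcome of one periodic OPTIONS probe to `provider`."""
        if answered:
            self.missed[provider] = 0
            self.down[provider] = False              # fail-back as soon as it answers again
        else:
            self.missed[provider] += 1
            if self.missed[provider] >= self.max_missed:
                self.down[provider] = True

    def on_call_response(self, provider, status):
        """Record the final response to a call sent via `provider` (None = timed out).
        Only trunk-level failures mark the provider down; user-level errors do not."""
        if status is None or status in TRUNK_FAILURE_STATUSES:
            self.down[provider] = True

    def active(self):
        """The most preferred provider currently considered up, or None."""
        for p in self.providers:
            if not self.down[p]:
                return p
        return None

    def route(self):
        """Return (provider, None) for a routable call or (None, SIP status) when no
        provider is available, so the caller hears a definite failure rather than a hang."""
        p = self.active()
        return (p, None) if p else (None, "503 Service Unavailable")
```

Keeping the failure threshold per provider and resetting it on the first successful probe means a single lost UDP probe never causes a switch, while a provider that is genuinely unreachable is abandoned within `max_missed_options` probe intervals.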
Failover to secondary Internet service provider
The edge device should also be able to failover to a secondary Internet service provider if the primary goes down. It is important to be able to automatically switch back to the primary once it is operational again. This will make it possible to have a cheaper backup Internet service provider.
It should be noted that many service providers share the last mile, so there is really no point in having multiple service providers if they all use the same equipment.
Ideally, the different connections should be divided (e.g. the primary Internet connection delivered with an optical fiber and the secondary as an xDSL line).
Failover to secondary edge equipment
Finally, it should be possible to install the edge device in a failover pair so it can fail over to a secondary unit if the primary experiences a hardware error. The type of failover capability depends on the individual needs of the enterprise and can be divided into three levels:
- Plain hardware failover where both registrations and on-going calls are lost.
- Failover with registrations maintained.
- Failover with both registrations and ongoing calls maintained.
To make a failover unit meaningful in a SIP trunking scenario, the unit should at least maintain registrations, since with level one (above) it may take time for the phones to realize that they need to re-register, and thus it will take time to become operational again. It might be acceptable to lose the ongoing call in the case of a hardware failure, but it must be possible to redial immediately once the failover unit is activated.
7 Implementing SIP trunking with ShoreTel
ShoreTel’s IP Telephony solutions provide robust and flexible deployment options for SIP trunking. By partnering with Ingate Systems as a provider of Session Border Controllers (edge devices), ShoreTel customers can count on highly secure SIP trunking, which is validated with a growing list of Internet Telephony Service Providers (ITSPs) for feature compatibility and interoperability.
ShoreTel and Ingate’s goal is to provide the customer peace of mind that the solution has been tested and will be straightforward to deploy and maintain.
In the end, it all boils down to this: is SIP trunking ready for prime time? The answer is yes. Indeed we can trust SIP trunking and its applications as long as we employ the right measures to secure media, ensure interoperability and future-proof the network with standards-based equipment, and are smart about the way SIP trunks are deployed. By including a SIP-capable edge device as part of the deployment, security, QoS and interoperability issues can be reduced significantly. This translates into excellent voice quality, an easier deployment and seamless interoperability – a better overall experience.
We see SIP trunks as paving the way to an all IP, all SIP world where businesses can work without geographical constraints, employees can contribute equally regardless of location, and everyone is reachable anywhere and anytime as long as there is access to an Internet connection. This is the vision the IETF had when they first introduced the SIP protocol, the idea of true global connectivity. SIP trunking extends the notion of seamless connectivity within a business to customers, remote employees, anyone working outside the corporate network. This is the next evolution of telecommunications – we look forward to sharing it with you.
IETF SIP Specifications
There are numerous IETF RFCs and drafts that together define the SIP standard. Rather than listing them all here we have chosen to point to an excellent summary, provided by the IETF, called “A Hitchhiker’s Guide to SIP.”
This summary can be found here:
ShoreTel. Brilliantly simple business communications.
ShoreTel, Inc. (NASDAQ: SHOR) is a leading provider of brilliantly simple IP phone systems and unified communications solutions powering today’s always-on workforce. Its flexible communications solutions for on-premises, cloud and hybrid environments eliminate complexity, reduce costs and improve productivity.
The SIP Connect Spec
SIP connect related specifications: sf-draft-twg-IP_PBX_SP_ Interop-sibley-sipconnect