Time to Connect Over IP! Don’t we already?

Prepared for: Summer VON Europe 2003, Industry Perspective

By: Karl Erik Ståhl, President Intertex Data AB, Chairman Ingate Systems AB, [email protected]

© 2003 Intertex Data AB


© 2003 Ingate Systems AB, © 2003 Intertex Data AB

How do we connect?

[Diagram labels: PSTN, GSM, 3G, IP, XP, SERVER; "Non Real Time OR Real Time"]

VoIP as we have seen it…

We’ve got all the protocols: Proprietary, H.323, MGCP, SIP

And all the VoIP islands…

But no connectivity between the IP clouds!

[Diagram labels: PSTN, Europe IP, US IP, VPN Tunnel, Gateway (three), Toll Bypass, Softswitch, MGCP]

Hmm, didn’t we pass this stage…

Paper was a very compatible medium - So is POTS today…

But isn’t it time to move beyond?

[Diagram labels: Organization 1 (Email system 1), Organization 2 (Email system 2), email, printer, fax, PSTN]

SIP – Session Initiation Protocol

We are rapidly moving towards “a single” protocol!

An Internet Standard

Used for real time person to person IP Communication
- VoIP, IP Telephony
- Audio, Video, Data Collaboration
- Presence, Instant Messaging

Lots of activity, ongoing work and development

“Everyone” is on the train: MCI/Worldcom, Microsoft, Nortel, AT&T, Alcatel, Siemens, Sprint…

We have “a single” new network

Everyone has a connection…

…but it is seldom used for person to person communication!

[Diagram labels: IP Phones, SOHO LAN, Enterprise LAN, Operator Network, IP, XP, PIM]

So there is a big potential!

HTTP created the Web

SMTP created Email

SIP can create universal IP Communication person to person!

The Next Big Usage of the Internet!

A. Go beyond replacing sections of the PSTN by IP! The PSTN is something to interwork with, not the core to build around!

B. Go beyond the “quality” and “services” of the PSTN! The mobile phone world has shown that there is more than “black telephony”! POTS is 50-100 years old!

C. Get connectivity out to the end users! Aren’t we there??? THE TICKING BOMB!

How do we get there?

[Diagram: "Everyone has a connection". Labels: IP Phones, SOHO LAN, Business LAN, DSL, Cable, MTU, IAP, Operator network with NAT, NAT, Firewall, IP, SIP Server, SIP/PSTN Gateway, PSTN, XP, PIM. Callout: "Firewall/NAT problems!"]

So, why don’t we just connect?

SIP is the Protocol for IP Communication Person to Person,

BUT IT DOES NOT REACH THE EDGE!

SIP does not traverse common NATs and Firewalls! And they are still being installed…

What is the difference?

Typical Internet protocol (SMTP, HTTP…): HOST - Internet - SERVER

SIP (and H.323…) connects person to person: PERSON - Internet - PERSON

Locate the person - Set up a session - Open real time media streams

SIP Firewall Problems

Firewall Problems (even with public IP addresses inside):

Sessions initiated from outside the firewall
- OK, open port 5060, but…

Media streams on dynamically allocated port numbers
- Ooops… !

SIP NAT/PAT Problems

NAT & PAT Problems (worse with private IP addresses inside):

Where is the device?
- Registration/location function

Private IP addresses and ports in SIP messages
- Rewrite with globally routable addresses

IP address and port of media stream has to be modified
- NAT engine has to be dynamically controlled
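An added illustration, not part of the original slides, of the firewall and NAT/PAT problems above: a SIP-aware NAT must rewrite the private Contact and SDP addresses with globally routable ones, fix Content-Length, and tell the firewall engine which media pinhole to open. The function names, the constructed INVITE, and all addresses and ports are assumptions; Via handling is left out.

```python
import ipaddress
import re

RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample: INVITE with SDP from a phone at 192.168.1.20 behind NAT.
SDP = ("v=0\r\no=alice 1 1 IN IP4 192.168.1.20\r\ns=-\r\n"
       "c=IN IP4 192.168.1.20\r\nt=0 0\r\nm=audio 49170 RTP/AVP 0\r\n")
INVITE = ("INVITE sip:bob@example.org SIP/2.0\r\n"
          "Via: SIP/2.0/UDP 192.168.1.20:5060;branch=z9hG4bK776\r\n"
          "From: <sip:alice@example.com>;tag=1\r\n"
          "To: <sip:bob@example.org>\r\n"
          "Call-ID: constructed-call-1\r\n"
          "CSeq: 1 INVITE\r\n"
          "Contact: <sip:alice@192.168.1.20:5060>\r\n"
          "Content-Type: application/sdp\r\n"
          f"Content-Length: {len(SDP)}\r\n\r\n" + SDP)


def is_private(addr):
    """True for RFC 1918 addresses, which are not routable on the Internet."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in RFC1918)


def rewrite_for_nat(msg, public_ip, public_sip_port, public_rtp_port):
    """Rewrite private Contact/SDP addresses; return (message, pinholes)."""
    head, body = msg.split("\r\n\r\n", 1)
    pinholes = []  # (inside_ip, inside_port, outside_port) for the RTP stream

    def fix_contact(m):
        if not is_private(m.group(2)):
            return m.group(0)
        return f"{m.group(1)}{public_ip}:{public_sip_port}"
    head = re.sub(r"(?im)^(Contact:.*?@)(\d+\.\d+\.\d+\.\d+)(?::\d+)?",
                  fix_contact, head)

    conn = re.search(r"(?m)^c=IN IP4 (\S+)", body)
    media = re.search(r"(?m)^m=audio (\d+) ", body)
    if conn and media and is_private(conn.group(1)):
        inside_ip = conn.group(1)
        pinholes.append((inside_ip, int(media.group(1)), public_rtp_port))
        body = body.replace(f"IN IP4 {inside_ip}", f"IN IP4 {public_ip}")
        body = re.sub(r"(?m)^m=audio \d+ ", f"m=audio {public_rtp_port} ", body)

    # The body length changed, so Content-Length must be recomputed.
    head = re.sub(r"(?im)^Content-Length:\s*\d+",
                  f"Content-Length: {len(body.encode())}", head)
    return head + "\r\n\r\n" + body, pinholes
```

The returned pinhole is the only media port the firewall has to open, and only for the lifetime of the call, which is what a dynamically controlled NAT engine buys over a static port range.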

Suggested Solutions

Dynamically controlled Firewall/NATs
- Midcom: By Firewall Control Proxy
- UPnP: By the client (Windows)

SIP aware Firewall/NATs (SIP Proxy + Registrar)
- General, handles complex scenarios
- [Intertex (SOHO), Ingate (enterprise), …]

SIP aware Firewall/NATs (SIP ALG – non Proxy)
- TLS not possible

STUN - Can cope with certain types of existing NATs
- SIP clients need to get STUN into their SIP stacks
- Requires STUN servers on the net

Tunnelling - Brings the SIP-client to an operator or a corporate LAN
- Requires ALG for each client on LAN with own address space
- IPSec, Proprietary

Real and Complex Scenarios

Complications:
- Tight firewalls?
- Call transfer?
- SIP server on the LAN?
- Trusted connections, TLS?

[Diagram labels: Internet IP, LAN, Firewall/NAT, IP Phone, XP, SIP Server 2, SIP Server 3, SIP Server 4, SIP/PSTN Gateway, SIP, TLS]

Sooner or later: The NAT/Firewall problem needs to be solved where it occurs!

Adding General SIP Traversal to a Firewall

Important components:
- Firewall & NAT: Dynamic Firewall Engine
- SIP Proxy: SIP Proxy Server, controlling the firewall
- User Location: SIP Registrar, user location information
- Firewall Control: Protocol Communication between SIP Proxy and firewall

In the Ingate and Intertex products:

What have you got?

You got a SIP server! Use it just for firewall traversal AND/OR as your
- SIP Server
- Outbound proxy
- Inbound proxy

SIP Enabling the Private Networks

Firewall/NAT problems! Firewall/NAT SIP transparency!

[Diagram labels: Office or home LAN, Enterprise LAN, IP Phones, SIP Server, SIP/PSTN Gateway, PSTN, Internet, IAP, Operator network with NAT, NAT, Firewall, DSL, Cable, MTU, DMZ, inGate SIParator, inGate Firewall, IX66]

IP Communications Using IP Networks

• Intranet IP VPN with IP communications
• Domestic and global IP communications
• PBX and PSTN – E.164 resolution

Many call routing options:
• Private/Public IP address
• DNS and DNS SRV records
• SIP aware NAT/PAT servers

[Diagram labels: Customer Premises, PBX, PSTN Phone, SIP Phone, Router, Firewall, SIP Server, Enterprise Gateway, Managed Services, Vmail, OSS, Dialing Plans, Conf, IM, IN, SIP Routing, Network GWY, IP VPN, Global IP Comm, Intranet IP Comm, …other…, WorldCom PSTN, WorldCom Public IP Network]

Henry Sinnreich 4/10/2002

IP Communications Using IP Networks

Integration with existing phones

SIP Capable Firewall: Ingate and Intertex, First through SIT

No IP PBX Needed!

[Diagram labels: Customer Premises, PBX, PSTN Phone, SIP Phone, Router, Firewall, SIP Server, Enterprise Gateway, Managed Services, Vmail, OSS, Dialing Plans, Conf, IM, IN, SIP Routing, Network GWY, IP VPN, Global IP Comm, Intranet IP Comm, …other…, WorldCom PSTN]

Enhanced Functionality

[Diagram labels: Enterprise LAN, Firewall, DMZ, WorldCom Public IP Network, Greenwich Edge Proxy, Presence, IM, TLS; Microsoft Greenwich Home Server: Presence, IM, Audio, Video, Data Col.]

Mixed Environments

SIP capable firewalls make the difference!

Just Another Internet Service…

[Diagram labels: Internet, DNS SRV, SIP/PSTN Gateway, PSTN, DMZ, inGate SIParator, inGate Firewall, IX66, XP, Ingate Linköping LAN, Intertex Stockholm LAN, Enterprise LAN, SOHO LAN, Home Office Users, Sweden, USA, London, FWD, Booth #1, Booth #2, Booth #3]

Product Examples – Ingate Systems AB

Enterprise Products

- Complete Firewalls
- Add-on to Existing Firewalls

Firewall & NAT/PAT, SIP Proxy, SIP Registrar

[Diagram labels: Existing Firewall, DMZ, SIParator]

Product Examples – Intertex Data AB

SOHO Products

IX66 Internet Gate with or without ADSL modem built-in

OEM as: Telia SurfinBird Gate, PowerBit SafeGate

Review at: www.adslguide.org.uk/hardware/reviews/2002/q1/intertex_ix66-edflc.asp

The Intertex IX66 Internet Gate

A closer look

- Firewall & NAT/PAT Router
- SIP Proxy and Registrar
- DHCP Server and Client
- WEB Server for configuration
- Smart Card Reader for security applications
- Optional 802.11b Wireless LAN
- SIP Appliance Control, LAC via expansion port
- Optional ADSL and Splitter Built-in

SIP Capable Firewalls!

Ingate Systems AB
www.ingate.com
Box 10013, Slakthusplan 4
SE-121 26 Stockholm, Sweden
CEO Olle [email protected]
Tel +46 8 6007750

Intertex Data AB
www.intertex.se
Rissneleden 45
SE-174 44 Sundbyberg, Sweden
President Karl Erik Ståhl, [email protected]
Tel +46 8 6282828

See us in booth 1 & 2!