Time to Connect Over IP! Don’t we already?
Prepared for: Summer VON Europe 2003, Industry Perspective
By: Karl Erik Ståhl, President Intertex Data AB, Chairman Ingate Systems AB, [email protected]
© 2003 Intertex Data AB 1
How do we connect?
[Diagram: PSTN, GSM and 3G on one side, IP (XP client to SERVER) on the other, labelled “Non Real Time OR Real Time”]
VoIP as we have seen it…
We’ve got all the protocols:
[Diagram: Proprietary, H.323, MGCP, SIP, Proprietary]
And all the VoIP islands…
But no connectivity between the IP clouds!
[Diagram: separate IP clouds in Europe and the US, joined only through the PSTN via gateways, a VPN tunnel, toll bypass and an MGCP softswitch]
Hmm, didn’t we pass this stage…
Paper was a very compatible medium - so is POTS today…
But isn’t it time to move beyond?
[Diagram: Organization 1 (Email system 1) and Organization 2 (Email system 2) exchanging paper via printer, fax and the PSTN]
We are rapidly moving towards “a single” protocol!
SIP – Session Initiation Protocol
An Internet Standard
Used for real time person to person IP Communication: VoIP, IP Telephony
Audio, Video, Data Collaboration
Presence, Instant Messaging
Lots of activity, ongoing work and development
“Everyone” is on the train: MCI/Worldcom, Microsoft, Nortel, AT&T, Alcatel, Siemens, Sprint…
We have “a single” new network
Everyone has a connection…
…but it is seldom used for person to person communication!
[Diagram: IP phones, XP and PIM clients on a SOHO LAN and an Enterprise LAN, joined through an Operator Network to the IP cloud]
So there is a big potential!
HTTP created the Web
SMTP created Email
SIP can create universal IP Communication person to person!
The Next Big Usage of the Internet!
A. Go beyond replacing sections of the PSTN by IP! The PSTN is something to interwork with, not the core to build around!
B. Go beyond the “quality” and “services” of the PSTN! The mobile phone world has shown that there is more than “black telephony”! POTS is 50-100 years old!
C. Get connectivity out to the end users! Aren’t we there??? THE TICKING BOMB!
How do we get there?
Everyone has a connection
Firewall/NAT problems!
[Diagram: IP phones, XP and PIM clients on a SOHO LAN and a Business LAN behind NAT/firewalls, DSL/Cable/MTU access, an operator network with NAT, an IAP, a SIP Server and a SIP/PSTN Gateway to the PSTN]
So, why don’t we just connect?
SIP is the Protocol for IP Communication Person to Person,
BUT IT DOES NOT REACH THE EDGE!
SIP does not traverse common NATs and Firewalls! And they are still being installed…
What is the difference?
Typical Internet protocol (SMTP, HTTP…): [Diagram: HOST – Internet – SERVER]
SIP (and H.323…) connects person to person: [Diagram: PERSON – Internet – PERSON]
Locate the person - Set up a session - Open real time media streams
SIP Firewall Problems
Firewall Problems:
Sessions initiated from outside the firewall
- OK, open port 5060, but…
Media streams on dynamically allocated port numbers
- Ooops… !
Even with public IP addresses inside
SIP NAT/PAT Problems
NAT & PAT Problems:
Where is the device?
- Registration/location function
Private IP addresses and ports in SIP messages
- Rewrite with globally routable addresses
IP address and port of media stream has to be modified
- NAT engine has to be dynamically controlled
Worse with private IP addresses inside
Suggested Solutions
Dynamically controlled Firewall/NATs
Midcom: By Firewall Control Proxy
UPnP: By the client (Windows)
SIP aware Firewall/NATs (SIP Proxy + Registrar)
General, handles complex scenarios
[Intertex (SOHO), Ingate (enterprise), …]
SIP aware Firewall/NATs (SIP ALG – non Proxy)
TLS not possible
STUN - Can cope with certain types of existing NATs
SIP clients need to get STUN into their SIP stacks
Requires STUN servers on the net
Tunnelling - Brings the SIP-client to an operator or a corporate LAN
Requires ALG for each client on LAN with own address space
IPSec, Proprietary
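The STUN alternative from the list above, as an added example (not from the slides or any vendor's stack): the classic RFC 3489 Binding Request a SIP client sends, the parser for the MAPPED-ADDRESS it gets back, and the point at which the “certain types of NATs” caveat bites. The server reply is constructed locally instead of coming from a STUN server on the net.

```python
import os
import socket
import struct

# RFC 3489 message types and the one attribute a SIP stack needs from the server.
BINDING_REQUEST, BINDING_RESPONSE, MAPPED_ADDRESS = 0x0001, 0x0101, 0x0001

def build_binding_request():
    """Return (wire_bytes, transaction_id) for a classic STUN Binding Request:
    16-bit type, 16-bit attribute length (0), 128-bit random transaction ID."""
    tid = os.urandom(16)
    return struct.pack("!HH", BINDING_REQUEST, 0) + tid, tid

def build_binding_response(tid, ip, port):
    """Constructed server reply, standing in for a real STUN server on the net."""
    attr = struct.pack("!HHBBH4s", MAPPED_ADDRESS, 8, 0, 0x01, port, socket.inet_aton(ip))
    return struct.pack("!HH", BINDING_RESPONSE, len(attr)) + tid + attr

def parse_mapped_address(data, tid):
    """Return the (ip, port) the NAT exposed for our socket, or None on a bad reply."""
    if len(data) < 20:
        return None
    mtype, length = struct.unpack("!HH", data[:4])
    if mtype != BINDING_RESPONSE or data[4:20] != tid or len(data) < 20 + length:
        return None                 # wrong type, not our transaction, or truncated
    pos, end = 20, 20 + length
    while pos + 4 <= end:           # walk the TLV attributes
        atype, alen = struct.unpack("!HH", data[pos:pos + 4])
        value = data[pos + 4:pos + 4 + alen]
        if atype == MAPPED_ADDRESS and alen == 8 and value[1] == 0x01:   # IPv4
            return socket.inet_ntoa(value[4:8]), struct.unpack("!H", value[2:4])[0]
        pos += 4 + alen
    return None

def behind_nat(local, mapped):
    """True when the address the server saw differs from the socket's own one.
    The SIP stack then writes `mapped` into Contact and the SDP c=/m= lines
    instead of `local`. That only works for NATs that reuse the same mapping
    towards every peer: a symmetric NAT gives each destination a new port, so
    the port learnt from the STUN server is wrong for the SIP server and for
    the RTP peer. That is the "certain types of NATs" limitation on the slide."""
    return mapped != local
```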
Real and Complex Scenarios
[Diagram: XP client and IP Phone on a LAN behind a Firewall/NAT, reaching SIP Server 2, SIP Server 3, SIP Server 4 and a SIP/PSTN Gateway over the Internet, with SIP and TLS connections]
Complications:
Tight firewalls?
Call transfer?
SIP server on the LAN?
Trusted connections, TLS?
Sooner or later:
The NAT/Firewall problem needs to be solved where it occurs!
Adding General SIP Traversal to a Firewall
Important components:
Firewall & NAT - Dynamic Firewall Engine
SIP Proxy - SIP Proxy Server, controlling the firewall
User Location - SIP Registrar, user location information
Firewall Control - Protocol communication between SIP Proxy and firewall
In the Ingate and Intertex products:
You got a SIP server! Use it just for firewall traversal AND/OR as your
- SIP Server
- Outbound proxy
- Inbound proxy
What have you got?
Firewall/NAT problems!
Firewall/NAT SIP transparency!
SIP Enabling the Private Networks
[Diagram: an office or home LAN with IP phones behind an IX66, an Enterprise LAN with IP phones and a SIP Server behind an inGate Firewall or a SIParator in the DMZ, DSL/Cable/MTU access, an operator network with NAT, an IAP, and a SIP/PSTN Gateway to the PSTN across the Internet]
IP Communications Using IP Networks
• Intranet IP VPN with IP communications
• Domestic and global IP communications
• PBX and PSTN – E.164 resolution
[Diagram: Customer Premises with PBX, PSTN Phone, SIP Phone, Router, Firewall, SIP Server and Enterprise Gateway, reaching the WorldCom Public IP Network and WorldCom PSTN; Managed Services (Vmail, OSS, Dialing Plans, Network GWY, Conf, IM, IN) and SIP Routing over IP VPN, Intranet IP Comm, Global IP Comm and other]
Many call routing options:
• Private/Public IP address
• DNS and DNS SRV records
• SIP aware NAT/PAT servers
Henry Sinnreich 4/10/2002
IP Communications Using IP Networks
[Diagram: the same Customer Premises picture, with callouts: Integration with existing phones; SIP Capable Firewall, Ingate and Intertex, First through SIT; No IP PBX Needed!; Enhanced Functionality]
[Diagram: Enterprise LAN with a Firewall and a Microsoft Greenwich Home Server (Presence, IM, Audio, Video, Data Collaboration) in the DMZ, a Greenwich Edge Proxy, Presence/IM and TLS across the WorldCom Public IP Network]
Mixed Environments
SIP capable firewalls make the difference!
[Diagram: Ingate Linköping LAN, Intertex Stockholm LAN and a SOHO LAN of Home Office Users in Sweden, FWD Booth #3 (USA/Sweden), and Booth #1 and Booth #2 in London; XP clients behind IX66 units, an inGate Firewall and a SIParator in the DMZ, all reached through DNS SRV over the Internet (“Just Another Internet Service…”) and a SIP/PSTN Gateway to the PSTN]
Product Examples – Ingate Systems AB
Enterprise Products
Complete Firewalls: Firewall & NAT/PAT, SIP Proxy, SIP Registrar
Add-on to Existing Firewalls: [Diagram: SIParator placed in the DMZ of an Existing Firewall]
Product Examples – Intertex Data AB
SOHO Products
IX66 Internet Gate, with or without ADSL modem built-in
OEM as: Telia SurfinBird Gate, PowerBit SafeGate
Review at: www.adslguide.org.uk/hardware/reviews/2002/q1/intertex_ix66-edflc.asp
The Intertex IX66 Internet Gate
A closer look
Firewall & NAT/PAT Router
SIP Proxy and Registrar
DHCP Server and Client
WEB Server for configuration
Smart Card Reader for security applications
Optional 802.11b Wireless LAN
SIP Appliance Control, LAC via expansion port
Optional ADSL and Splitter Built-in
[Photo: IX66 front panel]
SIP Capable Firewalls!
Ingate Systems AB, www.ingate.com, Box 10013, Slakthusplan 4, SE-121 26 Stockholm, Sweden. CEO Olle [email protected], Tel +46 8 6007750
Intertex Data AB, www.intertex.se, Rissneleden 45, SE-174 44 Sundbyberg, Sweden. President Karl Erik Ståhl, [email protected], Tel +46 8 6282828
See us in booth 1 & 2!