SIP ChallengesSIP Challenges

Henning SchulzrinneColumbia University

SIP Summit, Austin, TXSept. 2001

OverviewOverview

SIP CW watch SIP performance SIP security challenges SIP deployment challenges

Dog food SIP standardization

SIP CW watchSIP CW watch IM & presence as new application Voice-over-DSL Voice-over-cable Internet PBX

Primarily large businesses Proprietary systems still dominate

3G WAPv2 is not the differentiator

SIP CW watchSIP CW watch PC-to-PC

Free calls disappearing Carrier backbones ? Tie lines

H.323 most common – simple, so anything works

Multimedia conferencing H.323 dominates Windows XP?

SIP (& VoIP) road blocksSIP (& VoIP) road blocks

Value Per-seat costs similar to PBX Incremental costs larger as long as

capacity Green field, capacity upgrades (but $

for UE!) QoS (perception) problems in WAN

Getting SIP servicesGetting SIP services Services constrained by least

common (PSTN) denominator No point waiting for killer application,

but enabling vertical applications Develop phones that allow services Revisit old CTI idea, but with easier

control? Deploy SIP services alongside PSTN:

IM for conferences (“Alice speaking”) Presence for call management

SIP performanceSIP performance For small systems (< 1000 lines?),

SIP performance is not likely to be an issue

But matters for carriers and large PBX: 20,000 users generate 5.5

registrations/second During busy hour, 60,000 calls 16/s BSC may host 1 million customers

SIP performance metricsSIP performance metrics Much harder than PSTN switch busy

hour call attempt (BHCA): Server may run on different hardware

and OS Backend database matters Variation in services – simple forwarding

to complex sip-cgi or CPL script Logging, network management Registrar and proxy on same host?

SIPstone = first attempt at measuring proxy, redirect and registrar performance

A@B@C@

SUT

• Useful for comparison & dimensioning

Typical load behavior hard to estimate capacity precisely, but want useful capacity

0

0.5

1

1.5

2

2.5

0 0.1 0.2 0.3 0.4 0.5 0.6 0.7 0.8 0.9

resp

onse

tim

e

load/capacity

SIPstone composite metricSIPstone composite metric

UDP TCP

Registration with authentication

0.2 0.05

Outbound proxy 0.1 0.05

Redirect server 0.1 0.05

Proxy 480 (no answer) 0.1 0.05

Proxy 200 (OK) 0.2 0.10

SIPstoneSIPstone Many different operating

environments and traffic mixes: Enterprise LAN 3G proxies (I/P/S-CSCF) Carrier entry point (aol.com)

Thus, report both composite and individual metrics

Simplify: no retransmissions 1xx delay limited to 2s

SIPstone futureSIPstone future

Find set of representative metrics – no value in having lots of metrics that have strong correlation

Additional weightings for specific uses?

Service scripts (servlets, cgi, CPL)? See http://www.sipstone.org

Security challengesSecurity challenges Denial-of-Service (DOS) attacks

Most common security challenge can bring whole server down, not just annoy one user

Prevent state establishment if IP address is bogus

Use of NULL authentication to challenge Authentication

Email experience (S/MIME, PGP) What does authenticating spamrus@hotmail.com mean?

“same person that called me yesterday” A caller known to call from sip:columbia.edu

Security challengesSecurity challenges Transport protection

IPsec is interoperability-challenged, hard to configure

TLS with server certificates easy to deploy

TLS client certificates less useful SIP request integrity

Digest (and Basic) authentication don’t protect headers against modification add digest across selected headers, using same shared secret

SIP deployment challengesSIP deployment challenges NATs and firewalls stream-oriented

setup, “tell me my external address” Large-scale configuration

Web-browser-based config doesn’t scale Tftp

User management should derive from existing sources (LDAP, corporate DB)

SIP deployment challenge: SIP deployment challenge: 911911

SIP 911SIP 911 Easier add & moves harder to

know where phone is Ideally, Ethernet jack identifies itself

“hi, I’m jack in office 815 CEPSR” Short term, force user to enter

location when plugging in phone IETF geopriv working group is

addressing general location services & privacy issues

A call for helpA call for help

With help from dynamicsoft, Yale, Nortel, Clarent, we set up emergency phone bank at Columbia after WTC

Better: have network of gateways in place in case of natural disaster

Will coordinate through SIP Forum

SIP standardizationSIP standardization

Roughly, in order of maturity DHCP outbound proxy Resource reservation SIP REFER for call transfer SIMPLE: message sessions? RFC2543bis: rewrite for clarity in

progress 3G: loose service routing SDPng

SIP longer-term issuesSIP longer-term issues

What is conference control? H.323 model is one approach Can leverage SIP events for state

changes REFER for muting bridge participant?

ConclusionsConclusions

Some SIP applications slower than expected, but IM as dark horse

Motivation: avoid PSTNv3 Technology: need simpler QOS Standardization: finish services Deployment: make it scale