[VoiceOps] Issues with ISPs blocking SIP 5060 - 5061

Ryan Delgrosso ryandelgrosso at gmail.com
Thu Nov 21 14:17:13 EST 2013


Ditto. We have gone down this path but a few things to be aware of we 
have learned.

1: When switching from UDP to TCP for sip you introduce a failure point 
on the access side (tcp session). Devices that are rebooted etc will 
begin a new TCP session and thus create a new registration. If you are 
using a forking proxy this will create an additional registration 
orphaning the previous. Depending on your network config rapid reboots 
of CPE can have subscribers hitting a cap on concurrent registrations 
where under UDP, after reboots they would have resumed the existing one 
since there wasnt session state to deal with.

2: You can almost as effectively hide the sip traffic by using different 
ports (this also prevents your endpoints from getting slammed regularly 
by sipvicious)

On 11/21/2013 10:15 AM, Paul Timmins wrote:
> I keep wanting to just deploy SIP/TLS and SRTP for this. You can't SIP 
> ALG what you can't see.
>
> On Thu, 11/21/2013 12:55 PM, Matt Yaklin <myaklin at g4.net> wrote:
>
>     On Thu, 21 Nov 2013, J. Oquendo wrote:
>
>     > On Thu, 21 Nov 2013, Matt Yaklin wrote:
>     >
>     >>
>     >>
>     >> Will tunneling the sip/rtp packets be more common in the near
>     future
>     >> for SIP phone providers?
>     >>
>     >> matt
>     >>
>     >
>     >> From the ITSP side (where we provide trunks). Tunnels would
>     > be a nightmare, so they are a no-no. Now you're throwing
>     > in too many variables (Aggressive, Main, set ups, different
>     > equipment). Not to mention the overhead it would add to an
>     > SBC.
>     >
>     >> From the Managed PBX side of the equation... NO, but before
>     > I ramble on, define tunneling. Tunneling as in VPN? If the
>
>
>
>     Yes, a VPN tunnel that the CPE/SBC would have to handle
>     and connect back to a centralized location that the SIP
>     provider controls. Every SIP device behind the CPE/SBC would
>     have to go through the CPE/SBC.
>
>     The reason I mention it was recent SBC installs I did at
>     customer sites had tunnel options but I am unsure at the moment
>     if it was for site to site (full mesh setup) connectivity for
>     security reasons or more for getting back to the provider
>     for alternative reasons.
>
>     But the more I think about it... it does add complexity
>     that we would all like to avoid.
>
>     matt
>
>
>
>     > concern is security, TLS is suitable from the managed PBX
>     > side as we can firewall trusted CIDRs on the firewall to
>     > prevent recording/tampering.
>     >
>     > If you meant VPN tunneling... Would only work on a softphone
>     > because I have YET to see any VoIP device (phone, ATA, FXO,
>     > FXS) have any parameters to set up a tunnel. So I am unsure
>     > how one would truly call a VoIP Tunnel in a VPN sense, any
>     > kind of true tunneling. (Tunnel in Tunnel maybe, been a
>     > while since I dove into CCIP/IE like material.
>     >
>     > --
>     > =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
>     > J. Oquendo
>     > SGFA, SGFE, C|EH, CNDA, CHFI, OSCP, CPT, RWSP, GREM
>     >
>     > "Where ignorance is our master, there is no possibility of
>     > real peace" - Dalai Lama
>     >
>     > 42B0 5A53 6505 6638 44BB 3943 2BF7 D83F 210A 95AF
>     > http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x2BF7D83F210A95AF
>     >
>     _______________________________________________
>     VoiceOps mailing list
>     VoiceOps at voiceops.org <mailto:VoiceOps at voiceops.org>
>     https://puck.nether.net/mailman/listinfo/voiceops
>
>
>
> _______________________________________________
> VoiceOps mailing list
> VoiceOps at voiceops.org
> https://puck.nether.net/mailman/listinfo/voiceops

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://puck.nether.net/pipermail/voiceops/attachments/20131121/92564c8f/attachment.html>


More information about the VoiceOps mailing list