Newport Networks Blog

At the recent SofNet exhibition in London, Newport conducted a small, informal survey to sample what folks associated with the telecoms industry actually think and know about VoIP. Whilst the sample was just a few dozen delegates we did pick up on some interesting trends.

Biggest Obstacle: The first question was what was thought to be the biggest obstacle that VoIP services face. The result was an emphatic vote for Quality of Service, this beat security concerns into second place with worries over how to charge and bill in a lowly third place. In a way, this is no real surprise as VoIP services still are in the process of shedding the cheap and unreliable image (think how Skoda had to re-invent itself). Security? well I'll come to that in a moment. In last place billing - this is interesting, because in a recent interconnect conference in Amsterdam, the biggest debates were not around technical issues at all, they were around how on earth to you charge for these next gen services.

How Secure is VoIP: Second up was the big security question - how secure do you think voice over IP is? A surprising 60 percent of delegates believed that VoIP is ‘reasonably secure’ with 1 in 10 considering it to be secure with just 30 percent believing it to be insecure. This figures are interesting considering that the majority of SIP based VoIP services do not use encryption on signalling or media. Therefore, any reasonably well informed hacker can 'sniff' VoIP credentials from unsecured wireless networks, for example WiFi hotspots (see earlier post on that subject). Once they have your username and password they are free to use your service. I'm sorry, but that does not qualify as "reasonably secure" in my book.

Who is responsible for security: So on to the next question - who should be responsible for security?  A significant 60 percent of delegates surveyed believe that service providers should be responsible for security, followed by 35 per cent feeling that both the service provider and subscriber should be responsible. Absolutely agree on that one. I can take responsibility for securing my WiFi network at home, and my IT manager at work. But these precautions will not help me when I'm connected to an open, unsecured public network. The solution needed there is to encrypt both the media and the signalling.

What threats does VoIP face: Finally, we asked what were the biggest perceived threats to VoIP services. Nearly half of delegates named lack of quality (again), followed by identity theft (28 per cent), lack of interconnect between services (20 per cent), and denial of service attacks (9 per cent).

So what conclusions can we draw from these results. Well it is clear that service providers need to take action to address fundamental issues such as reliable quality of service and effective security to ensure they continue to retain or increase their market share. But also consumers need to be more aware of the security implications of using VoIP services, particularly when on the road where they are most useful. VoIP hacking may be in its infancy at present but you can be sure that hackers are taking the opportunity to "case the joint".  As consumers we can do our bit by securing our home WiFi, but ultimately it will come down to the service providers to offer a secure service.

DaveG

Following the short news item featured on the BBC web site's technology pages provocatively entitled Identity fraud hits net telephony, I though it would be worth filling in some of the background.

We have been looking at how easy or hard it is to capture Voice over IP account details. Now there are many ways in which this can be done, but we looked specifically at how an account can be 'sniffed'. This means access to a network and the ability to 'decode' the login.

First network access. Unauthorised access to traffic on a wired LAN is difficult (not impossible) so we looked at the easy option, unsecured wireless networks. These exist in two main places - First home Wireless networks that are run just as the are taken out of the box - no WEP or WPA. Secondly, wireless hotspots in public places. Whilst the first can be secured with little effort, the second is open for a reason - so you will log in and use it.

Open Public networks are a much more attractive proposition, easy access to lots of laptops.

So to the second requirement the ability to decode the login. The registration process requires your phone to send your username and password. This is not encrypted but uses a standard, and well known method to obscure the login details. This method allows the client to be very basically authenticated and also prevents replays (i.e. just capturing the login and playing it back to log in later), however if both the original challenge and reply are captured it is relatively straightforward to recover the username and password.

Combine these two weaknesses and we have an opportunity for fraud. So logging in to your VoIP account should really be treated with the same as care as providing your credit card details over the Internet. Users have been constantly reminded to look for "https://" and the little closed padlock. Same applies to VoIP - or should.

How can subscribers protect their accounts? At home make sure you've got WEP or better still WPA enabled. In public networks there is really only one solution - a secure service. This requires that the signalling is secured, not just the media. Most soft clients on the market today will support secure signalling however most service providers to not offer this service. In this case I believe it will have to be consumer pressure that pushes SPs to upgrade their services.

This type of fraud is still in its infancy, but that is no reason to ignore it. There is a black market out there trading VoIP account details. Jonathan Christensen, general manager of audio and video at Skype, also commented in the piece and questions how big a draw a free VoIP account would be for net criminals. However, I would like to point out they are not likely to steal "free" VoIP accounts, the VoIP market for 2007 in the US alone was estimated to be worth around $1.2 billion. For example, with your BT Broadband Talk details, calls to anywhere in the world could be made on your BT account - those are most definately not free.

I've been emailing with Sandro Gauci who edits the SIPVicious Blog if you want to read more on SIP security take a look. Sandro points out there are many ways of collecting VoIP credentials and is interested to here your opinions on the biggest vulnerabilities.

DaveG

Well I'm back from the SofNet exhibition which has been on for the last two days, the conference actually finishes today. The traffic on the show floor was pretty good on Tuesday but Wednesday was somewhat disappointing. Whilst the show generated a number of good leads I think we should expect more from a widely advertised event supported by BT.  I can only think that the intended audience was confused by the fact that the show is how on its third name in as many years - from 21C to C5 to SofNet. There was some talk that the IEC may co-locate the show next year with the Broadband World Forum event. To me that makes a lot of sense for both exhibitors and attendees.  There is a place in the calendar for a top European telecoms show that covers new and emerging technologies, convergence, IMS, Web 2.0 under one roof. This is even more the case given the current uncertain state of the VON shows.

If you exhibited or attended SofNet I'd be interested to hear you thoughts of the show and on its future.

DaveG

The SofNet conference and exhibition is only a week away now, if you are planning to attend then drop by stand 8005 and have a chat with us. If you have not already registered for the exhibition or the conference then why not take advantage of a free exhibition pass or 30% discount on the full conference pass compliment of Newport Networks.

We are holding a prize draw on the stand with a Nintendo Wii as the prize, so drop by with your business card, take part in out VoIP survey and enter the prize draw.

You will also have an opportunity to learn about Newports Call Routing Engine which is a complete end-to-end solution enabling carriers, ITSPs and ISPs to peer with other operators for wholesale call termination and origination.

See you at SofNet

DaveG

I was recently asked about QoS - Quality of Service - and what it means. The interesting thing is Quality of Service can mean a whole lot of different things to different people. If you ask a telecoms techy QoS will mean things like MOS scores - the actual quality of the voice, how compressed is it? What is the Jitter and Latency like.  However, if you are the subscriber sitting on the end of the phone quality of service can mean something completely different.  Take for example the user experience using a mobile phone - the voice quality is not as good as a land-line, however, we accept it, our calls often drop out as we go into buildings or our train goes through a tunnel. But whilst we would not accept these on our land-line, we forgive all of these things on a mobile because it's usefulness is its mobility.

Now we are standing on the edge of a mobile communications revolution... actually no... a communication mobility revolution, our experience will soon encompass voice, video, IM, Web Browsing, email and so on - all on the move. So what does quality mean for each of these? Well accessibility, continuity and reach are crucial.

Once we start using these services we will expect to be able to access them wherever we are. Now the average consumer is unlikely to know the difference between a dual-mode 3G/WiFi handset and a 3G handset used with a femtocell. As far as they are concerned there is a handset and there is a service and the former accesses the latter - don't care how.

This leads on to point number two - continuity.  I really don't want to access my services in an different way depending on where I am - I need uniformity of experience, so single network access or proper seamless converged access.

And finally, a key factor which governs the success and growth of these new services is REACH. Today we take it for granted that we can phone anyone on any network anywhere - it just works.  However, it only works because of the myriad of interconnects that exist between telephony operators today.  This did not happen over night, the standards which help connect our phone calls all over the world were over a decade in the making, and consider this - they were only connecting voice.  Now the consumer is expecting to enjoy the same reach with text messages, IM, Video, gaming and who knows how many more services.  But even connecting plain old voice in our new Next Generation Network World is fraught with problems, the power has moved from the core of the service provider network towards the consumer device. These devices are smart and they often decide on how they will encode the voice and where they will send it.

The world will need to interconnect all the emerging NGNs to ensure global service reach, and often neighbouring networks don't even talk the same dialect.  Mediation at the network border is set to be a key driver in the quest for global reach.

So what will QoS mean in NGN terms? A lot more that just jitter and latency - it means consistent global service delivery across multiple networks - Service sans Frontiers.

DaveG

Newport Networks' CEO John Everard has authored an article for Connect World Magazine.  The Article entitled "Networks for the social communications revolution" examines how our online activities are determined by our online access and how in turn the activities drive network evolution which in turn drives new online experiences.  Here is the abstract...

The Internet has become a social network, an entertainment network, a business tool and, often, a telephony substitute. Operators are migrating to converged IP networks to lower costs and provide a wider range of services - many in real time. WebPages and email do not require realtime availability, but VoIP and IPTV do. The broadband networks that the Internet uses will have to be upgraded to provide quality of service similar to what we have become accustomed to with telephony.

Read the complete article online.

In January I spoke with Internet Telephony Magazine's Rich Tehrani about Session Border Controllers and IMS. You can read the interview in full here in the January edition of the online version of the magazine.

Here are the questions we coverered:

• How will SBCs impact the IMS space?
• There’s no SBC element in the IMS specifications; does that mean IMS needs them?
• Does IMS cover all the functions required to deliver reliable multimedia services?How are you seeing your customers’ networks developing?
• Is IMS relevant to all service providers?
• Who is leading the charge?
• Is the market changing?

DaveG

Is Your VoIP Network Well Connected? that is the question that I was asked to answer in a Webinar recently hosted by TMCnet. The Webinar entitled Inter-network mediation in multimedia networks looked at how our traditional TDM networks are evolving to Next Generation Networks (NGNs), and how these will be interconnected.  I looked at the different types and tiers of operators and how the services they offer will be connected to their peer service providers, whether it be ad-hoc connections or regulated national interconnects. Finally, the challenges and opportunities that face the operators as they interconnect.  An interesting observation is that most technical issues that govern interconnect can be solved today, whether they be networks level SIP interoperability, or media codec negotiation, and they can be solved on the scale need to interconnect whole networks.

The Webinar presentation is archived and if you have some time you can view it for free here - there is a registration process.

The interesting observation that I brought away from a recent Interconnect conference in Amsterdam, is that it is the commercial issues that are the biggest challenge today. How to you cost the interconnect when it delivers so many different types of service? NGNs fall somewhere between the Internet model and the Telephony model and the charging mechanisms for these are completely different.

The issue of who pays for what was highlighted by the BBC's iPlayer when is recently hit the headlines (Well the Blogosphere at least) for creating an massive increase in bandwidth demand on ISPs - up to 200% in the first month (see also this post). So who pays for the additional bandwidth? This is an interesting meeting of content and access networks.  Clearly the additional pipes that the ISPs will have to buy will have to be paid for by someone, and at present the only option is probably to pass the cost on to the consumer through higher connection charges.  Wouldn't it be interesting if the Beeb had to pay for the right to deliver over the ISPs network - a sort of Internet road tax. There's a thought.

DaveG

We've had a log of conversations with folks recently about security of VoIP and what it really means to the user. But amidst all of this we're probably forgetting a the importance of security for the Service Providers themselves. A relatively new site covering security issues SecurityExtra.com has recently added a short article from yours truly. The piece called Taking a stance on VoIP security takes a look at a some of the issues, I believe that one of the important issues for the service provider is going to be providing the consumer with the confidence that their part of the equation is secure. Think of it like buying a car, these days cars have independent safety ratings, woudn't it be great if you could get the same infomation about the VoIP services offered?

DaveG

Many consumers will welcome the recent Ofcom decision to make it mandatory for VoIP service providers who connect calls to the Public Switched Telephone Network to support emergency calls. However, according an Ofcom survey 78% of them thought they already could!

It's 70 years since 999 emergency calling was introduced in the UK back in 1937. In 1986 it was introduced for mobile networks. At present 64% of consumer VoIP service do not offer emergency calling, but as of September 8th 2008 these will all have to offer 999/112 service.

There have been concerns in the past that VoIP based phones do not offer the reliability of a hard line, however, Ofcom recognises that seconds count when calling in an emergency and consumers should expect to use any phone to make the call. Another concern has been the mobility of VoIP services, the physical device you call from could be located anywhere.

The technology is available to address many of these issues, in fact we wrote a White Paper on Emergency Call Handling in VoIP Networks some time ago highlighting some of the issues and solutions. When the paper was written in 2006 the FCC in the US had mandated the support of emergency calls in VoIP networks, now that the UK and also Australia is following suit I'll have to update that paper!

Many of the service providers in the UK will have already planned for this move and will simply have to 'switch on' the facility.  VoIP is growing up fast, we're heading out of the wilful teenage tantrums to a responsible young adult. According to the Ofcom figures the number of UK households using VoIP grew from 5% in 2005 to 10% in 2006. With 30 million emergency calls being handled each year in the UK means VoIP providers must expect a significant number of calls to be placed from their services.

I'd be interested to hear if anyone has actually used their VoIP service to make an emergency call - and did it work?

DaveG