VoIP networks face security concerns. How best to address those concerns can be gleaned from experience with regular IP networks.

VoIP comes with all of the risks associated with IP traffic. There are standard IP protocol issues – denial of service problems, routers and switches carrying traffic need to be configured to industry standards, and the like. There are also privacy issues for users. These require rigorous QoS routing to ensure traffic terminates in the appropriate place. Strict separation of user traffic and data associated with callers is also important.

To address these risks, an infrastructure has to be built with security in mind from the get go. When connecting to partners, it is safer to use a DMZ* which faces into the partner’s network as a staging area to bring traffic onto one own network. This affords some protection from network-facing services like VoIP. There is also a need to regulate the type of traffic permitted, where it comes from and where it’s going through rules on routers and firewalls and switches. There is also a lot more logging of connections on these types of network segments. Firewalls, IDSs and IPSs** help identify problem traffic while it’s being attempted rather than after the fact.

Taken together these methods take the long view on VoIP security and help ensure solid protection from the ground up.

* “DMZ” refers to a de-militarized zone, a baston network that is exposed to the Internet. Typically your internet servers live there. You pay more attention to the DMZ and protect your internal network from it as well.
**“IDS” refers to intrusion detection system, which sniffs the wire looking for attack signatures, which it will alarm on if it finds one. “IPS” refers to intrusion prevention system. This device sits inline and can see and stop the attack.

Within the mobile world, data and voice services have traditionally been more closely intertwined than in the fixed world, because both voice and data services ran on the same radio access network. As a result, mobile operators face an even stronger incentive to migrate to IP. Not only can IP deliver efficiency gains in the core and at the endpoints, IP can also significantly simplify the radio access layer.

Once mobile phones reach the point of having as much bandwidth as a home cable modem, handsets that encode voice to IP directly at the handset level will be a strong driver for IP networks for MNOs.

However, two challenges that will need to be overcome are quality issues and capacity buildout. Because mobile customers pay a premium for voice services, that quality expectations rise as well. Meanwhile, mobile operators face the challenge of scaling up capacity at the sales side, while simultaneously enabling their core networks to carry increased IP traffic that strong demand for data services is generating.

In the end, as the popularity of data services grows, mobile operators may end up having much more in common with ISPs than with traditional voice providers when it comes to their business models.

Carriers concern themselves with IP security threats on their own networks, as well as along interfaces with their partner networks. How to manage these threats and limit exposure to your own network is a constant concern.

The core of the matter is enforcing best practices on your network at the physical, logical and management layers. The right people have to have access to the right equipment, deploying the proper configurations while also ensuring that unauthorized use is not exposing your network to compromise, is properly monitored and is not tolerated. Security best practices are certainly desirable on the partner side of the network, and it’s important to maintain protection for your network at the seams in agreements made with your interconnect partners. Some areas of focus include obscuring your network typology to protect your core and your customers, establishing overload protection to prevent system overloads to impact your core network and impact your customers performance, implementation or flexibility to allow for nat-traversal to limit exposure of public-private network interfaces, and installing and updating session-border controllers are constructive strategies to mitigate risks to your customers and core network systems.

Industry-wide security guidelines for partner networks are a work in progress and these guidelines will be evolving foundation principles geared to make managing partner relationships and securing VOIP inter carrier relationships. For example the GSMA has laid out a “security code of conduct” for mobile operators transitioning to IP networks for their voice and signaling traffic, and these principles need to translate not just to mobile partners but to other types of voice operators, as well. Even in the absence of such guidelines, it is important to note that security practices have continuously evolved over the years as new forms of communications and models are formed, for carrier partners, enterprises, as well as for end customers.

Educating the people within your organizations and continually evolving your policies leads to solidifying security not just for your network but also for your customers and partners.

In the wholesale environment, the majority of traffic is carrier-to-carrier. We manage today’s security challenges by learning from yesterday’s mistakes. Past issues have inspired us to create internal processes which ensure that our new customers join us in taking responsibility for network security.

Subnets owned by partners have raised security flags in the past. Now we have processes for carriers to assume responsibility for their subnets. Alternately, we work with the local ISP to ensure they assume responsibility.

As time goes on, more and more customers are insisting that we too demonstrate our commitment to responsibility in security. Many have their own standards they want us to meet or exceed. In addition, they want options in security, particularly those carriers who are involved with industry-wide security efforts like i3Forum.

Embracing evolution in responsibility for security on both sides of the table is an important part of today’s partnerships, and is the ultimate best practice in security.

An important meeting was held on July 21st in Delhi where the Indian Department of Telecommunications (DoT) issued guidelines for the IPv6 deployment in India based on a set of recommendations issued by TRAI, the Telecommunications Regulatory Authority. The meeting was organized by TEC, the Telecommunication Engineering Centre which is part of DoT.
The session included presentations by the Government and Telecommunication providers including Tata Communications and TTSL, the Tata Group Mobile operator.

The agenda and copies of the various presentations can be found at http://www.tec.gov.in/seminar.html

What follows is a synopsis of the status of the Indian Telecom sector and the Government recommendations as well as an overview of IPv6 deployment in the Tata Communications Indian domestic IP network AS4755 and its international IPv6 connectivity through Tata Communications Global IP network AS6453. The Tata Communications IP networks already respond to most if not all of the DoT recommendations making it number one in terms of IPv6 deployment and coverage in India.

1. Indian telecom sector

• Total subscriber base of of 452.91 million as of May 2009
• year over year growth rate of 42.99% during 2008-2009
• second biggest network in the world
• teledensity of 37.94 per 100
• adding about 11 million telephone subscribers per month (May 2009)
• 13.64 million internet subscribers, 6.4 million BB customers (May 2009)
• 59.48% growth in BB during 2008-2009

2. Internet growth

Source: DoT

• total of 270 ISP licenses in the country
• 281 telecom access service providers in 22 service areas; the scope of access services includes internet, broadband and unrestricted internet telephony since 2004.

3. India’s insufficient IP address space

• the current pool of Indian IPv4 addresses is around 19 million
• based on most recent statistics, India’s consumption of unique IP4 addresses has grown 52 %
• India is number 20 in the world in address consumption
• Transition to IPv6 is the only viable medium term answer to satisfy anticipated demand for unique IP addresses.

4. Regulatory environment

• In 2004 then Minister Of Communications Hon. Mister Maran set up a 10 point agenda for the modernization of telecommunications in India. The ten points included broadband, introduction of 3G in telephony and the transition to IPv6
• Consultations on IPv6 were held with the industry in following years and position papers prepared by TRAI (Telecommunication Regulatory Authority of India).
• The introduction of Wimax and 3G will further accelerate the observed DSL based growth of BB. Use of USOF (Universal Service) funds will accelerate broadband penetration in rural areas.
• As this acceleration will exacerbate the shortage of IP addresses, the DoT (Department of Telecommunications) decided to promulgate an IPv6 adoption and migration strategy which was first announced in June.

5. The Department of Telecommunications IPv4 to IPv6 transition strategy finalized in June 2009

The Government took the decision to act on the TRAI recommendations for IPv4 to IPv6 transition

Highlights

• Migration through encouragement rather than through mandate
• Increase awareness of IPv6 deployment through workshops and seminars organized through all relevant agencies including TEC (Telecom Engineering Centre which is part of DoT) through private and public partnership programs.
• Creation of a NIR in India (so far India has no national registry for internet addresses: IP addresses are obtained directly from APNIC, the regional internet registry for Asia).
• Government’s procurement of IT systems and networks are to be IPv6 compatible.
  DoT encourages and supports setting up testbeds by different entities including one by TEC which is already a certifying agency.
• The international gateways are to be upgraded to support IPv6. Note that the three Tata Communications international IP gateways which are provided through AS6453 (Mumbai, Cochin, Chennai) are completely dual stack IPv4/IPv6
• IPv4 and IPv6 equipment will coexist for quite some time but all new equipment deployed by end 2010 must support IPv6
• Telecom equipment manufacturers should make an effort for indigenous production and development of IPv6 compliant equipment

The objective is for the Indian Telecom Industry to use the IPv6 migration/transition for competitive advantage developing innovative IPv6 based applications and to provide full featured value added services on IPv6.

6. Status of IPv6 deployment in India today

Only 22 entities (ISP’S and R&E) have obtained IPv6 address blocks from APNIC, only four of which have deployed and announce their IPv6 routes: Ernet (India’s R&E network, equivalent of Canarie), Sify, HNS and Tata Communications.

Note that on its domestic Indian IP network (AS4755), Tata Communications provides the most extensive IPv6 support in India using 6PE technology for access and an MPLS core. IPv6 access is available in all 16 cities depicted in tier 1 and tier 2 (two inner circles) and will be expanded to tier 3 based on demand.

• AS 4755: 117 locations across India
• 3-tier Hierarchical topology
• IPv6 dual stack edge 6PE with MPLS core
• 9 Big Tier 1 cities including 4 metros
• 7 Major Tier 2 cities
• 101 Tier 3 cities

India still has a long way to go in its development including the telecommunications sector where the size of the market and the anticipated continuation of very rapid growth has attracted investments and participation by a number of foreign telecommunications companies. These include AT&T, BT, C&W, FT Orange, Verizon etc, all encouraged by an attractive liberalization policy by the Federal Government. NTT Docomo of Japan, for example bought for US$2.7 billion, a 26% stake in TTSL, Tata Teleservices Ltd, the Group’s mobile telephony operator in India. It should also be kept in mind that Indian software development departments of some major telecomm equipment manufacturers and software houses have participated actively in the development and testing of IPv6 features and functionalities creating a growing pool of home-grown IPv6 expertise.

References
1) http://www.trai.gov.in/Default.asp
2) http://www.mit.gov.in/
3) http://www.dot.gov.in/
4) http://www.tec.gov.in/
5) http://www.tataindicom.com/t-aboutus-ttsl-organization.aspx
6) http://www.tatacommunications.com/

Mobile operators have built a strong – and still growing – business around delivering voice and messaging traffic. However, with the rising popularity of 3G data services and smartphones, mobile operators are seeing traditional revenue streams come under competition from similar data services delivered over the Internet, and within an IP ecosystem.

For MNOs, the potential for competition in these core services, whether from IM applications that replace text messaging, or VoIP applications that can even turn traditional voice calls into data streamed over a WiFi or 3G connection, could revolutionize their business. As a result, mobile operators tend to have difficult questions about the potential loss of revenue and loss of control they face with IP services.

Nevertheless, as the popularity of the application store grows, and consumers continue to show strong demand for phones such as the iPhone and Blackberry that offer a more open and customizable experience, MNOs see as well a strong revenue potential in becoming primarily an IP and data delivery platform. Data services are currently priced at a premium, and access speeds are increasing exponentially.

For MNOs, success in an IP world will require the ability to work with content and application providers to collaboratively deliver a differentiated user experience. With the right services, mobile operators could face an even brighter IP-enabled future.

In India we saw the Department of Telecommunications take action. Late June the Telecom Engineering Centre organized a seminar where the recommendations for IPv4 to IPv6 transition put forward by the regulator (TRAI) were adopted.

The highlights of the plan reflect a traditional Indian non-aggressive but nonetheless forceful persuasion.

• Migration through encouragement rather than through mandate
• Increase awareness of IPv6 deployment through workshops and seminars organized through all relevant agencies through private and public partnership programs.
• Creation of a National Internet Registry in India.
• Government’s procurement of IT systems and networks are to be IPv6 compatible.
• DoT encourages and supports setting up testbeds including one by TEC which is already a certifying agency.
• The international gateways are to be upgraded to support IPv6; IPv4 and IPv6 equipment will coexist for quite some time but all new equipment deployed by end 2010 must support IPv6
• Telecom Equipment manufacturers should make an effort for indigenous production and development of IPv6 compliant equipment.
• The objective is for the Indian Telecom Industry to use the IPv6 migration/transition for competitive advantage developing innovative IPv6 based applications and to provide full featured value added services on IPv6.

New Zealand chose a similar approach: The Government will act by example, not regulation as they said at a recent series of conferences. And in the United States we saw NIST issue the latest version of the IPv6 test program while the Department of Defense issued an update on its IPv6 Standard Profile requirements. The OECD, in the meantime, published its Communications Outlook 2009 with its heavy complement of statistics including the IP address situation.

July saw IETF75 meet in Stockholm and the adequately named ‘Behave Working Group’ spent considerable time on translation between future IPv6 only, dual stack and old IPv4 only devices and networks. Experts also continued to be knotted in NATland where one can even find a NAT66. Will we see a NAT666 one day? Vade retro Natanas!

Enforcing security best practices is a multi-faceted effort. Let’s investigate carrier-side issues first.

The initial step is to identify the types of threats faced. There are several potential security risks that IP administrators and service providers have to look at in VoIP. There are threats against availability, confidentiality, data integrity, social context. Some of these threats show themselves in DOS attacks, eavesdropping, viruses, malware, spitting, toll fraud, protocol vulnerability, or vulnerabilities in soft-phone applications.

Safeguarding against risk means having proper prevention, detection and mitigation measures in place. Harden your equipment. Install the latest patches, as firmware and software upgrades will allow you to benefit from already-exposed and corrected vulnerabilities. Ensure you have the right perimeter defense. Deploy proper solutions at the edges to allow traffic between trusted and untrusted solutions. Proper planning and execution allow the proper ports and protocols to provide communication required, and having the appropriate authentication for your users – whether they are individual users or carriers coming on to your network are ideal best practices. If viable, run traffic over VPNs to minimize eavesdropping. Segment your VoIP traffic via VLANs and isolate or segment it from data traffic. Encryption can also be deployed, but it has to be at a measured level so you don’t encounter service quality issues.

By using common sense, appropriate security devices and exercising best practices, VoIP security issues can be addressed. Partner networks raise other security issues, which we will also investigate.