Hello fellow retronetworkers, In the USSE portion of this week's RetroNetCall (approximately 2 days ago, depending on how you look at time zones) I made some mentions about my SIP setup for interfacing with the outside world, and I got the impression that my attempts at explanation in that RetroNetCall weren't so great - so let me try explaining it better by way of the written word. Why connect to real PSTN? ------------------------- It appears that most retronetworkers other than me connect their retro phone systems to separate "not real" networks like C*NET, rather than real live PSTN. Why am I different in this regard? Answer: my main objective in this entire retronetworking venture is to use my choice of retro phone (in my case, GSM/2G) as my primary daily driver phone for real human communication. I know that other people somehow keep those sides of life separate, i.e., they will play with retronet toys for fun, but use some modern iPhone for everyday communication - but that is NOT me. I refuse to own or use or touch an iPhone, to the point that if I were to get into a horrible accident on a highway, I would rather bleed out to death on the side of the road than use an iPhone to call for help. Being able to use a retro GSM/2G phone as my main personal phone, and do so without depending on the fickle whim of T-Mobile, requires operating my own GSM network - that's what Osmocom CNI is for - and connecting said network to real live PSTN, as opposed to "toy" networks like C*NET. For my interconnection with real live PSTN in USA, I currently use the services of BulkVS and AnveoDirect, as well as Sopranica Telecom (jmp.chat) for SMS interconnection. More specifically, I rent real phone numbers from BulkVS, I receive all inbound calls to these numbers through BulkVS, and I use both BulkVS and Anveo as outbound routes. I use BulkVS as the outbound route for calls going to North America +1 destinations, and Anveo for calls going to any other country code destination. How inbound calls work ---------------------- I have a public-facing SIP server listening on standard port 5060; this server is located at DNS name sip-gw.sandiego2g.org. More specifically, on the time scale of years the actual IP address may change if I have to change ISPs or move the server from my home to some datacenter hosting when San Diego 2G Association expands (hopefully), but it will always be some static and public IP address (like it is now), and DNS will be updated in the case of any moves. (Right now I am hosting the server at my home on a business-grade Internet connection, but that's an implementation detail that can change without affecting the architecture or the public interface.) I have my BulkVS service configured to send inbound calls via SIP to this sip-gw.sandiego2g.org server, to the same IP to which this DNS name points. There is _no_ SIP registration or authentication or any of that complexity - instead BulkVS servers simply send a SIP INVITE to port 5060 at my static & public business IP address whenever an inbound call comes in to any of the phone numbers I rent from them. USA phone numbers cost only 6 cents per number per month with BulkVS, hence I have a bunch of them, many more than just my own personal phone number. However, my inbound SIP gateway (meaning themwi-sip-in process, all written by me, running on this sip-gw.sandiego2g.org server) is happy to accept inbound calls from anyone, not just from BulkVS servers. In other words, I fully support the principle of settlement-free peering in public phone interconnection. USA is a huge country, whereas the scope of San Diego 2G Association is explicitly limited to the named locality. Suppose someone else, somewhere else in USA, decides to mimic what we are doing and set up their own community-based GSM/2G network. Suppose that other community network (e.g., Keene NH) then wishes to peer with SD2G, such that SD2G routes calls to Keene-owned numbers directly to Free Keene network, and FKnet likewise routes calls to SD2G-owned numbers directly to SD2G, without paying BulkVS or Anveo or any other carrier to ferry those calls - from my side I will always warmly welcome any such peering arrangements! The technical implication of this "open arms" policy is that my public- facing SIP server is wide open to the world, receiving junk "probing" SIP packets from script kiddies 24x7x365. But all that junk is statelessly rejected without wasting server resources. In order for my gateway to do anything with an incoming SIP INVITE other than just toss it, that INVITE would have to be directed to one of NANP numbers that specifically belong to my network and not to someone else - and if someone is actually calling one of my numbers, then my gateway is happy to accept that call and route it to the respective GSM subscriber, no matter which IP or party or entity that SIP call came from. How outbound calls work ----------------------- My outbound gateway (themwi-sip-out) routes each outbound call to either BulkVS or Anveo, depending on E.164 destination country code - or more precisely, I can set up any number of routes, matching on any desired E.164 prefixes. But the mechanism is once again plain SIP INVITE packets only, no registration or authentication or any other complexity. Like every other reasonable wholesale SIP trunk provider, both BulkVS and Anveo support IP-based authentication: I simply go into my customer portal with each of these companies, and list in there that any SIP calls coming from my IP address are to be billed to my account. When I tried to explain this last part in RetroNetCall USSE, I was met with derision, people saying something about security holes etc. But I still stand by this architecture: we are NOT talking about a consumer or personal VoIP user connecting from their nomadic personal IP that will likely change all the time, this is a production deployment of SD2G (a long-term-established business entity) sending wholesale traffic to its contracted carriers. Whatever servers SD2G uses, these servers will always have static IP addresses - so what's wrong with simply whitelisting them? In that RetroNetCall USSE, I seem to have heard someone say something about IP spoofing - but how would such spoofing help any would-be attacker in my case? Suppose that someone wishes to impersonate SD2G, i.e., send a rogue call out to BulkVS or Anveo, but make it look like their call is coming from SD2G. A successful SIP call establishment requires a 3-way handshake: the caller sends INVITE to the callee, the callee responds with 200, and the caller follows up with ACK. Suppose an attacker sends a spoofed UDP packet to BulkVS or Anveo, with the source IP forged to indicate my SD2G server, and the packet content being a SIP INVITE which BulkVS/Anveo would accept as valid. The SIP carrier would then sends SIP responses to my IP address, hence those responses will go to my server and not to the attacker. The attacker will never learn the To tag assigned by BulkVS/Anveo to this call, and they will thus not be able to construct a valid ACK. And without that ACK, they won't get a successful call - so where is the problem? IP telephony carriers mucking with RTP -------------------------------------- I still don't understand why enterprise-oriented, business-serving (NOT consumer or end-user oriented) ITSPs modify SDP to make the RTP stream pass through their nodes, as opposed to letting it pass directly end to end. Suppose Alice Enterprises, a customer of ITSP-A, sends a SIP call to Bob Enterprises, a customer of ITSP-B. When BobEnterp receives the SIP INVITE addressed to them, they will see SDP pointing at some carrier nodes owned by unclear-whom (maybe ITSP-A, maybe ITSP-B, maybe some other "shared" party in that ecosystem), but not the original SDP from AliceEnterp pointing to AliceEnterp servers. Why??? In the RetroNetCall USSE I was told something about customer privacy, removing customer IP addresses. I totally understand doing that practice for consumer-oriented VoIP services, but why in the heck do they do it in the _wholesale_ SIP trunking business? It is my understanding that wholesale carriers like BulkVS work only with enterprise-level business entities - and surely a business entity of the latter type will have no need to hide their production servers? BulkVS say that they *don't* proxy RTP traffic, i.e., supposedly my RTP traffic does not pass through BulkVS servers, only SIP does. But then BulkVS is primarily a reseller of even bigger wholesale carriers like Bandwidth and/or Inteliquent, and it appears those parties then do proxy RTP, i.e., SDP blurbs I get from BulkVS (incoming INVITEs and answers to my outbound calls) are probably pointing to those carriers. I was also told in that RetroNetCall USSE that these carriers "don't want" to be transcoding my RTP traffic, at least domestically within USA, that doing so costs them CPU cycles etc. But who is then denying me the ability to talk AMR directly to the other party when calling or receiving a call from a VoLTE user on any of the 3 national carriers? All mobile phone users in USA, other than hard-core 2G holdouts like me, are on VoLTE: AT&T and Verizon only have VoLTE networks, they don't have any circuit-switched networks at all; T-Mobile has GSM only for "grandfathered" customers like me, and they push like hell to get these users to "upgrade" - hence mainstream, not hard-code-rebel T-Mobile users are also 100% VoLTE. And although I am no VoLTE expert, it is my understanding that VoLTE phones don't speak G.711 directly - instead they speak either AMR-WB (their preference) or AMR-NB as fallback. Yet whenever I receive a call from a VoLTE user, the SDP offer from BulkVS only lists PCMU, PCMA and G729 in this order - no AMR. In the other direction, if I send a call to BulkVS addressing the number of a VoLTE user, I can offer AMR and/or GSM codecs until I am blue, but only PCMU will be accepted in the answer - and if I send an offer that includes only AMR and/or GSM codecs, without PCMU, the call is rejected. Thus the result is that someone somewhere is transcoding between the PCMU they speak with me and the (presumed) AMR codec on the VoLTE leg. Who is doing this forced transcoding, and why? What is their perverse justification for denying non-transcoded AMR in outside calls to/from VoLTE carriers, and why is it so important to them to effect this denial that they gladly expend CPU cycles to do it? Still bewildered, Mother Mychaela