SIP comes to Hilton Head

Courtesy of Core Competence, Inc.

While not quite as newsworthy as the Philadelphia Eagles Cheerleaders visiting for their lingerie calendar photo shoot, I finally found time to install and use IP telephony in my office on Hilton Head Island. Sadly, no one from the Island Packet was interested in this technological breakthrough on the Least Coast.

I've installed an X-Lite SIP "softphone" from Xten on my laptop, and a Grandstream Budget-Tone IP Telephone. My SIP phone service and number are hosted by FreeWorld Dialup (FWD), which currently only supports SIP-to-SIP calls.

Expecting the worst (remember, I've configured ISDN and IPsec), I braced myself to deal with firewall and NAT issues. The only change I had to make to my firewall was to open the SIP Port (UDP 5060, incoming and outbound) to let me place and receive calls. SIP service can be run without NAT interference: with the FWD service, for example, you proxy to fwdnat.pulver.com:5082. I've tried both dynamic NAT (IP masquerading) and 1:1 (static) NAT through my firewall. Both work just fine.

The X-Lite software is free, and the self-configuring, branded version for FWD auto-registers you and provides you with a phone number and account. A $15 investment in a headset from Logitech and I was SIPping friends all over the country, for free. And you get free voicemail. What a country!

I next purchased a Grandstream IP phone from FWD and it, too, came configured, with my existing FWD account. The Grandstream Budget-Tone 102 is dirt cheap compared to the rest of the IP phones I found googling. It's got a consumer look but has enough "business" features for a home office: caller ID, speed dialing, conferencing, speaker phone, transfer. I hardly use these on my business phone (which was more expensive).

You can configure the phone using a browser. Unfortunately, the management interface doesn't use SSL, and the authentication challenge is only a password (not even a user ID), so you really ought to put the phone behind a firewall. You can also configure the phone using the fat-fingered keypad. This is as painful an experience as configuring fax machines, perhaps more so: if you choose to place direct phone calls to IP addresses on your own LAN (yeah, I had to try this), you must configure the dotted decimal IP address using the numeric keys. Trust me, it's not pretty.

Budgetone 102

I did run into a configuration mismatch between my firewall and the pre-configured Grandstream IP phone that took me some time and a wee bit of LAN traffic analysis to isolate. Thankfully, Ethereal parses everything. SIP makes use of the Real-time Transport Protocol (RTP), and the Grandstream phone came configured with the local RTP port set to 5004. Of course, my firewall was blocking inbound UDP traffic to ports other than 5060.

If you run into this situation, open UDP port 5004, or change your UDP policy to allow random UDP port assignment (1024-65535) for RTP. Once you have SIP and RTP running, go back to your firewall policies and restrict UDP to the IP addresses you've assigned to your SIP phone(s). Log UDP traffic (denies and allows) initially, until you have a good feel for how your firewall and SIP phones are interacting. You may want to refine your logging practice after a while, since voice over IP generates A Lot of packets.
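The RTP port a phone expects shows up in the SDP body of its SIP messages, on the `m=audio` line, which is where a mismatch like this one becomes visible in a capture. The following is an added example, not part of the original article: it reads the advertised media ports from a SIP message and lists the ones an inbound UDP allow list would drop. The sample INVITE, the addresses, the `example.net` names and the function names are all constructed for illustration.

```python
from ipaddress import ip_address

# Constructed sample message (not a real capture): an INVITE whose SDP body
# advertises RTP on UDP 5004, the phone default mentioned in the article.
SAMPLE_INVITE = "\r\n".join([
    "INVITE sip:1001@sip.example.net SIP/2.0",
    "Via: SIP/2.0/UDP 192.168.1.20:5060;branch=z9hG4bK-constructed",
    "From: <sip:1000@sip.example.net>;tag=1",
    "To: <sip:1001@sip.example.net>",
    "Call-ID: constructed-1@192.168.1.20",
    "CSeq: 1 INVITE",
    "Content-Type: application/sdp",
    "",
    "v=0",
    "o=- 1 1 IN IP4 192.168.1.20",
    "s=-",
    "c=IN IP4 192.168.1.20",
    "t=0 0",
    "m=audio 5004 RTP/AVP 0 8",
    "a=rtpmap:0 PCMU/8000",
])

def media_endpoints(sip_message):
    """Return [(media, address, port)] for each m= line in the SDP body."""
    _, _, body = sip_message.replace("\r\n", "\n").partition("\n\n")
    session_addr, current, found = None, None, []
    for line in body.splitlines():
        kind, _, value = line.partition("=")
        if kind == "c":                      # c=IN IP4 <address>
            addr = str(ip_address(value.split()[2].split("/")[0]))
            if current is None:
                session_addr = addr          # session-level default
            else:
                current[1] = addr            # media-level override
        elif kind == "m":                    # m=<media> <port>[/<count>] <proto> <fmt>...
            fields = value.split()
            current = [fields[0], session_addr, int(fields[1].split("/")[0])]
            found.append(current)
    return [tuple(m) for m in found]

def blocked_media(sip_message, allowed_udp):
    """Streams whose advertised port falls outside every allowed (low, high) UDP range."""
    return [m for m in media_endpoints(sip_message)
            if m[2] != 0                     # port 0 means the stream is disabled
            and not any(lo <= m[2] <= hi for lo, hi in allowed_udp)]

if __name__ == "__main__":
    print(blocked_media(SAMPLE_INVITE, [(5060, 5060)]))
```

With only 5060 allowed, the audio stream on 5004 is reported as blocked; adding `(5004, 5004)` or the wide `(1024, 65535)` range clears it.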

For the moment, SIP is a learning experience. I'm investigating how SIP traffic patterns affect small and medium business firewalls. Lots and lots of small packets put a heavier processing load on your firewall, and I'm curious to see whether your basic SOHO firewall can handle 8-10 simultaneous phone calls. I'm also curious to see how QoS handling in firewalls affects the call quality (which is generally good, though not quite the same as PSTN). Perhaps I'll put up a separate voice firewall. Oh, the things you can think...

Until I subscribe to or run a SIP-to-PSTN gateway, I only know a handful of people to call. Running my own SIP service would be a rip. I wonder if I could draw as many subscribers as the Palmetto Rural Telephone Cooperative?

Even if I don't become a SIPerator (SIPLEC?), I can already see a value in having a closed SIP user group. If the SIP phone rings, I know it's probably someone I want to speak with.