Background

Since 2002, Packet Clearing House, with the support of Cisco, has operated a global hotline phone system which directly interconnects the Network Operations Centers and Security Incident Response Teams of Internet infrastructure providers, operators of Internet exchanges, critical individuals within the Internet security, policy, emergency-response, and governance community, and equipment vendors' support personnel. The principal purpose of the system is to provide a direct and immediate communications channel for operations information and incident response, but the system also functions as a global-scale testbed for Voice-over-IP (VoIP) development and deployment, and supports informal and non-emergency communications between members of the operations community.

The system utilizes the IETF-standard SIP protocol, which is non-propietary and enjoys functionally universal support among Voice-over-IP telephone vendors. Thus any SIP-compliant phone will work on the INOC-DBA network. The most commonly used phones on the system are the "hard phones" manufactured by Cisco and Grandstream, and the "soft-phone" from Xten, but many others are available and being successfully used on the system. The IPTel open-source project maintains more complete lists of hard and soft phones. For those interested in the underlying technology, more pointers can be found at http://www.cs.columbia.edu/sip/.

The phones utilize an Ethernet connection to the Internet, and intercommunicate directly with one another, rather than through a PBX or a PSTN phone switch. Unlike PSTN dial-plans, we dial by using already-assigned Autonomous System Numbers, followed by optional three-digit extension numbers. Thus the project name, INOC-DBA, or "Inter-NOC Dial-By-ASN".

This project is not a commercial service. There are no fees or charges associated with participation, nor are there any service guarantees. PCH provides registry, proxy, and directory infrastructure, as well as an operator service to assist with phone provisioning and the dial-plan.

Practical Details

The SIP protocol, which handles call-setup, uses UDP or TCP port 5060, while the RTP protocol, which carries the stream of voice data, uses configurable pairs of UDP ports above 1023, and in our case these are configured as 16384 through 16484. Thus if you want to connect a phone behind a firewall, the firewall must pass TCP/5060, UDP/5060, and UDP/16384 through UDP/16484 from the outside to the phone on the inside. This is usually a trouble-free procedure.

If the phone is to be connected behind a NAT, the outside IP address of the NAT must be static and entered into our provisioning system, and the ports mentioned above must be port-mapped through to the phone on the inside. A very few NATs, particularly PIX version 6.2 and IOS 12.2(8)T and later, are "SIP-aware" and have special understanding of SIP and RTP and provision for transporting them. We strongly recommended that you avoid NAT if at all possible. NAT is inherently problematic, and there continue to be unresolved problems, particularly when two parties behind the same NAT wish to talk to each other; they may not be able to hear each other at all.

Your simplest option, often best for bringing the phone up initially, or debugging firewall or NAT problems, is to simply put the phone on a network segment which is outside the firewall or NAT. Even if a phone were to be compromised somehow, there's no particular consequent risk or danger, and we have yet to experience any real-world security issues with unprotected phones.

Any phone which we have provided or which is booting from a configuration provided by our provisioning system will pick up an IP address from a DHCP server. If you do not have or wish to use a DHCP server to give the phone its IP address, you can unlock the phone's configuration and statically assign an IP address. If you have difficulty doing so, please contact us, and we can walk you through the process.

Once a phone has an IP address, it will register itself with our SIP registry, which works together with the SIP proxy and the DNS system to direct incoming calls to your phone. The INOC-DBA network uses SIP Express Router, or SER, as both registry and proxy. Other commonly-used proxies are Asterisk and Cisco SIP Proxy Server, or CSPS. Both SER and Asterisk are open-source, while CSPS is commercial. SER is the most commonly-used SIP proxy in service-provider production networks, while Asterisk provides the PBX-replacement features needed within enterprise sites.

As we move toward a mandatory authentication regime, it becomes increasingly important that all telephones using the system be represented by a database entry in our provisioning system. The directory is generated dynamically from the provisioning system every five minutes, so no telephone which isn't in the provisioning system can appear in the directory. As we add services like conference-bridging, authentication will become mandatory in order to assure participants that there are no unidentified listeners.

How do I use the system?

While the principal motivation for building this system is to provide a channel for operational communications, we recognize that any successful telephone network will also carry business and social traffic. One of the benefits of this network which is most frequently cited by its users is the fact that callers are pre-screened for clue. Calls cannot enter the network from the outside PSTN. We would like to maintain that high ratio of signal to noise in order to keep the utility of the network as high as possible for its users.

Once your telephone has successfully booted up, you'll notice a column of numbers along the right hand side of the screen. These are the phone numbers which people can dial to reach you. To find the numbers of other participants who've asked to be publicly listed, you can consult the directory available on the PCH web
site:

https://www.pch.net/inoc-dba/console.cgi?op=show_pubdir&list=user

In order to ring all of the phones within an organization, simply dial the organization's Autonomous System Number (ASN) and press "send" or the pound key to initiate the call. If you wish to call a specific person's phone, dial the ASN, the star or asterisk key (*), and their three-digit extension number. For instance, to reach anyone within PCH, you would simply dial 3856#. In order to reach Bill Woodcock specifically, you'd dial 3856*WEW# (3856*939#). If you wish to use a native SIP addresses rather than dialing numbers, that would be 3856*WEW@inoc-dba.pch.net.

How else can I use this phone?

Some SIP phones, particularly the Cisco 7960s which are in most common use, can support several different dial-plans and register with many different VoIP networks simultaneously. Thus many of the INOC-DBA users are also simultaneously using the same phone on their internal corporate network, for PSTN calls via a commercial service provider like Vonage or Net2Phone, and for personal networks of friends and family.

Something that bears remembering is that these phones and this network are different from the traditional telephone network in nearly every way; they have extraordinarily different strengths and weaknesses. It may help to think of them as a sort of open-source alternative to the TDM public telephone network. The cost of operation is free or nearly so; the connection quality is much more variable, but is on average spectacularly better; flexibility and capacity for features are limited only by the creativity and imagination of programmers who choose to work in this area. On the other hand, there's no voice directory assistance or E911, nor anyone to come fix site-specific problems for you. Fundamentally, you're responsible for maintaining IP connectivity between the phone and the nearest Internet exchange where we operate a SIP registry.

Beta testing

The INOC-DBA system is being continuously developed, and a small subset of the users choose to participate in the testing process, using features which have not yet reached a state of stability appropriate to general release. Bearing in mind that the beta features are unstable and change frequently, if you have a strong interest in assisting us with pre-release testing, please contact us.

As the project develops, we'll put additional tutorials and documents in the http://www.pch.net/inoc-dba/docs/index.html directory.