Overview
One of the most common questions we are asked is whether we recommend IP Auth or SIP Registration. This article lays out our feelings on both technologies, and why we recommend IP Auth over SIP Registration in almost all cases.
TL;DR - Use IP Auth unless you have to use SIP Registration. We do not offer an SLA on SIP Registration, and we prioritize IP Auth in our DDoS prevention strategy. (Don't worry though - we do have a mitigation procedure in place for SIP Registration too :D)
Technical Overview
Before doing a deep dive on the benefits of one over the other, let's discuss how each protocol works first.
SIP Registration
More info here: https://support.skyetel.com/hc/en-us/articles/360056914834-SIP-Registration
SIP Registration works by allowing all traffic into our routers and authenticating it with a username and password. This authentication is repeated at regular intervals (usually about every 2 minutes).
Pros
- SIP Registration is usually easier for NAT Traversal.
- SIP Registration handles dynamic public IPs much better than IP Authentication.
- Many older PBXs do not support IP Authentication, and only work using SIP Registration.
- SIP Registration supports "dumber" devices like Desk Phones, ATAs, etc.
- SkyeFax solely uses SIP Registration for its T38 devices.
Cons
- SIP Registration is fundamentally insecure. In cases where your credentials are stolen out of your PBX, they can be configured on dozens of fraudulent PBXs. This happens all the time, and when they are stolen you can wind up with a multi-thousand dollar bill.
- Because SIP Registration requires all traffic to be able to reach our routers, and relies on DNS, it exposes more attack vectors to a DDoS attack.
- SIP Registration relies on DNS entries (or BGP routing) for failover. Both of these are slow.
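The stolen-credential risk in the first item above, seen from the registrar's side, as an added example (not Skyetel's code). The log format, usernames and addresses are constructed, and the 5-minute window is an assumption chosen to span a couple of the roughly 2-minute registration intervals described earlier.

```python
import ipaddress
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample data: "<ISO timestamp> REGISTER <username> <source IP>".
# The format, usernames and addresses (RFC 5737 ranges) are made up.
SAMPLE_LOG = """\
2024-05-01T10:00:00 REGISTER office-a 192.0.2.10
2024-05-01T10:02:00 REGISTER office-a 192.0.2.10
2024-05-01T10:04:00 REGISTER office-a 198.51.100.7
2024-05-01T10:06:00 REGISTER office-a 198.51.100.7
2024-05-01T10:00:05 REGISTER office-b 203.0.113.5
2024-05-01T10:01:10 REGISTER office-b 198.51.100.99
2024-05-01T10:02:05 REGISTER office-b 203.0.113.5
2024-05-01T10:03:10 REGISTER office-b 198.51.100.99
not a registration line
"""

def parse(log_text):
    """Yield (time, username, ip) per well-formed line; skip anything else."""
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4 or parts[1] != "REGISTER":
            continue
        try:
            yield (datetime.fromisoformat(parts[0]), parts[2],
                   ipaddress.ip_address(parts[3]))
        except ValueError:
            continue

def shared_credentials(log_text, window=timedelta(minutes=5)):
    """Return {username: sorted IP strings} where one source re-registers
    after a different source was seen inside `window` (interleaving).
    A one-way change (old IP stops, new IP starts) is not flagged."""
    last_seen = defaultdict(dict)          # username -> {ip: last time}
    flagged = defaultdict(set)
    for when, user, ip in sorted(parse(log_text), key=lambda e: e[0]):
        seen = last_seen[user]
        if ip in seen:
            for other, other_time in seen.items():
                # `other` registered after this IP's previous registration
                # and recently enough to still be active.
                if other != ip and seen[ip] < other_time and when - other_time <= window:
                    flagged[user].update({str(ip), str(other)})
        seen[ip] = when
    return {u: sorted(ips) for u, ips in flagged.items()}

if __name__ == "__main__":
    print(shared_credentials(SAMPLE_LOG))
```

In the sample, office-a moves from one address to another once (a dynamic IP change) and is not flagged, while office-b alternates between two addresses and is. A connection that flaps back to a previous address inside the window would also be flagged, so treat hits as leads to verify.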
IP Authentication
More info here: https://support.skyetel.com/hc/en-us/articles/360040710674-IP-Authentication
IP Auth is a much simpler architecture. When you provide Skyetel your Public IP, we automatically authenticate all traffic that originates from it. There are no recurring authentication steps, and so long as your PBX has our IPs whitelisted, failover is instant.
Pros
- IP Auth does not have the same capacity limits that SIP Registration does. You can send us a bajillion-gazillion concurrent calls, and our network would politely pass it along to your destination.
- IP Auth is absurdly scalable. All carrier peers used by Skyetel only support IP Auth for this reason.
- IP Auth is exceptionally secure. Attackers need to gain access to the SIP layer of your PBX and use it as a proxy in order to create fraudulent traffic.
- IP Auth is fast. Once your PBX is online in all 4 regions, our network can route around any issues behind the scenes to deliver your calls to your PBX.
- IP Auth is prioritized over SIP Registration in our DDoS mitigation strategy.
Cons
- IP Auth requires a dedicated IP address.
- IP Auth is trickier to configure; you need to make sure that you either port forward to your PBX, or establish a 1:1 NAT rule on your firewall. It also requires additional testing to make sure you do not have UDP timeouts, SIP ALG errors, etc.
- IP Auth requires your PBX to be more modern and support multiple hosts for the trunk configuration.
Conclusion
When you are comparing these two technologies, it is important to remember your use case.
- If your customer is a small office with its own PBX, it's often easier to use SIP Registration, especially if the end user has a dynamic IP Address.
- If you are hosting your PBX in a datacenter and providing services to your customer, then we recommend IP Authentication.