FAO: Telco, Can we trust a CPE?

Q Did you say the TOQrouter is located at the subscriber’s location?

In the fixed network it is. The telco delivers the access and service to the private LAN where the users are. (Before the TOQrouter, that was a huge issue for any VoIP service and required an E-SBC or some workaround method. Volume VoIP deployments have therefore ended up on RJ11 ports at IAD/CPEs, not being able to deliver anything more than the old POTS service.)  With the TOQrouters, the LAN users get SIP-connected.

In the mobile networks, the TOQrouter is located at the telco’s premise, where the telco today has the firewall for the Internet channel to the smartphones.

These are the important locations where the TOQrouter can perform the required functions. Actually, most of these functions can only be successfully performed between the service provider’s domain and the subscribers domain – at that demarcation point.

Q So we telcos can save having a specific network and don’t even have to roll out costly MPLS lines to enterprise customers?

Yes! Putting required functions at the wrong location in the network only complicates things and destroys the idea and benefits of a cloud! That is one reason why current VoIP networks don’t do more than POTS and are costly.

With the Internet+ model, you don’t have to pull a customer’s LAN into the center, AND do required functions in massive (single point of failure) and inflexible network elements. The TOQrouter CAN include all the E-SBC functions to do e.g. SIP trunking.

Q But can I trust a subscriber-located device, like the TOQrouter in the fixed network case? I know the electricity meter is at my house, but with Internet+ the TOQrouter does even more things at the edge.

Yes, the telco is in full control of the TOQrouter!

The TOQrouter is trusted to communicate with the SIP network by using Mutual TLS signaling while the service provider supplies certificates signed by a common root CA for all telephony service providers. The TOQrouter also authenticates users, or simply allows anyone on the private domain to use the SIP services.

The same certificate and PKI can also be used for:

• Connection of the TOQrouter to its management system (e.g. the now widely used, secure and scalable TR-069).

• Checking presence of the TOQrouter, its identity and the metering functions. This is preferably checked and authenticated via the management system.

• Delivery of the CDRs for billing. They can very efficiently be sent to the TR-069 management server and end up in an SQL database for further processing. On a private network, e.g. in the mobile operator case, simple Radius deliver can be used.

• Allowing only telco controlled access to the database for E.164 numbers to SIP addresses.

TR-069 is fully secure by using SOAP over HTTPS to transport its data. The CPE is always the HTTPS client, so TR-069 management can be as scalable as Google’s search engine reacting immediately on each key stroke from the world’s users.

Q That sounds even better than telcos current volume VoIP accesses, where we use CPEs with RJ11 telephone ports and provision the password to the CPE where no one can access it, doesn’t it? That is secure and working well for the telcos.

Yes, it does! There are some 100 million such CPEs or IADs deployed yearly. Nowadays they are most often provisioned and managed using the TR-069 protocol.

Actually, service providers usually trust those CPEs with their whole VoIP capacity, since the only limitation in how many simultaneous calls you can place over such access, only is in the CPE.

With the Internet+, we both use the password and the certificate. The certificate is issued (signed) by the service provider and can be revoked in case of misuse.

All telco certificates have a common root CA, so all TOQrouters can trust all other TOQrouters when communicating over the common IP network. That is how the Internetcloud idea and benefits can be used in a secure and controlled environment.

The signaling is always secure, using mutual TLS on the global (or public) side. Such security and control is not used in today’s VoIP networks, since the massive central equipment don’t have capacity for it. With the TOQrouter, enterprise subscribers can even select to have all their media encrypted. 

FAQ Article Listing