Over the last decade, the telecom industry undertook a large-scale migration from legacy networks to Voice over IP (VoIP). VoIP brings numerous benefits such as reduced communication costs for end users, reduced operation and maintenance costs for carriers, and a large variety of new applications such as instant messaging, file sharing, video conferencing and much more.
With such a variety of functions, providers use different Customer Premise Equipment (CPE) to deliver telecom services to residential and enterprise subscribers. CPEs are a significant network component for securing communications between parties and ensuring quality of service. CPEs also adapt the connection between legacy and IP-based systems, and deliver advanced features in step with the evolving environment of modern communications. For service providers, CPEs represent an important element of capital and operating expenditure. It is therefore essential for CPE vendors to select a product design that offers a competitive pricing structure as well as efficient management tools that facilitate enabling new services. The following sections provide an overview of the Mediatrix product line's benefits and advantages for VoIP service deployments.
The Technical Report 069 (TR-069), also known as the CPE WAN Management Protocol (CWMP), is a Broadband Forum technical specification. This protocol can be used to monitor and update the Mediatrix unit's configuration and firmware. In other words, when using TR-069, the Mediatrix unit contacts an Auto Configuration Server (ACS) to initiate a configuration script transfer and execution, or a firmware upgrade.
The first time the Mediatrix unit is connected to the network, it attempts to contact the Auto Configuration Server (ACS), which is the administrator's entry point. The Mediatrix unit obtains the URL of the ACS either from the DHCP server (option 43) or directly from the Customer Profile. Upon start-up, the Mediatrix unit therefore contacts the ACS, which in return sends the required configuration files and initiates a firmware update if necessary. This automated sequence is referred to as zero-touch: the Mediatrix unit is configured by the ACS according to the instructions given by the administrator, without manual intervention on the unit.
The administrator can determine a schedule for the Mediatrix unit to periodically contact the ACS. These contacts will allow the Mediatrix unit to:
Monitoring is achieved by regularly sending notifications to the ACS by means of "Inform" requests, which can be:
Furthermore, the administrator can initiate a connection to the Mediatrix unit to perform immediate maintenance or monitoring. This is only possible if the NAT firewall in front of the unit has been configured to allow connections initiated by the ACS.
TR-069 can be activated on already deployed units with a licence key (for more details on licences, refer to the Technical Bulletin - How to activate a licence on a Mediatrix unit published on the Media5 documentation portal at https://documentation.media5corp.com/ ). It can also be enabled or disabled for a specific configuration via the Management interface.
TR-069 methods supported by the Mediatrix unit include:
The Simple Network Management Protocol (SNMP) can be used to configure all the parameters available in the Mediatrix CPE, to perform firmware updates, to import a configuration and to monitor the Mediatrix CPE.
To configure the Mediatrix CPE parameters with SNMP, either a secure SNMPv3 or a non-secure SNMPv1 connection can be used. The CPE does not grant SNMPv3 access without both authentication and privacy (the authPriv security level). Because the connection is initiated by the Management Server, the communication is usually unable to traverse the NAT firewall.
Unit monitoring is possible with SNMP because it provides access to all the status parameters of the CPE. Furthermore, the CPE can send notifications, called traps, to the Management Server, allowing the administrator to monitor specific events. Because it is the CPE that sends the notifications, the communication is usually able to traverse the NAT firewall; however, since SNMP traps are carried over UDP, delivery of notifications is not guaranteed.
The Mediatrix CPE supports the following SNMP methods:
The following Management Servers are certified to be used with our Mediatrix units:
The Command Line Interface (CLI) provides an access to interactively configure all the Mediatrix unit parameters.
The CLI is accessed through either a secure SSH session (default) or an unencrypted Telnet session. With SSH, all communications between client and server are encrypted before being sent over the network, so packet sniffers cannot extract user names, passwords or other potentially sensitive data. SSH is the default and recommended way to access the Command Line Interface; Telnet sends credentials and commands in clear text.
The command interpreter interface of the CLI allows the user to browse the unit parameters, write the command lines, and display the system's notification log.
For more details on the scripting language, refer to the DGW Configuration guide - Configuration Scripting Language Syntax published on the Media5 documentation portal at https://documentation.media5corp.com/ .
The Configuration Manager (Conf) service allows executing configuration scripts as well as performing the backup/restore of the CPE's configuration. Configuration scripts are files containing textual commands that are downloaded from a file server over the network to a Mediatrix CPE. Scripts can be downloaded using the FTP, TFTP, HTTP and HTTPS protocols. All available parameters used to configure the Mediatrix CPE are supported by the configuration scripts.
Written by the system administrator, scripts can be used to assign values to parameters or execute configuration commands such as:
The administrator can choose to trigger the execution of scripts in different ways:
It is possible to generate a configuration script from the configuration running on the Mediatrix CPE. This script can be used as a:
The automated importation of configuration scripts can be triggered by a Customer Profile or by a DHCP server that indicates the location of the file server with option 66 (server) and option 67 (file name). This is what is referred to as zero-touch: the CPE is automatically updated with the latest configuration scripts without manual intervention. Because the download is initiated by the Mediatrix CPE, it passes through residential or enterprise NAT and firewalls without special configuration.
Mediatrix offers a very detailed level of configuration. This provides the flexibility to adapt the configuration to almost any SIP implementation. SIP is based on a set of IETF RFCs and 3GPP recommendations that SIP vendors implement differently. These differences lead to interoperability issues that demand frequent adaptations when deploying servers and endpoints from different vendors. The large set of configuration parameters available on Mediatrix CPEs makes these adaptations possible.
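As an added illustration (not Mediatrix code, and not taken from the page), the following Go program parses a constructed DHCP options area the way a zero-touch client would: option 43 is decoded as TR-069's encapsulated sub-options (sub-option 1 = ACS URL, 2 = provisioning code), and options 66/67 yield the file server and script name for the configuration-script path described above. The sample bytes, host names and the `acsURLAllowed` policy are assumptions made for the example. The policy is there because DHCP itself is unauthenticated: a unit that accepts an http:// ACS URL from a DHCP offer can be steered to a rogue server by anyone able to answer DHCP on the LAN, whereas an https:// URL forces the certificate check described later on this page.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// DHCP option codes used for zero-touch discovery (RFC 2132; TR-069 ACS discovery).
const (
	optPad        byte = 0
	optVendorSpec byte = 43  // vendor-specific information: TR-069 sub-options live here
	optTFTPServer byte = 66  // "TFTP server name": file server hosting the scripts
	optBootfile   byte = 67  // "Bootfile name": the script file to fetch
	optEnd        byte = 255
)

// Sub-option codes TR-069 defines inside option 43.
const (
	subACSURL           byte = 1
	subProvisioningCode byte = 2
)

// parseTLV walks a code/length/value sequence. The same layout is used for the
// DHCP options area and for the sub-options encapsulated in option 43.
func parseTLV(buf []byte) (map[byte][]byte, error) {
	out := map[byte][]byte{}
	for i := 0; i < len(buf); {
		code := buf[i]
		if code == optPad {
			i++
			continue
		}
		if code == optEnd {
			break
		}
		if i+1 >= len(buf) {
			return nil, errors.New("truncated option header")
		}
		n := int(buf[i+1])
		if i+2+n > len(buf) {
			return nil, fmt.Errorf("option %d: length %d overruns buffer", code, n)
		}
		out[code] = buf[i+2 : i+2+n]
		i += 2 + n
	}
	return out, nil
}

// Discovery is what the unit learns from the DHCP offer before it contacts anything.
type Discovery struct {
	ACSURL, ProvisioningCode, FileServer, Bootfile string
}

// discover extracts the ACS and file-server hints from a DHCP options area.
func discover(options []byte) (Discovery, error) {
	var d Discovery
	opts, err := parseTLV(options)
	if err != nil {
		return d, err
	}
	if v, ok := opts[optVendorSpec]; ok {
		sub, err := parseTLV(v)
		if err != nil {
			return d, fmt.Errorf("option 43: %w", err)
		}
		d.ACSURL = string(sub[subACSURL])
		d.ProvisioningCode = string(sub[subProvisioningCode])
	}
	d.FileServer = string(opts[optTFTPServer])
	d.Bootfile = string(opts[optBootfile])
	return d, nil
}

// acsURLAllowed is a local policy (an assumption, not part of TR-069): DHCP is
// unauthenticated, so a plaintext ACS URL would let any LAN host redirect the unit.
func acsURLAllowed(u string) bool {
	return strings.HasPrefix(strings.ToLower(u), "https://")
}

// tlv encodes one option; used only to build the constructed sample below.
func tlv(code byte, value string) []byte {
	return append([]byte{code, byte(len(value))}, value...)
}

// sampleOptions is a constructed DHCP options area (magic cookie omitted), not a capture.
func sampleOptions() []byte {
	vendor := string(tlv(subACSURL, "https://acs.example.net:7547/cwmp")) +
		string(tlv(subProvisioningCode, "RESIDENTIAL-01"))
	var b []byte
	b = append(b, tlv(optVendorSpec, vendor)...)
	b = append(b, tlv(optTFTPServer, "prov.example.net")...)
	b = append(b, tlv(optBootfile, "mediatrix-base.cfg")...)
	return append(b, optEnd)
}

func main() {
	d, err := discover(sampleOptions())
	if err != nil {
		fmt.Println("discovery failed:", err)
		return
	}
	fmt.Printf("ACS=%s allowed=%v provisioning=%s server=%s file=%s\n",
		d.ACSURL, acsURLAllowed(d.ACSURL), d.ProvisioningCode, d.FileServer, d.Bootfile)
}
```

The length checks in `parseTLV` matter in practice: a DHCP offer is attacker-controllable on a shared LAN, so an option whose declared length overruns the buffer must be rejected rather than read past the end.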
The configuration database of Mediatrix devices is organised into services. Each service:
Parameters configure every aspect of the Mediatrix CPE behaviour including:
Access to parameters is granted according to administrator credentials; three access levels are supported, and this is customisable in Customer Profiles. Parameters can be accessed manually through the web GUI, SNMP management servers and the Command Line Interface.
Carriers and service providers usually define a configuration that applies to a large number of units in compliance with the network architecture. Configuration scripts are these commands and parameter values grouped in a text file.
To enforce security, configuration scripts can be encrypted and only Mediatrix units with the matching encryption key will be capable of decrypting and applying the configuration settings. Furthermore, configuration scripts can be downloaded and uploaded using Hypertext Transfer Protocol Secure (HTTPS) .
Configuration Script files are fetched by Mediatrix units from the network through any of the management interfaces available. Upon receiving the file, the Mediatrix unit executes each command line in sequence and assigns the values to the configuration parameters.
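The following Go program is an added example, not Mediatrix code and not the unit's actual script format: it shows the property the preceding paragraphs rely on, that a script encrypted under a shared provisioning key can only be decrypted by a unit holding that key. It uses AES-256-GCM, an authenticated mode, so that a script modified in transit is rejected outright rather than partially applied; plain encryption without integrity protection would not give that guarantee. The key generation, blob layout (nonce || ciphertext || tag) and the "parameter=value" sample script are assumptions for the example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
)

// newScriptKey generates a 256-bit key shared by the provisioning server and every
// unit expected to run the script (how it is distributed is out of scope here).
func newScriptKey() ([]byte, error) {
	key := make([]byte, 32)
	if _, err := io.ReadFull(rand.Reader, key); err != nil {
		return nil, err
	}
	return key, nil
}

func gcmFor(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// sealScript encrypts and authenticates a script. Layout: nonce || ciphertext || tag.
// A fresh random nonce per script is essential; GCM fails badly on nonce reuse.
func sealScript(key, script []byte) ([]byte, error) {
	gcm, err := gcmFor(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, script, nil), nil
}

// openScript is the receiving side. A wrong key, or any modified byte, fails the
// GCM tag check and returns an error, so no command from the blob is executed.
func openScript(key, blob []byte) ([]byte, error) {
	gcm, err := gcmFor(key)
	if err != nil {
		return nil, err
	}
	if len(blob) < gcm.NonceSize()+gcm.Overhead() {
		return nil, errors.New("blob too short to contain nonce and tag")
	}
	return gcm.Open(nil, blob[:gcm.NonceSize()], blob[gcm.NonceSize():], nil)
}

// sampleScript is a constructed placeholder in a generic "parameter=value" form;
// the real Mediatrix scripting syntax is documented separately.
const sampleScript = "Example.Transport=tls\nExample.ScriptServer=https://prov.example.net/\n"

func main() {
	key, _ := newScriptKey()
	otherUnitKey, _ := newScriptKey()
	blob, err := sealScript(key, []byte(sampleScript))
	if err != nil {
		fmt.Println("seal failed:", err)
		return
	}
	if out, err := openScript(key, blob); err == nil {
		fmt.Printf("matching key, script applied:\n%s", out)
	}
	if _, err := openScript(otherUnitKey, blob); err != nil {
		fmt.Println("other unit's key:", err)
	}
	blob[len(blob)-1] ^= 0x01 // one bit flipped in transit
	if _, err := openScript(key, blob); err != nil {
		fmt.Println("tampered blob:", err)
	}
}
```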
HTTPS is a transfer protocol widely used to secure communications over the Internet, including Internet telephony networks.
HTTPS carries Hypertext Transfer Protocol (HTTP) traffic inside a connection encrypted by Transport Layer Security (TLS). HTTPS is mainly used to secure the content of a web site and to transfer files securely.
A communication using HTTPS gives reasonable assurance that the targeted peer is the proper one, not an impostor, and that the data cannot be read or tampered with by any third party.
The Transport Layer Security protocol provides data privacy and integrity for computer network communications.
TLS is used for:
When X.509 certificates are installed on the unit, a secure TLS connection can be established with a peer. SIP (see SIP Transport Types), Hypertext Transfer Protocol Secure (HTTPS), and TR-069 or CPE WAN Management Protocol (CWMP) can then be used over the TLS connection.
TLS connections also prevent man-in-the-middle attacks, provided the unit validates the peer's certificate against an uploaded CA certificate. Important: The Mediatrix unit does not support a mix of both TLS and non-TLS links. Once TLS is enabled, it is enabled for all configured SIP gateways.
Although some parameters are available through the Web GUI, many parameters are not accessible through the Web GUI:
For more details on advanced parameters, refer to Transport Layer Security (TLS) Parameters .
Signalling is the protocol that registers a device with the network and establishes calls between peers.
To secure signalling, the Mediatrix unit connects to the network via SIP over TLS. The network is authenticated by a certificate, which guarantees that the Mediatrix unit is connected to the intended network rather than an impostor.
The network then authenticates the device by its username and password, using SIP digest authentication, to make sure the device is on the network's subscriber list. Together, these two authentications (a certificate for the network, digest for the device) provide private and reliable communications between the network and the device: a third party on the path can neither read the calling or called numbers nor tamper with the signalling.
An important aspect of communications security is that data sent and received between endpoints remains secured, reliable and private at all times.
When configured for complete security, signalling is performed over TLS with a certificate, and the unit transports audio and video through Secure RTP (SRTP). The Mediatrix unit verifies that the certificate presented by the peer for the session is valid, e.g.:
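To make the second half of that exchange concrete, here is an added Go example (not Mediatrix code) of the SIP digest authentication step: the device computes the `response` value it places in its Authorization header, and the registrar recomputes it from the stored credential to check the device. The algorithm is the RFC 2617 one that RFC 3261 adopts; the user name, realm, nonce and password are constructed values. Note what the example shows that the paragraph does not: the password itself never goes on the wire, only an MD5 digest bound to the server's nonce, so a captured response is useless against a fresh challenge. It does not, however, protect a weak password from offline guessing by someone who captures the exchange, which is one reason the page pairs digest authentication with TLS.

```go
package main

import (
	"crypto/md5"
	"crypto/subtle"
	"encoding/hex"
	"fmt"
)

func md5Hex(s string) string {
	sum := md5.Sum([]byte(s))
	return hex.EncodeToString(sum[:])
}

// Challenge carries the fields from the registrar's WWW-Authenticate header that the
// device echoes back, plus the client-chosen cnonce and nonce count.
type Challenge struct {
	Username, Realm, Nonce, Method, URI, Qop, NC, Cnonce string
}

// digestResponse computes the Authorization "response" value (RFC 3261 section 22,
// which reuses the RFC 2617 algorithm). With qop=auth:
//   HA1 = MD5(username:realm:password)
//   HA2 = MD5(method:uri)
//   response = MD5(HA1:nonce:nc:cnonce:qop:HA2)
// The password is an input to HA1 only; it is never transmitted.
func digestResponse(c Challenge, password string) string {
	ha1 := md5Hex(c.Username + ":" + c.Realm + ":" + password)
	ha2 := md5Hex(c.Method + ":" + c.URI)
	if c.Qop == "" { // older form without qop, still seen in the field
		return md5Hex(ha1 + ":" + c.Nonce + ":" + ha2)
	}
	return md5Hex(ha1 + ":" + c.Nonce + ":" + c.NC + ":" + c.Cnonce + ":" + c.Qop + ":" + ha2)
}

// verifyDigest is the registrar side: recompute from the stored credential and
// compare in constant time. A real registrar also checks that the nonce is one it
// issued recently and that the nonce count has not been replayed.
func verifyDigest(c Challenge, response, storedPassword string) bool {
	expected := digestResponse(c, storedPassword)
	return subtle.ConstantTimeCompare([]byte(expected), []byte(response)) == 1
}

// sampleChallenge is constructed for the example; the values are not from a real exchange.
func sampleChallenge() Challenge {
	return Challenge{
		Username: "1001", Realm: "sip.example.net", Nonce: "5f2d9c0a8b",
		Method: "REGISTER", URI: "sip:sip.example.net", Qop: "auth",
		NC: "00000001", Cnonce: "0a4f113b",
	}
}

func main() {
	const password = "correct horse battery staple"
	c := sampleChallenge()
	resp := digestResponse(c, password)
	fmt.Printf("Authorization: Digest username=%q, realm=%q, nonce=%q, uri=%q, qop=%s, nc=%s, cnonce=%q, response=%q\n",
		c.Username, c.Realm, c.Nonce, c.URI, c.Qop, c.NC, c.Cnonce, resp)
	fmt.Println("registrar accepts:", verifyDigest(c, resp, password))
	fmt.Println("wrong password:   ", verifyDigest(c, resp, "guess"))
	replay := c
	replay.Nonce = "a1b2c3d4e5" // registrar re-challenged; old response no longer matches
	fmt.Println("replayed response:", verifyDigest(replay, resp, password))
}
```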
The Mediatrix unit uses digital certificates based on the international X.509 public key infrastructure (PKI) standard. A certificate is a collection of data used to verify the identity of individuals, computers and other entities on a network.
Used with TLS, X.509 certificates support authentication, confidentiality, integrity and non-repudiation. The Public Key Infrastructure (PKI), which includes the hardware, procedures and software that manage the certificates, also provides public-key encryption. The PKI is therefore what allows signed certificates to be trusted.
To enable a TLS connection on Mediatrix units, at least one CA certificate is needed to validate the certificate presented by the server. This CA certificate must be uploaded to the Mediatrix units. The Mediatrix unit then checks the server's identity by validating the host name used to contact it against the names in the server's certificate. If either check fails, the Mediatrix unit refuses the secure connection. Certificates are used to secure the following connections:
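The two checks just described, chaining to an uploaded CA and matching the host name, are what separates a TLS connection that stops a man-in-the-middle from one that merely encrypts traffic to whoever answered. The following Go program is an added example (not Mediatrix code) that builds a small PKI entirely in memory, a provider CA with a certificate for an ACS plus a rogue CA that has issued a certificate for the same name, and runs the same validation the unit is described as performing. The CA and host names are constructed. It shows that a certificate for the wrong name fails even when it chains to the trusted CA, and that a certificate for the right name fails when it chains to a CA the unit was never given.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// issue builds a certificate from tmpl. With parent == nil it is self-signed (a CA);
// otherwise it is signed by parentKey, the parent's private key.
func issue(tmpl, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	signer := key
	if parent == nil {
		parent = tmpl
	} else {
		signer = parentKey
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, signer)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return nil, nil, err
	}
	return cert, key, nil
}

func caTemplate(name string, serial int64) *x509.Certificate {
	return &x509.Certificate{
		SerialNumber:          big.NewInt(serial),
		Subject:               pkix.Name{CommonName: name},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature,
	}
}

func serverTemplate(dnsName string, serial int64) *x509.Certificate {
	return &x509.Certificate{
		SerialNumber: big.NewInt(serial),
		Subject:      pkix.Name{CommonName: dnsName},
		DNSNames:     []string{dnsName}, // validators match the SAN, not the CN
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
}

// verifyServer is the check the unit performs before trusting a TLS peer: the
// presented certificate must chain to an uploaded CA, and the host name the unit
// used to reach the server must appear in it. A nil result means both hold.
func verifyServer(presented, trustedCA *x509.Certificate, host string) error {
	roots := x509.NewCertPool()
	roots.AddCert(trustedCA)
	_, err := presented.Verify(x509.VerifyOptions{
		Roots:     roots,
		DNSName:   host,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	})
	return err
}

// testPKI builds the constructed scenario: a provider CA with a legitimate ACS
// certificate, and a rogue CA that has issued a certificate for the same name.
func testPKI() (providerCA, acs, rogueAcs *x509.Certificate, err error) {
	providerCA, caKey, err := issue(caTemplate("Provider CA", 1), nil, nil)
	if err != nil {
		return
	}
	acs, _, err = issue(serverTemplate("acs.example.net", 2), providerCA, caKey)
	if err != nil {
		return
	}
	rogueCA, rogueKey, err := issue(caTemplate("Rogue CA", 3), nil, nil)
	if err != nil {
		return
	}
	rogueAcs, _, err = issue(serverTemplate("acs.example.net", 4), rogueCA, rogueKey)
	return
}

func main() {
	providerCA, acs, rogueAcs, err := testPKI()
	if err != nil {
		fmt.Println("setup failed:", err)
		return
	}
	fmt.Println("right name, trusted CA:  ", verifyServer(acs, providerCA, "acs.example.net"))
	fmt.Println("wrong name, trusted CA:  ", verifyServer(acs, providerCA, "acs.attacker.example"))
	fmt.Println("right name, untrusted CA:", verifyServer(rogueAcs, providerCA, "acs.example.net"))
}
```

Only the first call returns nil. The uploaded CA set on a unit should be as small as the deployment allows: every CA in it can issue a certificate that passes the chain check, so the host-name check is the only thing left between the unit and a mis-issued certificate.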
As defined in the Oxford Dictionary, authentication is the process or action of verifying the identity of a user or process.
In an Internet telephony network environment, authentication will allow the Mediatrix unit to make sure the peer it is communicating with is the proper network or endpoint (unit or end-user device). This provides a level of security for communications as no communication will be allowed if the authentication is not confirmed.
You can globally set the SIP transport type for all the endpoints of the Mediatrix unit to either UDP (User Datagram Protocol), TCP (Transmission Control Protocol), or TLS (Transport Layer Security).
Note that RFC 3261 states that implementations must be able to handle messages up to the maximum datagram packet size. For UDP, this size is 65,535 bytes, including IP and UDP headers. However, the maximum datagram size the Mediatrix unit supports for a SIP request or response is 5120 bytes, excluding the IP and UDP headers. In practice this is sufficient, as a SIP message is rarely larger than 2500 bytes.
Although the services can largely be configured in the Web browser, some aspects of the configuration can only be completed with the MIB parameters by:
Mediatrix CPEs offering session border controller capabilities address a large variety of applications such as network demarcation, SIP firewall, SIP normalization and survivability. To facilitate the implementation of these applications, Mediatrix session border controller provisioning is based on a catalog of configuration templates named Rulesets. Rulesets define one or several rules used to filter, manipulate or route inbound or outbound requests.
For example, they can manage:
Security certificates are files used to authenticate a Mediatrix CPE to other network elements and vice versa; they are what allows a secure connection, using TLS or HTTPS, to be established between the Mediatrix CPE and the network elements. Security certificates contain attributes that identify a network element or an organisation, together with that entity's public key; the matching private key is held only by the entity and is never part of the certificate.
Certificates are used to secure the following connections:
The Mediatrix CPE provides several troubleshooting features such as notification messages, diagnostic traces and SIP signalling logs.
The Syslog daemon is a general-purpose utility for monitoring applications and network devices over TCP/IP. With it, you can collect and review the messages sent by the Mediatrix CPE.
Several features are available for monitoring.
Mediatrix units are supplied with an exhaustive set of documentation.
Mediatrix user documentation is available on the Media5 Documentation Portal at http://documentation.media5corp.com
Several types of documents were created to clearly present the information you are looking for. Our documentation includes:
Several aspects of branding can be configured through a customer profile.
A profile is a customer factory customisation where parameter values, skins, and branding are defined specifically for the customer.
Customer profiles can be uploaded via HTTPS/TLS to ensure data integrity and confidentiality. The customer profile can include information on:
Copyright © 2020 Media5 Corporation.
This document contains information that is proprietary to Media5 Corporation.
Media5 Corporation reserves all rights to this document as well as to the Intellectual Property of the document and the technology and know-how that it includes and represents.
This publication cannot be reproduced, neither in whole nor in part, in any form whatsoever, without written prior approval by Media5 Corporation.
Media5 Corporation reserves the right to revise this publication and make changes at any time and without the obligation to notify any person and/or entity of such revisions and/or changes.