Henning Schulzrinne

I’ve been involved in the internet technical community since the early ’90s, primarily in my academic role as faculty at Columbia and previously as a researcher at Bell Labs and in a German research lab here in Berlin, actually. And secondly, more recently, as a staff member for the Federal Communications Commission. In that role, I have been participating in traditional academic research, primarily in the networking realm, but also, working primarily within the Internet Engineering Task Force on standards development for internet applications, primarily real-time applications.

The topics I have worked on probably the most are, as I said, the real-time internet applications, voice over IP and real-time streaming applications. Voice over IP is the delivery of phone calls
over the internet. And that led to a number of protocol developments that are now fairly commonly used in the industry. So this is the real-time transfer protocol that transports audio and video content across networks, and that’s often used for audio and video telephony within enterprises, but also increasingly on the wide areas. So there are a number of voice over IP providers as well as what are known as 4G or voice over LTE systems that use that type of technology. And then, a corresponding protocol that is commonly used again in the enterprise phase. Many of the new IP PBXs are used as kind of your desktop phones in offices, they typically use that in mobile phone carriers as part of the internet multimedia subsystem, IMS. I’ve also worked on a number of applications in public safety, in how do you support emergency
calls such as 112 or 911 in the new all-IP environment.

It’s really hard to answer that in generalities because the internet has become such a diverse ecosystem. It’s probably much more productive to think of it as not like a single entity but like an ecosystem where some parts of the ecosystem are quite healthy and others, not so much. So let me try to give you just a few examples of that. We’re now seeing that when we talk about the internet we’re really talking about two somewhat separate things: the technology and the global infrastructure. The technology involves protocols and software artifacts that use internet protocols but may not be actually used on the internet, they may be used in private networks, in data centers, in enterprises and homes, without
necessarily touching the internet. I think that development has been robust and continues to progress pretty rapidly, where the major problems are probably in terms of robustness and reliability, and security-related problems as well, but the technology seems to be able to keep pace with demand. The other one is the internet as a network that you connect to, exchange data on, communicate with other people on - and in that in many countries and many regions things are moving along quite nicely, speeds are improving, the availability on mobile devices is dramatically increasing, but we also have simultaneous challenges. Just to name a few: the security challenges increasingly make it difficult, particularly for individuals and small businesses, to know what information is truly secure and private
- what of their bank account, of their private data, medical data is at risk. Also, at a larger scale, for enterprises, being exposed to theft of their intellectual property - and I’m not talking about music here and videos primarily - I’m talking here about blueprints and chemical formulas and customer lists and all the other things that companies maintain privately in order to maintain their competitive position. That I think is a major challenge simply because it doesn’t seem possible for ordinary individuals to keep up with deficiencies in both protocol design and implementation to have a reasonable certainty that the tools they use won’t be used against them. There are also other larger scale challenges, mainly the suppression of freedoms in a number of countries, issues of privacy, how do we balance
free access to information and services on mobile devices with the desire to maintain private information as private.

Let me talk about security as one. First of all I think it’s important that I don’t want to fall into the trap of saying that the internet is insecure because that’s not really a helpful statement. It doesn’t differentiate enough between the various components. I would look at that in three pieces. One piece is the underlying technology. The second piece is the implementation software, primarily, and hardware to some limited extent. And thirdly the operational practices. And there are problems in all areas but they are very different problems. I think there generally has been for at least a decade, a fairly profound awareness on the
design and engineering side that a) you need to design protocols for hostile environments and we have reasonable ideas on how to do that and I would say at least most protocols that have been designed somewhat recently or have enhanced recently all have good to acceptable security mechanisms built in. So it is not so much a problem that our protocols are insecure but there are some that certainly could use strengthening particularly in the routing side and again on the access side with the LAN protocols. But the other areas are far less encouraging and on the implementation side we seem to have difficulty on two counts. Routinely we are designing reliable systems - software engineering - often because it is not immediately obvious when something is insecure because it works just fine until
somebody attacks it. And secondly, and on how to test it and how to incentivize or de-incentivize people from building secure and insecure systems. Currently, there seems to be a problem that many software developers, particularly smaller ones, but certainly not limited to those, seem to have difficulty - I don’t know if it’s an engineering problem or a managing problem - to put enough resources into creating secure systems, designing by good engineering practices, testing and particularly relying, not just on internal testing, but also on external testing. We are used to it in other areas where safety and security are at stake. Think of vehicles or electric toasters. We have certifying bodies because we don’t want to rely on the manufacturers themselves, as diligent as they may be, to completely
trust them that they will know whether they did a good job. So we have entities like the Underwriters Laboratory for electrical equipment, the TÜV in Germany and other countries for safety on just about anything, whether it’s elevators or cars or umbrellas that have any type of even remote security or safety implication. We don’t do that for software and it is fairly obvious that it isn’t really working. To give you one example, what I’ve encountered in my work, in my current line of work: in the United States we have a system called the Emergency Alert System, EAS, which is used to alert TV viewers on imminent threats to life and properties. Think storms or flash floods, tsunamis, all of those. Every TV station and cable system is obligated to have a device that allows a public safety authority to submit
a request to send out a broadcast saying to take cover to take appropriate actions. So it is obviously very important that this is a reliable system. Until maybe five years ago these systems were not connected to the internet at all. There were some master stations that would broadcast it and they would retransmit it down the line. More recently for convenience and operational purposes, they have designed systems that use internet connected devices. Recently in the past five years, these TV stations have, for convenience and operational efficiency’s sake, installed boxes that connect on one side of the internet and the other side intercept the TV signal so that they can inject a crawler on the bottom of the screen and audio into that TV signal because emergencies could happen anytime, even when
there is no engineer on staff, for example. Well, unfortunately, these are fairly specialty devices and whoever designed those, didn’t do a whole lot of testing. They have violated just about every guideline known for designing secure systems, so what happened was someone discovered that you could search - you could google them on the internet, you just searched for the logging string - and then use a default password, which you could also easily google, just by looking at the manual, and then they then injected at about a dozen TV stations - primarily smaller TV stations - a fake emergency alert about zombies emanating from the ground and warning that the population should take cover. It was obviously kind of funny the first time around but it could easily be misused. So in our case, it happened just before the
State of the Union address by the president of the United States, so there was grave concern that somebody would use that to start a panic, like report a false terrorist attack that would occur. That was an example where somebody had designed a system, not thinking that these would be connected to the internet, that people would not change the default password and that there would be no other security protections in place and there’s many of these smaller systems - these could be home routers, it could be electric meters, it could be car systems - where there doesn’t seem to be a true appreciation as to the dangers that could occur if somebody gets access to those and we don’t seem to have a good way of dealing with that.

I’ll briefly talk about the operational aspect as the third consideration. It used
to be that in many computing systems, probably most of them, they were operated by trained system administrators that at least had some professional awareness. Skill levels probably varied, but at least many that worked in that field had education in computer science work, maybe even some security training. But nowadays, many if not most computers are operated by individuals that have no technical training whatsoever and they shouldn’t have. This is true for home networks, it’s true for small business networks - I mean your dentist, your baker type of thing - everybody has a computer, generally connected to the internet. Think of your doctor’s office - it probably has one for electronic medical records. And none of those are operated by trained system administrators. So it is very easy for these
amateurs to make mistakes in operating those types of systems. Again, we’ve designed systems not really well anticipating the kind of users that would really use them, thinking or maybe not even thinking that they would be used in the same way as they were in the 1980s and 1990s. That doesn’t mean we should train everybody to be a system administrator, that just doesn’t work. We need to design systems that are secure out of the box; you just can’t make them insecure without a lot of effort and we haven’t really succeeded and that’s been far too difficult. The type of technologies people use, like passwords and so on, are becoming increasingly user unfriendly and they become increasingly unmanageable and that’s what I see as one of the challenges to make it easy to build secure systems and
to operate secure systems.

One particular one is the barrier to entry to creating new businesses, new content has dropped dramatically. In the last decade or so it is now possible for a much wider variety of individuals to not just consume content - you could always do that with radio and TV and all that have existed for a century - but you have a new possibility that ordinary individuals without a large budget, maybe even without deep technical skill sets, could create interesting content of all kinds. Examples: the Khan Academy for training materials, individual small local groups that could distribute videos, websites and web applications that could be built, apps on smart phones. All of those are now accessible to many more individuals
than there were even a relatively short while ago. And that I think has probably been the greatest enabling capacity of the internet, not so much just as a distributor of high-cost, highly produced content - that’s always been available - but as means for distributing low-cost, low-effort, much more democratic content, both for cultural as well as just plain business uses as well as educational.

One of the things I’ve been involved with at the Federal Communications Commission is to ensure an open internet, mainly almost by physical design. While everybody can or most everybody can create content and applications it is very difficult for most people to operate their own network. You just can’t string your
own fiber or run your own cell towers and so the number of operators in almost every country, in a particular region, tends to be very small - a handful even if you count wireless operators, typically you have your copper base provider, your fiber or your coax base provider and then maybe a small number, three or four wireless operators, satellite operators. Because it costs billions of dollars to build a network, we can’t really rely purely on competition to ensure that users have access to the legal content they want to get access to and create content that they want to create because, in some cases - both for the content that they want to access and the content that they want to create - they may well compete with ventures that the network provider has. Most of the network providers
- at least in the U.S. for example - also distribute their own video content, they may have applications of their own and they’ve certainly had voice applications, for example, and that’s very common for almost every network operator. And so they have incentives to give themselves an advantage in order to compete with other providers in content and applications. So I believe it continues to be important to have rules and mechanisms in place so that providers cannot discriminate against providers of applications and content, because in many cases that is essentially our primary means of accessing information of all kinds. That remains a long-term challenge - how to do that in ways that do not unduly interfere with the expansion of the network, do not unduly increase costs. In the U.S.
we have found, as one current mechanism, the FCC Open Internet Order, which spells out some of the conditions kind of at a high level on how that should work out. But other regions and countries in Europe are still trying to find their way to find that balance.

One of the other challenges that I see is that as the network has become in both good ways and bad ways a commodity, mainly we all rely on it. It’s something that we notice mainly when it’s not around - “I can’t get internet access. What’s going on here?” We expect it in every hotel, in every airport, certainly in most homes, schools, wherever. One of the things that I think is in some way in danger is a robust research infrastructure. If you look at many of the major providers of hardware and software and services, they
used to all have significant-sized research labs. Just to give you one example that I heard recently, Nokia - primarily they do both network infrastructure and handsets - used to have 600 researchers in their lab. They are now down to 60. Verizon, in its previous incarnations, used to have large research labs and multiple facilities that did not just short-term but also long-term research. Telcordia, the same thing. They all used to have long-term research. They have largely discontinued that. There is only really a relatively small number of companies that still do network-related research that more or less stay on a six-month time horizon. Universities continue to do that. There is a vibrant research community, but it can’t be universities by themselves, particularly
because for a variety of reasons funding is no longer nearly as available as it used to be - both funding through governments, as well as - because of the downsizing of corporate research activities - funding available through corporate sponsorship. If we don’t have a vibrant research community, the problems I alluded to earlier - security, accessibility, the usage for content creation - will all suffer. We won’t notice it because we won’t notice it directly, we won’t notice what we’re missing, because we don’t see it, but if we don’t have that, I think it will be much harder to solve those problems because in many ways most other research efforts have often created artifacts that were widely distributed, had low cost to acquire, which means lots of people could use those and adopt them,
they tended to be non-proprietary, there tended to be an emphasis on making sure it was available, and if you don’t have that any more, if you just have a small-scale, venture capital-style research going on, we’re missing out on something.

I think it’s partially the competitive pressures, namely research almost by its definition doesn’t just accrue benefits to whoever does it. It’s really hard to keep research secret because that’s how nobody else benefits. You can do that in some areas such as pharmaceuticals where the output is a single drug that is easily patented and you have a 20-year protection horizon on that and it’s very difficult for somebody else to replicate exactly that prescription drug. But if you look at networking or computer science research in general, most
of the ideas that you generate are hard to contain. They just distribute themselves so to speak, through students, through publications and all the normal mechanisms - which is a good thing, we want that to happen, but it had from a purely, local, economic optimization mechanism, where it’s easy to say, “Hey. Somebody else should do the research. I just get the benefit.” But if everybody does that, you don’t get any research done anymore. And in the old days, we always had - and this was more an accident than anything else than any planning - we always had very strong government funding that hadn’t been concerned about those issues. We don’t really care except maybe on a national level about the benefits from research, which in itself is a problem, and you have some people who say, “Well
let the other countries - mainly the U.S. - let the other countries do the research and we’ll just basically build the stuff and - or we’ll just do shorter-term development work.” The other problem or maybe the other issue is that in those environments you don’t really have the set of people who can really continue to do that research because some other areas have become the go-to areas - big data, say graphics in some cases, so we don’t have quite the same student population that we had available. It’s partially because there aren’t as many research jobs out there that people in the industry would go to. When people start a master’s or PhD program they want to have some assurance they will find a job afterwards, and research was often industrial research and was often a very attractive destination
because people recognize that only a very small fraction could become faculty or what else are you going to do? And industrial research offered an opportunity for a creative outlet and so on. So that’s a kind of a feedback loop that’s not working very well right now, and it’s not clear how we can get out of this given that government funding in general for research in Europe and the U.S. isn’t increasing, to put it very politely, and we have a decrease which diminishes the supply of talented students who want to participate in that research.