I’m at the beginnings of a project to migrate a call platform over to our network and have come across a weird one. One of the SIP carriers is Verizon. There is a p2p link between Verizon and one of our routers, with a VPN pointing towards Verizon (not at the p2p IP, just routed towards them), and the LAN subnet associated with this setup is a public range, assigned by Verizon, but not routable over the internet.
I’ve never seen this before and have scheduled a call with Verizon for the end of the week to see why we have it set up this way.
Anyone seen similar before? I’ve never seen VPNs pointing to a SIP endpoint when on a private circuit, and definitely never been told we have to use their IP range on the LAN.
AT&T does this too, typically out of their 12. or 32. address space.
It guarantees that the address space is globally unique and there is no overlap on either side. Just because it’s not RFC1918 space does not mean it’s routable on the internet.
We do this for partner VPN tunnels, we carve a chunk out of our public blocks for a transit /30 that is typically used as SNAT so that the addresses have no chance of overlap.
It’s not entirely uncommon. I’ve had an MSP do the same thing for a VPN tunnel set up between our networks. They’re just using their public address space instead of their private.
My company does business with state governments, so we have a lot of VPN tunnels running through, and most of them go to non-RFC1918 internal subnets. And honestly, it makes life easier; no conflicts on our end, and no playing with NAT.
Also, there are plenty of organizations that purchased /8 blocks in the 80s and continue to use that entire block on their internal networks. It’s just a subnet that they completely own, it doesn’t mean that their networks are secured any less.
This is normal. You don’t have to worry about using their IP addresses on your LAN because your SBC sits between their VPN and your LAN. The only address Verizon should see is the public interface of your SBC, and the only address your internal clients should see is the inside interface of your SBC.
I have a decent amount of experience with Verizon wholesale SIP and it depends on the product. They require IPSEC VPN for their legacy products but that is just the signaling. The media/RTP can cross the public internet or go over a direct connect (usually via BGP). They will require a SIP signaling range to load in the firewalls but media/RTP can come from anywhere. The newer GIPC product works a bit differently and is a dedicated circuit without IPSEC but requires you to route media over a private interconnect. In this case you have a set of IP ranges for both signaling and media and it doesn't matter if the addresses are public or private; they won't be reachable from the internet, as others have outlined.
Yeah, I guessed it wouldn’t be routable. It makes it difficult to route through our core if they insist on us using their IP range (currently this SIP trunk is terminating on a stand-alone ASR for this very reason), and makes it hella harder to migrate away in the future.
What purpose is the VPN serving though? I generally stay away from VoIP over a VPN.
Agree re: SIP and NAT. I will share an interesting (to me) anecdote. AT&T likes to use 1.1.1.1 as the IP for the SBC for SIP trunks. Turns out, doing so may make some issues for those trying to use the new cloudflare public DNS (1.1.1.1).
I have no problem with using a dedicated interconnect. What is the product called? I searched for “Verizon gipc” but came up blank. I have a meeting scheduled with them for next week.
Ehh that’s horrible. Did Verizon deploy it originally? The last customer I saw with Verizon had their router accessible from the Internet and thousands of attempted fraud calls because they didn’t have any ACLs.
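Two checks that come up in this thread, written as an added example (not code from any poster or from Verizon): does a carrier-assigned block collide with your own address plan, and are SIP INVITEs arriving from outside the carrier's signaling range, which is what a missing ACL would let through. All ranges and log lines are constructed placeholders from the RFC 5737 documentation space, not real carrier addresses.

```python
import ipaddress
import re

# Constructed placeholders: the carrier's SIP signaling range, the
# public-but-not-routed LAN block the carrier assigned, and our own LANs.
CARRIER_SIGNALING = [ipaddress.ip_network("203.0.113.0/28")]
CARRIER_ASSIGNED_LAN = ipaddress.ip_network("198.51.100.0/24")
OUR_LANS = [ipaddress.ip_network("10.20.0.0/16"),
            ipaddress.ip_network("192.168.50.0/24")]

RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample of what an SBC or firewall might log for inbound signaling.
SIP_LOG = """\
2024-03-01T10:00:01 INVITE sip:+15551234567@sbc.example from 203.0.113.5:5060
2024-03-01T10:00:02 INVITE sip:+4400000000@sbc.example from 198.51.100.77:5060
2024-03-01T10:00:03 INVITE sip:+9720000000@sbc.example from 192.0.2.9:5060
2024-03-01T10:00:04 OPTIONS sip:sbc.example from 203.0.113.6:5060
"""


def plan_conflicts(block, our_nets):
    """Return the networks in our plan that overlap a carrier-assigned block.
    A non-RFC1918 block cannot collide with RFC1918 LANs, which is the
    'globally unique' property the thread describes."""
    return [str(n) for n in our_nets if block.overlaps(n)]


def is_rfc1918(block):
    return any(block.overlaps(n) for n in RFC1918)


LINE_RE = re.compile(r"INVITE \S+ from (\d+\.\d+\.\d+\.\d+):\d+")


def unexpected_invites(log, allowed):
    """Source IPs of INVITEs that fall outside every allowed signaling range.
    These are the sources an ACL in front of the SBC should be dropping."""
    bad = []
    for line in log.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue  # only INVITEs start calls; skip OPTIONS and unparsable lines
        src = ipaddress.ip_address(m.group(1))
        if not any(src in net for net in allowed):
            bad.append(str(src))
    return bad


if __name__ == "__main__":
    print("RFC1918:", is_rfc1918(CARRIER_ASSIGNED_LAN),
          "conflicts:", plan_conflicts(CARRIER_ASSIGNED_LAN, OUR_LANS))
    print("INVITEs outside carrier range:",
          unexpected_invites(SIP_LOG, CARRIER_SIGNALING))
```

Swap the constructed ranges for the signaling ranges the carrier actually gives you; the same allow-list is what belongs in the router or SBC ACL.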
It's called “Global IP Connect”, or GIPC for short. We have 3 interconnects in different cities for redundancy. It supports toll free, DID, and LD termination.
Apologies, I should have at least traced to the SIP endpoint before posting this. You are right, this is over the internet. I can reach the Verizon endpoint from my mobile phone! That explains the VPN.
Because SIP/RTP isn’t encrypted and they don’t want to send your phone calls over the internet in the clear.
Actually, at the time I was looking at using Verizon SIP a few years ago, SIP was required to be encrypted but RTP was not allowed to be. I.e. your entire conversation was in the clear.
It’s a point-to-point circuit with Verizon so I’d presume it was not “internet”, no? Also the range isn’t, or shouldn’t be, publicly routable, I thought?
Now I understand it a bit better. Could you explain the advantages/disadvantages of this approach (public range with VPN) vs something like a COLT approach, whereby the IP addresses would be a private range and there would be no need for a VPN?