There are many decisions you can make in business that nobody will know about. Your shareholders may make more or less, as a result. Your agility or productivity might be impacted but there is not often a direct one-to-one linkage between decision and outcome. There is an exception to this, and it relates to magic-box licensing.
My hobby horse for decades has been encryption. I consider it a human right and absolutely fundamental to safety online and personal and corporate sovereignty. Others disagree; some have said “encryption is pointless” and then revealed their engineering prowess to the world years later in multi-week outages. The worst though are those who kind of agree, or at least recognise the need to agree, but don’t deliver.
If I look around this industry, I see a common theme. While encryption for VoIP has existed as long as VoIP itself has existed (SIP over TLS 20 years, SRTP 21 years), very few use it. At the ITSP level, back in the day at least, one could blame naivety – handset support was buggy as hell and the default install of popular “PBX” solutions didn’t enable encryption. You could be up and running with Asterisk on a Raspberry Pi in minutes, and an out-of-the-box handset would connect to that out-of-the-box install with just a user name and password. That was twenty five years ago though. Let me say that again louder: TWENTY FIVE YEARS AGO.
Back in 2000, privacy meant closing your curtains! Security meant ensuring you updated Norton Antivirus every week and resilience meant doing a defrag. Selfies didn’t exist. “Streaming” was illegal file sharing, at least as long as your mum didn’t pick up the house phone while downloading. 9/11, the Great Financial Crash or COVID hadn’t happened. Moreover, many people reading this weren’t born!
Hopefully, we can all agree that the world has moved on enormously and without getting into whether for better or for worse, technology has led that charge. So why the sweet mother of frick are people still running voice networks like it was 2000? Any guesses? I’ll tell you: money. Money over principles, money over responsibility and money over moral fortitude.
You see, while encryption is covered by many very well established RFCs, it comes at a cost. That cost can be CPU cycles or – if you want to run Macsec between routers at 400Gb, like we’re working towards – it can be crazy expensive ASIC horsepower. The standard is free and open source though, the software costs nothing, at least not directly.
If you have the first clue what you’re doing, and have plentiful hardware resources for the job in hand, encryption is trivial. I remember back in the late 90’s encrypting access to every page on the e-commerce site I ran then. People thought I was mad because, then the convention was to only encrypt the credit card page. I thought “that’s dumb”. It is no surprise, looking back, we were then picked by Visa and Barclays to beta test 3D Secure – yes, sorry that was me, and trust me it was far more ghastly to implement then. Now, it is standard that the entire site be delivered over HTTPS (and 3D Secure is on almost every online purchase).
And there’s a key point. HTTPS enables your browser to negotiate an encrypted session with the remote server. Nothing in between sees the unencrypted traffic. There are no third party gateways or boxes or applications required. SIP over TLS is the same, with SRTP being the encryption of the media where the keys are exchanged within the TLS session – hence why SRTP without TLS is pointless. That is how the standards work. Can you imagine if you had to VPN to Google before accessing YouTube? It seems laughable but so much of this industry offers zero encryption at all or does so in a really really ham-fisted way.
So if having a clue and investing in adequate hardware resources are the table-stakes for 100% encryption, why is this? Well, not having a clue and not investing are obvious explanations. It is more sinister than that though.
Great swathes, fair to say the majority, of our industry rely on magic boxes. Those magic boxes package these free and open standards, and quite often the free open-source software others have gifted to the world, and charge license fees for features. It should be of little surprise that the more expensive features are things that make Simwood unique – high availability, advanced codecs like Opus, and yes, “crypto”. This licensing drives the most stupid of stupid decisions elsewhere.
Without mentioning names, one operator will not tell you where their SBCs are located to optimise traffic delivery because it is a “matter of national security” yet they’ll willingly receive unencrypted traffic over the public Internet because they haven’t bought the crypto licenses on their magic boxes. Another, in its efforts to get compliant with the TSRs, hasn’t bought them either but they have a plan – rather than distributing traffic across geographically diverse SBCs, VPN into the single router in the UK with a cryptographic licence, with a backup connection to the other side of Europe! Another, delivers leading Enterprise and Government customers UCaaS/CCaaS yet offers plain SIP over UDP as default – no encryption. Yet another, can do encryption if you tell them how many licenses to buy (and pay for them of course!) or can offer you a VPN if you know no better.
VPNs are a truly ghastly solution for communications. Not only are you inserting a technical dependency and a “man in the middle” at both ends deliberately – the VPN client and gateway after which everything is unencrypted – you are removing any opportunity for network engineering to deliver the optimal performance to clients. Deep packet inspection can’t see inside VPN traffic to offer security or performance optimisation at the edge. Network level QoS, prioritisation etc. sees the VPN traffic as one stream and prioritises it accordingly – could be VoIP but could just as easily be cat pictures. Low latency protocols designed for lossy Internet connections (e.g. RTP over UDP) are now encapsulated into a tunnel which generally retransmits missing packets – yes, where there’s packet-loss your call just gets more and more latent. I could go on but the only reason these things exist in this scenario is because of cluelessness making the alternative more expensive, and corporate culture putting profit before doing the job properly.
If your carrier doesn’t give you free TLS and SRTP on every call, you need a new one, because they do not have your customers’ success and safety in mind – they just want your money. That kind of culture is what leads to unpatched SharePoint servers and what is looking like multi-month interruptions to regulatory obligations like we’re seeing at Colt. You can still “win” awards for it apparently but that’s a rant for another day.
Seriously people, it is 2025 and you need a carrier who respects you and your customers, and has the first clue what they’re doing.
