When talking about Class 4 PBX's, there is a clear advantage of using IP Authentication instead of registering: speed. We will explain here why this happens.

For starters, the IP authentication is very common when dealing with class-4 PBX's. Class-4 PBX's do not deal with end-user and its customers generally are other PBX's. This is to a hard rule, there are some reputable carriers offer registration as their first option. To Connect Me offers registration as the last resource, giving priority to IP authentication.

Each time a PBX receives an INVITE before answering with an error code (1xx, 2xx, 4xx), it will verify if the invite requires an authorization.

Take a look to this chat:

sip flow

The first INVITE from PBXA arrives without authorization, the PBX answers with an error 407 requiring some authentication. Then the PBXA understands and it sends the same INVITE adding the Proxy-Authorization header. In this example, the authentication was correct, and the PBXB answers with an error code 100 telling the PBXA it is trying to connect.

It looks a small amount of time if you see only one example, the first three chat lines wouldn't be necessary if IP authentication were in place. It took 0.005 s (half a second) to accept the INVITE.

Advantages of the IP Authentication

  • Faster than its registration counterpart
  • More difficult to hack than the registration one. Because there is no password involved, the only way is by doing some IP spoofing. SIP over TCP or TLS is really difficult because of the way they work (TCP sequence number and the security scheme behind the encryption). SIP over UDP has another way of protection, even if a machine could spoof the IP (routers not only validate the destination but the source), the SIP protocol keeps track of session, if a spoofed INVITE pass through, the client must return an ACK otherwise the communication will break. Also, knowing the IP of a customer it is not as easy as knowing the IP of the server. Also, many of the attacks are brute-force related, if an attacker is trying to send a REGISTER to a PBX where users do not exist, you are safe.

Disadvantages of the IP Authentication

  • One IP means one PBX, extension or customer (depending on how you manage that).
  • Requires a static IP, only available in data centers or paying an extra fee to your home ISP.

Advantages of the Registration

  • You can have multiple extensions registered behind a NAT.
  • You can host your class-5 PBX in your own home network, the dynamic IP won't be a problem.

Disadvantages of the Registration

  • Slower than IP Authentication.
  • Hackable, if someone knows your password, calls will be connected on your behalf.
  • Overload sensible, because registrations have TTL, a faulty client's router that doesn't honour the NAT and each registration may be a useless entry in the carrier PBX.

When is Best to use IP Authentication?

Fair question, if you are setting up a class-4 PBX (for billing or for SBC) that will forward calls from one PBX to another, IP authentication is your best option. If you are going to offer class-5 services such as voicemail, IVR and such, and your customers are users' endpoints (IP Phones for example), then registration is your best option.