Telecom 6 min read

Architecture of carrier SIP routing: protecting voice cores from fraud

We examine carrier SIP routing architecture and methods for protecting voice cores from fraud by integrating MNP, billing systems, and cryptographic verification.

Modern voice infrastructure for telecom operators and large-scale enterprise networks is undergoing a fundamental transformation. By 2025, voice telephony has become an integrated component of complex IP infrastructure, requiring high levels of automation, instantaneous routing, and uncompromising security at the signaling level.

Rising global losses from telecom fraud, which reached approximately $41.82 billion according to the CFCA Global Fraud Loss Survey 2025, are forcing CTOs to fundamentally rethink voice routing architecture. Traditional security approaches based solely on trusting the IP addresses of transit partners are no longer sufficient to counter modern threats. The practical efficiency of an operator's infrastructure now depends on integrating flexible SIP routing with Mobile Number Portability (MNP) databases and billing systems into a unified loop capable of blocking fraud in real time.

Anatomy of a SIP call: how the carrier core processes and routes voice traffic

Call processing in a carrier network begins the moment a Session Border Controller (SBC) or SIP proxy receives an INVITE signal request. Unlike typical corporate PBXs, where logic is often reduced to simple prefix comparison, the telecom core performs multi-stage control of every session. After receiving the request, the system executes the following steps:

  • Number normalization: converting Calling Party (CLI) and Called Party (CLD) identifiers to a standardized E.164 format.
  • Source authentication and authorization: verifying the technical and commercial rights of the client to establish a connection in a specific direction.
  • Routing lookup: querying routing systems to select the optimal outbound trunk.
  • Header manipulation: adapting SIP packets to the technical requirements of a specific terminating operator.

MNP and LCR challenges: real-time route optimization

Routing complexity increases significantly due to Mobile Number Portability (MNP). Attempting to route a call based solely on the initial network code (NDC) leads to incorrect routing and additional transit costs. To minimize connection costs, operators use Least Cost Routing (LCR), but integrating it with MNP queries is a complex architectural task.

Direct queries to external relational MNP databases during INVITE processing significantly increase Post Dial Delay (PDD). To ensure seamless operation, modern platforms use high-performance in-memory databases and local caching. This allows queries to be completed in milliseconds, enabling LCR calculations on the fly without degrading the user experience.

Signaling security: preventing Caller ID spoofing and the RFC 8224 standard

The mass use of fake numbers (Caller ID spoofing) is the foundation for complex International Revenue Share Fraud (IRSF) schemes. According to the CFCA, subscription fraud alone costs telecom operators approximately $5.31 billion annually. The situation is complicated by the fact that the exploitation of legacy signaling protocols, such as SS7 and Diameter, remains a significant attack vector for mobile networks (according to the ENISA Threat Landscape 2025 report). Industry estimates suggest that up to 53.7% of international voice traffic in some regions may still pass through outdated, unsecured interconnects.

For cryptographic call verification, the IETF has developed the RFC 8224 standard, which regulates the use of the Identity header in SIP sessions (the technological basis for the STIR/SHAKEN framework approved by the FCC). The essence of this approach is as follows:

  1. The originating operator creates a special token (PASSporT), signing it with their own private key.
  2. This token is transmitted in the SIP INVITE request via the Identity header.
  3. The receiving operator validates the digital signature using the initiator's public key and determines the Caller ID trust level.

It is important to remember that STIR/SHAKEN does not eliminate all types of fraud—this mechanism is specifically designed to combat number spoofing. Therefore, it should be viewed as part of a broader anti-fraud strategy.

Integration with BSS/OSS: billing at the signaling core level

An architecture where Call Detail Records (CDR) are exported to billing post-factum is technically obsolete. Delays in billing allow attackers to generate financial losses before blocking can occur. Modern infrastructure requires real-time integration between the signaling core, the anti-fraud system, and BSS/OSS. This allows for immediate response to anomalies (for example, if a single account generates 27.7% or more simultaneous calls to atypical international destinations, sessions are terminated before the call is even answered on the B-side).

A powerful integration layer is required for reliable transaction processing and communication between voice nodes and billing systems. An example of a platform foundation for building such high-load registries and BSS applications is the low-code platform UnityBase (a joint development by companies in the Intecracy Group technology alliance, where InBase acts as a key, but not the only, developer). The platform's mechanisms, such as a unified Domain metadata model and automatically generated REST API, allow for the rapid deployment of microservices with flexible role-based access control (RBAC/RLS) and full transaction auditing. According to the developer's official recommendations, for high-load telecom operator environments, it is advisable to use commercial Enterprise or Defence editions, which support industrial DBMS (such as Oracle RAC or PostgreSQL), ensuring the necessary response speed.

Modernizing legacy infrastructure to cloud-native architecture

Since operators cannot afford service downtime, modernization usually occurs through an evolutionary path. Moving signaling and routing functions to a virtualized environment (containerized solutions) allows for horizontal scaling during peak loads and the configuration of geographic redundancy (Geo-redundancy) with instantaneous session state synchronization. Applying CI/CD practices enables the updating of routing rules without interrupting active calls.

Comparison of architectural approaches to carrier SIP routing
ParameterTraditional (Legacy) routingModern cloud-native routing
MNP query processingLocal static tables or periodic importsReal-time queries to centralized MNP databases via fast in-memory caches
Call authenticationTrust based on trunk IP address (vulnerable to spoofing)Cryptographic signature of Identity header per RFC 8224 (STIR/SHAKEN)
Billing integrationPost-factum analysis of CDR files (fraud risk)Real-time session authorization via integrated BSS/OSS loop
ScalingVertical (hardware or license replacement)Horizontal (automatic container deployment)

FAQ

How exactly does RFC 8224 regulate the use of the Identity header in SIP packets?

The RFC 8224 standard defines a secure authentication mechanism in SIP where the sending operator creates a cryptographic token (PASSporT) containing subscriber number data and call time. This token is signed with a private key and embedded in the Identity header. The terminating operator uses the initiator's public key to decrypt and verify the authenticity of the Caller ID.

What risks do legacy SS7 and Diameter protocols pose to modern VoIP networks?

SS7 and Diameter protocols were created for closed, trusted networks and lack robust built-in authentication mechanisms. As noted in ENISA reports, exploiting these protocols via unsecured interconnects allows attackers to perform Caller ID spoofing, intercept traffic, and bypass billing systems.

How can MNP routing be integrated into Least Cost Routing (LCR) logic without causing connection delays?

To avoid critical Post Dial Delay (PDD), operators deploy high-performance local in-memory databases that are constantly synchronized with central MNP registries. The SIP core queries the local cache in milliseconds, instantly determines the subscriber's current network, and applies LCR rules to find the most cost-effective route.

Data sources

Sources & materials

Materials and sources used in this article.

  1. CFCA Global Fraud Loss Survey 2025 — cfca.org
  2. ENISA Threat Landscape 2025 — enisa.europa.eu
  3. IETF: RFC 8224: Authenticated Identity Management in SIP — ietf.org
  4. FCC First Caller ID Authentication Report and Order — docs.fcc.gov